The audit of most areas (other than special requests) is based on the
periodic Risk Assessment. This assessment includes input from management
and staff in identifying risks.
Another factor that increases a department’s chances of being audited
is not returning information requested by Internal Audit throughout the
year (i.e. risk assessment questionnaires, revenue analysis information,
etc.). If information needed to rank an areas’ risk is not received,
we have no choice but to audit the area to get the information.
2. Notification and Planning:
We will notify you of the upcoming audit and submit a request for information.
The auditor assigned to the audit will review any prior audits in your
area and the information submitted by the department, research applicable
policies and external laws or regulations, and prepare the audit program.
The audit program is basically a list of steps that will be performed
during the course of the audit. This work will be performed in our office.
3. Entrance Conference:
This is the initial meeting between the departmental director/chair of
the area being audited and the auditor(s). In this meeting we explain
what we expect to happen in the audit and give you the opportunity to
share any concerns that you may have. For example, if you would like us
to review a particular process or procedure in your unit, let us know
at this meeting and we will try to include it in our audit. This meeting
will be held in the department being audited.
During this process we will interview various departmental employees
about their duties related to the areas being reviewed. We will also perform
tests to determine the adequacy of various internal controls. It is during
these tests that we will determine whether the controls identified during
departmental interviews are operating as described. Some of this work
will be performed in our office and some in the department under review.
5. Audit Findings:
It is not unusual for one or more deficiencies to be noted during the
course of an audit. Most will be relatively minor issues that will require
a slight adjustment to a process. The auditor will address each finding
and provide a recommendation on how to correct in the audit report. Internal
Audit staff are always available to assist departments in any way.
6. Draft Audit Report:
Once the fieldwork is completed, we will draft an audit report which
will include observations and recommendations for improvement. There will
be a place in this report for departmental responses to be included in
the final audit report. This work will be performed in the Internal Audit
7. Exit Conference:
Throughout our review we will be open regarding what we find and plan
to recommend in the audit report. Normally, many of the recommendations
will have been implemented before the report is drafted. During the exit
conference, the draft audit report will be presented to the departmental
director/chair under review and will be gone over in detail. The departmental
director/chair will have the opportunity to ask questions and voice concerns
at this point. This meeting will be held in the department being audited.
8. Departmental Responses and Plans of Action:
Once the departmental director/chair receives the draft audit report, he/she will be required to provide a departmental response and plan of action for each observation. This information will be included verbatim in the final audit report.
9. Distribution of Report:
The final report will be distributed to the departmental chair/director
of the area under review, his/her immediate supervisor, the division Vice
Chancellor, the Vice Chancellor for Administration & Finance, the
Chancellor, and the Audit Committee.
10. Post Audit Evaluation:
As part of our evaluation program, you will be requested to complete
a post audit evaluation after the final report is distributed. This feedback
will help us to improve our audit procedures.
11. Audit Follow-up:
A follow-up review will be performed several months after the initial
audit to verify that recommendations/plans of action have been implemented
for all observations. The follow-up audit repeats the normal audit process,
but is limited in scope, in most cases, to the findings of the initial audit.