- Determine Audit Objectives
- Audit Announcement
- Audit Kickoff Meeting
- Communicating Results
- Audit Exit Meeting
- Audit Report
- Post Audit
Step 1: Determine Audit Objectives
Prior to the audit, Internal Audit conducts a preliminary planning and information gathering phase. This step allows the Internal Audit team to perform an audit risk assessment in order to define the audit objectives and scope for the area under review. The Internal Audit team also begins to develop the audit program which defines the audit testing procedures.
Step 2: Audit Announcement
Once the appropriate audit objectives are set, Internal Audit formally issues an audit announcement memo to the auditee detailing the objectives. The audit announcement memo is issued to the management of the area to be audited. Other department heads maybe included on the memo’s distribution list. The purpose of the memo is to introduce the objectives of the audit, to detail the planned review process, and to set the expectations for both parties (the auditors and the auditee).
Step 3: Audit Kickoff Meeting
Internal Audit meets with the auditee to discuss the audit scope and subsequent audit steps. At this meeting, the auditee should provide us with contact names, relevant policies and procedures, and other information that will assist us in the fieldwork. Every attempt to minimize any disruptions of regular departmental routines and to avoid seasonal busy periods will be made.
Auditee Responsibility: To provide contact names, relevant policies and procedures, and other information that will be of assistance during the fieldwork.
Step 4: Fieldwork
Internal Audit gathers information and performs audit testing to examine documents and other records for evidence to ensure internal controls are in place. During the audit fieldwork, Internal Audit gathers information to gain an understanding of internal controls and perform detailed testing via review of transactions to evaluate compliance with existing University policies, and adherence to external regulations. System related controls are reviewed for data integrity and completeness.
Auditee Responsibility: Meet with the audit team as necessary and provide requested documentation.
Step 5: Communicating Results
During the course of the fieldwork, if Internal Audit identifies potential control weaknesses, policy violations, or other issues, findings are discussed with the auditee. An audit finding is defined as an area of potential control weakness, policy violation, or other issue identified during the audit. Documentation of all audit findings with supporting documentation will be maintained to reflect the discussion of these findings with management during the course of the audit. Throughout the audit, the auditor andor audit management will discuss the findings with the auditee management in order to communicate those findingsissues and obtain agreement on facts and resolution. If further review and discussion determines that the finding is valid, it will be documented in the audit report.
Step 6: Audit Exit Meeting
At the conclusion of the fieldwork, Internal Audit formally meets with the auditee to discuss issues, audit recommendations, and action plans that will be contained in the audit report. Action plans are discussed and agreed upon by the auditee and Internal Audit to ensure that the management response is reasonable and achievable.
Auditee Responsibility: Review audit issues and recommendations for completeness and accuracy. Provide formal management response and action plan.
Step 7: Audit Report
Issues, recommendations and management responses are included in a draft audit report which is reviewed by all levels of management.
Risk Issue Levels:
During the course of audit work performed, audit findings are rated as High, Moderate or Low based on established criteria. This ensures consistency in reporting audit findings and to ensure the significance of each finding is rated per agreed upon criteria and the seriousness of the audit finding. Based upon the amount of audit findings and the type of risk levels, the overall audit opinion is determined.
- Effective with Opportunity for Improvement;
- Insufficient & Requires Improvement; or
A final audit report includes an audit opinion:
The audit opinion is determined based upon the amount of audit findings and the type of risk ratings assigned. Opinions may change based upon professional discretion of audit management. This ensures that audit opinions are consistence and reflect the internal control environment of the audit areas. Audit opinions are included in the final audit report.
Internal Audit then issues a formal audit report which is used to inform University and auditee management of the identified issues and control weaknesses, and assist management move toward improvement in areas of concern. Audit reports include risk issue levels and final audit opinion. All audit reports are delivered to the Audit Committee.
Following the issuance of the final audit report, auditees and auditee management are asked to complete a Post Audit Survey to help the Internal Audit department evaluate the effectiveness of the audit process, including effectiveness of the review areas in planning the audit, Internal Audit performance, professionalism and knowledge of the audit team.
If you’ve been recently audited by our department and would like to provide feedback, please click here and you will be directed to our online survey tool.
Internal Audit conducts a follow-up audit within six to twelve months if any high or moderate issues were identified in a final audit report. At this time, Internal Audit will request information on corrective action taken to address all previously identified significant issues.