Step 1: Determine Audit Objectives
Prior to the audit, Audit & Advisory Services conducts a preliminary planning and information gathering phase. This step allows the audit team to perform an audit risk assessment in order to define the audit objectives and scope for the area under review. The audit team also begins to develop the audit program which defines the audit testing procedures.
Step 2: Audit Announcement
Once the appropriate audit objectives are set, Audit & Advisory Services formally issues an audit announcement memo to the auditee detailing the objectives. The audit announcement memo is issued to the management of the area to be audited. Other department heads maybe included on the memo’s distribution list. The purpose of the memo is to introduce the objectives of the audit, to detail the planned review process, and to set the expectations for both parties (the auditors and the auditee).
Step 3: Audit Kickoff Meeting
Audit & Advisory Services meets with the auditee to discuss the audit scope and subsequent audit steps. At this meeting, the auditee should provide us with contact names, relevant policies and procedures, and other information that will assist us in the fieldwork. Every attempt to minimize any disruptions of regular departmental routines and to avoid seasonal busy periods will be made.
Auditee Responsibility: To provide contact names, relevant policies and procedures, and other information that will be of assistance during the fieldwork.
Step 4: Fieldwork
Audit & Advisory Services gathers information and performs audit testing to examine documents and other records for evidence to ensure internal controls are in place. During the audit fieldwork, the audit team gathers information to gain an understanding of internal controls and perform detailed testing via review of transactions to evaluate compliance with existing University policies and adherence to external regulations. System-related controls are reviewed for data integrity and completeness. During this time, the audit team also provides regular audit status updates to management.
Auditee Responsibility: Meet with the audit team as necessary and provide requested documentation.
Step 5: Communicating Results
During the course of the fieldwork, if Audit & Advisory Services identifies potential control weaknesses, policy violations, or other issues, findings are discussed with the auditee. An audit finding is defined as an area of potential control weakness, policy violation, or other issue identified during the audit. Documentation of all audit findings with supporting documentation will be maintained to reflect the discussion of these findings with management during the course of the audit. Throughout the audit, the auditor and/or audit management will discuss the findings with the auditee management in order to communicate those findings issues and obtain agreement on facts and resolution. If further review and discussion determine that the finding is valid, it will be documented in the audit report.
Step 6: Audit Exit Meeting
At the conclusion of the fieldwork, Audit & Advisory Services formally meets with the auditee to discuss issues, audit recommendations, and action plans that will be contained in the audit report. Action plans are discussed and agreed upon by the auditee and Audit & Advisory Services to ensure that the management response is reasonable and achievable.
Auditee Responsibility: Review audit issues and recommendations for completeness and accuracy. Provide formal management response and action plan.
Step 7: Audit Report
Issues, recommendations, and management responses are included in a draft audit report which is reviewed by all levels of management.
Risk Issue Levels:
During the course of audit work performed, audit findings are rated as High, Medium or Low based on established criteria. This ensures consistency in reporting audit findings and to ensure the significance of each finding is rated per agreed upon criteria and the seriousness of the audit finding.
Audit & Advisory Services then issues a formal audit report which is used to inform University and auditee management of the identified issues and control weaknesses and assist management move toward improvement in areas of concern. Audit reports include risk issue levels and are delivered to the Audit Committee.
Following the issuance of the final audit report, auditees and auditee management are asked to complete a Post Audit Survey to help Audit & Advisory Services evaluate the effectiveness of the audit process, including the effectiveness of the review areas in planning the audit, audit team performance, professionalism, and knowledge of the audit team.
If you’ve been recently audited by our department and would like to provide feedback, please click here and you will be directed to our online survey tool.
Audit & Advisory Services follows up with management within an agreed upon timeframe if any high or moderate risk issues were identified in a final audit report. At that time, Audit & Advisory Services will request information on corrective action taken to address all previously identified significant issues.