Internal Audit Services


Audit Process


What to Expect When Audited


In most cases, expect to receive notification when you or your department is to be audited. However, there may be instances in which we conduct audits without prior notification, e.g., continuous auditing of transactions for anomalies, a fraud allegation, etc. Expect to:

  • Understand the audit's purpose and objective
  • Provide your ideas or concerns regarding the audit
  • Be treated with respect and courtesy
  • Be asked for various financial and department documentation; some may be confidential
  • Have confidential information remain confidential
  • Answer all questions honestly
  • Receive a draft copy of the final audit report prior to its release

Preparing for an Audit


  • Have all requested materials/records ready when requested
  • Organize files so we minimize disruption of your office
  • Provide complete files
  • Please make yourself available during the time of the audit and communicate any planned absences
  • Provide work space for auditors, if requested

The Audit Process


Step 1: Planning


The auditor will review any prior audits in your area, professional literature, relevant regulations and industry best practices. The auditor will research applicable policies and statutes and prepare a basic audit plan to follow.


Step 2: Notification


Internal Audit Services will notify the appropriate department or departmental personnel regarding the upcoming audit and its purpose, at which time an opening meeting will be scheduled.


Step 3: Opening Meeting


This meeting will include management and any administrative personnel involved in the audit. The audit's purpose and objective will be discussed as well as the audit program. The audit program may be adjusted based upon information obtained during this meeting.


Step 4: Preliminary Work and Planning


The core of the audit program is developed using knowledge and information obtained during this process. Through interviews with key personnel and walk-throughs of key processes, the auditor will gain an understanding of your operation. Based on this initial assessment of risks and controls, tests of controls will be developed. The auditor will be learning about:

  • The objectives of the operation and major processes
  • The risks that could prevent objectives from being met
  • The controls that are in place, or should be in place, to manage these risks

Step 5: Fieldwork


This step includes the testing to be performed as well as follow-up interviews and walk-throughs with appropriate department personnel as necessary.


Step 6: Report Drafting


After the fieldwork is completed, a report is drafted. The report includes such areas as the objective and scope of the audit, relevant background, the strengths of the operation and department and the findings and recommendations for correction or improvement.


Step 7: Closing Meeting


This meeting is held with department management. Prior to the closing meeting, a draft report will be submitted to department management for their review. The audit report and management responses will be reviewed and discussed. This is the time for questions and clarifications. Also, department management should suggest any changes or corrections to the draft audit report. Results of other audit procedures not discussed in the final report will be communicated at this meeting.


Step 8: Management Response


At the closing meeting, management will be requested to provide written responses to each audit recommendation. Appropriate responses to audit report observations and recommendations should:

  • Not be a defense or justification as to why the observation noted occurred
  • Be brief, explaining how you will ensure the observation does not reoccur, i.e., changes to policies or procedures
  • Consider the audience or report recipients, i.e., President and Board of Trustees' Audit Committee

Responses are inserted into the report verbatim, including typos and grammatical errors. So please proofread and try not to be verbose. To ensure accountability, management responses should include the name of the person responsible for implementing the recommendation and the expected implementation or completion date.

We also request responses from one level above the department audited. The second or third level respondents should review the first level response for appropriateness and agreement. If the second/third level disagrees with the response or does not feel it's appropriate, they should contact the first level respondent to come to an agreement on the response. If the second/third level respondent agrees, the response may be as simple as "I concur".


Step 9: Report Distribution


Once all responses are received, the report is distributed to the president, provost, the Board of Trustees' Audit Committee, the vice president for Business and Finance, the controller and the audited unit's administration and management.