In most cases, expect to receive notification when you or your department is to be audited. However there may be instances in which we conduct audits without prior notification, i.e., continuous auditing of transactions for anomalies, fraud allegation, etc. Expect to:
Understand the audit's purpose and objective
Provide your ideas or concerns regarding the audit
To be treated with respect and courtesy
To be asked for various financial and department documentation; some may be confidential
Have confidential information to remain confidential
To answer all questions honestly
To receive a draft copy of the final audit report prior to its release
Preparing for an Audit
Have all requested materials/records ready when requested
Organize files so we minimize disruption of your office
Provide complete files
Please make yourself available during the time of the audit and communicate any planned absences
Provide work space for auditors, if requested
The Audit Process
The auditor will review any prior audits in your area, professional literature, relevant regulations and industry best practices. The auditor will research applicable policies and statutes and prepare a basic audit plan to follow.
Internal Audit Services will notify the appropriate department or departmental personnel regarding the upcoming audit and its purpose, at which time an opening meeting will be scheduled.
This meeting will include management and any administrative personnel involved in the audit. The audit's purpose and objective will be discussed as well as the audit program. The audit program may be adjusted based upon information obtained during this meeting.
Preliminary Work and Planning
The core of the audit program is developed using knowledge and information obtained during this process. Through interviews with key personnel and walk-throughs of key processes, the auditor will gain an understanding of your operation. Based on this initial assessment of risks and controls, tests of controls will be developed. The auditor will be learning about:
The objectives of the operation and major processes
The risks that could prevent objectives from being met
The controls in place or should be in place to manage these risks
This step includes the testing to be performed as well as follow-up interviews and walk-throughs with appropriate department personnel as necessary.
After the fieldwork is completed, a report is drafted. The report includes such areas as the objective and scope of the audit, relevant background, the strengths of the operation and department and the findings and recommendations for correction or improvement.
This meeting is held with department management. Prior to the closing meeting, a draft report will be submitted to department management for their review. The audit report and management responses will be reviewed and discussed. This is the time for questions and clarifications. Also, department management should suggest any changes or correction to the draft audit report. Results of other audit procedures not discussed in the final report will be communicated at this meeting.
At the closing meeting, management will be requested to provide written responses to each audit recommendation. Appropriate responses to audit report observations and recommendations should:
Not be a defense or justification as to why the observation noted occurred
Be brief, explaining how you will ensure the observation does not reoccur, i.e., changes to policies or procedures
Consider the audience or report recipients, i.e., President and Board of Trustees' Audit Committee
Responses are inserted into the report verbatim, including typos and grammatical errors. So please proofread and try not to be verbose. To ensure accountability, management responses should include the name of the person responsible for implementing the recommendation and the expected implementation or completion date.
We also request responses from one level above the department audited. The second or third level respondents should review the first level response for appropriateness and agreement. If the second/third level disagrees with the response or does not feel it's appropriate, they should contact the first level respondent to come to an agreement on the response. If the second/third level respondent agrees, the response may be as simple as "I concur."
Once all responses are received, the report is distributed to the president, provost, the Board of Trustees' Audit Committee, the vice president for Business and Finance, the controller and the audited unit's administration and management.