The Internal Audit Process
The Audit Process
The audit process is a sequential order of steps followed by the auditor in the examination of client records. The audit process may vary depending on the nature of the engagement, its objectives and type of audit assurance desired.
The Internal Audit Department's goal is to assist departments and to make the audit process as smooth as possible. University personnel are encouraged to contact Internal Audit for advice on internal control procedures, efficiency and productivity questions or to share concerns regarding possible irregularities. All sensitive information received will be kept confidential to the extent possible by law.
The Audit Selection Process
Risk assessment is the identification and analysis of risks to the achievement of the University's established objectives. It is important that Internal Audit's resources be allocated and priorities established to address areas with the highest risk exposure. The degree of risk associated with an area can be measured in financial terms, in terms of activities that affect the delivery of important services to the University community, in terms of goal importance or activities that are regulated by external bodies.
Risk factors must be considered when prioritizing audits and may include, but are not limited to, complexity and size of the operation, personnel turnover, results of previous audits and laws and regulations. In addition, some areas require more frequent audit or review while others may only need to be reviewed every few years.
The existence and effectiveness of internal controls within a department or process is another consideration in the audit selection process. A preliminary step in determining the existence of such controls would include reviewing whether goals and objectives are clearly defined and that actual operations are consistent with those goals.
Types of Audits
Audit projects can normally be categorized as one of the following:
Financial Audit - this type of audit involves a review of a department's records and reports in order to check that financial transactions are properly recorded in the University's financial accounting and reporting system.
Operational/Process Audit - this type of audit involves a review of a department's operating processes, procedures and associated internal control activities.
Compliance Audit - this type of audit generally involves verification of whether or not the department, area or individual is in compliance with established guidelines (policies, procedures, laws, regulations). Various programs, contracts and grants have specific rules and regulations that must be followed in order to maintain funding.
Special Requests (investigative engagements) - this type of audit is usually requested by management or external parties. The purpose is to investigate incidents of possible fraud or misappropriation of assets.
Multiple Objectives - this type of audit will be comprised of one or more of the aforementioned audit categories and is often referred to as a department or unit audit.
Follow-up Engagements - this type of engagement reviews administration's action plans implemented based on a previous audit or review.
Prior to beginning the audit, Internal Audit Department personnel will gather as much information as possible about the area to be audited. Prior audits, if applicable, would be reviewed and areas of concern would be highlighted.
The responsible Vice President, Chair, Dean, Director (client) would be notified in writing of the audit and asked to complete a preliminary survey instrument. The written notification would provide brief information regarding the audit, the time frame for return of the questionnaire and the intent to contact them in the near future to set up the entrance conference.
Audit objectives will be determined and formulated prior to the end of the planning phase. After audit objectives are approved by the Internal Audit Director, a written notification will be sent to the client.
The next phase of the audit process involves gathering information via interviews with key personnel, review of department manuals, policies and procedures, general operations, etc. This work is tailored to address the audit objectives determined during the planning phase.
When performing tests on items, the Internal Auditor may select audit items via a technique called sampling. Sampling allows the auditor to test attributes and internal controls activities by selecting a sample of transactions from a population of data (e.g., payroll checks, Travel and Business Expense Reports (TER)) and testing the presence or absence of certain attributes or qualities. For example, a sample of TERs are selected and tested to see whether or not each contains a signature of approval by an authorized signer. Sampling permits the auditor to review a portion of the total population to determine and express an opinion on whether or not the University is in compliance with policies and procedures, assets are being safeguarded and managed appropriately, or grant sponsor requests are being followed. It allows the auditor to gather evidence that the system of internal controls that has been established is actually in place and functioning appropriately.
After technical review and approval by the Internal Audit Director, a preliminary draft report is prepared and sent to the client. This report will contain an executive summary letter, introduction, statement of objectives and scope, conclusion and summary, appendices outlining the detail of the reported findings and exhibits as appropriate.
The client will have the opportunity to review the preliminary draft for errors in fact and will be asked to provide a response and corrective action plan to the reported findings.
A final draft report containing the client's responses and action plan will then be issued to the applicable area Vice President for review and comment prior to final issuance and distribution.
The final report will be issued to the University President and other responsible parties at the discretion of the Internal Audit Director.
Typically, follow-up activities are scheduled between 60 to 120 days after issuance of the final audit report depending on the significance of the findings noted. Follow-up activities focus primarily on the progress the client is making to correct matters previously reported and any specific instructions received from the University President and Vice President responsible for the area audited. Generally, follow-up report distribution will parallel that of the final audit report.