I'm Going to be Audited! Now What?
Why was my department selected to be audited?
Internal Audit's scheduling process begins with requests for audit services. Requests and suggestions come from several sources. One major source is Internal Audit itself. Our extensive knowledge of the risks facing the university and its operations gives us a perspective on the areas in which we can reduce those risks. Some of Internal Audit's projects result from the annual external audit of the university as a whole, which is conducted by an outside accounting firm.
University and departmental management represent other sources of requests. These originate from management's requests for assistance concerning the administration of a specific area.
Several factors influence the scheduling of audit services, including the degree of risk or exposure to loss, the type of audit, and the current and planned work in other audit projects requiring substantial time commitments.
Numerous audits simply originate from a random selection.
What will the auditors need from me?
In order to perform a successful audit, cooperation and communication between the auditor(s) and the area being audited are essential. Your active involvement will be needed throughout all phases of the audit - starting before the entrance conference, and continuing through planning, testing, reporting, and follow-up. The following are specific examples of how your active involvement will enhance the audit process and the resulting product:
Prior to entrance conference - Supply requested information regarding financial, operational, and information system documentation. If you are aware of other information that would be helpful to us as we review your operation, we ask that it also be provided.
Entrance conference - Share any internal control concerns you have regarding the unit being audited. This is an opportunity to request audit review and assessment of issues troubling to management.
Planning - In addition to providing input throughout the planning process, review the engagement letter and audit work plan, and where appropriate suggest revisions. Ask questions if you don't understand why certain activities have been included or excluded.
Testing - As test results are shared with management, we ask that you review the preliminary results and begin thinking about possible corrective actions.
Reporting - Review the draft report and make suggestions for any changes or enhancements before, or during, the exit conference. Keep in mind this review is vital to ensuring the accuracy of the report.
Developing the management plan - Your involvement is particularly critical to ensure the corrective action taken is the best solution to the control issue addressed. We encourage departments to offer alternative solutions to the issues addressed and to project realistic time frames for completion of the management plan. In some cases, departments may decide to accept certain risks if they feel no cost-effective solution is available.
Recommendation follow-up - Be proactive in monitoring and reporting the status of corrective action. The primary benefits of the audit are not realized until effective corrective action is taken.
How long will the audit take?
Audits can last from one or two days to several weeks. The auditor(s) assigned to your area will give you a reasonable estimate of the time they need to complete the audit.
Will the audit disrupt my department's everyday activities?
Like any special project, an audit affects the department's routine to some extent. Internal Audit makes every effort to minimize this disruption and cooperate with you to ensure a smooth process.
What is the audit process?
The following outlines a standard audit process. Depending on the scope of a particular audit or review, some steps may be modified or deleted.
I. Scheduling of an Audit Project
Entrance Conference - A meeting to discuss the nature and scope of the audit and the operational characteristics of the department to be audited.
Preliminary Survey - A departmental profile to be completed by the department's management.
III. Field Work - The gathering of evidence through observation, inspection, and confirmation to enable a reasonable basis for an opinion or conclusion about controls, compliance, and performance. Field work helps to ensure that we gain a sufficient understanding of your operation.
Systems Analysis - A review of the system's documentation and capabilities where the auditor(s) may use a variety of tools and techniques including flow charts, interviews, data gathering and analysis, and techniques for documenting findings.
Transaction Testing - Tests of important controls to determine if the control is reliable and transactions comply with rules and regulations.
Advice and Informal Communications - To promote constructive communication and avoid misunderstandings.
IV. Reporting Process
Informal Discussion Draft - Includes audit findings and recommendations for the department's responses and feedback.
Exit Conference - A formal meeting to discuss the preliminary audit findings and draft audit report.
Client's Response - Submission of the department's responses to audit recommendations for inclusion in the audit report.
Final Audit Report - The final report includes audit findings, recommendations, the department's responses, and the auditor's conclusions.
V. Audit Follow-up - Internal Audit will review and report on the extent of implementation of recommended corrective actions.