1. Outlining the audit process.
The main phases of the audit process are:
- Assessing risk.
- Selecting the area to audit.
- Notifying the component to be audited with a detailed letter describing the subject of the audit—may include an entrance conference, especially if requested.
- Conducting a preliminary survey. During this phase, the auditor familiarizes himself with the particular nature of the department’s operations and processes.
- Evaluating the internal control environment.
- Preparing an audit program, a step-by-step guide to be followed while auditing.
- Performing field work such as interviewing staff, testing transactions, and observing operations.
- Drafting a report and holding an exit conference.
- Obtaining a response to a preliminary draft
- Issuing a final report that includes auditee responses.
- Conducting a follow-up review at a later date, usually 6-12 months later.
Most audits include each of these steps, but exceptions occur.
2. Identifying the types of audits.
The types of audits conducted are:
- Financial: During financial reviews, auditors determine whether historical financial information presents fairly the financial position and results of operations as of a given point—the end of the fiscal year. To form an opinion, auditors examine the internal control structure and test transactions surrounding economic events. Financial audits are not primarily intended to evaluate the auditees’ effectiveness or efficiency. As a result, comments and recommendations about operational matters are byproducts of a financial audit rather than the main objective (delivered in a document known as a “Management Letter.”). For the University globally, the financial audit is conducted by outside independent auditors.
- Operational: Also known as performance audits or managerial audits, these reviews are aimed at assessing an operation's ongoing administrative efficiency and effectiveness. The objective is to assist management in identifying and resolving problems that may exist. To successfully audit operations, auditors develop standard managerial yardsticks and approaches to administrative activities. This process enables the internal auditor to analyze and evaluate the effectiveness, efficiency, and economy of University operations. Although financial data continues to be the base of reference, auditors look beyond the numbers to provide assistance toward improving auditees' operations. At the end of the audit, a written report containing the most significant findings and recommendations is sent to affected and responsible management for consideration and action.
- Construction Audits: These are operational audits performed to review the extent to which contractors fulfill their obligations under construction agreements. These audits are typically outsourced.
- Compliance: During compliance audits, internal auditors assess the degree to which an operation conforms to legal obligations and agreements with outside parties. Included in this category are reviews of federal contracts and grants as well as audits of trusts in the endowment fund. Also included in compliance auditing is assessing the degree to which a component adheres to applicable federal and state policies and procedures.
- Investigative: Internal Audit undertakes investigative audits when circumstances or evidence suggest a fiscal irregularity involving university funds, property, or personnel. Investigative audits differ from other audits in that they are normally conducted without first notifying the personnel who may be affected by the findings. (See University Policy manual, 2.5.8)
- Follow-up audits: Internal Audit has been charged with following up the status of corrective actions taken in response to recommendations in completed audit reports. The follow-up process will usually be less rigorous than the original audit. However, repeated comments on the same issue are typically cause for concern.
- Information Technology: IT auditing provides evaluations of our institution’s policies, procedures, standards, measures, and practices for safeguarding electronic information from loss, damage, unintended disclosure, or denial of availability. An IT audit provides management with an assessment of whether sufficient controls exist to mitigate the University’s risks. Reviews include areas such as: network security; application security and controls; software change management procedures; environmental and physical security; and, disaster recovery procedures. These audits would also be done on an outsourced basis.
Questions may arise during audits that require formal legal analysis. In those situations, University Audit refers the questions to Legal Counsel for their advice and resolution.