What Occurs During an Audit
Once an audit is assigned, an Internal Audit Office staff member will make contact and advise the department administrator of the coming audit to ensure that workload and staffing makes such an undertaking feasible at the planned time. When possible, audits are assigned for a time period that will be the least disruptive for the department. An opening conference will be scheduled to introduce the auditor(s) and discuss the general audit scope and objectives. The department administrator will be given the projected audit timeline through completion; however, there are no guarantees that the auditor will not suspend work to deal with a special time sensitive assignment. If the project is delayed because of a special assignment, the auditor will advise the department administrator of the delay and keep him/her apprised of the revised completion schedule. Our goal is to provide a draft copy of the audit report to the department administrator or the person who requested the audit within three weeks of the completion of fieldwork.
The following applies to financial, performance, program, internal controls, and follow-up audits.
1. Preliminary Survey
During this stage, the auditor conducts an opening conference and completes audit planning which includes:
- Reviewing prior audit reports and other information including nature of the operation, policies and procedures, rules and regulations, budget, revenue and expenses etc. (much of this is done at our office and will not affect your daily work)
- Interviewing key employees on work processes (the auditor will try to work with auditees on scheduling interviews, but to complete our work in a timely manner there may be some disruption),
- Assessing whether processes are functioning as described (while this does not involve extensive meetings with auditees, some interaction with department staff members will be required to clarify points of concern)
- Identifying any additional processes that present risks. This stage identifies the risks the department faces, and the potential effect (both financial and compliance) such risks might have on the department and College. The auditor then ranks them for audit purposes. The audit approach and degree of testing are based on these rankings.
2. Fieldwork And Testing
During this stage, based on preliminary survey findings and risk ranking, the auditor selects transactions to be tested for accuracy and completeness. This can include anything related to business activities and transactions, account reconciliations, reports, and analyses. The extent of testing is dependent upon the adequacy of documentation, internal controls in place, and test results. The presence of good internal controls usually reduces testing, but it may be increased if problems are discovered. Transactions selected for testing are determined using sampling methods tailored to fit the process under review. Sampling for our purposes is generally done randomly. Statistical sampling techniques may be used but generally it entails a substantially larger test. A statistically valid sample is usually not necessary to assess the adequacy of an operating system. Testing also involves verifying the accuracy of assertions made during the preliminary survey by reference to source documentation. The department administrator will be kept appraised of findings during the testing stage so there are no surprises when the report is prepared. Interim meetings with the auditee to discuss findings are a part of the audit process.
3. Concluding The Audit
Completion of an audit involves more than just issuing the audit report. The process includes:
- Writing findings and confirming results with the auditee,
- Discussing the draft report at a closing conference during which potential discrepancies are identified and discussed along with possible action plans,
- Issuing a final report with findings and corresponding recommendations or action plans.
The Internal Audit Office always affords auditees the opportunity to comment on findings during the audit, at pre-closing and closing conferences, and with a formal response. It is our practice to provide the auditee the opportunity to include their response with the final report. We prefer to include the response in the final report so external audiences can see the action plan developed as a result of the audit in a single document.