The Audit Process

Audit Goals

  1. Risk based auditing
  2. Address stakeholder concerns
  3. No surprises to the auditee


You hear that the auditors are coming to conduct fieldwork at your department. You may ask, “What will I have to do? How much of a disruption will this be to my normal operations, and should I show Audit and Consulting Services everything that I do?” Remember, we are on the same team, so we are working together to help the university meet regulatory compliance and quality standards.

The first notification of an audit is typically when the Chief Audit Executive or lead auditor on the engagement contacts the department head for the department(s) expected to be included in the audit.   This is introductory and is often used to communicate that we’ll be in touch to schedule an audit planning meeting.


The audit planning phase is extremely important to the success of the overall audit.   Planning includes our performance of an engagement level risk assessment, preliminary survey, planning meeting and, on occasion, an internal control questionnaire.

Engagement Level Risk Assessment

The purpose of the risk assessment is to determine the risks involved with the planned audit topic. The risks will be evaluated to determine which are high risk and should be considered for inclusion in the current audit. Oftentimes we bring the risk assessment to the planning meeting to review with the department head and gather their perspective on the risks identified and the assessment of the risks.

Preliminary Survey

The purpose of the preliminary survey is to help us gain a basic understanding of your department’s operations, and help us prepare for our visit with you.   This preparation helps our visits move quickly and efficiently.

Planning Meeting

The auditor will contact the department head, process owner or relevant stakeholder to discuss the audit planning, gather additional information, ensure that our understanding of relevant processes is accurate, and review the engagement level risk assessment.   We will discuss tentative audit objectives and scope, and inquire about other concerns or risks that may not have been identified thus far.

At times, it is efficient to conduct the internal control questionnaire (ICQ) during this meeting, but at other times the ICQ will be conducted during fieldwork.

Internal Control Questionnaire

These are commonly referred to as ICQs.   An ICQ is a tool used by auditors to document a process or function, including the basics of the process such as who, what, why, where and how.   These often help us identify potential segregation of duties issues for the process being audited.   They also help us understand the documentation we are reviewing and any department-specific internal controls that we should be aware of.

ICQs may be conducted during the audit planning phase or during fieldwork.

The end of planning is marked by the development of a defined scope and objectives for the audit that takes into account concerns and risks identified during the planning steps described above.

Entrance Letter

This is the formal notification to the Chancellor that the audit is beginning.   It usually includes our planned dates for fieldwork.


Audit fieldwork for your department will usually take about two business weeks.   It’s not unusual for the auditor to be on-site for one of the business weeks.   The following components are typical during fieldwork.

Entrance Conference

This is a meeting with the department head and staff who are pertinent to the audit. We will also invite the associate vice chancellor for administrative services. The following will be discussed at the meeting:

· The final scope and objectives of the audit
· Auditor work space and internet access
· Office rules that the auditor needs to be aware of
· The audit report process
· Key dates and milestones for the audit process
· Any questions you may have

Process Walk-thru

For many processes we like to have a knowledgeable individual walk us through the key points of the process from the original source document to the final disposition of the transaction.   For example, in a cash receipts audit, we may ask someone to walk us through the process from the time the department is available to receive funds on a normal day to delivering that day’s deposit to the business office or the bank.   It’s not uncommon to have to work with multiple departments to complete the walk-thru.

Transaction Sampling

Most audits include review of files and documentation relevant to the processes or functions being audited. Sometimes we will have a sample of transactions for which we will ask to see the related documentation; at other times we will ask where files are kept and select a sample on-site. Oftentimes we use a mix of the two sampling methods.

Our auditors will strive to limit disruption to your regular work day.   We’ll try to cover questions at the end of each day, or at the end of the visit.   If additional fieldwork is necessary, we will coordinate with you to meet again at a mutually agreeable time.   We often make copies of documentation to take with us for further review at our office.   If questions arise during our review, we will email or call you with them.   Also, if at any time you have questions about our work, please feel free to ask us.

Exit Conference

When fieldwork is complete, we will schedule an exit conference with you to discuss the audit results.   We will also invite the associate vice chancellor for administrative services.   This is an opportunity to help us better understand any results that require more context or to explain those we may have misinterpreted.   The meeting helps reduce uncertainty about the audit report.   See Audit Reports for details on our audit reporting.

The exit conference is also very important because we seek your agreement or disagreement with each audit recommendation, and your opinion as to the reasonableness of each recommendation. We do not want to issue a recommendation whose cost outweighs the risk, or one that is addressed to an individual who is not best suited to ensure implementation of the recommendation. We want the recommendations to mitigate the risk identified but also for them to work with you, not against you.