The Audit Process
- Risk based auditing
- Address stakeholder and audit customer concerns
- No surprises to the audit customer
Audit Assignment / Intro
You hear that the auditors are coming to conduct fieldwork at your department. You may ask, “What will I have to do? How much of a disruption will this be to my normal operations, and should I show Audit and Consulting Services everything that I do?” Remember, we are on the same team, so we are working together to help the university meet regulatory compliance and quality standards.
The first notification of an audit is typically when the chief audit executive or lead auditor on the engagement contacts the department head for the department(s) expected to be included in the audit. This is introductory and is often used to communicate that we’ll be in touch to schedule an audit planning meeting.
The audit planning phase is extremely important to the success of the overall audit. Planning includes our performance of an engagement level risk assessment, preliminary survey or inquiries, planning meeting and, on occasion, an internal control questionnaire.
Engagement Level Risk Assessment
The purpose of the risk assessment is to determine the risks involved with the planned audit topic. The risks will be evaluated to determine which are high risk and should be considered for inclusion in the current audit. We welcome the audit customer’s input on the risk assessment for their perspective on the risks identified and the assessment of the risks. It’s common for us to inquire about risks to help us understand them and complete the engagement level risk assessment.
Planning Meeting / Communications
The auditor will contact the department head, process owner, or other relevant stakeholder or audit customer to discuss audit planning and the tentative audit objectives and scope, gather additional information, and inquire about other concerns or risks that may not have been identified thus far.
For efficiency and when it is feasible to do so, we accomplish this step via email communication instead of utilizing a meeting. If a meeting is desired, we are happy to schedule
At times, it is efficient to conduct the internal control questionnaire (ICQ) during a planning meeting, but more commonly the ICQ is conducted during fieldwork.
Preliminary Survey or Inquiry
The purpose of the preliminary survey is to help us gain a basic understanding of the business process or function, or of an individual department’s operations, and to help us prepare for the audit. We aim to use the information to facilitate efficient fieldwork meetings, thus minimizing the time spent by the audit customer. The preliminary survey is often accomplished by requesting copies of or links to applicable policies, procedures, process descriptions, org charts, etc.
System Understanding and Documentation
The auditors are urged to gain an understanding of the underlying technology systems that support the business process or upon which the process relies to operate. This information should be gathered during the preliminary survey and inquiries. As more information becomes known when the audit moves into fieldwork, the auditor will update the system documentation.
The end of planning is marked by the development of a defined scope and objectives for the audit that takes into account concerns and risks identified during the planning steps described above.
This is the formal notification to the chancellor, and other senior leadership, as applicable to the audit scope, that the audit is beginning.
This is an email to the relevant audit customers to communicate the final scope and objectives, as well as key dates and milestones for the audit process. We will schedule a formal entrance conference if one is warranted or requested. The information is initially communicated via email to minimize the impact on the audit customers’ time, but we are always ready to schedule a formal entrance meeting. As noted below, a formal entrance conference is more common when we have an auditor on-site for a portion of the fieldwork.
Fieldwork refers to the auditor’s fact gathering and document review procedures. The length of time for fieldwork varies due to multiple factors, such as whether the audit is a system-wide business process audit or an audit of an individual department. Generally, we aim for fieldwork to last no more than two weeks for an individual department. The auditor may be on-site for one of the business weeks, but we accomplish a lot of our work remotely / from the office. The following components are typical during fieldwork.
This is more common when an auditor will be on-site for a portion of the fieldwork. The Entrance Conference is a meeting with the department head and staff who are pertinent to the audit scope. We will also invite the associate vice chancellor for administrative services, who serves as the liaison between our office and the respective university. The following will be discussed at the meeting:
- The final scope and objectives of the audit
- Auditor work space and internet access
- Office rules that the auditor needs to be aware of
- The audit report process
- Key dates and milestones for the audit process
- Any questions you may have
Internal Control Questionnaire and Process Walk-thru
These are commonly referred to as ICQs. An ICQ is a tool used by auditors to document a process or function, including the basics of the process such as who, what, why, where and how. These often help us identify potential segregation of duties issues for the process being audited. They also help us understand the documentation we are reviewing and any department-specific internal controls that we should be aware of.
For many processes we like to have a knowledgeable individual walk us through the key points of the process from the original source document to the final disposition of the transaction. For example, in a cash receipts audit, we may ask someone to walk us through the process from the time the department is available to receive funds on a normal day to delivering that day’s deposit to the business office or the bank. It’s not uncommon to have to work with multiple departments to complete the walk-thru. It is common that we cover this material during or in conjunction with the ICQ.
Most audits include review of files and documentation relevant to the process or function being audited. Sometimes we will have a sample of transactions for which we will ask to see the related documentation and at other times we will ask where files are kept and we’ll select a sample on-site. Oftentimes we use a mix of the two sampling methods.
Our auditors will strive to limit disruption to your regular work day. We’ll try to cover questions at the end of the day, or at the end of the visit. If additional fieldwork is necessary, we will coordinate with you to meet again at a mutually agreeable time. We often make copies of documentation to take with us for further review at our office. If questions arise during our review, we will email or call you with them. Also, if at any time you have questions about our work, please feel free to ask us.
In preparation for the exit conference, we may reach out to discuss potential findings and recommendations with you. This often serves multiple purposes: it helps us understand the root cause of the finding so we can develop a reasonable recommendation, and it informs us of whether additional information or documentation is available which could clear up the finding.
When fieldwork is complete, we will schedule an exit conference with you to discuss the audit results. We will also invite the associate vice chancellor for administrative services. This is an opportunity to help us better understand any results that require more context or to explain those we may have misinterpreted. The meeting helps reduce uncertainty about the audit report. See Audit Reports for details on our audit reporting.
The exit conference is also very important because we seek your agreement or disagreement with each audit recommendation, and your opinion as to the reasonableness of each recommendation. We do not want to issue a recommendation whose cost outweighs the risk, or that is addressed to an individual who is not best suited to ensure implementation of the recommendation. We want the recommendations to mitigate the risk identified but also to work with you, not against you.
On occasion, we find it optimal to accomplish the exit conference via email, but it’s common to schedule a meeting to walk through any questions or brainstorm ideas for a recommendation.