The Standard Audit Process
The most successful audit projects are those in which the auditor and the auditee consider themselves as consultant and client. Understanding and applying this concept tends to foster a more constructive working relationship and can result in improved operations for the department under review.
Although each unit is unique, there are similarities that can be found in each. The typical audit process is illustrated as follows:
Prior to meeting with the client, the Internal Auditor will begin planning for the engagement. If the area has been audited previously, a review of the audit work paper file and prior audit reports will be done to familiarize the auditor with the unique operations of the particular unit. Any developments that may have occurred since the last audit that could potentially impact the current audit are carefully reviewed and considered. Examples include the installation of a major new computer system, new management, reorganization, or staff turnover. Current financial information is usually reviewed during the planning process.
The entrance conference provides the opportunity for the auditor and client to establish the scope and schedule for the audit. The Internal Auditor will contact the department head to schedule a mutually agreeable time for the entrance conference, usually held at the client's location. At the meeting, the auditor will outline the audit objectives, approximate time schedules, types of audit tests, and the process of reporting. The client should inform the auditor of any special time constraints to which the department will be subject. Every attempt to minimize any disruptions of regular departmental routines and to avoid seasonal busy periods will be made. The client should designate himself/herself or a senior member of the department staff as the primary contact person for the auditor to direct questions or requests for assistance. Any special areas of concern the client would like to have reviewed should also be brought up at this meeting.
Preliminary Survey/Systems Analysis: The next phase of the audit process requires the auditor to gather information about the client's operations. This is especially important if the unit has not been previously audited, but is also necessary to determine whether significant changes in operating procedures have occurred since the last audit. The auditor will conduct interviews with key personnel and review office manuals and policies to produce a plan for the remainder of the audit. This work normally results in narratives, procedural flow charts, obtaining samples of documents, and a detailed step-by-step audit program. The purpose of the systems analysis is to determine the types of internal controls the client has implemented and to evaluate them to ensure the proper recording of business transactions, the existence of policies for safeguarding University assets, and the promotion of operational efficiency. Ideally, the auditor will find adequate internal controls and sound operating procedures in place. If this is the case, the auditor will proceed to the transaction testing stage. However, if the auditor detects a significant internal control deficiency during the survey/analysis stage, an audit finding would be written immediately.
Transaction Testing: The purpose of transaction testing is to examine documents and other records for evidence that the internal controls that have been described in the preliminary survey/analysis stage are actually in place and working as intended on a daily basis. When such evidence is found in a representative sample of transactions or records, it can generally be concluded that established procedures are being consistently followed and the level of compliance with internal controls is adequate. When a strong system of internal controls is in place and is being followed, there is confidence that the data generated by the transactions can be relied upon as accurate and that administrative policies are being carried out.
Audit Findings: As is often the case, the auditor will find one or more deficiencies during the course of a typical audit. Some may be significant, but most will be relatively minor problems that will require minimal adjustments in procedures to correct. The auditor will bring all potential audit findings to the client's attention as they are identified in an attempt to resolve them before the completion of fieldwork. Some of the findings may turn out not to be findings at all and will be disposed of. Others may be actual findings that will require more analysis and study by the client after the audit is completed. At the end of the fieldwork stage, the auditor will informally review all actual findings with the client who should expect to see them written in a formal draft report, which will follow. An alternative method is to provide the client with interim audit memos that detail the findings and request a written response. These can be resolved before the draft report is written. The draft report should contain few, if any, surprises.
The auditor will write a draft report for the client to review. After the client has had reasonable time to review the draft report, an exit conference will be scheduled. At the exit conference, the auditor will determine that everything included in the draft report is factually correct. Each audit finding will be discussed in detail, along with the corresponding recommendations for corrective action. Any new information the client has gathered with regard to the audit findings, any alternative recommendations, and any editorial suggestions should be made known to the auditor at this time. This information will be taken into consideration and, if necessary, a revised draft will be issued.
Upon final revision of the draft audit report, the client will be requested to provide a written response to the recommendations presented in the report, usually within 3-4 weeks. The response should indicate:
Whether or not there is agreement with the recommendations.
The plan to implement the recommendations.
Any alternative corrective action planned if not implementing a recommendation.
The expected implementation date.
Any other information necessary for an understanding of the issue.
Upon receipt of the written response, the auditor will issue a final audit report that incorporates the client's responses to the divisional head of the audited department and the Vice Chancellor of Administration and Finance. Additional copies of the report may be distributed as deemed necessary by the Office of Internal Audit.
After a reasonable period of time has passed, the Office of Internal Audit will perform a follow-up review to verify that appropriate action has been taken based upon the prior recommendation. Internal Audit will periodically review the implementation until the auditor has a reasonable assurance that corrective actions are being followed. The follow-up report will be distributed to those who received the original audit report.