Deciding what to audit
Each year, Internal Audit proposes a slate of planned audits to the Audit Committee of the Board of Trustees for approval. We decide which departments to audit by considering:
- The relative risk of various operations throughout the University, giving consideration to numerous types of risk
- The results of past audits
- Input from Internal Audit team members, the Audit Committee of the Board of Trustees, University administration, department managers and external auditors
- Requests for internal audit work from trustees or members of management
The audit process
In general, if we select your department to be audited, we'll discuss such with senior managers in your office well in advance. While there's never a good time for an audit, there are often particular times that are the worst, and we do our best to avoid those.
We'll schedule a pre-audit meeting with leadership of the area to solicit input as to what areas would be best to address in the scope of the audit. This is a great time to ask questions or raise concerns about the process and how you can help.
After we solicit input from leadership and do preliminary information gathering, we finalize the scope of the audit and an estimated timeline of how long the audit will take.
Planning—We review any applicable regulatory standards, industry standards, and prior audit work papers. We then meet with key members of management with responsibility for the function to obtain insight into areas that could be a focus of the audit. This process helps us to scope the audit.
Fieldwork—We conduct interviews, observe your department's workflow, assess your department's controls, review and analyze documents, and compare and contrast record data. We may also perform detailed testing on specific samples. During fieldwork, we discuss any potential findings with management as they arise. If the finding is formalized, we request a responsive management action plan and a date by which it will be completed.
Updates—Our staff will regularly share information about the ongoing audit, the timeline and progress of the audit, any findings that have resulted from fieldwork performed and any areas that are stumbling blocks to completing the audit.
Draft Audit Report—Our audit reports include the scope of the audit as well as affirmative results and findings. The draft report is provided to area leadership for review. While this is the first time management sees the draft audit report, all findings will have already been communicated to management prior to this time.
Final Audit Report—Once management has had an opportunity to review and comment on the report, it is finalized and distributed. The standing distribution list for our audit reports includes a number of members of senior management and the chair of the Audit Committee of the Board of Trustees.
Findings Follow Up—Our office revisits management responsible for the action plans in response to findings, in order to ensure the management action plans have been satisfactorily implemented. Findings are not closed until we are confident that adequate response has taken place. Reports on past due findings are provided to executive leadership and the Audit Committee at their periodic meetings.