The Audit Process
- Risk based auditing
- Address stakeholder concerns
- No surprises to the auditee
You hear that the auditors are coming to conduct fieldwork at your department. You may wonder: “What will I have to do? How much of a disruption will this be to my normal operations, and should I show Internal Audit everything that I do?” Remember, we are on the same team so we are working together to help the university meet regulatory compliance and quality standards.
The first notification of an audit is typically when the chief audit executive or lead auditor on the engagement contacts the university audit liaison, which is often the Vice Chancellor for Administrative Services or their designee, and the department head for the department(s) expected to be included in the audit. This contact is introductory and is often used to communicate that we’ll be in touch to schedule an audit planning meeting.
The audit planning phase is important to the success of the audit. Planning includes our performance of an engagement level risk assessment, preliminary survey, planning meeting(s) and, on occasion, an internal control questionnaire.
Engagement Level Risk Assessment
The purpose of the risk assessment is to determine the risks involved with the planned audit topic. The risks will be evaluated to determine which ones are high risk and should be considered for inclusion in the current audit. Sometimes we bring the risk assessment to the planning meeting to gather perspective on the risks identified and the assessment of the risks.
The purpose of the preliminary survey is to help us gain a basic understanding of your department’s operations or the process or function being audited, and help us prepare for the audit.
The auditor will contact the department head, process owner, subject matter experts, and other relevant stakeholders to discuss audit planning, gather additional information, ensure that our understanding of relevant processes is accurate, and review the engagement level risk assessment. We will discuss tentative audit objectives and scope, and inquire about other concerns or risks that may not have been identified thus far.
At times, it is efficient to conduct the internal control questionnaire (ICQ) during this meeting, but at other times the ICQ will be conducted during fieldwork.
Internal Control Questionnaire
These are commonly referred to as ICQs. An ICQ is a tool used by auditors to document a process or function, including the basics of the process such as who, what, when, why, where and how. These often help us identify potential segregation of duties issues for the process being audited. They also help us understand the documentation we are reviewing and any department-specific internal controls that we should be aware of.
ICQs may be conducted during the audit planning phase or during fieldwork.
The end of planning is marked by the development of a defined scope and objectives for the audit that takes into account concerns and risks identified during the planning steps described above.
This is the formal notification to senior leadership that the audit is beginning. Distribution of the entrance letter often includes one or more Chancellors and Vice Presidents, depending on the audit topic. The entrance letter may be distributed before or at the end of audit planning.
The length of time for audit fieldwork varies by audit topic and scope. We perform the majority of fieldwork remotely, but we will be onsite for some procedures. The following components are common during fieldwork.
Communication of Entrance Information
Not to be confused with the Entrance Letter, this is a more detailed communication that we relay via email to the university audit liaison and individuals we expect to work with during fieldwork. We are always happy to schedule a meeting upon request to discuss the information further.
- The final scope and objectives of the audit
- Initiate discussion on auditor work space and internet access (if onsite fieldwork has been determined)
- Key dates or milestones for the audit
- Next steps/what to expect
For many processes we find it helpful to have a knowledgeable individual walk us through the key points of the process from the original source document (or other starting point) to the final disposition of the transaction (or other ending point). For example, in a cash receipts audit, we may ask someone to walk us through the process from the time the department is available to receive funds on a standard business day to delivering that day’s deposit to the business office or the bank. It’s not uncommon for auditors to work with multiple departments to complete the walk-thru.
Most audits include review of files and documentation relevant to the processes or functions being audited. Usually we will have a sample of transactions for which we will ask to see the related documentation. On occasion, we will ask where files are kept and we’ll select a sample onsite.
Our auditors will strive to limit disruption to your work day. However, we often have questions arise during the review of documentation. We will email or call you to review the questions. This is to ensure an accurate understanding of the documentation and avoid inaccurate assumptions or observations made on incomplete knowledge or information.
Also, if at any time you have questions about our work, please feel free to ask us.
When fieldwork is complete, we will schedule an exit conference with you to discuss the audit observations and tentative recommendations. We will invite the university audit liaison, too. The exit meeting is another opportunity to help us better understand any results that require more context or to explain those we may have misinterpreted. The meeting helps reduce uncertainty about the audit report. See Types of Reports for details on our audit reporting.
The exit conference is also important because we seek your agreement or disagreement with each audit recommendation, and your opinion as to the reasonableness of each recommendation. We do not want to issue a recommendation for which the cost outweighs the risk, or that is addressed to an individual who is not best suited to ensure implementation of the recommendation. We want the recommendations to mitigate the risk identified and work with you, not against you.