The purpose of this stage is to create a positive relationship with the auditee, identify pertinent information and useful audit tools for the activities to be audited.
Research activities include discussions with relevant officers of the area under review, scanning documents such as policies, procedures, memos. The internal auditor surveys the e-mail discussion lists and establishes contacts with auditors worldwide who have recently completed similar audits. The internal auditor also performs keyword searches on the internet to identify audit programs that apply to our audit.
At this stage, a consultative team is formed with the auditee. The team is composed of officers from the area under review who will work with the internal auditor throughout the audit. The approach advocates the concept of cooperative auditing whereby the auditee is an active participant in the audit process.
This process is arguably the most critical step in an audit. The aim is to perform a risk assessment coupled with an informal Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis of the area and related activities. The purpose is to identify in conjunction with the auditee and stakeholders significant issues with the view to extract from the list, the four or five most important ones. These will be the issues that are critical to the area.
Thus, at this point, the scope of the audit is determined with management and the stakeholders.
The Internet, Library's CD-ROMs, Email discussion lists, site visits and resources from peers are key tools used to identify Best Practices in relation to the issues selected from the scope analysis.
In particular, we do three main types of research. The first type is for the Email lists through the Internet aiming at documenting and gathering evidence about Best Practice worldwide. Responses from our peers across the world then assist us in formulating practical recommendations which appeal to the auditee as being cost effective.
The second type is a staff survey of the area under review which entice them to suggest ways to improve the systems and practice in place.
The third type is a stakeholders survey where they are invited to state their needs and suggest ways to improve the various processes that impact on their activities.
Through the Internet, we may extract audit programs or reports from various sites.
The fieldwork involves the gathering of sufficient, appropriate evidence with the aid of relevant audit techniques. This stage involves the confirmation that key controls are designed and operate effectively, and that processes are cost effective. We measure performance through agreed criteria with the auditee and with the input from our peers on the Internet who would have had recently completed a similar audit. Documents are also extracted from several databases to be used as measuring and evaluating tools.
We sample transactions, perform substantive tests depending on the results of controls tests.
Emerging findings are discussed with the management team.
We prepare drafts and agree all facts with the consultative team. We work closely with the team to ensure that our recommendations, often based on Best Practice noted in other universities or organizations are practical and cost effective.
We hold an exit conference to discuss each of the findings and recommendations. This gives management the opportunity to discuss their thoughts regarding the recommendation and head toward a consensus.
Management will then submit those responses in writing and they will be included in the final audit report. These responses should include a timetable for implementing recommendations.
The final audit report is then submitted to the key officers, the President and, if requested, the Kansas Board of Regents.
We perform followup after approximately six months to one year after the final report to discuss auditee's success at implementing the recommendations. Results of followup are submitted to key officers and the President.