Audit Process


Audit Goals:

  1. Risk-based auditing
  2. Address stakeholders' (supervisor, department chair, dean, executive management) concerns
  3. No surprises to the client

Introduction:

You hear that the auditors are coming to conduct an entrance conference or fieldwork at your department.  You may ask,

  • What will I have to do? 
  • How was my department selected for an audit?
  • How much of a disruption will this be to my normal operations?
  • Should I show the auditor everything I do?

The most successful audit projects are those in which you, the audit client, and Internal Audit have a constructive working relationship.  Our objective is to have your continued involvement at every phase so you understand what we are doing and why, while trying to minimize disruptions of your daily activities.

Although every audit project is unique, the audit process is similar for most audits and consists of the same phases.  There are five phases of our audit process, each one requiring involvement from you, our audit client.  In the annual audit plan phase, your supervisors, department chairs, deans, and executive management complete a risk assessment questionnaire.  During planning, we work with you to understand and learn about your area so that we can develop steps to evaluate the processes and controls currently in place.  Fieldwork consists of specific testing steps we perform to identify whether the controls are mitigating the risks.  Reporting of our results takes place through a transparent reporting process involving you, the audit client.  Finally, follow-up is where we come back to you after a period of time to reassess the progress made against your agreed-upon management responses.  Each of the following sections describes the above phases in more detail.

Annual Audit Plan:

Every other year we conduct a University-wide risk assessment in the spring.  We interview the supervisors, department chairs, and deans of each department utilizing a standardized questionnaire. This questionnaire identifies specific risk criteria within six general areas of risk:

  1. Financial Risk
  2. Management Control & Operations Risk
  3. Strategic Risk
  4. Compliance & Public Interest Risk
  5. Information Technology Risk
  6. Audit History & Judgment Risk

We have developed the questions to attempt to objectively determine the amount of risk in the department relative to each risk criterion.  Each individual criterion is given a score from one (low risk) to five (high risk) and the sum of all those scores determines the department’s risk ranking.  We evaluate those departments with high-risk rankings and develop the annual audit plan.  We present the proposed annual audit plan to the President and the Fiscal Affairs and Audit Committee of the Kansas Board of Regents for review and approval.

Planning:

The planning phase is extremely important to the success of the overall audit.  During the planning phase we:

  • Gather relevant background information about your department via: your strategic plan, your policies and procedures, your job descriptions, ACUA resources, Google searches, and e-mail discussion lists
  • Review the background information we gathered to understand your department’s goals and objectives  
  • Conduct an opening meeting with you to provide education about the audit process, obtain your list of high risks affecting your department, and obtain your general concerns about your department
  • Develop a department level risk assessment to determine which risks are high and what processes should be reviewed during fieldwork
  • Develop the audit scope and objectives for your audit and provide you with the audit scope and objectives
  • Develop the audit program – an outline of the fieldwork steps necessary to achieve the audit objective

Fieldwork:

It is during this phase that we gather relevant information about your department in order to obtain a general overview of your operations and internal controls and perform transaction testing.  During fieldwork, we determine whether the controls identified are operating efficiently and are adequately controlling the risks identified during the planning phase.  During the fieldwork we:

  • Conduct inquiry interviews with you and/or your staff to obtain an understanding and documentation of your departmental policies, processes, and related internal controls
  • Observe you and/or your staff performing their daily operations and obtain copies of your documentation
  • Review supporting documentation for your historic transactions based on a sample selection
  • Keep you informed of the process and any findings we may have, if possible

Reporting:

During the reporting phase, we schedule several meetings: preliminary close meetings and a final close meeting.

  • 1st preliminary close meeting – includes us and you and your staff; your staff is included in this meeting at your discretion
  • 2nd preliminary close meeting – includes us and your direct supervisor; you are included in this meeting at your supervisor’s discretion
  • Final close meeting – includes us, the President, and the associated Vice President; you may be asked by your Vice President to attend this meeting

By having the first meeting with you and not your supervisors, there should be no surprise to you once we discuss the audit with your supervisors.

1st preliminary close meeting:

When the fieldwork is complete, we schedule the first preliminary closing meeting with you and your staff to discuss the audit results.  During this meeting, we discuss our findings and recommendations.  Typically, this information is in the format of a finding spreadsheet.  This is an opportunity to help us better understand any results that require more context or to explain those we may have misinterpreted.  Our recommendations are just that, recommendations based on our knowledge of the subject or a best practice we identified during our research of the audit area. 

At the conclusion of this meeting, we request that you provide us with your management responses to our audit findings and suggested recommendations.  Your management responses are usually required back to us within 2 weeks.  Your management response is either:

  • Acceptance of our recommendation and how you will implement the recommendation
  • Partial acceptance of our recommendation and how you will implement the recommendation
  • A new recommendation you developed to resolve the finding and how you will implement the recommendation
  • Or a statement that you, the management, accept the risk and will not be making any changes to your process and why

As you can see, this meeting is very important because we seek your agreement or disagreement to each audit finding and recommendation, and your opinion as to the reasonableness of each recommendation.  We do not want a recommendation whose cost outweighs the risk.  We want the recommendations to mitigate the risk identified but also for them to work with you, not against you.

Between the first and second preliminary meeting, we draft the audit report based on the information in the audit finding spreadsheet.  At this point, we adjust the wording if necessary to make the report sound more like an audit report and less like a spreadsheet.  We also give an overall opinion regarding the audit results.  Once we receive your management responses, we include them in the draft audit report.   We send you the draft report for your review.

2nd preliminary close meeting:

Once we have received your management responses and you have reviewed the draft report, we meet with your direct supervisor to discuss the draft audit report.  We discuss the audit findings, recommendations, and your management responses.  We make any revisions recommended during the second preliminary close meeting to the draft audit report. 

Final close meeting:

The final close meeting is very similar to the second preliminary meeting except the President and Vice President of your area are in the meeting to discuss the draft audit report.  We discuss the audit findings, recommendations, and your management responses.  At the conclusion of the meeting, we request the approval of the draft audit report.  We receive the approval of the draft audit report via email.  We change the draft report into a final report and send it electronically to you, your supervisor, your Vice President, and the President.

As part of our self-evaluation program, we ask you and/or your staff to comment on our performance.  We send you an email with a link to our post-audit survey after the final close meeting.  This survey helps our department evaluate our strengths and weaknesses and foster future improvements in our audit process.

Follow up:

Once a year in April or May, we perform audit follow up.  During audit follow up, we send you an email requesting you provide us with the status of your management responses.  We want to know if you have implemented the recommendations.  Sometimes we request more information from you to test whether you have completely implemented the recommendations.  We create a report of the number of outstanding recommendations.  The report is issued to the President.

As we have pointed out, during each phase in the audit process you have the opportunity to participate.  There is no doubt that the process works best when we have a solid working relationship based on clear and continuing communication.  Many departments extend this working relationship beyond the initial audit.  Once we have worked with you on a project, we have an understanding of the unique characteristics of your department’s operations.  As a result, we can help evaluate future changes or modifications in your operations.