Audit Process
The scope and engagement planning of routine audits will, to the extent practicable, be in conformity with the International Standards for the Professional Practice of Internal Auditing (Standards) as promulgated by the Institute of Internal Auditors, Inc. Standards (Sections 2120 - 2201) require the internal auditor to obtain an understanding of the audited unit's risk management processes, governance, operations and information systems as a basis for planning the audit. This planning activity includes a review of strategic objectives; financial and operational information; operations; safeguarding assets; and compliance with laws, regulations, policies, procedures and contracts.
- Planning - The Office of Internal Auditing (OIA) will maintain an annual audit plan, approved by senior management and the Board of Trustees' Risk Management, Audit and Compliance Committee.
- Scheduling - The OIA will send out letters informing departments of the intent to perform an audit during the applicable period. The OIA will notify an area scheduled for an audit at least two (2) weeks before the scheduled beginning date. Prior to the beginning of the audit, the OIA will schedule an entrance interview with the manager and other auditee personnel the manager considers appropriate.
The entrance interview marks the beginning date for field work. The OIA will discuss the objectives and scope of the audit, estimated time for completion of the audit, on-site workspace requirements, procedures for communicating audit findings, and audit report procedures. The auditee will be asked to identify any additional areas of concern for possible review by the OIA. Results of the entrance conference will be documented and placed in the planning file of the working papers for the particular audit.
A review (study and evaluation) of internal control involves performing, as appropriate, a survey to become familiar with the activities, risks, and controls to identify areas for audit emphasis and to invite auditee comments and suggestions.
During this phase of the audit, testing of internal controls and other procedures necessary to accomplish the objectives of the engagement are performed.
Exceptions noted during the audit are communicated orally as found and graphically with a recommendation for each finding after completion of applicable audit section. (All findings require approval of the Director of Internal Auditing.) The audited department is requested to return communications with departmental responses to the OIA in two weeks. Auditee responses are included with findings and recommendations in the final audit report (except in the case of fraud and some special request audits).
The OIA will discuss conclusions and recommendations at appropriate levels of management before issuing final written reports. Audit Issue Fact Forms are reviewed at the exit conference. The exit conference allows the auditee the opportunity to discuss, challenge, and seek clarification of any finding, recommendation or report content. It will also give senior management the opportunity to discuss the implications of the audit and other concerns that may arise. A draft of the audit report will be provided to the General Counsel and Vice Chancellor for Legal Affairs, Risk and Compliance either before or at the time of the exit conference for review. If necessary, a second report draft may be generated and reviewed after the exit conference.
A signed written report will be issued after audit completion and should be objective, clear, concise, constructive and timely. The final report includes a statement evaluating auditee responses. The evaluation statement will indicate whether the responses have or have not satisfied the requirements of the stated recommendations. A final audit report containing the auditee's responses will then be issued to the Chancellor, Risk Management, Audit & Compliance Committee members and other responsible parties, at the discretion of the Director of Internal Auditing. A copy of the final report is also sent to the North Carolina Office of State Budget & Management. Copies of all audit reports issued by the Office of Internal Auditing are requested by the North Carolina Office of the State Auditor on an annual basis.
The OIA will conduct follow-up reviews of all audit findings to determine the extent of corrective actions taken to remediate reported deficiencies. If the review reveals that appropriate action has not been taken, or practices adequately adjusted to resolve audit problems, the Director of Internal Auditing will notify appropriate University management.