Audit Process

The scope and engagement planning of routine audits will, to the extent practicable, be in conformity with the International Standards for the Professional Practice of Internal Auditing (Standards) as promulgated by the Institute of Internal Auditors, Inc.  Standards (Sections 2120 - 2201) require the internal auditor to obtain an understanding of the audited unit's risk management processes, governance, operations and information systems as a basis for planning the audit. This planning activity includes a review of strategic objectives; financial and operational information; operations; safeguarding assets; and compliance with laws, regulations, policies, procedures and contracts.

  • Planning - The Office of Internal Auditing (OIA) will maintain an annual audit plan, approved by the Chancellor and the Board of Trustees' Risk Management, Audit and Compliance Committee, covering each fiscal year.
  • Scheduling - The OIA will send out letters informing departments of the intent to perform an audit during the applicable period. The OIA will notify an area scheduled for an audit at least two (2) weeks before the scheduled beginning date. Approximately one week before the beginning date, the OIA will schedule an entrance interview with the manager and other auditee personnel the manager considers appropriate.

The entrance interview marks the beginning date for field work. The OIA will discuss the objectives and scope of the audit, estimated time for completion of the audit, on-site workspace requirements, procedures for communicating audit findings, and audit report procedures. The auditee will be requested to identify problem areas which the OIA may be able to offer assistance. Results of the entrance interview will be documented and placed in the planning file of the working papers for the particular audit.

A review (study and evaluation) of internal control involves performing, as appropriate, a survey to become familiar with the activities, risks, and controls to identify areas for audit emphasis and to invite auditee comments and suggestions.

During this phase of the audit, testing of internal controls and other procedures necessary to accomplish the objectives of the engagement are performed.

Exceptions noted during the audit are communicated orally as found and graphically with a recommendation for each finding after completion of applicable audit section. (All findings require approval of the Audit Director.) The audited department is requested to return communications with departmental responses to the OIA in two weeks. Auditee responses are included with findings and recommendations in the final audit report (except in the case of fraud and some special request audits).

The OIA will discuss conclusions and recommendations at appropriate levels of management before issuing final written reports. A draft of the audit report is reviewed at the exit conference. The exit conference allows the auditee the opportunity to discuss, challenge, and seek clarification of any finding, recommendation or report content. After the exit conference, a second report draft (if necessary) is reviewed in a meeting with senior management to discuss the implications of the audit and other concerns that may arise.

A signed written report will be issued after audit completion and should be objective, clear, concise, constructive and timely. The final report includes a statement evaluating auditee responses. The evaluation statement will indicate whether the responses have or have not satisfied the requirements of the stated recommendations.

The OIA will conduct follow-up reviews of all audit findings to determine the extent of corrective actions taken to remediate reported deficiencies.  If the review reveals that appropriate action has not been taken, or practices adequately adjusted to resolve audit problems, the Audit Director will notify appropriate University management.