1. Schedule the Audit
    Audits are scheduled based upon the annual audit plan approved by the Audit, Risk and Compliance Committee of the JMU Board of Visitors with input provided by the audit committee, vice presidents and the president. Audit and Management Services (AMS) periodically completes risk assessments for the purposes of audit planning. Risk factors included in the assessment may include financial, compliance, reputational, physical security, health and safety, and other factors. Audits with higher risks are given priority over lower risk audits. 

  2.  Request Information
    The vice president, assistant vice president or dean, and the department head are notified that an audit will be performed. Specific information required to begin the audit is requested at this time.

  3. Determine the Scope of an Audit
    After reviewing the information provided by the department and further discussions with key personnel, the scope of the audit is determined and communicated to the vice president, assistant vice president and department head.

  4. Develop Understanding of Activities
    A detailed understanding of each activity included in the scope of the audit is developed by reviewing policies and procedures, examining documentation provided by the department and interviewing key personnel. The department and AMS then identify the risks and controls associated with these activities.

  5. Evaluate Internal Controls
    AMS evaluates the design and application of internal controls identified for each activity included in the scope of the audit.  Standard controls (e.g., authorizations, approvals, reconciliations, documentation, and segregation of duties) are evaluated as part of this process.  If control weaknesses are found, AMS makes recommendations to enhance or establish controls.

  6. Test Controls: After identifying the controls that are in place for each activity and evaluating controls design and application, AMS develops an audit program to test if the controls are functioning as intended.  Compliance with applicable policies or laws is also tested.  Errors or exceptions found during testing are discussed with applicable personnel and recommendations to mitigate the risk(s) identified are explored.

  7. Draft Audit Report: At the conclusion of the test work, AMS issues a draft report on the effectiveness of controls, including recommendations for improvements. The draft report is sent to the department head to provide an opportunity to express concerns or disagreement with the findings and recommendations. A revised draft is issued based on discussions with the department head and forwarded to the assistant vice president or dean for review.

  8. Exit Conference: A meeting may be scheduled with the vice president, the assistant vice president or dean, and department head to discuss the report. The purpose of this discussion is to provide the department with an opportunity to express concerns or disagreements with the draft opinion and/or recommendations.  AMS revises the draft report based on the results of this discussion as necessary.

  9. Request Management Responses: After the meeting, the department head is asked to provide management responses in writing to the draft audit report.  AMS incorporates the department's response into the revised draft and forwards it to the assistant vice president or dean and vice president for review.

  10. Issue Final Report: The final report, which includes management responses, is distributed to the president, vice president, assistant vice president or dean, and the department head. The final report is also distributed to the Audit, Risk and Compliance Committee of the Board of Visitors.

Back to Top