Overview of the Audit Process
- Request for Information
The President, Vice President, Assistant Vice President and the Department Head are notified that an audit will be performed. Specific information required to begin the audit is requested at this time.
- Determining the Scope of an Audit
After reviewing the information provided, considering the information systems for which the department has responsibility, and meeting with the Department Head, the scope of the audit is determined.
- Communicating the Scope
The scope of the audit is communicated to the Vice President, Assistant Vice President and Department Head.
- Detailed Understanding of Activity
A detailed understanding of each activity included in the audit is developed by reviewing documentation provided by the department and interviewing key personnel. Flowcharts are often used to document this understanding. Departments are asked to review the flowcharts for accuracy and completeness.
- Evaluating Internal Controls
Internal controls, compliance, effectiveness and efficiency may be evaluated for each activity included in the scope of the audit. Control objectives are identified, ranked, and assessed as part of the evaluation process. Examples of control objectives are: authorization, approvals, verification of accuracy and completeness of information, reconciliations, security of assets, segregation of duties and assignment of access to information.
- Audit Findings Noted During the Evaluation of Controls
During the control evaluation process and throughout the audit, suggestions for improving or establishing controls are considered and, if approved by the Director, audit finding sheets are forwarded to the department. At this point we are just trying to determine whether findings are correct. After determining the accuracy of the findings, we focus on recommendations. When we make a recommendation, the department may suggest an alternative. We are always willing to evaluate an alternative recommendation and determine whether it achieves the control objective that is needed to mitigate risk.
- Communicating Inadequate Controls
At this point, we conclude whether or not internal controls are adequate. If, after considering the controls in place, we conclude that controls are not adequate, a memorandum will be sent to the Vice President, Assistant Vice President and the Department Head communicating our conclusion. This memo will include an explanation as to why we believe the controls are not adequate. We will also determine at this point if audit test work will be performed.
- Testing Controls
After identifying the controls and safeguards that are in place for each activity, an audit program documenting the test work to be performed is developed. Test procedures are then completed to determine if the controls are functioning as intended.
- Audit Findings Noted During Test Work
As described previously, findings are developed and forwarded to departments.
- Conclusion of Test Work
Findings are evaluated, and an opinion on the effectiveness of controls is formed.
- Draft Audit Report
A draft audit report is prepared and forwarded to the Department Head for his/her review. The report is sent to the Department Head to provide an opportunity to express concerns or disagreement with the findings and recommendations included in the draft report.
- Meeting with the Vice President
After reviewing the draft report with the Department Head, a meeting is scheduled with the Vice President, the Assistant Vice President, and the Department Head to discuss the report.
- Requesting Responses to Draft Audit Report
After this meeting, the report is submitted to the Vice President, who has 30 days to respond to the report. Final responses are to be provided by the Vice President.
- Final Report
The final report, which includes management responses, is distributed to the President, Vice President, Assistant Vice President and the Department Head. The final report is also distributed to the Audit Committee of the Board of Visitors. The report categorizes findings as compliance, major control or minor control findings. All major findings included in audit reports are reviewed to determine their impact on the University's overall control structure. Major findings with significant impact are included in a report entitled "Report of Major Control Findings". This report is distributed to the President, Vice Presidents, and the Audit Committee in conjunction with Board meetings.