SCHEDULED AUDITS

Introduction

The Internal Audit Department’s approach to conducting regular audits will vary based on the type of audit objectives and on the auditor’s familiarity with the area audited. However, scheduled audits will generally consist of five phases, with supervisory review occurring at appropriate intervals:

• Preliminary Survey;
• Review of Work Flows and Internal Controls;
• Fieldwork
• Communicating Results; and
• Wrap-up

Two or more of these steps may be performed concurrently if the nature of the project allows.

Preliminary Survey

During this phase, an auditor becomes familiar with the mission and major activities of the area being audited. The auditor uses information obtained during the preliminary survey to develop the focus of and objectives for an audit. The goal of a preliminary survey is to identify areas where Internal Audit can provide analyses and assistance that will benefit the area audited or the University as a whole. The results of the preliminary survey should be documented in accordance with the work paper standards established for the department.

Approximately two to three weeks before an audit is scheduled to begin, the Director of Internal Audit or the in-charge auditor should write auditee management to notify them of the project, schedule an entrance meeting, and begin the exchange of information that will be needed during the audit. For surprise cash counts or potential frauds, it may be necessary to delay this initial contact to preserve the effectiveness of the review. The letter should be addressed to the head of the area being audited and copied to the appropriate Vice-President and other members of management who may be affected by the audit.

During the entrance meeting, the audit team should explain the audit process, identify the auditee’s suggestions for objectives, and generally open the channels of communication that are necessary to a successful project.

The nature of the assignment will determine what items should be considered during the preliminary survey. Examples of information that may be reviewed during the preliminary phase of a project are:

• The area’s Mission, major functions, goals, and objectives;
• The Auditee’s requests or suggestions for items to be included in the audit;
• Flowcharts or narrative descriptions of processes in the area audited;
• Policies and procedures manuals;
• Organizational chart of the area;
• Work performed in the area by the State Auditor’s Office, internal audit, or other review groups;
• Major expenditures and sources of revenue;
• Nature of any independent information systems in the area; and
• Laws, regulations, or policies that govern the area,
• Other information and reports.

After reviewing relevant background information and considering the results of this review as a whole, auditors will identify potential objectives that provide a value-added service to the University. Where practicable, audit objectives should include items suggested by the management. The in-charge auditor is responsible for identifying final audit objectives and submitting these objectives to the Director of Internal Audit for approval. Once final objectives are approved, the original budgets and timeframes set for the project may need to be adjusted. The final objectives and information about any changes to the expected duration of the project will be communicated to auditee management.

Review of Work Flows and Internal Controls

A study and analysis of internal controls and process flows relative to audit objectives is one feature that distinguishes internal and external auditing. Internal auditors perform these functions to determine whether the activity’s processes and controls are adequate (i.e. its design incorporates the checks, balances, and procedures needed to ensure that management’s objectives are carried out).

A study of controls and processes includes identifying the purpose of an activity and how it works. An analysis of controls and processes includes considering potential risks (what can go wrong), using professional judgment to determine what is needed to protect against those risks (strengths), and assessing whether the necessary features are included in the activity. In addition, auditors should be alert for weak, unnecessary, or duplicative steps, inefficient operations, and compensating controls that offset a weak or missing step. As part of the review, auditors should have the employee responsible for a process review narratives or flowcharts prepared to document the review of workflow and controls. This step helps ensure that the narratives or flowcharts are accurate and complete. Alternatively, the auditor should "walk" a sample transaction or activity through the process to ensure that he or she understands how it works and that all major steps are considered.

At the end of this phase, the in-charge auditor should conclude whether the process, as designed, is adequate. In addition, an audit program should be developed that will be used to test whether strengths identified during the control review are in effect (actually operating as described) or explore the effect of any material weakness noted during the initial stages of the audit.

In unusual cases, an analysis of the system of internal controls will not be necessary. This situation occurs when the preliminary survey shows that policies and procedures in an area are so weak or poorly understood that little benefit would be gained from studying or analyzing controls. In these cases, the working papers should explain why the control review was omitted. Depending on the circumstances, auditors may also choose to omit fieldwork and proceed with the normal process of communicating the results of the audit.

Fieldwork

During fieldwork, auditors carry out the audit program developed for the area under review. At the end of a test, auditors should reach a conclusion about whether strengths identified during the review of internal controls are in effect (working as intended). Another purpose of fieldwork is to assess the possible impact of weak or missing controls.

After testing begins, auditors may find that a planned step cannot be completed or is unnecessary or that the results of tests may also demonstrate the need for additional steps. This situation may occur when a test yields results that vary significantly from a process identified in the control review or when records are unavailable for testing. In this case, auditors should update the audit program to ensure that it contains appropriate steps and procedures.

Auditors should examine sufficient, competent, relevant, and useful information (as defined in the Standards) in carrying out testing and other evaluations. Documentation of fieldwork will vary but should be sufficient to demonstrate what work was performed, without oral explanations, and should support the findings, recommendations, and conclusions contained in the work papers or audit report. Refer to Workpaper Documentation section for additional information.

Communicating Results

Auditors should keep management informed of how the audit is progressing and discuss possible findings and recommendations as these are identified throughout the audit. This practice helps ensure that the results of an audit are accurate. It promotes a "team approach" by actively involving management in developing solutions to issues identified by the audit. Early discussion of possible findings also allows management to promptly begin any corrective action that is needed. While most findings will be presented in the form of a written finding sheet (Potential Report Finding), very minor findings may be presented orally. Management should complete the "departmental response" section of the finding sheets and return each to the auditor within a reasonable amount of time (normally less than two weeks). The auditor and managers will discuss the finding and departmental response to ensure that all parties understand the finding, recommendation, and management response.

After fieldwork for a scheduled audit is complete, we will issue a written audit report using the department standard format. This report will include an opinion relating to the audit objectives and provide details about any significant issues, or findings, identified in the audit. Findings should be presented in order of importance. Each finding should identify the issue noted and offer a recommendation for correcting the cause of the problem. Only significant items, those that should be brought to the attention of senior management, should be included in the report.

A draft copy of the report will be sent to the auditee and an exit conference will be scheduled to discuss the report. The exit conference will include the audit director, audit team and all representatives the auditee wants to attend.

During the exit conference, the entire report will be discussed and all parties will agree to the factual accuracy and fairness of the report. The auditee will be asked to suggest any changes they feel will make the report more understandable, especially to the introduction that briefly describes the entity being audited. Per mutual agreement, minor findings that have been corrected and verified, will be removed from the report. Other findings that have been properly addressed may be removed from the report by the director of auditing after consulting with the auditor in charge, senior administrators and the chairman of the Fiscal Policy Committee of the Board of Trustees, whenever it is appropriate to do so.

Management will be asked to provide a written response to each finding within two weeks. These responses will be incorporated into the report after each finding by the administrative assistant. After an audit manager and the director proof the report, it will be sent to printing where they will prepare a front and back cover and bind 55 copies. The cover must be inspected and approved when the reports are received from printing services.

All reports will remain in the Internal Audit Department until approximately eight days prior to the next scheduled meeting of the Fiscal Policy Committee, at which time they will be delivered to the Secretary of the Board of Trustees for distribution. Reports will be addressed to the Secretary of the Board of Trustees and signed by the Director of Internal Audit. Copies will be issued to the Fiscal Policy Committee and the Executive Committee of the Board of Trustees, the President, Vice President over the area being audited, and the head of the audited area. Others are provided copies upon request.

Several weeks prior to the scheduled meeting of the Fiscal Policy Committee of the Board of Trustees, the Secretary of the Board will call Internal Audit for a list of all audit reports and other items for inclusion in the agenda for the upcoming meeting.

Wrap-up

This phase involves most of the administrative activities associated with an audit. Procedures that should occur as the audit is wrapping-up include:

• Completing necessary forms for evaluation and inclusion in the audit tracking report.

• Doing an overall review of the working papers to see that all procedures are complete, work papers are signed-off, and Internal Audit’s working paper standards have been met.

• Comparing actual budgeted hours and completion dates and providing explanations for any material variances.

• Backing-up all microcomputer files and preparing the diskettes for archival filing.

• Binding and filing the workpapers.