The Internal Audit Department’s approach to conducting regular audits will
vary based on the type of audit objectives and on the auditor’s familiarity
with the area audited. However, scheduled audits will generally consist of five
phases, with supervisory review occurring at appropriate intervals:
- Preliminary Survey;
- Review of Work Flows and Internal Controls;
- Communicating Results; and
Two or more of these steps may be performed concurrently if the nature of the
During this phase, an auditor becomes familiar with the mission and major activities
of the area being audited. The auditor uses information obtained during the
preliminary survey to develop the focus of and objectives for an audit. The
goal of a preliminary survey is to identify areas where Internal Audit can provide
analyses and assistance that will benefit the area audited or the University
as a whole. The results of the preliminary survey should be documented in accordance
with the work paper standards established for the department.
Approximately two to three weeks before an audit is scheduled to begin, the
Director of Internal Audit or the in-charge auditor should write auditee management
to notify them of the project, schedule an entrance meeting, and begin the exchange
of information that will be needed during the audit. For surprise cash counts
or potential frauds, it may be necessary to delay this initial contact to preserve
the effectiveness of the review. The letter should be addressed to the head
of the area being audited and copied to the appropriate Vice-President and other
members of management who may be affected by the audit.
During the entrance meeting, the audit team should explain the audit process,
identify the auditee’s suggestions for objectives, and generally open the channels
of communication that are necessary to a successful project.
The nature of the assignment will determine what items should be considered
during the preliminary survey. Examples of information that may be reviewed
during the preliminary phase of a project are:
- The area’s Mission, major functions, goals, and objectives;
- The Auditee’s requests or suggestions for items to be included in the audit;
- Flowcharts or narrative descriptions of processes in the area audited;
- Policies and procedures manuals;
- Organizational chart of the area;
- Work performed in the area by the State Auditor’s Office, internal audit,
or other review groups;
- Major expenditures and sources of revenue;
- Nature of any independent information systems in the area; and
- Laws, regulations, or policies that govern the area,
- Other information and reports.
After reviewing relevant background information and considering the results
of this review as a whole, auditors will identify potential objectives that
provide a value-added service to the University. Where practicable, audit objectives
should include items suggested by the management. The in-charge auditor is responsible
for identifying final audit objectives and submitting these objectives to the
Director of Internal Audit for approval. Once final objectives are approved,
the original budgets and timeframes set for the project may need to be adjusted.
The final objectives and information about any changes to the expected duration
of the project will be communicated to auditee management.
Review of Work Flows and Internal Controls
A study and analysis of internal controls and process flows relative to audit
objectives is one feature that distinguishes internal and external auditing.
Internal auditors perform these functions to determine whether the activity’s
processes and controls are adequate (i.e. its design incorporates the checks,
balances, and procedures needed to ensure that management’s objectives are carried
A study of controls and processes includes identifying the purpose of an activity
and how it works. An analysis of controls and processes includes considering
potential risks (what can go wrong), using professional judgment to determine
what is needed to protect against those risks (strengths), and assessing whether
the necessary features are included in the activity. In addition, auditors should
be alert for weak, unnecessary, or duplicative steps, inefficient operations,
and compensating controls that offset a weak or missing step. As part of the
review, auditors should have the employee responsible for a process review narratives
or flowcharts prepared to document the review of workflow and controls. This
step helps ensure that the narratives or flowcharts are accurate and complete.
Alternatively, the auditor should "walk" a sample transaction or activity
through the process to ensure that he or she understands how it works and that
all major steps are considered.
At the end of this phase, the in-charge auditor should conclude whether the
process, as designed, is adequate. In addition, an audit program should be developed
that will be used to test whether strengths identified during the control review
are in effect (actually operating as described) or explore the effect of any
material weakness noted during the initial stages of the audit.
In unusual cases, an analysis of the system of internal controls will not be
necessary. This situation occurs when the preliminary survey shows that policies
and procedures in an area are so weak or poorly understood that little benefit
would be gained from studying or analyzing controls. In these cases, the working
papers should explain why the control review was omitted. Depending on the circumstances,
auditors may also choose to omit fieldwork and proceed with the normal process
of communicating the results of the audit.
During fieldwork, auditors carry out the audit program developed for the area
under review. At the end of a test, auditors should reach a conclusion about
whether strengths identified during the review of internal controls are in effect
(working as intended). Another purpose of fieldwork is to assess the possible
impact of weak or missing controls.
After testing begins, auditors may find that a planned step cannot be completed
or is unnecessary or that the results of tests may also demonstrate the need
for additional steps. This situation may occur when a test yields results that
vary significantly from a process identified in the control review or when records
are unavailable for testing. In this case, auditors should update the audit
program to ensure that it contains appropriate steps and procedures.
Auditors should examine sufficient, competent, relevant, and useful information
(as defined in the Standards) in carrying out testing and other evaluations.
Documentation of fieldwork will vary but should be sufficient to demonstrate
what work was performed, without oral explanations, and should support the findings,
recommendations, and conclusions contained in the work papers or audit report.
Refer to Workpaper Documentation section for additional information.
Auditors should keep management informed of how the audit is progressing and
discuss possible findings and recommendations as these are identified throughout
the audit. This practice helps ensure that the results of an audit are accurate.
It promotes a "team approach" by actively involving management in
developing solutions to issues identified by the audit. Early discussion of
possible findings also allows management to promptly begin any corrective action
that is needed. While most findings will be presented in the form of a written
finding sheet (Potential Report Finding), very minor findings may be presented
orally. Management should complete the "departmental response" section
of the finding sheets and return each to the auditor within a reasonable amount
of time (normally less than two weeks). The auditor and managers will discuss
the finding and departmental response to ensure that all parties understand
the finding, recommendation, and management response.
After fieldwork for a scheduled audit is complete, we will issue a written
audit report using the department standard format. This report will include
an opinion relating to the audit objectives and provide details about any significant
issues, or findings, identified in the audit. Findings should be presented in
order of importance. Each finding should identify the issue noted and offer
a recommendation for correcting the cause of the problem. Only significant items,
those that should be brought to the attention of senior management, should be
included in the report.
A draft copy of the report will be sent to the auditee and an exit conference
will be scheduled to discuss the report. The exit conference will include the
audit director, audit team and all representatives the auditee wants to attend.
During the exit conference, the entire report will be discussed and all parties
will agree to the factual accuracy and fairness of the report. The auditee will
be asked to suggest any changes they feel will make the report more understandable,
especially to the introduction that briefly describes the entity being audited.
Per mutual agreement, minor findings that have been corrected and verified,
will be removed from the report. Other findings that have been properly addressed
may be removed from the report by the director of auditing after consulting
with the auditor in charge, senior administrators and the chairman of the Fiscal
Policy Committee of the Board of Trustees, whenever it is appropriate to do
Management will be asked to provide a written response to each finding within
two weeks. These responses will be incorporated into the report after each finding
by the administrative assistant. After an audit manager and the director proof
the report, it will be sent to printing where they will prepare a front and
back cover and bind 55 copies. The cover must be inspected and approved when
the reports are received from printing services.
All reports will remain in the Internal Audit Department until approximately
eight days prior to the next scheduled meeting of the Fiscal Policy Committee,
at which time they will be delivered to the Secretary of the Board of Trustees
for distribution. Reports will be addressed to the Secretary of the Board of
Trustees and signed by the Director of Internal Audit. Copies will be issued
to the Fiscal Policy Committee and the Executive Committee of the Board of Trustees,
the President, Vice President over the area being audited, and the head of the
audited area. Others are provided copies upon request.
Several weeks prior to the scheduled meeting of the Fiscal Policy Committee
of the Board of Trustees, the Secretary of the Board will call Internal Audit
for a list of all audit reports and other items for inclusion in the agenda
for the upcoming meeting.
This phase involves most of the administrative activities associated with an
audit. Procedures that should occur as the audit is wrapping-up include:
- Completing necessary forms for evaluation and inclusion in the audit tracking
- Doing an overall review of the working papers to see that all procedures
are complete, work papers are signed-off, and Internal Audit’s working paper
standards have been met.
- Comparing actual budgeted hours and completion dates and providing explanations
for any material variances.
- Backing-up all microcomputer files and preparing the diskettes for archival
[Back to Table of Contents]
- Binding and filing the workpapers.