There are five phases to an audit:
|Selection||Most audits are determined during the development of the annual audit plan. Within the audit universe are auditable units, which may be a procedure, University policy, state or federal law, program, office, department, college, division, or branch campus. Internal Audit conducts a University-wide risk assessment once every three years. The audit plan is developed for subsequent years based on the results of this assessment, new information arising from the previous fiscal year, and available resources. The chancellor and Board of Regents review and approve the audit plan each year.|
|Planning||During the planning phase of each project, the internal auditor gathers relevant background information and initiates contact with the auditable unit. The objectives and scope of the audit as well as the timing of fieldwork and report distribution are determined at this time. When initial contact is being made, the internal auditor will usually notify those responsible that an audit will be performed and provide general information about the audit, when this work is expected to be performed, and any requests the internal auditor might have at this time. Most audits will be announced before planning begins, but there are some audits that will warrant an unannounced review. Other audits might be of a sensitive nature with information provided on a need-to-know basis.|
|Fieldwork||Once the audit is planned, fieldwork is executed by the internal auditor. Depending on the audit to be performed, the internal auditor will typically obtain financial information from Banner over the period being audited, any relevant University policies, departmental procedures if applicable, any relevant state or federal laws, external agreements, etc. Samples will be selected and subsequent information requested to complete fieldwork. Any exceptions noted, including those that will be mentioned in the report as well as any findings issued, will be communicated to those responsible before the draft audit report is completed. |
|Reporting||A summary of the audit findings, conclusions, and specific recommendations is officially communicated to those responsible through a draft report. This draft report is emailed to everyone related to the audit, including department heads, vice presidents, branch presidents, chancellor, and Audit and Finance Committee of the Board of Regents. Responsible individuals are asked to respond to the report as well as any findings issued. These responses become part of the final report, which is distributed to the appropriate level of administration.|
|Follow-up||For any findings that have been issued for an audit, a determination will be made if a follow-up audit is necessary. These are typically performed in the following year but might be extended for a second year depending on the complexity of the issue identified in the original audit and available department resources. |
Each area being audited is responsible for the following:
- Complying with any and all audit requests in a timely manner. Questions are always encouraged when something is not clear or understood, or if the audit schedule does not work for those responsible. In addition, sometimes the internal auditor is not familiar with the area being audited and may not know exactly what to ask for. Having open communication will ensure the audit is completed timely and eliminate unnecessary requests.
- If a question is asked regarding an individual's viewpoint of a process, the question should be kept confidential from anyone else and answered to the best of that person's knowledge. To say "I don't know" or only have knowledge about part of the answer is an acceptable response. Often, the goal is to get an independent idea of a process as that individual knows it in order to corroborate it with someone else's, not to get someone in trouble. This can be an effective tool in evaluating the effectiveness of communication and relaying important information, but oftentimes, an independent confirmation cannot be obtained because other individuals are copied on a response, or the question is directed to someone else.
The internal auditor is responsible for the following:
- Communicating with the auditee. Every effort will be made to communicate with the auditee on the timing of events, where the audit stands, what is needed for the audit, and any potential errors that have been found in an effort to determine if documentation is available or if there is a response to why it appears an error has occurred.
- Being available. The internal auditor may always be contacted by email or phone, and every effort will be made to return missed messages timely. Individuals are always welcome to stop by, but the department will be closed if the internal auditor is unavailable. Please be sure to follow up with an email or a phone call and leave a message should this occur.