Audit Process

  1. Selection:

    • Audit plans are based on a comprehensive risk assessment, including risks identified by the Board of Trustees, the Commissioner, and the University Executive Officers.

  2. Planning:

    • Review any prior audits of the University, research applicable policies and procedures, and any State/federal laws and regulations;

    • Once the objective and scope of the audit are determined, an audit program will be developed;

    • The Internal Auditor (IA) will notify the head of the department and schedule an entrance conference; and

    • There will be some cases where an entrance conference is not scheduled depending on the nature of the audit.

  3. Entrance Conference:

    • The head of the department being audited may at his/her discretion invite other management to attend;

    • During the entrance conference, the IA will discuss the objective, scope, and timing of the audit;

    • The IA may discuss certain planned audit procedures and may have an initial request for information; and

    • The IA will also answer any questions that management may have concerning the audit.

  4. Fieldwork:

    • This is where the IA will gather information about the unit by conducting interviews, observing processes, obtaining confirmations, analyzing data, and performing tests of controls;

    • The IA will determine the adequacy and efficiency of internal controls of the department’s operation;

    • The IA will also incorporate best/good practices to evaluate if processes are operating efficiently; and

    • The IA will try to schedule on-site fieldwork visits at a time when there will be minimal distraction from the day-to-day operation of the department.

  5. Observation(s):

    • The IA will document any observations during fieldwork; and

    • During the fieldwork, the IA may discuss observations with management or give periodic progress updates to management.

  6. Preliminary Report and Discussion:

    • The IA will prepare a report;

    • The report will contain the purpose, scope, and results of the engagement and have recommendations, if applicable, for management to consider; and

    • The report contents are discussed with management.

  7. Management Corrective Action Plan:

    • Management is given an opportunity to review the content of the report and is requested to provide a written management corrective action plan; and

    • Once the IA has received management’s responses, they are included in the final report.

  8. Exit Conference:

    • An exit conference is held to discuss any final details of the audit.