There are four phases in the audit process:
Notification: University leadership is made aware of the planned audit projects on an annual basis. The audit area selected is informed about the intent to perform an audit. The auditor may send a request for documentation such as organization charts, procedures, guidelines, checklists, job descriptions, roles and responsibility matrix, etc. which help the auditor gain an understanding before planning the audit.
Scoping Meeting: A scoping meeting is arranged with senior management in the area selected. The meeting serves two purposes – first, the auditor will outline the process, timing and what the auditee can expect, second, the auditee is able to express any issues or concerns with the audit process or areas within their units that they would like to have reviewed. Moreover, any potential timing issues (e.g. vacations, deadlines) that could impact the audit are also discussed. A preliminary scope and objectives of the audit are agreed upon.
The fieldwork stage is typically the lengthiest part of an audit and helps to gather information necessary in assessing the adequacy and effectiveness of internal controls, risk management and governance processes. Auditors work on this phase mostly through walkthrough, inquiry with staff, reviewing procedures and business processes and testing control activities.
Interviews and Walkthroughs: A walkthrough is often the most efficient assessment procedure auditors can use. The primary purpose is to provide an in-depth understanding of the processes and any control activities.
Flowcharts: The auditor's understanding of the processes is typically documented in a flowchart.
Tests of Controls: Audit conducts tests for compliance with applicable university policies and procedures, laws and regulations, and for assessing the adequacy of internal controls. While one sample may have been selected during the walkthrough to gain an understanding of the process, additional samples, based on audit sampling methodology, are requested to demonstrate the operating effectiveness.
Initial Observations: Once fieldwork is substantially completed, the auditor discusses the initial observations with the area leadership. The purpose of this meeting is to either validate the initial observations or provide additional evidence for reconsideration.
Audit report: Once testing is completed, an audit report is drafted and includes several sections: the distribution list, the scope of the audit, the overall conclusion, and detailed commentary describing the findings and recommended solutions. Recommendations that do not address significant risks are handled less formally through discussion. Risk ratings are discussed.
Management Response: The area’s senior management is provided with an opportunity to respond to the findings. The response consists of two components: the action plan to implement the recommendation and the expected completion date. These responses are included in the final audit report.
Finalized Report: The final report is distributed to all senior management of the department (i.e. the Registrar, Provost, etc. as applicable). Copies of all reports are distributed to the President and Vice- Chancellor, Vice-President’s Council, Chief Risk Officer, External Auditor and Chair of the Audit and Risk Committee. A summary of the report is then provided to the Audit and Risk Committee of the Board of Regents.
Follow-up: Once the audit is completed, the Office of Internal Audit monitors progress made in implementing recommendations. Limited scope procedures may be performed to validate the recommendation implementation. Semi-annually, a status of open recommendations is reported to the President and Vice-Chancellor, Vice-President’s Council, Chief Risk Officer, and the Audit and Risk Committee of the Board of Regents.