Selection of Area
Areas selected for audit are on an audit plan which is based upon input from university administration, Board of Regents, managers, and the Internal Audit staff. The audit plan includes a scheduled audit in each college or organizational unit on a regular basis. The audit plan also has provisions for special management requests and to investigate possible irregularities.
Factors that are considered in selecting units to be audited include:
- Results of the last audit of the area and length of time since last audit.
- The size and complexity of the operation
- Potential risk of financial loss
- Major changes in operation, program, systems, or controls
- Highly regulated operations or operations subject to a high level of public scrutiny
At the beginning of each audit, a meeting is scheduled with the unit head and other appropriate personnel to discuss the audit scope and objectives, time schedule and audit review process. Any concerns raised by the unit personnel are also discussed.
The field work consists of examining, on a test basis, supporting documents in the records as considered necessary to disclose the procedures and make any necessary recommendations. Internal control systems and procedures are evaluated through the observation of the unit's operations, discussions with the director and/or unit staff, and the review of a sample of transactions.
The emphasis of the evaluation is to determine if there are adequate control systems and whether the systems are functioning as intended. The controls are measured against University, State and Federal policies and procedures, as well as, generally accepted accounting principles. Areas of deficiencies and potential recommendations are discussed with the appropriate staff and are documented in the audit work papers.
A meeting is scheduled with the same individuals who attended the entrance conference. At the exit conference, a rough draft of the audit report is reviewed so that all of the parties understand the nature of the recommendations and agree upon the possible solutions to any problem areas. Any misunderstandings or possible misstatements contained in the report are identified and resolved. Any deficiencies identified during the audit, which were not significant enough to be included in the audit report, but still represent a potential risk, are also discussed.
Draft Audit Report
After the exit conference, a draft of the audit report is finalized. The report contains the Executive Summary, Introduction, Purpose and Scope, Observations and Recommendations, General Comments and any necessary attachments. The draft of the audit report is sent to the process owner for management action plans.
Final Audit Report
The unit's responses are added to the audit report and any other corrections are also made. The final audit report is distributed electronically to the appropriate university officials.