Areas selected for audit are included on the annual audit plan, which is based in part upon a periodic comprehensive University risk assessment. The audit plan also draws on input from University administrators, especially the Senior Vice President for Finance/Treasurer. Final review and approval of the audit plan is made by the University's Finance Committee of the Board.
The audit plan has provisions for special management requests and for investigating possible irregularities as they arise.
In addition to new internal audits, the audit plan includes assignments related to the University's mandatory external audits, regular monitoring procedures performed on high risk/financially material University transactions, post audit implementation reviews and special projects.
Factors that are considered in selecting areas to be audited include:
- Results of the last audit of the area and length of time since the last audit.
- The size and complexity of the operation.
- Magnitude of potential risk exposure or material financial loss to the University.
- Major changes in operation, program, systems, or controls.
- Highly regulated operations, the degree of federal funding, and operations subject to a high level of public scrutiny.
At the beginning of each audit, a meeting is scheduled with the unit/department head and other appropriate personnel to discuss the audit scope and objectives, time schedule, and audit review process. Any concerns raised by the unit/department personnel are also discussed.
The field work may include examining, on a test basis, supporting documents in the records as considered necessary to disclose procedures and make any necessary recommendations. Internal control systems and procedures are evaluated through the observation of the unit's operations, discussions with the director and/or unit staff, and the review of a sample of transactions.
The emphasis of the evaluation is to determine if there are adequate control systems and whether the systems are functioning as intended. The controls are measured against University policies and procedures, government laws and regulations, and generally accepted accounting principles. Areas of deficiencies and potential recommendations are discussed with the appropriate staff and are documented in the audit work papers.
The evaluation of internal controls is conducted within a cost/benefit framework. Whenever less than ideal controls exist, the Internal Auditor will first look to the existence or the possible establishment of monitoring controls in order to mitigate risk.
The Internal Auditor encourages personnel to share their ideas for improvement to the operation of the area or process being audited. This productive exchange often results in those ideas being formally documented and communicated to appropriate decision makers for consideration and discussion.
The Internal Auditor also reviews management practices against University policy, government laws and regulations, and best practices at other colleges and universities to determine if such practices are sound.
A meeting is scheduled with the same individuals who attended the entrance conference. At the exit conference, a rough draft of the audit report is reviewed so that all of the parties understand the nature of the recommendations and agree upon the possible solutions to any problem areas.
Any misunderstandings or possible misstatements contained in the report are identified and resolved. Any deficiencies identified during the audit, which were not significant enough to be included in the audit report, but still represent a potential risk, are also discussed.
If necessary, a second exit conference may be scheduled if there was not sufficient time to address all areas of concern during the initial exit conference. In addition, written management responses to the rough draft of the audit report may also be discussed in order to help build a mutual understanding of the perspectives of all parties.
After the exit conference(s), a draft of the audit report is prepared. The report contains the Executive Summary, Introduction, Audit Objectives and Scope, Findings and Recommendations, Management's Responses, and any necessary attachments. The draft audit report (or selected findings and recommendations, as appropriate) is sent to the personnel who furnished any management responses.
Management either accepts the draft audit report as written or, if necessary, any final corrections or modifications are made. The accepted draft report is sent to the Senior Vice President for Finance/Treasurer and to the Vice President of the area audited for input and optional written comments that will be included in the final report.
The final audit report is printed and may be bound in a booklet format by the Office of Internal Audit. The report is distributed to appropriate university officials.
Any findings considered to be "major" according to the criteria described under "Rating of Audit Findings" are communicated to the Finance Committee of the University's Board of Trustees.
There may be a closeout meeting to discuss plans for how the recommendations will be implemented. An implementation timetable will also be discussed so that recommendations are promptly acted upon and the timing for the post audit implementation review may be scheduled.
Generally within a year of the original audit report, a post audit implementation review may be scheduled to report on the actions taken in response to audit recommendations. Any problems encountered are also noted.
A draft of this report is presented to the unit/department head and other appropriate personnel for any necessary corrections and modifications. The unit/department head may also provide written comments that will become part of the report.
The final post audit implementation review report will be distributed to the same parties who received the original audit report.