- Selection (Risk Assessment and Annual Audit Plans)
- Notification and Planning
- Entrance Conference
- Audit Findings
- Draft Audit Report
- Exit Conference
- Departmental Responses and Plans of Action
- Distribution of Report
- Post Audit Evaluation
- Audit Follow-up
The information outlined below is intended to familiarize you with the audit process.
The audit of most areas (other than special requests) is based on the periodic Risk Assessment. This assessment includes input from management and staff in identifying risks.
Another factor that increases a department’s chances of being audited is not returning information requested by Internal Audit throughout the year (i.e. risk assessment questionnaires, revenue analysis information, etc.). If information needed to rank an areas’ risk is not received, we have no choice but to audit the area to get the information.
2. Notification and Planning:
We will notify the department head of the upcoming audit and submit a request for information. The auditor assigned to the audit will review any prior audits in your area and the information submitted by the department, research applicable policies and external laws or regulations, and prepare the audit program. The audit program is basically a list of steps that will be performed during the course of the audit. This work will be performed in our office.
3. Entrance Conference:
An entrance conference is the initial meeting between the department head of the area being audited and the auditor(s). It is typically scheduled on the first day of fieldwork. In this meeting, we discuss the scope and objectives of the review and give you the opportunity to share any concerns that you may have. For example, if you would like us to review a particular process or procedure in your unit, let us know at this meeting and we will try to include it in our audit. This meeting will typically be held in the department being audited.
During this process we will interview various departmental employees about their duties related to the areas being reviewed. We will also perform tests to determine the adequacy of various internal controls. It is during these tests that we will determine whether the controls identified during departmental interviews are operating as described. Some of this work will be performed in our office and some in the department under review.
5. Audit Findings:
An audit finding is defined as an area of potential control weakness, risk associated with a policy violation, inadequate performance, financial misstatement, or other problematic issue identified during the audit. It is not unusual for one or more deficiencies to be identified during the course of an audit. Throughout our review we will be open regarding what we find and plan to recommend in the audit report. Most will be relatively minor issues that will require a slight adjustment to a process. Normally, many of the recommendations will have been implemented before the report is drafted. The auditor will address each finding and provide a recommendation on how to correct the issue in the audit report. Internal Audit staff are always available to assist departments in any way.
6. Draft Audit Report:
Once the fieldwork is completed, we will draft an audit report which will include findings and recommendations for improvement. This work will be performed in the Internal Audit office. Management will have an opportunity to comment on the content and discuss any concerns during the Exit Conference. There will be a place in this report for departmental responses (see departmental responses and plans of action below) to be included in the final audit report.
7. Exit Conference:
At the conclusion of the audit, a formal meeting is held with the department head to present the draft audit report and discuss the findings and recommendations in detail. The department head will have the opportunity to ask questions and voice concerns at this point. This meeting will typically be held in the department being audited.
8. Departmental Responses and Plans of Action:
Once the department head receives the draft audit report, he/she will be required to provide a departmental response and plan of action for each finding. The purpose of an action plan is for management to specifically state how the issue will be resolved. Action plans are due within two weeks of the exit conference and will be included verbatim in the final audit report. Management will also be required to submit a target date in which the action plan will be implemented.
9. Distribution of Report:
The final report will be distributed to the department head of the area under review, his/her immediate supervisor, the division Vice Chancellor, the Vice Chancellor for Administration & Finance, the Chancellor, the Chief Audit Executive at the Mississippi Institutions of Higher Learning, and the Audit Committee.
10. Post Audit Evaluation:
As part of our evaluation program, you will be requested to complete a post audit evaluation after the final report is distributed. This feedback will help us to improve our audit procedures.
11. Audit Follow-up:
A follow-up audit will be performed at the end of the quarter in which an action plan is due. Therefore, depending on the target dates of your action plans, a follow-up audit can span over several quarters. Follow-up audits are performed to verify that recommendations/plans of action have been implemented for all findings.