Department of Internal Audit and Compliance

Internal Audit Process

Pre-audit Planning.  Gather background demographic information about the area to be audited. 

Engagement Letter.  Written or electronic announcement to the process owner of the area to be audited (typically a Vice President or Dean). 

Opening Meeting.  Confer with the process owner to discuss the areas to be audited and logistical issues. 

Pre-audit Memo.  Summary of the information gathered to date during pre-audit planning and the opening meeting.  The memo should include a list of at least three business objectives of the functional area (preferably obtained from the process owner during the opening meeting). 

Risk Discussion Questionnaire.  Document prepared for the client’s staff that accumulates detailed demographic information, including the risks to achieving the business objectives previously identified. 

Interviews with Staff.  Obtain further detail about the areas to be audited, including internal controls in place to mitigate the risks previously identified.

Risk and Control Matrices.  Document in a table the business objectives, risks, and controls in place. 

Audit Program.  Work plan of audit testing and verification procedures to be performed.  Internal controls that have already been determined to be insufficient should not be tested, nor should those business risks without internal controls in place. 

Audit Testing.  Evidence gathered via interview, inquiry, observation, confirmation, or other means that prove that internal controls are functioning as expected. 

Review of Issues/Concerns.  Accumulate lists of risks with insufficient internal controls and internal control tests that failed.  Recommend action plans to resolve the root causes of all issues identified. 

Draft Audit Report.  Prepare an executive summary and details of business objectives, scope, and results for client review.  All findings in the draft report should include the condition (what existed), criteria (what was expected), cause, effect (impact of the finding), and recommendations for corrective action. 

Closing Meeting.  Exit conference with the process owner (i.e., addressee on the report) and his/her staff to discuss all audit results (good and bad), including a detailed presentation of all audit findings. 

Management Responses.  Client preparation of action plans to resolve the root causes of all issues identified during the audit, including the corrective action, responsible parties, and implementation dates. 

Client Survey.  Confidential questionnaire sent by the Director of Internal Audit to the client requesting their feedback on internal auditor performance in a variety of areas.

Final Audit Report.  Formal distribution of audit results, including management’s responses, to local and senior management, the University President, and the Audit Committee of The Board of Trustees. 

Follow-up Audit.  A review/confirmation that all corrective actions committed to in the audit satisfactorily resolved the issues.  A follow-up audit will be performed as soon as possible after the implementation of the last corrective action from the original audit. 

Follow-up Audit Report.  Summarize, formalize, and communicate the results of follow-up auditing and testing, indicating which issues are considered resolved by Internal Audit.

Last Updated: 6/24/19