Audit Process

The Internal Audit Process from Beginning to End

  • Audit Process
    Although every audit process is unique, the audit process is similar for most engagements and normally consists of four stages: Planning (sometimes called Survey or Preliminary Review), Fieldwork, Audit Report and Follow-up Review. Client involvement is critical at each stage of the audit process. As in any special project, audits require a certain amount of time being diverted from your department’s personnel. One of the key objectives is to minimize this time and avoid disrupting ongoing activities.
  • Planning
    During the planning portion of the audit, the auditor notifies the client of the audit, discusses the scope and objectives of the examination in a formal meeting with organization management, gathers information on important processes, evaluates existing controls (when existing narratives and flow charts are available) and plans the remaining audit steps.
  • Announcement Letter (Planning Memo)
    The client is informed of the audit through an announcement or engagement letter from the Internal Audit Director. This letter communicates the scope and objectives of the audit, the auditors assigned to the project and other relevant information.
  • Opening Conference
    Internal Audit discusses the IA process and the plan for completing the audit. During this meeting, the client describes the unit or system to be reviewed, the organization, available resources (personnel, facilities, equipment, funds) and other relevant information. The internal auditor meets with the senior officer directly responsible for the unit under review and any staff members s/he wishes to include. It is important that the client identify issues or areas of special concern that should be addressed.
  • Preliminary Survey/Questionnaire
    In this phase the auditor gathers relevant information about the unit in order to obtain a general overview of operations. S/He meets with key personnel to reviews reports, files and other sources of information.
  • Internal Control Design
    The auditor will review the unit’s internal control structure, a process which is usually time-consuming. In doing this, the auditor uses a variety of tools and techniques to gather and analyze information about the operation. The review of internal controls helps the auditor determine the areas of highest risk and design tests to be performed in the fieldwork section. CSU Internal Audit has adopted flow-charting and Risk/Control Matrices as the tools to evaluate the design effectiveness of the Internal Control structure. Copies are given to the client for their use, future reference and training needs.
  • Prepared by Client (PBC) Listing
    This is a document that is prepared by Internal Audit which documents the items that are needed to complete the audit.  Items such as reports, vouchers, meeting minutes, policies and procedures are just a few that would be on this listing.
  • Audit Program
    Preparation of the audit program concludes the preliminary review phase. This program outlines the fieldwork necessary to achieve audit objectives.
  • Fieldwork
    The fieldwork concentrates on transaction testing and informal communications. It is during this phase that the auditor determines whether the controls identified during the preliminary review are operating effectively and in the manner described by the client. The fieldwork stage concludes with a list of significant findings from which the auditor will prepare a final draft of the audit report.
  • Transaction Testing
    After completing the preliminary review, the auditor performs the procedures in the audit program. These procedures usually test the major internal controls and the accuracy and propriety of the transactions. Various techniques including sampling are used during the fieldwork phase.
  • Audit Working Papers
    Working papers are a vital tool of the audit profession. They are the support for the audit observations. They connect the client’s accounting records and financials to the auditor’s opinion. They are comprehensive and serve many functions.
  • Advice and Informal Communications
    As the fieldwork progresses, the auditor discusses any significant findings with the client. This allows the client the ability to offer insights and work with the auditor to determine the best method of resolving the finding. Usually these communications are oral. However, in more complex situations, memos and/or e-mails are written in order to ensure full understanding by the client and the auditor. Our goal: No Surprises.
  • Audit Summary
    Upon completion of the fieldwork, the auditor summarizes the audit findings, conclusions and recommendations necessary for the audit report discussion draft.
  • Internal Audit Report
    Our principal product is the final report in which we document our audit observations and recommendations for improvements. This also includes management’s response and implementation plan, the time frame for completion and responsible individual(s).  To facilitate communication and ensure that the recommendations presented in the final report are practical, Internal Audit discusses the rough draft with the client prior to issuing the final report.
  • Audit Report Discussion Draft
    At the conclusion of fieldwork, the auditor prepares a “draft” report. Audit management thoroughly reviews the audit working papers and the discussion draft before it is presented to the client for comment. This discussion draft is prepared for the unit’s operating management and is submitted for the client’s review before the exit conference.
  • Exit Conference
    When audit management has approved the discussion draft, Internal Audit meets with the unit’s management team to discuss the findings, recommendations and text of the draft. At this meeting, the client comments on the draft and the groups work to reach an agreement on the audit findings and report content.
  • Client Response
    The client has the opportunity to respond to the audit findings prior to issuance of the final report which can be included or attached to our final report. However, if the client decides to respond after we issue the report, the first page of the final report is a letter requesting the client’s written response to the report recommendations. In the response, the client should explain how report findings should be resolved and include an implementation timetable. In some cases, managers may choose to respond with a decision not to implement an audit recommendation and to accept the risks associated with an audit finding. The client should copy the response to all recipients of the final report if s/he decides not to have their response included/attached to Internal Audit’s final report.
  • Formal Draft
    The auditor prepares a formal draft, taking into account any revisions resulting from the exit conference and other discussions. When the changes have been reviewed by audit management and the client, the final report is issued.
  • Final Report
    Internal Audit distributes the final report to the unit’s operating management, the unit’s reporting supervisor, the Vice President for Administration, the University President, Controller, Audit Committee Chairman and other appropriate members of senior University management. This report is primarily for internal University management use. The approval of the Chief Internal Auditor is required for the release of the report outside the University.
  • Auditee/Client Comments
    Finally, as part of Internal Audit’s self-evaluation program, we ask auditee personnel to comment on Internal Audit’s performance. This feedback has proven to be very beneficial to us and we have made changes in our procedures as a result of clients’ suggestions.
  • Aging Process
    After each audit report is comp-lete, we keep track of all audit observations and the timeing of implementation.  We follow-up on each audit point to determine the status.  We prepare aging reports to present to management and the Board of Trustees.  Management is accountable for ensuring that recommendaed implementations arw acvted upon in completed in a timely manner.
  • Follow-Up Review
    The client response documentation is reviewed and the actions taken to resolve the audit report findings may be tested to ensure that the desired results were achieved. All unresolved findings will be discussed in the follow-up report.
  • Follow-UP Report
    The review will conclude with a follow-up report which lists the actions taken by the client to resolve the original report findings. Unresolved findings will also appear in the follow-up report and will include a brief description of the finding, the original audit recommendation, the client response, the current condition and the continued exposure to CSU. A discussion draft of each report with unresolved findings is circulated to the client before the report is issued. The follow-up review results will be circulated to the original report recipients and other University officials as deemed appropriate.
  • Internal Audit Quarterly Report to the Board
    In addition to the distribution discussed earlier, the contents of the audit report, client response and follow-up report may also be communicated to the Board as part of the Internal Audit Quarterly Report.

The Process: A Collaborative Effort

As pointed out, during each stage in the audit process, audit clients have the opportunity to participate. There is no doubt that the process works best when client management and Internal Audit have a solid working relationship based on clear and continuing communication. Many clients extend this working relationship beyond the particular audit. Once the audit department has worked with management on a project, we have an understanding of the unique characteristics of your unit’s operations. As a result, we can help evaluate the feasibility of making further changes or modifications in your operations.