Each year, Internal Audit prepares a rolling three-year audit plan after conducting a university-wide preliminary risk assessment. The purpose of the audit plan is to outline audits that Internal Audit will conduct throughout the fiscal year.
Although every audit is unique, the audit process is generally similar for most engagements. The information outlined below is intended to provide an overview of the audit process.
The audit of most areas (other than special requests) is based on the annual comprehensive risk assessment. This assessment includes input from management and staff in identifying risks.
Another factor that increases a department’s chances of being audited is not returning information requested by Internal Audit throughout the year (e.g., risk assessment questionnaires and revenue analysis information). If the information needed to rank an area’s risk is not received, an audit of the area will likely be conducted to gather any necessary information.
During planning, we will review any prior audits of the unit and research applicable state/federal laws and regulations. A notification will be sent to the department head to schedule an entrance conference, and it will sometimes request initial documents (policies, procedures, assessments, etc.) for key areas being reviewed. Internal Audit will prepare an audit program. We also hold initial discussions with key personnel to gain an understanding of processes and to identify risks and controls. In some cases, depending on the nature of the audit, an entrance conference is not scheduled.
We will notify the department head of the upcoming audit and submit a request for information. We typically notify the department head at least two weeks in advance. The information request and questionnaire are typically due back to us within two weeks. Although audit notifications are a common courtesy, there may be some instances in which the Office of Internal Audit is not required to give prior notification.
At the beginning of an audit, a meeting is held with the department head of the area being audited and the auditors. The head of the unit being audited may at his/her discretion invite other management to attend. In this meeting, we discuss the scope, objectives, and timing of the review (if known at this time). The auditor may request information if initial requests were not previously included with the audit notification. Certain planned audit procedures may also be discussed. The auditor will also answer any questions that management may have concerning the audit.
We will interview various departmental employees about their duties related to the areas being reviewed. The purpose of these meetings is for us to learn your departmental processes and procedures. These meetings will typically be held in the department being audited.
The audit program lists the procedures that will be performed during the course of the audit. Sometimes adjustments are made to the audit program based on information obtained during the entrance conference. This work will be performed in our office; however, it is also possible that additional modifications to the audit program may occur during the course of the audit.
During fieldwork, the audit team will determine the adequacy and efficiency of internal controls of the unit's operation. The audit team will also incorporate best/good practices to evaluate if processes are operating effectively and determine compliance with federal and state regulations as well as university policies and procedures. Additional information will be gathered through follow-up interviews, observing processes, confirmations, analyzing data, and performing tests of controls (including testing technology controls). With the exception of first-time audits, when considerable audit testing is necessary, the scope and extent of testing may be reduced substantially when internal controls are considered strong. The audit team will try to schedule on-site fieldwork visits at a time when there will be minimal distraction from the day-to-day operation of the unit being audited.
The auditor will document any observations during his/her fieldwork. During the fieldwork, the auditor may discuss observations with management or give periodic progress updates to management.
An audit finding is defined as an area of potential control weakness, risk associated with a policy violation, inadequate performance, financial misstatement, or other problematic issue identified during the audit. It is not unusual for one or more deficiencies to be identified during the course of an audit. Most will be relatively minor issues that will require a slight adjustment to a process. Identified control weaknesses, noncompliance, or irregularities are documented as potential issues that may be included in the draft report and will be discussed with management before they are included in the report. Determination of the significance of an issue is a professional judgment and is subject to Internal Audit management review during the reporting phase. Internal Audit staff are always available to assist departments in any way.
Preliminary Report and Discussion
Once the fieldwork is completed, we will draft an audit report. The report contains the objective, scope, and results of the engagement and, most likely, has recommendations for management to consider. The report contents are discussed with management as many times as needed until the best solution to an observation comes from management. Management will have an opportunity to comment on the content and discuss any concerns during the Exit Conference. There will be a place in this report for departmental responses to be included in the final audit report.
At the conclusion of the audit, a meeting is held with the department head to present the draft audit report and discuss the findings and recommendations in detail. The department head will have the opportunity to ask questions and voice concerns at this point. This meeting will typically be held with the department being audited; however, the head of the unit being audited may at his/her discretion invite other management to attend.
Management Response and Action Plan
Once the department head receives the draft audit report, he/she will be required to provide a departmental response and plan of action for each finding within ten (10) business days. The purpose of an action plan is for management to specifically state how the issue will be resolved. Action plans are due within two weeks of the exit conference and will be included verbatim in the final audit report. Management will also be required to submit an anticipated target date by which the action plan will be implemented. An adequate response to the auditor’s report is implementation of the auditor’s recommendations stated in the report, the implementation of alternative procedures that provide approximately the same degree of control as the auditor’s recommended procedures, or a statement explaining that management has assumed the risk of not taking corrective action on the reported findings. If the department does not respond within the appropriate timeframe, the final audit report will be issued noting that the area under review had not provided a response.
Final Audit Report Distribution
The final report will be distributed to the President, Vice Presidents, Senior Management, the Chief Audit Executive at the Mississippi Institutions of Higher Learning, and other personnel relevant to each audit.