
Audit Process

 

The audit process is divided into various parts. A brief description of these parts is provided below.

I. Planning: In planning for a particular audit project, the auditor will gather pertinent information about the operation or function to be reviewed. Such information includes business plans, financial and operations performance measures, organizational charts, systems used, operating procedures, etc. The auditor analyzes this information, along with work papers from the previous audit of the operation or function, to define the planned scope and objectives of the audit. Included in the planning process is the completion of the Risk Assessment Questionnaire, the Risk Assessment Matrix, flow chart diagrams, and the Audit Planning memo. Also included in the planning process are the engagement letter, the entrance conference, and the audit program.
II. Engagement Letter: The engagement letter is addressed to management personnel responsible for the area to be audited; usually the director(s) and manager(s), but senior directors and vice presidents may also be included. The letter identifies Internal Audit’s intent to perform a review of the function/process, and usually the proposed date, time and location of the entrance conference. The letter can also include a request for policies, procedures, and any concerns that the department would like Internal Audit to address, as they relate to the review. In some cases, it may also include the intended scope and audit objectives.
III. Entrance Conference: The entrance conference is held with the addressees of the engagement letter, and any additional staff whom they have asked to be invited. Introductions are made, and the intended scope and list of audit objectives are discussed during this meeting. Also discussed are the process for communicating successes and opportunities for improvement noted during the review (i.e., to whom audit inquiries should be addressed and who should be copied on them) and the audit reporting and follow-up process. Management is also invited, at this time, to present any concerns that they may have and/or any specific issues that they would like addressed during the review.
IV. Audit Program: The audit program is a “road map” used by the audit team. It is a written outline of the planned audit steps, which the auditor(s) will execute in completing the audit. The audit program is developed based on the intended audit scope and objectives and preliminary assessments of the audit risk, control factors, and management concerns and requests. It may be modified during the audit should there be a change in any of the previously mentioned factors. The audit program is approved by Internal Audit management prior to initiating audit testing.
V. Analysis: During this phase, the individual steps of the audit program are actually performed. Based on the approved audit program, field work will include interviewing responsible personnel, observing operations, conditions, and assets, verifying and analyzing transactions and balances, comparing information from various sources, and evaluating the control environment, as a means of identifying area/function successes and opportunities for improvement. Confidentiality of this information is strictly enforced.

Communication is a key element in the success of any audit. All results are communicated by the auditor through the use of the audit inquiry. Audit inquiries provide a means for timely notification and an opportunity for discussion of potential successes and opportunities for improvement between the responsible manager and the auditor during the course of the review. The specific personnel to whom the audit inquiry should be addressed and copied should have been determined in the entrance conference. The focus during this phase of the process is to gain consensus on the facts, assess the significance of the issues, and formulate appropriate recommendations for improvements.
VI. Audit Report: The auditor will prepare the draft audit report from the audit inquiries in a constructive and balanced tone. When the draft report is completed, approved and distributed, management will be offered the opportunity to have an exit conference to discuss any concerns or questions they may have before the issuance of the final report. The necessary changes or clarifications to the report are made, and the final report is issued. Executive level personnel to whom the final report is issued may also receive an executive summary of the report attached to the front of the final report.
VII. Follow-up Review: The auditor will schedule a follow-up review. The follow-up review should be done approximately twelve to eighteen months after the issuance of the final audit report and involves determining if and how each issue area has been resolved. Follow-up reviews involve inquiry of management and limited field work. Follow-up reviews outline the findings that have been resolved, those partially resolved, and any outstanding or new items that have not been addressed. Follow-up reviews are issued in accordance with the same reporting process described above.