logo for page printing

The Audit Process


The audit process is divided into various parts. A brief description of these parts is provided below.

I. Planning: In planning for a particular audit project, the auditor will gather pertinent information about the operation or function to be reviewed. Such information includes business plans, financial and operations performance measures, organizational charts, systems used, operating procedures, etc. The auditor analyzes this information, along with workpapers from any previous audit of the operational area. In doing so, the planned scope and objectives of the audit are defined. Included in the planning process is the completion of the Risk Assessment Questionnaire, the Risk Assessment Matrix, flow chart diagrams, and the Audit Planning memo. Also included in the planning process are the engagement letter, the entrance conference, and the audit program.
II. Engagement: The engagement letter is addressed to management personnel responsible for the area to be audited; usually the director(s) and manager(s) but senior directors and vice presidents may also be included. The letter identifies Internal Audit’s intent to perform a review of the function/process, and usually the proposed date, time and location of the entrance conference. The letter can also include a request for policies, procedures, and any concerns that the department would like Internal Audit to address, as they relate to the review. In some cases, it may also include the intended scope and audit objectives.
III. Entrance Conference: The entrance conference is held with the addressees of the engagement letter, and any additional staff who they have asked to be invited. Introductions are made, and the intended scope and list of audit objectives are discussed during this meeting. Also discussed is the process for communication of successes and opportunities for improvement noted during the audit (i.e., determine to whom should audit inquiries be addressed and who should be copied on them). The audit reporting and follow-up process is also explained during this conference. Management is also invited, at this time, to present any concerns that they may have and/or any specific issues that they would like addressed during the review.
IV. Audit Program: The audit program is a “road map” used by the audit team. It is a written outline of the planned audit steps, which the auditor(s) will execute in completing the audit. The audit program is developed based on the intended audit scope and objectives and preliminary assessments of the audit risk, control factors, and management concerns and requests. It may be modified during the audit should there be a change in any of the previously mentioned factors.
V. Filedwork and Audit Analysis: During this phase, the individual steps of the audit program are actually performed. Based on the approved audit program, fieldwork will include interviewing responsible personnel, observing operations, conditions, and assets, verifying and analyzing transactions and balances, comparing information from various sources, and evaluating the control environment. Fieldwork is a means of identifying area successes and opportunities for improvement. Communication is a key element to the success of any audit. All results are communicated by the auditor, through the use of the audit inquiry and recommendations. Audit inquiries and recommendations provide a means for timely notification and an opportunity for discussion of potential successes and opportunities for improvement between the responsible manager and the auditor during the course of review. The focus during this phase of the process is to gain consensus on the facts, assess the significance of the issues, and formulate appropriate recommendations for improvements.
VI. Audit Report: The auditor will prepare the draft audit report from the audit inquiries and recommendations in a constructive and balanced tone. When the draft report is completed, approved and distributed, management will be offered the opportunity to have an exit conference to discuss any concerns or questions they may have before the issuance of the final report. The necessary changes or clarifications to the report are made, and the final report is issued. Executive level personnel (trustees, president, cabinet members) to whom the final report is issued will also receive an executive summary. The executive summary is provided to highlight the fine points of the audit process and report.
VII. Follow up Review: Internal Audit will schedule a follow-up review. The follow up review should be done approximately twelve to eighteen months after the issuance of the final audit report and involves determining if and how each issue area has been resolved. Follow up reviews involve inquiry of management and limited field work. Follow up reviews outline the findings that have been resolved, those partially resolved, and any outstanding or new items that have not been addressed. Follow up reviews are issued in accordance with the same reporting process described above.