An audit, whether conducted by an internal or external auditor, will typically consist of the following steps. The term ―client‖ usually means the management of the department or activity being audited.
Planning: The auditor will gather and review background information about the client‘s activity, determine the audit scope and objectives, and develop an audit program identifying the issues to be examined, questions to be asked, and documents to be reviewed.
Entrance Conference: The auditor meets with department management on campus to discuss the audit scope and objectives, approximate time schedules, types of auditing tests, and how the audit results will be communicated.
Fieldwork: The auditor visits the campus department(s) to interview key personnel and evaluate whether good internal control processes are in place, documented, and being followed.
This will usually include transaction testing to verify that established policies and procedures are actually being followed.
Audit Findings: As deficiencies or ―opportunities for improvement‖ are identified, the auditor will usually bring them to the client‘s attention to verify there is a problem. At the end of the fieldwork, the auditor usually reviews all preliminary findings with the client at an informal exit conference.
Draft Report and Exit Conference: The auditor then writes a draft audit report, identifying problems found and making recommendations for improving operations, and forwards it to the client for review. The auditor meets with the client at a formal exit conference to discuss the draft report and resolve any disagreements over what it says.
Response: The auditor issues a final draft report and asks the client to submit a written response to each recommendation, usually within 30 days. The client is expected to concur with each recommendation and provide a corrective action plan including an estimated date to complete implementation.
Audit Report Issued: After including the client‘s responses to the recommendations, the auditor issues the final audit report. Reports issued by an external auditor or the Office of the University Auditor (OUA) generally becomes public documents at this point. Copies of OUA reports are distributed to the campus president, the Chancellor, the Board of Trustees, the State Auditor, the Department of Finance, and State Legislative Committees.
Audit reports issued by the OUA follow a standard format. Each finding or observation will contain the following 6 elements:
• Condition: What is the problem, and what facts or test results led to this finding?
• Criteria: What regulation or policy or standard is not being followed?
• Cause: Why did it happen? (The client gets to offer an explanation.)
• Effect: What is the impact or risk of letting the condition continue?
• Recommendation: What should be done to correct or improve the condition?
• Campus Response: What does the client plan to do about the condition & when?
Follow-Up: For many but not all audits, the auditor will do some sort of follow-up to determine whether the client actually implemented the recommendations. At the direction of the Trustees‘ Audit Committee, the University Auditor has implemented a rigorous follow-up process. The campus is required to provide written reports on the progress made in implementing the corrective actions promised in the campus response, and to submit documentation proving appropriate actions have been taken. Progress reports will be expected every two months until all recommendations have been completed to the satisfaction of the OUA. Every two months, the University Auditor provides a status report to the Audit Committee of the Board of Trustees. It shows, by campus, what audits are currently underway and how each campus is doing in implementing recommendations from completed audits.