What occurs during an audit?
Once an audit is assigned, the auditor responsible will contact you to advise you of the coming audit and ensure that your workload and staffing makes such an undertaking feasible at the planned time. When possible, audits are assigned for a time period that will create the least disruption for your department.
An entrance conference will be scheduled to introduce the auditor(s) to your department and discuss the general scope and objectives of the audit. We will give you the projected timeframe for the audit through completion; however, there are no guarantees as staff on occasion must suspend work to deal with special time sensitive assignments. If your project is delayed because of a special assignment the auditor will advise you of the delay and keep you apprised of the revised completion schedule.
Our goal is to provide you a draft copy of the audit report within three weeks of completion of fieldwork.
Audit Stages
1. Preliminary Survey
During this stage, the auditor:
- Reviews prior audit reports and other existing information, such as the relevant policies and posted procedures for the department or process. Much of this is done at our office and will not affect your daily work.
- Interviews key employees on how processes work.
- Assesses whether the processes are functioning as described.
- Identifies any additional processes that present risks.
This stage identifies the risks the department faces, and the potential impact (both financial and compliance) such risks might have on the department and University. The auditor then ranks them for audit purposes. The approach, selection of, and degree of testing is then based on these rankings.
2. Fieldwork and Testing
During this stage, based on the rankings and findings from the preliminary survey, the auditor will select the transactions to be tested for accuracy and completeness. This can include anything from review of deposit reconciliation's to testing supporting detail for internal transfers or rate calculations. Testing also involves verification of the accuracy of assertions made during the preliminary survey to source documentation.
The amount of testing performed is dependent upon the adequacy of documentation, internal controls in place and test results. An organization with good internal controls usually requires a limited amount of testing, but it may be increased if problems are discovered.
Transactions chosen to be tested are determined using sampling methods tailored to fit the process under review. Sampling for our purposes is generally done randomly, and may not be statistical in nature as that generally entails a substantially larger test. A statistically valid sample is generally not necessary to assess the adequacy of a system.
You will be kept appraised of findings during the testing stage so there are no surprises when the report is issued. Interim meetings with the client to discuss findings are a part of our audit process.
3. Concluding the audit
Completion of an audit involves more than just issuing the audit report. Our process it includes:
- Write-up of findings and confirmation of the test results with the auditee.
- Exit conference where findings are discussed with the manager of the process or department.
- Issuance of a final report with findings and corresponding recommendations.
While the first two steps may appear to be the same, they are actually two distinct re verifications. First, the test results are verified. In this step, the auditee is given an opportunity to clear the finding by, say, finding whatever was missing, or providing follow-up evidence to show that whatever is incorrect was corrected in a supplemental process, etc. The second step, exit conference, is where the manager discusses the process or control that was being tested. This step is not so much about the detail of what was found, but is about the overall controls that either prevent or detect errors. At this point, the finding may be cleared by informing the auditor that there is some other step or control that was not included in the test.
4. Resolution and Follow up
Audit responses are due four weeks after the report is issued. The preferred method for delivery of an audit response is via e-mail to jicompto@nmu.edu. In the audit response, the auditee will indicate whether or not they agree with the audit finding; what the proposed resolution to the issue will be; and the target date for resolution. If the issue has been resolved before the response is due, evidence of completion should be forwarded with the audit response.
The university president, vice president of finance, and finance committee of the board of trustees receive copies of either the audit report or a summary of the findings. In addition, they receive a tracking report that shows the resolution status of each item identified in the report. The tracking report continues to show the status of each report item until the issue is resolved.
Audit will collect evidence that issues identified as having a high degree of risk have been resolved. In addition, audit will collect evidence of resolution if the issue is a repeat finding, no matter the risk associated with the finding.