Internal Audit Polices and Procedures
Chapter 10 - Scheduled Audits
The Internal Audit Department's approach to conducting regular audits will vary based on the type of audit objectives and on the auditor's familiarity with the area audited. However, scheduled audits will generally consist of five phases, with supervisory review occurring at appropriate intervals:
Two or more of these steps may be performed concurrently if the nature of the project allows.
During this phase, an auditor becomes familiar with the mission and major activities of the area being audited. The auditor uses information obtained during the preliminary survey to develop the focus of and objectives for an audit. The goal of a preliminary survey is to identify areas where Internal Audit can provide analyses and assistance that will benefit the area audited or the University as a whole. The results of the preliminary survey should be documented in accordance with the work paper standards established for the department.
Approximately two to three weeks before an audit is scheduled to begin, the Director of Internal Audit or the in-charge auditor should call auditee management to notify them of the project, schedule an entrance meeting, and begin the exchange of information that will be needed during the audit. For surprise cash counts or potential frauds, it may be necessary to delay this initial contact to preserve the effectiveness of the review. The initial phone call should be followed with a memo confirming the meeting and identifying any information or documents that will be needed early in the project. This memo should be addressed to the head of the area being audited and copied to the appropriate Vice-Chancellor, and other members of management who may be affected by the audit.
During the entrance meeting, the audit team should explain the audit process, identify the auditee's suggestions for objectives, and generally open the channels of communication that are necessary to a successful project.
The nature of the assignment will determine what items should be considered during the preliminary survey. Examples of information that may be reviewed during the preliminary phase of a project are:
After reviewing relevant background information and considering the results of this review as a whole, auditors will identify potential objectives that provide a value-added service to the University. Except in unusual circumstances, audit objectives should include at least one item suggested by management. The in-charge auditor is responsible for identifying final audit objectives and submitting these objectives to the Director of Internal Audit for approval. Once final objectives are approved, the original budgets and timeframes set for the project may need to be adjusted. The final objectives and information about any changes to the expected duration of the project will be communicated to auditee management in the form of an engagement memorandum.
Review of Work Flows and Internal Controls
An extensive study and analysis of internal controls and process flows relative to audit objectives is one feature that distinguishes internal and external auditing. Internal auditors perform these functions to determine whether the activity's processes and controls are adequate (i.e. its design incorporates the checks, balances, and procedures needed to ensure that management's objectives are carried out).
A study of controls and processes includes identifying the purpose of an activity and how it works. An analysis of controls and processes includes considering potential risks (what can go wrong), using professional judgment to determine what is needed to protect against those risks (strengths), and assessing whether the necessary features are included in the activity. In addition, auditors should be alert for weak, unnecessary, or duplicative steps, inefficient operations, and compensating controls that offset a weak or missing step. As part of the review, auditors should have the employee responsible for a process review narratives or flowcharts prepared to document the review of work flows and controls. This step helps ensure that the narratives or flowcharts are accurate and complete. Alternatively, the auditor should “walk” a sample transaction or activity through the process to ensure that he or she understand how it works and has considered all major steps.
At the end of this phase, the in-charge auditor should conclude about whether the process, as designed, is adequate. In addition, an audit program should be developed that will be used to test whether strengths identified during the control review are in effect (actually operating as described) or explore the effect of any material weakness noted during the initial stages of the audit.In unusual cases, an analysis of the system of internal controls will not be necessary. This situation occurs when the preliminary survey shows that policies and procedures in an area are so weak or poorly understood that little benefit would be gained from studying or analyzing controls. In these cases, the working papers should explain why the control review was omitted. Depending on the circumstances, auditors may also choose to omit fieldwork and proceed with the normal process of communicating the results of the audit.
During fieldwork, auditors carry out the audit program developed for the area under review. At the end of a test, auditors should reach a conclusion about whether strengths identified during the review of internal controls are in effect (working as intended). Another purpose of fieldwork is to assess the possible impact of weak or missing controls.
After testing begins, auditors may find that a planned step cannot be completed or is unnecessary or that the results of tests may also demonstrate the need for additional steps. This situation may occur when a test yields results that vary significantly from a process identified in the control review or when records are unavailable for testing. In this case, auditors should update the audit program to ensure that it contains appropriate steps and procedures and obtain approval of the changes made.
Auditors should examine sufficient, competent, relevant, and useful information (as defined in the Standards) in carrying out testing and other evaluations. Documentation of fieldwork will vary but should be sufficient to demonstrate what work was performed, without oral explanations, and should support the findings, recommendations, and conclusions contained in the work papers or audit report. Refer to Chapter 15 - Workpaper Documentation section for additional information.
Auditors should keep management informed of how the audit is progressing and discuss possible findings and recommendations as these are identified throughout the audit. This practice helps ensure that the results of an audit are accurate. It promotes a "team approach" by actively involving management in developing solutions to issues identified by the audit. Early discussion of possible findings also allows management to promptly begin any corrective action that is needed. While most findings will be presented in the form of a written point sheet (Potential Audit Comment), very minor findings may be presented orally.
After fieldwork for a scheduled audit is complete, we will issue a written audit report using the department standard format. This report will include an opinion relating to each of the audit objectives and provide details about any significant issues, or findings, identified in the audit. Findings should be presented in order of importance. Each finding should identify the issue noted and offer a recommendation for correcting the cause of the problem. Only significant items, those that should be brought to the attention of senior management, should be included in the report.
Management's written response to each finding and recommendation will also be included in the report. The audit report should identify the individuals who provided the responses. Other, less significant, findings will be presented to management, orally or in a written format such as a point sheet or memorandum.
Until the final version of the report is complete and ready to issue to the Chancellor, all copies of reports that are released should be marked "Draft." Management of the area audited should be allowed to review a draft of the report and meet with Internal Audit to discuss the report. Once wording and content of the report have been agreed upon, management should provide written responses to the findings and recommendations. The in-charge auditor should review these responses to evaluate whether the action proposed will correct the issue described in the finding and the time frame for corrective action is reasonable.Reports for scheduled audits will be addressed to the Chancellor of the University and signed by the Director of Internal Audit and the in-charge auditor for the project. Copies will also be issued to members of management who are in a position to take corrective action or ensure that any necessary changes are made.
This phase involves most of the administrative activities associated with an audit. Procedures that should occur as the audit is wrapping-up include:
|Return to Home Page||Table of Contents|