Audit Chronology

PLANNING AND FIELDWORK

The purpose of the planning stage is to define the subject and scope of the audit, establish customer expectations, and identify the criteria used to evaluate the audit subject. In this stage, the auditor should obtain an overall view of the department or function, and the operating context and constraints. Several methods of gathering information may be appropriate, including the following:

  1. Initial meeting(s) with the department management and process owners
  2. Internal control questionnaire or surveys of process stakeholders
  3. Review of Internal Audit records
  4. Review of external audit files and other appropriate external information
  5. Audit program and fieldwork

Fieldwork means executing the planned audit and, if required, updating the audit plan based on information learned during the course of the audit. During fieldwork, the auditor will collect and analyze information in order to prepare a draft report and to regularly update process owners and other stakeholders on the audit’s progress.

EXIT CONFERENCE AND AUDIT REPORTS

The Exit Conference is an opportunity for the auditor, department management, process owners, and other stakeholders to review and validate audit outcomes. The Exit Conference should accomplish the following:

  1. Present observations and determine if the current operating context might affect past transactions, e.g., reduce the severity of a finding
  2. Confirm facts, observations, and conclusions, e.g., that the findings are accurate
  3. Validate the root cause leading to findings and present recommendations to eliminate the root cause, and / or achieve control objectives
  4. Estimate the effect of the findings on University operations or its risk management and compliance objectives
  5. Solicit draft management comments on the audit findings and determine if alternative recommendations adequately eliminate the root cause of findings
  6. Define the timeline for issuing the final audit report and implementing recommendations

At a high level, audit reports or supporting work papers should summarize the following information:

  • Condition: the facts, observations, and conclusions
  • Criteria: the standard or benchmark to measure a condition against
  • Root Cause: why the conditions don’t measure up
  • Effect: what happened or will happen if the condition is not corrected, e.g., how important is this
  • Recommendation: practical, specific, and implementable to eliminate the root cause, and therefore correct the condition

The actual audit report format should be functional, provide management with an efficient method of reviewing and responding to the recommendations therein, and expedite implementation of those recommendations. One example of an audit report format is the following:

  • Executive Summary
  • Distribution List - who is receiving the report
  • Introduction - statement of the auditor's objectives, results obtained, and a summary of department or function audited including key operating context and constraints
  • Conclusion - the professional opinion of the area under review
  • Findings and Recommendations - by organizational unit and / or process in sufficient detail to identify the issues and solutions
  • Management Comments - key summary information necessary to put the finding into context and written agreement that recommendations will be implemented
  • Status of prior audit recommendations, if any
  • Appendices and exhibits including statistical summaries of audit test results

After the exit conference, the draft audit report is circulated for review and comment to the process owner and to the Vice President / Senior Vice President levels responsible for the department or function.