The Audit Process
SELECTION OF DEPARTMENTS/UNITS TO BE AUDITED
In developing an audit plan for each fiscal year, the Office of Auditing and Management Services utilizes an instrument known as a Risk Assessment Model. This Risk Assessment Model is a survey designed to determine, through quantitative means, those auditable entities within the University that pose the highest degree of relative risk.
With the assistance of the University's Vice Presidents and their staffs, values are subjectively assigned to the entities' operations using such weighted ranking criteria as:
- Prior audit history
- Regulatory compliance and public scrutiny
- Reliance upon information technology
- Dollar value and liquidity of assets
- Organizational change and economic transition within the unit
- Likelihood, which could be low, medium or high
- Impact, which could be low, medium, high or very high
- Breath which could be low, medium or high
Using this survey, auditable areas are scored and ranked from those perceived to pose the greatest risk to those representing a lower degree of risk exposure.
A tentative audit plan is developed by the Office of Auditing and Management Services, taking into consideration coverage provided by the Georgia Department of Audits and Accounts, and the Board of Regents' Office of Internal Audit. The finalized audit plan for the fiscal year incorporates the results of the survey with special requests and recommendations from the University President. This final audit plan is then approved by the University President and submitted to the Board of Regents' Associate Vice Chancellor for Internal Audit.
Prior to the start of each audit, the Director sends an engagement letter to the appropriate Vice President and Supervisor in the department or unit being audited. This letter describes the nature of the audit, the anticipated start date, and asks for the cooperation of the responsible official(s).
An entrance conference is scheduled with the appropriate official(s), during which the audit objectives, timing and intended report format are discussed and a report distribution list is requested. At this time, any necessary background documentation is requested.
The auditor makes a preliminary survey of the area under review in order to become familiar with policies and procedures that might impact the area being audited.
During this time, the auditor:
- Seeks to gain an understanding of existing procedures through observation, by discussions with staff and/or by review of documentation
- Identifies applicable existing internal and accounting controls
- Establishes the scope of the audit on the basis of the information obtained and on the risk assessment
- Prepares an audit program that outlines the nature and extent of audit test work that will be performed.
Throughout the execution of an audit plan, the Office of Auditing and Management Services may perform various types of audits. The types of audits the Office could perform may be of a compliance, economy and efficiency, financial, fraud or programmatic nature. The focus of an audit may emphasize a specific type (such as a compliance audit) or incorporate a combination of types.
The following provides a brief description of each type of audit the Office may perform:
- Compliance - assess whether an auditable area adheres to the policies, plans, procedures, laws, and regulations that impact the operations of the area.
- Economy and Efficiency - assess whether an auditable area manages and utilizes the area's resources (such as personnel and property) economically and efficiently. Also, the audit should assess whether operating standards exist to measure effectiveness and efficiency, and that management monitors the standards and addresses any deviations.
- Financial - assess the reliability and integrity of financial and operational information and the means used to report the information.
- Fraud - assess situations or transactions indicative of fraud, abuse, or illegal acts and, if evidence exists, identify the effect of the act(s) on an area's operations. In exercising due professional care, internal auditors should be alert to the possibility of fraud.
- Programmatic - assess whether the results or benefits achieved by an area are consistent with the area's established objectives and goals, and whether an area's operations or programs are carried out as planned.
An auditor should be aware that in performing different types of audits, various audit techniques might be used to assess the activity. For greater detail of how an auditor should perform different types of audits, an auditor should solicit information from auditors who may have performed the proposed audit and seek written information distributed by reputable audit sources.
The fieldwork of an audit is primarily performed in the office of the department /unit being audited. Depending upon the location and availability of records and reports, testing is sometime done there too. The audit work, in general, follows the following pattern:
Perform Audit Tests
Audit tests are usually analytical in nature and are designed to determine if the controls and procedures thought to be in place are functioning efficiently and as intended. The tests are usually performed on a selected sample of transactions; therefore, they are not intended to detect all errors or irregularities that may have occurred.
Documenting the Audit Work Performed
Completed audit programs and other information gathered during an audit are assembled into files referred to as 'audit work papers.' These papers contain the results of the testing and any other pertinent documentation such as memoranda, copies of reports, reconciliations, any correspondence, etc. Issues requiring corrective action are documented in these papers and are referred to as 'observations.' The work papers are indexed and follow an established format. Any background information that might be pertinent in future audits is maintained in a permanent work paper file.
Exit Conference With Appropriate Official(s)
When auditing is complete, any observations perceived as requiring corrective actions are discussed with the appropriate official(s). Suggested corrective actions are discussed and these, together with feedback from the appropriate official(s), become the basis for recommendations. Observations may be brought to the department/unit manager's attention as found or may be discussed at this time.
Draft Audit Report
The auditor in charge of the audit is responsible for preparing a report summarizing observations and recommendations.
Review Audit Work
The Director of Office of Auditing and Management Services reviews the work papers and approves the draft audit report.
Circulate Preliminary Draft of Audit Report
A preliminary draft of the proposed audit report is circulated to the appropriate official(s) for comments on observations. This gives the department/unit being audited an opportunity to verify the facts disclosed in the observations and to ensure the accuracy of the report. The department/unit manager(s) is/are given a period of time in which to request a meeting with the auditors to discuss these observations and to make comments/responses that will be included in the final report.
After the responses have been received, they are reviewed by the auditor and by the Director to determine what, if any, change may be needed to present a fair and accurate audit report. Every effort is made to correct any misleading or ambiguous statements or those statements that could be liable to incorrect interpretation.
Final Draft of Audit Report
After the preliminary report has been modified, if necessary, to correct factual inaccuracies or disputed wording, a final draft of the audit report is compiled to include the responses of the appropriate officials(s). Each response is listed immediately following the observation/recommendation to which it refers.
Issuance of Audit Report – IIA Standard 2440
A final audit report, including department/unit manager's responses, is prepared and submitted to the President with copies to the appropriate vice president(s), department/unit administrator(s), and the Board of Regents.
Follow-Up – Monitoring of Progress – IIA Standard 2500
Within the first 6 months following issuance of the audit report, plans or actions taken by the department/unit to correct observations will be reviewed. If it does not appear that the department/unit has adequately implemented corrective actions as indicated in the report, additional discussions will be held with the appropriate vice president(s) and administrator(s) to determine final disposition.