
Audit Process



Planning

Annual Audit Plan

The Chief Audit Executive, by authorization of the President and the Board of Regents, annually establishes a plan of scheduled audits called the Annual Audit Plan (‘Plan’). The Plan covers the universities governed by the Board of Regents, i.e. The University of Oklahoma, Cameron University, and Rogers State University.  The audits selected can relate to specific departments/units within the universities, to processes that are carried out across a number of different departments/units (for example payroll), and/or to information technology systems.  In order to maximize the use of Internal Audit resources, a risk-based approach is adopted in drawing up the Plan. Major risk factors are identified using different risk assessment criteria, and areas with the highest perceived risk are given high priority for audit.  

The Plan, which is confidential, is prepared and submitted to the Board of Regents for review and approval.  Upon approval, the Plan is executed by Internal Audit during the course of the following year.  Additionally, unannounced audits may be performed at the discretion of the Chief Audit Executive or at the request of the Board of Regents, the President, or unit head.

The Annual Audit Plan remains flexible, allowing Internal Audit to respond to change, whether due to emerging risks or changes in Board priorities.

Engagement

An audit starts with engagement with the VP/Dean/Head of Department to be audited (‘unit management’).

Entrance Conference

An entrance conference is scheduled with unit management and key personnel to make the necessary introductions, to align on risks, to discuss the purpose, objectives and scope of the audit, the expected start and completion dates of the field work and any accommodation requirements. Input from the unit management is welcomed at this stage, particularly with reference to risks, any known concerns or areas of potential internal control weakness.

Preliminary Planning and Audit Program Development

The audit team researches the audit needs, incorporating any specialist knowledge required and input from the audit client.  A risk analysis and audit program are developed and reviewed by the Chief Audit Executive.


Fieldwork

Field work addresses the objectives of the audit and is carried out by the audit team.  Primarily, the work consists of verifying the existence of appropriate internal controls through discussions with key personnel and the testing of specific transactions with supporting documents on a sampling basis, and/or through data analytics and analysis. Progress is discussed with unit management, usually as individual objectives are finished, and particularly with regard to any audit concerns.

Exit Conference

An exit conference is held to discuss the results of the completed audit and any concerns that may have arisen.  Those attending the conference usually include the Chief Audit Executive, the audit team, the unit head, and anyone the unit head wishes to invite.  The exit conference provides an opportunity to resolve any questions the audit client may have about the concerns raised and to address any other issues before the Audit Report is prepared. Preliminary observations and recommendations may be discussed to provide transparency and gain alignment on identified risks.


Reporting

Audit Report

A draft Audit Report is prepared by Internal Audit to summarize the audit work and provide details of any observations, together with recommendations for action necessary to address the identified concerns.  The draft report is sent to the unit head.

If audit recommendations are made, a written management response to each recommendation is required.  The unit head should coordinate the development of these responses with appropriate levels of management.  The response should include:

  • Agreement with the observations and recommendations
  • Action plans for addressing the identified risks
  • Due date for implementation to which management commits
  • Name and title of individuals primarily responsible for implementing action plans

In the event that there is disagreement with a specific recommendation that cannot be resolved through discussion, the Chief Audit Executive may schedule the matter for consideration at the next meeting of the Finance, Audit, and Risk Committee of the Board of Regents.

Management's commitments are incorporated into the Audit Report by Internal Audit and sent to the appropriate vice president for final review and concurrence before the Report is issued as a final document.

The final Audit Report is issued with copies going to each member of the Board of Regents, the University President, appropriate Vice President, Dean, and unit head.


Post Audit Review Process

Audits with observations and recommendations require a Post-Audit Review. The post-audit review process is Internal Audit's validation of management's commitment to address the identified risks. The Post-Audit Review starts soon after the final audit report is issued with communication of the validation plan to the unit. The unit is responsible for providing status updates during implementation of their action plans and for completing full implementation by their commitment date as stated in the management response and documented in the Audit Report. Internal Audit tests the effectiveness of each action taken to address the identified risks, and communicates with the unit any concerns noted or when the actions taken are sufficient.

Report of Open Audit Recommendations

A Post-Audit Review Summary of the validation status and timing of remediation per outstanding action plan is communicated to the Finance, Audit, and Risk Committee periodically. 

In the event that management action plans have not been fully implemented following a Post-Audit Review, the Chief Audit Executive notifies the committee, which may in turn require a progress report from the unit head to ensure satisfactory conclusion.