The Audit Process
Introduction
The general objective of an audit is to evaluate the adequacy of the internal control structure and general controls established through policies and procedures. Auditing is carried out with reference to federal and state law and other governing regulations, Board of Regents' Policy, and general good business practice and will include the following:
- Assessing compliance with regulations and written policies and procedures
- Verifying the existence of assets and ensuring proper safeguards for their protection
- Investigating reported occurrences of fraud, embezzlement, theft, waste, etc., and recommending controls to prevent or detect such occurrences
- Determining if resources are employed in an economic, efficient, and effective manner
The Director of Internal Audit and the Internal Audit staff are authorized by the President and the Board of Regents to have full, free, and unrestricted access to all University functions, records, property, and personnel.
Annual Audit Plan
The Director of Internal Audit, by authorization of the President and the Board of Regents, annually establishes a plan of scheduled audits called the Annual Audit Plan. The Plan covers the universities governed by the Board of Regents, i.e. University of Oklahoma, Cameron University, and Rogers State University. The audits selected can relate to specific departments/units within the universities, or to processes that are carried out across a number of different departments/units (for example payroll). In order to maximize the use of Internal Audit resources, a risk-based approach is adopted in drawing up the Plan. Major risk factors are identified, using different risk assessment criteria, and areas with the highest perceived risk are given high priority for audit. All university areas receive audit coverage and an 'average-risk' unit might expect to be audited every four to five years.
The confidential Annual Audit Plan is prepared and submitted to the Board of Regents each year for review and approval. Upon approval, the Plan is executed by Internal Audit during the course of the following fiscal year. Additionally, unannounced audits may be performed at the discretion of the Director of Internal Audit or at the request of the Board of Regents, the President, or unit head.
Engagement
An audit on the Annual Audit Plan starts with the issue of an engagement letter. The head of the department/unit to be audited (the 'auditee') is contacted by the Director of Internal Audit in writing before the audit is scheduled to start and notified of the audit process.
Entrance Conference
An entrance conference is scheduled with unit management and key personnel to discuss the purpose, objectives and scope of the audit, and the expected start and completion dates of the field work. Input from the unit management is welcomed at this stage, particularly with reference to any known concerns or areas of potential internal control weakness.
Preliminary Planning and Audit Program Development
The in-charge Audit Manager researches the audit needs, incorporating any specialist knowledge required, and develops an audit program to be approved by the Director of Internal Audit.
Field Work
Field work addresses the objectives of the audit and is carried out by the audit team usually comprising the Audit Manager and one or two audit staff. Primarily, the work consists of verifying the existence of appropriate internal controls through discussions with key personnel and the testing of specific transactions with supporting documents on a sampling basis. Progress is discussed with unit management, usually as individual objectives are finished, and particularly with regard to any audit concerns.
Exit Conference
An exit conference is held to discuss the results of the completed audit and any concerns that may have arisen. Those attending the conference usually include the Director/Associate Director of Internal Audit, the Audit Manager, the unit head, and anyone the unit head wishes to invite. The exit conference provides an opportunity to resolve any question the audit client may have about the concerns raised and to address any other issues before the Audit Report is finalized.
Audit Report
An initial Audit Report is prepared by Internal Audit to summarize the audit work done and give details of any concerns that have been found, together with recommendations for action necessary to address those concerns. The report is sent to the unit head, with a copy to the appropriate vice president.
If audit recommendations are made, a written management response to each recommendation is required. The unit head should coordinate the development of these responses with appropriate levels of management. The response should include:
- Agreement with the recommendation
- The plan of action for implementing the recommendation
- The deadline date for implementation to which management commits
- The name and status of the individual primarily responsible for implementing the recommendation
In the event that there is disagreement with a specific recommendation that cannot be resolved through discussion, the Director of Internal Audit may schedule the matter for consideration at the next meeting of the Finance and Audit Committee of the Board of Regents.
The responses are incorporated into the Audit Report by Internal Audit and sent to the appropriate vice president for final review and concurrence before the Report is issued as a final document.
The final Audit Report is issued with copies going to each member of the Board of Regents and to the President, appropriate vice president, dean, and unit head.
The Post-Audit Review Process
All audits with concerns and recommendations are required to have a Post-Audit Review. The post-audit review process is intended to ensure that management has addressed all recommendations included in the Audit Report. The Post-Audit Review takes place soon after the agreed implementation deadline to which management has committed in the management response. During the review, Internal Audit tests the effective implementation of each audit recommendation. If recommendations have not been satisfactorily addressed, a second Post-Audit Review is scheduled. This process continues with successive Reviews until either the recommendation has been implemented or the circumstances giving rise to the concern have changed.
The results of each Post-Audit Review are summarized in a memorandum that is sent to every member of the Board of Regents and to the President, appropriate vice president, dean, and unit head.
Report of Open Audit Recommendations
A 'Report of Open Audit Recommendations' is presented by the Director of Internal Audit at each scheduled meeting of the Finance and Audit Committee of the Board of Regents. This report lists the audit recommendations that have not been fully implemented following a Post-Audit Review and takes the form of a color-coded summary of the outstanding issues, as follows:
Green: Recommendation is fully implemented
Yellow: Implementation of the recommendation is in progress and a revised date for completion has been agreed
Red: Recommendation is either: a) not in progress, or b) not fully implemented and 'past due' following a second or later Post-Audit Review. To the extent that past due issues give rise to special concern, a progress report to the Finance and Audit Committee of the Board of Regents may be required from the unit head.
Overview of Internal Audit
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. To view a Power Point presentation showing and overview of auditing at the University of Oklahoma please click here.
*****
Professional Standards
Internal Auditors perform their audit work in accordance with gennerally accepted auditing standards as outlined by the Institute of Internal Auditors and the American Institute of Certified Public Accountants
Institute of Internal Auditors
American Institute of Certified Public Accountants