Every successful audit is based on sound planning and an atmosphere of constructive involvement and communication between the client and Internal Audit. Our objective is to involve client management throughout each phase of the audit. Management’s participation results in both a better understanding of unit operations and a more effective implementation of recommendations. The West Virginia University audit process has four phases: Planning, Fieldwork, Reporting, and Follow-up. These phases are discussed in the following paragraphs.
Proper planning is critical to audit success. During this phase client opening meetings are conducted, audit objectives and scope are determined, Internal Audit staff gain an understanding of the unit’s business and operations, and an audit program is prepared. Internal Audit utilizes three steps to complete this phase of the audit project: Entrance Conference, Preliminary Survey, and Audit Planning Memorandum.
Prior to the start of fieldwork, Internal Audit meets with client management to identify risks, determine preliminary audit objectives, establish an audit timeline, and discuss audit deliverables. Client management is asked to designate a primary contact person from their staff to assist the audit team and to answer questions that might arise. Client management is also encouraged to use this opportunity to identify special concerns that should be included in the audit planning and to inform the auditors about any time constraints that must be observed during the audit. Internal Audit’s goal is to minimize, to the extent possible, the amount of disruption to ongoing departmental activities as a result of the audit process. However, some disruption is inevitable and it is best to plan for it during this phase of the audit. Representatives from client management attending this meeting usually include the Dean or Director, Chairperson or Department Heads, and Business Managers. At the conclusion of this step, a preliminary audit program is created by the Internal Auditor.
This is a general information-gathering process used by the Internal Auditor to obtain an overview of the client’s operations, practices, and policies. The information gathered in this step is generally obtained through discussions with departmental personnel and reviews of department reports or files. The survey process can take from several days to several weeks depending on the audit objectives, availability of records and personnel, and the Internal Auditor’s prior understanding of the department’s operations and business objectives. The Internal Auditor uses this information to refine the audit objectives and the audit program.
The planning memorandum presents the Internal Auditor’s understanding of the function(s) to be audited, the project objectives, the audit procedures to be used to achieve the objectives, a resource plan and budget, any special aspects to be considered, the audit period, and departmental audit contacts. This document is shared with the client and serves as a formal understanding between the client and Internal Audit as to the scope and objectives of the examination.
During this phase, the audit team will normally be on site at the client’s location. Fieldwork can be classified into three categories: analysis and evaluation, transaction testing, and informal audit observations and recommendations.
System Analysis and Evaluation
Much of the audit work performed is based on management’s system of internal controls. The audit team begins their evaluation of internal controls by reviewing system documentation and capabilities. Particular emphasis is placed on the assignment of duties, the approval process, and the reporting structure. This information is obtained primarily through interviews, process walk-throughs and flow charts. The audit team’s opinion regarding the adequacy of internal controls has a direct relationship to the amount and depth of the second category of audit fieldwork, transaction testing.
To determine if internal controls are operating effectively, the audit team selects a sample of transactions and then gathers and inspects sample documentation for evidence of compliance with stated procedures and practices. The testing results provide the audit team with a degree of assurance regarding the reliability and adequacy of the controls, and a means of measuring operational effectiveness and accountability. Through these analyses, the audit team is able to determine if department objectives are being achieved by client management. The audit team documents the test results, both positive and negative, in audit work papers.
Audit-Observations and Recommendations
The audit team leader meets with the designated management representatives during the course of fieldwork to discuss audit progress, audit test results, and observations and recommendations. The purpose of these meetings is threefold: to clarify any misunderstandings, to enlist management’s support in solving any problems discovered, and to ensure timely implementation of recommendations. Our goal is to discuss significant weaknesses discovered during the course of fieldwork and to achieve agreement regarding corrective action to be taken by management prior to the release of the final audit report.
Internal Audit utilizes a three-phase approach to audit report preparation: informal rough draft, discussion draft, and final report.
Informal Rough Draft
After fieldwork is completed, the Internal Auditor prepares a rough draft of the audit report. The report states the audit objective(s), the audit tests performed, the results of the audit tests, and recommendations for improvement.
The rough draft is circulated and discussed internally within Internal Audit prior to delivery of the discussion draft to the client.
After undergoing internal review, the report is
forwarded to the client with the notation that it is a preliminary report for
discussion purposes only. Generally, Internal Audit requests that client
management review the draft within fifteen calendar days and provide feedback
regarding the contents. Management is also asked to provide formal written
responses to each recommendation in the report, along with a target date
associated with their plan of action.
We strongly urge the client not to distribute the report to anyone other than operating management at this point, because the report is still subject to change. The discussion draft report is reviewed in detail during an exit conference between client management and Internal Audit representatives where audit test results, observations, and associated recommendations are discussed. At this meeting, we strive to reach an agreement on our observations and the approach to be taken by management to implement recommendations.
The final report is prepared based on the results of the exit conference and the discussion draft report review. Management’s responses to each recommendation are also incorporated into the final report if they are available within a reasonable time period following the exit conference. Confidential copies of the final report are distributed to the Dean/Director of the audited area, the appropriate Vice-President(s), and the President’s Office. A cover letter attached to the report requests a formal written response from the audit client (usually within thirty calendar days) if it was not already incorporated into the final report. A summary of each audit report is provided to the Audit Committee.
A database is used by
Internal Audit to track all observations and recommendations that are generated
from the audit. After a reasonable period of time, we contact the audit client
to request a status report on the corrective actions taken to date. We evaluate
the effectiveness of the corrective actions taken and may advise the client on
alternatives that they can employ to achieve the desired improvements. In larger,
more complex audit situations, this step may be repeated several times as
additional changes are initiated.
We generally request some type of evidence that can be documented in our database to support management’s implementation of the solution. Additional onsite visits and reviews may be performed to ensure adequate implementation of recommendations. Internal Audit provides information pertaining to the status of open audit issues at each Audit Committee meeting.