Audit Procedures

A normal audit project performed by the Office of Internal Controls and Audit Services (Internal Audit) will follow the processes listed below:

Audit Selection

Audit Plan:

The Director of Internal Audit in collaboration with senior management and the Wright State University Board of Trustees (Board) carefully select the audit areas through a university-wide risk assessment. Risk can be defined in many categories financial, competitive, regulatory and reputation-relatedness, etc. Additionally, special review and consultation projects may be requested by senior management and the Board.

Scheduling

Notification Memo:

In general, several weeks before a project is scheduled to begin, Internal Audit will contact the management of the audit client through a notification memo. The audit notification memo will briefly describe the nature of the audit and also request information from the client, such as organizational charts and internal policies and procedures for audit planning purposes.

Entrance Meeting:

After the notification has been received, Internal Audit will set up an entrance meeting including the audit staff and management of the area being audited. At this meeting, Internal Audit will introduce its staff and identify how the audit process will proceed. Internal Audit will also present a preliminary scope and timeline for completion and solicit management's thoughts and concerns.

Preliminary Survey

Pre-audit Memo:

After the entrance meeting, a pre-audit memo will be issued to the audit client to summarize matters discussed at the entrance meeting.

Departmental Audit Questionnaire:

Whenever applicable, a departmental audit questionnaire will be completed by the client as part of the risk assessment process.

Interviews with Staff:

Internal Audit will usually meet with various members of the client's staff to gain an understanding of the business environment and key processes. This understanding is important to conducting an effective audit.

Risk and Control Matrices:

As the audit staff gains more familiarity with the client's operations, we will collaborate with the client to prepare risk and control matrices analyzing each control or lack thereof. In addition, proper testing strategies will be developed to be incorporated into the audit program.

Audit Program:

An audit program will be developed noting how the fieldwork will be conducted. The audit program will occasionally be adjusted as the project evolves and new risks are identified through-out the audit field work.

Field Work

Audit Testing:

The focus of this phase is to gather information to afford an unbiased conclusion on the audit objectives. It usually involves various testing procedures utilizing sample selection. Samples can be selected judgmentally and/or randomly. Once the selection is complete, a listing will be provided to the client to determine how best to pull the information.

Documents will either be tested on-site or copies will be taken back to the Internal Audit office for review, depending on the nature of the documentation and the client's preference. If testing is to take place on-site, the audit team will need space in the client's office to perform the work.

Review of Issues/Concerns:

Whenever test work identifies material concerns that require immediate remedy, these concerns will be shared with the client. Other identified issues will be confirmed with the client before proceeding into the reporting phase.

Reporting

Draft Report:

The Internal Audit team will prepare a draft report to share with the client before the exit meeting. The draft report will usually include background, scope, conclusion, detail discussion of major issues and auditor's recommendations.

Exit Meeting:

An exit meeting will be held with the internal audit staff and the client. The purpose of this meeting is to go over the draft report for factual confirmation, wording clarification and to discuss any needed follow-up procedures.

Management Responses:

After the exit meeting, the clients have two weeks to prepare their responses and action plans to be included in the final report. These responses and action plans should be brief, but must address the issue and risk appropriately. The final draft report including any revisions discussed in the exit meeting will be provided to the client in an electronic format so that clients can enter their response directly into the document.

Client Survey:

A survey will be distributed during the exit meeting to offer the client a chance to evaluate the internal audit staff on performance and customer satisfaction. Internal Audit takes these surveys very seriously and hopes that all clients would complete them in a timely manner. Internal Audit is constantly looking for feedback to help improve our level of service to the community.

Report Distribution:

After the client's response is received, the final report is issued to the audit client, with copies sent to the Senior Vice President of Business and Fiscal Affairs and all other senior management affected by the report.

Follow-Up

Semi-Annual Client Updates on Issues:

Six months after an audit is completed, Internal Audit will contact the client to obtain an update on the progress of recommendation implementation. This update will not be verified at this time by Internal Audit but certain major updates will be included in the executive summary.

Executive Summary:

Every six months, the Director of Internal Audit will present an executive summary of audit activities to be reviewed by the Finance and Audit Committee of the Board of Trustees.