A normal audit project performed by the University Audit and Consulting Services (Internal Audit) will follow the processes listed below:
The Chief Auditor, in collaboration with senior management and the Wright State University Board of Trustees (Board), carefully selects the audit areas through a university-wide risk assessment. Risk can be defined in many categories: financial, competitive, regulatory, reputation-related, etc. Additionally, special review and consultation projects may be requested by senior management and the Board.
In general, several weeks before a project is scheduled to begin, Internal Audit will contact the management of the audit client through a notification memo. The audit notification memo will briefly describe the nature of the audit and also request information from the client, such as organizational charts and internal policies and procedures for audit planning purposes.
After the notification has been received, Internal Audit will set up an entrance meeting including the audit staff and management of the area being audited. At this meeting, Internal Audit will introduce its staff and identify how the audit process will proceed. Internal Audit will also present a preliminary scope and timeline for completion and solicit management's thoughts and concerns.
After the entrance meeting, a pre-audit memo will be issued to the audit client to summarize matters discussed at the entrance meeting.
Departmental Audit Questionnaire
Whenever applicable, a departmental audit questionnaire will be completed by the client as part of the risk assessment process.
Interviews with Staff
Internal Audit will usually meet with various members of the client's staff to gain an understanding of the business environment and key processes. This understanding is important to conducting an effective audit.
As the audit staff gains more familiarity with the client's operations, Internal Audit will collaborate with the client to prepare risk and control matrices analyzing each control or lack thereof. In addition, proper testing strategies will be developed to be incorporated into the audit program.
An audit program will be developed noting how the fieldwork will be conducted. The audit program will occasionally be adjusted as the project evolves and new risks are identified throughout the audit fieldwork.
The focus of this phase is to gather information to afford an unbiased conclusion on the audit objectives. It usually involves various testing procedures utilizing sample selection. Samples can be selected judgmentally and/or randomly. Once the selection is complete, a listing will be provided to the client to determine how best to pull the information.
Documents will either be tested on-site or copies will be taken back to the Internal Audit office for review, depending on the nature of the documentation and the client's preference. If testing is to take place on-site, the audit team will need space in the client's office to perform the work.
Review of Issues/Concerns
Whenever test work identifies material concerns that require immediate remedy, these concerns will be shared with the client. Other identified issues will be confirmed with the client before proceeding into the reporting phase.
The Internal Audit team will prepare a draft report to share with the client before the closing meeting. The draft report will usually include background, scope, conclusion, detailed discussion of major issues and the auditor's recommendations.
A closing meeting will be held with the internal audit staff and the client. The purpose of this meeting is to go over the draft report for factual confirmation and wording clarification, and to discuss any needed follow-up procedures.
After the closing meeting, the clients have two weeks to prepare their responses and action plans to be included in the final report. These responses and action plans should be brief, but must address the issue and risk appropriately. The final draft report including any revisions discussed in the closing meeting will be provided to the client in an electronic format so that clients can enter their response directly into the document.
A survey will be distributed during the closing meeting to offer the client a chance to evaluate the internal audit staff on performance and customer satisfaction. Internal Audit takes these surveys very seriously and hopes that all clients will complete them in a timely manner. Internal Audit is constantly looking for feedback to help improve our level of service to the community.
After the client's response is received, the final report is issued to the audit client, with copies sent to the Senior Vice President of Business and Fiscal Affairs and all other senior management affected by the report.
Corrective Action Plan
The client is asked to resolve all issues identified in the final report within 90 days of the report’s issue date, pursuant to management’s responsibility for establishing and maintaining internal controls to achieve effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. University Audit and Consulting Services will provide a corrective action plan form to facilitate this status review.
Semi-Annual Client Updates on Issues
Six months after an audit is completed, Internal Audit will contact the client to obtain an update on the progress of recommendation implementation. This update will not be verified at this time by Internal Audit, but certain major updates will be included in the executive summary.
Every six months, the Chief Auditor will present an executive summary of audit activities to be reviewed by the Compliance and Audit Committee of the Board of Trustees.