A normal audit project will follow the processes listed below:
The assistant vice president and chief audit, risk, and compliance officer, in collaboration with senior management and the Wright State University Board of Trustees, carefully select the audit areas through a university-wide risk assessment. Risk can be defined in many categories including financial, competitive, regulatory, and reputation, etc. Additionally, special review and consultation projects may be requested by senior management and the board.
In general, several weeks before a project is scheduled to begin, an internal auditing staff member will contact the management of the audit client through a notification memo. The audit notification memo will briefly describe the nature of the audit and also request information from the client, such as organizational charts and internal policies and procedures for audit planning purposes.
After the notification has been received, internal auditing staff will set up an entrance meeting including the audit staff and management of the area being audited. At this meeting, internal auditing staff will introduce themselves and identify how the audit process will proceed. Internal auditing staff will also present a preliminary scope and timeline for completion and solicit management's thoughts and concerns.
After the entrance meeting, a pre-audit memo is issued to the audit client to summarize matters discussed at the entrance meeting.
Departmental Audit Questionnaire
Whenever applicable, a departmental audit questionnaire will be completed by the client as part of the risk assessment process.
Interviews with Staff
Internal auditing staff will usually meet with various members of the client's staff to gain an understanding of the business environment and key processes. This understanding is important for conducting an effective audit.
As the audit staff gains more familiarity with the client's operations, internal auditing will collaborate with the client to prepare risk and control matrices analyzing each control or lack thereof. In addition, proper testing strategies will be developed for the audit program.
An audit program will be developed noting how the fieldwork will be conducted. The audit program will occasionally be adjusted as the project evolves and new risks are identified throughout the audit fieldwork.
The focus of this phase is to gather information to allow auditing to come to an unbiased conclusion on the audit objectives. It usually involves various testing procedures using sample selection. Samples can be selected judgmentally or randomly. Once the selection is complete, a listing is provided to the client to determine how best to pull the information.
Documents will either be tested on-site or copies will be taken back to the Department of Audit, Risk, and Compliance office for review, depending on the nature of the documentation and the client's preference. If testing is to take place on-site, the audit team will need space in the client's office to perform the work.
Review of Issues/Concerns
Whenever test work identifies material concerns that require immediate remedy, these concerns will be shared with the client. Other identified issues will be confirmed with the client before proceeding into the reporting phase.
The internal auditing team will prepare a draft report to share with the client before the closing meeting. The draft report will usually include background, scope, conclusion, detailed discussion of major issues, and the auditor's recommendations.
A closing meeting will be held with the internal auditing staff and the client. The purpose of this meeting is to go over the draft report for factual confirmation, wording clarification, and to discuss any needed follow-up procedures.
After the closing meeting, the clients have two weeks to prepare their responses and action plans to be included in the final report. These responses and action plans should be brief but must address the issue and risk appropriately. The final draft report, including any revisions discussed in the closing meeting, will be provided to the client in an electronic format so that clients can enter their responses directly into the document.
A survey will be distributed during the closing meeting to offer the client a chance to evaluate the internal audit staff on performance and customer satisfaction. Internal auditing takes these surveys very seriously and encourages university clients to complete them in a timely manner. Internal auditing is constantly looking for feedback to help improve our level of service to the community.
After the client's response is received, the final report is issued to the audit client, with copies sent to the appropriate senior management.
Corrective Action Plan
The client is asked to resolve all issues identified in the final report within 90 days of the report’s issue date, pursuant to management’s responsibility for establishing and maintaining internal controls to achieve effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. Internal auditing will provide a corrective action plan form to facilitate this status review.
Semi-Annual Client Updates on Issues
Six months after an audit is completed, internal auditing will contact the client to obtain an update on the progress of recommendation implementation. This update will not be verified at this time by internal auditing staff, but certain major updates will be included in the executive summary.
Every six months, the assistant vice president and chief audit, risk, and compliance officer will present an executive summary of audit activities to be reviewed by the finance, audit, and infrastructure committee of the Board of Trustees.