Audit Process
Below is more information explaining the audit process.
Areas selected for audit are on an audit plan which is based upon input from university administration, Board of Regents, managers, and the Internal Audit staff. The audit plan is risk based, and prioritizes potential projects based on risk rating, balancing potential impacts against probability. The audit plan also has provisions for special management requests and to investigate possible irregularities.
Factors that are considered in selecting units to be audited include:
- Results of the last audit of the area and length of time since last audit.
- The size and complexity of the operation
- Potential risk of financial loss
- Major changes in operation, program, systems, or controls
- Highly regulated operations or operations subject to a high level of public scrutiny
The audit plan is reviewed by University of West Georgia leadership, including the VP of Business & Finance as well as the University President. The plan is then submitted to the University System of Georgia Office of Internal Audit and Compliance (USG OIAC) for final review prior to approval by the Board of Regents’ Committee on Internal Audit, Risk, and Compliance.
Once the audit plan has been approved, communications will occur with the future auditable areas included in the plan (auditee) to work out the best timing for the review. This will allow Internal Audit to complete its required activity while minimizing any negative impact on the auditee.
Prior to the start of fieldwork, an audit plan will be developed to guide activities and ensure all critical risk areas are covered within engagement. All engagements will include a consideration of all potential areas which may be exposed to the risk of fraud.
In developing the audit program a number of resources will be accessed and incorporated in the final plan including:
- Past Audit workpapers from the same or similar area
- University System of Georgia resources
- Internet searches for audit documentation from other universities or similar resources
The audit program will include a prenumbering of anticipated activities which will then be reflected within Teammate. Teammate is a 3rd-party software product for tracking and retention of audit workpapers and related documentation.
Prior to start of fieldwork, an engagement letter will be distributed which will fully describe to the auditee the planned activities and timeframe for completion of the review.
The primary auditor assigned to a review will begin exploratory discussions with personnel in the audit area to identify the key personnel, procedures and systems related to the process under review. After input has been provided and the scope of the review more clearly defined, we will schedule an entrance meeting to discuss the scope and objectives of the audit.
The entrance meeting occurs at the beginning of fieldwork with the unit head and other appropriate personnel to discuss the audit scope and objectives, time schedule and audit review process. Any concerns raised by the unit personnel are also discussed.
Field work will vary by engagement, but generally will include the following steps:
- Collection and review of relevant policies, procedures and guidelines at the State, University System and University of West Georgia levels. Documentation will be evaluated against expected best practice standards and other professional documentation relevant to the subject of the audit.
- Process walk-throughs to ensure control and procedures are working as intended.
- Evaluation and analysis of data relevant to the audit subject. This could include:
- Benford’s analysis of expected patterns
- Review for unusual transactions or data patterns
- Consultation with USG OIAC data analytics audit specialists
- Sample selection for detail testing. Samples will be chosen based on appropriate criteria which may be random or judgmental depending upon the specific attributes to be tested. An examination of this test data will be conducted. Supporting documents will be reviewed as considered necessary to evaluate compliance with policies and procedures and make any necessary recommendations.
- Interviews will be conducted with impacted and involved department employees. These will be timed around their existing duties to minimize any intrusive disruption.
The emphasis of the evaluation is to determine if there are adequate control systems and whether the systems are functioning as intended. The controls are measured against University, State and Federal policies and procedures, as well as, generally accepted accounting principles and best practice standards. Areas of deficiencies and potential recommendations are discussed with the appropriate staff and are documented in the audit work papers.
Management should encourage personnel to be open with the auditors when discussing any aspect of the review. Often concerns raised by an auditor can be satisfied by alternate procedures or controls the auditor may be unaware of.
An Audit Observation is defined as an area of potential control weakness, policy violation, financial misstatement, inefficiency, or other problematic issue identified during the audit. Documentation of all Audit Observations will be maintained to facilitate discussion with auditee management during the course of the audit. When the Audit Observation is deemed valid and of sufficient significance, it will be documented within the Audit Report.
Observations will not be graded for inclusion on the formal audit report, but all items deemed by Internal Audit to be of Material or Significant concern will be documented within the audit report and management will be required to provide to provide an action plan addressing the concern. Observations will be graded within Internal Audit’s tracking system, TeamMate, for departmental tracking purposes. These rating can be provided to management upon request, but will have no bearing on the official report:
Grade | Description | Expected Remediation |
---|---|---|
Material |
|
|
Significant |
|
|
Comments |
|
|
Areas where no issues or exceptions have been identified are also tracked in the TeamMate system to assist in future audit planning and selection.
Throughout the engagement, audit personnel will discuss findings with auditee management. The objective of these discussions is to communicate and validate the audit findings, obtain agreement on resolving the audit finding, and use the proposed resolution to develop an Action Plan that management can commit to. While developing audit observations, the auditor will present the apparent root cause, risk, and proposed resolution for the issue. Therefore, when reviewing a draft of the issue for the first time, auditee management should take this into consideration and feel free to discuss modifications of the proposed Action Plans to more closely reflect a feasible solution.
During the course of the engagement, issues may arise that do not necessarily represent internal control weaknesses. These will be considered General Business Observations and are intended to surface issues considered of interest to the auditee. They describe observations identified through the normal audit process and may reflect broad concerns or opportunities associated with the area under review. General Business Observations will be communicated to auditee management when identified. Audit encourages auditee management to provide feedback on these observations to ensure relevant perspectives are considered. These concerns will be reported in the Internal Audit Report but may not require Action Plans depending upon the level of concern.
A meeting is scheduled with the same individuals who attended the entrance conference. At the exit conference, a rough draft of the audit report is reviewed so that all of the parties understand the nature of the recommendations and agree upon the possible solutions to any problem areas. Any misunderstandings or possible misstatements contained in the report are identified and resolved. Any deficiencies identified during the audit, which were not significant enough to be included in the audit report, but still represent a potential risk, are also discussed.
After the exit conference, a draft of the audit report is finalized. The report contains the Executive Summary, Introduction, Purpose and Scope, Observations and Recommendations, General Comments and any necessary attachments.
The draft of the audit report is sent to the appropriate department head and other impacted parties with a request to prepare a response to each recommendation which will address the observation appropriately. The final management comments are due within 10 business days following transmission of the final report draft.
The unit's responses are added to the audit report and any other corrections are also made. The final audit report is uploaded to TeamMate, and a pdf version of the report is distributed as appropriate. This distribution typically will include:
- University of West Georgia President
- UWG Vice President of Business & Finance
- UWG Vice President for Academic Affairs
- USG Chief Audit Officer/Associate Vice Chancellor for the Board of Regents
Additional parties will be copied on the report depending upon the subject and content.
Following the Final Audit Report distribution, auditee management may be asked to complete a Post-Audit Survey to help the Department of Internal Audit evaluate the effectiveness of the audit process. In addition, auditee management may be surveyed at specific times throughout the audit to assist us in determining the effectiveness of the audit, including department performance and professionalism.
The Department of Internal Audit will follow-up with regards to observations and action plans contained within the report to ensure appropriate mitigating activity is being implemented. This will generally take place within 60 tp 90 days of report date, but could be extended if the improvements are of a longer implementation timeline. A 60 day implementation timeline will be the minimum acceptable response for items of material concern.
The status of corrective action is also tracked in the TeamMate system, and late findings/resolutions are periodically reported to the Board of Regents.