The prospect of an audit can be intimidating to most people; however, it does not need to be. The Department of Internal Auditing (DIA) works with its audit client during every step of the process to help improve operations and add value to the organization. Familiarizing yourself with the audit process can pave the way to a pleasant and productive audit experience. The audit process is a seven-step procedure as outlined below.
- Notification of Audit
- Entrance Conference
- Preliminary Survey
- Audit Work
- Exit Conference
- Issuance of the Audit Report
- Follow-up on Responses
In accordance with its approved audit plan, the DIA schedules audits that will be performed during the year. Prior to the start of each audit, the Director sends a letter of notification to the appropriate official(s) in the area being audited. The letter of notification gives the name of the auditor in charge, the nature of the audit, and the audit objectives, and asks for the cooperation of the responsible official.
It is customary for the Director or Associate Director and the auditor in charge to meet with the responsible official in the department being audited prior to the beginning of the audit. This meeting is used to introduce the audit staff, communicate to the responsible official the nature of the audit, establish a person as the key contact in the area being audited, and agree on a time when the audit will commence. It also gives the responsible official the opportunity to contribute ideas to the audit process.
The auditor makes a preliminary survey of the area under review in order to become familiar with the policies and procedures which might impact the area being audited. The following would be typical steps taken:
- Gain understanding of existing procedures through observation, discussions with staff, or review of documentation
- Identify existing internal and accounting controls applicable to the area being audited
- Establish the scope of the audit based on information obtained and risk assessment
- Review applicable policies and/or procedures
- Prepare an audit program which outlines the nature and the extent of audit tests that will be performed
The general flow of the audit work is outlined as follows:
- Perform audit tests: Audit tests are generally analytical in nature and are designed to determine if the controls and procedures thought to be in place are functioning as intended. Because the tests are generally performed by the use of a selected sample of transactions, they are not intended to detect all errors or irregularities that may have occurred in the area being tested.
- Document the audit work performed: The completed audit programs and other information gathered during the course of the audit are assembled in files referred to as the "audit work papers." The work papers contain the results of the testing, as well as any other pertinent documentation such as memoranda on discussions and meetings, copies of reports, reconciliations, etc. Any conditions requiring corrective action are documented in the work papers and are referred to as "findings." Background information which might be useful in future audits is maintained in a permanent work paper file.
- Discuss audit "findings" with appropriate officials: Once a condition is noted that the auditor perceives as requiring corrective action, the "finding" is discussed with the appropriate level of staff in the area being audited. Suggested actions are discussed and become the basis for the auditor's recommendations. Findings may be brought to management's attention as discovered or may be discussed at the end of the audit.
- Draft audit report: The auditor in charge is responsible for preparing a report summarizing the results of the audit assignment. Although audit reports vary according to the nature and complexity of the assignment, they generally follow an established format.
- Review audit work: The audit manager reviews the work papers and approves the draft audit report.
- Circulate draft audit report: A draft of the proposed audit report is circulated to appropriate officials for comments on findings. This policy gives the units being audited an opportunity to verify the facts disclosed in the findings and ensure the accuracy of the report. Units will be asked to provide management responses to recommendations. The response consists of four components: whether the unit agrees or disagrees with the problem, the action plan to correct the problem, the individual responsible for the correction, and the expected completion date. The corrective action plan should be discussed with senior management prior to writing a formal response to DIA.
An exit conference will be held so that the audit team and appropriate officials can discuss the draft audit report and review management responses. Every effort is made to correct statements that may be misleading or subject to a wrong interpretation. This is an opportunity to discuss how the audit went and any remaining issues.
After the formal management responses to recommendations are received, they are reviewed by the auditor in charge and included in the audit report. Each response is shown immediately following the recommendation to which it relates. The auditor in charge is responsible for preparing a final version of the audit report. Once the final report has been approved by the Director, copies of the report are sent to the President, the Senior Vice President for Administration and Finance, and to all involved Institute officials. A distribution list, showing the names of persons receiving copies, is included in the audit report memorandum.
DIA follows up on the responses to the recommendations made in the audit report. The follow-up may be informal observations of corrective action or, in some instances, may take the form of a subsequent audit. The nature of the follow-up will be dictated by the seriousness and complexity of the deficiencies noted.