Selection: Audit plans are based on a comprehensive risk assessment, including risks identified by the Board of Trustees, the Commissioner and the Institutional Executive Officer.
Planning: During the planning stages of an audit, the lead auditor will review any prior audits of the unit, research applicable polices and procedures and any state/federal laws and regulations. Once an objective and scope of the audit are determined an audit program will be developed. The lead auditor will notify the head of the unit and schedule an entrance conference. There will be some cases where an entrance conference is not scheduled depending on the nature of the audit.
Entrance Conference: The head of the unit being audited may at his/her discretion invite other management to attend. During the entrance conference, the lead auditor will discuss the objective, scope and timing of the audit. The auditor may discuss certain planned audit procedures and may have an initial request for information. The auditor will also answer any questions that management may have concerning the audit.
Fieldwork: This is where the audit team will gather information about the unit by interviewing, observing processes, confirmations, analyzing data, and performing tests of controls (including testing technology controls). The audit team will determine the adequacy and efficiency of internal controls of the unit's operation. The audit team will also incorporate best/good practices to evaluate if processes are operating efficiently. The audit team will try to schedule on-site fieldwork visits at a time where there will be minimal distraction from the day-to-day operation of the unit.
Observation(s): The auditor will document any observations during his/her fieldwork. During the fieldwork, the auditor may discuss observations with management or give periodic progress updates to management.
Preliminary Report and Discussion: The auditor prepares a report. The report contains the purpose, scope, and results of the engagement and, most likely, has recommendations for management to consider. The report contents are discussed with management as many times the best solution to an observation comes from management.
Management Corrective Action Plan: Management is given an opportunity to review the content of the report and is requested to provide a written management corrective action plan. Once the auditor has received managements responses they are included verbatim into the final report.
Exit Conference: An exit conference is held to discuss any final details of the audit.