The Audit Process

When we notify you about an upcoming audit of your unit, or if you have requested an audit, we ask that you supply information regarding financial, operational, and information system documentation unique to your unit so we can get to know your unit and its operations. If you are aware of other information that would be helpful to us as we review your operation, we ask that information also be provided.

At the entrance conference, we describe the audit process and ask that you share any internal control concerns you have regarding your unit. This is an opportunity to request audit review and assessment of issues important to management.

With input from you and the information you have provided, we begin the audit planning process. We meet with your unit’s management from various areas (e.g., finance, human resources, IT) and may go over an internal control questionnaire to better understand each area’s existing controls. Most audits will also include an employee survey. When planning is complete we send you an engagement letter and audit work plan and ask that you review the plan and suggest revisions, if needed. We encourage you to ask questions if you don't understand why certain activities have been included or excluded. There are no secrets to our audit scope or process, and your input at this point is particularly valuable. However, the audit work plan may change slightly if additional areas of risk are identified during testing.

Much of our testing is accomplished “behind the scenes” using sources such as EFS and the Perceptive Content imaging software; however, we also spend time in your unit asking questions and interviewing appropriate staff as needed to clarify processes and ask questions regarding our test results. As we share test results with management, we ask that you review the preliminary results and begin thinking about possible corrective actions.

After our testing has concluded, we provide you with a draft audit report with our results. All issues raised will have recommendations, which are our suggestions on how to remediate the issue. When you have had a chance to review the draft report, we hold an exit conference with you and any of your staff you’d like to include, during which you may make suggestions for any changes or enhancements. Keep in mind this review is vital to ensuring the accuracy of the report.

We ask units to offer solutions to the issues addressed, assign individual(s) responsible for seeing that the solution has been attained, and to project realistic time frames for completion of the recommendations made. Your involvement is particularly critical to ensure the corrective action taken is the best solution to the control issue addressed.

After we have reviewed the draft report with you and you have provided your management action plan, we issue a final report and executive summary. Copies of the report and/or the executive summary will be distributed to the President of the University, the Board of Regents, the Legislative Auditor, the University’s external auditors, and other interested parties. The final audit report is a public document.

As part of the audit report, we prepare and include a control chart. The control chart is a visual representation of the areas where our testing has indicated control processes are operating effectively or where improvements are needed to increase the effectiveness and efficiency of your internal control environment. This bar chart will indicate what areas are “Essential” and “Significant” to improving internal control, as well as, areas we reviewed that have sufficient controls.

After the final report has been issued, we send you a post-audit survey where you may rate our performance and your satisfaction with the audit process; your feedback helps us continually improve our processes.

Three times per year, we perform follow up on audited units that have audit recommendations rated as “Essential” that are not yet fully implemented, and update the Audit and Compliance Committee as to the status of your corrective actions. We contact your unit and ask you to provide information on any outstanding items; it is helpful for you to be proactive in monitoring and reporting the status of corrective action internally. The primary benefits of the audit are not realized until effective corrective action is taken to address the underlying issue, which may vary from our recommendation or even from your original management action plan.

As you can see, the audit process is optimized with your active participation and input. Again, to this end, we look forward to partnering with you throughout this process to improve and sustain University controls, accountability and oversight.

This audit incorporates a rating system that has been developed to enable the reader to determine the relative importance of the recommendations made. The rating for each recommendation is shown directly after each recommendation. Recommendations are rated as follows:

Essential
Resolution would help avoid a potentially critical negative impact involving loss of material assets, reputation, critical financial information, or ability to comply with the most important laws, policies, or procedures.

Significant
Resolution would help avoid a potentially significant negative impact on the unit's assets, financial information, or ability to comply with important laws, policies, or procedures.

Useful
Resolution would help improve controls and avoid problems in the unit's operations. These issues are handled verbally with the unit audited.

The status of all "Essential" recommendations is determined and reported to the Audit & Compliance Committee quarterly. "Significant" and "Useful" recommendations are followed up on during the next scheduled audit.