On a yearly basis, the Director of Internal Audit will perform a risk assessment, which forms the basis for a strategic audit plan. Upon completion of the risk assessment, the areas which have a higher risk are presented to the Audit Committee for the selection of the audits to be performed for the upcoming fiscal year. Although every audit is unique, similarities can be found in each one. The typical audit process consists of:
The Director of Internal Audit notifies the unit head in writing when his or her area is selected for an audit. This document, which is referred to as an engagement letter, indicates general objectives of the audit and the projected time frame of the audit. A request for relevant information/item records that will facilitate the audit is included with the engagement letter as an attachment.
The entrance conference provides the opportunity for the Director of Internal Audit and unit head to discuss the scope and schedule of the audit. Personnel deemed appropriate by the unit head are encouraged to attend and present any questions or concerns they have about the audit.
During this portion of the audit, the Director of Internal Audit will gain an understanding of the unit's functions, procedures, objectives, size, etc. Key personnel are interviewed; written policies and procedures, organizational charts, related forms and job descriptions are reviewed to enable the auditor to plan the audit tests to be performed and to become familiar with the unit's operations
This phase of the audit includes testing the internal controls and performing other audit procedures necessary to accomplish the objectives of the audit. Status meetings are conducted throughout this time period, and all potential audit observations and recommendations are discussed
An exit conference is scheduled for the last day of fieldwork. The Director of Internal Audit presents the summary of observations and gathers cause statements from management. Further, it is an opportunity to discuss the audit observations and clarify any ambiguities
It is the goal of the Director of Internal Audit to complete the audit and issue a draft audit report within 30 days after the completion of fieldwork. The draft audit report is prepared from the summary of observations presented at the exit conference. A written response to the draft report is required within 2 weeks of receiving the draft report. Management’s responses must include the unit’s plan for corrective action, the name and title of the person responsible for implementing the corrective action and the date by which the action will be implemented
When all of the draft audit issues are finalized and all the responses are received, a final report will be issued