The audit process consists of the following components:
Key steps in the Internal Audit process are outlined below.
Planning – The client department or unit is notified and a planning meeting is conducted with the responsible principal officer to discuss and obtain input on the initial objectives and scope of the engagement, the timing of the review and reporting process.
Preliminary Survey – A preliminary survey is conducted that usually begins with a meeting with the principal/senior officer of the activity to discuss potential scope and concerns; interviewing management and staff, and gathering background information; identifying key strategic, operational and compliance objectives; reviewing formal guidance; gaining an understanding of organizational governance, risk management processes and regulatory compliance; reviewing budgetary information, flowcharting key departmental processes and identifying and testing key departmental processes and controls. The preliminary survey may indicate that additional field work is necessary to focus on areas where controls could be improved. The result of the survey is the generation of a risk matrix leading to the development of an audit program.
Field Work - The auditor conducts steps to test key objectives identified in the project risk matrix and gathers, classifies and appraises information to measure and evaluate the effectiveness of specific processes and controls. Sample transactions for a specific test period are often evaluated. Throughout the course of audit fieldwork, the auditor confers with client management about areas where improvements may be appropriate.
Draft Report - Upon completion of the field work, the auditor prepares a draft audit report which outlines the conclusion (executive summary), audit objective, scope, observations, and recommendations/agreements. Meetings are conducted with individuals and/or impacted units. In these meetings, the observations are discussed with the client with the goal of reaching agreement as to the appropriate corrective action to address the observation(s). The other goal is to resolve any misunderstandings regarding the content and accuracy of the report.
Principal Officer Concurrence - Following these meeting(s), the report is revised as needed and recommendations are changed to agreements where possible. A review copy of the final report is shared with the principal officer for concurrence prior to release of the final report. Corrective actions agreed to by management and Internal Audit is included in the final report in lieu of a subsequent written departmental response.
Final report - The finalized report is issued to the campus principal or senior officer who has responsibility over the area; to the campus Audit Committee; and to the UC Ethics and Audit Office.
Follow-up - IAS performs follow-up on observations to determine whether departments have implemented corrective actions. The follow-up is generally performed quarterly, with an audit inquiry as to the status of corrective action followed by a validation of completion if so indicated by the client. When it has been determined that corrective actions have been conducted as agreed to resolve the underlying audit issue, the audit is considered closed. Management Corrective Actions (MCA) are maintained electronically in a secure database (TeamCentral). A report is generated monthly and distributed to the Principal Officers and responsible party to assist in the resolution of open, agreed upon management corrective actions.