The following audit process is common to most audits, but may vary depending on the content or needs of the Internal Audit Department and the client.
The auditor initiates the audit process, gains an understanding of the department, identifies risks, and establishes specific audit objectives. The auditor:
- Contacts and informs department management of the reason for the audit and general scope.
- Meets with management to discuss and obtain general information about the department
- Performs a risk assessment to determine audit scope (areas to audit) and objectives.
- Develops the audit plan and programs.
Department management and Internal Audit staff meet to discuss the next steps and functional areas that are included in the audit. The attendees:
- Discuss preliminary audit scope and objectives based on risk assessment
- Discuss department concerns or additional areas of audit interest.
- Review audit and reporting processes.
- Determine time frame for audit.
- Establish department contact person for the auditor staff to communicate audit concerns throughout the audit process.
- Distribute client feedback survey.
The auditor reviews, evaluates, and tests internal controls. The auditor:
- Meets with department staff to obtain understanding of internal control structure
- Performs and documents audit tests.
- Identifies weaknesses in policies or procedures, or business operations.
- Summarizes audit results and communicates areas of concern to department’s primary audit contact.
The auditor reviews the audit documentation and prepares a draft report to:
- Communicate the audit scope, objectives, and conclusions.
- Provide comments and recommendations related to weaknesses in internal controls.
Comments include the following elements:
Condition – what happened.
Cause – why did it happen.
Effect or risks - the resulting outcome or impact.
Criteria – what should be.
Recommendation – what should be done to address the cause.
- Internal Audit staff distributes the draft report to applicable department management.
Department management and Internal Audit staff meet to conclude the audit and discuss the draft report. The attendees:
- Review draft report content and discuss changes.
- Determine due date for management’s response
Department management prepares a written response to the audit recommendations in the draft report. The response includes:
- Corrective action to be taken.
- Implementation timeframe.
Internal Audit staff reviews and adds management’s response to the draft report.
Internal Audit staff prepares the report for final distribution to department management, other University of Washington officials as appropriate, and the State Auditor’s Office
The auditor contacts department management to determine implementation status of audit recommendations.