What are the steps of the audit process and how does it affect your unit?
PHASE 1: Engagement Planning
- Engagement planning ensures each audit is clearly defined, properly scoped, and aligned with the risks and objectives of the area under review.
- The process begins with setting objectives—such as assessing controls, compliance, efficiency, or fraud risk—and defining the scope, boundaries, and limitations.
- The Chief Auditor assigns staff and establishes a preliminary timeline, while auditors conduct a risk assessment, review prior reports and documentation, and meet with key personnel to understand processes.
- Based on this, a tailored audit program is developed and approved, followed by an entrance meeting to confirm expectations.
- A formal engagement letter or notification memo then documents the audit’s purpose, scope, timeline, and cooperation requirements, ensuring clarity and collaboration before fieldwork begins.
PHASE 2: Fieldwork-Documentation
- The fieldwork phase is where auditors gather evidence, test controls, and evaluate processes to determine effectiveness, efficiency, and compliance, following the approved audit program and professional standards.
- Activities include interviews, observations, document review, and risk-based sampling or analytics, with auditors expected to remain objective and discreet.
- Internal controls are assessed for proper design, operation, and documentation, and technology or data analytics may be used to detect anomalies or trends.
- All work is recorded in secure electronic workpapers that support conclusions and meet quality standards.
- Throughout fieldwork, auditors maintain open communication with management to clarify issues and share preliminary observations, while supervisors review progress, results, and documentation to ensure accuracy, completeness, and adherence to standards.
PHASE 3: Reporting
- The reporting phase communicates audit results to management and the Board, providing an objective assessment of risks, controls, and recommendations to improve operations.
- Report types include full-scope audits, advisory engagements, and special reviews or investigations.
- Each report typically includes an executive summary, objectives, scope, findings with root-cause analysis, recommendations, management responses, and an overall risk rating.
- Findings are classified as high, moderate, or low risk.
- Draft reports are reviewed for accuracy, shared with management for feedback, and finalized after incorporating responses.
- Final reports are distributed to department leadership, the overseeing Vice President, the President, the Board, and other stakeholders as appropriate.
- Reports are generally issued within 30 days of completing fieldwork, with any delays documented and communicated to the Chief Auditor.
PHASE 4: Follow-Up Activities
- Follow-up activities ensure audit recommendations are implemented effectively and risks are mitigated, reinforcing accountability and continuous improvement.
- The Office of Internal Audit tracks all recommendations, verifies implementation through documentation or testing, and reports results to senior management and the Board.
- Management is responsible for carrying out corrective actions, providing timely updates, and notifying Internal Audit of delays or changes.
- Recommendations are logged after each audit, and progress is monitored through reminders and status updates.
- Internal Audit validates completion based on risk level and issues quarterly reports that classify each recommendation's status as implemented, partially implemented, not implemented, or no longer applicable.
- Unresolved high-risk items may be escalated to executive leadership or the Board.
- Follow-up reviews typically occur three to six weeks after due dates, with all work documented in the audit management system.