The primary objectives of an audit or review is to determine whether management has put sufficient internal controls in place to adequately mitigate risks, processes are efficient and effective, and the unit complies with applicable rules and regulations. The outcome of an audit or review is positive change through improved mitigation of risk.
Audits are selected from a risk assessment of the university. Areas with higher risk are those with cash collections, large volume of transactions, past internal control concerns, complex operations, systems significantly impacting university operations, greater potential for negative publicity, and extended time since last audit.
The audit begins with planning the audit and meeting with management at an entry conference. At the meeting, we explain the audit scope and objectives, discuss the timing of the audit, and ask about any concerns of management. The auditor next obtains background information, reviews applicable regulations, and discusses with management the area's mission, objectives, and higher risk issues.
In this phase of the audit, the auditor meets with staff and management to understand the unit's procedures and internal controls. The auditor identifies controls that reduce risk, as well as any missing controls.
The auditor tests a sample of transactions, with emphasis placed on higher risk items to verify that controls are functioning as intended or determine where improvements are needed. Audits of revenues and expenditures typically include tests of revenues, purchases, PCard purchases, property, travel, and payroll.
The auditor first meets informally with management of the area to discuss probable report comments to ensure the comments are accurate and that the recommendations are feasible. Then the report is drafted and sent to management for review prior to discussion at the exit conference.
The final report reflects changes discussed at the exit conference as well as management's plan for corrective action. The report is officially addressed to the University President, with copies to applicable administrators and to the Board of Trustees.
We follow-up with management to determine whether the recommendations were successfully implemented. To perform the follow-up, the auditor inquires about progress in implementing the recommendation and