Office of University Audit
The Audit Process
Every successful audit is based on an atmosphere of constructive involvement between the auditor and the department being audited. It is our intention to involve management in each stage of the audit, as communication is crucial for an audit to be effective. The constructive and cooperative approach taken by our staff has helped to dispel the negative connotations that the word "audit" conjures up. We see ourselves as partners, not rivals, of those that are audited.
Audits can last a few hours or can take many weeks to complete, depending on the size of the operation and the scope and objectives of the audit. The day-to-day activities of the department being audited should incur only minimal interruption during this time. Much of the audit work is completed outside of the department, therefore direct contact with departmental employees is not necessary throughout the entire audit process.
Most internal audits completed at the University of Rochester go through five major phases: Scheduling, Planning, Field Work, Audit Report, and Follow Up.
The Director of University Audit prepares an annual plan of audits that are intended to be completed. This is used as a framework for our detailed work. Of course, there are often projects that we undertake that were not anticipated when the annual plan was created. Audit projects are identified in a number of ways:
- Risk—Based on assessment of various risk factors, including financial, public relations and compliance issues, we will schedule projects to ensure that there are sufficient controls in place to ensure exposure to the risks is minimized.
- Request—Audits are often requested by management, officers or the Audit Committee of the Board of Trustees.
- Urgency—Urgent issues like suspected fraudulent activity do not warrant future scheduling. These issues are reviewed immediately.
In the planning phase, audit objectives are defined and the audit techniques to be used are determined. A preliminary meeting is scheduled with the area to be audited. The audit team and the department discuss the purpose and objectives of the audit and any concerns the department may have that should be included in the audit. The audit team performs a risk assessment of the department, analytically reviews the department's ledger accounts and designs audit techniques that will be implemented to accomplish the audit objectives. An audit program is prepared to serve as a detailed plan of action for the audit.
The auditor then completes the measurement and evaluation phase of the audit, referred to as the field work. During the field work, the auditor accumulates and appraises information, including the strengths and weaknesses of internal controls and compliance with University policies and government regulations. Testing of departmental records is completed as deemed necessary, to enable the auditor to form an opinion and to make any needed recommendations for improvement. When the field work is completed, an exit conference is held with appropriate management, to review the audit findings, comments, and recommendations. Progress meetings are informally held throughout the audit process to keep the administrator advised of any significant findings as they arise.
The final result of every audit is a written report to senior management that details the objectives of the audit, significant audit findings and recommendations for improvement. We request that appropriate management provide a written response to all findings that recommend corrective actions. Management's detailed plans for addressing audit findings are incorporated into the final audit report that is distributed to senior management.
An annual report of all audits conducted by University Audit is prepared by the Director. Significant findings, audit conclusions and management comments are discussed. The Director meets with the Audit Committee of the Board of Trustees two to four times per year to review the activities of University Audit.
Within a reasonable time after completion of an audit, a follow up review is completed. The objectives of a follow up review are to determine whether recommended procedures have been implemented and that expected results are being achieved.