The Office of the University Auditor follows a standard process in the conduct of its scheduled audits. The process is intended to be an interactive one; the following will provide information that promotes an understanding of the process and everyone's role in the review.
Each year, the University's Board of Visitors approves an annual audit plan for ¹ÏÉñÍø. The development of this audit plan and the individual audits that will be performed is a multi-step process. This process works as follows:
Ìý
- The first step is a University-wide risk assessment. A risk assessment is a systematic process for assessing and integrating professional judgments about probable adverse conditions and/or events. The process provides a means to organize and prioritize these judgments so that they may be used to assist in developing an audit schedule. The risk assessment provides a long-range guide and source of information for developing annual audit plans.
Ìý - The results of the risk assessment are balanced by other factors, including:
- A desire to coordinate audit work with the Auditor of Public Accounts so that Internal Audit complements their work and does not duplicate it;
- Concerns expressed by administrators, Board members, internal audit staff or other state personnel as to areas that should be audited;
- A desire for audit coverage throughout the University, to include audits in all vice presidential areas and areas never audited before;
- Major changes in operations, programs, systems or controls;
- The time elapsed since an activity's last audit;
- Auditor judgment; and
- Audit work requested or required each year, such as the Commonwealth's Fraud, Waste and Abuse Hotline and various ongoing projects.
Initial contact is made by memo with the appropriate department head or administrator to schedule an entrance conference.
The auditor-in-charge will hold a meeting with the department head/administrator or others affected by the review. The purpose of the meeting is to discuss the audit process, the general scope, and anticipated timing. This is also an opportunity for department personnel to have input into areas that might be reviewed.
- Preliminary Survey:ÌýThe auditor will review documented policies and procedures and interview departmental staff members to become familiar with the department's operations. This step may include the preparation of flowcharts and completion of internal control questionnaires.
Ìý - Fieldwork:ÌýBased on the results of the preliminary survey, the testing to be performed will be defined. The auditor will perform the testing defined and other tests as necessary during the fieldwork stage.
The auditor will hold an exit conference with department personnel. At this meeting the findings from the fieldwork will be discussed and the factual accuracy of this information will be verified. The conference is an opportunity for department personnel to discuss potential action plans to address the findings.
Initial Draft Report
An initial draft will be presented to the department head for review and comment. The department head and auditor are to agree to any necessary changes in the report. The department head will be asked to submit written responses to each finding, outlining the planned action to address the finding, the person(s) responsible and a planned date of implementation. These responses will be incorporated into the draft. SeeÌýResponse ProceduresÌýfor details on responding to an audit report.
Ìý
Second Draft
A draft report, with department responses incorporated, will be issued to the appropriate Vice President for review and comment.
Ìý
Final Report
Once signed off by the Vice President, the final report will be addressed to the President of the University. At a minimum, the appropriate Vice President and department head will receive copies of the final report. Audits reports are presented to the Audit Committee of the Board of Visitors.
Audit follow-up will occur on or near the planned date for completing corrective actions. Our office will contact the department to request the status of actions taken or the status of planned actions. Audit testing will be performed as necessary to determine the extent to which the actions taken address the concerns of the audit point.