Audit Process
During this phase, the team obtains an understanding of the operating environment, processes and related risks of the area(s) under audit. Information is gathered from the introductory meeting(s), interviews, documentation including websites, external references, strategic plans, budgets, etc.
The information gathered during the planning phase enables Internal Audit to establish the preliminary scope and objectives. The Audit team prepares a formal risk assessment and an Audit Program to review the unit’s existing procedures and controls which relate to the risks identified. Using this risk-based approach, the auditor ensures the review is focused on the significant risks.
An engagement memorandum is produced to confirm the background, key stakeholders and report distribution list, scope and timing of the engagement. This document also is commitment from Management to abide by the principles of the audit.
Key outputs from this phase include: Engagement Memo, Risk Assessment and Audit Program
During this phase, the team executes the Audit Program, which include procedures to (a) determine the adequacy and effectiveness of procedures and controls for managing the significant risks identified, (b) assess compliance with University and external policies, and (c) identify opportunities for improving the efficiency and effectiveness of the unit’s processes and controls.
Audit procedures performed in this phase typically include interviews with staff, walkthroughs of key processes, examination of the unit’s records and supporting documentation, analytical reviews, and testing of a sample of controls and transactions.
Regular meetings are held to provide an update on the progress of the audit as well as discuss any preliminary findings to confirm the factual accuracy of the finding.
Key outputs from this phase may include: Interim reports and/or other presentations
Once fieldwork is complete, the team holds a closing meeting with Management of the audit area(s) to review and discuss the audit findings and recommendations. Following the closing meeting, the Internal Audit team prepares a draft report, taking into account any clarification resulting from the closing meeting.
Following receipt of the draft report, Management is given 5 business days to provide timely management commitments to remediate the identified findings. Management commitments must include: (a) an action plan of how the recommendations will be implemented, (b) when it will be implemented (timing), and (c) who is responsible for the implementation. Once Management responses have been received, the Internal Audit team will incorporate the responses into the draft report, creating the final report.
The final report is distributed as per the engagement memorandum and to other appropriate members of the University's Senior Management. The report is also distributed to the Audit Committee of the Board of Governors.
Key outputs from this phase includes: Draft Report, Final Report
Once the final report has been issued, the team is required to review the file and ensure all documentation is archived as per our internal document retention rules. All final reports are preserved as per University Archives records retention rules.
During this phase, the Office of the Internal Auditor will also submit a questionnaire to the key stakeholders to encourage client feedback about the engagement.
The objective of the follow-up phase is to ensure that Management actions have been effectively implemented according to the timelines agreed to in the final report.
Reports on the progress of the remediation of identified issues are provided to the Audit Committee of the Board of Governors.
Note: The Office of the Internal Auditor will use its discretion to determine the extent of testing needed to validate the proper remediation of issues.