IACS staff conduct assurance audits of individual units and processes as part of the annual audit plan. Assurance audits typically follow a four-phase process from planning to following up. Reviewing the details of the steps in each phase will guide you through the audit and may remove uncertainty about the process IACS follows.
The audit process begins with an opening conference, in which IACS staff meets with the head of the department to discuss the scope and objectives of the audit. The department head has the opportunity to invite any necessary support staff, and to raise any concerns or issues that should be taken into consideration for the audit.
To determine more specific areas to focus the audit, IACS staff may review the Risk Discussion Questionnaire with the department head. For certain audits and departments, IACS staff may also review applicable Internal Control Questionnaires, which cover specific controls relating to revenues and receipts, payment card data security, and inventory for resale.
Field work is typically the longest phase of the audit, as IACS staff will be gathering additional information and data, testing sample transactions, interviewing key personnel, and reviewing departmental policies and procedures. The extent and nature of the field work varies depending upon the scope and objectives of the unique audit.
IACS is committed to no surprises. Staff discuss any audit findings and recommendations for improvement throughout the process to verify accuracy.
Draft Audit Report
IACS prepares a draft audit report that includes any background information, a summary of findings, and any recommendations for improvement. IACS sends this draft report to the department head, and schedules an exit conference to discuss in person.
IACS staff once again meet with the department head and other support staff on occasion to review the draft audit report. This provides the opportunity for clarification prior to the final report being issued, if needed.
During the exit conference, the Chief Audit Officer of IACS asks management to provide a written response to any recommendations, which is included in the final report.
Within five business days of the exit conference, the department head provides IACS with a written response to each recommendation for improvement. Each response must include the following and should include any other information necessary to support your response:
- Whether the department head agrees with the recommendation
- What action will, or has been taken to address the recommendation
- When the action is expected to be completed
Reports that do not include any recommendations for improvement typically do not require a written response from management.
Final Audit Report
The Chief Audit Officer issues the final audit report to the department head's direct report. IACS adds written responses from management to the final report before it is issued. The head of the department, the Senior VP for Finance and Business Services, the Chair of the Finance and Audit Committee of the Board of Trustees, and any other appropriate persons all receive copies of the final report.
At IACS's request, it is often necessary for the department head to provide a status report (at an agreed upon date) regarding the action taken to address any recommendations for improvement. This status report allows for both planning a follow-up audit and keeping the Finance and Audit Committee of the Board of Trustees up-to-date on internal audit activity.
IACS schedules a follow-up audit to determine if appropriate action has been taken to address any recommendations for improvement. Typically, the timing of the follow-up audit is based on management's original response to the recommendation as well as any status reports. Upon completion of the follow-up audit, the Chief Audit Officer issues a follow-up report to those receiving the original report. Follow-up audits continue until appropriate action has been taken to address all recommendations.