Audits and advisory services are used to evaluate the adequacy and effectiveness of controls in responding to risks within the university’s governance, operations, and systems regarding the:
Audits are typically based on one or more of the following six objectives:
Audits are selected based on a risk assessment of the university. Areas with higher risk are those with a larger volume of transactions or potential for fraud risk, past internal control concerns, complex operations, significant impact on university operations or the strategic plan, greater potential for negative publicity, significant changes in management or organizational structure, and extended time since last audit.
The audit begins with planning the audit and meeting with management at an entry conference. At the meeting, we explain the audit scope and objectives, discuss the timing of the audit, and ask about any concerns of management. The auditor next obtains background information, reviews applicable regulations, and discusses with management the area's mission, objectives, and higher risk issues.
In this phase of the audit, the auditor meets with staff and management to understand the unit's procedures and internal controls. The auditor identifies controls that reduce risk, as well as any missing controls.
The auditor tests a sample of transactions, with emphasis placed on higher risk items to verify that controls are functioning as intended or determine where improvements are needed. Audits of revenues and expenditures typically include tests of revenues, purchases, PCard purchases, property, travel, and payroll.
The auditor first meets informally with management of the area to discuss probable report comments to ensure the comments are accurate and that the recommendations are feasible. Then the report is drafted and sent to management for review prior to discussion at the exit conference.
The final report reflects changes discussed at the exit conference as well as management's plan for corrective action. The report is officially addressed to the University President, with copies to applicable administrators and to the Board of Trustees.
We follow-up with management to determine whether the recommendations were successfully implemented. To perform the follow-up, the auditor enquires about progress in implementing the recommendations and may test transactions related to new or redesigned controls.