Audit Process Details

Step 1: Identification of Factors Contributing to Business Risk

This is one of the most important parts of any audit process. The Auditor and the Audit Client draw upon the collective resources available to them and comprise a complete list of factors, which could give rise to business risk as it relates to the defined audit objective. They comprise this list irrespective of the likelihood the event could occur or the cost of an unwanted situation. Examples of sources utilized are as follows:

  • Prior work experiences
  • Historical Data
    • Audit 
    • Client
    • Internet
    • Textbooks
    • Periodicals
    • Information Services
  • Flow charting business processes
  • Planned Future Events
  • Policies and Procedures
  • Application System Documentation

The Auditor inputs these factors into the Risk Database.

Step 2: Determination of Probability of Risk and Loss Potential

The Auditor works with the Audit Client to determine the Probability of Risk and the Loss Potential. Two primary assumptions must be made during this process:

  • Probabilities of Risk of Loss - Assume there are no controls in place to mitigate this risk. 
  • Loss Potential - Assume the event occurred without controls and was not prevented or detected during a business cycle.

For simplicity sake probability and loss potential are judged to be either high, moderate, low or none. The Auditor and the Client negotiate these ratings and the Auditor updates the Risk Database. The Auditor provides Executive Management with a complete list of business risk and evaluations prior to the beginning of the documentation and evaluation of controls. They can and should provide input, as they deem necessary, prior to the start of the audit. 

Step 3: Documentation of Mitigating Controls

The Auditor makes inquiries of the Clients personnel regarding controls in place to prevent or detect unwanted situations. The Auditor should also be concerned with controls in place to correct situations detected by the control system. Information to be collected regarding the control system includes the following:

  • Detail description of the control procedure
  • Person(s) performing the control procedure
  • Frequency the control procedure is performed
  • Documentation maintained evidencing the control procedure was carried out
  • Policies and procedures related to the control procedure
  • Extent of any Supervisory level review 
  • Person(s) performing Supervisory review
  • Frequency of Supervisory review
  • Documentation maintained evidencing the Supervisory review was carried out
  • Detail description of application system control and references
  • Identification of Application System and Version in use
  • System Documentation evidencing control procedure
  • Business Continuity Plan References

The Auditor inputs this information in the Risk Database.

Throughout this phase of the process the Auditor should be cognizant of system enhancements which could improve operational efficiency. Opportunities typically exist where information is passed between departments or control processes do not take advantage of current technology.

Step 4: Evaluation of Control Design

The Auditor makes a determination regarding how well management has designed the control system to mitigate loss to an acceptable level. This is a subjective process which should take into account the probability of loss and loss potential which has been agreed upon in Step 2 above. If deficiencies are noted the Auditor should document the following information:

  • Narrative description of the problems noted
  • Relative significance of the problems
  • Individual who is accountable for correcting the problems *
  • Date the corrective actions will be taken *
  • Narrative description of corrective actions which will be taken *
  • Date the corrective action occurred *

* This information will be determined in Step 7 - Exit Conference

All information collected must be input in the Risk Database. If the Auditor feels management is unnecessarily accepting a high degree of risk, the Audit Client should be notified immediately and corrective actions implemented. 

Step 5: Audit Testing

This phase of the Audit process requires the Auditor to design testing procedures. Audit tests should be designed to ensure key control procedures effectively prevent, detect, or correct errors and/or irregularities. Tests should include procedures to ensure compliance with applicable federal and state laws and university policies. All testing should be documented in accordance with industry and university procedures. 

Step 6:  Draft Report

The Auditor should draft a report at the conclusion of Step 5, which identifies significant risk issues. The report should identify the scope of the audit, present an overall conclusion regarding the control environment, summarize the operating environment being evaluated and provide detail explanation of significant risk issues requiring corrective action. This report should be forwarded to the Audit Client and an exit conference scheduled.

Step 7:  Exit Conference

The Auditor and the Audit Client should discuss the draft report to ensure:

  • The accuracy and clarity of its contents,
  • Attempt to establish consensus regarding:
  • Risk issues identified
  • Corrective actions taken or planned 
  • Individual(s) accountable for correcting the problems 
  • Date the corrective actions will be taken or are planned

The Audit Client should draft responses for inclusion in the final report detailing their opinions regarding the risk issues and corrective actions. In rare situation,  there may be professional differences of opinion regarding  risk issues or controls. The Auditor should make any additional comments considered necessary to ensure the report presents all points of view.

Step 8:  Final Report

The final report is signed by the Audit Client and the Auditor and sent to the President for his review and comments. Final reports include an attachment of business risk considered during the course of the Audit. Copies of all reports are given to the Chief of Staff and she is briefed regarding the report.

All audit reports are discussed with the Audit Committee at regularly scheduled meetings. Additionally, findings from prior audits are reported to the Audit Committee until corrective actions have been implemented. Status reports related to outstanding risk issues are also provided to the Audit Committee.