The Audit Process
The audit process has four phases, each one requiring the involvement of our audit clients. During planning we work with you to understand and learn about your area so that we can evaluate the processes and controls currently in place. Fieldwork consists of specific testing scenarios or steps to identify areas for improvement. Communication of our results takes place through a transparent reporting process and finally, follow-up, is where we come back to you after a determined period of time to reassess the progress made against the agreed upon management action plans.
The most important items needed from the client for a successful audit are cooperation and good communication with the auditor. Here are some specific examples of what the client can do to facilitate the audit process:
- Schedule personnel for audit activities such as interviews, observation, or walkthroughs;
- Make the pertinent data, records, and technology resources available to the auditor;
- Review preliminary findings and provide written responses regarding corrective actions and specified time frames;
- Establish and maintain required controls;
- Share your concerns with the auditor;
- Review the audit objectives and scope presented for your area, and ask questions if you don't understand why certain activities have been included or excluded;
- Be proactive, monitor and report progress of your corrective actions to the auditor.
How Can We Help You?
The Office of Internal Audit has a staff of professionals with the education, experience, and credentials to make a positive impact in your area.
- We have experience from a variety of corporate and not-for-profit industries.
- We possess advanced degrees, professional designations, and licenses.
- In order to maintain our professional certifications and stay up-to-date on the latest issues impacting the university, we attend continuing education programs at both the national and local level.
Our recommendations are designed to help you manage your operation more efficiently, resulting in a more effective use of resources. This might include alternate ways of approaching a problem based on our encountering similar situations in other areas. As a result, we can identify strengths and weaknesses in processes quickly and make practical recommendations. This will save you time and money on a variety of matters, and ensure that your operation is based on sound business practices and is in compliance with university, Board of Regents, and State policies, procedures, and regulations.
We work closely with university leadership and a variety of other internal entities. This access, along with our experience, provides us with a broad prospective which we can employ to benefit your operation.
Types of Audits
Operational - Comprehensive reviews of an office, program or process to evaluate fundamental business practices to ensure there are adequate internal controls as well as operational efficiency and effectiveness.
Compliance - Measure adherence with:
- Iowa State University and Board of Regents policies and procedures.
- State and Federal laws and regulations.
- NCAA Bylaws.
- Sponsor grant and contract requirements.
- Donor restrictions on use of funds.
Investigative - Identify the facts and circumstances of possible fraud or misappropriation of the organization's assets.
Information Systems - Analyze the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of data and programs on computer and communication systems.
Why Was My Department Selected For An Audit?
The annual audit plan is primarily developed using a risk-based methodology. It includes input from the university community, and considers various factors such as: financial impact, required regulatory or legal compliance, complexity of environment, technology, and prior audit experience. Management requests standard annual audits and unanticipated projects round out the plan. While we want to visit as many departments as possible, because of our risk based approach, some areas will be audited more frequently than others.
What are "Internal Controls"?
Internal controls are nothing more than policies or procedures put in place to safeguard an asset, provide reliable financial information, promote efficient and effective operations, and ensure policy compliance. For example: When you came to work this morning did you lock the doors to your house? If so, that's an example of an "internal control" you used to protect the assets you own. Generally there are three types of control:
- Preventative Controls - are designed to discourage errors or irregularities from occurring. For example: Processing a requisition only after it has been approved by the appropriate personnel.
- Detective Controls - are designed to find errors or irregularities after they have occurred. For example: Reviewing the monthly tranactions for your area's accounts in WebFM.
- Directive Controls - are designed to encourage a desirable event. For example: Written policies and training seminars assist in the accomplishment of area goals and objectives.
What will the auditors need from me?
The main items needed from you for a successful audit are cooperation and communication with the auditor. Here are some specific examples of what you can do to help the audit process:
- Supply all requested information on a timely basis.
- Share any internal control concerns you have with the auditor.
- Review the audit program presented for your area, and ask questions if you don't understand why certain activities have been included or excluded.
- As issues are communicated to you during the audit, begin thinking about potential corrective actions.
- Review the audit report draft and make any suggestions for changes or enhancements either before or during the exit conference.
- Provide a written response to the issues identified in the report, along with who will be responsible for implementing the corrective actions and when they will be completed.
- Be proactive in monitoring the progress of the corrective actions and reporting them.
How long will the audit take?
Audits can last from a few days to several months, depending on the scope and objectives of the audit work. The auditor(s) assigned to your area will give you an estimate of the time they will need to complete the audit, after the planning phase is complete.
Will the audit disrupt my department's everyday activities?
Like any special project, an audit affects the area's routine to some extent. The Office of Internal Audit will make every effort to minimize this disruption and cooperate with you to make the process as smooth as possible.
How is an audit comment reported and to whom?
We use a variety of methods for communicating issues/comments back to you and senior management, including:
- Audit Report comment - Comments in this classification are included in the official audit report, and represent items that are either regulatory/policy/legal violations, or present an unacceptably high level of risk of financial loss or adverse public/political exposure. The audit report is copied to immediate area management, and all appropriate university management up to the level of the President, who receives all reports. The report is also sent to the State Board of Regents, and the Auditor of the State of Iowa.
- Management Advisory comment - These are issues that the auditor noted during field work, but they are either outside the established scope of this audit project or are not of immediate concern. However, if they are not addressed in a timely manner, they could potentially have an adverse impact on the operation of the area in the future. This type of item is communicated to management of the immediate area being audited and at least their supervisor.
- Non-reportable comment - These issues are generally minor in nature or scope, but are items that the auditor encountered and of which you need to be aware. They are communicated only to management in the immediate area being audited.