The audit process is a ten-step procedure as outlined below. Please click through the steps in order to better understand the process.
First, you will receive a letter to inform you of an upcoming audit, which will include a preliminary checklist. This is a list of documents (such as, but not limited to, organization charts, SOPs, technical systems documentation, process flows, and data flow diagrams) that will help us learn about the IT department, process, or system before preparing the final audit plan, scope, and audit program for the audit.
After reviewing the preliminary checklist documentation we will plan the review, conduct an engagement risk assessment, draft an audit plan, and schedule an opening meeting with you.
The opening meeting should include senior management and any administrative staff that may be involved in the audit. During this meeting, the scope of the audit will be discussed. You should feel free to ask the auditors to review areas that you are concerned about. The time frame of the audit will be determined, and you should discuss any potential timing issues (e.g. vacations, deadlines) that could impact the audit. It doesn't take as much of your time as you might expect!
After the opening meeting, the auditor will finalize the audit plan and begin fieldwork. Fieldwork typically consists of talking with staff; reviewing procedure manuals; learning about business processes, system processing, interfaces, access points, and communications technologies utilized; and testing for compliance with applicable university policies and procedures, laws, and regulations, and for the adequacy of internal controls. You should make your staff aware that we will be scheduling meetings with them.
Throughout the process, we will keep you informed, and you will have an opportunity to discuss issues noted and the possible solutions.
After the fieldwork is completed, we will draft a report. The report consists of several sections and includes: the distribution list, the follow-up date, a general overview of your unit, the scope of the audit, any major audit concerns, the overall conclusion, and detailed commentary describing the findings and recommended solutions. You should read the draft report carefully to make sure there are no errors. If you find a mistake, please inform us right away so that it can be corrected before the final report is issued.
Once the report is finalized, we will request your management responses. The response consists of 3 components: whether you agree or disagree with the problem, your action plan to correct the problem, and the expected completion date. For observations or risks for which no corrective action is contemplated, please specifically state in the response that you accept the responsibility for this decision.
A closing meeting will be held so that everyone can discuss the audit report and review your management responses. This is an opportunity to discuss how the audit went and any remaining issues.
The report is then distributed, at a minimum, to you, your manager(s), and UMIT senior executives. We also may distribute an audit survey to the audited unit to solicit feedback about the audit. Feedback is important to us, since it can help us improve the audit process.
Follow-up reviews are performed on an issue-by-issue basis and typically occur shortly after the expected completion date per the management response, so that agreed-upon corrective actions can be implemented. The purpose of the follow-up is to verify that you have implemented the agreed-upon corrective actions. The auditor will interview staff, perform tests, or review new procedures to perform the verification. You will then receive a letter from us indicating whether you have satisfactorily corrected all problems or whether further actions are necessary.