Audit Process
What to expect during an audit
The most successful audit projects are those in which you, the audit client, and Internal Audit have a constructive working relationship. The objective is to have your continued involvement at every stage, so you understand what is being done and why, while trying to minimise disruptions of your daily activities.
A typical audit is comprised of the following four stages:
| Planning | Receive announcement communication Hold scoping meeting Review audit scope and objectives Address management concerns and finalise audit Terms of Reference |
| Fieldwork | Review policy/process documentation Interview relevant staff Conduct audit test work of processes and controls Communicate throughout on audit progress and potential findings |
| Reporting | Conduct closing meeting with management to discuss observations and recommendations Issue draft report to function/department management and request response to recommendations Issue final report to function/department and senior management with management response included Request management to provide feedback on the internal audit process |
| Follow up | Internal audit to contact the function/department to obtain an update on report recommendation progress Additional inquiry or testing may be performed. |
Planning
During the planning phase, we notify you of the audit through an announcement letter. An auditor will contact you to set up an audit planning meeting. The purpose of the meeting is to discuss the audit process and review the scope and objectives of the audit (‘terms of reference’), discuss any concerns or suggested scope items, and discuss risks inherent to the function/department.
Fieldwork
In this phase the auditor gathers relevant information about the function/department being audited in order to obtain a general overview of operations and internal controls and performs transaction testing (if applicable). The auditor then determines whether the controls identified are operating properly and in the manner described. These procedures usually test the major internal controls and the accuracy and propriety of the transactions.
As the fieldwork progresses, the auditor will discuss any significant findings with the function/department, with the aim being that the audit client can offer insights and work with the auditor to determine the best method of resolving findings. Upon completion of the fieldwork, the lead auditor will summarise the audit findings, conclusions, and recommendations and review them with the key contact(s) in the function/department.
Reporting
Internal Audit’s principal product is the final report in where they express their opinions, present the audit findings, and discuss recommendations for improvements. After the fieldwork is completed, Internal Audit will meet with the function/department’s management team to discuss the findings, conclusions, and recommendations. The auditor prepares a draft report, taking into account any revisions resulting from the closing meeting and other discussions. The report consists of several sections and includes: the distribution list, scope and objective, overall assessment, and internal audit findings and recommendations and management’s agreed actions. The draft audit report is shared with management of the function/department being audited for their review and comment and copied to the Head of Risk, Compliance and Assurance / Director of Assurance for information. The function/department management then provide written responses to the draft report comments, indicating how and when the agreed actions will be implemented. It is very important you are clear on what the recommendations are and are comfortable you can implement them in the timeframes suggested as this is what the follow-up will be based on and completion of agreed actions is reported to Audit & Scrutiny Committee.
Once the management responses have been received, Internal Audit incorporates the responses into the draft report, before sharing this with the senior management sponsor of the audit for review including the Director (or equivalent, e.g. Divisional Registrar) responsible for the function. A final version will then be submitted to the Audit & Scrutiny Committee, with copies sent to the senior management sponsor of the audit for review including the Director (or equivalent, e.g. Divisional Registrar) responsible for the function, Head of Risk, Compliance and Assurance and Director of Assurance. Following the acceptance of reports by the Audit and Scrutiny Committee, executive summaries are also uploaded onto the intranet here and any lessons learned of broader applications will be shared with relevant parties.
This report is primarily for internal University management use. All audit information should be treated as confidential and is reported only to those within the University who need to know.
Finally, the functions/departments who have been audited are asked to provide feedback on Internal Audit's performance to ensure an optimum service is provided.
Audit Follow-Up
Internal Audit will follow-up to verify the agreed recommendations from the final review have been implemented in the designated timeframe. This can range from answers to update questions, to isolated document reviews or systems testing, or a follow-up audit. The University is currently using the platform TrAction to manage follow up, with action owners providing a status update and evidence of closure directly in TrAction. See user guidance for TrAction here.
In exceptional circumstances, the function/department may need to seek an extension to the completion date. Extensions will be managed by the Head of Risk, Compliance and Assurance, and reported to the Assurance Management Group, with a report to the Audit & Scrutiny Committee if required.
Get in touch
For queries about Risk, Compliance and Assurance, including internal audit and the Audit and Scrutiny Committee, please contact the Head of Risk, Compliance and Assurance
