|
The Audit Process
On an annual basis, the university auditor completes a risk assessment,
which forms the basis for a strategic audit plan. Annually, the university
auditor presents an audit plan to the Board of Trustees, which includes all
audits for the coming year. The most successful audit projects are those in
which the audit team and auditee consider themselves as consultant and client.
Understanding and applying this concept tends to foster a more constructive
working relationship and can result in improved operations for the department
under review. Although every audit is unique, similarities can be found in
each one. The typical audit process consists of:
Planning
Prior to meeting with the client, the internal audit team discusses the
upcoming audit. If the area has been audited previously, we review the file
to re-familiarize ourselves with the unique operations of that unit. Any new
developments that may have occurred since the last audit are reviewed and
discussed. The area's recent financial transactions may be extracted and
reviewed, as well as other information such as policies and procedures. With
this information, the audit team produces a set of audit objectives.
Entrance Conference
The entrance conference provides the opportunity for the audit team and client
to discuss the scope and schedule for the audit. We schedule a mutually
agreeable time for the entrance conference, which is held at the client's
location. At the meeting, the audit team outlines audit objectives, approximate
time schedules, types of auditing tests, and the process of reporting. Entrance
conferences are typically held with chancellor’s office management at the start
of each new audit subject area, as well as with campus management at the start of
fieldwork on each campus.
We make an effort to minimize any disruption of regular departmental routines
and avoid seasonal busy periods. The client may designate a member of the
department staff as the primary contact person for audit team questions and
assistance. Any areas of concern the client would like to have reviewed by the
audit team should be brought up at this stage.
Fieldwork
Preliminary Survey - In the next phase of the process, the audit
team gathers additional information about the client's operations. If the unit has not
previously been audited, this is a significant effort. The audit team also
reviews any changes in operations since the last audit. Key personnel are
interviewed; and CSU policies, Trustee policy, state/federal regulations, and
other relevant guidance are reviewed to produce a plan for the rest of the audit.
This work typically results in narratives, flowcharts, document samples, and a
detailed program of audit steps. The detailed audit program is typically
produced by the supervisor-in-charge and includes a corresponding internal
control questionnaire and document request. At the campus level, the preliminary
survey primarily consists of client completion of the internal control
questionnaire and document request. This survey helps evaluate internal
controls related to the recording of business transactions, safeguarding
university assets, compliance with university policies, and promotion of
operational efficiency. If the audit team finds adequate internal controls
and sound operating procedures in place, they will proceed to the transaction
testing stage. However, if the audit team detects a significant internal
control deficiency during the survey stage, an audit finding is written
immediately.
Transaction Testing - The purpose of transaction testing is
to examine documents and other records for evidence that the internal controls
described in the preliminary survey stage are actually in place and functioning
as intended. When we find such evidence on a sample of transactions or records,
we conclude that established procedures are being followed and the level of
compliance with internal controls is adequate. When a strong system of internal
controls is in place and followed, we are confident that the data generated by
the transactions can be relied upon as accurate and that administrative policies
are being carried out.
Audit Findings - The audit team may find one or more
opportunities/deficiencies during the course of a typical audit. They will
bring all potential audit findings to the client's attention as they are
identified to ensure that the audit team has been provided with all the relevant
facts. At the end of the fieldwork stage, the audit team informally reviews all
findings with the client.
Exit Conference
At the exit conference, the draft report is discussed with client administration.
Any findings determined to be of a minor nature will be deleted from the report,
but will be included in a letter of minor findings submitted to the client along
with a revised report. A "Client Satisfaction Survey" will also be given to the
highest-ranking member of the client administration in attendance at the exit
conference.
Reply to Report
After the exit conference, the official transmittal to the client (i.e., campus
president or vice chancellor-in-charge) consists of the incomplete draft report
and, if needed, a formal report of minor findings. Within 30 days, the
campus/chancellor’s office must respond only to the recommendations in the
draft report. The 30-day reply period begins on the date the letter and report
are submitted to the campus president/vice chancellor-in-charge. All replies
must include a corrective action plan with a time estimate for completion for
each finding.
Acceptance of Audit Report
The responses will be included with the audit report and forwarded to the
chancellor with the university auditor's recommendation for acceptance. Once
accepted by the chancellor, a final campus report is individually bound and
forwarded to the campus president/vice chancellor-in-charge; at this point, the
report becomes public. Periodically for FISMA reports, and at the end of all
other report cycles, bound reports are forwarded to the Board of Trustees,
Department of Finance, Budget and Audit Divisions, and the Joint Legislative
Budget Committee.
Follow-Up
The client will communicate to the university auditor in writing on the
progress made in implementing corrective actions noted in the audit report.
The university auditor or designee will review the responsiveness of the
corrective action taken and determine whether additional action may be required.
In certain instances, it may be necessary to revisit the campus to ascertain
whether the corrective action taken is achieving the desired results; however,
as a rule, we ask the client to provide appropriate documentation to support the
corrective action. Reports of follow-up activity will be made at each meeting
of the Committee on Audit. This follow-up report is referred to as the “Matrix.”
Note: Clients can report anytime when a particular recommendation has been
completed. |
