Audit Process

The audit process consists of the following 4 phases:

 

Planning

During the planning phase, contact with audit clients is initiated and relevant background information is gathered to gain an understanding of the audited area’s size, responsibilities, and procedures in place.  Also in this phase, audit objectives are defined and audit methodology is determined through the creation of an audit program, which is the blueprint for conducting the audit and accomplishing the audit objectives.  In most cases, a risk assessment of the department and/or function will be performed to help ensure appropriate areas are included. 

Notification Letter – With few exceptions, audit clients are notified in writing when their area is selected for an audit; however, due to the nature of some audit work, little or no advance notice may be given.  This letter is sent to the executive officer of the area being audited as well as the appropriate individuals, such as the Dean, Chairperson, or Director.   Occasionally, a preliminary questionnaire and/or a list of documents that will help the audit team gain an understanding of the unit or function will be provided at this time.

Entrance Meeting – Depending on the type of audit and the amount of audit work planned, an entrance meeting may be scheduled with the head of the unit and any administrative staff that may be involved in the audit.  In-person meetings are preferred, but the meeting may be held by telephone or other means if necessary.

At the Entrance Meeting, the following will take place:

  • The objective(s) and scope of the audit will be discussed
  • Audit methodology and the reporting process will be explained
  • Estimated timing and resource requirements will be identified – any potential issues (vacations, deadlines, etc.) that could impact the audit should be brought up at this time
  • Any questions about the audit or process will be answered

Input regarding risks and concerns that should be included in the audit is encouraged and is an important part of this meeting and the planning phase.

Fieldwork

The evaluation phase of the audit is referred to as fieldwork.  This phase includes assessing the adequacy of internal controls and compliance, testing of transactions, records, and resources, and performing other procedures necessary to accomplish the objectives of the audit.

It may be necessary for the audit team to conduct interviews with departmental personnel and to review departmental records and practices; however, efforts will be made to minimize disruptions and cooperate with audit clients to make the audit process as smooth as possible.

The duration of an audit varies depending upon its scope; limited scope audits may take only a week or two while broad scope audits may take several months.  In addition, access to personnel and records and the timeliness of responses to audit requests may also affect the duration of the audit.

Throughout the audit, audit clients will be informed of the audit process through regular status meetings and/or communications.  The audit team makes every effort to discuss audit observations, potential issues, and proposed recommendations as they are identified.  In some instances, it is necessary to work directly with audit clients to determine or validate the root cause and discuss ways to eliminate the root cause.

Reporting

The final result of every audit is a written report that details the audit scope and objectives, results, recommendations for improvement, and the audit client’s responses and corrective action plans.

Draft Report – Audit reports are typically prepared in draft form and distribution is initially limited to the immediate manager of the area so it can be reviewed prior to further distribution of the audit report. 

If recommendations are made, written responses detailing the following are requested of the audit client:

  • A corrective action plan to resolve the problem and its root cause,
  • The person responsible for implementing the corrective action, and
  • An expected implementation date. 

These responses will be included when the final audit report is distributed to the appropriate level of University administration.  Priority level issues and recommendations are reported to and tracked by UT System until implemented.

Exit Meeting – If necessary, an exit meeting will be held to provide an opportunity to resolve any questions or concerns the audit client may have about the audit results and to resolve any other issues before the final audit report is released.  Those attending usually include the audit team, management of the audited entity such as the Dean, Chairperson, and Director, as well as others that the audit client wishes to invite.

After the exit meeting and once the audit client has provided responses and comments, the draft report is distributed to the Vice President, Dean, and other levels of executive management responsible for the department or function for review and comment before the final report is issued.

Final Audit Report – The final audit report is addressed to the University President and copies are provided to appropriate levels of University management, the Board of Regents, the UT System Audit Office, and required state agencies.

Follow-up

There will be occasions when corrective actions to resolve an audit issue will not be accomplished until after the audit report has been finalized.  In these cases, follow-up will be performed on the previously reported recommendations to determine whether corrective action plans have been effectively implemented and whether expected results are being achieved.  Depending on the severity of the audit issue, follow-up activities could include interviewing staff, reviewing updated procedures or documentation, or re-auditing the processes that originally led to the audit issue.

A summary of the status of all open findings is presented at each quarterly Institutional Audit Committee (IAC) meeting.  If action plans are not completed by the expected date of implementation, a letter must be sent by the responsible individual to the IAC explaining why the date was not met and when the action will in fact be completed.  If the date is missed a second time, the responsible individual must provide an explanation to the IAC in person.
