What happens during an audit?
People can be concerned about "being audited". Internal Audit Services (IAS) does not set out to find fault when we perform an audit. We aim to identify risk and control issues and to work with you to find cost effective ways of addressing those issues.
IAS has a structured approach, which follows professional audit standards designed to keep you informed of what we plan to do and what we find. We use a variety of audit techniques and will discuss options with you before we start fieldwork.
A typical audit would involve a member of IAS arriving on the first day having agreed the scope of the review in advance i.e :
- What we are going to audit and why;
- How long we believe the audit will take and who is to undertake the work;
- What will happen at the end of the review.
Our work will involve talking to some, or all, of the people involved in the function we are auditing. This is to find out how the job is done and the sort of records kept. We record the information to help us understand how the system operates and then assess the risk and control environment and how it is operating. We may have to come back more than once to ask other questions or clarify points but this process minimises the time we have to spend during the detailed audit process.
As part of the audit process IAS needs to make sure the system is operating effectively and efficiently. We will generally examine records and files, looking at both operational and financial aspects. In particular, we may look at your processes to see how they assist in mitigating the risks specified on the corporate risk register, as appropriate. As part of our work we may also look at system outputs including such things as purchase orders, customer bills, management reports and accounts to make sure they are correct, agree with supporting documentation and support your business objectives.
Compliance with rules and regulations:
We ensure that systems are operating on accordance with University policies, Financial Regulations , financial policy and procedures and other laws or regulations.
Conclusion of review:
At the end of the audit we will form an opinion on the effectiveness of the controls that operate and make recommendations for improvements. We will discuss each point with you during the audit or at the closing meeting and agree specific actions that you will take to address the issues identified.
We will, normally within four weeks of the completion of our fieldwork, issue a draft report.
We ask that you provide a written management response to our points setting out the actions that you will be taking, the person who will be responsible for the action and a date by which the action will be completed. We ask that you finalise the responses normally within four weeks of issue of the draft report. We are happy to meet with you to discuss the report and your responses.
The report will then be formally issued to original recipients, other senior management in the area, the University Secretary and summaries will be submitted to the Audit Committee. Key Risk audit reports will also be issued to the Risk Management Group to consider on behalf of the University Executive Board.