Each year the Internal Audit Director reviews the audit plan. Audits are selected through a risk analysis process to concentrate on areas of greatest risk and opportunity for improvements. Audit areas are also selected based on requests from the Audit Committee, Board of Trustees, Executive Director, and management.
Audits are performed in four phases:
- Survey and research: Completes the Internal Auditor's understanding of the audit area and finalizes the audit's scope and objectives. The Internal Auditor may develop potential points for improvement.
- Fieldwork: The audit activities related to identifying, testing, and evaluating key controls of the functions under audit. In this phase, the Internal Auditor develops adequate evidence for audit observations and recommendations.
- Reporting: A written audit report summarizing observations made. After agreement is reached on the observations, a final report containing the audit results is issued. The area under audit will issue a response to the recommendations, if applicable, within 14 days of the audit report's issuance date.
- Follow-up: A periodic review with management to assess the progress of agreed upon improvements.
The audit report process consists of four phases:
- Discussion Draft: The Division of Internal Audit will provide a discussion draft of the audit report to the division/area audited.
- Formal/Final Report: After making revisions to the discussion draft report, the formal report will be issued to the division/area audited, the Executive Director, and the applicable Chief Officer.
- Division/Area Response: The division/area must submit a written response to the formal report's recommendations, if applicable, within 14 days of the report's issuance date. The written response should be delivered to the Internal Auditor.
- Copy to Audit Committee: The final audit report, along with the written response to the recommendations, if applicable, will be presented to the Audit Committee of the Board of Trustees.
Benefits of an audit include:
- objective assessment of areas of interest to the Audit Committee and management;
- confirmation that controls and procedures are satisfactory;
- identification of deviations from policies and procedures or management's standards and expectations;
- identification of controls that need improvement;
- recognized improvements to accounting controls to prevent and detect problems;
- ideas to eliminate redundant and burdensome controls;
- identification of productivity enhancements;
- recognized opportunities to automate procedures;
- confidence in the use or design of electronic data processing systems; and,
- early detection of problems before they come to the attention of others.