Most audits will be completed in the following general stages:
Designate an employee as audit liaison for the unit. In most cases, this would be the department manager or supervisor. This person will be responsible for primary contacts with the auditors and ensuring proper coordination of activities including provision of records and information.
Know the contacts in the University offices. If initial contact is by external auditors, units are required to contact Internal Audit as soon as feasible. Internal Audit may request to be present at entrance conference or planning meetings. Additional units to be contacted in the event of an audit would include the department/unit administrator, area finance office, and the General Accounting Office (for coordination of centralized process review).
It is important from the outset of the audit to be organized and demonstrate a positive and cooperative attitude. Have the auditor explain why your department was selected for audit. Clarify the audit objective and scope (areas to be tested and period covered by audit). Discuss the results of prior audits or concurrent audits as this may limit the scope of the current audit. Understand the audit and reporting process and determine who will receive audit reports.
Determine staffing and space requirements (auditors will frequently request space to work and access to phone and/or network connections). Identify timelines (beginning and end of fieldwork, report date, etc.). Know contacts in the auditor’s office. Consider giving the auditor a tour of your facilities and introduction to employees with responsibilities key to identified audit scope.
The audit liaison should keep the audit focused, be organized, facilitate the audit, keep constant communication with the auditor, resolve audit issues as soon as they are brought to the department’s attention, keep all parties informed on the progress of the audit and, when possible, attend meetings between the auditors and employees (the department should respect an employee’s wish to meet with an auditor alone).
Keep informed of issues throughout the audit. There should be no surprises at exit meetings or when the final report is received. Ensure an exit meeting is held; this is an opportunity to verify facts and respond to the audit report. Be sure to invite key administrative employees to the exit meeting (generally the same invite list as the entrance meeting). Internal Audit will also want the opportunity to attend the exit meeting. Once an audit report or memorandum is received, the department should take immediate corrective action to resolve the issues.
Management is required to provide a response to audit findings, which should include whether you agree or disagree with the findings (remember the exit meeting is an opportunity to verify information and ensure findings are not a result of miscommunication or misunderstanding of processes), a corrective action plan and target date for implementation. It is important to ensure coordination with Internal Audit in the development of a corrective action plan prior to finalizing and issuing audit responses. Understand the follow-up process – auditors will follow up on audit findings in the next cycled audit or in a specified period. Follow-up includes auditor determination that corrective action has been implemented and is adequate to resolve issues, and no new risks are presented as a result of the actions taken.