Once a decision has been made to audit a unit (based on the annual risk assessment and after approval of the audit plan), the following are the usual steps in the process:
The unit is contacted, an initial introductory meeting is held, and financial information is reviewed.
Based on the initial meetings and information reviewed, a risk assessment is done to determine where the effort should be concentrated in the review (the scope of the audit).
Audit Services staff will then get a thorough understanding of the activities by interviewing all key personnel in the unit and reviewing relevant documentation.
An assessment of the internal controls and effectiveness and efficiency of the operation will be completed for each activity within the scope of the audit. Examples of internal controls include, authorizations and approvals, safeguarding of assets, segregation of duties, completeness of information, etc.
There will be some testing of records to verify findings.
Findings are discussed with management throughout the audit process and recommendations are made. Management may suggest alternative solutions and these will be evaluated and accepted if they achieve the control needed to mitigate the risk within the University's appetite for risk tolerance.
A draft audit report is prepared for the department managers giving them an opportunity to respond to the findings. Management is required to provide a timely written response to the findings, including an action plan of how the audit recommendations will be handled.
A final report, which includes management responses, is prepared and a copy is given to all senior management responsible for the department (e.g. the Dean , the Vice-Principal & the Principal). The report is also given to the Audit Committee Chair, the University's external auditors, and the Vice-Principal (Finance and Administration). An executive summary of the report, which highlights significant findings, is presented to the Audit Committee of the Board of Trustees.
A timely follow-up, primarily through discussion with management, is completed to ensure that appropriate action plans have or will be taken.