The Audit Process
Each year the System Audit Office prepares an Annual Audit Plan. Audits are selected through a risk assessment process that focuses on areas of greatest risk and opportunity for improvement in areas such as internal control, cost savings, revenue enhancement, and increased efficiency. Additional audit areas are selected based on management requests, external requirements, and legislative focus. At the beginning of each audit engagement, meetings are held with management to discuss the scope, objectives, and timing of the work to be performed.
Audits are performed in four phases:
- Planning involves research performed to assess risks and determine existing controls in place. Most often, the audit team requests that the auditee submit an Internal Control Questionnaire, used to determine the level of internal control in place. In addition, the team may conduct interviews, flowchart processes, and review other documentation in order to obtain a complete understanding of the audit area and finalize the scope and objectives of the engagement.
- Fieldwork generally involves testing and evaluating the functions being audited. The audit team will determine whether controls are adequate and whether operations are conducted in an efficient and effective manner. Sufficient evidence will be developed to support audit observations and recommendations may be made for improving processes.
- Reporting begins with a draft report that is discussed with management at an exit conference near the conclusion of the audit. During this meeting, the audit team reviews and discusses all findings to reach agreement on steps needed to enhance operations or correct any deficiencies. The final report includes details of the audit findings, including any recommendations, and management's response.
- Follow-up is a periodic review in which the progress and implementation status of agreed-upon recommendations are assessed and verified.