How
do you select an area for review?
Audit and Management Services (AMS) performs an annual risk
assessment to ensure that key audit areas at the University
and Health System are examined on a frequent basis. Risk assessment
scores for potential audit areas are updated at the conclusion
of audits or when we become aware of significant changes.
In addition to selected audit areas, the plan also includes
time for special projects. Such projects may be the request
of management or may be performed as a result of suspected
fraud, waste, or abuse.
Back
to top
Why
might I request an audit?
An
audit is an opportunity to receive an independent appraisal
of the effectiveness and efficiency of your area's activities.
If you have recently assumed new or additional supervisory
responsibilities, an audit review can evaluate procedures
to assess whether internal controls in that unit are adequate.
Also, it can be a periodic “checkup” to review
your area’s activities and can help to ensure that your
procedures continue to comply with University policy.
Back
to top
Why
was my area selected for an internal audit?
Annually
AMS performs a risk assessment based on several factors as
well as input from senior University and Health System management.
Consideration is also given to whether the area has been audited
before, how long it has been since its previous audit, and
whether past audit recommendations warrant a follow-up audit.
Due to external factors, some operations receive an annual
internal audit. Other operations may be audited less than
every five years. After
these factors are considered, the audit plan is submitted
to the President for his review and subsequently to the Audit
Committees of the Board of Visitors and the Board of Directors
for their review and approval. The plan remains subject to
change depending on the urgency of issues that may arise during
the year. Items removed from the initial plan will receive
priority when developing the audit plan for the next year.
Back
to top
How
long does an audit take?
An
audit can last from several days to several months. The amount
of time needed varies depending on the scope and purpose of
the audit. The average audit takes 8-10 weeks to conduct.
Back
to top
What
can we do to facilitate the audit process?
First,
document and maintain policies and procedures in easily accessible
manuals. Include all current organizational charts, detailed
position descriptions, and duty lists. Second,
develop an understanding of internal control structures: know
when, why, and how to separate duties; how to cross check
to ensure the accuracy of records; how to keep control accounts
and reconcile data; and how to control automated systems for
data processing. Third,
maintain “audit trails” – the documents
or evidence accompanying and supporting references to transactions
or actions authorized by management. Examples of adequate
audit trails are:
· requiring signature approvals;
· developing efficient forms or, increasingly, computerized
processes, to document important, routine decisions; and
· maintaining memoranda documenting important, and
unusual decisions.
In
addition, conduct and document your own quality control reviews,
including action taken to address problems. Finally,
be honest and open; understand that AMS is there to assist
you. Participate in the planning process and discussions.
Identify key personnel. Share information to assist auditors
in performing an efficient review thereby minimizing disruptions
in operations. Voice your opinions regarding areas of weakness,
issues of concern, or suggestions for improvement.
Back
to top
What
should I expect when my area is scheduled for an audit?
AMS
will contact you to schedule an entrance conference to discuss
the scope of the review and the logistics of conducting the
audit. During this time you should take the opportunity to
discuss any concerns or questions you may have about the audit.
Following the entrance meeting, the auditor will formulate
the audit plan and begin test work. This is
for the auditor to gain an understanding of the area under
review, assess the internal control structure, and verify
compliance with policies and procedures. After the test work
is complete, the auditor then drafts a report of the
business issues and sends it to the manager of the area. An
exit conference is then scheduled with the client to discuss
the report. After management responds to the recommendations
made, the draft is sent to the Vice President for review
and comments. Then a final copy is sent to the President and
the Board of Visitors Audit Committee or Board of Directors
Audit and Compliance Committee.
Back
to top
What
is the reporting process?
Audit
reports are distributed only to those people who need to know.
Before the exit meeting, a draft report is written. The draft
report is then sent to the manager responsible for the area
audited and direct supervisor. The manager is then
given sufficient time to develop a written response to each
observation in the draft report. The responses address the
actions that will be taken in response to the observations
and recommendations and the estimated implementation date
of these actions. At this stage the draft report is still
subject to editing or clarification as necessary. After management’s
responses have been inserted into the report, the next draft
report goes to the appropriate Vice President and a copy to
the manager. The Vice President is then given sufficient time
to review the recommendations. A final copy is then sent to
the President. Finally, the audit report will be presented to the
next Board of Visitors Audit Committee or Board of Directors
Audit and Compliance Committee meeting.
Back
to top
How
do we respond?
The
manager has seven days following the exit conference to send
AMS a written response to each recommendation noted in the
report. The response should also include a target date specifying
when the action will be implemented.
Back
to top
How
often is my department reviewed?
The
frequency of review depends on the results of the risk analysis
performed and the corresponding priority ranking for each
auditable unit. Based on the audit resources available, the
annual audit schedule is defined and reviewed by management.
The audit plan is then submitted to and reviewed by the Board
of Visitors Audit Committee or the Board of Directors Audit and Compliance
Committee.
Back
to top
