The Internal Audit Process at A Glance

Audit Process

Although every audit is unique, the audit process is similar for most engagements and generally consists of 4 stages:

- Planning
- Fieldwork/Execution
- Reporting
- Follow-up

Timing

During each stage of the audit, the involvement of the school board's personnel is critical and will consist of answering questions, participating in interviews, preparing documents for testing, as well as designing and overseeing the implementation of controls following management's response to previous audit reports. The auditor will establish the timing of the audit and the scheduling of the staff in conjunction with the school board, taking into consideration the busy periods of different departments/schools/entities in order to minimize disruption.

Steps in performing the Internal Audit

1. Planning

During the planning portion of the audit, the auditor establishes the terms of the engagement with the auditee, notifies the school board of the audit, gathers information on important processes, evaluates existing controls, and prepares the audit plan.

a. Engagement Team Debrief

In this stage, the audit senior will contact the staff who will be conducting the audit to give them a debrief of the school board's previous contact and/or history with the internal audit function, as well as previous findings, time spent on the previous audits, results of the risk assessment and the preliminary scope of the audit. The auditor will prepare a client assistance letter with general requests to be sent to the entity to be audited (examples of general requests are: flow charts, process narratives, organizational chart, department heads' availability, recent changes in the processes, etc.), which will have a deadline on or before the initial meeting.

b. Engagement Letter

The auditor will prepare the engagement letter to be sent to the head of the audited department, which will confirm the scope of work to be performed, the objectives of the audit, the auditors assigned to the project and other relevant information. The auditee can contact the auditor at any time before the initial meeting and ask for clarifications and/or make amendments to the terms of the engagement.

c. Preliminary Survey & Documentation

To increase the efficiency of the planning and to speed up the process of developing the audit program tailored for the specific audit at hand, the auditor might ask some general questions for a better understanding of the processes or ask for copies of the policies and procedures by email. The auditor gathers relevant information about the auditee in order to obtain a general overview of operations. The auditor discusses with key personnel and reviews sources of information. This process will likely take place through telephone or email.

d. Notification

The auditor will confirm with the head of the audited department (or heads of departments, if more than one department will be included in the same period), in writing (i.e. via email), the timing and the scope of work of the audit to be performed (already agreed upon in the engagement letter).

e. Review of Processes and Internal Controls

During this step, the auditors will get an understanding of the processes and policies of the unit being audited. If this is not the first audit of the unit, the auditor will update the processes with the changes/improvements that took place since the last audit, as confirmed with the process owners. The review might consist of either one or a combination of the following: interviews and enquiries with the managers of the unit and/or the personnel that are actually performing the tasks, review of documentation used in transaction processing, flow charts, etc.

f. Audit Program

The audit program concludes the planning phase. This will describe the fieldwork to be performed to achieve the objectives.

2. Fieldwork/Execution

The fieldwork stage concentrates on transaction testing and communications. It concludes with a list of significant findings from which the auditor prepares a draft of the audit report.

a. Initial Meeting

During this meeting, the auditee describes the unit or system to be reviewed, the available resources and other relevant information. The auditee identifies issues or areas of special concern that should be addressed. During this meeting, different issues can be discussed:

- introduction of the team and the client's personnel
- communication standards with the client (daily/weekly update, communication of the outstanding points, discussion of the issues and findings, etc.)
- targeted timeline of the mandate
- reconfirmation of the scope of the engagement, as well as an explanation of the approach that will be followed

b. Transaction Testing

In this stage, transactions will be tested using various techniques, including sampling. The purpose of the testing is for the auditor to assess whether the controls mentioned in the Review of Processes and Internal Controls step are operating effectively.

c. Continuous Communication

As the fieldwork is performed, the auditor will discuss any significant findings with the owners of the processes. At the same time, the process owners will have the opportunity to discuss with the auditor compensatory controls as well as the supporting documentation. The auditor will also inform the client of the progress of the audit throughout the process. Usually the communication will be oral, with written emails or memos for more complex issues to ensure full understanding by the client and the auditor.

d. Exit Meeting

Upon completion of the fieldwork, the auditor will meet with the client to discuss the preliminary findings and the proposed recommendations. This meeting gives both parties the opportunity to agree on the most feasible recommendation and to avoid any unpleasant surprises during the reporting phase.

3. Reporting

This phase produces the principal product of the audit. It expresses the auditor's opinion, presents audit findings and discusses recommendations for improvements.

a. Preliminary Audit Report

After the file is reviewed, the auditor will prepare the draft internal audit report outlining the entities audited, the scope of work, the recommendations and the recommended timeframe for their implementation.

b. Management's Response

The management in the audited department will prepare a response to the audit findings in the audit report. The response (plan of action) will indicate:

- the title of the person responsible for the implementation
- the action to be taken
- the timeline for the implementation

The response will be sent to the auditor.

c. Final Report

When management's response is incorporated in the draft audit report, the report becomes final. The auditor will present the final report to the audit committee. Copies will be distributed to the head of the audited activity or department, the person to whom this individual reports, and up the chain of command to the director of education of the affected school board.

4. Follow-up

The auditor will follow up on the completed audit within approximately one year of the final report to verify the resolution of the report findings.

a. Follow-Up Review

The auditor will keep an updated log of issues to be followed up from the previous audits, including the deadline for the implementation of the proposed and agreed-upon recommendations. The auditor will contact the client to follow up on the implementation of the recommendation as the deadlines approach. They will discuss and understand the process that is implemented, asking for different documents supporting the implementation.

b. Follow-Up Report

A follow-up report will be issued to the management and a copy sent to the audit committee, describing the issue followed up on, management's control implementation, the assessment of the appropriateness of the control and a listing of unresolved findings, including their deadlines.