Stage One: Planning
Our planning for our work across the University is based on a five-year cycle and within this period we cover all activities of the institution at least once. Some areas that are considered to be high risk or high priority are often covered more than once in this period. This five-year plan is broken down into annual plans that identify audit reviews for each financial year. Prior to the start of each year we will contact your department or school to notify you about the audit and to schedule a time during the year that is most convenient for the audit to take place.
Nearer the start of the audit we will arrange a meeting with you to discuss the scope and objectives of the audit. Your input at this stage is important to us as it helps us establish areas of risk that should be included in the scope of the work. This is also your opportunity to raise any issues or areas of special concern that could be covered as part of the audit. We use this meeting, to establish information about the area being reviewed and this typically includes personnel, finance and other relevant information. One specific aspect of this meeting is identifying the strategic objectives and a discussion of the risks on your local risk register. From this we determine the possible risks that exist that may affect the achievement of your objectives of your team and how best you can manage them through the use of internal controls.
It is helpful to us at this point if you can identify staff who can assist us in our work and any information that we are likely to need access to. We have found that in the past, a nominated audit contact is a useful way of managing the audit jointly between you and us so that issues can be raised and cleared on an ongoing basis with you as the audit progresses. This also allows you to pick up early indications of the sort of areas we will be reporting on.
The information we have gained from our initial planning meeting is used in conjunction with other relevant information about your area in order to obtain a general overview of operations. This may include information on budgets and strategic plans as well as past audit reports. There are certain risks that we will always review to ensure that they are being adequately controlled and managed - these include financial transactions, local risk management and business continuity planning.
All of this information is then used to make a preliminary assessment of the risks and controls for your unit. In the interests of quality and consistency, the Head of Internal Audit reviews this work and agrees the scope of work to be carried out. We then confirm the arrangements discussed at the meeting in a scope letter when you will be asked to confirm as appropriate.
We use this preparatory work to produce an Audit Programme – this is an internal document that specifies detailed work that needs to be undertaken as part of the fieldwork.
Stage Two: Fieldwork
Our fieldwork concentrates on determining how well your area is managing the risks identified at the planning stage and what controls are operating to help you do this. This can take a variety of forms that includes interviews and detailed testing / analysis of documents or transactions. When we have completed the fieldwork stage, we usually have a list of findings that we use to prepare a draft audit report.
However, prior to this we will usually have arranged to discuss any key issues with our audit contact before completion of the fieldwork. We encourage this aspect of the audit as our contact can offer insights and work with us to determine the best method of resolving any issues that arise. Usually these communications are oral. However, sometimes, they are written in order to ensure full understanding by you and us: we aim for a no surprises approach!
Stage Three: Reporting
When we have finished our fieldwork, we draft a report. The Head of Internal Audit reviews the fieldwork and the draft in line with professional auditing standards. Once this stage has been completed, we hold a feedback meeting to summarise the audit findings, conclusions, and recommendations necessary for us to publish a draft version of the report. We use this meeting, to listen to your comments on our findings and to reach an agreement on any recommendations that we have identified.
We then produce a formal draft report, taking into account any revisions resulting from the feedback meeting and any other subsequent work we have done in light of it. The Head of Internal Audit also reviews this work. The formal draft is then sent to you so that you have the opportunity to respond to the audit findings prior to the final report being published. We also use your response to include any further, relevant observations that you have into our final report. Included with our draft is an action plan that identifies the recommendations made in the report and as part of your response we ask you to complete the action plan. This involves explaining how the recommendations will be implemented, by whom and within what time scale. We ask that you respond to us within two weeks of receiving the draft report and action plan. This is because, like you, we don’t want the audit review process to become drawn-out and protracted and need a timely response so that we can finalise the report as quickly as possible.
The recommendations made in the report are prioritised according to the four categories below:
We distribute copies of the final report to the operational managers of your area, the Head of College or Corporate Service and to the Director of Finance and the Registrar and Secretary. The University’s Audit Committee also receives summary reports of our work for each audit undertaken, and a copy of the completed action plan.
Finally, as part of Internal Audit's self-evaluation program, we ask you to comment on our performance. This feedback has proven to be very helpful to us, and we have made changes in our procedures as a result of the suggestions we have received. This is a short questionnaire that only takes a few minutes to complete but is important as it benefits both you and us for future audits; we also summarise the results of these questionnaires to report periodically to the Audit Committee.
Stage Four: Follow-up
Each year we follow up the recommendations made in previous audits to check progress on the recommendations madet. During these reviews we use the completed action plan as a basis for the work to be undertaken and examine the progress on the agreed recommendations.
The reporting process for follow-up work follows a similar pattern to that of the routine reporting processes (see stage three) and you have the opportunity to respond to the audit findings prior to issue of a summary of progress.
In addition, whenever we start a planned audit review from our agreed audit schedule of work, we will also review any key recommendations from past audits as part of our programme of work.