Audit provides independent, objective assurance and advisory activity designed to add value and improve university operations. Audit helps the university accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Internal Audit Process
Selection of Engagement Area
Areas selected for audit are identified as a part of robust annual planning process. The goal of the annual planning process is to identify which units can most benefit from assurance services. The annual planning process seeks to apply available resources to highest risks identified, but also serves to provide periodic resources to all units.
For the purposes of audit planning, the Office of Audit, Risk and Compliance has organized the university into nine major functions:
- Governance and leadership
- Instruction and academic support
- Research and development
- Student services
- Human resources management
- Fiscal and asset management
- Campus operations
- Auxiliary operations and services
- Information systems
The audit selection process entails a macro-level risk assessment of the major functional areas using industry trends, past audit experience, fiscal analysis, and campus input. Some factors considered in selecting units include:
- Critical nature of the unit in meeting university objectives
- Length of time since and results of last audit
- The size and complexity of the operation
- Changes in regulations, personnel, operations, programs, systems, or controls
- Regulatory requirements of the operation
- Degree of manual and automated processing
- Sensitivity of unit's operations to the university’s image and reputation
- Amount of fiscal activity and resources
Planning & Notification
If your unit is selected for an audit, you will receive a letter to inform you of the upcoming engagement. The auditor will reach out to the unit head to discuss timing and the best person(s) to contact to plan the audit. The auditor will then send a preliminary checklist and set up a planning meeting. The preliminary checklist is a list of background documents that will help the auditor learn about your unit before planning the engagement. During the planning stages, the auditor will also ask you to identify potential objectives that would add value to your organization. As a unit leader, this is your opportunity to improve your unit operations by having an independent review of key processes or risk areas. The audit serves to provide you assurances over key operations.
Entrance Conference
At the beginning of each engagement, a meeting is scheduled with the unit head and other appropriate personnel to discuss the engagement scope and objectives, schedule, and review process.
Fieldwork
After the entrance conference, the auditor will begin fieldwork. Fieldwork involves interviewing staff, reviewing policies and procedures, and performing detailed tests. The goal of the audit is to:
- Reduce the risk of losses related to internal control breakdowns
- Identify opportunities for increased efficiencies
- Reinforce existing control strengths
The emphasis of the evaluation is to determine if there are adequate control systems and whether the systems are functioning as intended.
COSO is the internal control model utilized by Oregon State University. A copy of COSO can be located at www.coso.org. Controls are also measured against university and governmental rules and regulations, as well as policies and procedures. Industry best practices and peer comparisons are also part of the evaluation process.
Communication
Throughout the process, the auditor will keep you informed. You will have an opportunity to discuss and confirm potential problems found and possible solutions.
If the auditor identifies areas to improve, discussion will occur at various levels to ensure the recommendations made are practical and address the root cause of any deficiency. In addition, the auditor will also want to discuss control strengths identified to ensure they are understood and to reinforce best practices.
If you are surprised by an issue at the end of the engagement, the auditor did not do his/her job adequately. The feedback loop is very important to any audit process and a client survey will be sent at the end of each engagement to ensure the process added value, and to obtain feedback about how to improve the audit process.
Exit Conference
A meeting is scheduled with the same individuals who attended the entrance conference. At the exit conference, a draft of the report is reviewed so that all of the parties understand the nature of the recommendations and agree on the possible solutions. This meeting is also an opportunity to ensure any misunderstandings or possible misstatements contained in the report are identified and resolved. Any deficiencies identified during the engagement, which were not significant enough to be included in the report but still represent a potential risk, are also discussed.
Draft Report & Management Responses
After the exit conference, a draft of the report is finalized. The unit head will be responsible for formulating a management response and forwarding it to the chief audit executive. The management response is a critical element of the feedback loop. The response serves to reinforce the proactive nature of the audit process by demonstrating to the reader that improvements are being made and the activities involved. The response must contain three elements:
- A statement of whether management agrees or disagrees with the recommendations
- An action plan of activities to take place
- A timeline by which the activities will be completed
Given the nature of the recommendations and report, the Office of Audit, Risk and Compliance may require other university officials review the responses. These officials may include vice presidents (finance or research), the Office of General Counsel, the Office of Human Resources, the Office of University Relations, and the provost or president.
Final Report
The final report is printed and distributed to the unit and university officials. The final distribution will be discussed at the entrance and exit conferences.
NOTE: The distribution of the report outside the university is to be discussed with the Office of Audit, Risk and Compliance and the Office of General Counsel prior to release to ensure protected information under federal and state law is not inappropriately released in violation of statutes.
Recommendations Follow-up
There will be a follow-up review of all audit recommendations approximately 6 to 12 months after the engagement. The purpose of the follow-up is to verify that you have implemented the agreed-upon activities. The auditor may interview staff, perform additional tests, or review new procedures.
The Office of Audit, Risk and Compliance will issue a follow-up memo to highlight all the improvements made and note if further work is needed. The final report will be distributed to the unit and university officials who received the original report. If further actions are needed, subsequent follow up audits will occur until actions are all complete.