Audit Process

Selection of Engagement Area

Areas selected for audit are identified as a part of robust annual planning process.  The goal of the annual planning process is to identify what units can most benefit from assurance services.    The annual planning process seeks to apply available resources to highest risks identified, but also serves to provide periodic resources to all units. 

For the purposes of audit planning the Office of Audit Services has been organized the university into nine major functions: (1) governance and leadership, (2) instruction and academic support, (3) research and development, (4) student services, (5)human resources management, (6)fiscal management, (7) plant operations,  (8) athletics and auxiliary services, and (9) information technology.

The audit selection process entails a macro-level risk assessment of the major functional areas using industry trends, past audit experience, fiscal analysis, and campus input.    Some factors considered in selecting units include: 

  • Critical nature of the unit in meeting university objectives
  • Results of and length of time since last audit
  • The size and complexity of the operation
  • Changes in regulations, personnel, operations, programs, systems, or controls
  • Regulatory requirements of the operation
  • Degree of manual and automated processing
  • Sensitivity of units operations to the university’s image and reputation 
  • Amount of fiscal activity and resources

Return to menu

Planning & Notification 

If your unit is selected for an audit, you will receive a letter to inform you of the upcoming engagement.  The auditor will reach out to the unit head to discuss timing and the best person(s) to contact to plan the audit.  The auditor will then send a preliminary checklist and set up a planning meeting.  The preliminary checklist is a list of background documents that will help the auditor learn about your unit before planning the engagement. During the planning stages, the auditor will also ask you to identify potential objectives that would add value to your organization.  As a unit leader, this is your opportunity improve your unit operations by having an independent review of key processes or risk areas.  The audit serves to provide you assurances over key operations. 

Return to menu


Entrance Conference

At the beginning of each engagement, a meeting is scheduled with the unit head and other appropriate personnel to discuss the engagement scope and objectives, time schedule, and review process. 

Return to menu


Fieldwork 

After the entrance conference, the auditor will begin fieldwork. Fieldwork involves interviewing staff, reviewing policies and procedures, and performing detailed tests.  The goal of the audit is to:

  1. Reduce the risk of losses related to internal control breakdowns
  2. Identify opportunities for increased efficiencies
  3. Reinforce existing control strengths

The emphasis of the evaluation is to determine if there are adequate control systems and whether the systems are functioning as intended.  COSO is the internal control model utilized by Oregon State University.  A copy of COSO and the university internal control policy can be located at _________________.  Controls are also measured against university and governmental rules and regulations, as well as policy and procedures.  Industry best practice and peer comparisons are also part of the evaluation process. 

Return to menu


Communication

Throughout the process, the auditor will keep you informed. You will have an opportunity to discuss and confirm potential problems found and possible solutions.

If the auditor identifies areas to improve upon, discussion will occur at various levels to ensure the recommendations made are practical and address the root cause of any deficiency.  In addition, the audit will also want to discuss control strengths identified to ensure they are understood and reinforce best practice. 

If you are surprised by an issue at the end of the engagement, the auditor did not do their job adequately.  The feedback loop is very important to any audit process and a client survey will be sent at the end of each engagement to ensure the process added value and to obtain feedback about how to improve the audit process.

Return to menu

Exit Conference

A meeting is scheduled with the same individuals who attended the entrance conference. At the exit conference, a draft of the report is reviewed so that all of the parties understand the nature of the recommendations and agree upon the possible solutions.   This meeting is also an opportunity to ensure any misunderstandings or possible misstatements contained in the report are identified and resolved. Any deficiencies identified during the engagement, which were not significant enough to be included in the report, but still represent a potential risk, are also discussed.

Return to menu

Draft Report & Management Responses

After the exit conference, a draft of the report is finalized. The unit head will be responsible for formulating a management response and forwarding them to the Chief Audit Executive.  The management response is a critical element of the feedback loop.  The response serves to reinforce the proactive nature of the audit process by demonstrating to the reader that improvements are being made and the activities involved.  The response must contain three elements:

  1. A statement of whether management agrees or disagree with the recommendation
  2. An action plan of activities to take place
  3. A timeline by which the activities will be completed

Given the nature of the recommendations and report, the Office of Audit Services may require other university officials to review the responses.  These officials may include Vice Presidents (Finance or Research), General Counsel, Human Resources, University Relations, and the Provost or President. 

Return to menu

Final Report

The final report is printed and distributed to the unit and university officials.  The final distribution will be discussed at the entrance and exit conference. 

NOTE- The distribution of the report outside the university is to be discussed with the Office of Audit Services and Office of General Counsel prior to release to ensure protected information under federal and state law is not inappropriately released in violation of statutes. 

Return to menu

Follow-up of recommendations

There will be a follow-up review of all audit recommendations approximately 6 to 12 months after the engagement.  The purpose of the follow-up is to verify that you have implemented the agreed-upon activities.  The auditor may interview staff, perform additional tests, or review new procedures.

The Office of Audit Services will issue a follow-up memo to highlight all the improvements made and note if further work is needed.  The final report will be distributed to the unit and university officials who received the original report.  If further action subsequent follow up audit will occur until actions are all complete.