Often clients first become aware of an impending engagement when they receive a memo that the auditor will contact them to schedule an opening meeting. This introduction to the engagement may leave a client wondering “Why me?” or “What did I do wrong?” These questions are often followed by confusion about the engagement process or how to prepare for the review. Some clients may even be confused as to what an internal auditor does and the role internal audit plays in the organization.
To help the engagement process be successful, it is important that the client understands their role in the review and is familiar with the internal audit function. We hope the following information helps.
What is internal auditing?
When most people think of auditing, the first thing that comes to mind is financial auditing. While this is an important aspect of auditing, it is only one small facet. The Institute of Internal Auditors defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. See the Audit Services section of the site to learn more about the services internal audit can provide.
If I call you with a question, are you going to audit me?
Typically no. One service we provide is to help answer questions when you are not sure of the responsible office or would like assistance interpreting policies or regulations. If we can’t answer the question for you, we try to help you find the right person to assist you.
What is the purpose and objective of internal audit?
The primary purpose of internal audit is to function as a service unit that assists all levels of management in the effective discharge of their responsibilities. This can be done by consulting and performing independent audits, reviews, and investigations. The office seeks to provide reasonable assurance to management that effective stewardship is maintained over the organization’s resources. Internal audit also serves as a liaison between management and external auditors.
What is the scope of internal audit’s authority?
In accordance with the internal audit charter and NCGS §116-40.7, internal auditors have unrestricted access to all records, assets, and other resources of the organization, which are necessary to accomplish its objectives. Internal audit ensures the safekeeping and confidentiality of all records and information used during an engagement to the extent provided by NCGS §116-40.7.
Does internal audit follow professional standards?
Internal audit follows the professional standards that have been established by the Institute of Internal Auditors (IIA). As required by these Standards, internal audit undergoes an external quality assessment every five years to measure its compliance with IIA Standards.
How is internal audit organized?
NCSSM is required by NCGS §143-746 to maintain an internal audit function. In accordance with the Internal Audit Charter, Internal Audit operates as an independent appraisal function and reports functionally to the Board of Trustees audit committee and administratively to the Chancellor. This reporting structure exists to help ensure that the internal audit function maintains a required level of independence and objectivity when conducting its duties.
What is reviewed and why?
Internal audit develops an annual audit plan that is reviewed and approved by the Board of Trustees audit committee and the Chancellor. The plan identifies the engagement projects to be conducted during the upcoming fiscal year; however, it can be amended to include requested reviews or special projects, or to respond to changes in priority.
Not all reviews are selected in the same way. The most common method of selecting an audit project is through the application of a risk assessment. Several factors are considered in the assessment, such as applicable compliance requirements, recent changes, reliance on IT technology, public interest/scrutiny, past deficiencies, or current concerns. However, throughout the year needs are re-assessed and the audit plan may be amended.
How is the scope of the engagement determined?
The scope of the engagement and/or review is determined from one or more of the following:
- Information collected during a preliminary survey, which includes interviews with the relevant personnel;
- Assessment of risk associated with the specific function or process;
- Evaluation of answers received on internal control questionnaires tailored for the assignment;
- Client requests concerning topics, functions and/or time frames.
Sometimes discoveries during a project can change the scope of an engagement. If this should happen, the client is notified of significant scope changes.
What is the actual engagement process?
The internal audit process generally consists of the following:
1. The engagement or review is formally announced through an engagement letter. Internal Audit notifies the appropriate members of management (i.e. the client) in writing when their area is selected for an audit. The engagement letter describes the general objectives of the engagement, the auditor in charge, the projected time frame of the engagement, and information the auditor may need early in the project.
2. An entrance conference is scheduled with the client to discuss the engagement purpose, scope, and process. The auditor and personnel deemed appropriate by the client attend the entrance conference. Clients are encouraged to present any questions or concerns they have about the engagement. Clients are also given the opportunity to request that a specific function or area of their department be examined during the engagement or in future work.
3. Preliminary research and survey is performed. During this portion of the engagement, the auditor will gain an understanding of the client’s operations and/or the area being reviewed. The auditor may request written policies and procedures, organizational charts, job descriptions, and other information in order to become familiar with the client’s operations. Internal controls may be reviewed and documented during this portion of the engagement.
4. Fieldwork is conducted. This phase of the engagement may include testing the internal controls, collecting and analyzing data, and/or performing other procedures necessary to accomplish the objectives of the engagement. This phase of the engagement is the most time-consuming part of the review for the client because personnel will need to be available to answer questions and provide information. Internal Audit realizes the value of each person’s time and tries to arrange meetings in advance and work around scheduling conflicts when possible. Also during this phase of the engagement, the auditor will strive to maintain an open communication with the client to ensure they are kept abreast of the initial observations so there are no surprises once the final report is issued.
5. A draft report is prepared. After the fieldwork is completed, the auditor prepares a draft report, which will include an overview of the area being audited, audit purpose, objectives, scope, methodology, reportable conditions, and recommendations. The draft report, along with any non-reportable condition, is shared with the client for review before the exit conference.
6. An exit conference is scheduled. This conference is held with the client to discuss the draft audit report. This is an opportunity to discuss the observations and clarify any ambiguities. Non-reportable conditions will also be discussed during the exit conference.
7. The client submits their responses to the audit findings and recommendations. After the exit conference, if necessary, changes are made to the draft report, which is then shared with the client. The client is normally given anywhere from one to two weeks to respond to the draft report. If circumstances arise that prohibit the client from responding to the report in the allotted time frame, the client is encouraged to contact Internal Audit and request more time. The client provides Internal Audit with a response to each of the observations and recommendations. The response to each observation/recommendation should include 1) whether the client agrees with the finding, 2) whether they will implement the corrective action suggested or a description of alternative steps that will be taken to address the issue, 3) an estimated date the corrective action will be completed, and 4) the position responsible for ensuring corrective action is taken.
8. The final report is issued. A final report is issued after the auditor receives the draft report with the client’s responses. The report is distributed to the client, senior management, the Chancellor and the Board of Trustees audit committee.
9. A follow-up review is conducted within a reasonable time after the final report is issued. A follow-up review is performed to verify the resolution of the audit observations and recommendations. The review is concluded with a report that notes the status of management’s corrective actions. The draft report is shared and discussed with the client before the report is issued. Once finalized, the follow-up report will be provided to the original report recipients and other NCSSM officials as deemed appropriate.
How long does an engagement last?
Engagements and reviews vary in length. The amount of time required depends on the objectives of the engagement, the cooperation and availability of the client, and the complexity of the operation. An internal control review may take one to two weeks, while a broad-based engagement may take months. A positive working relationship between the client and the auditors is an important factor in the accuracy of information gathered and the timely completion of the engagement.