Audit Process

The audit process generally follows the steps outlined below.

Area management will receive an email informing them of the upcoming audit.

An Audit Introduction Meeting is held with area management and the audit team. 

The purpose of this meeting is to conduct introductions, determine key processes and controls that should be included as part of the review, and discuss any areas that should be given special attention.

During planning, research is conducted to gain an understanding of the area, key controls are identified, and a preliminary assessment of the adequacy of existing controls is performed.

Documentation will be requested and meetings will be held between members of the audit team and area management and staff, to gather information about the area being audited.

Once planning has been completed, an engagement level risk assessment will be conducted by the audit team to determine the focus of the audit. 

The focus of the audit is communicated to area management through an Audit Objectives Memo.

Fieldwork typically consists of talking with area staff, testing for compliance with applicable university policies and procedures as well as laws and regulations, and assessing the adequacy of internal controls.

Throughout fieldwork, the audit team will discuss any potential findings with area management as they arise. 

In addition, area management and the audit team will conduct a mid-audit meeting to confirm known findings and provide a status of the audit.

An exit meeting will be held between area management and the audit team once fieldwork has been completed. The purpose of this meeting is to discuss and concur on audit findings, hold a preliminary discussion of next steps and action plans, and answer questions.

After the exit meeting, the audit team will draft an audit report.

The audit report consists of several sections including the distribution list, a general overview of the area, the purpose and scope of the audit, the overall conclusion, and details describing the findings and recommended solutions. 

This will be presented to area management for their review and comments.

Reports are rated according to the following criteria:


  • No significant observations noted.
  • Control environment appears sound.
  • High level risks are adequately controlled.

Effective with opportunity for improvement:

  • Minor observations and/or opportunities for improvement were noted.
  • Control environment appears otherwise sound.
  • High level risks are adequately controlled.

Insufficient and requires improvement:

  • At least one noted observation is rated as “High”.
  • Control environment requires improvement.
  • Some high level risks are not adequately controlled.

Not adequate:

  • Requires senior management’s immediate attention.
  • Lack of attention could lead to significant losses.
  • Control environment considered unsound.

Once the report is finalized, if needed, the audit team will request management responses.

The response consists of an action plan to correct the problem, an owner and the expected completion date.

Copies of the audit reports are sent to area management, the President, the Executive Vice President, the Financial Vice President, General Counsel and others, depending on the type of audit.

A summary of the audit report is provided to the Finance and Audit Committee.

Follow-up will occur after the expected completion date. 

The auditee can submit notification and/or evidence that area management has implemented the agreed-upon corrective actions.

Internal Audit will then update the board regarding the status of issues.

In the future, the auditee will have an opportunity to provide feedback to each auditor.
