AUDIT CHRONOLOGY

PLANNING AND FIELDWORK

The purpose of the planning stage is to define the subject and
scope of the audit, establish customer expectations, and identify
the criteria used to evaluate the audit subject. In this stage, the
auditor should obtain an overall view of the department or
function, and the operating context and constraints. Several
methods of gathering information may be appropriate including
the following:
1.
2.
3.
4.
5.

Initial meeting(s) with the department management and process owners

Internal control questionnaire or surveys of process stakeholders
Review of Internal Audit records
Review of external audit files and other appropriate external information
Audit program and fieldwork

Fieldwork means executing the planned audit, and if required

updating the audit plan based on information learned during the
course of the audit. During fieldwork the auditor will collect and
analyze information in order to prepare a draft report and to
regularly update process owners and other stakeholders on the
audits progress.
EXIT CONFERENCE AND AUDIT REPORTS
The Exit Conference is an opportunity for the auditor, department
management, process owners, and other stakeholders to review
and validate audit outcomes. The Exit Conference should
accomplish the following:
1.
2.
3.
4.
5.

Present observations and determine if the current operating context might affect past transactions, e.g.,
reduce the severity of a finding
Confirm facts, observations, and conclusions, e.g., that the findings are accurate
Validate the root cause leading to findings and present recommendations to eliminate the root cause,
and / or achieve control objectives
Estimate the effect of the findings on University operations or its risk management and compliance
objectives
Solicit draft management comments on the audit findings and determine if alternative
recommendations adequately eliminate the root cause of findings

6.

Define the timeline for issuing the final audit report and implementing recommendations

On a high, level audit reports or supporting work papers should

summarize the following information:

Condition: the facts, observations, and conclusions

Criteria: the standard or benchmark to measure a condition against
Root Cause: why the conditions dont measure up
Effect: what happened or will happen if the condition is not corrected, e.g., how important is this
Recommendation: practical, specific, and implementable to eliminate the root cause, and therefore
correct the condition

The actual audit report format should be functional and provide

management with an efficient method of reviewing and
responding to recommendations therein and to expedite
implementation of recommendations. One example of an audit
report format is the following:

Executive Summary
Distribution List - who is receiving the report
Introduction - statement of the auditor's objectives, results obtained, and a summary of department or
function audited including key operating context and constraints
Conclusion - the professional opinion of the area under review
Findings and Recommendations - by organizational unit and / or process in sufficient detail to identify
the issues and solutions
Management Comments key summary information necessary to put the finding into context and
written agreement that recommendations will be implemented
Status of prior audit recommendations, if any
Appendices and exhibits including statistical summaries of audit test results

After the exit conference, the draft audit report is circulated for
review and comment to the process owner and at the Vice
President / Senior Vice President levels responsible for the
department or function.