An Operational Audit Process is designed to:
- understand the responsibilities and risks faced by an auditable faculty, department, unit or process ( Hierarchy of Concerns for Audit ) and ( Risk Assessment Overview Chart );
- assess the level of control exercised by management;
- identify, with management participation, opportunities for improving control;
- provide senior management of the University and the Audit Committee of
the Board of Governors (and thus the Board of Governors) with an
understanding of the degree to which management has achieved its
responsibilities and mitigated the risks associated with the operation of the
University. This includes:
- reliability and integrity of financial and operational information;
- effectiveness and efficiency of operations;
- safeguarding of assets;
- compliance with laws, regulations, and contracts.
Normally, this involves the following six phases:
1) Pre-audit process
The process normally begins with an introductory meeting to inform the unit's senior management that an audit will take place, to explain the process, and to gather background information.
Following the introductory meeting, the auditor performs a preliminary gathering of information using various sources of information (for example, the unit's web site) to identify the possible components and concerns. At the end of this stage, a binder is prepared and is used in the risk assessment meeting with the auditees.
2) Risk assessment meeting with auditee
The risk assessment meeting involves the key managers of the department or faculty or unit to be audited. One objective of the risk assessment meeting is to obtain confirmation of the components (i) and major concerns of the unit (ii).
The key managers also perform an assessment of the importance of each concern (low, medium or high) for each component. They are also requested to perform a voting exercise to compare and rank the components and concerns. This step is preferably completed during the meeting, but may be completed separately with each manager.
The result is a risk template. The high-risk areas identified by management will then provide the focus for the audit project.
3) Control matrix
The auditor meets with the managers of the high-risk areas to identify the key management objectives and the key control activities (iii) performed. After these meetings, the auditor documents the key management objectives and the key controls.
The lack of key controls identified, referred to as control design issues, is also documented in the matrix.
Once the first draft of the control matrix is completed, it is sent back to the managers for confirmation and validation. The lack of key controls (control design issues) is also discussed with management.
The key controls identified in the matrix represent the controls to be tested in the next phase.
4) Test design
Once the matrix has been agreed upon with management, the auditor designs the test procedures for the identified key controls. The auditor prepares a test design for each key control activity identified in the matrix.
The testing plan is reviewed before the testing phase begins. The testing phase usually requires the auditor's presence in the department to conduct interviews, examine documents, and obtain explanations.
The auditor documents the results of the tests, the conclusion, and any proposals. During testing, the auditor also discusses preliminary findings with individual managers.
The test results become the basis for the first draft of the audit report.
5) Report drafting
After the previous stages have been completed, the auditor can produce a draft report to be presented and discussed with management. The draft report uses the following standard structure:
- Background information
- Risk template and key controls as an appendix
- Other appendices
The report review and discussion process is designed to arrive at agreed action plans to resolve identified issues. Any management-accepted risks and differences of opinion are also reported.
The report drafting process involves meetings with increasingly senior levels of the management hierarchy until the report has both the moral and monetary (if needed) support for the issues raised.
6) Final audit report
The final report is distributed to all managers of an audited unit, the relevant members of senior management, the Vice-Principal, (Administration and Finance), the Chair of the Audit Committee of the Board, and the external auditors.
(i) Components: Represent the principal
deliverables of the unit (products, services or processes.
(ii) Concerns: Represent the events that could prevent the audited unit from achieving its objectives.
(iii) Controls: Any action taken by management, the board, and other parties to enhance risk management and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.