A representative from University Audits contacts the unit or department to be audited to obtain background information. This information is used to perform a risk assessment and create an audit program, which is the blueprint for conducting the audit.
At the opening meeting, processes and controls that will be part of the audit are discussed with department management. Timing and resource requirements are also identified. Input from the audit client regarding other risks or concerns is important to this process. After the opening meeting, an engagement letter is sent to management and Executive Officers to ask for their input on the audit.
Senior leadership at the University of Michigan has strong interest in University Audits’ activities. In order to take advantage of their collective knowledge, we send an announcement letter during the planning phase of all audits. This provides senior executives an opportunity to offer insight before finalizing the scope of an audit.
After planning, the auditor reviews and tests the areas identified in the audit program. Fieldwork includes interviewing personnel, observing department activities, and reviewing documents. Areas of concern are shared as they are identified. Fieldwork generally concludes after 2-3 months. Not all of this time requires direct client involvement.
Draft Audit Report
After fieldwork, a draft audit report is distributed to department management. Audit reports detail areas of concern, outline recommendations, and document management’s plan for corrective actions.
University Audits meets with department representatives and other stakeholders to finalize the audit report.
Final Audit Report
After the closing meeting, the audit report is distributed.
- Final audit reports are issued to the Dean or Director responsible for the department or process being audited.
- The President, Executive Vice Presidents, General Counsel, Associate Vice President for Finance, Controller, and Director of Internal Controls receive all final audit reports.
- The Finance, Audit, and Investment Committee and the full Board of Regents periodically receive a report on all audit activity, including copies of the final reports.
- Management advisory memos are usually supplemental to a formal audit report. They are used to communicate:
  - Detailed supporting information for the issues presented in the formal audit report
  - An issue that is outside the scope of the audit but observed during the audit
  - Report of results of a limited project or request
  - Report of individual findings to a sample unit within the broad audit scope
  - An issue that is relevant to the area audited but cannot be resolved by that unit
During the follow-up process, University Audits verifies action plans have been effectively implemented. University Audits will periodically ask the unit that was audited for the status of open action items.
- High- and Medium-Risk Issues: Every three months until completed, unit management should report the status of their action plans to University Audits. At six months, and every six months thereafter until the actions are completed, University Audits will conduct follow-up procedures to verify the actions are complete and are effectively managing the risk. University Audits will summarize the results of each six-month follow-up review in a written memo.
- Low-Risk Issues: Low-risk issues are expected to be addressed by unit management and may be reviewed at another time. However, a status update is not required and University Audits will not conduct follow-up procedures.
Upon completion of all action plans, a final follow-up memo is issued. The Board of Regents is periodically updated on the status of audit follow-ups.