Each year, Internal Audit prepares an Annual and Long Term Audit Plan and Risk Assessment report. The purpose of the audit plan is to outline audits that Internal Audit will conduct during the fiscal year. The Audit Director will make changes to the plan, in consultation with the MSU President and the IHL Chief Audit Executive, to address changes in identified risks or management’s requests. Our goal throughout the audit process is to create a constructive, collaborative working relationship with management and employees responsible for the areas being reviewed.
Every audit is unique; however, they generally consist of the following four phases: Planning, Fieldwork, Reporting, and Follow-up Procedures.
Planning
During planning, we gather information about the department or processes being reviewed. We will request initial documents (policies, procedures, assessments, etc.) for key areas being reviewed. We also perform initial discussions with key personnel to gain an understanding of processes and to identify risks and controls.
Fieldwork
During fieldwork, we perform audit steps to test controls. We determine if adequate controls exist to ensure compliance with federal and state regulations, University policies and procedures, and good business practices. Identified control weaknesses, noncompliance, or irregularities are documented as a potential issue that may be included in the draft report. These issues are discussed with management before they are included in the report. Determination of the significance of an observation is a professional judgment and is subject to Internal Audit management review during the reporting phase.
Reporting
When testing is complete and all information has been reviewed, a draft report will be prepared by Internal Audit and discussed with management during the exit conference meeting. The report will include observations identified during the audit, along with their level of significance (high or moderate).
For the observations identified in the report, management will be required to respond with corrective actions that will be taken to improve the controls. Management’s responses should be returned to the Office of Internal Audit within ten working days of the exit conference. Upon receipt of management’s responses, the final report will be issued to senior management and all of those in the reporting chain, up to and including the President. IHL will also receive a copy of the report.
Follow-up Procedures
Follow-up Reports are issued each quarter. Internal Audit will perform follow-up procedures near the date provided with management’s response to determine whether management’s action plans have been “fully implemented,” “partially implemented,” or “not implemented.” Follow-up procedures and updates from management will be required until all action plans have been satisfactorily implemented and the identified control issues have been resolved. Senior management and the President will receive notification of past due issues falling within the audited unit’s span of control.