The Audit Process

Specific procedures vary from one engagement to the next; however, seven stages are involved in every audit process:


An audit begins with an initial meeting between the auditor and management from all interested offices and units. The entrance conference provides an opportunity for discussion of the audit process, the scope and objectives of the audit, the estimated completion date, and on-site work space requirements. It also provides management with an opportunity to discuss any questions or concerns they may have. Management's input at this stage will help us to establish a work plan to minimize audit time and avoid disruption of ongoing activities to the greatest extent possible.


The first step of the actual audit consists of interviews with managers and staff, and a review of documents and data to gain a better understanding of the unit's operations. Transactions and records are then tested to determine if controls are operating as intended. Informal communication between the audit and unit management is maintained to avoid misunderstandings, and to ensure that there are no surprises in later stages of the audit.


After all fieldwork is completed, a draft report is prepared by the auditor. The report documents our objectives, procedures performed, our conclusions as to the adequacy of controls, and specific observations and recommendations for improvement if necessary. Internal Audit management reviews the draft thoroughly before it is presented to the unit's management. This draft report is prepared only for the unit's operating management and it provides the basis for discussions at the exit conference.


A meeting is scheduled with the same individuals who attended the entrance conference. At the exit conference, the report draft is reviewed so that all of the parties understand the nature of the recommendations and agree upon the possible solutions. This meeting is also an opportunity to ensure any misunderstandings, possible misstatements or factual errors contained in the report are identified and resolved. Any issues identified during the engagement which were not significant enough to be included in the report, but still represent a potential risk, are also presented and discussed.


After the exit conference the draft report is finalized including any agreed upon changes from the exit conference. In addition, the unit head will be responsible for formulating management's response to the recommendations and forwarding them to Internal Audit. The management response is a critical element of the feedback loop. The response serves to reinforce the proactive nature of the audit process by demonstrating to the reader that improvements are being made. The response should contain three elements:

  1. An action plan of activities to take place
  2. The individual responsible for the planned activities
  3. A timeline by which the activities will be completed

Once any changes and managements responses have been incorporated the draft is now considered final. Final reports are distributed to the appropriate managers involved in the audit and to senior executives. Audit reports are considered confidential documents.


There will be a follow-up review of all audit recommendations approximately six to twelve months after the engagement. The purpose of the follow-up is to verify that you have implemented the agreed-upon activities. The auditor may send a request for status, interview staff, perform additional tests or review new procedures.