Internal Audit

Audit Process

The Audit Process

Vertical Chart of Audit Process

Selection of Audit Topic

Audit topics are identified as part of an annual risk assessment the Internal Audit Office (IAO) conducts.  The primary goal of the annual risk assessment is to identify audit topics that will provided value to PSU’s governance processes and will provide assurance on the operating effectiveness of key operations at PSU.

Audit Planning and Notification 

If your department is selected for an audit and/or assists in a process that will be audited by IAO, then you will receive a letter informing you of the upcoming audit project.  IAO will reach out to the department head and other key staff to discuss timing, resource needs, and preliminary records requests that will be needed to help assist the audit team during the project.  During the planning stage, IAO will also ask you to identify potential objectives that would add value to your department that should be considered for the audit.  As a university manager, this is your opportunity to improve your department’s operations by having an independent review of key processes and risk areas or to obtain assurance that your department’s operations are functioning effectively.  

Entrance Conference

After the notification letter is sent out to applicable department heads and appropriate personnel, then a formal meeting called the Entrance Conference is scheduled.  This meeting formally kicks off the audit and allows IAO to further discuss the audit’s planned scope, objectives, time schedule, and general review process with the applicable department head and other appropriate personnel.

Audit Fieldwork 

IAO will begin fieldwork after the Entrance Conference is conducted.  Fieldwork involves interviews with staff and management, the review of policies and procedures, review of supporting records, and the performance of detailed testing by IAO.  The primary goals of an audit are to:

  • Identify opportunities for increased efficiencies;
  • Mitigate the risk of loss related to internal control breakdowns;
  • Verify existing control strengths and effectiveness; and
  • Provide reasonable assurance of the operations of the department and/or processes being audited.

The focus of the audit is to determine whether there are adequate control systems in place and whether those systems working effectively.  PSU IAO utilizes the COSO internal control framework as the primary criteria for assessing control processes.  A copy of COSO can be located at www.coso.org.  Internal controls are also assessed against governmental laws, rules, and regulations, as well as internal PSU policies and procedures.  A review of industry best practices and peer comparisons is also a part of the audit process.

Communication

Throughout the audit process, IAO will work on keeping applicable personnel informed.  IAO provides monthly updates to applicable personnel as a standard procedure during each audit project.  If IAO identifies areas to improve upon, discussion will occur with applicable personnel to ensure the topic is understood and the recommendations planned to be made are practical and will focus on addressing the root cause of any deficiency and/or opportunity for improvement noted.  The process to provide feedback is very important to any audit project and a client survey will be sent by IAO near the end of each engagement to help ensure the audit process added value and to help IAO obtain feedback about how to improve the audit process for future projects.

Exit Conference

Near the end of the audit project, a formal meeting called the Exit Conference is scheduled with the same individuals who attended the Entrance Conference.  IAO strives to provide individuals attending this meeting with a draft copy of the audit results at least 10 business days before the Exit Conference.  IAO expects that all parties attending the Exit Conference will have read the draft materials and will have a management response to all draft recommendations provided to IAO at the Exit Conference.  The primary purpose of this meeting is to allow all parties involved in the project understand any recommendations made by IAO, corrective actions taken by management to address those recommendations, and final steps to close-out the audit.  Any deficiencies identified during the audit, which were not deemed significant and/or material deviations, will also be discussed with applicable personnel.

Management Response & Draft Results 

Audit standards that PSU’s IAO follows require that a formal management response be received for each recommendation IAO makes during an audit project.  The management response must contain the following elements:

  1. A general statement of whether management agrees or disagrees with the recommendation;
  2. A summary of the corrective action(s) management plans to take or has taken to address the recommendation;
  3. An estimated date by which the correction action(s) will be fully implemented by management; and
  4. An overview of who IAO should work with to verify the correction action(s) have been implemented.

Given the nature of certain audit topics and recommendations made by IAO, IAO may require other university officials to review the management response.  These officials may include the Office of General Counsel, the Office of Academic Affairs, Human Resources and Payroll, and/or the vice presidents of finance or research.

Finalizing the Audit

The final results of the audit are distributed to appropriate university officials and the President of PSU after the Exit Conference occurs and the management response is received.  The results of the audit project are then distributed to members of PSU’s Executive and Audit Committee two business days after the results are issued to the President of PSU, unless the Office of General Counsel advises differently.

Follow-up Audit

IAO periodically conducts follow-up audits of all audit recommendations made during an audit project.  The follow-up audit is conducted to comply with auditing standards IAO follows and is typically conducted approximately 6 month to 2 years after the initial audit depending on the nature of the topics that IAO denoted during the original audit that received recommendations and based on IAO’s review of the corrective action plan management plans to implement in response to IAO’s recommendations.  The primary purpose of the follow-up audit is to verify the department has implemented the corrective action plan and/or taken satisfactory other steps to mitigate the risk denoted in the original audit.  During follow-up audits, IAO may interview staff, perform additional tests, and/or review new procedures to obtain reasonable assurance that the corrective actions have been implemented and are working effectively.

IAO will communicate the results of the follow-up audit to applicable management and the President of PSU.  If the follow-up audit notes that further corrective action is needed, then a subsequent follow-up audit will occur until actions are completed and/or risks are mitigated to a reasonably low level.  In addition, the results of follow-up audits are communicated to members of PSU’s Executive and Audit Committee two business days after the results are issued to the President of PSU, unless the Office of General Counsel advises differently.