Hopkins Internal Audit
What You Can Expect From An Audit
Please place cursor over each step to receive more detail on how the process will work.
The Planning Phase is the first step in the audit and helps Hopkins Internal Audit gain a thorough understanding of the client's business environment, key risks and controls. Once an audit is included in our annual audit plan, our clients can expect to receive an Audit Notification Letter at least 30-days prior to its beginning. The Audit Notification Letter will identify those individuals assigned to the project and also request information from the client, such as organizational charts and financial information, for audit planning purposes.
After the notification has been received, Hopkins Internal Audit will set up an Entrance Conference including Internal Audit Staff and staff members of the area being audited. At this meeting, Internal Audit will introduce themselves and how the audit process will proceed. We will also present a preliminary scope and solicit management's thoughts and concerns.
At the entrance conference, Hopkins Internal Audit will present a preliminary scope based on a review of departmental mission and financial data. The client will be asked for their thoughts and concerns and whether any items need to be added or removed from the preliminary scope.
After the entrance conference has been held, Hopkins Internal Audit will meet with various members of the client's staff to gain an understanding of the business environment and key processes. This understanding is important to conducting an effective audit.
Once all interviews have been completed, Hopkins Internal Audit will now present the client with the final draft of the scope for comment. The scope will then be finalized based on the agreement of Hopkins Internal Audit and the client.
Once the scope has been finalized, Hopkins Internal Audit will proceed with flowcharting the processes surrounding the areas noted in the scope. Flowcharting allows Hopkins Internal Audit to gain a graphical understanding of the processes and makes the identification of controls or lack thereof more efficient. Flowcharts are typically made available to the client after the completion of the audit.
As the flowcharts are prepared, Hopkins Internal Audit will prepare risk and control matrices analyzing each control or lack thereof. The matrix will note a description of the control (or lack thereof), the risk of control breakdown and the strategy to test the control. Control issues to be reported upon, especially in the case of a control that does not exist, will be identified.
Once all the controls have been documented and analyzed, Hopkins Internal Audit will develop a testing strategy. This will be documented in the risk and control matrix for each process.
Once the testing strategy has been approved, an Audit Program will be developed noting how the fieldwork will be conducted. This step ends the planning phase of the audit.
The fieldwork phase begins with the selection of samples for testing. Hopkins Internal Audit is able to pull reports from the accounting system which become the population from which our samples will be pulled. Samples can be selected judgmentally or randomly. Once the selection is complete, a listing will be provided to the client to determine how best to pull the information.
Once the sample is created, either Internal Audit or the client will pull the information needed for testing. If pulled by the client, this step tends to take the most amount of time during the audit process. Documents will either be tested on-site or taken back to the Internal Audit Office for testing, depending on the nature of the documentation and the client's preferences. If testing is to take place on-site, the Audit team will need space in the client's office to perform the work.
Once the documentation has been pulled, Hopkins Internal Audit staff will proceed with testing that documentation in accordance with the Audit Program. The testing will be used to identify whether controls are working effectively or not. Exceptions from testing will become the foundation for issues and recommendations.
Whenever testwork uncovers concerns, these concerns will be shared immediately through a verbal conversation with the client. Concerns may or may not be issues as there may be additional information that the audit staff is missing. Only if the client cannot adequately explain a concern would it become an issue.
Once issues are identified, they will be confirmed with the client before proceeding into the reporting phase. Hopkins Internal Audit will evaluate issues thoroughly before reporting on them.
The reporting phase begins when the client sees the issues in written format for the first time. The issues will be presented to the client in the form of a Matrix of Audit Issues and Recommendations. The Matrix will contain five columns, (1) Issue number, (2) Issue Risk (A,B or C), (3) Description of Issue, (4) Hopkins Internal Audit Recommendation and (5) Management Response and Action Plan. The Issue Risk noted in column 1 identifies the impact of the issue with A being the highest and C being the lowest. Only A items will be reported in the Executive Summary sent to Senior Management.
After receiving the draft matrix, Hopkins Internal Audit will ask the client to prepare a Management Response and Action plan to each issue. These Responses and Action Plans can be very brief, but must address the issue and risk appropriately. If not, the client will be asked to re-write the response. An explanation may be provided by the client in the management response or the client may choose to accept the risk associate with an issue. Disagreements on issues and recommendations between the client and Internal Audit will be resolved before proceeding with the matrix. The Matrix of Audit Issues and Action Plans will be provided to the client in an electronic format so that Management Responses may be entered directly into the document.
Once all the Management Responses have been completed, a Draft of the Executive Summary will be prepared and presented to the client. The Executive Summary will only contain A items from the Matrix of Audit Issues and Action Plans or stated otherwise, the most critical-risk issues. This document should be distributed to the client at least three days before the Closing Conference. Clients are invited to review the Executive Summary and comment upon the wording of any of the issues. Hopkins Internal Audit wants to ensure that all issues properly represent the facts and accurately depict the situation in a fair manner.
A Closing Conference will be held with members of Hopkins Internal Audit staff and the client. During this meeting, the issues noted in the Executive Summary will be reviewed. Note that there should be no surprises as all the issues have already been finalized. At this meeting, the client will be allowed to comment on the wording of the Executive Summary and the process for Follow-Up will be discussed.
Based on the results of the Closing Conference, the final drafts of the Executive Summary and Matrix of Audit Issues and Action Plans is prepared. This document is sent out one last time before issuance for review by the client.
If there are no further comments on the Final Draft of the Executive Summary and Matrix of Audit Issues and Action Plans, the reports are issued in final format. Typically, the reports are issued electronically. Bound hardcopies are available upon request.
A client survey is issued along with the final reports offering the client a chance to evaluate Hopkins Internal Audit staff on performance and customer satisfaction. Hopkins Internal Audit takes these surveys very seriously and hopes that all clients would complete them in a timely manner. Hopkins Internal Audit is constantly looking for feedback to help improve our level of service to the Hopkins community.
After an audit is completed, Hopkins Internal Audit staff will contact the client on a semi-annual basis to obtain an update on the progress of open issue resolution specifically whether an issue is implemented, partially implemented or not implemented. This update will not be verified at this time.
Once all updates have been compiled, the Office of Hopkins Internal Audit will report in summary fashion the status of all open issues to the Audit Commitee of the Board of Trustees. The Audit Committee has asked Hopkins Internal Audit to be more resilient in holding clients accountable to their Management Responses and Action Plans.
Once a majority of Action Plans have been noted as implemented by the client, Hopkins Internal Audit will initiate a Follow-Up Review to verify that the recommendations have indeed been implemented as described in the Action Plans and client updates. Follow-Up Reviews are much less extensive than a regular audit and typically testwork is limited. Follow-Up Reviews can be conducted with very little impact upon the operations of a client's area and staff.
After the Follow-Up Review has been completed, a Follow-Up Report will be issued noting the status of the recommendations and action plans from the original report. If all recommendations have been implemented, no further follow-up will be required. However, if recommendations remain outstanding, an additional Follow-Up Review will be necessary.