16.3 Engagement Process
The engagement process begins with the development of the audit plan, and ends with the issuance of the final report and any follow-up of significant and material audit exceptions. The engagement process used by the USG Office of Internal Audit and Compliance (OIAC) is shown below.
16.3.1 Rolling Audit Plan
Internal audit professional standards mandate an audit risk assessment and audit plans. OIAC will meet these professional standards by maintaining a rolling risk assessment that supports a near-term (one to five months), medium-term (six to ten months), and long-term (eleven to fifteen months and beyond) audit plan. The OIAC risk assessment will focus on issues that present a high degree of risk to the USG and/or USG institutions. We will identify these issues through:
- collecting information from multiple sources, analyses, and measures;
- fusing collected information into potential risks; and,
- assessing potential risks by likelihood, impact, and breadth.
The OIAC risk assessment will be ongoing and will include input from the Board of Regents (BOR), USG and institutional leadership, the OIAC Audit Advisory Committee, and other sources as appropriate. Issues presenting a high degree of risk will be further analyzed to determine which internal audit engagement best addresses the identified risk. Engagements may be pursued at the system level or at an institutional level. The USG Chief Audit Officer (CAO) will periodically present the rolling audit plan for approval to the BOR Committee on Internal Audit, Risk, and Compliance (Committee). The USG CAO is authorized to revise the rolling audit plan but shall inform the Committee of any significant changes. The USG CAO shall provide written notification to auditees that the institution/audit area has been included on the rolling audit plan.
Institutional Chief Auditors (ICAs) may conduct either annual or rolling risk assessments and audit plans. The USG CAO shall issue guidance for use in preparing institutional audit plans in February of each year. ICAs shall submit a narrative describing the risk assessment process, the list of identified risks, and the institutional audit plan for review and compilation by the USG CAO. The USG CAO shall submit the compiled institutional audit plans for approval by the Committee. The ICA (with the authorization of the USG CAO) is authorized to revise institutional audit plans. Minor revisions to institutional audit plans do not require approval by the USG CAO. The USG CAO shall inform the Committee of any significant changes.
16.3.2 Engagement Preliminary Assessment, Scheduling and Notification
Auditee management is contacted at least sixty (60) days prior to the intended start of an engagement in order to schedule a preliminary assessment. The preliminary assessment consists of an initial visit by OIAC staff in order to determine potential engagement areas. The preliminary assessment relies heavily on input from institutional management in order to craft a value-added engagement. The preliminary assessment team shall engage the auditee or client in a discussion on the nature of any opinion to be rendered by the OIAC.
A formal engagement letter, to include the engagement scope, is sent to the institution president (for institutional engagements) or to the senior executive responsible for an activity (for USO and USG-wide engagements) at least thirty (30) days prior to the engagement. The letter also details specific information needed for the engagement and any logistical assistance that might be required.
The auditee or client is responsible for identifying a representative to serve as the engagement team’s primary contact while on campus. The auditee or client also identifies a key contact person for each function reviewed. The engagement team leader schedules and facilitates an opening conference with the auditee or client senior management.
Consulting engagement planning shall also include development of a consulting charter. Office of Internal Audit and Compliance consulting charters should be approved by the USG Chief Audit Officer and the consulting client. Consulting charters shall minimally address engagement objectives and deliverables.
16.3.3 Conducting the Engagement
Information obtained during the course of the engagement provides the documented basis for the engagement team’s opinions, observations, and recommendations expressed in the engagement report. Auditors are obligated by professional standards to act objectively, exercise due professional care, and collect sufficient, competent, relevant, and useful information to provide a sound basis for engagement observations and recommendations.
Sampling may be used to test less than 100 percent of a population. In sampling, the engagement team accepts the risk that some or all errors will not be found and the conclusions drawn may be wrong. The type of sampling used and the number of items selected should be based on the engagement team’s understanding of the relative risks and exposures of the areas reviewed.
Engagement work performed is documented in working papers. Information included in the working papers should be sufficient, competent, relevant, and useful to provide a sound basis for engagement observations and recommendations. Working papers may include schedules and analyses, documents, write-ups, and flow charts. Evidential matter may also be obtained through interviews and observations.
Upon the conclusion of the fieldwork, the engagement team summarizes the engagement observations, conclusions, and recommendations necessary for preparation of the engagement report draft discussion.
16.3.4 End of Engagement Review
At the conclusion of the fieldwork, the engagement team meets with the auditee’s or client’s management team to discuss observations and recommendations. At this time, the auditee or client comments on observations and recommendations, and any inaccuracies or impractical recommendations are resolved to the extent possible.
16.3.5 Exit Conference
At the conclusion of the end of engagement review, the engagement team develops a discussion draft that details the engagement executive summary, background, issue ratings (for assurance engagements), engagement observations, and recommendations. This discussion draft is shared with the auditee or client management prior to conducting an exit conference. At the exit conference, the engagement team reviews the discussion draft with management and any disagreements are resolved to the extent possible.
16.3.6 Closing the Engagement
After the exit conference, the engagement team prepares a final draft, taking into account any revisions resulting from the exit conference and other discussions. When changes have been reviewed by OIAC management, along with an evaluation of the auditee’s or client’s written responses for inclusion in the final report, the report is issued.
The USG Chief Audit Officer’s approval is required for release of all OIAC reports. Institutional engagement reports must be submitted to the OIAC. All significant issues and material issues are summarized for reporting to the BOR Committee on Internal Audit, Risk, and Compliance.
16.3.7 Follow-Up Review
Follow-up is required of all audit issues classified as significant or material. Each material issue reported as closed/resolved by institution management shall be reviewed by the ICAs or the OIAC within sixty (60) days of the issue being reported as closed. Significant issues may be reviewed after being reported as closed but this review is not required. The actions taken to resolve the issues are reviewed and may be tested to ensure that the desired results were achieved. In some cases, managers may choose not to implement an issue recommendation and to accept the risks associated with the audit issue. The follow-up review will note this as an unresolved exception. The USG Chief Audit Officer shall periodically report the status of audit issues to the Committee to include the status of issues not closed in a timely manner.
Open or partially resolved State, OIAC and institution audit findings are maintained in the USG Internal Audit function enterprise system. Auditee management, such as the chief business officer or the ICA, updates the status of each issue in the USG Internal Audit function enterprise system on at least a quarterly basis.
16.3.8 Exception Ratings
Individual ratings are assigned to each assurance engagement observation contained in reports issued by the OIAC. ICAs may choose not to publish observation ratings but shall assign ratings to observations in the USG Internal Audit function enterprise system. ICAs shall use the USG Internal Audit rating system insofar as ICAs elect to publish observation ratings. All issues would be included in the audit report but “Comments” would not be presented in a full audit finding format. The scales for the USG Internal Audit rating systems are listed below.
Report Item Rating Scale
- Categorized by area reviewed
- Used to identify recommendations contained in a consulting engagement report
- No Issue
- Engagement Team did not identify any reportable issue
- Included in report and tracked in USG Internal Audit function enterprise system.
- Nominal or minor violations of procedures, rules, or regulations.
- Minor opportunities for improvement.
- Not included in report but are tracked in USG Internal Audit function enterprise system.
- Corrective action suggested verbally, but not required.
- Significant violation of policies and procedures, and/or weak internal controls.
- Significant opportunity to improve effectiveness and efficiency.
- Significant risk identified.
- Corrective action required.
- Material violation of policies/procedures/laws, and/or unacceptable internal controls, and/or high risk for fraud/waste/abuse, and/or major opportunity to improve effectiveness and efficiency.
- Material risk identified.
- Immediate corrective action required.
16.3.9 State Department of Audits and Accounts Report Ratings
The state Department of Audits and Accounts (DOAA) periodically communicates the results of DOAA audits to those charged with governance as required by DOAA professional standards. DOAA audit results also may be summarized in OIAC communications.
Material weaknesses and significant deficiencies identified by DOAA auditors and the associated corrective action plans are also tracked in the USG Internal Audit function enterprise system. USG and institutional management shall update the status of corrective action plans associated with DOAA findings on at least a quarterly basis. The OIAC shall coordinate with the State Accounting Office (SAO) to update the status of corrective action plans as tracked by the SAO using data submitted by USG institutions. OIAC’s submittal of institutional data does not imply ownership of the institutional findings or validation of management’s reported status.