Business Procedures Manual

Fiscal Affairs Division

16.4 Internal Audit/Engagement Process

(Last Modified on January 30, 2024)

The engagement process as described below begins with the development of the audit/engagement plan and ends with the issuance of the final report and any follow-up of significant or material exceptions.


16.4.1 Audit/Engagement Plan

(Last Modified on January 30, 2024)

Internal audit professional standards mandate the development of a risk-based audit plan. Audit plans are to be developed by gaining an understanding of the entity’s strategies, key business objectives, associated risks and risk management processes. Audit plans are fluid and must be periodically reviewed and updated in response to changes in organizational risks. The risk assessment process will focus on issues that present a high degree of risk to the USG and/or USG institutions. Issues will be identified through:

  • gathering information on fundamental management activities, governance processes and core operational and system controls;
  • evaluating collected information to identify potential risks; and,
  • assessing potential risks by likelihood, impact, and magnitude.

The risk assessment process will be ongoing and will include input from the BOR, USG and institutional leadership, the IARC Committee of the Board of Regents and other sources as appropriate. Issues presenting a high degree of risk will be further analyzed to determine which internal audit engagement best addresses the identified risk. Engagements may be pursued at the system-level or at an institutional-level.

As discussed in Section 16.1, based on guidance provided by the CAO, ICAs shall submit an annual institutional audit plan for review and approval by the IARC Committee and CAO. These plans will include narratives describing the risk assessment process and the list of identified risks. The CAO shall utilize the institutional audit plans and system-wide risk assessments to develop a system-wide internal audit plan, which will be submitted to the IARC Committee for approval. Any revisions to institutional audit plans must be approved by the CAO. Also, the CAO shall inform the IARC Committee of any significant changes. Minor revisions to audit plans do not require approval by the CAO. The CAO shall provide written notification to auditees that the institution/audit area has been included on the audit plan.


16.4.2 Engagement Scheduling and Notification

(Last Modified on January 30, 2024)

Client management will be contacted prior to the intended start of an engagement to provide preliminary information about the project and the process for conducting the work.

A formal engagement letter, to include the engagement scope, will be sent to the institution president (for institutional engagements) or to the senior executive responsible for an activity (for USO and USG-wide engagements) prior to beginning the engagement. The letter will detail specific information needed for the engagement and any logistical assistance that might be required.

The client will be responsible for identifying a representative to serve as the engagement team’s primary contact during the engagement. The client will also identify a key contact person for each function reviewed, as needed. The engagement team leader is responsible for scheduling and facilitating an entrance conference with the client’s senior management.


16.4.3 Conducting the Engagement

(Last Modified on August 14, 2020)

Internal Auditors are obligated by professional standards to act objectively, exercise due professional care, and collect sufficient, competent, relevant, and useful information to provide a sound basis for engagement opinions, observations and/or recommendations.

Work performed will be documented in working papers. Information included in the working papers must be sufficient, competent, relevant, and useful to provide a sound basis for engagement issues, observations and/or recommendations. Working papers may include schedules and analyses, documents, write-ups, and flow charts. Evidential matter may also be obtained through interviews and observations.

Upon the conclusion of the fieldwork, the engagement team will summarize the engagement issues, observations and recommendations necessary for preparation of the engagement draft report. The engagement team will also meet with the client’s management team to discuss the issues, observations and recommendations noted. At this time, any concerns that the client may have with issues, observations and recommendations will be resolved to the extent possible.


16.4.3.1 Utilizing Sampling Techniques in an Engagement

(Last Modified on January 30, 2024)

Sampling may be used to test less than 100% of a population. In sampling, the engagement team accepts the risk that some or all errors may not be found, which could lead to erroneous conclusions. When sampling is used, the engagement team must:

  1. determine the type of sampling to be used,
  2. decide on the number of items to be selected, which should be based on the engagement team’s understanding of the relative risks and exposures of the areas reviewed, and
  3. apply the results to the entire population subject to testing as appropriate.

Other substantive procedures may also be used to test accuracy of populations when sampling is not deemed appropriate or cost effective. Substantive procedures may consist of target testing, analytical procedures and physical verification.


16.4.4 Engagement Close-Out and Report Preparation

(Last Modified on January 30, 2024)

At the conclusion of the engagement, the engagement team will prepare a draft report that details the engagement executive summary, background, issue ratings (for assurance engagements), engagement observations, and recommendations. This draft report will be shared with the client’s management prior to conducting a formal exit conference.

At the exit conference, the engagement team will review the draft report with management, focusing on ratings, observations and recommendations with specific emphasis on areas where improvement is needed. Disagreements should be resolved to the extent possible before final engagement closure. For any issues or observations noted, management provides corrective action plans and/or final responses in writing within 15 working days after the exit conference. If management fails to respond, that will be noted in the final report.

After the exit conference, the engagement team will prepare a final report, taking into account any revisions resulting from the exit conference and other discussions. When changes have been reviewed by ICA and/or CAO, along with an evaluation of the client’s written responses for inclusion in the final report, the report will be issued.

The CAO’s approval is required for release of all internal audit reports performed by OIAEC system office personnel. Institutional engagement reports will be approved for release by the ICA, but a copy must also be submitted to the CAO. All material issues are summarized for reporting to the IARC Committee.


16.4.5 Follow-Up Review

(Last Modified on January 30, 2024)

Follow-up is required of all issues classified as material. Each material issue shall be reviewed by appropriate internal audit personnel until the issue is closed or resolved. Significant issues may be reviewed after being reported as closed but this review is not required. The actions taken to resolve the issues are to be reviewed and may be tested to ensure that the desired results were achieved. In some cases, managers may choose not to implement an issue recommendation and to accept the risks associated with the issue reported. The follow-up review will note this as an unresolved exception. The CAO shall periodically report the status of material issues to the IARC Committee to include the status of issues not closed in a timely manner.

Open or partially resolved engagement issues/findings will be maintained and periodically updated in the USG Internal Audit function enterprise system.


16.4.6 Exception Ratings

(Last Modified on August 14, 2020)

Individual ratings are assigned to each assurance engagement observation contained in reports issued. All issues are included in the audit report but “Comments” are not presented in a full audit finding format. The scales for the USG Internal Audit rating systems are listed below.

Report Item Rating Scale

  • Advisory (Consulting Engagements only)
    • Categorized by area reviewed
    • Used to identify recommendations contained in a consulting engagement report

Assurance Engagements Rating Scale

Likelihood    Impact/Magnitude
              Low         Medium        High
Not Likely    No Issue    Comment       Moderate
Likely        Moderate    Significant   Material

  • No Issue
    • Engagement Team did not identify any reportable issue
  • Comments
    • Nominal or minor violations of procedures, rules, or regulations.
    • Issue(s) identified are not likely but could have a medium impact on the organization.
    • Minor opportunities for improvement.
    • Not included in report but are communicated to management during the exit conference or at the end of the engagement.
  • Moderate
    • Violation of policies/procedures/laws and/or lack of internal controls that either does or could pose a notable level of exposure to the organization.
    • Issue(s) identified are (a) either not likely but could have a high impact or are (b) likely and could have a low impact on the organization.
    • Notable opportunities to improve effectiveness and efficiency exist.
    • Corrective action is needed by management in order to address the noted concern and reduce risks to a more desirable level.
  • Significant
    • Violation of policies/procedures/laws, and/or lack of internal controls that either does or could pose a substantial level of exposure to the organization.
    • Issue or issues identified are likely and could have a medium impact on the organization.
    • Substantial opportunities to improve effectiveness and efficiency exist.
    • Prompt corrective action by management is essential in order to address the noted concern(s) and reduce the risk to the organization.
  • Material
    • Violation of policies/procedures/laws and/or unacceptable level of internal controls that either does or could pose an unacceptable level of exposure to the organization.
    • Issue or issues identified are likely and could have high impact on the organization.
    • Major opportunities to improve effectiveness and efficiency exist.
    • Immediate corrective action by management is required.

16.4.7 Quality Assurance/External Assessments

(Last Modified on January 30, 2024)

A quality assurance and improvement program is critical to maintaining the efficiency and effectiveness of an internal audit operation. All USG internal audit departments must develop a quality assurance and improvement program. Assessments are required to be updated periodically with results reported to appropriate leadership and the CAO.

Also, professional standards require that external assessments must be conducted at least once every five (5) years by a qualified, independent assessor or assessment team from an outside organization. The CAO is required to have discussions with the Board to determine:

  • the form and frequency of the external assessment; and
  • the qualifications and independence of the external assessor or assessment team, including any potential conflicts of interest.

Additional information on quality assurance requirements and external assessment may be found in Section 1300 of the USG’s System-Wide Audit Manual.

