Internal Audit Process

IA conducts reviews identified as part of its annual audit plan as well as consulting, investigations and management requests, as necessary.

The annual audit plan is approved by the Audit Committee of the Board of Trustees. All audit activity is governed by the mandatory guidance of IIA’s International Professional Practices Framework, which includes the Definition of Internal Auditing, the Code of Ethics, and the International Standards for Professional Practice of Internal Auditing.

The audit process consists of the following four phases:

IA will conduct interviews with auditee personnel to learn about departmental processes. Using what it learns from those meetings, IA will identify risks and controls and document process narratives and flow charts. IA will confirm the documented narratives and flow charts with process owners before developing plans for fieldwork/testing.

Fieldwork includes assessing the adequacy of internal controls and compliance, testing transactions, and performing data analysis and/or other procedures necessary to accomplish the objectives of the audit. Sufficient evidence will be developed to support audit observations. IA will work with auditees to identify root causes. 

IA will work with auditees to develop action plans for observations, which are included in the audit report. The audit report is a formal document where IA summarizes its work and reports observations and agreed-upon action plans based on that work. The final audit report is issued to auditees, executive management and the Audit Committee of the Board of Trustees. 

IA will work with auditees to confirm the agreed-upon action plans have been implemented. IA provides reports on the implementation status to executive management and the Audit Committee of the Board of Trustees.