Planned Review Process
The process for planned reviews consists of the following phases:
Internal Audit conducts an opening conference with the Vice President, management, and key staff members of the office being audited to discuss the audit process and potential areas that could be reviewed with management and staff members. The conference is a participative forum that encourages input from participants and is designed to establish a teaming relationship with our audit customers.
Participative Work Team (PWT) Meetings
Internal audit invites staff and management members to a collaborative meeting before audit fieldwork begins. During the meeting, participants work together to identify the key processes of the area being audited, the risks associated with those processes and the internal controls that are or should be in place to reduce the risks associated with those processes.
PWT meetings will be held throughout the audit, either at the request of management or Internal Audit, to discuss audit observations and applicable management action plans.
The fieldwork phase consists of performing audit activities to satisfy the scope and objectives of the audit. General fieldwork procedures typically include:
- Interviews with relevant staff and management members to determine the primary functions
for each area or department, job responsibilities of each individual and how those
responsibilities are fulfilled. During the interviews, we also determine reporting
relationships and areas that employees are concerned about and/or would like Internal
Audit to review.
- Expenditure testing to verify compliance with departmental, KSU, Board of Regents,
State, and Federal expenditure policies and procedures (e.g., general expenditures,
P-Card expenditures, travel, appropriate approvals, business purposes, etc.).
- Process reviews to determine if adequate internal controls are in place to reduce
the risks associated with key processes (e.g., segregation of duties, cash handling
- Review of safety measures in place (e.g., card readers, locks on doors, hazardous
- Safeguarding of assets (e.g., access to keys, combinations to safes, sign-out for
assets that leave the campus, etc.).
- Safeguarding of information (e.g., access to information systems and specific computer functions, retention of information, locked filing cabinets, etc.).
- Interviews with relevant staff and management members to determine the primary functions for each area or department, job responsibilities of each individual and how those responsibilities are fulfilled. During the interviews, we also determine reporting relationships and areas that employees are concerned about and/or would like Internal Audit to review.
Implementing Management Action Plans During an Audit
Throughout the audit, the auditor will provide information to management regarding areas where there are opportunities for process improvement. After meeting with management and relevant staff members to determine the most practical and reasonable way to improve these processes, management will be given the opportunity to implement the agreed-upon management action plans before the completion of the audit.
There may be instances where management is not able to implement agreed-upon management action plans for process improvement before the completion of the audit. For these occurrences, we will conduct a PWT meeting with departmental management and staff members to discuss the outstanding action plans, obtain agreement with them regarding the best way to report the observations, and determine the most reasonable and practical way to implement the remaining action plans. Based on this discussion, we will team with management to develop and document a management action plan and determine an estimated date of completion for the action plan. The audit observations and the related management action plans will be documented in the final audit report.
Before writing the draft audit report, Internal Audit will conduct a PWT meeting with management and staff members where participants help us determine what information should be in the report and the best format to use to present the information. Audit reports typically include:
- Summary results of the areas tested.
- Executive summary.
- Introduction and background information.
- Organizational structure.
- Audit scope and objectives.
- Detailed information on audit observations and management action plans for those areas where management was not able to implement process improvements before the completion of the audit.
After the draft audit report is written, it will initially be shared only with management of the office that was audited and will not be distributed to any individuals outside of that office. Internal Audit will solicit feedback from management of the office audited to determine if they agree with the content and format of the draft audit report and if they have any suggestions to improve the report. This process will continue until management of the office audited and Internal Audit agree with the content and format of the draft audit report.
After all agreed-upon revisions have been made to the draft audit report, a formal exit conference will be held to discuss the report. Formal exit conference attendees include Vice Presidents, management, and key staff members. After the formal exit conference is completed, Internal Audit will incorporate any changes into the draft audit report that were agreed-upon during the conference. The draft audit report will then be provided to KSU’s President and the Vice Presidents for their review and comments. After approval from the President and Vice Presidents, the final audit report will be distributed to KSU’s executive management, departmental managers, and the Board of Regents’ Chief Audit Officer and Associate Vice Chancellor.