 
Welcome to East Carolina University
Office of Internal Audit and Management Advisory Services



 


Stepping Through the Engagement Process

Frequently Asked Questions

 

 

Preface

The first time that many clients are aware of an impending engagement is when they receive a memo from the audit director informing them that the auditor in charge will contact them to schedule an opening meeting. This introduction to the engagement may leave the client wondering "Why me?" or "What did I do wrong?" These questions are often followed by confusion about the engagement process and how to prepare for the review. Some clients are even confused as to what an internal auditor does and the role the internal audit department plays in the organization.

 

In order for the engagement process to be successful it is important that the client understand its role in the review and is familiar with the internal audit function at East Carolina University. Stepping Through the Engagement Process has been written with the client in mind and explains the engagement process as well as the role of the internal auditor and the internal audit department. From this point on the Office of Internal Audit will be referred to as Internal Audit.

 

What is internal auditing?

When most people think of auditing, the first thing that comes to mind is "financial" auditing. While this is an important aspect of auditing, the term has a much broader meaning. The Institute of Internal Auditors defines internal auditing as "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."

 

Does Internal Audit follow professional standards?

Internal Audit at East Carolina University follows the professional standards that have been established by the Institute of Internal Auditors (IIA), the Information Systems Audit and Control Association (ISACA), and the Association of Certified Fraud Examiners (ACFE). The IIA serves over 70,000 members and provides the internal auditing profession with standards, guidance, and information on internal auditing best practices. ISACA has over 23,000 members and is recognized as a global leader in IT governance, control, and assurance. The ACFE has over 25,000 members and provides guidance on the detection and prevention of fraud. Each of these organizations has a Code of Ethics, which has been adopted by Internal Audit. One of the standards requires that the purpose, authority, and responsibility of the internal audit function be defined in a charter.

 

The audit charter for Internal Audit can be found here.

 

How is Internal Audit organized?

East Carolina University is required by the President of the UNC System to maintain an internal audit function. In accordance with the East Carolina University internal audit charter, Internal Audit operates as an independent appraisal function within East Carolina University and reports functionally to the Board of Trustees and administratively to the Chancellor. Internal Audit has six staff members, comprising one director, two assistant directors, two internal auditors, one IT systems auditor, and one auditing intern.

 

What are its purpose and objectives?

The primary purpose of Internal Audit is to function as a service unit to assist all levels of management in the effective discharge of their responsibilities. Through consulting and performing independent audits, reviews, and investigations, the office seeks to provide reasonable assurance to management that effective stewardship is maintained over the University's resources. Internal Audit also serves as a liaison between management and all external auditors.       

 

In general, the objectives of Internal Audit are to:

  • Evaluate the adequacy of the internal control structure within a department or unit.
  • Assess the extent of compliance of each area with applicable laws, regulations, policies, and procedures.
  • Verify the existence of University assets and ensure proper safeguards for their protection.
  • Evaluate the reliability and integrity of data produced by information systems.
  • Investigate concerns relating to fraud, embezzlement, and theft.
  • Consult with management and provide methodologies, facilitation, focus, knowledge, technology, best practices, and independence that help solve management's problems.

 

What is its scope of authority?

In accordance with the audit charter, Internal Audit has unrestricted access to all records, assets, and other resources of the University, which are necessary to accomplish its objectives. Internal Audit ensures the safekeeping and confidentiality of all records and information used during an engagement.

 

Who is reviewed and why?

Internal Audit develops an annual audit plan that is reviewed and approved by the Board of Trustees and the Chancellor. This plan identifies the engagement projects to be conducted during the upcoming fiscal year; however, it can be amended to include requested reviews, special projects, or changes in priority.

 

Not all reviews are selected in the same way. An area can be selected for a review if:

  • It's assessed as an area with high risk
  • It's a cyclical engagement project
  • Irregular conduct is alleged and a review is requested
  • There is a request from management

 

Selection based on assessment of risk: The most common method of selecting an area for an engagement is through the application of a risk assessment. Several factors that are considered in the assessment are:

  • Internal control structure
  • External regulations
  • Financial impact
  • Complexity of operations
  • Prior engagement findings
  • Length of time since last engagement

 

When this model is applied, areas are ranked according to their risk. Areas with the greatest risk become priority engagements and can result in three types of engagements: compliance, operational, or information systems.

 

Cyclical engagements: Some engagements are performed on a regular basis. Examples are: petty cash reviews, inventory counts, security reviews, and disaster recovery testing.

 

Investigative engagements: These engagements are normally requested by management and/or prompted by anonymous tips, and they focus on alleged irregular conduct. Reasons for investigative engagements include internal theft, misuse of State property, and/or conflicts of interest.

 

Requests from management: Management requests these engagements through the Office of Internal Audit. The scope of the engagement depends on the request.

 

How is the scope of the engagement determined?

The scope of the engagement and/or review is determined from one or more of the following:

  • Information collected during a preliminary survey, which includes interviews with the appropriate client personnel
  • Assessment of risk associated with the client's functions
  • Evaluation of answers received on internal control questionnaires tailored for the assignment
  • Client requests concerning topics, functions and/or time frame

 

Sometimes discoveries or events that occur during a project can change the scope of an engagement. If this happens and the scope changes significantly, the client is notified.

 

How long does an engagement last?

Engagements and reviews vary in length. The amount of time required depends on the objectives of the engagement, the cooperation and availability of the client, and the complexity of the operation. An internal control review may take one to two weeks, while a broad-based engagement may take months. A positive working relationship between the client and the auditors is an important factor in the accuracy of information gathered and the timely completion of the engagement.

 

What is the actual engagement process?

 

1. The engagement or review is announced through an engagement letter.

Internal Audit notifies the client in writing when their area is selected for an audit. An engagement letter is sent to the client, which describes the general objectives of the engagement, the auditor in charge, the projected time frame of the engagement, and information the auditor may need the client to supply.

 

2. An entrance conference is scheduled.

An entrance conference is scheduled by the auditor in charge with the client to discuss the purpose, scope, and process of the engagement. The director and auditor in charge attend the entrance conference along with personnel deemed appropriate by the client. Clients are encouraged to present any questions or concerns they have about the engagement. Clients are also given the opportunity to request that a specific function or area of their office be examined during the engagement or in future work.

 

3. A preliminary survey is performed.

During this portion of the engagement, the auditor will gain an understanding of the client's operation or area being reviewed. The auditor may request written policies and procedures, organizational charts, job descriptions, and other information in order to become familiar with the client's operation. Internal controls may be reviewed and documented during this portion of the engagement through an internal control questionnaire.

 

4. Fieldwork is conducted.

This phase of the engagement includes testing the internal controls and performing other procedures necessary to accomplish the objectives of the engagement. The auditor will follow a work program when conducting this phase of the engagement. A work program lists the control objectives of the engagement and the necessary steps an auditor must follow to collect and analyze the data.

 

This phase of the engagement is the most time-consuming part of the review for the client because personnel will need to be available to answer questions and provide information. Internal Audit realizes the value of each person's time and tries to arrange meetings in advance and work around scheduling conflicts when possible.

 

During this phase of the engagement, the auditor will strive to maintain open communication with the client to ensure they are kept abreast of the initial observations and there are no surprises once the final report is issued.

 

5. Draft report is prepared.

    After the fieldwork is completed, the auditor prepares a draft report, which will include the background of the area being audited, audit purpose, objectives, scope, methodology, reportable conditions, and recommendations. The draft report, along with any non-reportable conditions, is sent to the client via e-mail for review before the exit conference.

 

6. An exit conference is scheduled.

    An exit conference is scheduled by the auditor in charge with the client to discuss the draft audit report. The director and auditor in charge attend the exit conference along with client personnel. The conference is an opportunity to discuss the observations and clarify any ambiguities. Non-reportable conditions will also be discussed during the exit conference.

 

7. Client submits their responses to the audit findings and recommendations.

    After the exit conference, any changes deemed necessary are made to the draft report and submitted to the client via e-mail. The client is normally given 30 days to respond to the draft report. The client includes a response to each of the observations and recommendations and sends the report to the auditor in charge via e-mail. If circumstances arise that prevent the client from responding to the report in the allotted time frame, the client should contact the director to request more time.

 

8. The final report is issued.

    A final report is issued after the auditor in charge receives the draft report with the client's responses. The final report is distributed to the client, senior-level management, ECU Board of Trustees, and the Chancellor.

 

9. Post-engagement survey.

    As part of a self-evaluation program, Internal Audit asks clients to comment on its performance. After the final report is distributed, Internal Audit will send client management a post-engagement survey to evaluate the office's performance concerning the review process. Clients need to be very honest when completing this survey because it will be used to evaluate procedures and make changes as a result of a client's suggestions.

 

10. Follow-up review.

    A follow-up review is performed approximately 9 months after the final report is issued to verify the resolution of the observations. The review will conclude with a follow-up report, which lists the actions taken by the client to resolve the original observations. A discussion draft of the report will be circulated to the client before the report is issued. The follow-up report will be circulated to the original report recipients and other University officials as deemed appropriate.

 

Conclusion

Hopefully, Stepping Through the Engagement Process has explained the review process as well as the role of the internal auditor and the internal audit department. Client participation is imperative throughout the entire engagement and the process works best when client management and Internal Audit have a solid working relationship based on committed and continuing communication.

 

Many clients extend this working relationship beyond the particular review. In many instances, Internal Audit is asked to evaluate the feasibility of making further changes or modifications in a client's operations.

 

Internal Audit is committed to serving the University community. For more information or to ask questions about the engagement, please contact our office.

 

 


 
East Carolina University | Office of Internal Audit
Suite 2800 Greenville Centre | Greenville, NC 27858 USA
252.328.9025 phone | 252.328.4340 fax | Contact Us
© 2008 | terms of use | Last Updated: 01.08.2007