Learn How to Prepare for an Audit

If your area has been audited in the past by the Office of Internal Audit, it is worth reviewing the last audit report. A standard feature of our audit approach is to review the progress of past recommendations. It also is useful if you can make us aware of, or provide us with the information of any other reviews or inspections that have taken place in your unit.

Outlined below are general steps recommended to prepare for an audit. We recognize that specific steps and information requests that are unique to your unit will be identified and communicated to you as part of the initial contact and planning with us.

1. Assemble appropriate and current background information about your unit that you think might help us in gaining an understanding of your administrative structure, nature of your operations and knowledge of employee roles and responsibilities. As a general guide, our work is focused upon the aims and objectives identified in your strategic plan so copies of the plan will be helpful.

Other information might typically include any key procedures or policies, organization charts and financial information such as budgets and sample management reports. Copies of these documents are particularly helpful, although we recognize that many parts of the University now hold such information on their web sites – where this is the case, providing the relevant site address is useful for us. 

In addition to assisting the auditor in understanding your operation more thoroughly, a well-documented strategic plan, policy/procedure manual, etc. will guide new as well as veteran employees regarding the established and approved methods of doing business.

2. Temporary workspace for the auditor(s) within reasonable proximity to the office staff and records. Since many of the original documents and records we will need to examine are located at the local department level, the auditor(s) will need a temporary work area with adequate space and lighting.

The amount of time needed for the auditors to be physically present at your location will vary from audit to audit. We will attempt to perform as much of the audit as possible from our office so as to minimize any disruption of your operations.

3. Identify an audit contact person who can act as a liaison person to work with us. This member of staff should be responsible for ensuring that we have access to records and files or any other resources we need to complete our reviews as well as directing us to the appropriate colleagues who can help us complete specific areas of our review.

This officer normally acts as our main point of contact as the audit progresses so that we can continue to keep you informed of how the work is going. Contact officers often find it useful to schedule meetings with us periodically throughout the audit to stay in touch with how we are progressing.

We have found that this is a good way to facilitate communication, resolve issues on a timely basis, and correct any misunderstandings.

4. Access to all employees and pertinent records. As stated in the Columbia University Office of Internal Audit Charter, The Office of Internal Audit shall have full, free and unrestricted access to the University’s records, physical properties, personnel, independent auditors and other individuals relevant to an area under review.

The auditor's analysis of your operation may require that several of your employees at various levels be asked to explain in detail how they perform their jobs. In addition to examining hard copy records, it may be necessary for the auditor to make photocopies, and/or obtain samples, of key documents for our files.

The confidentiality of records reviewed during the course of the audit (i.e.: payroll data, student transcripts, etc.) will be maintained by the auditor(s).

5. Tell your staff about the audit. As part of our planning, we provide an engagement letter that outlines in broad terms the work that we will be doing.

Most units find it useful to distribute a copy of the engagement letter to their staff so that they know to expect us to be around the unit and have an idea of the type of work we will be undertaking. It also helps those staff that we need to contact, identify the sort of records and information that they need to have available when we meet with them.

6. An honest and candid appraisal of the audit process at the conclusion of the audit. As stated earlier, the department head of the area being audited will be provided with an audit effectiveness questionnaire. Each member of the audit staff has been professionally trained in the practice of internal auditing.

They are expected to abide by the professional standards and ethics established by the Institute of Internal Auditors as well as our own departmental standards. Your objective answers and constructive comments on the survey form will assist us in evaluating and improving the effectiveness of our program.

Office of Internal Audit Charter

View the Columbia University Office of Internal Audit Charter, to refer to the framework for the conduct of the internal audit function.

FAQs

How are departments or processes selected for audit?

Internal Audit conducts a yearly university-wide risk assessment of the various business processes and financial reports through senior management discussions which results in the creation of the yearly audit plan. This audit plan is presented and approved by the Audit Committee of the Board of Trustees.

What if an external auditor contacts you?

All external audits should be coordinated through the Office of the Controller and the Office of the General Counsel.

What are internal auditors looking for?

Key effective internal controls that manage risk and compliance with University policies and other external requirements. Columbia's policies are designed to help ensure we all comply with applicable laws and regulations and operate efficiently. Not all internal controls can be codified in policy. If we find control weaknesses, we regularly make recommendations to implement a control even though it may not be specifically required by policy.

What if Internal Audit has a finding during an audit?

We will make recommendations for improvement. The recommendations are realistic because we want you to implement them. It is the responsibility of management to weigh possible additional costs of implementing our recommendations in terms of benefits to be derived and the relative risks involved.

How can I learn more about risks and controls?

We're also available to do presentations and training for your department.

How long does an audit take?

An audit could take from two months to six months to complete depending on the size and complexity of the area. We may need to meet key personnel on the audit two or three times for maybe an hour at a time over the audit period. We may spend equal amounts of time, and perhaps less, with others in the department, but we will not be monopolizing anyone's time in the department and much of our work such as audit planning and report writing, is done in our offices. During the audit opening meeting, we will discuss the audit schedule and try to accommodate the time constraints that you may have.