Audit Process

Audit Process

Although every audit is unique, the audit process usually consists of four stages: Planning, Field work, Reporting and (for some audits) Follow-up. Engagement of the client, or the area being audited, is critical at every stage of the audit process. An audit often results in a certain amount of time being diverted from your department’s usual routine. It’s helpful for a client to treat an audit like any other special project and allocate time for you and your staff to participate in the audit process. This minimizes the time necessary for the audit and avoids disrupting ongoing activities.


Each audit requires planning, starting from defining the scope and objective to developing audit steps to meet the objective. Internal audit conducts an entrance meeting with management to discuss the purpose of the audit, risk factors, and other logistics. Management is included in the planning phase and the details are documented in a planning and scoping memo.

                                                                 1 email notification can be delegated

                                                                 2 consider need for engagement by UVA Counsel’s office

                                                                 3 update project Kanban card with agreed upon dates, staffing, milestones

                                                                 4 Director or CAE approval required


During the fieldwork phase, auditors conduct the steps identified in the planning process. Steps often include conducting interviews, reviewing laws, policies and best practice, verifying sample transactions, analyzing data sets, and conducting surveys. Auditors meet regularly with management throughout fieldwork and discuss the status of the audit, preliminary observations, and potential recommendations.


Auditors conduct an exit meeting with management at the conclusion of the fieldwork to discuss the results of the audit, specific findings and recommendations and other observations. Auditors communicate these to management through an audit observation memo and ask management to provide a response with a corrective action plan and timeline to implement. These responses are included in the final report. Management and leadership are provided an opportunity to review drafts and provide feedback.

                                                                 1 Table with Priority Rating and brief description of each observation; brief narrative of overall insights

QA & Wrap Up

  1. QA checklist must be completed within 30 days of final report issuance
  2. Issues/Observations and Management’s Corrective Action Plans input to audit management software for follow-up testing.
  3. must be completed within 30 days of final report issuance
  4. Shared folders (Teams, Box, Dropbox) to facilitate document sharing from client must be deprovisioned and closed, with all evidence supporting the audit opinion stored in Onspring. If approval to maintain a collaboration tool location has been received from Audit leadership, all non-Audit employees must be deprovisioned and access removed.


  1. Testing procedures on audit findings from final report
  2. Status of findings reported to Audit, Compliance, and Risk Committee in Board of Visitor materials