Audit Process

The Internal Audit Department is committed to providing the highest level of professional audit services to Touro.  Professional audit services include serving as a resource to management and meeting professional standards.

                                             Internal Audit Engagement Timeline




5 weeks


3 weeks

4 weeks


I.    Planning

The Internal Auditor reviews the following types of background information:

  • Department objectives and goals, key metrics, and scorecards;
  • Policies, plans, procedures, laws, regulations, and contracts having significant impact on operations and critical system applications;
  • Organizational information, such as the number and names of employees, job descriptions, process flowcharts, detail about recent changes, etc.; and
  • Prior audit work papers and audit reports (including reports of external independent auditors and other external parties), correspondence files, and relevant authoritative and technical literature.

1)      Risk Control Matrix

The matrix includes steps, risks, control objective, documentation request list, population and sample size, test procedures, and test results. Work papers are prepared at the beginning of the first audit assignment and are updated throughout the course of each subsequent audit.  They represent the documentation of audit activity and must be continuously maintained.

2)      Audit Announcement Memo

The Internal Auditor notifies the parties responsible for the area being audited (the Auditee) of the preliminary objectives, timing, team members that will conduct the review, and the overall protocol to be followed in the audit process.  Notification is sent via email in the form of an engagement letter to the Auditee with copies to Senior Management, as appropriate.

3)       Entry/Opening Meeting

The commencement meeting is conducted with the Auditee in order to discuss the preliminary scope, objectives, and any business concerns.  The following individuals should be invited and encouraged to attend the meeting:

  • Directors and department heads responsible for the area being audited;
  • Manager(s) and any of the staff working in the specific areas being audited; and
  • Key individuals on the Internal Audit team.

 II.    Fieldwork  

1)      Evidence of review of work papers by the Internal Auditor

Auditors must obtain all evidence necessary for the efficient completion of the audit. The decision on how much evidence is sufficient and what type of evidence to seek requires the exercise of the Internal Auditor's judgment based on experience, education, reasoning, and intuition.  A thorough knowledge of the concepts underlying audit evidence will improve the audit quality and efficiency.

  • Physical evidence obtained by observation and inquiry;
  • Testimonial evidence from interviews and statements;
  • Documentary evidence, which may consist of legislation, reports, minutes, memoranda,  contracts, extracts from accounting records, formal charts and specifications of documentation flows, systems design, operations, and organization structure; and
  • Analytical evidence that evaluates financial information through analysis of plausible relationships among financial and nonfinancial data. Systematic evidence may also require investigation of identified fluctuations or relationships that are inconsistent with other relevant information or that differ from expected values by a significant amount.


2)       Exit/Closing Meeting

At the conclusion of fieldwork, the Audit team will meet with the management team to discuss the observations and recommendations.


III.    Report

Audit reports are issued within 30 days of completion of the field work to ensure Senior Management is aware of and can respond to the risks and exposures identified by the audit.  In order to ensure that actions are addressed in an efficient manner, reports will include specific action plans to resolve the concerns noted, the responsible person of the action plan, and an expected completion date. 

The audit service’s principal product is the final audit report in which the Department will:

  • Express opinions;
  • Present audit findings (observations); and
  • Recommend actions to be taken for improvements. 

Prior to final issuance, the Department will discuss the observations and recommendations with the Auditee.  The Department and the Auditee must agree upon the recommendations and the time frame during which they must be implemented.  This conversation facilitates communication and ensures that the final report is practical.

The audit reports consist of 3 parts:

A. Executive Summary: A short section at the beginning of the document in which findings and recommendations are summarized for quick reference.  The executive summary usually contains a brief statement of the project objective, scope, and concise analysis of the issues, recommendations, and overall conclusions in the audited area.

B. Rating: Ratings are used to assess the key attributes of the auditable entity and effectiveness of the controls that mitigate the major risks. A three-tier system is used as follows:

  • Satisfactory – Any weaknesses are minor and can be handled in a routine manner.  Procedures and practices are in place to ensure the accuracy and integrity of the financial records.   
  • Needs Improvement – Moderate weaknesses are present but are well within management’s capabilities and willingness to correct.  Overall procedures and practices are satisfactory.
  • Unsatisfactory – Severe weaknesses exist.  The weaknesses and problems are not being satisfactorily addressed or resolved by management.

C. Improvement Action Plan:A sequence of steps that must be taken, or activities that must be performed, in order for a process to be effective.  The Improvement Action Plan has three major elements:

  • Specific tasks: what will be done;
  • Time horizon: when it will be done; and
  • Resource allocation: who will perform the task