The audit process starts with the preparation of the annual audit plan each fiscal year. The plan is developed by performing a risk assessment across the whole OHSU enterprise. This is done to help ensure the resources of the Audit & Advisory Services department are being used efficiently and effectively. The first part of the risk assessment process includes identifying all the OHSU auditable entities (OHSU Audit Universe). The current audit universe model consists of categorizing all the auditable entities by OHSU Vice President. Discussions are then held with senior management, Deans, Department Heads, and Internal Audit Committee member to obtain their input on what they perceive to be high risk areas or areas that should be reviewed.
A formal Risk Assessment Methodology is also performed by scoring each auditable entity. Once the audit plan is developed, it's submitted to the Internal Audit Committee members for approval. Quarterly, the status of the annual plan is reviewed with the Internal Audit Committee to determine if other high risk areas have evolved and need attention since the development of the plan.
If an area under you is selected for an audit, the following are the typical phases that will be performed:
- Entrance Conference: The head of the department or unit being reviewed is notified in writing that an audit will be performed. The appropriate Vice President for the unit or area under review will also be included as a "cc" to the notification memo. In addition, an entrance conference is held with the auditee to discuss the purpose and objectives of the review, timing, and necessary staff cooperation.
- Preliminary Survey: Background information is obtained on the unit or area being audited. This can include financial information such as source of funding and types of expenses, objectives and goals, policies and procedures, listing of employees, position descriptions, key business processes, organization charts, and any prior audit reports. This part of the process also includes performing a risk assessment to identify the key business risks and the internal controls established to help reduce those risks. An audit program is also developed to test the high risk areas.
- Audit Fieldwork: The steps per the audit program will be performed. The audit program will include the objectives and scope of the audit; degree of testing required to achieve the audit objectives; and procedures for analyzing, interpreting, and documenting information obtained during the audit.
- Report: At the conclusion of audit fieldwork, a draft report will be prepared and reviewed with the auditee. After obtaining the auditee's comments, the report will be submitted to the head of the unit being reviewed. A request will be made to have the unit head respond in writing to any recommendations included in the report. The audit report and responses will be issued to the appropriate Vice President for the unit or area being reviewed and to the members of the Internal Audit Committee.
- Follow-up: A follow-up review will be performed approximately six months after the date of the audit response to determine if the audit recommendations have been implemented. Follow-up work will continue until all recommendations have been appropriately addressed.