The Audit Process


The audit process consists of four phases, beginning with the preliminary survey and risk assessment.  The results of these two phases form the foundation for the fieldwork phase.  Report writing summarizes and makes public the results of fieldwork.


Preliminary Survey

The purpose of the preliminary survey is to gain an understanding of the program or activity being audited.  The auditor reviews written procedures, memoranda, organizational charts, and budgets.  The auditor interviews program staff, collects, summarizes, and evaluates information that will be used to identify potential audit issues and develops an audit program.  A good preliminary survey is essential to a successful audit.


Risk Assessment:

The purpose of risk assessment is to focus audit work on important program elements that may be at risk.  This helps limit the amount of testing the auditor needs to do, and produces a more cost-effective, timely, and relevant audit.  The objectives of risk assessment are to:



During fieldwork, the auditor identifies performance criteria, gathers evidence, and measures and evaluates performance.  The auditor uses a variety of investigative techniques including observing, interviewing, sampling, analyzing, and verifying.  Audit findings include five elements:


Report Writing:

During the audit, the auditor discusses issues with line management and staff as they arise.  Once fieldwork is complete, the auditor prepares the first draft of the written audit report and holds an exit conference with management to review the findings.  City College staff provides feedback and comments on the draft.  Meanwhile, the auditor verifies that each statement of fact in the report is supported in the audit working papers. These processes help ensure that the report is balanced and accurate.  The wrap up phase of the audit process also includes a final quality assurance review of the audit assignment.  The final audit report summarizes key issues, the findings and recommendations, and includes management’s verbatim response.  Audit reports are public documents.  They are issued to the Board’s Audit Committee, the Chancellor, staff, and published on the Internal Audit’s website.



Each year the District is subject to various types of audits such as:

1)     Annual Financial Statement Audits:  the review of the financial statements of a legal entity (including governments), resulting in the publication of an independent opinion on whether or not those financial statements are relevant, accurate, complete, and fairly presented.

Financial audits are typically performed by firms of independent accountants due to the specialist financial reporting knowledge they require.  The financial audit is one of many assurance or attestation functions provided by accounting and auditing firms, whereby the firm provides an independent opinion on published information.

Many organizations separately employ or hire internal auditors, who do not attest to financial reports but focus mainly on the internal controls of the organization.

2)     Performance Audits:  an examination of a program, function, operation or the management systems and procedures of a governmental or non-profit entity to assess whether the entity is achieving economy, efficiency and effectiveness in the employment of available resources.  The examination is objective and systematic, generally using structured and professionally adopted methodologies.

Performance audits may also be conducted by Internal Auditors who are employees of the entity being audited.  However, government may require agencies, departments and branches to periodically retain outside auditors to conduct them.

3)     Grant Audits:  Similar to a financial audit, they are an examination of the grants awarded by Federal and State agencies to the District.  These audits are performed by either the U.S. Inspector Generals or State and local government auditors.


4)     Compliance Audits:  the process of systematic examination of a quality system carried out by an internal or external quality auditor or an audit team.  Compliance audits are typically performed at predefined time intervals and ensure that the institution has clearly-defined internal quality monitoring procedures linked to effective action.  This can help determine if the organization complies with the defined quality system processes and can involve procedural or results-based assessment criteria.


5)     Agreed-Upon-Procedures:  Agreed-upon-procedures is when the accountant is hired to issue a report of findings based on specified financial statement items.  The users of the report agree upon the procedures to be conducted by the accountant that the user believes are suitable.  The user takes responsibility for the adequacy of the procedures.  In this engagement, the accountant does not express an opinion or negative assurance.  Instead, the report should be in the form of procedures and findings.  A representation letter is prepared that depends on the nature of the engagement and the specified users.


6)     Consulting Engagement:  Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client.  The nature and scope of the consulting engagement are subject to agreement with the engagement client.  Consulting services generally involve two parties: (1) the person or group offering the advice - the internal auditor, and (2) the person or group seeking and receiving the advice - the engagement client.  When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility.


7)     Assurance Engagements:  Assurance services involve the internal auditor's objective assessment of evidence to provide an independent opinion or conclusions regarding an entity, operation, function, process, system, or other subject matter. The nature and scope of the assurance engagement are determined by the internal auditor. There are generally three parties involved in assurance services: (1) the person or group directly involved with the entity, operation, function, process, system, or other subject matter - the process owner, (2) the person or group making the assessment - the internal auditor, and (3) the person or group using the assessment - the user.