Understanding the Audit Report
Every engagement will result in a published audit report. The report:
- Is intended to provide internal management with concise and timely feedback on areas requiring improvement.
- Includes an executive summary (1-2 pages) and a detailed Appendix.
- Is prioritized to include more significant issues "up front".
The auditee will have an opportunity to review the document and provide feedback in advance of publication.
In the audit report, issues identified will be documented using the following standard headers:
Criteria - What should be happening?
Condition - What is happening?
Cause - Root cause of why the condition is in place.
Effect - Negative impact of the condition.
Recommendation - The auditor's recommended action to resolve the issue.
In the audit report, issues of varying severity will be identified. To ensure that issues can be appropriately reported, prioritized for resolution, and tracked through closure, all issues will be classified as follows:
Major Findings are those identified control weaknesses that generally have a broad impact on the University, or meet certain criteria. Those criteria may include: financial misstatement or loss greater than $50,000; systemic regulatory non-compliance or loss of confidential information; process weakness leading to fraud; or information technology issues likely to lead to failure.
Minor Findings are those issues that, while not meeting the criteria for a Major Finding, still represent a weakness in process controls.
Management Recommendations are findings identified through the course of an audit that are not necessarily control weaknesses, and may represent unrealized opportunities for the University.
Determination of a finding’s classification will be based on both quantitative and qualitative factors. Although guidelines are in place to assist with this process, final determination rests with the Director of Internal Audit & Advisory Services.