Audit Process
The following information is intended to familiarize you with the audit
process. Please share this document with your staff. Any comments on how
we can improve our processes and any suggestions for improvement are welcome.
Audit Objective
The Audit Division’s objective is to ensure the financial, operational
and informational systems (IS) controls within each Department, Laboratory
or Center (DLC) are adequate. This includes an overall assessment of the
general control environment by performing financial, compliance, operations,
IS and Construction audits throughout the Institute. Our general audit
objectives are to evaluate:
- compliance with the Institute’s policies and procedures;
- safeguarding and proper accounting of all assets, including the MIT
brand;
- adequacy of general computer controls;
- areas of exposure to the Institute; and
- general business concerns.
CONFIDENTIALITY
Auditors will maintain the confidentiality of information obtained during
the course of the audit work by ensuring that access to the information
is properly controlled and disseminated to authorized individuals only.
MIT MANAGEMENT RESPONSIBILITIES
MIT Management is responsible for devising, implementing and ensuring
adequacy, effectiveness and efficiency of controls. The Audit Division functions
most effectively when it is able to objectively review, analyze and interpret
management’s information, conditions, procedures, organization and
control. Management should ensure that their personnel are open with the
auditors when discussing issues.
GENERAL PHASES OF AN AUDIT
PLANNING:
The planning and information gathering phase is designed to enable the
auditors to perform an audit risk assessment and develop a specific audit
program and scope for the review.
ENGAGEMENT LETTER:
The audit engagement letter is issued to the management of the area to
be audited. The objective of this letter is to explain the purpose of
the audit, to detail the planned review process, and to set the expectations
for both parties (the auditors and the auditee).
ENTRANCE CONFERENCE:
At the beginning of the audit, we will conduct an entrance conference
with the management of the audited area to identify and discuss the scope
and objective of our review, and ask the management to provide us with
contact names, relevant policies and procedures, and other information
that will assist us in the fieldwork.
AUDIT FIELDWORK:
During the audit fieldwork we will perform:
- Control reviews through discussions with the personnel and examining
their responsibilities for various operating functions to evaluate the
existence and adequacy of internal controls.
- Detailed testing via review of transactions to evaluate compliance with
existing departmental and Institute policies.
AUDIT FINDINGS AND ISSUES/DEVELOPING ACTION PLANS:
An audit finding is defined as an area of potential control weakness,
policy violation, financial misstatement, or other issue identified during
the audit. Documentation of all audit findings with supporting documentation
will be maintained to reflect the discussion of these findings with the
management during the course of the audit.
Throughout the audit, the Audit Division personnel will discuss the
findings with the auditee management in order to communicate those findings/issues
and obtain agreement on facts and resolution. If further review and discussion
determines that the finding is valid, it will be documented in the audit
report. The report will reflect most of the issues developed during the
audit; however, some of the findings may be documented in a memo or may
be only a topic of a verbal discussion between the auditors and the management.
AUDIT MANAGEMENT REVIEW OF AUDIT WORK:
All audit work documentation is reviewed by the Audit Team Coordinator,
the Audit Manager and the Institute Auditor prior to the issuance of the
Draft and the Final report. This review is performed to ensure that all
issues are documented completely and that all information contained in
the report is accurate.
EXIT CONFERENCE:
At the conclusion of the fieldwork, a formal meeting is held with the
senior management to discuss the audit issues, audit recommendations and
action plans that will be contained in the audit report. If possible,
the auditee may be furnished a summarized list of the issues at the meeting.
Any additional comments or questions will be addressed at that time.
SUPPLEMENTARY REPORT:
During the course of the audit, issues may arise that may not directly
affect the auditee, nor is it the auditee’s responsibility to resolve
them. These issues may represent broader general business concerns of
interest to the whole Institute. Findings of this nature will be documented
in a supplementary report addressed to relevant management.
DRAFT REPORT:
A Draft Report contains issues identified during the audit along with
respective details and audit recommendations for action plans discussed
with the management. Those issues to be included in the draft copy of
the report should be available for distribution and discussion during
the exit conference.
MANAGEMENT RESPONSES:
The auditee management will be given an opportunity to make comments and
respond to the Draft Report. Usually we expect to receive responses within
2-4 weeks. The auditee management responses to the issues raised in the
audit report should contain action items, completion dates and other measures
that will determine the success of the implementation of the recommendations.
It is the responsibility of the auditee management to ensure the audit issues
are resolved in a timely manner or that compensatory measures are taken.
FINAL REPORT:
After auditee management has been given an opportunity to make comments
and respond to the Draft Report, the Final Report is issued. Audit reports
express an audit opinion and usually include the audit issues and audit
recommendations. When relevant, background information may also be included
in the report.
REPORT OPINIONS:
The auditor will include an overall opinion based on the severity of the
audit issues in the report. The severity of the issues and the whole report
will be discussed with the auditee management prior to issuing the final
report and communicating this information to others. Although the exact
wording of the opinion may differ, depending on the scope and nature of
the review, the format of the opinion will be consistent and presented
as: “effective”, “effective with opportunity for improvement”,
“effective-partially”, or “ineffective”. Areas
for which adverse (ineffective) opinions are issued will be prioritized
by subsequent audit planning efforts and re-audited as appropriate.
DISTRIBUTION:
The final report is distributed to the auditee management and the Executive
Vice President. In addition, copies of the report may be distributed to
other personnel as appropriate. All reports are made available to members
of the Auditing Committee.
CUSTOMER SATISFACTION SURVEY:
Following the issuance of the final audit report, auditee management may
be asked to complete a Customer Satisfaction Survey to help the Audit
Division evaluate the effectiveness of the audit process, including the effectiveness
of the review areas in planning the audit, Audit Division performance,
professionalism and knowledge of the audit team.
AUDIT FOLLOW-UP:
Follow-up work will be scheduled for all audit findings rated as high
risk and other matters deemed necessary to be conducted within a reasonable
time frame. Generally, such follow-up will be performed subsequent to
the related response’s expected date of completion committed to by
the auditee. confirmation of modified procedures, phone call updates,
and/or other specified steps. Negative results from our follow-up work
may lead to the elevation of audit findings to the Auditing Committee.