Skip to main content

The internal audit process

Here's what will happen before, during and after an internal audit.

What to do if you're involved in an audit

As a manager who has been contacted about an upcoming audit, it is normal that you should have some questions. We will be happy to answer these early in the process and we recommend that you read about the audit process in preparation.

Before an audit

Identifying areas to review

Internal Audit produces an annual audit plan which outlines the likely areas of our activity for the coming year. This is largely based on our assessment of the risks facing the University. This plan is approved by the University’s Audit and Risk Assurance Committee.

We try to achieve a balance of work between specific risks, functions and processes and across different areas of the University.

We work flexibly, allowing us to respond to emerging risks identified by Internal Audit or managers during the year. Areas of high risk and impact are likely to be audited more frequently than other areas.

Our plans also include a provision to build in ad-hoc reviews and investigations to allow us to respond to emergent risks.

Arranging an audit

We normally contact you a few weeks prior to the scheduled start date of the audit. We will arrange an initial meeting to establish some background knowledge about the area being reviewed and discuss the scope and timing of the planned audit work.

This is an opportunity for you to provide input to the scope of the audit, particularly if there are any issues or areas of special concern you have identified.

There is normally no need to prepare documentation specifically for the audit at this point. We will confirm the audit arrangements with you in the form of an Audit Terms of Reference.

During an audit

Each audit is different, but most involve the following steps:

  • an initial meeting with managers in the area to be reviewed to discuss the scope and timing of the audit
  • discussions with staff and review of documentation to gain an understanding of systems and processes
  • tests to check how systems are working in practice
  • identification and consideration of areas for improvement
  • preparation of draft report and discussion with managers
  • issue of final report including issues identified and management actions
  • follow up monitoring of management actions response to identified issues


The information gathered from the initial meetings, discussions and tests will influence our assessment of the systems under review and the effectiveness of controls in place. Fieldwork will normally be scheduled to fit in as conveniently as possible for you and your team.

We will be open with you about issues identified through our work as the audit progresses. This is important as managers are well placed to help determine the best ways of resolving issues. The most effective reviews occur when staff are willing to share their knowledge and experience.

During the audit we will discuss findings and possible remedial actions as they emerge and will work with you to identify appropriate practical and cost-effective solutions.

We will evaluate the findings from our audit work and assess whether actions adopted by management fully address the identified risks.

Minimising disruption during an audit

We consider departmental work patterns when scheduling audits and try to avoid times of peak workloads and minimise disruption and work with line managers to work around the other demands placed on departments wherever possible.

We do have the right of access to all of the University's records, information and assets which we consider necessary to fulfil our responsibilities.

After an audit

Our aim is to communicate our findings to you in a clear, concise and constructive report.


A draft report and summary of the main issues identified will be prepared and circulated to you as soon as possible after the completion of the audit. We will then meet with you again to discuss the findings.

This meeting provides an opportunity to explain the issues arising from the review and to consider any outstanding queries. The meeting also helps to ensure that any possible misunderstandings are resolved.

We aim to agree the validity of all reported issues as far as possible with relevant managers at this stage and to discuss any required management actions.

If any changes to the draft report are agreed during the meeting these will be incorporated into the final report. You will also be asked to provide a written response to any identified issues. These responses will be formally recorded in the Management Action Summary.

The final report will be circulated to appropriate managers and will be considered by the University’s Audit and Risk Assurance Committee.


Management are responsible for implementing the actions which have been agreed within the identified timescale.

We will monitor implementation by requesting periodic updates from managers. Progress is reported to the University’s Audit and Risk Assurance Committee.

If managers choose not to act in response to findings it is important that they recognise and accept the associated risks of not taking action.

If problems are encountered in the implementation phase please let us know as soon as possible – we will do our best to assist.

We do not routinely carry out follow-up audits although occasionally this may be required – either to assess progress made or to direct additional attention towards areas which could not be fully addressed within the original audit.