The Audit Process

This audit process map is a representation of the process and artifacts pertaining to the life cycle of a typical audit.

Preliminary Planning and Assessment

  1. Client Notification Letter and Audit Scope: The Audit and Advisory Services Director will send a formal notification informing the client of an upcoming audit as well as a scope document, describing at a high level the preliminary audit purpose and objectives and impacted functional areas that will be included in the audit.
  2. Entrance Conference: During this stage of the audit process, the audit team will present the objective and scope of the audit to management and staff members. To minimize disruptions to management and operations during the review, a “Request for Information” may be made prior to the meeting for policies and procedures, desktop procedures, and/or other artifacts pertaining to the audit. It is important that management also take this opportunity to communicate any concerns or issues and or identify other risk areas that should be included in the scope of the audit.
  3. Planning & Information Gathering: Typically, these are interviews or engagements with management and staff to gain a better understand of your department policies, internal processes and system of internal controls.



  1. Fieldwork: This can take many forms but the intent is to assess the risks within your area/business processes and test the effectiveness of implemented controls to ascertain if they are operating correctly and efficiently. Some examples of field work include staff interviews, walk-throughs of processes and systems, data collection, sample testing or observations of personnel performing certain transactions. During the course of the review, touch point meetigs will be held to go over the reuslts of the review and any observations identified.
  2. Preliminary Exit - Wrap-up and Validation: A draft observation report is created that includes all observations made during fieldwork, AAS recommendations, and proposed management corrective actions. The report may also include notable leading practices or opportunitites to improve other controls that may not be included in the audit scope. This is the opportunity to review and validate observations with management and staff noted during the audit. It is important to discuss timelines and any recommendations or management corrective action plans during this time to include in the audit report.



  1. Draft Audit Report: A draft report is written that includes reporting observations, AAS recommendations and management corrective actions provided by the clients. This report is circulated to the clients and is discussed during the Exit Conference.
  2. Exit Conference: The Exit Conference signals the conclusion of the audit and the presentation of the Final Audit Report to the clients. The objectives of this meeting are to provide an overview of key risk areas and management corrective actions and also to engage in a dialogue on the review process and other impacted areas or risks pertaining to the audit.
  3. Final Audit Report: This report will serve as the official report to the UCSF Ethics, Compliance & Audit Board, and the UC Regents, and shall incorporate management responses to observations and recommendations, and a timeframe for implementing management correction actions.


Post-Audit Follow-Up

  1. Management Corrective Actions (MCA) Follow-UpsMonthly open MCA reports are sent to responsible clients for status information. Once the client communicates to AAS that actions have been implemented, AAS will verify for closure.
  2. Client Service Survey: Once the review is complete, a client survey is sent seeking honest feedback on the performance of the review. The information is used to develop our staff and improve our services.