The Audit Process

One of the objectives of Audit & Advisory Services (A&AS) is to maintain a constructive and transparent relationship with our clients during their audits. A&AS strives to have your continued involvement at every stage so you understand what we do and why as well as how we work to minimize disruptions of your daily activities.

The comprehensive Audit & Advisory Service auditing process includes four main phases:

  • Preliminary planning with the client, to determine the audit’s scope 
  • Fieldwork to collect, analyze and assess information (including data) on risk levels and controls within the organization
  • Reporting (1) to communicate our findings and recommendations for corrective actions (if any) and (2) to finalize actions management will take to reduce identified risks and improve controls
  • Postaudit follow-up to determine the outcomes of actions taken and obtain client feedback on the audit experience

Preliminary planning 

  1. Client Notification Letter and Audit Scope: The Chief Audit Officer will email (1) a formal notification informing the client of an upcoming audit and (2) a scope document describing at a high level the preliminary audit purpose and objectives and the functional areas that will be included in the audit.
  2. Entrance Conference: The audit team will go over the audit process with your management and key staff members, discuss the objective and scope of the audit, and set up regular status meetings to keep the client informed of progress. A “Request for Information” may be made prior to or during the meeting asking for organization charts, policies and procedures, desktop procedures and other items pertaining to the audit, to help identify inherent risks. Management should communicate any concerns or issues and identify other risk areas, if any, that should be included in the scope of the audit.
  3. Planning & Information Gathering: Typically, this stage comprises interviews or engagements with management and staff to gain a better understanding of your department policies, internal processes and system of internal controls.


Fieldwork

  1. Fieldwork: During this phase, the auditor assesses the identified risks within your area and business processes and tests the effectiveness of implemented controls to learn if they are operating correctly and efficiently. Examples of fieldwork include, but are not limited to: staff interviews, walk-throughs of processes and systems, data collection, sample testing and observations of personnel performing certain transactions. The results of the fieldwork and any observations identified will be reviewed at status meetings.
  2. Preliminary Exit – Wrap-up and Validation: At this stage, for validation and feedback, we present significant findings and preliminary observations made during fieldwork, along with A&AS recommendations. We also discuss with you best practices or opportunities to improve controls that aren't included in the audit scope. In addition, we preliminarily discuss timelines and any recommendations or management corrective-action plans intended for inclusion in the audit report.


Reporting

  1. Draft Audit Report: We write and send to you a draft report on your audit that includes (1) reporting observations from the preliminary exit stage, (2) A&AS recommendations and (3) information on management corrective actions that you provided. This report is discussed during the Exit Conference.
  2. Exit Conference: The Exit Conference marks the conclusion of the audit and signals the presentation of the Final Audit Report to you. The objectives of this meeting are (1) to provide an overview of key findings and (2) to establish final management corrective actions and timeframes and the people responsible for implementing them.
  3. Final Audit Report: This final report serves as the official report to you, the client; to the UCSF Ethics, Compliance & Audit Board; and to the UC Regents. It incorporates management's responses to our observations and recommendations as well as a timeframe for implementing management's corrective actions.

Postaudit follow-up

  1. Management Corrective Actions (MCA) Follow-ups: After the final report is issued, agreed-upon Management Corrective Actions (MCAs) are entered into A&AS’s MCA tracking database. We send open MCA reports to those designated as responsible parties in the final audit report, requesting status information. Quarterly reports are sent to the control points over the process area. Once you communicate to A&AS that the actions have been implemented, we validate the actions taken, which allows closure of the MCA. Some actions can be closed by providing documentation, some will require a meeting with A&AS, and others may require testing of the new, postaudit process.
  2. Client Service Survey: When the audit is complete, we send a client survey seeking honest feedback on how the audit was conducted. We use this information to develop our staff and improve our services.