Internal Audit Process

Audit topics are identified through an annual risk assessment conducted by the Office of Internal Audit (OIA).  The primary goal of the assessment is to identify and evaluate areas of highest risk to SBCC so that internal audit resources can be prioritized effectively.  The results are used to develop the annual audit plan and align audit activities with key organizational risks, strategic objectives, and areas of regulatory or operational significance.

The annual risk assessment looks at potential risks across academic, administrative, and operational areas that could impact the institution’s ability to meet its mission and goals. It includes input from leadership and other key stakeholders, and it also takes into account any organizational changes, new or changing compliance requirements, and emerging risks. Once risks are identified, they’re evaluated based on how likely they are to happen and how significant their impact would be. From there, they’re prioritized and used to guide the development of the annual internal audit plan and determine which audit activities should come first.

If your department, area, or process is selected for an audit, OIA will notify you in writing of the upcoming engagement. During the planning phase, OIA will coordinate with management and key staff regarding timing, resource needs, and initial records requests. OIA will also seek your input on areas that would add value to the review and should be considered for the audit scope. This provides an opportunity to strengthen operations through an independent review of key processes and risk areas and to obtain assurance that your department is functioning effectively.

After the audit notification has been sent, OIA will schedule an Entrance Conference to formally initiate the audit.  This meeting provides an opportunity to further discuss the audit scope, objectives and timeline with management and staff in the area being audited.

OIA will begin fieldwork following the Entrance Conference.    This phase may include interviews with staff and management, review of policies, procedures, and documentation, and detailed testing by OIA.  

The primary goal of an audit is to provide independent, objective oversight to help improve SBCC’s operations.  The audit focus is to determine whether controls are in place and working effectively.  OIA may consider the COSO Internal Control Integrated Framework, applicable laws and regulations, internal policies and procedures, and relevant industry best practices when assessing internal controls.

OIA provides periodic updates throughout the audit to keep you informed of progress. If areas for improvement are identified, these will be discussed with you to ensure the issues are clearly understood and that recommendations are practical and address the underlying root cause.

Once OIA has prepared a draft audit report, it will be provided to you for a factual accuracy review.  This is an opportunity to review the conclusions developed during fieldwork and provide any additional information you believe is relevant.  OIA will consider any information submitted and revise the final report as appropriate.

After fieldwork has been completed and the draft audit report prepared, OIA will schedule an Exit Conference with management and key personnel in the audited area. The primary purpose of this meeting is to ensure all parties understand OIA’s recommendations, corrective actions planned by management, and final steps required to close the audit. Any observations or notable practices identified during the audit will also be discussed during the meeting.

A copy of the draft report is provided in advance, and all attendees are expected to review it prior to the meeting and come prepared to discuss preliminary responses to the issues included in the report.  Management is expected to provide final responses within 10 working days following the Exit Conference.

OIA requires a formal management response to each recommendation made in the audit report. The management response must contain the following elements:

• A statement of whether management agrees or disagrees with the recommendation,
• A summary of the corrective action(s) management will take or has taken to address the recommendation or a statement that management accepts the risk associated with the issue identified and will not be taking corrective actions,
• An estimated date that corrective action(s) will be fully implemented, and
• A responsible person who OIA should work with to verify the corrective action implementation.  

Given the nature of certain audit topics and recommendations made by OIA, OIA may require other institution officials, including members of SBCC’s Executive Committee, to review the management response.

The final audit report is distributed to the Superintendent/President of SBCC and appropriate institution management after the final management responses have been received and incorporated into the audit report.  The results of the audit project are distributed to members of SBCC’s Executive Committee and Finance and Audit Subcommittee and presented to the Board in summary format twice annually.

After the audit is completed, you will receive a short survey for feedback on how OIA can improve the audit process during future engagements.  OIA values customer feedback on how audit projects have been performed.

OIA conducts follow-up audits for all audit recommendations in accordance with auditing standards.  Follow-ups typically occur within six months to two years after the initial audit, depending on the nature of the recommendations. The purpose of the follow-up is to confirm that corrective actions have been implemented or that alternate actions have been taken to adequately mitigate identified risks.  During this process, OIA may interview staff, perform additional testing, and/or review updated procedures to verify implementation.

OIA will communicate the results of the follow-up audit to applicable management and the President of SBCC. If the follow-up audit notes that further corrective action is needed, then a subsequent follow-up audit will occur to ensure risks are mitigated.  Results of follow-up audits are communicated to members of SBCC’s Executive Committee and Finance and Audit Subcommittee.