Frequently Asked Questions
How are audits selected?
Institute audits are prioritized and selected through a risk assessment process. We identify and prioritize operational, financial and compliance risks to MIT, and the audit projects for the year are selected based on assessed risk factors employed, such as: financial, reputation, safety, etc.
What should I expect during an audit?
There are four phases to the audit process. The understanding of these phases will help you through the audit.
(1) Planning Phase: The audit division develops the objectives and scope of the audit.
(2) Fieldwork Phase: This is when interviews are conducted coupled with testing of policy and procedures, and internal controls and systems are tested for adequacy and effectiveness.
(3) Communication of Results: The results of the audit are presented in draft form for management comment/discussion on findings (observations) and recommendations. Then a final report is published to management.
(4) Follow-up Phase: This phase may be conducted as means to ensure that the significant observations have been addressed.
Why are good practices not mentioned in an audit report?
The objective of an audit report is to inform management of problem areas that were identified, verify with management that the problem exists and help management move toward improvement in the specified area of concern. To accomplish these steps, the audit observations (findings) that strengthen the control environment and require management assistance are specifically mentioned in the audit report. The report must be objective thus offering an unbiased review of the control environment. This is done in the cover letter of the Draft and Final Reports where an overall assessment of the controls is provided. As example of this would be effective, effective with opportunity for improvement, effective-partially, ineffective, etc. However, when warranted, we do mention an overall assessment of stronger controls in the Department, Laboratory or Center.