Skip to main content

The Audit Process

The Audit Process


The Auditor allocates audit teams to specific audit topics based on the Audit Plan and staff resource availability. To gain a comprehensive understanding of the subject, its scale, and potential areas of concern, audit teams conduct preliminary research.

We will conduct an entrance conference with agencies and departments to review the scope and objectives with management and establish primary points of contact for the audit.

What is meant by 'risk' in this context?

Our objective is to enhance government efficiency and cost-effectiveness. Your tax contributions support the services and programs offered by Salt Lake County. We determine and prioritize potential audits and assessments using a risk-based approach. This involves evaluating several factors that could expose the county to fraud, misappropriation of funds, liability, or damage to its reputation. Accordingly, we evaluate risk factors by examining:

  • Notable changes within the County.
  • Time elapsed since the last audit in a particular area.
  • The size of the agency, program, activity, or contract.
  • Budget size.
  • Compliance with regulations.
  • Pending or recent legislation.
  • Complexity of transactions.
  • Fiscal sustainability.
  • Critical information technology systems, encompassing hardware and software.
  • Management accountability.
  • Quality of internal control systems.
  • Age of programs, operations, or contracts.
  • Considerations related to public health and safety.
  • Critical infrastructure.
  • Short- and long-term strategic risks.
  • Equity considerations.
  • Ongoing litigation.
  • Pertinent case law.
  • Emerging risk areas.

Once we have thoroughly examined the subject and assessed the community's concerns, we determine the audit's scope.

What do we mean by 'scope'?

Government auditing standards necessitate that we define the scope of our work. This practice enables us to allocate our resources to areas with higher risk rather than conducting broader assessments of entire agencies. Our audits focus on specific programs or functions within an agency to determine their effectiveness. A wider scope often extends the audit's duration.

Following the completion of these planning phases, we formally dispatch an engagement letter to the agency, informing them of our intent to audit.

We then extend an invitation for an "entrance conference" to apprise the agency of the audit's commencement, its expected duration, the specific areas of focus, the key staff members we will collaborate with, and the type of information we will request from them.


This is the core of the audit process, where we collaborate with the agency and delve into their documentation, policies, procedures, and plans related to the subject.

We conduct walkthroughs or interviews with agency staff members at all levels, especially those actively engaged in the area under examination. These interviews aim to gauge their understanding of their roles and responsibilities, and whether they have received clear guidance to perform their duties effectively.

We assess the program or process's operational efficiency and explore best practices, reports, insights from other government agencies, and recommendations from professional organizations nationwide to identify potential improvements and more efficient methods that could benefit the County. Simultaneously, we gather and scrutinize pertinent data directly from the agency's systems. We also conduct assessments of their processes and controls. During this phase, we observe ongoing activities, make detailed observations, gather supporting evidence, and begin shaping our conclusions. We also conduct quality assurance reviews to ensure the accuracy and comprehensiveness of all the data we've collected.

What is meant by 'testing'?

"Testing" involves scrutinizing data to identify trends and errors. When conducting testing, we may encounter limitations in data availability or resources, making it unfeasible to examine every record within a dataset or group. In such cases, we often opt to sample a subset of the data for examination. When we employ statistical sampling techniques, the results can often be extrapolated to the entire dataset. However, when we engage in continuous auditing, we possess tools that allow for comprehensive assessment of the entire dataset and the ongoing monitoring of trends.

What do we mean by 'controls'?

"Controls" refer to the mechanisms and procedures put in place by an agency to prevent problems and mitigate risks. These safeguards encompass policies, processes, techniques, and tools designed to facilitate the achievement of an organization's objectives while addressing identified risks.

Draft Report

Once we have amassed sufficient information, we proceed to draft our public report and finalize our recommendations. Occasionally, we collaborate with the agency to acquire additional information or to gently remind them to provide us with data that we had previously requested but not yet received.

Agreement to the Facts Meeting

Subsequently, we arrange for an "agreement to the facts meeting" with the agency to present our findings and the recommendations we intend to put forward. This meeting provides the agency with an opportunity to address any concerns they may have or to request amendments to the facts presented in our report's draft, especially if they possess new or different information to contribute.

The insights shared during the agreement to the facts meeting typically do not come as a surprise to the audited agency, as we maintain ongoing communication throughout the audit process, openly discussing our findings during the fieldwork phase.

The agency is invited to furnish their response to our recommendations within 14 days of receiving the draft report. To hlp facilitate this, we furnish them with a specific form for this purpose, and we incorporate their response into the final public report.

The agency's response should explicitly indicate whether they agree or disagree with each individual recommendation, alongside specifying their anticipated implementation timeline. They are also expected to furnish a succinct overview of their strategy for executing the recommendations. The only available response options are "agree" or "disagree." If management disagrees with a recommendation, the Auditor will include an addendum addressing that recommendation.

If an agency chooses to not respond, that will be noted in the audit and the audit will be published.

Publish the Audit

In this phase, the audit report is officially accessible to the public. However, the accompanying documentation derived from our audit activities, termed as "work papers," remains confidential and is preserved in our archives.


We conduct a follow-up audit 6 months after we publish the audit to see if the recommendations have been implemented. An additional follow-up might be needed 6 months later.