The typical audit is intended to determine whether or not the area under review is following prudent business and administrative practices consistent with the mission of the organization, official policies and bylaws of the University, and the laws or requirements of external authorities, as may be applicable. When we are able to verify that these issues are taken seriously by both management and support personnel, and that these practices are actively carried out in their daily work routines, we will invariably conclude that a strong internal control environment (also known as a system of checks and balances) is in place. The existence of an effective internal control environment in all of the University's administrative and support functions is an integral part of maintaining a sound financial position and providing quality services in support of academic excellence. The existence of these features, along with providing quality academic programs, will contribute towards achieving the University's vision of "Scholarship in Action."
The director or department head of the area to be audited will be contacted by the Chief Internal Auditor to inform him/her of our intentions to perform an audit of the area's operations and to arrange an entrance meeting. A formal Engagement Letter will then be delivered to the client, along with a Pre-Entrance Meeting Questionnaire, an Audit Policy statement, and a Customer Satisfaction Survey. The questionnaire, which will provide the auditors with basic background information about the operations to be audited, should be completed by the client prior to the entrance meeting. The survey, which offers the client the opportunity to evaluate our audit process, should be completed by the client subsequent to audit completion.
An entrance meeting will serve to allow the Audit Department to describe to the client the goals and objectives for performing the audit. Any questions or concerns the client may have regarding the audit should be brought forth at this meeting. The entrance meeting should also be utilized to determine the appropriate contact personnel, set-up any necessary appointments, and determine the desired and most efficient methods of communication during the course of the audit.
One of the primary objectives of the auditor is to gain an understanding of the client's operations. The auditor will ask to examine any existing written policies and/or procedures which your area may have produced. Additionally, the auditor will ask to interview key personnel in order to develop (or update) our understanding of the operations being audited. Upon completion of this stage of the audit, the auditor will prepare a control document ( flowchart, narrative, or questionnaire). This document will be utilized to help assess the operation's control strengths and weaknesses and to determine the nature and extent of audit testing to be performed.
Audit tests serve to determine whether or not the stated controls are working effectively. The client may be asked to provide documentation or other appropriate evidence pertinent to their operation that will assist in audit testing. The auditor may require assistance in obtaining documentation and in answering questions that may arise during the course of the audit. Based on the review of the control environment and audit test work conducted, the auditor will attempt to identify any actual or potential control weaknesses and/or findings. These areas of audit concern will be informally communicated to the client during the course of the audit and summarized into a draft report once the audit review has been completed.
The draft report will be forwarded to the client for review and arrangements will be made to have an exit meeting to discuss the draft report. The client should carefully review the draft report for accuracy of content prior to the exit meeting. This meeting will allow for discussion of the audit concerns detailed in the report and the audit process in general. Additionally, this provides a forum for both the auditor and client to reach agreement or discuss alternatives to any audit recommendations in the report. The meeting also provides the auditor an opportunity to make any necessary edits prior to issuing the formal audit report.
The formal audit report or memorandum will be issued to the client subsequent to the exit meeting. The client will have 2 weeks (or other mutually agreeable time frame) in which to prepare a formal response to the audit report. The response should be forwarded to the auditor and will serve as the client's corrective action plan. The audit report and client response will be packaged with a cover letter from the Director of Internal Audit addressed to the client's immediate supervisor, with additional copies to other appropriate University personnel. Should any audit issues not be satisfactorily resolved via the client's corrective action plan, the auditor will follow these issues through with the client until a satisfactory resolution has been established.
- We're on the same team!! Cooperation on the part of the client and auditor are essential to a successful audit. In conducting routine audits, our purpose is to identify potential opportunities for improvement which are in the best interests of both the University and the area being audited.
- Acceptance of responsibility for creating and maintaining a good system of internal control over the activities (financial and non-financial) occurring within your organization. Establishment of a good system of internal control (and accountability for the lack thereof) is the responsibility of department and executive management, not the auditors. We will assist in identifying potential exposure areas and provide suggestions and recommendations as to how you might rectify these situations if and when they exist.
- A current organization chart of your area of responsibility. This and other information will assist the auditor in gaining an understanding of your administrative structure, nature of your operations and familiarity with your employees.
Policy/Procedure manual (if available) We encourage all departments to maintain a current policy/procedure manual. In addition to assisting the auditor in understanding your operation more thoroughly, a well-documented policy/procedure manual will guide new as well as veteran employees regarding the established and approved methods of doing business.
- Temporary work space for the auditor(s) within reasonable proximity to the office staff and records. Since many of the original documents and records we will need to examine are located at the local department level, the auditor(s) will need a temporary work area with adequate space and lighting. The amount of time needed for the auditors to be physically present at your location will vary from audit to audit. We will attempt to perform as much of the audit as possible from our office so as to minimize any disruption of your operations.
- Access to all employees and pertinent records. The Audit Department is authorized to have access to any and all University employees and records which may reasonably be necessary in the course of conducting our audits. The auditor's analysis of your operation may require that several of your employees at various levels be asked to explain in detail how they perform their jobs. In addition to examining hard copy records, it may be necessary for the auditor to make photocopies, and/or obtain samples, of key documents for our files. Regarding computerized records, our access authority is "Read Only." The confidentiality of records reviewed during the course of the audit (i.e.: payroll data, student transcripts, etc.) will be maintained by the auditor(s).
- An honest and candid appraisal of the audit process at the conclusion of the audit. As stated earlier, the department head of the area being audited will be provided with a Customer Satisfaction Survey. Each member of the audit staff has been professionally trained in the practice of internal auditing. They are expected to abide by the professional standards and ethics established by the Institute of Internal Auditors as well as our own departmental standards. Your objective answers and constructive comments on the survey form will assist us in evaluating and improving the effectiveness of our program.
We do occasionally have the unfortunate task of conducting investigations of alleged fraudulent activity. However, largely due to the honesty of individual, hard-working employees, combined with sound internal control processes, the occasions for such investigations have been relatively few. In these cases, all of the resources of the Department of Internal Audit, executive management, selected CSU offices as deemed appropriate, legal counsel and the criminal justice system are used, as necessary, to bring the matter to its appropriate conclusion. While those who may be the subject of a fraud investigation can expect that no stone will be left unturned in our pursuit of evidence, the majority of our "clients" can expect a friendly, cooperative and courteous appraisal of their operations. If you become aware, or suspect, that potentially fraudulent activity is taking place anywhere, involving CSU faculty, staff, or students, we urge you to contact us immediately. Please read CSU's policy on fraudulent activities for more information.