Internal Audit and Advisory Services

Audit Survival Guide

Audit Process PowerPoint Presentation

UCSC Audit Process Flow Chart	UCSC Risk Ranking Matrix

The mission of UCSC Internal Audit is to assist The Board of Regents and University management in the discharge of their oversight, management and operating responsibilities through independent audits, consultations, and investigations designed to evaluate and promote the system of internal controls, including effective and efficient operations. In this capacity UCSC Internal Audit may review: governance processes, internal controls, and the compliance with laws, regulations and University policies (including those related to ethical conduct).  In addition to conducting audits, Internal Audit performs liaison functions for external auditors working on campus except for the annual financial audit of the university that is conducted by the campus controller.

• Internal Audit Management Charter
• Outline of the University of California Audit Management Plan
• Directory of UC Internal Audit Offices
• University Auditor's office Org Chart
• University of California Audit program Org Chart
• Directions to the University Auditor's office
  

Typical Questions

1. Who are the auditors at UCSC? The Internal Audit and Advisory services staff are employees of the university who report to the Director of Internal Audit, the Internal Audit committee (see names below), and the University Auditor. In addition to conducting audits, Internal Audit performs liaison functions for all external auditors working on campus. Audit Committee Members (see also Internal Audit Committee) The UCSC Audit Committee is made up of UCSC staff. The Audit Committee meets approximately every 3 months to review audit activity. Audit Committees provide for the communication and coordination of internal audit and, at certain locations related matters (e.g. external audit matters and control initiative activities). The mission of the Department is to assist management and the Board of Regents in the discharge of their oversight, management, and operating responsibilities through independent audits and consultations designed to evaluate and promote the system of internal controls, including effective and efficient operations. 


Audit Committee Members
Senior Vice President  UC Office of the President Chief Compliance and Audit Officer		Sheryl Vacca
Assistant Chancellor, Chief of Staff		Ashish Sahni
Vice Chancellor, BAS		Tom Vani (Chair)
Vice Chancellor, Student Affairs		Felicia McGinty
Acting Vice Chancellor, Planning and Budget		Margaret (Peggy) Delaney
Vice Chancellor, Research		Bruce Margon
Vice Chancellor, University Relations		Donna Murphy
Vice Chancellor, Information Technology		Mary Doyle
Assistant Vice Chancellor, Financial Affairs		Kirk Lew
Executive Director, Policy and Information Management		Linda Beaston
Internal Audit Director, Internal Audit and Advisory Services		Barry Long


2. What types of audits are there? The Annual Audit Plan outlines Internal Audit services under three types of activities as follows:
• Audits: These services include the planned and supplemental program of regular audits of business units (including academic departments) and business processes that cut across all organizational units (e.g., purchasing, travel, etc.).
• Investigations: Pursuant to University policy, Internal Audit conducts investigations into suspected financial irregularities whether reported by whistleblowers, uncovered in the course of regular audits, or based upon concerns conveyed by management.
• Advisory Services: Advisory Services encompasses a broad array of activities beyond regular audits. These additional activities are proactive or preventive in nature and are focused in the following areas:
  1. Internal Control & Accountability - These services include our efforts to support the Controllers' accountability initiatives, including Control Self-Assessment as well as the independent Control Self-Assessment effort at the laboratories.
  2. Special Projects and Consultations - Special management studies, advisory participation on business process and systems reengineering teams and consultation on business issues (e.g., regulatory compliance matters) and assist department and program managers in dealing with issues before they become audit or investigation problems.
  3. Systems Development and Reengineering - assist in the continued efforts of campuses and laboratories to develop and implement new systems, redesign their business processes.
  4. Other - Internal Audit may serve in additional capacities such as External Audit Coordinator (acting as liaison for campus visits by regulators and investigators), Information Practices Act Coordinator or Conflict of Interest Coordinator.

More information can be found in the University of California Internal Audit Manual

3. How is internal audit accountable? Internal Audit is required to communicate with the Office of the President by preparing the following formal reports:

• Annual Plan - In May of each year, the annual plan outlines the planned Internal Audit service activities by line of business as well as the distribution of resources necessary to deliver those services and the risk coverage provided. The annual plan also conveys the current elements of the strategic plan for continuous improvement of the Program.
• Annual Report - A formal annual report is provided to The Regents’ Committee on Audit annually in November. Historically, The Regents Committee on Audit has requested and received information analyzing the Internal Audit Program (e.g. staffing levels by location) as well as a report of accomplishments measured against the annual plan, accomplishment of strategic plan initiatives and other material on a detailed level by location.
• Quarterly Report - A formal report is provided to The Regents' Committee on Audit (and Senior Management) quarterly which presents comparative analyses of actual results for the year-to-date period to both the annual audit plan and to the prior year.
4. How are internal audits scheduled? Audits are assigned based on risk assessment and topics which audit would customarily be expected to cover, the concept of core audit work has been incorporated into the planning process. Criteria for identification of core topics include the following:   
• Cyclical in nature
• Routine processes or risks that exist year after year
• Politically sensitive
• Majority of locations identified as common risk area

Identification of potential institutional risks are based on assessments and discussions with management, the Director of Internal Audit and Institutional Compliance recommendations, which is approved by the Office of The President. The Internal Audit Department also responds to special requests from University and department management, inquiries received from members of the Stanford community through the University's Code of Conduct for Business Activities (Administrative Guide Memo #1), and special requests for audits from external agencies.

5. What does a typical internal audit include?

A. Notification – The auditor-in-charge notifies ( via written memo or e-mail) the parties responsible for an organization and copies to senior officials as appropriate that an audit is scheduled.

B. Preliminary Scope and Objectives - The audit timing and preliminary objectives are communicated to the client. This information may be included in the entrance meeting materials

C. Entrance Conference - The entrance conference is conducted with the client in order to discuss the preliminary scope and objectives. The following individuals are typically invited and encouraged to attend the meeting: Directors and department heads responsible for the area being audited, Manager(s) and any of his or her subordinates who work in the specific audit area, Internal audit director, for all high-risk audits.

D. Preliminary Survey - The auditor-in-charge obtains and reviews background information about the area being audited.

E. Risk Assessment - As part of the preliminary survey, the auditor should reviews systems and processes to identify key controls.

F. Audit Program - The audit program is be prepared in advance of field work and outlines the audit objectives, scope, procedures, and technical aspects of the audit.

G. Testing Phase

H. Audit Report Quality Assurance - A pre-issuance quality assurance review of draft report and a request for management concordance on issues raised during testing phase.

I. Final audit reports - Report copies are distributed to: The director, chairperson or department head directly responsible for the audited activity or activities, Management personnel, the local executive to whom the Audit Director reports, and the University Auditor

J. Internal Audit maintains an audit follow-up process to monitor whether audit items for which corrective actions are recommended have been adequately addressed by management.

For details of the above look in Internal Audit Standard Operating Procedures

6. How can I best work with auditors? Each audit engagement has a defined scope and objectives. Any auditor requesting information from you should be able to explain the audit's purpose and objectives so you can understand the reasons for questions being asked and provide accurate answers. When you understand the audit's purpose, you can assist by either providing relevant information or, if you are not the best source of the requested information, directing the auditor to the right person or office. If you have questions or concerns about information being requested, it is appropriate to discuss those concerns with the auditor, an Internal Audit manager, or the Executive Director of Internal Audit and Institutional Compliance.

7. Who audits the Internal Audit Department? The Internal Audit Department follows the Standards of the Institute of Internal Auditors (IIA). Accordingly, periodically an outside review team performs a peer review and assesses the quality of our function and makes recommendations directly to the Committee on Audit and compliance.

8. How do you ensure quality client service? At the completion of each audit engagement, Internal Audit requests primary audit clients to complete and return a client feedback evaluation to identify areas for improving our service. We welcome comments at any time regarding the quality, timeliness, and responsiveness of audit engagements.