FAQ - General Questions

>> Click here for a list of UCSC Internal Audit Reports <<

What is the authority and role of internal audit?

Audit & Advisory Servies is an independent and objective internal audit function reporting to the Regents, President, and Chancellor with information and assurance on the governance, risk management and internal control processes.  

Audit & Advisory Services provides a critical assessment, monitoring, and consultative role; assisting the chancellor and senior management in the discharge of their oversight, management, and operating responsibilities; and is an integral part of the University’s shared governance structure. 

What type of access do auditors have?

Internal audit is authorized to have full, free and unrestricted access to information including records, computer files, property and personnel of the University and is free to review and evaluate all policies, procedures, and practices for any University activity, program, or function in accordance with the authority granted by the UC Regents. Except as limited by law, the work of internal audit is unrestricted.

What types of services are performed by Internal Audit?

Internal Audit performs various assurance, Consulting/Advisory and support services including:

• Planned and Requested Audits
• Consulting Services
• Investigation Services
• Participation on Campus and Systemwide Committees
• External Audit Liaison
• Systems Re-engineering and Development Projects
• Training

For a detailed description of the different project types, see below:

Audits - audits are specific projects identified by Internal Audit, or requested by UC or campus senior leadership, whose purpose is to provide an objective conclusion as to the achievement or adequacy of established or desired objectives addressing governance, risk management and control processes within the organization.

These projects are generally focused on providing independent assurances over the area reviewed for the benefit of UC and campus senior leadership and are conducted in accordance with professional auditing standards. 

At the conclusion of the project, a formal report with agreed upon management corrective actions, as identified, is issued to the campus principal or senior officer who has responsibility over the area; to the campus Audit Committee; and to the UC Ethics and Audit Office.
 
Management Advisory/Consulting Services – are services requested by the client where the nature and scope are agreed to in advance for the benefit of the requesting party.

These projects are intended to add value and improve the organization's governance, risk management and control processes without the internal auditor assuming management responsibility over the area reviewed.  
Consulting/Advisory Services take on many forms, including;

• management requested reviews, advisory services, and analysis,
• collaboration and advice on campus initiatives,
• consultation on risks and controls within campus operations,
• input on policy/procedure development,
• advice provided through participation on campus committees, and
• training in the areas of governance, risk management and controls.

At the conclusion of the engagement, a report is issued to the requesting principal or senior campus officer or operational director/manager, and to the campus Audit Committee. Consulting/Advisory service reports are generally not distributed outside the campus, unless the issues addressed are considered material or significant from a UC systemwide perspective. 

In addition, Consulting/Advisory services may contain recommendations for consideration by the client, but these recommendations are not generally followed up on by Internal Audit.

Investigations - investigations are independent evaluations of allegations generally focused on improper government activities, including misuse of university resources, fraud, financial irregularities, significant control weaknesses, and unethical behavior or actions. 

Investigation reports are confidential and distribution is limited to the requesting or impacted principal officer or senior campus official; the campus local designated official and/or campus Investigation Workgroup; and the UC compliance and audit officer and UC director of investigations if the investigation reaches required reporting thresholds.  

Participation on Campus and UC Systemwide Committees - Internal Audit is often invited to participate as a member of an on-going or ad-hoc committees and workgroups.  These committees are often special groups or task forces assembled at the request of management to address specific problems or ongoing issues. Internal audit's role of these committees is advisory in nature; intended to add value without the internal auditor assuming management responsibility.

External Audit Liaison – Internal Audit is often requested to assist in the coordination and facilitation of reviews conducted by external regulatory agencies, and act in an advisory role in helping departments understand the audit process and how to respond accurately and appropriately to documentation and information requests.

Training – Internal Audit staff has unique knowledge, skills and abilities in the areas of university and campus governance, risk management and control processes, and are available to provide training in these areas as requested.

Also see: Internal Audit Resources for more information on services we provide.

Who can request an internal audit?

Anyone can request an audit by calling the Internal Audit Office. Some audit requests originate with the Regents, the office of the president, or campus senior management. In order to help determine the relative importance of a particular request in comparison to items already included in the annual plan, requests for reviews from the campus are reviewed by the Internal Audit director. The capacity of Internal Audit to accommodate an audit request is determined by the available audit staffing level and the relative risk of the topic in relation to audits already included on the annual audit plan.

What is the difference between an Internal Audit and a Consulting/Advisory Advisory Service?

Audits are initiated by Internal Audit as a function of the UC internal audit program, and the scope is established by Internal Audit in consultation with the client.  These engagements are designed to provide assurances to the Regents, president, chancellor and campus principal/senior officers.  Audit engagements are more formal by nature, are conducted following professional auditing standards, and reports have more visibility.

Consulting/Advisory Services are generally requested by campus principal/senior officers or campus managers who wish to utilize the expertise of the Internal Audit office to assist in more focused areas, operational processes, or campus initiatives.  The scope is generally established by the client in consultation with Internal Audit.   Consultative Service engagements are less formal by nature and reports are generally limited to campus distribution only.

How does Internal Audit determine when to conduct an audit and when to conduct a Consulting/Advisory service?

The Internal Audit director is responsible for deploying existing Internal Audit resources in a manner that optimizes the balance between assurances and Consulting/Advisory services.

Internal audits are generally initiated by Internal Audit as part of the annual audit plan. The annual audit plan, which is approved by the UC Regents, is designed to provide information and assurances on governance, risk management and internal control processes. The scope of an Internal Audit is developed by Internal Audit in consultation with management. 

Consulting/Advisory services are requested by management or suggested by Internal Audit and agreed upon by management.  Assisting campus management in the discharge of their fiduciary responsibilities through consulting services that are designed to add value and improve operations is another role of the Internal Audit program. The scope of the consulting service is developed by the client in consultation with Internal Audit.

Why was I selected for an Internal Audit?

The majority of Internal Audits are identified and scheduled up to a year in advance as part of the annual audit planning process, which includes an integrated risk assessment exercise designed to identify auditable areas of concern and potential risk to the campus and university. A formal audit plan is generated annually and reviewed by the campus Audit Committee.

Each year, there are a selected number of audits that are requested in advance by the UC Regents or president, referred to as systemwide audits, and included on the audit plan. In addition, an internal audit may originate as a request from the campus chancellor, executive vice , or campus principal/senior officers. 

What can I expect in an internal audit?

Most internal audits are conducted by a staff professional internal auditor who is responsible for obtaining sufficient understanding about the process or entity under review. This includes an understanding the barriers that prevent the accomplishment of a desired objective and an understanding of controls in place that help ensure its achievement.

The auditor will not spend all of this time with you directly. Generally, the auditor will meet with you up front to get information on the unit or process under audit. Typically, he or she will need to document the effort and analysis involved in the review, which often can be done remotely. Actual time spent in your area varies, but in most cases, distraction to your daily routine is minimal.

What documents will Internal Audit request or require access to as part of the audit?

The auditor will typically seek access to the following information through formal request and/or referral to the organization's website:

• Mission and key objectives of the entity or process,
• Results of prior internal and external reviews
• Action plans for significant management initiatives
• Organizational charts
• Process flowcharts
• Summary of contracts and grants
• Department-specific policies and procedures
• Budgetary, financial, management, and exception reports
• Source documents such as payroll records, travel vouchers, recharges and cost transfers

What is the process for conducting internal audits?

The audit process consists of the following components:

Key steps in the Internal Audit process are outlined below.

Planning – The client department or unit is notified and a planning meeting is conducted with the responsible principal officer to discuss and obtain input on the initial objectives and scope of the engagement, the timing of the review, and reporting process.

Preliminary Survey – A preliminary survey is conducted which usually begins with a meeting with the principal/senior officer of the activity to discuss potential scope and concerns; interviewing management and staff, and gathering background information; identifying key strategic, operational, and compliance objectives; reviewing formal guidance; gaining an understanding of organizational governance, risk management processes, and regulatory compliance; reviewing budgetary information, flowcharting key departmental processes, and identifying and testing key departmental processes and controls. The preliminary survey may indicate that additional field work is necessary to focus on areas where controls could be improved. The result of the survey is the generation of a risk matrix leading to the development of an audit program.

Field Work - The auditor conducts steps to test key objectives identified in the project risk matrix; gathers, classifies and appraises information to measure and evaluate the effectiveness of specific processes and controls. Sample transactions for a specific test period are often evaluated. Throughout the course of audit fieldwork, the auditor confers with client management about areas where improvements may be appropriate.

Draft Report - Upon completion of the fieldwork, the auditor prepares a draft audit report which outlines the conclusion (executive summary), audit objective, scope, observations, and recommendations/agreements. Meetings are conducted with individuals and/or impacted units. In these meetings, the observations are discussed with the client with the goal of reaching agreement as to the appropriate corrective action to address the observation(s). The other goal is to resolve any misunderstandings regarding the content and accuracy of the report.

Principal Officer Concurrence - Following these meetings(s), the report is revised as needed and recommendations are changed to agreements where possible. A review copy of the final report is shared with the principal officer for concurrence prior to release of the final report. Corrective actions agreed to by management and Internal Audit is included in the final report in lieu of a subsequent written departmental response.

Final report - The finalized report is is issued to the campus principal or senior officer who has responsibility over the area; to the campus Audit Committee; and to the UC Ethics and Audit Office.

Follow-up - Internal Audit performs follow-up on observations to determine whether departments have implemented corrective actions. The follow-up is generally performed quarterly, with an audit inquiry as to the status of corrective action followed by a validation of completion if so indicated by the client. When it has been determined that corrective actions have been conducted as agreed to resolve the underlying audit issue, the audit is considered closed. Management corrective actions are maintained electronically in a secure database (TeamCentral). A report is generated monthly and distributed to the Principal Officers and responsible party to assist in the resolution of open, agreed upon management corrective actions.

Who is on the distribution list to receive written internal audit reports?

Internal audit reports are initially shared in draft with operating management within the organization under review or tasked with management corrective actions until all of the facts in the report have been reviewed for accuracy and agreement has been reached on the management corrective action(s).

The final report is typically addressed to the organizational level above the audited organization, those responsible for management corrective actions, the Audit Committee, and the UC SVP Chief Compliance and Audit Officer. The chancellor and Executive Vice are also included.  In addition, the final report typically shared with directors and managers who were part of the review process.
Internal audit reports can be found on the Internal Audit website or on the University of California’s Reporting Transparency website at http://reportingtransparency.universityofcalifornia.edu/ in accordance with the Governor’s executive order. 

What about written consulting services reports?

Internal Audit typically issues a written report on the results of a consulting services project. The report is typically issued to the requesting principal or senior campus officer or operational director/manager, and to the campus Audit Committee. Consulting/Advisory Service reports are generally not distributed outside the campus unless the issues addressed are considered material or significant from a UC systemwide perspective. 

Audit Management & Advisory Services Risk Assessment and Audit Planning Process

The annual audit plan is the result of the audit planning process and involves three phases: Risk Assessment, Audit Plan Preparation, and the Annual Audit Plan Submission

Risk Assessment: A risk assessment is performed at the beginning of the planning cycle and is focused on gathering current risk information necessary to prepare the Annual Audit Plan, all in the context of the institution’s risks identified in previous risk assessments.

Audit Plan Preparation: The audit plan is prepared upon completion of the Risk Assessment Phase and represents an exercise in deploying Internal Audit’s resources in the most effective manner possible. 

Annual Audit Plan Submission: Upon completing the risk assessment process and audit plan preparation, each campus or laboratory Internal Audit department prepares a local audit plan. The audit plan documents (Schedules 1, 2, and 3) are submitted to the systemwide SVP/Chief Compliance and Audit Officer with the final risk assessment results. The local plans and risk assessment results are consolidated into the systemwide annual audit plan for that year.