Frequently Asked Questions

Audit & Advisory Services is an independent and objective internal audit function reporting to the Regents, President, and Chancellor with information and assurance on the governance, risk management and internal control processes.  

Audit & Advisory Services provides a critical assessment, monitoring, and consultative role; assisting the chancellor and senior management in the discharge of their oversight, management, and operating responsibilities; and is an integral part of the University’s shared governance structure. 

Audit & Advisory Services is authorized to have full, free and unrestricted access to information including records, computer files, property and personnel of the University and is free to review and evaluate all policies, procedures, and practices for any University activity, program, or function in accordance with the authority granted by the UC Regents. Except as limited by law, the work of Audit & Advisory Services is unrestricted.

Anyone can request an audit by calling the Audit & Advisory Services. Some audit requests originate with the Regents, the office of the president, or campus senior management. In order to help determine the relative importance of a particular request in comparison to items already included in the annual plan, requests for reviews from the campus are reviewed by the Audit & Advisory Services director. The capacity of Audit & Advisory Services to accommodate an audit request is determined by the available audit staffing level and the relative risk of the topic in relation to audits already included on the annual audit plan.

The Audit & Advisory Services director is responsible for deploying existing Audit & Advisory Services resources in a manner that optimizes the balance between assurances and Consulting/Advisory services.

Audit & Advisory Services are generally initiated by Audit & Advisory Services as part of the annual audit plan. The annual audit plan, which is approved by the UC Regents, is designed to provide information and assurances on governance, risk management and internal control processes. The scope of an Internal Audit is developed by Internal Audit in consultation with management. 

Consulting/Advisory services are requested by management or suggested by Audit & Advisory Services and agreed upon by management. Assisting campus management in the discharge of their fiduciary responsibilities through consulting services that are designed to add value and improve operations is another role of the Internal Audit program. The scope of the consulting service is developed by the client in consultation with Internal Audit.

The majority of audits are identified and scheduled up to a year in advance as part of the annual audit planning process, which includes an integrated risk assessment exercise designed to identify auditable areas of concern and potential risk to the campus and university. A formal audit plan is generated annually and reviewed by the campus Audit Committee.

Each year, there are a selected number of audits that are requested in advance by the UC Regents or president, referred to as systemwide audits, and included on the audit plan. In addition, an internal audit may originate as a request from the campus chancellor, executive vice , or campus principal/senior officers. 

Most internal audits are conducted by a staff professional internal auditor who is responsible for obtaining sufficient understanding about the process or entity under review. This includes an understanding the barriers that prevent the accomplishment of a desired objective and an understanding of controls in place that help ensure its achievement.

The auditor will not spend all of this time with you directly. Generally, the auditor will meet with you up front to get information on the unit or process under audit. Typically, he or she will need to document the effort and analysis involved in the review, which often can be done remotely. Actual time spent in your area varies, but in most cases, distraction to your daily routine is minimal.

The audit process consists of the following components:

Key steps in the audit process are outlined below.

Planning – The client department or unit is notified and a planning meeting is conducted with the responsible principal officer to discuss and obtain input on the initial objectives and scope of the engagement, the timing of the review, and reporting process.

Preliminary Survey – A preliminary survey is conducted which usually begins with a meeting with the principal/senior officer of the activity to discuss potential scope and concerns; interviewing management and staff, and gathering background information; identifying key strategic, operational, and compliance objectives; reviewing formal guidance; gaining an understanding of organizational governance, risk management processes, and regulatory compliance; reviewing budgetary information, flowcharting key departmental processes, and identifying and testing key departmental processes and controls. The preliminary survey may indicate that additional field work is necessary to focus on areas where controls could be improved. The result of the survey is the generation of a risk matrix leading to the development of an audit program.

Field Work – The auditor conducts steps to test key objectives identified in the project risk matrix; gathers, classifies and appraises information to measure and evaluate the effectiveness of specific processes and controls. Sample transactions for a specific test period are often evaluated. Throughout the course of audit fieldwork, the auditor confers with client management about areas where improvements may be appropriate.

Draft Report – Upon completion of the fieldwork, the auditor prepares a draft audit report which outlines the conclusion (executive summary), audit objective, scope, observations, and recommendations/agreements. Meetings are conducted with individuals and/or impacted units. In these meetings, the observations are discussed with the client with the goal of reaching agreement as to the appropriate corrective action to address the observation(s). The other goal is to resolve any misunderstandings regarding the content and accuracy of the report.

Principal Officer Concurrence – Following these meetings(s), the report is revised as needed and recommendations are changed to agreements where possible. A review copy of the final report is shared with the principal officer for concurrence prior to release of the final report. Corrective actions agreed to by management and Audit & Advisory Services is included in the final report in lieu of a subsequent written departmental response.

Final report – The finalized report is is issued to the campus principal or senior officer who has responsibility over the area; to the campus Audit Committee; and to the UC Ethics and Audit Office.

Follow-up – Audit & Advisory Services performs follow-up on observations to determine whether departments have implemented corrective actions. The follow-up is generally performed quarterly, with an audit inquiry as to the status of corrective action followed by a validation of completion if so indicated by the client. When it has been determined that corrective actions have been conducted as agreed to resolve the underlying audit issue, the audit is considered closed. Management corrective actions are maintained electronically in a secure database. A report is generated monthly and distributed to the Principal Officers and responsible party to assist in the resolution of open, agreed upon management corrective actions.