- What is the authority and role of Internal Audit?
- What types of services are performed by IAS?
- Why was I selected for an internal audit?
- How can IAS help my department/unit?
- What is the process for conducting internal audits?
- What can I expect in an internal audit?
- What will the auditors need from me?
- What documents will IAS request or require access to as part of the audit?
- How long will the audit take?
- Who can request an internal Audit?
- Who is on the distribution list to recieve written internal audit reports?
Internal Audit Services (IAS) IAS functions under the policies established by the UC Regents and by University management under delegated authority. IAS is authorized to have full, free and unrestricted access to information including records, computer files, property, and personnel of the University in accordance with the authority granted by approval of this charter and subject to applicable University policy and federal and state statues.
IAS provides an assessment, monitoring, and consulting role; assisting the Chancellor and senior management in the discharge of their oversight, management, and operational responsibilities. Assisting management in the discharge of their fiduciary responsibilities through consulting services that are designed to add value and improve operations is another role of IAS.
IAS performs various assurance, consulting and support services including:
- Planned and Requested Audits;
- Advisory Services;
- Participation on Campus and Systemwide Committees;
- External Audit Coordinator; and
For a detailed description of the different project types, see below:
Audits - Audits are projects identified and scheduled by IAS and approved by the Audit Committee whose purpose is to provide an objective conclusion as to the achievement or adequacy of established or desired objectives addressing governance, risk management and control processes within the organization.
These projects are generally focused on providing independent assurances over the area reviewed for the benefit of UC and UC Irvine senior management and are conducted in accordance with professional auditing standards.
At the conclusion of the project, a formal report with agreed upon management action plans, as identified, is issued to the department or unit head and senior officer who has responsibility over the area; to the Audit Committee; and to the UC Ethics, Compliance and Audit Office.
Advisory Services – Advisory services are requested by the client where the nature and scope are agreed to in advance for the benefit of the requesting party. These projects are intended to add value and improve the organization's governance, risk management and control processes.
Advisory Services take on many forms, including:
- management requested reviews, advisory services, and analysis;
- collaboration and advice on campus initiatives;
- consultation on risks and controls within campus operations;
- input on policy/procedure development;
- advice provided through participation on campus committees; and
- training in the areas of governance, risk management and controls.
At the conclusion of the engagement, a report is issued to the requesting senior manager or operational director/manager, and to the Audit Committee. Advisory services reports are generally not distributed outside the campus, unless the issues addressed are considered material or significant from a UC systemwide perspective.
Investigations - Investigations are independent evaluations of allegations generally focused on improper government activities, including misuse of university resources, fraud, financial irregularities, significant control weaknesses, and unethical behavior or actions.
Investigation reports are confidential, and distribution is limited to the requesting or impacted senior manager; the campus local designated official, the UC Compliance and Audit Officer, and UC Director of Investigations.
Participation on Campus and UC Systemwide Committees - IAS is often invited to participate as a member of an on-going or ad-hoc committees and workgroups. These committees are often special groups or task forces assembled at the request of management to address specific problems or ongoing issues. IAS's role in these committees is advisory in nature and intended to add value.
External Audit Coordinator – IAS is often requested to assist in the coordination and facilitation of reviews conducted by external regulatory agencies, and act in an advisory role in helping departments understand the audit process and how to respond accurately and appropriately to documentation and information requests.
Systems Re-Engineering and Development Projects – Internal Audit is often invited to participate on systems re-engineering and development teams to facilitate the optimization of risk assessment and controls and foster the integration of desired controls into the system as it is being developed, which is often more cost effective than reviewing and retrofitting needed controls after the system has already been built.
Training – IAS has unique knowledge, skills and abilities in the areas of governance, risk management, and control processes, and are available to provide training in these areas as requested.
The majority of audits are identified and scheduled up to a year in advance as part of the annual audit planning process, which includes a risk assessment exercise designed to identify auditable areas of concern and potential risk to the campus and university. A formal audit plan is generated annually and reviewed by the Audit Committee.
Each year, there are a selected number of audits that are requested in advance by the UC Regents or President, referred to as systemwide audits, and included on the audit plan. In addition, an internal audit may originate as a request from the Chancellor or senior management.
Our reviews are designed to help you manage your operation more effectively and efficiently. This might include alternate ways of approaching a problem based on our encountering similar situations in other areas. As a result, we can identify strengths and weaknesses in processes quickly and make practical recommendations. This will save you time and money on a variety of matters, and ensure that your operation is based on sound business practices and is in compliance with university, Board of Regents, and State policies, procedures, and regulations.
We work closely with university leadership and a variety of other internal entities. This access, along with our experience, provides us with a broad prospective which we can employ to benefit your operation.
Internal Audit Services (IAS) is comprised of professional staff with the education, experience, and credentials to make a positive impact in your area.
- We have experience from a variety of industries including corporate and government.
- We possess advanced degrees, professional designations, and licenses.
- We obtain continuing education programs at both the national and local level to stay up-to-date on the latest issues impacting the university.
The audit process consists of the following components:
Key steps in the Internal Audit process are outlined below.
Planning – The client department or unit is notified, and a planning meeting is conducted with the responsible management to discuss and obtain input on the initial objectives and scope of the engagement, the timing of the review, and reporting process.
Preliminary Survey – A preliminary survey is conducted which usually begins with a meeting with the client management of the activity to discuss potential scope and concerns including:
- Interviewing management and staff, and gathering background information;
- Identifying key strategic, operational, and compliance objectives;
- Reviewing formal guidance;
- Gaining an understanding of organizational governance, risk management processes, and regulatory compliance; and
- Reviewing budgetary information, flowcharting key departmental processes, and identifying and testing key departmental processes and controls.
The preliminary survey may indicate that additional field work is necessary to focus on areas where controls could be improved. The result of the survey is the generation of a risk matrix leading to the development of an audit program.
Field Work - The auditor conducts steps to test key objectives identified in the project risk matrix; gathers, classifies, and appraises information to measure and evaluate the effectiveness of specific processes and controls. Sample transactions for a specific test period are often evaluated. Throughout the course of audit fieldwork, the auditor confers with client management about areas where improvements may be appropriate.
Draft Report - Upon completion of the field work, IAS prepares a draft audit report which outlines the conclusion, audit objective, scope, observations, and agreed upon management action plans. Throughout the audit process meetings are conducted with individuals and/or impacted units. In these meetings, the observations are discussed with the client with the goal of reaching agreement as to the appropriate management action to address the observation(s). The other goal is to resolve any misunderstandings regarding the content and accuracy of the observations/report.
Final report - The finalized report is issued to the department or unit head and senior officer who has responsibility over the area; to the Audit Committee; and to the UC Ethics, Compliance and Audit Office.
Follow-up - IAS performs follow-up on observations to determine whether departments have implemented management action plans. The follow-up is performed based upon the agreed upon implementation date(s). When it has been determined that management action plan(s) have been conducted as agreed to resolve the underlying audit issue, the audit is considered closed.
Most audits are conducted by a senior internal auditor who is responsible for obtaining sufficient understanding about the process or entity under review. This includes an understanding the barriers that prevent the accomplishment of a desired objective and an understanding of controls in place that help ensure its achievement.
The auditor will not spend all of this time with you directly. Generally, the auditor will meet with you up front to get information on the unit or process under audit. Typically, he or she will need to document the effort and analysis involved in the review, which often can be done remotely. Actual time spent in your area varies, but in most cases, distraction to your daily routine is minimal.
The main items needed from you for a successful audit are cooperation and communication with the auditor. Here are some specific examples of what you can do to help the audit process:
- Supply all requested information on a timely basis;
- Share any internal control concerns you have with the auditor;
- Review the audit objectives and scope presented for your area, and ask questions if you don't understand why certain activities have been included or excluded;
- As issues are communicated to you during the audit, begin thinking about potential corrective actions;
- Review preliminary findings and provide written responses regarding corrective actions and specified time frames;
- Review the audit report draft and make any suggestions for changes or enhancements either before or during the exit conference;
- Provide a written response to the issues identified in the report, along with who will be responsible for implementing the corrective actions and when they will be completed; and
- Be proactive in monitoring the progress of the corrective actions and reporting them.
The auditor will typically seek access to the following information through formal request and/or referral to the organization's website:
- Mission and key objectives of the entity or process;
- Results of prior internal and external reviews;
- Action plans for significant management initiatives;
- Organizational charts;
- Process flowcharts;
- Summary of contracts and grants;
- Department/Unit specific policies and procedures;
- Budgetary, financial, management, and exception reports;
- Source documents such as payroll records, travel vouchers, recharges, cost transfers, etc.
Audits can last from a few weeks to several months, depending on the scope and objectives of the audit work. The auditor(s) assigned to your area will give you an estimate of the time they will need to complete the audit, after the planning phase is complete.
Anyone can request an audit by calling IAS. Some audit requests originate with the UC Regents, the Office of the President, or senior management. In order to help determine the relative importance of a particular request in comparison to items already included in the annual plan, requests for reviews are reviewed by the IAS Director. The capacity of IAS to accommodate an audit request is determined by the available audit staffing level and the relative risk of the topic in relation to audits already included on the annual audit plan.
IAS reports are initially shared in draft with operating management within the organization under review or tasked with management corrective actions, until all of the facts in the report have been reviewed for accuracy and agreement has been reached on the management corrective action(s).
The final report is typically addressed to the organizational level above the audited organization, those responsible for management action plans, the Audit Committee, and the UC SVP Chief Compliance and Audit Officer. In addition, the final report typically shared with directors and managers who were part of the review process.
Internal audit reports can be found on the IAS website or on the University of California's Reporting Transparency website in accordance with the Governor's executive order.