What are audits?

Audits are essentially health checkups for an organization's operations. Audits (1) take a systematic and detailed look at business processes, (2) identify risks (what negative things can happen) and controls (what is in place to achieve the desired outcome), and (3) offer insight and advice to improve operations and help the organization achieve its strategic objectives.

How do we decide what to audit?

A&AS audits are focused on UCSF areas that, for a variety of reasons, may pose the greatest risk of financial or other loss to the Campus. We use an extensive annual process to identify the high-risk areas and topics that may warrant review in the coming year.

We identify these Campus "risk topic areas" using a formal risk assessment methodology that includes evaluation of the effectiveness of internal controls, risk management, compliance and governance activities for functional areas throughout the UCSF enterprise. All significant operations of the Campus and UCSF Health enterprise are scored for six attributes that could indicate risk:

  • Management control environment
  • Business volume
  • Public sensitivity
  • Compliance requirements
  • Information reporting
  • Organizational change

The outcomes of these findings are used to lay the foundation for the UCSF Audit Work Plan and to prioritize resources in support of UCSF strategic initiatives.

Some operations of the Campus are considered core business functions and are therefore audited routinely.

What to expect from an audit

We commit to the following in performing each audit:

  • The team conducting the audit will be independent and objective.
  • Management will be informed and kept apprised of identified risks.
  • The audit's purpose, scope and requirements will be communicated to ensure minimal disruptions in daily operations.
  • The audit will be completed on a timely basis.