What authority does Audit & Advisory Services have?
Per the University of California Audit Charter:
“Internal Audit (IA) is established by the Regents, and its responsibilities are defined by the Regents' Committee on Compliance and Audit as part of their oversight function.
“It is the policy of the University of California to maintain an independent and objective internal audit function to provide the Regents, President and campus Chancellors with information and assurance on the governance, risk management and internal control processes of the University. Further, it is the policy of the University to provide the resources necessary to enable Internal Audit to achieve its mission and discharge its responsibilities under its charter.
“IA is authorized to have full, free and unrestricted access to information including records, computer files, property and personnel of the University in accordance with the authority granted by approval of this charter and federal and state statutes. Except where limited by law, the work of IA is unrestricted. IA is free to review and evaluate all policies, procedures and practices for any University activity, program or function.”
What are some common myths about audits? About auditors?
Myth #1: Internal auditors are accountants by training. We are not the IRS. UCSF contracts with third-party accounting firms to audit its financial statements. Internal auditors commonly address fraud risks, compliance issues and myriad operational issues that are unrelated to accounting, and the auditors’ backgrounds are likely to be as diverse as the operations they audit. While accounting training may be helpful, it is not required. Internal auditors’ skills include analytical and critical thinking, data mining and business acumen.
Myth #2: Internal auditors are responsible for the detection of all fraud. Our primary focus is on business risks; however, our project charter requires that we consider fraud risks in our audit reviews. Additionally, the Institute of Internal Auditors (IIA) has professional standards that include the following statements related to fraud:
- The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
- An internal auditor’s responsibilities for detecting fraud include: (1) evaluating fraud indicators and (2) deciding whether any additional action is necessary or whether an investigation should be recommended.
We do make key control recommendations, such as segregation of duties and monitoring reports to prevent or detect anomalies. Any staff member with curiosity or a suspicion that something seems odd in their business operations can be a “fraud detector” and can report their concerns to management or the whistleblower hotline. Additionally, fraud can be detected externally and reported to our organization.
Myth #3: Auditors are nitpickers and faultfinders. We use our limited resources to focus on significant risks and controls that are at the heart of internal audit. We prefer to report on significant process failures, such as not billing for services performed, rather than on smaller isolated occurrences such as a $6 typographical error. If we identify minor errors, we prefer to share them verbally with our clients rather than spend time drafting report language for them.
Myth #4: It’s best not to tell the auditors anything unless they specifically ask. This thinking actually does harm to the business operations, as internal auditors work for the organization. They provide independent insights to help departments enhance business processes and solve issues they might not otherwise have identified – problems that could have gone unchanged until reported by external auditors.
If auditors believe their clients are purposefully hiding information, either by omission or commission, they normally will increase the scope of the audit to determine whether other important information has gone unreported. Hiding information is against everyone’s best interests, because external findings may result in financial sanctions, whereas internal findings and plans to address them give federal agencies more confidence in our internal controls.
Myth #5: Internal audit is the corporate “police function.” At UCSF, we encourage clients to see our audit services as similar to those of doctors – providing a “health checkup” on the business operation. We do work with the police department for investigation projects. We strive for collaboration as part of the PRIDE value: Professionalism, Respect, Integrity, Diversity and Excellence.
I hear about audits, advisories and investigations. How do they differ?
- An audit derives from a risk assessment–based project plan, is retrospective in nature and may result in management corrective actions (MCAs).
- An advisory is based on a request made by the department, will yield recommendations instead of MCAs, may be more limited or proactive in nature and does not require formal follow-up.
- An investigation usually derives from a whistleblower complaint; departments may receive both an investigation and a control report identifying internal control deficiencies that may have contributed to the wrongdoing.
I'm being audited. How does A&AS decide who gets audited?
Audits are selected through a risk assessment process. However, audits may also come from departments, functions or external sources. A number of factors influence the selection and scheduling of audits, including:
- The complexity of laws and regulations governing the audit area and the frequency and significance of changes made to these laws and regulations
- The complexity and volume of transactions
- Susceptibility to fraud, waste and abuse
- Public sensitivity about the activity and the level of importance placed on the area by stakeholders
- The results of external monitoring and reviews over the audit area
- The extent to which the audit area depends on technology
- Geographic isolation of decentralized offices
- Adequacy of staffing levels and degree of training for employees in the area
- Results of prior audits and time elapsed since the last audit was performed
- Input from University leadership.
What should I do if I suspect something illegal?
Any individual, department or unit identifying suspected fraudulent activity should contact the Chief Audit Officer. If the individual prefers to report anonymously, he or she can use the Whistleblower Hotline at 1-800-403-4744 or https://www.ucop.edu/uc-whistleblower/index.html.
I just had other auditors in my area. Why are you performing yet another audit?
During the risk assessment process, senior leadership of the departments may identify several risk areas that warrant separate reviews.
Additionally, departments may also be audited by external auditors, such as an external CPA firm, federal auditors, environmental health and safety auditors or other compliance auditors. We try to reduce duplication of effort by coordinating our schedule with other auditors as much as possible. Consequently, an area or department may be reviewed more than once during the year due to identified risks.
Also, other business units (e.g., Accounts Payable for MyExpense and P-Cards) may perform “audits” which are very narrowly focused on a small group of transactions and are not process-focused or as substantial as those performed by A&AS.
What do "observations" and "opportunities for improvement" mean in an audit report?
An observation identifies a control deficiency or the absence of a control. An opportunity for improvement identifies a way to increase efficiency and effectiveness within a process.
Observations require management corrective actions (MCAs), plans for implementation, and formal follow-up by A&AS for verification, while opportunities for improvement do not require MCAs or follow-up by A&AS.
Is receiving an audit "observation" a bad thing?
An audit observation indicates a lack of control within a process. An audit observation does not necessarily indicate the overall performance of a department.
Our audit observations provide additional insights into the department’s operations. They help in preventing larger issues from developing before a risk event occurs or a similar audit observation is identified in an external audit report, which may result in financial or legal repercussions.
Will my audit report include the "good" things I do?
We do identify commendable practices in our audit reports when they are identified during audit fieldwork. If there is something you are very proud of or want to share, please bring it to the auditors’ attention. We may include it in the report, share it with other units as a best practice or recommend that the University adopt it campus-wide.
How long does an audit take?
The time varies depending on the size, complexity and strength of the organization's internal controls. The audit is a dynamic process, the scope of which can be expanded or reduced at any time depending on the issues. We aim for audits to be completed within one quarter.
At the audit kickoff meeting, our scope document will define tentative start and end dates for the review. We will get your input on availability of personnel to conduct the audit. Your timely response to audit requests will support timely audit completion.
We always attempt to minimize any interruptions to your normal work schedule to the greatest extent possible.
What should I expect during an audit?
You will be notified in advance that we will be starting an audit in your department. We will request to set up an entrance meeting to explain the audit objective and process and obtain any input you may have. Prior to the entrance meeting, we may request some preliminary information, such as organization charts, policies and procedures, a list of systems you use and any metrics or monitoring reports you utilize.
After the entrance meeting, the auditors will begin their fieldwork. This may include, but is not limited to:
- Formal and informal meetings or discussions with employees in your area
- A walkthrough of systems and processes
- Examination of financial documentation and reports via data analytics
- Evaluation of IT system security such as access, permission, and segregation of duties
- Validation of transactions against approved policies, procedures and best practices
During fieldwork, we attempt to keep you apprised of the audit progress and issues identified through regular touchpoint meetings. Once fieldwork is complete, we will prepare a draft of all audit observations and recommendations and share it with department management. We will then schedule an exit meeting to discuss these observations with department management along with any management corrective actions (MCAs). If there is disagreement with an audit observation, we will ask for extra information to establish facts. Following the exit meeting, we will prepare and issue the final audit report including MCAs.
Are there things I need to provide prior to an audit? If so, what are they?
Requests may include the following in order to understand the function being reviewed:
- Organizational chart, process flowcharts and system diagrams, if available
- Internal or external policies
- Standard operating procedures (SOPs)
- Risks and controls (i.e., processes to mitigate risk) relating to your business operations
- Monitoring reports that management uses for their business operations
- Other reports to support the testing objectives
- Read-only system access when data or reports are not readily available
Will I be kept informed during the audit process? Also, will I have a chance for input before the audit report is issued?
The assigned auditor(s) will keep management informed of progress. Auditors may discuss some audit issues with you or your staff during the fieldwork. If you have any information that can clarify a potential audit issue, please let the auditor know during the audit. If you would like more frequent updates or are simply curious, please ask!
At the conclusion of fieldwork, a full list of observations will be shared and discussed at the exit meeting. We strive to have no surprises at the end of the audit.