Internal Audit and Advisory Services (IAS) operates under UC Regents-approved resolution as the University’s independent and objective resource providing value-added information and assurances to the Regents, president and chancellor on the governance, risk management and internal control processes of the University.
IAS provides a critical assessment, monitoring and consultative role in assisting the chancellor and senior management in the discharge of their oversight, management and operating responsibilities. IAS is an integral part of the University’s shared governance structure.
IAS performs various assurance, consulting and support services including:
For a detailed description of the different project types, see below:
Audits - audits are specific projects identified by Internal Audit, or requested by UC or campus senior leadership, whose purpose is to provide an objective conclusion as to the achievement or adequacy of established or desired objectives addressing governance, risk management and control processes within the organization.
These projects are generally focused on providing independent assurances over the area reviewed for the benefit of UC and campus senior leadership and are conducted in accordance with professional auditing standards.
At the conclusion of the project, a formal report with agreed upon management corrective actions, as identified, is issued to the campus principal or senior officer who has responsibility over the area; to the campus Audit Committee; and to the UC Ethics and Audit Office.
Consulting services – are advisory and consultation services requested by the client where the nature and scope are agreed to in advance for the benefit of the requesting party.
These projects are intended to add value and improve the organization's governance, risk management and control processes without the internal auditor assuming management responsibility over the area reviewed.
Consulting services take on many forms, including:
At the conclusion of the engagement, a report is issued to the requesting principal or senior campus officer or operational director/manager and to the campus Audit Committee. Consulting service reports are generally not distributed outside the campus unless the issues addressed are considered material or significant from a UC systemwide perspective.
In addition, consulting services may contain recommendations for consideration by the client, but these recommendations are not generally followed up on by Internal Audit.
Investigations - investigations are independent evaluations of allegations generally focused on improper government activities, including misuse of university resources, fraud, financial irregularities, significant control weaknesses and unethical behavior or actions.
Investigation reports are confidential and distribution is limited to the requesting or impacted principal officer or senior campus official; the campus's locally designated official and/or campus Investigation Workgroup; and the UC compliance and audit officer and UC director of investigations if the investigation reaches required reporting thresholds.
Participation on Campus and UC Systemwide Committees - Internal Audit is often invited to participate as a member of ongoing or ad hoc committees and workgroups. These committees are often special groups or task forces assembled at the request of management to address specific problems or ongoing issues. Internal audit's role of these committees is advisory in nature and intended to add value without the internal auditor assuming management responsibility.
External Audit Liaison – Internal Audit is often requested to assist in the coordination and facilitation of reviews conducted by external regulatory agencies and act in an advisory role in helping departments understand the audit process and how to respond accurately and appropriately to documentation and information requests.
Systems Re-Engineering and Development Projects – Internal Audit is often invited to participate on systems re-engineering and development teams to facilitate the optimization of risk assessment and controls and foster the integration of desired controls into the system as it is being developed, which is often more cost effective than reviewing and retrofitting needed controls after the system has already been built.
Training – Internal Audit staff has unique knowledge, skills and abilities in the areas of university and campus governance, risk management and control processes and are available to provide training in these areas as requested.
The majority of Internal Audits are identified and scheduled up to a year in advance as part of the annual audit planning process, which includes an integrated risk assessment exercise designed to identify auditable areas of concern and potential risk to the campus and university. A formal audit plan is generated annually and reviewed by the campus Audit Committee.
Each year, there is a selected number of audits that are requested in advance by the UC Regents or president, referred to as systemwide audits and included on the audit plan. In addition, an internal audit may originate as a request from the campus chancellor, executive vice chancellor or campus principal/senior officers.
Audits are initiated by Internal Audit as a function of the UC internal audit program and the scope is established by Internal Audit in consultation with the client. These engagements are designed to provide assurances to the Regents, president, chancellor and campus principal/senior officers. Audit engagements are more formal by nature, are conducted following professional auditing standards, and reports have more visibility.
Consulting Services are generally requested by campus principal/senior officers or campus managers who wish to utilize the expertise of the Internal Audit office to assist in more focused areas, operational processes, or campus initiatives. The scope is generally established by the client in consultation with Internal Audit. Consultative Service engagements are less formal by nature and reports are generally limited to campus distribution only.
The Internal Audit director is responsible for deploying existing Internal Audit resources in a manner that optimizes the balance between assurances and consulting services.
Internal audits are generally initiated by Internal Audit as part of the annual audit plan. The annual audit plan, which is approved by the UC Regents, is designed to provide information and assurances on governance, risk management and internal control processes. The scope of an Internal Audit is developed by Internal Audit in consultation with management.
Consulting services are requested by management or suggested by Internal Audit and agreed upon by management. Assisting campus management in the discharge of their fiduciary responsibilities through consulting services that are designed to add value and improve operations is another role of the Internal Audit program. The scope of the consulting service is developed by the client in consultation with Internal Audit.
The audit process consists of the following components:
Key steps in the Internal Audit process are outlined below.
Planning – The client department or unit is notified and a planning meeting is conducted with the responsible principal officer to discuss and obtain input on the initial objectives and scope of the engagement, the timing of the review and reporting process.
Preliminary Survey – A preliminary survey is conducted that usually begins with a meeting with the principal/senior officer of the activity to discuss potential scope and concerns; interviewing management and staff, and gathering background information; identifying key strategic, operational and compliance objectives; reviewing formal guidance; gaining an understanding of organizational governance, risk management processes and regulatory compliance; reviewing budgetary information, flowcharting key departmental processes and identifying and testing key departmental processes and controls. The preliminary survey may indicate that additional field work is necessary to focus on areas where controls could be improved. The result of the survey is the generation of a risk matrix leading to the development of an audit program.
Field Work - The auditor conducts steps to test key objectives identified in the project risk matrix and gathers, classifies and appraises information to measure and evaluate the effectiveness of specific processes and controls. Sample transactions for a specific test period are often evaluated. Throughout the course of audit fieldwork, the auditor confers with client management about areas where improvements may be appropriate.
Draft Report - Upon completion of the field work, the auditor prepares a draft audit report which outlines the conclusion (executive summary), audit objective, scope, observations, and recommendations/agreements. Meetings are conducted with individuals and/or impacted units. In these meetings, the observations are discussed with the client with the goal of reaching agreement as to the appropriate corrective action to address the observation(s). The other goal is to resolve any misunderstandings regarding the content and accuracy of the report.
Principal Officer Concurrence - Following these meeting(s), the report is revised as needed and recommendations are changed to agreements where possible. A review copy of the final report is shared with the principal officer for concurrence prior to release of the final report. Corrective actions agreed to by management and Internal Audit is included in the final report in lieu of a subsequent written departmental response.
Final report - The finalized report is issued to the campus principal or senior officer who has responsibility over the area; to the campus Audit Committee; and to the UC Ethics and Audit Office.
Follow-up - IAS performs follow-up on observations to determine whether departments have implemented corrective actions. The follow-up is generally performed quarterly, with an audit inquiry as to the status of corrective action followed by a validation of completion if so indicated by the client. When it has been determined that corrective actions have been conducted as agreed to resolve the underlying audit issue, the audit is considered closed. Management Corrective Actions (MCA) are maintained electronically in a secure database (TeamCentral). A report is generated monthly and distributed to the Principal Officers and responsible party to assist in the resolution of open, agreed upon management corrective actions.
Most internal audits are conducted by a staff professional internal auditor who is responsible for obtaining sufficient understanding about the process or entity under review. This includes an understanding the barriers that prevent the accomplishment of a desired objective and an understanding of controls in place that help ensure its achievement.
The auditor will not spend all of this time with you directly. Generally, the auditor will meet with you up front to get information on the unit or process under audit. Typically, he or she will need to document the effort and analysis involved in the review, which often can be done remotely. Actual time spent in your area varies, but in most cases, distraction to your daily routine is minimal.
The auditor will typically seek access to the following information through formal request and/or referral to the organization's website:
Anyone can request an audit by calling the Internal Audit Office. Some audit requests originate with the Regents, the Office of the President, or campus senior management. In order to help determine the relative importance of a particular request in comparison to items already included in the annual plan, requests for reviews from the campus are reviewed by the Internal Audit director. The capacity of Internal Audit to accommodate an audit request is determined by the available audit staffing level and the relative risk of the topic in relation to audits already included on the annual audit plan.
Internal audit reports are initially shared in draft with operating management within the organization under review or tasked with management corrective actions, until all of the facts in the report have been reviewed for accuracy and agreement has been reached on the management corrective action(s).
The final report is typically addressed to the organizational level above the audited organization, those responsible for management corrective actions, the Audit Committee, and the UC SVP Chief Compliance and Audit Officer. The Chancellor and Executive Vice are also included. In addition, the final report typically shared with directors and managers who were part of the review process.
Internal audit reports can be found on the IAS website or on the University of California’s Reporting Transparency website at http://reportingtransparency.universityofcalifornia.edu/ in accordance with the Governor’s executive order.
Internal Audit typically issues a written report on the results of a consulting services project. The report is typically issued to the requesting principal or senior campus officer or operational director/manager, and to the campus Audit Committee. Consulting Service reports are generally not distributed outside the campus, unless the issues addressed are considered material or significant from a UC systemwide perspective.
An efficient audit process depends on effective communication between auditors and clients (managers and staff). There is a balance between efficiency of having a number of staff to interact with and the need for open access. All employees should feel free to speak with an auditor or contact the internal audit office at anytime.
Internal audit is authorized to have full, free and unrestricted access to information including records, computer files, property and personnel of the University and is free to review and evaluate all policies, procedures, and practices for any University activity, program, or function in accordance with the authority granted by the UC Regents. Except as limited by law, the work of internal audit is unrestricted.