University Auditor

The Audit Process

On an annual basis, the university auditor completes a risk assessment, which forms the basis for a strategic audit plan. Annually, the university auditor presents to the Board of Trustees an audit plan that includes all audits for the coming year. The most successful audit projects are those in which the audit team and auditee regard themselves as consultant and client. Understanding and applying this concept tends to foster a more constructive working relationship and can result in improved operations for the department under review. Although every audit is unique, similarities can be found in each one. The typical audit process consists of:

Planning
Prior to meeting with the client, the internal audit team discusses the upcoming audit. If the area has been audited previously, we review the file to re-familiarize ourselves with the unique operations of that unit. Any new developments that may have occurred since the last audit are reviewed and discussed. The area's recent financial transactions may be extracted and reviewed, as well as other information such as policies and procedures. With this information, the audit team produces a set of audit objectives.

Entrance Conference
The entrance conference provides the opportunity for the audit team and client to discuss the scope and schedule for the audit. We schedule a mutually agreeable time for the entrance conference, which is held at the client's location. At the meeting, the audit team outlines audit objectives, approximate time schedules, types of auditing tests, and the process of reporting. Entrance conferences are typically held with chancellor’s office management at the start of each new audit subject area, as well as with campus management at the start of fieldwork on each campus.

We make an effort to minimize any disruption of regular departmental routines and avoid seasonal busy periods. The client may designate a member of the department staff as the primary contact person for audit team questions and assistance. Any areas of concern the client would like to have reviewed by the audit team should be brought up at this stage.

Fieldwork

Preliminary Survey - In the next phase of the process, the audit team gathers additional information about the client's operations. If the unit has not previously been audited, this is a significant effort. The audit team also reviews any changes in operations since the last audit. Key personnel are interviewed, and CSU policies, Trustee policy, state/federal regulations, and other relevant guidance are reviewed to produce a plan for the rest of the audit. This work typically results in narratives, flowcharts, document samples, and a detailed program of audit steps. The detailed audit program is typically produced by the supervisor-in-charge and includes a corresponding internal control questionnaire and document request. At the campus level, the preliminary survey primarily consists of client completion of the internal control questionnaire and document request. This survey helps evaluate internal controls related to the recording of business transactions, safeguarding university assets, compliance with university policies, and promotion of operational efficiency. If the audit team finds adequate internal controls and sound operating procedures in place, they will proceed to the transaction testing stage. However, if the audit team detects a significant internal control deficiency during the survey stage, an audit finding is written immediately.

Transaction Testing - The purpose of transaction testing is to examine documents and other records for evidence that the internal controls described in the preliminary survey stage are actually in place and functioning as intended. When we find such evidence on a sample of transactions or records, we conclude that established procedures are being followed and the level of compliance with internal controls is adequate. When a strong system of internal controls is in place and followed, we are confident that the data generated by the transactions can be relied upon as accurate and that administrative policies are being carried out.

Audit Findings - The audit team may find one or more opportunities/deficiencies during the course of a typical audit. They will bring all potential audit findings to the client's attention as they are identified to ensure that the audit team has been provided with all the relevant facts. At the end of the fieldwork stage, the audit team informally reviews all findings with the client.

Exit Conference
At the exit conference, the draft report is discussed with client administration. Any findings determined to be of a minor nature will be deleted from the report, but will be included in a letter of minor findings submitted to the client along with a revised report. A "Client Satisfaction Survey" will also be given to the highest-ranking member of the client administration in attendance at the exit conference.

Reply to Report
After the exit conference, the official transmittal to the client (i.e., campus president or vice chancellor-in-charge) consists of the incomplete draft report and, if needed, a formal report of minor findings. Within 30 days, the campus/chancellor’s office must respond only to the recommendations in the draft report. The 30-day reply period begins on the date the letter and report are submitted to the campus president/vice chancellor-in-charge. All replies must include a corrective action plan with a time estimate for completion for each finding.

Acceptance of Audit Report
The responses will be included with the audit report and forwarded to the chancellor with the university auditor's recommendation for acceptance. Once accepted by the chancellor, a final campus report is individually bound and forwarded to the campus president/vice chancellor-in-charge; at this point, the report becomes public. Periodically for FISMA reports, and at the end of all other report cycles, bound reports are forwarded to the Board of Trustees, Department of Finance, Budget and Audit Divisions, and the Joint Legislative Budget Committee.

Follow-Up
The client will communicate to the university auditor in writing on the progress made in implementing corrective actions noted in the audit report. The university auditor or designee will review the responsiveness of the corrective action taken and determine whether additional action may be required. In certain instances, it may be necessary to revisit the campus to ascertain whether the corrective action taken is achieving the desired results; however, as a rule, we ask the client to provide appropriate documentation to support the corrective action. Reports of follow-up activity will be made at each meeting of the Committee on Audit. This follow-up report is referred to as the “Matrix.”
Note: Clients can report at any time that a particular recommendation has been completed.


Content Contact:
Anne Marie Douglas
(562) 951-4430

Last Updated: September 23, 2010