The Audit Process
On an annual basis, the Office of Audit and Advisory Services (OAAS) completes a risk assessment and develops a strategic audit plan, which is presented to the Board of Trustees for approval. The most successful audit projects are those in which the audit team and auditee consider themselves as consultant and client. Understanding and applying this concept tends to foster a more constructive working relationship and can result in improved operations for the department under review. Although every audit is unique, similarities can be found in each one. The typical audit process consists of:
Preliminary Survey, Research and Audit Program Development
The general purpose and scope of the audit are defined in the audit plan approved by the Board of Trustees. The scope of the audit is further refined by performing a survey that may include prior OAAS audit history, reports and management letters from external auditors, CSU structure and organization, CSU policies and procedures, state and federal regulations, industry/professional association information, discussions with chancellor’s office executive management, on-site visits with campus subject matter experts or management, and other pertinent data. This provides the OAAS with information on any significant risks, the CSU control framework, compliance requirements, and general background on the audit topic.
The areas within the audit topic that pose the highest risk to the CSU are determined, the audit scope and objectives are finalized, and the audit program is developed based on the selected audit scope and objectives. Within the audit program, audit tests and applicable criteria are identified for each objective. An internal control questionnaire and request for documents are also developed.
If the audit has been performed in the past, the prior audit program may be used as a basis for the current audit. However, a preliminary survey and research will still be performed to ensure that appropriate updates are made.
At the campus level, the preliminary survey primarily consists of client completion of the internal control questionnaire and document request. This survey helps evaluate internal controls related to the recording of business transactions, safeguarding university assets, compliance with university policies, and promotion of operational efficiency. If the audit team finds adequate internal controls and sound operating procedures in place, they will proceed to the internal control/transaction testing stage. However, if the audit team detects a significant internal control deficiency during the survey stage, an audit finding is written immediately.
The entrance conference provides the opportunity for the audit team and client to discuss the scope and schedule for the audit. We schedule a mutually agreeable time for the entrance conference, which is held at the client's location. At the meeting, the audit team outlines audit objectives, approximate time schedules, types of auditing tests, and the process of reporting. Entrance conferences are typically held with chancellor’s office management at the start of each new audit subject area, as well as with campus management at the start of fieldwork on each campus.
We make every effort to minimize any disruption of regular departmental routines and avoid seasonal busy periods. The client may designate a member of the department staff as the primary contact person for audit team questions and assistance. Any areas of concern the client would like to have reviewed by the audit team should be brought up at this stage.
Internal Control/Transaction Testing
The auditor may perform a variety of audit techniques, including inspections and observations of processes; interviews and inquiries of personnel; transaction testing of reports, invoices, and other types of records; and performance of computations, comparisons, and other types of analysis for evidence that the internal controls described in the preliminary survey stage are actually in place and functioning as intended. When such evidence is found for a sample of transactions or records, we conclude that established procedures are being followed and the level of compliance with internal controls is adequate. When a strong system of internal controls is in place and followed, we are confident that the data generated by the transactions can be relied upon as accurate and that administrative policies are being carried out.
The audit team may find one or more opportunities and/or deficiencies during the course of a typical audit. They will bring all potential audit findings to the client's attention as they are identified to ensure that the audit team has been provided with all the relevant facts. At the end of the fieldwork stage, the audit team conducts an informal exit conference to review all findings with the client.
Audit Report Writing and Wrap-up
After fieldwork is complete, the audit team completes its workpapers and prepares a draft report, which includes identification of audit scope and objectives; an overall audit opinion; audit findings inclusive of condition, criteria, cause and effect; and recommendations for remediation or improvement. After the draft report is reviewed by OAAS management, it is sent to client management for review and comment.
Formal Exit Conference
The client has the option to forgo the formal exit conference, or to request scheduling of a formal exit conference to discuss the results. If the client decides to forgo the formal exit conference, he/she may still request minor changes to the audit report, which will be discussed with the relevant audit management and proposed to the vice chancellor and chief audit officer (VCCAO) for approval. Any findings determined to be of a minor nature will be removed from the report and be included in a letter of minor findings submitted to the client along with a revised report. A "Client Satisfaction Survey" will also be given to the client audit contact.
Reply to Report
After the formal exit conference or acceptance of the option to forgo the formal exit conference, the official transmittal to the client consists of the incomplete draft report and, if needed, a formal report of minor findings. Within 30 days, the client must respond only to the recommendations in the draft report. The 30-day reply period begins on the date the letter and report are submitted to the client. All replies must include a corrective action plan with a time estimate for completion for each finding.
Acceptance of Audit Report
The responses will be included with the audit report and forwarded to the chancellor with the VCCAO’s recommendation for acceptance. Once accepted by the chancellor, a final campus report is posted on the OAAS website. Notification letters providing a link to the audit reports are sent to the Board of Trustees, California State Auditor, Committee on Higher Education, Joint Legislative Audit Committee, Joint Legislative Budget Committee, Department of Finance, and Legislative Analyst’s Office. In addition, each of the campus presidents and the CSU Advocacy State Relations department receive emails with a link indicating that reports have been posted to the OAAS website.
The client will communicate to the VCCAO in writing on the progress made in implementing corrective actions noted in the audit report. The VCCAO or designee will review the responsiveness of the corrective action taken and determine whether additional action may be required. In certain instances, it may be necessary to revisit the client to ascertain whether the corrective action taken is achieving the desired results; however, as a rule, we ask the client to provide appropriate documentation to support the corrective action. Reports of follow-up activity will be made at each meeting of the Committee on Audit. This follow-up report is referred to as the “Matrix.”