University Auditor
Audit Committee Charter

Statement of Purpose, Types of Audits, and Standards

Purpose
Education Code Section 89045, enacted by Chapter 1406 of the Statutes of 1969, provided for the establishment of an internal auditing function reporting directly to the Trustees of the California State University (CSU). Subsection (b) of the Code states that the duties of this function/internal audit staff shall include, but not be limited to, auditing, reviewing, cost and system analysis, analyzing and recommending operating procedures for the California State University. Subsection (c) of the Code states that management audits shall be made to determine the effectiveness and efficiency of the organization, operation, and procedures of each state university, each auxiliary organization, and the Office of the Chancellor.
 
In 1991, the Department of Finance determined that it no longer had the staff resources required to perform internal control reviews of the CSU. Such reviews are required as part of the Financial Integrity and State Manager's Accountability Act (FISMA) of 1983. The Office of the University Auditor (OUA) now performs these reviews on all campuses once every two years.

In 1999, the Trustees' Committee on Audit took action at the January 1999 meeting of the Board, which required the OUA to perform an internal compliance/internal control review of each auxiliary organization. The OUA performs these reviews at all auxiliary organizations once every three years.

Types of Audits
With the guidance of the original legislation, as interpreted by Senator Harmer, and The International Standards for the Professional Practice of Internal Auditing (Institute of Internal Auditors), the OUA uses a variety of audit techniques in its review of campus programs/resources. These audit techniques are commonly referred to as:

  • Operational Audits - Examine the use of unit resources to evaluate whether those resources are being used in the most effective and efficient manner to fulfill the University's mission and objectives. An operational audit may include elements of the other audit types listed below.
  • Financial Audits - Focus on accounting and reporting of financial transactions, including commitments, authorizations, and receipt and disbursement of funds. The purpose of this type of audit is to verify that there are sufficient controls over cash and cash-like assets, and that there are adequate process controls over the acquisition and use of resources. Unlike external financial audits, internal financial audits do not prepare or express professional opinions on the fairness of the presentation of financial statements.
  • Compliance Audits - Review adherence to laws, regulations, policies, and procedures. Examples include federal and state law, Trustee policies, and chancellor's office directives. Recommendations typically call for improvements in processes and controls intended to ensure compliance with regulations.
  • Information Systems (IS) Audits - Examine the internal control environment of automated information processing systems and how people use those systems. IS audits typically evaluate system input, output, and processing controls; backup and recovery plans; system security; and computer facility reviews. IS auditing projects can focus on existing systems, as well as systems in the development stage.
  • Internal Control Reviews - Focus on the components of the university and auxiliary organization major business activities. Areas such as payroll and benefits, cash handling, inventory and equipment and their physical security, grants and contracts, and financial reporting are usually subject to review.
  • Investigations - Seek to establish evidence of impropriety, and imply a systematic tracking down of information the auditor hopes to discover or needs to know. Investigations include alleged instances of fraud, waste and abuse, and improper governmental activities.
  • Consulting Services - Add value and improve an organization's governance, risk management, and control processes without the auditor assuming management responsibilities. Consulting services may include counsel, advice, and facilitation.

Standards
California Government Code Section 1236 (July 1983) requires all state agencies that have their own internal auditors to:
... utilize the general and specified standards of internal auditing specified on the effective date of this section in the publication entitled, "Standards for the Professional Practice of Internal Auditing," as published by the Institute of Internal Auditors, Inc. (IIA), in its fourth printing, dated April 1980.
In January 2002, the IIA issued The Professional Practices Framework with three categories of guidance: Standards and Ethics, Practice Advisories, and Development and Practice Aids; and a new definition of internal auditing as follows:
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."
Section 2100 of The International Standards for the Professional Practice of Internal Auditing outlines the nature of work of the University Auditor and states that the internal audit activity evaluates and contributes to the improvement of risk management, control, and governance systems. This includes:
2110 Risk Management – Internal auditors should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems. The internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system and evaluate risk exposures to the organization's governance, operations, and information systems regarding the:
  • Reliability and integrity of financial and operational information.
  • Effectiveness and efficiency of operations.
  • Safeguarding of assets.
  • Compliance with laws, regulations, and contracts.
2120 Control - Internal auditors should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems including the:
  • Reliability and integrity of financial and operational information.
  • Effectiveness and efficiency of operations.
  • Safeguarding of assets.
  • Compliance with laws, regulations, and contracts.
2130 Governance - Internal auditors should assess and make appropriate recommendations for improving the governance process with respect to (1) promoting appropriate ethics and values within the organization, (2) ensuring effective organizational performance management and accountability, (3) effectively communicating risk and control information to appropriate areas of the organization, and (4) effectively coordinating the activities of and communicating information among the board, external and internal auditors, and management. The internal audit activity should evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.


Content Contact:
Anne Marie Douglas
(562) 951-4430

Last Updated: November 19, 2009