
Types of Audits & Standards

Types of Audits

With the guidance of the original legislation, as interpreted by Senator Harmer, and The International Standards for the Professional Practice of Internal Auditing (Institute of Internal Auditors), A&AS uses a variety of audit techniques in its review of campus programs/resources. These audit techniques are commonly referred to as:

  • Operational Audits - Examine the use of unit resources to evaluate whether those resources are being used in the most effective and efficient manner to fulfill the University’s mission and objectives. An operational audit may include elements of the other audit types listed below.
  • Financial Audits - Focus on accounting and reporting of financial transactions, including commitments, authorizations, and receipt and disbursement of funds. The purpose of this type of audit is to verify that there are sufficient controls over cash and cash-like assets, and that there are adequate process controls over the acquisition and use of resources. Unlike external financial audits, internal financial audits do not prepare or express professional opinions on the fairness of the presentation of financial statements.
  • Compliance Audits - Review adherence to laws, regulations, policies, and procedures. Examples include federal and state law, Trustee policies, and chancellor’s office directives. Recommendations typically call for improvements in processes and controls intended to ensure compliance with regulations.
  • Information Systems (IS) Audits - Examine the internal control environment of automated information processing systems and how people use those systems. IS audits typically evaluate system input, output, and processing controls; backup and recovery plans; system security; and computer facilities. IS auditing projects can focus on existing systems, as well as systems in the development stage.
  • Internal Control Reviews - Focus on the components of major university and auxiliary organization business activities. Areas such as payroll and benefits, cash handling, inventory and equipment and their physical security, grants and contracts, and financial reporting are usually subject to review.
  • Investigations - Seek to establish evidence of impropriety through a systematic tracking down of information the auditor hopes to discover or needs to know. Investigations include alleged instances of fraud, waste and abuse, and improper governmental activities.
  • Advisory Services - More consultative in nature than traditional audits and performed in response to requests from campus management. Advisory services enhance awareness of risk, control and compliance issues and provide a proactive independent review and appraisal of specifically identified concerns. Advisory services may include internal control and risk management reviews, transition reviews, business process assessments, and other activities.

Standards

California Government Code Section 1236 (July 1983) requires all state agencies that have their own internal auditors to:

... utilize the general and specified standards of internal auditing prescribed by the Institute of Internal Auditors (IIA).

In January 2009, the IIA issued the International Professional Practices Framework (IPPF) with two categories of guidance: Mandatory and Strongly Recommended. The three mandatory elements are the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). The three strongly recommended elements are Position Papers, Practice Advisories, and Practice Guides.

The definition of internal auditing states the fundamental purpose, nature, and scope as follows:

"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."

The Code of Ethics states the principles and expectations governing the behavior of individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for conduct and sets out behavioral expectations rather than specific activities.

The Standards are principle-focused and provide a framework for performing and promoting internal auditing. The Standards consist of statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance; and interpretations, which clarify terms or concepts within the statements.

Section 2100 of the Standards outlines the nature of work of A&AS and states that the internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach. This includes:

2110 Governance – The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

  • Promoting appropriate ethics and values within the organization.
  • Ensuring effective organizational performance management and accountability.
  • Communicating risk and control information to appropriate areas of the organization.
  • Coordinating the activities of and communicating information among the board, external and internal auditors, and management.

The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities; and assess whether the information technology governance of the organization supports the organization’s strategies and objectives.

2120 Risk Management – The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the:

  • Achievement of the organization’s strategic objectives.
  • Reliability and integrity of financial and operational information.
  • Effectiveness and efficiency of operations and programs.
  • Safeguarding of assets.
  • Compliance with laws, regulations, policies, procedures, and contracts.

The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.

2130 Control – The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:

  • Achievement of the organization’s strategic objectives.
  • Reliability and integrity of financial and operational information.
  • Effectiveness and efficiency of operations and programs.
  • Safeguarding of assets.
  • Compliance with laws, regulations, policies, procedures, and contracts.