ABOUT INTERNAL AUDITS:

1.  Why was I selected for an internal audit?

2.  What is the AMAS audit process?

3.  What can I expect?

4.  What types of projects does AMAS do?

5.  What documents will I need for an internal audit?

6.  Who can request an internal audit?

7.  What are internal controls?

8.  How long will it take?

9.  Will there be a written report and who will receive it?

10. Do I have any say in this process?

AMAS performs an annual assessment of all the operating units and processes at UCSD to identify areas of possible institutional risk. These operating units and processes are risk-ranked using the following seven factors:

• Management Control Environment
• Business Exposure
• Public and Political Sensitivity
• Compliance Requirements
• Administrative and Financial Reporting
• Organizational Change / Growth
• Information Technology Processing

Based on the available resources and risk-ranking, AMAS develops an annual audit plan. The annual plan will consist primarily of audit topics selected based on perceived areas of risk, but will also include topics or departments selected based on how long it has been since their last review (for core topics, or large departments). Discussions with UCSD senior management, and UCSD Audit Committee members are used to fine tune the final audit plan that is endorsed by the Audit Committee, approved by the Chancellor, and forwarded to the University Auditor.

The audit process consists of the following components:

• Entrance Meeting
• Preliminary Survey
• Field Work
• Communicating Results
• Follow-Up

Other activities undertaken by AMAS such as the performance of management consultations or internal control training follow a less structured process.

For a Detailed Description of the components of the Audit Process, see below:

1. Entrance Meeting

An entrance meeting is generally conducted with the department to discuss the audit objective, scope, timing, report process, and management concerns, if any.

2. Preliminary Survey

The survey usually involves reviewing budgetary information, flowcharting key departmental processes, reviewing departmental objectives, and identifying and testing key departmental processes and controls. The preliminary survey may indicate that additional field work is necessary to focus on areas where controls could be improved. Often, during the planning process, the auditor works in consultation with client management to determine the most useful focus of the audit.

3. Field Work

During the field work phase, the auditor gathers, classifies, and appraises information to measure and evaluate the effectiveness of specific departmental processes and controls. Sample transactions for a specific test period are often evaluated. Throughout the course of audit fieldwork, the auditor confers with departmental representatives about areas where improvements may be appropriate.

4. Communicating Results

Upon completion of the field work, the auditor prepares a draft audit report which outlines the audit objective, scope, observations, recommendations, and conclusions. The purpose of the exit meeting is to discuss the draft audit report conclusions and recommendations, and resolve any misunderstandings regarding the content and accuracy of the report. Following the exit conference, the report is revised as needed, finalized, and distributed to campus management including the cognizant Vice Chancellor, and the University Auditor. All prior draft reports are destroyed.

Departments are required to submit written management responses to recommendations appearing on the final report. Whenever possible, corrective actions agreed to by management and AMAS are included in the final report, in lieu of a subsequent written departmental response. This enables the audit report to be a more complete document with respect to how issues noted during the audit are being resolved.

5. Follow-up

AMAS performs follow-up on observations to determine whether departments have implemented corrective actions. The follow-up is generally performed six to twelve months after the audit report is issued. When it has been determined that corrective actions have resolved the underlying audit issue, the audit is considered closed. This is usually effected by an internal administrative action, as opposed to a more formal communication to the department.

Your experience with Audit & Management Advisory Services will likely be a friendly one. While a single individual conducts most audits, some audits are conducted in teams so as to benefit from the individual experience of each team member. Audits vary in length depending on the work requested. An audit may extend from just a few days to several weeks or months. The auditor will not spend all of this time with you directly. Typically, he or she will need to document the effort and analysis involved in the review, which often can be done away form the site. The source of the request for audit will be discussed with you in as much detail as possible.

4. What types of projects does AMAS do?

AMAS performs various types of audit and non-audit projects. These include:

• Planned Campus or Health Sciences Audits
• Special Request Audits
• Investigations
• Participation on Committees
• Small Consultations
• Coordinating External Audits
• Systems Development or Reengineering Projects

For a detailed description of the different project types, see below:

Planned campus or health sciences audits are defined as specific audit projects that were included in the annual audit plan based on the results of the annual risk assessment process.

Special request audits are audit projects that were not included in the annual audit plan. These projects are typically requested by UCSD management or by the Office of the President. Specific requests for audits should be discussed with the Audit Director at 858 534-3617.

An investigation is a review of reported or suspected improper activities. Investigations may be initiated upon receipt of an allegation that University resources have been misused or misappropriated.

Committees are special groups or task force groups created by Campus or Health Sciences management to address specific problems or ongoing issues. Committees are typically identified on the annual audit plan and may span multiple years.

Small consultations are defined as projects requested by UCSD management, or other individuals such as UCOP or inquiries from other audit offices.

External audits are defined as projects performed by external regulatory agencies or other consulting/audit firms for which AMAS provides overall coordination assistance.

A reengineering project is a system development or process redesign effort. These efforts are typically included in the annual audit plan.

Requested documents for a typical departmental audit may include, but are not limited, to the following:

• Long and short range management plans
• Results of prior managerial and external reviews
• Action plans for significant management initiatives
• Organizational charts
• Process flowcharts
• Summary of contracts and grants and/or clinical research projects
• Departmental-specific policies and procedures
• Budgetary, financial, management, and exception reports
• Source documents such as payroll records, travel vouchers, recharges, and cost transfers

Anyone can request an audit by calling the Director, Audit & Management Advisory Services. Some audit requests will originate with the Regents of the UC Board of Trustees, the Office of the President, or campus executive management. In order to help determine the relative importance of a particular request in comparison to items already included in the annual plan, additional requests for reviews are generally routed through a department head, dean, or director.

Internal controls are the way in which we ensure business is conducted in the manner we intend. They reflect our values of what’s the right and wrong way of doing things. The basic internal control is dependent on those who implement them.

Next, how we design our transaction process to happen in certain ways – and how we make sure that they do – represent our internal control environment. Internal controls can be informal, such as by consensus. They can be explicit, also, in the form of codes, rules, regulations of conduct and process.

When internal controls are not appropriate in their design or function or if they’re inadequate, and give undesired outcomes, then they should be revised.

AMAS examines controls in that light and makes recommendations necessary to improve them.

8.  How long will it take?

An audit may extend from just a few days to several weeks or months. The auditor will not spend all of this time with you directly. Typically, he or she will need to document the effort and analysis involved in the review, which often can be done away form the site. The source of the request for audit will be discussed with you in as much detail as possible.

All audit information is treated as confidential and is reported only to those who need to know within the institution. The reports go only to those administrators and institutional executives who are responsible for the functions being reviewed. The final report will be addressed to the next level above the audited organization. The University Auditor at UCOP and the Vice Chancellor Resource Management & Planning receive copies of final reports. Beyond these people, who receives the report depends upon the nature of the issues and activities involved.

Yes. The internal audit process is a cooperative effort between the management of the unit or activity being reviewed and the auditor. Full participation is essential to the success of the effort. There may be times, however, when because of the sensitive nature of the issues involved, the auditor will have to follow a course of investigation which the circumstances mandate and for which it is not appropriate to collaborate.