Auditmanual
Section Overview .01 The following sections set forth the mission and charter of the UC
Internal Audit Program and outline the policies and guidelines for
UC Internal Audit dual reporting and professional standards and
ethics.
Authority .02 The mission and charter authorize and guide the UC Internal
Audit Program in carrying out its independent appraisal function.
Mission Statement .03 The mission of the University of California (UC) internal audit
program (IA) is to provide the Regents, President, and campus
Chancellors, and Laboratory Director independent and objective
assurance and consulting services designed to add value and to
improve operations. We do this through communication,
monitoring and collaboration with management to assist the
campus community in the discharge of their oversight,
management, and operating responsibilities. Internal audit brings a
systematic and disciplined approach to evaluating and improving
the effectiveness of risk management, control and governance
processes.
Authority .04 IA functions under the policies established by the Regents of the
University of California and by University management under
delegated authority.
Independence and Reporting Structure .05 To permit the rendering of impartial and unbiased judgment essential to
the proper conduct of audits, internal auditors will be independent of the
activities they audit. This independence is based primarily upon
organizational status and objectivity and is required by external industry
standards.
Scope of Work .06 The scope of IA work is to determine whether UC’s network of risk
management, control, and governance processes, as designed and
represented by management at all levels, is adequate and functioning in
a manner to ensure:
• Risk management processes are effective and significant risks
are appropriately identified and managed.
Mandatory Guidance .08 IA serves the University in a manner that is consistent with the
standards established by the SVP/CCAO and acts in accordance
with University policies and UC Standards for Ethical Conduct.
At a minimum, it complies with relevant professional standards,
and the Institute of Internal Auditors’ mandatory guidance
including the Core Principles for the Professional Practice of
Internal Auditing, the Definition of Internal Auditing, the Code of
Ethics and the International Standards for the Professional
Practice of Internal Auditing. This mandatory guidance
constitutes principles of the fundamental requirements for the
professional practice of internal auditing and for evaluating the
effectiveness of the internal audit activity’s performance.
Certain Personnel Matters .09 Action to appoint, demote or dismiss the SVP/CCAO requires the
approval of The Regents. Action to appoint an IAD requires the
concurrence of the SVP/CCAO. Action to demote or dismiss an
IAD requires the concurrence of the President and Chair of the
Compliance and Audit Committee upon the recommendation of
the SVP/CCAO.
Dual Reporting Structure .01 In March 1995, The Regents’ Committee on Audit (predecessor to
the Regents’ Committee on Compliance and Audit) approved a
recommendation for a dual reporting structure for the University’s
Internal Audit Program. This Policy is intended to assist The
Regents and senior administrative officials with local
responsibility for the Internal Audit Program and internal auditors
in the understanding and execution of their responsibilities under
the dual reporting relationship.
Definition .03 Consistent with the guidelines of the Institute of Internal Auditors,
dual reporting means functional reporting to The Regents through
their Committee on Compliance and Audit, and administrative
reporting to management. Campus/lab Internal Audit Directors
report functionally to The Regents through the SVP/CCAO.
Campus and Laboratory Local Internal Audit Responsibilities (Cont’d) .06
• Involve internal audit in the design of major new
automated systems.
• Consult with the SVP/CCAO before assigning to the local
IAD any responsibility other than management of the
internal audit program in order to ensure that the audit
program’s independence is not impaired.
• Submit for review by the SVP/CCAO in draft form, audit
and investigation reports on sensitive matters and those
that are expected to be distributed outside of the normal
campus/laboratory channels. This will include all
investigation audit reports on matters reported to the
Systemwide Locally Designated Official (SWLDO)
pursuant to the Whistleblower Policy.
• Participate in benchmarking and other surveys, etc., as
requested for the assessment of the Internal Audit
Program.
• Contribute to the strategic planning efforts and
accomplishment of Internal Audit Program initiatives.
• Designate an external audit coordinator. (Note: the
coordinator does not have to be in the internal audit
office.)
• Fulfill reporting requirements as established by the
SVP/CCAO.
Responsibility table column headings: The Regents’ Committee on Compliance and Audit; UC President; Chancellor/Laboratory Director or Designee; SVP/CCAO
Legend:
S = Sole responsibility
P = Primary responsibility
X = Shared responsibility
Section Overview .01 The internal auditing profession is governed by a set of standards,
the Institute of Internal Auditors’ (IIA) International Professional
Practices Framework, which includes the Core Principles for the
Professional Practice of Internal Auditing, the Definition of
Internal Auditing, the Code of Ethics and the International
Standards for the Professional Practice of Internal Auditing
(Standards). These pronouncements provide guidance to internal
auditors on the practice of the internal auditing profession and
protect the interests of those served by internal auditors. The UC
Audit Program has adopted the Standards and the Code of Ethics
and has designed the policies and procedures included in this
systemwide Internal Audit Manual to comply with them, in
addition to UC policies and UC Standards for Ethical Conduct.
Alignment with the Standards for the Professional Practice of Internal Auditing .02 The UC Internal Audit Manual incorporates the practices and
procedures described in the IIA’s International Standards for the
Professional Practice of Internal Auditing. A matrix has been
prepared that cross-references the IIA Standards to the UC Internal
Audit Manual and demonstrates the audit program’s alignment
with the International Standards for the Professional Practice of
Internal Auditing.
Code of Ethics .03 The UC Internal Audit Program Professional Code of Ethics
incorporates the Code of Ethics adopted by the Institute of Internal
Auditors in June 2000 and UC policies and UC Standards for
Ethical Conduct. The Code of Ethics applies to all members of
the internal audit professional staff and should not be modified
from location to location. The Audit Director is responsible for
regularly reinforcing the concepts and behaviors embodied in the
Code of Ethics, for example, through discussions at staff meetings,
during interim or annual performance evaluations, or by other
appropriate methods.
UNIVERSITY OF CALIFORNIA
Internal Audit Program
Professional Code of Ethics
Campus/Laboratory Location
The Institute of Internal Auditors has adopted the following Code of Ethics, which applies to
both individuals and entities that provide internal auditing services. The Code of Ethics provides
guidance for staff in the conduct of their profession and elicits the trust and confidence of those
for whom services are rendered. The University of California Audit Program has adopted the
Code of Ethics promulgated by the Institute of Internal Auditors.
Principles
Internal auditors are expected to apply and uphold the following principles:
• Integrity
The integrity of internal auditors establishes trust and thus provides the basis for reliance
on their judgment.
• Objectivity
Internal auditors exhibit the highest level of professional objectivity in gathering,
evaluating, and communicating information about the activity or process being examined.
Internal auditors make a balanced assessment of all the relevant circumstances and are
not unduly influenced by their own interests or by others in forming judgments.
• Confidentiality
Internal auditors respect the value and ownership of information they receive and do not
disclose information without appropriate authority unless there is a legal or professional
obligation to do so.
• Competency
Internal auditors apply the knowledge, skills, and experience needed in the performance
of internal auditing services.
Rules of Conduct
1. Integrity
Internal auditors:
1.1. Shall perform their work with honesty, diligence, and responsibility.
1.2. Shall observe the law and make disclosures expected by the law and the profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are
discreditable to the profession of internal auditing or to the organization.
1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.
2. Objectivity
Internal auditors:
2.1. Shall not participate in any activity or relationship that may impair or be presumed to
impair their unbiased assessment. This participation includes those activities or relationships
that may be in conflict with the interests of the organization.
2.2. Shall not accept anything that may impair or be presumed to impair their professional
judgment.
2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the
reporting of activities under review.
3. Confidentiality
Internal auditors:
3.1. Shall be prudent in the use and protection of information acquired in the course of their
duties.
3.2. Shall not use information for any personal gain or in any manner that would be contrary
to the law or detrimental to the legitimate and ethical objectives of the organization.
4. Competency
Internal auditors:
4.1. Shall engage only in those services for which they have the necessary knowledge, skills,
and experience.
4.2. Shall perform internal auditing services in accordance with the International Standards
for the Professional Practice of Internal Auditing.
4.3. Shall continually improve their proficiency and the effectiveness and quality of their
services.
CROSS-REFERENCE OF
INSTITUTE OF INTERNAL AUDITORS ATTRIBUTE AND PERFORMANCE
STANDARDS TO THE UNIVERSITY OF CALIFORNIA AUDIT MANUAL

Each entry gives the Standard No. and Short Description of Standard, followed by the UC Audit Manual Reference and Section Title/Description.

Attribute Standards

1000 Purpose, Authority, and Responsibility - The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Core Principles for the Professional Practice of Internal Auditing, the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management for approval.
• 1100 Internal Audit Charter
• 1200 Policy on Dual Reporting for Internal Audit

1100 Independence and Objectivity - The internal audit activity must be independent, and internal auditors must be objective in performing their work. Safeguards must be in place to limit impairment to independence or objectivity if the CAE has roles that fall outside of internal audit.
• 1100.04 Internal Audit Charter – Independence and Reporting Structure
• 1200 Policy on Dual Reporting for Internal Audit
• 2200 Customers and Services

1200 Proficiency and Due Professional Care - Engagements must be performed with proficiency and due professional care.
• 1200.05 Policy on Dual Reporting for Internal Audit – SVP/CCAO Responsibilities
• 4100.04 Roles and Responsibilities – Director

1300 Quality Assurance and Improvement Program - The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.
• 1100.04 Internal Audit Charter – Independence and Reporting Structure
• 1200.05 Policy on Dual Reporting for Internal Audit – SVP/CCAO Responsibilities

2100 Nature of Work - The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact.
• 1100.05 Internal Audit Charter – Scope of Work
• 3200 Operating Plans

2200 Engagement Planning - Internal auditors must develop and document a plan for each engagement, including the scope, objectives, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement.
• 6100 Planning an Audit

2300 Performing the Engagement - Internal auditors must identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.
• 6200 Conducting an Audit

2400 Communicating Results - Internal auditors must communicate the engagement results.
• 6300 Reporting Results

2500 Monitoring Progress - The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.
• 1200.05 Policy on Dual Reporting for Internal Audit – SVP/CCAO Responsibilities

2600 Communicating the Acceptance of Risks - When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.
• 1100.04 Internal Audit Charter – Independence and Reporting Structure
• 1100.08 Internal Audit Charter – Certain Personnel Matters
• 6500.07 Other Audit Matters – Dispute Resolution
Section Overview .01 The following section provides an overview of the history and
evolution of the UC Internal Audit Program and of its current
array of customers and services. Additionally, it outlines the
requirements for Internal Audit to communicate information and
findings about its activities to its customers, the role of the
Systemwide Office of Ethics, Compliance and Audit Services in
the Internal Audit Program and guidelines for local oversight audit
committees.
Overview .01 UC Internal Audit has evolved since the mid-1950s from a single
function performing campus audits to an Internal Audit Program
comprised of twelve Internal Audit Departments operating under
the oversight of the Chief Compliance and Audit Officer’s Office.
The Program provides a broad spectrum of services to assist The
Board of Regents and University management in the discharge of
their oversight, management and operating responsibilities.
Establishment and Early Growth .02 Campus Audits - The Internal Audit Program was first
established at the University of California, Berkeley campus in
July 1955 with one auditor responsible for auditing at all of the
campuses. Soon thereafter, a second auditor established a "branch
office" based out of UCLA to provide audit services to the
southern campuses. The audit function remained centralized and
grew over time to a staff of approximately eight in the northern
division and six in the southern division by the early 1960s.
Implementation .05 Risk Assessment - The Core Audit Program was implemented for
the 1988-1989 fiscal year after additional system-wide staffs were
added to design and administer its elements. Its concepts were
used to drive the assessment of system-wide or "institutional" risk
in approximately 45 common areas of operations as a basis for
determining areas of audit focus on a system-wide basis. During
the seven years that the Core Audit Program was active, 23 Core
Audits were completed covering approximately one-half of the
universe of institutional risk areas identified by the Core Audit
Program.
Additional Restructuring of Program .06 Continued growth - From the late 1980s to the mid-1990s,
Internal Audit Program staffing increases at the individual
locations were largely driven by campus growth and by local
events that brought audit issues to the forefront.
Additional Restructuring of Program (cont'd) .06 Dual Reporting - Together with the hiring of a new University
Auditor, the appropriateness of the structure and adequacy of
operation of the Internal Audit Program was further studied at the
request of the Regents’ Committee on Audit. This resulted in the
March and September 1995 recommendations accepted for
adoption by the Regents’ Committee on Audit of a dual reporting
structure. After an external review in 2003, the guidelines were
subsequently updated in order for the University Auditor to take
full responsibility for certain responsibilities that were previously
shared with the campus/lab.
Audit Plan .07 The Core Audit Program was abandoned in 1995 in favor of a
system-wide risk assessment and audit planning methodology, and
increased reporting of local audit department activities to the
University Auditor. The risk based operating plan is discussed in
more detail in Section 3200.
Audit Plan (cont’d) .07 In 2006, management control of Los Alamos National Laboratory
was taken over by Los Alamos National Security, a limited
liability company (LANS LLC). In 2007, a separate limited
liability company, Lawrence Livermore National Security (LLNS
LLC) assumed control of Lawrence Livermore National
Laboratory. With these structural changes, the internal audit
departments began operating as separate organizations, thus
discontinuing functional reporting to the Office of Ethics,
Compliance & Audit Services. However, UC’s Chief Audit
Officer is a member of the Ethics and Audit Committee of LANS
LLC and LLNS LLC.
Overview .01 The UC Internal Audit Program's perspective of its customers and
services has evolved and broadened along with the changes
occurring within the internal auditing profession. The changes in
the profession itself are in part based on the standards and
guidance issued by the Institute of Internal Auditors. Even the
definition of internal auditing has been revised.
Customers of Internal Audit Services .02 In the broadest sense, the beneficiaries of the services of Internal
Audit include the taxpayers of the state of California, donors,
federal, state and private research sponsors, and all faculty,
students, patients and staff of the University. However, customers
are those we serve more directly and who are the recipients of our
services, or reports on services provided. The customers of
Internal Audit include those parties with oversight, management
and operating responsibilities for the University such as:
Services Provided by Internal Audit .03 Internal Audit's primary activity in fulfilling its mission is the
conduct of a program of regular audits of the University's business
operations. However, as the Internal Audit Program has evolved
and restructured in recent years, it has expanded to include
additional activities in order to enhance the value of services to its
customers. The Annual Audit Plan outlines Internal Audit
services under three types of activities as follows:
Services Provided by Internal Audit (cont’d) .03 Other - Internal Audit may serve in additional capacities such as
External Audit Coordinator (acting as liaison for campus visits by
regulators and investigators), Information Practices Act
Coordinator or Conflict of Interest Coordinator.
Alignment of Services with Customer Needs .04 Internal Audit's Services are designed to fulfill the varying needs
of its diverse customers. The operating plan of the Internal Audit
Program prepared annually aligns these services, across all of the
University's business operations.
University Lines of Business .05 The business operations of the University are organized under the
following three lines of business.
Use the following internet link to access the most recent fact
sheet for the medical centers:
http://health.universityofcalifornia.edu/files/2014/01/academicmedicalcenters101_1.21.14.pdf
2300 Communications
Local Internal Audit Oversight Committees .04 Local Committees provide oversight for the communication and
coordination of Internal Audit and related matters (e.g. external
audit matters and control initiative activities). The guidelines for
local audit oversight committees include the regular agenda of
information and reports to be reviewed.
President’s Compliance and Audit Committee .06 The President’s Compliance and Audit Committee (PCAC) meets
periodically. The role of the PCAC is to ensure the President and
other senior management officials are fully aware of major
systemwide compliance and audit issues, provide oversight of the
systemwide consolidated financial statement preparation process,
provide advice on staffing and direction of the internal audit
function, and advise on the adequacy of the organization and staff
pay of the campus audit offices.
Overview .01 The Office of Audit Services (part of the Office of Ethics,
Compliance and Audit Services) is a Department of the Office of
the Regents. Within it are two functions: the Office of the
President Internal Audit Department and the Systemwide Office
of Audit Services.
Coordination
• Conduct regular meetings of the IADs and other sub-
groups (e.g. health sciences IADs) as necessary
• Communicate with IADs regularly on all issues of interest
to the Internal Audit Program
Administration
Development
• Assist with IAD development and training
• Establish policies for the conduct of the Internal Audit
Program in consultation with the IADs
Duties of the Systemwide Office of Audit Services (cont’d) .02
• With the IADs, create and monitor the execution of a
strategic plan
• Maintain an awareness of and assess the impact
on the Program of developments in the accounting, public
accounting, and internal audit professions
Dual Reporting .03 See Guidelines for the Chief Compliance and Audit Officer's
administrative responsibilities for dual reporting at Section
1200.
Role and Responsibilities .04 See The Chief Compliance and Audit Officer's role and
responsibilities at Section 4100.
Purpose, Charter and Scope .01 Each UC campus and the Lawrence Berkeley National Laboratory
have a local committee that provides oversight for Internal Audit
activities to ensure appropriate communication and coordination
of internal audit and related matters. The intent is to share
information with and promote a dialogue among a variety of local
participants who collectively represent the customers of internal
audit services.
Composition and Chair .03 The composition of the committee will depend to some extent on
local custom, but should be broad enough to represent the interests
of the campus or lab community as a whole. It is important that
there be sufficient representation from the faculty administrative
leadership, the health sciences enterprise, a research perspective
and others deemed appropriate. Consideration should also be given
to including the campus or lab counsel if the committee is to deal
with investigation matters.
Meeting Frequency .04 Committees should meet quarterly, or three times per year at a
minimum. The meeting cycle can be viewed as tied to the annual
audit plan cycle.
Audit Reports and Follow-ups .07 The audit oversight committee’s input and guidance on sensitive
matters can be very useful to effective communications in audit
reports. In addition, their support in gaining customer acceptance
and encouraging committed responses to recommendations can be
very useful to effecting improvements. And lastly, broad
awareness that the audit oversight committee has an active interest
in tracking follow-up activities to make sure that committed
actions are completed in a timely manner helps assure their
appropriate attention. Accordingly, IADs may choose to share
draft audit reports with audit oversight committee members to
further these objectives as appropriate on an ad hoc basis.
External Audit & Agency Reviews .08 The audit oversight committee should routinely receive updates on
external audit and agency reviews occurring at the institution.
Such reviews can pose serious risks to the institution and warrant
active oversight and monitoring. As external reviews may be
coordinated by various functional units, schools, or divisions, the
audit oversight committee should serve as the central oversight and
monitoring body to assure risks are identified and corrective
actions implemented where indicated.
Annual Report .09 The audit oversight committee should be presented with a formal
annual report on internal audit activities. Such reporting will
apprise the committee of activities of the Internal Audit Program as
well as summarize key audit areas covered, identify significant risk
and internal control deficiencies, as well as outstanding high risk
corrective actions.
(CAMPUS/LAB LOCATION)
LOCAL AUDIT OVERSIGHT COMMITTEE
SAMPLE CHARTER
Purpose
The (Campus/Lab Location) local (Name) Committee will assist the (Campus/Lab Location)
Audit Department (Department) by helping to ensure that its objectives and goals support those
of (Campus/Lab Location) and the University.
Mission
The mission of the Department is to assist management and the Board of Regents in the
discharge of their oversight, management, and operating responsibilities through independent
audits and consultations designed to evaluate and promote the system of internal controls,
including effective and efficient operations.
Meeting Frequency
The local (Name) Committee will meet quarterly (or no less frequently than three times a year).
Regarding organizational status, the Internal Audit Director reports functionally to the Chief
Compliance and Audit Officer, who in turn reports to the Board of Regents and the President,
and administratively to the (indicate position to whom the Audit Director reports, who in turn
reports to the Chancellor). In performing the audit function, the Department has no direct
responsibility for, or authority over, any of the campus/lab processes reviewed.
Internal Audit’s independence is also based on its objectivity. Objectivity is a mental attitude
which internal auditors should maintain in performing audits. Internal auditors are not to
subordinate their judgment on audit matters to that of others.
Scope of Responsibilities
In order for the local (Name) Committee to assist the Department in carrying out its mission
and maintaining its objectivity and independence, the regular agenda will cover:
• Personnel changes and their impact on the completion of the Annual Audit Plan
• Major investigation activities and their impact on the program of regular audits
• On an annual basis, the proposed Annual Plan and an annual summary report of the
activities conducted by the Internal Audit function during the year.
The local (Name) Committee should participate in and review the activities related to the
development of the Annual Audit Plan, including the risk identification and risk assessment
processes. The local (Name) Committee should review the proposed Annual Audit Plan and
recommend its approval prior to its submission to the Chief Compliance and Audit Officer for
consolidation into the systemwide Annual Audit Plan. Any changes to the Annual Audit Plan
that result in approved audits being dropped from the current year’s plan, even if it only involves
the audit’s deferral into a subsequent year, require the approval of the local (Name) Committee
and the Chief Compliance and Audit Officer.
Section Overview .01 The following section sets forth the annual processes by which the
operating and strategic plans for the Internal Audit Program are
developed, monitored for progress and reported to customers.
Planning .02 UC Internal Audit undertakes an extensive planning process to
establish the operating plans for the Internal Audit Program on an
annual basis. These plans guide the Program in its goal of
providing the most timely and comprehensive scope of audit and
other services possible and in deploying its resources in an
effective and efficient manner.
Reporting .03 Internal Audit monitors activities and progress toward both the
annual operating and strategic plans and reports the related
information to The Regents and to UC Senior Management on a
quarterly and annual basis.
Overview .01 The strategic plan is one component of the Internal Audit Program
Annual Plan and conveys the planned efforts designed to provide
continuous improvement to the Internal Audit Program.
Objectives .02 The strategic plan objectives are driven by Internal Audit's
recognition of the needs and opportunities to improve the
Program, recommendations from periodic external reviews and
changes in the direction of the Internal Auditing profession. The
specific strategic plan goals in place at any given time can be
found on the Audit Services homepage.
Plan Establishment .03 The SVP/CCAO convenes the IADs for the purpose of creating
the strategic plan.
Overview .01 The Operating Plan is the primary component of the UC Annual
Audit Plan. The Plan represents the consolidated audit plans of
each of the campus and lab Internal Audit Departments, as well as
the allocation of human resources necessary to deliver these
services to customers. The Plan strives to assure an appropriate
balance among the University's lines of business as well as the
Internal Audit Program's service activities. The Plan also serves
as a tool to assist Internal Audit management in analyzing its mix
of customers and services and for measuring and monitoring the
risk exposure in the audit universe.
Annual Audit Planning .02 The Plans are developed annually through a comprehensive risk
assessment and audit planning process. The Systemwide Office
of Audit Services (OAS) leads a collaborative process to establish
the audit universe, identify strategic and business risk and develop
the planning guidelines to complete the annual audit planning
process.
Establishment of Audit Universe .03 The audit planning process begins with an understanding of the
entity, activity or process to be audited and identification of the
auditable elements or components of the entity, traditionally
referred to as the audit universe. The planning process involves
annual reconsideration of transactions, events or conditions which
may impact the audit universe such as:
• New activities, organizations and programs
Development of Annual Planning Guidelines .05 The Systemwide OAS develops Guidelines for Audit Planning on
an annual basis and submits proposals for any revisions to the
SVP/CCAO and Campus and Laboratory IADs. These guidelines
include:
Annual Planning Time Line .06 The Systemwide OAS distributes a specific time line defining
procedures and related deadlines for the audit planning process to
the Campus and Laboratory IADs each year. The timeline helps
to facilitate the preparation of the Operating Plan for its inclusion
in the draft Annual Audit Plan. The draft plan is presented to The
Regents Committee on Compliance and Audit at their May
meeting.
Annual Audit Planning Process .07 The annual audit planning process involves the Risk Assessment
Phase and the Audit Plan Preparation Phase.
• The Risk Assessment Phase is performed at the beginning
of the planning cycle and is focused on gathering current
risk information about the audit universe components and
assessing the relative risks necessary to prepare the Annual
Audit Plan, all in the context of the institution’s risks
previously identified.
Risk Assessment .08 A comprehensive and thorough risk assessment is the key driver
in the development of an effective audit plan. The risk assessment
process involves both a high level overview of topical and
selected strategic business risk as well as an intensive and
comprehensive process to assess risk for all items included in the
audit universe.
Audit Universe and Definitions .09 The audit universe identifies process and entity topics to allow
individual campuses and labs the flexibility to include local and
specific topics, to minimize the number of line items requiring
calculated risk assessments, and to provide a reporting format that
can be condensed at the levels of the various “tiers” for reporting
to different audiences and for different purposes. The audit
universe should be reviewed quarterly and updated as necessary to
address risk priorities in a changing environment.
Relative Risk Assessment .10 The audit risk of each component unit in the audit universe is
assessed. Relative risk assessment is necessary to provide a means
for rational deployment of limited resources across the audit
universe.
In assessing relative risk, auditors at each location gather
information from:
• Financial analyses
• Change analyses (management, systems, funding
sources/levels, regulations, etc.)
Risk Model .11 The Risk Model reflects terminology of the Committee of
Sponsoring Organizations (COSO) of the Treadway Commission
and is applied to all UC lines of business. The factors proposed for
campus, laboratory and health sciences environments are
identical. However, different weightings for each factor within
these three environments have been established.
• Reduced support
Predictive Factors And Value Weights (cont'd) .12 Selected audit topics may not appear to be material, but could
nevertheless influence risk. As sensitivity, exposure, or potential
for public embarrassment increases, the risk factor assigned will
increase. The amount of interest that The Regents or the Office of
the President expresses in a particular unit or function could also
impact this factor.
• Time sensitivity, mission criticality, support of life safety
processes
• Campus wide impact due to the loss of access to
information or reporting
Risk Model Scoring and Ranking .13 These predictive factors are weighted and scored, and the relative risk
ranking of each component of the audit universe is compiled by
local Audit Management.
Risk index results for the audit topics in one line of the business
environment should be comparable to risk index results for audit
topics in other environments. For example, an index of 700 for a
medical center topic should indicate the same level of risk as an
index of 700 for a campus or laboratory topic.
Analyses of Risk Assessments .14 As part of the risk assessment process the Systemwide OAS may
prepare various analyses of the preliminary risk assessments to
assist in the consistent application of the risk assessment
methodology among all of the UC sites. The analyses also strive
to identify common risks for the purpose of recognizing
opportunities for sharing risk mitigation strategies. The analyses
and their impact on the Annual Audit Plan will be discussed
among Audit Directors and their managers at a meeting held for
this purpose and scheduled as part of the annual planning timeline.
Audit Plan Preparation .15 Upon completing the risk assessment process, each campus or
laboratory Internal Audit department prepares a local Annual
Audit Plan following the requirements of the Planning Guidelines.
The package of Audit Plan materials is submitted to the
Systemwide OAS along with the final risk assessment results
according to the time line outlined under paragraph .02 of this
section. The local plans and risk assessment results are
consolidated into the systemwide Annual Audit Plan.
Resource Allocation Guidelines .16 General guidelines for the allocation of the percentage of time to
selected time charge categories are provided below. These are
only guidelines that may be changed from time to time, and local
circumstances may dictate planned levels outside the ranges
presented below. When this situation occurs, the IAD should
address the unique circumstances in the transmittal letter
accompanying the Audit Plan.
Documentation of Planning Process .17 Each IAD should maintain documentation of the annual audit
planning process. This documentation should include:
Approval of the Annual Audit Plan .18 Upon completion, the Annual Audit Plans are subject to review
and approval as follows:
• By the Local Audit Oversight Committee (who
recommends approved plan to the Chancellor/Lab
Director)
Changes to the Annual Audit Plan .19 Minor Changes - Relatively minor changes to priorities and the
contents of the plan should be submitted for information to the
Campus Audit Oversight Committee. If the above guidelines
cannot be met, the IAD should consult with local management and
the Systemwide OAS.
Request for Assistance .20 Any location which does not expect to accomplish at least 50% of
planned audit and advisory services (line items) listed in the
Annual Audit Plan as amended should confer with the Campus
Audit Oversight Committee and the SVP/CCAO to determine a
mutually acceptable method of obtaining additional resources or
implementing an alternative method to provide greater breadth of
coverage.
Overview .01 This section outlines the processes by which both the Strategic
and Operating Plans are monitored and the standard reporting
requirements for both internal reporting (within the Internal Audit
function) and reporting to management and The Regents.
Strategic Plan .02 The SVP/CCAO has ultimate responsibility for monitoring the
execution of the strategic plan. The “master” version of the plan
is maintained by the Systemwide OAS and is updated by input
from the workgroups as progress is reported. There are no set
forms or intervals for reporting against the strategic plan.
Operating Plan .03 The Internal Audit Program demonstrates accountability for its
resources as well as communicates its accomplishments through
quarterly reports to The Regents Committee on Compliance and
Audit and UC Senior Management.
• Personnel changes
2. Other Resources - This category will be used for paid overtime and hours in excess of
forty per week for exempt employees, plus contract auditors and recharge activity if staff
is shared between locations. Such recharges must eliminate in consolidation.
3. Non-controllable Hours - This category is for vacations, holidays, illness and all other
non-controllable official absences (e.g. military leave, jury duty, furloughs, and
bereavement).
Other will be limited and will be used for miscellaneous assignments such as suggestion
box committee, floor warden, etc., as well as outside professional interests that are not
captured as part of professional development.
5. Direct Hours - Direct Hours consist of the three lines of business—Audits, Advisory
Services and Investigations—plus Audit Support Activities, such as development of
Computer Assisted Audit Techniques (CAAT).
6. Regular Audits - The bulk of audit resources should be devoted to planned audits
identified as a result of the audit universe model and risk ranking process. For internal
reporting purposes only, planned audits are further broken down into categories
representing work against the current year audit plan.
7. Supplemental Audits - This category is created to recognize the dynamic nature of our
environment and to provide flexibility in the plan. Audits undertaken on a special request
basis or because of interim amendments to the risk assessment results are supplemental
audits. Audit work undertaken within the budget for Supplemental Audits is at the
discretion of the IAD with no need to seek approval from local Audit Oversight
Committees or the SVP/CCAO. If the volume of Supplemental Audits exceeds the
budget in this category, then other planned work is generally being displaced (absent
incremental resources) and care should be taken that the work undertaken is truly more
essential than the work displaced. The work being displaced may constitute an amendment
of the audit plan that should be dealt with as discussed herein for plan amendments.
10. Audit Support Activities - Activities in support of our local and systemwide audit
program are captured in this category. They are distinguishable from regular management
activities in that they clearly relate to the program as a whole and are easily identified with
the sub-captions that include:
b. Audit Planning - This support activity category is intended for annual planning
efforts including the risk ranking process and revisions to those plans. It is not
intended for planning time that should be charged to individual audits.
c. Audit Oversight Committee - This support activity is intended for time spent
preparing for Audit Oversight Committee meetings, attending meetings, handling
minor specific requests for information from audit committee members, and in
communication with Audit Oversight Committee members.
d. Systemwide Audit Support - This support activity is for efforts in support of the
overall systemwide audit program. Efforts on systemwide workgroups and projects
should be charged to this category. It should not be used for systemwide audits.
e. Quality Assurance - This support activity is intended primarily for the peer review
program and other limited local uses and should not be used for time related to
specific audits such as the pre-issuance review of audit reports.
4000 PERSONNEL
Section Overview .01 This section of the manual describes personnel policies adopted
by the Internal Audit Program. It includes sections on roles and
responsibilities, career development and counseling, training and
professional development, Skills Assessment and Resource
Analysis, and performance evaluations.
Application of UC Policy for Roles and Responsibilities .02 Each local Internal Audit Department consists of several levels of
staff positions, each having varying responsibilities for carrying
out the audit function. Each position is described and the related
responsibilities required to perform it are outlined.
Job Descriptions .03 Job descriptions that outline the roles and key responsibilities for
each staff level position have been developed. Each member of
the Internal Audit Department should have a current job
description signed by both the employee and supervisor. The job
description should reflect all of the activities and expectations for
the particular position. It should also include the knowledge,
skills and abilities required to perform the duties of the position.
Roles and Responsibilities (cont'd) .04 In carrying out this responsibility, he or she performs the
following:
• Oversees a highly visible audit function which is both
strategically and operationally important to the governance
of the institution
• Determines the nature, scope, and effectiveness of existing
compliance structures, processes, and policies for campus
activities
Related Guidelines for Roles and Responsibilities .05 Recruitment and Advancement Guidelines - The Internal Audit
Program identifies guidelines for basic educational and
professional experience qualifications as well as desired
knowledge, skills and abilities for each staff level. The
qualifications and knowledge, skills and abilities apply to both
candidates who are being recruited as well as staff members who
are being considered for advancement. They are also a useful
reference tool that can assist supervisors in preparing staff
evaluations and conducting career development and counseling
sessions.
Sample Job Description – Staff/Senior Auditor
POSITION OVERVIEW
In conjunction with the Assistant/Associate Director and/or Internal Audit Director (IAD), responsible for and
conducting financial, compliance and operational audits of campus organizations, departments and functions
to determine the adequacy of controls, the degree of compliance with established policies and procedures,
and the effectiveness and efficiency of the area under review.
FUNCTION/TASKS
% of Time    List the functions and tasks of the position.
5%           In consultation with the Assistant/Associate Director and/or IAD, plans the
             scope of the audit, prepares the audit program, and determines the
             appropriate auditing procedures and examination techniques to be applied
             (e.g., computer extracts, statistical sampling, etc.).
Sample Job Description – Principal/Supervising Auditor
POSITION OVERVIEW
Internal auditor position is responsible for performing or supervising full scope auditing and advisory services that
encompass financial, compliance, economy and efficiency, and effectiveness reviews as a service to management
according to professional auditing standards. Performs and directs audits and management studies of highly complex
areas at UCxx. Exercises interpersonal skills and judgment required for controversial and sensitive assignments.
Assesses organizational and operational risks for assigned review area, designs and prepares audit programs, establishes
contact with operating personnel, conducts fieldwork, prepares work papers, drafts reports, and follows up on
observations and recommendations. On a project basis, provides direction to support audit staff as may be assigned by
the Internal Audit Director (IAD), and mentors other staff members as assigned. Ability to act in an audit management
capacity in the absence of the Assistant/Associate Director. Communicates and interacts effectively with all levels of
management and staff.
FUNCTION/TASKS
% of Time/ Function/ List the functions and tasks in descending order of importance starting with the essential
Frequency Task No. functions. Number each function and write ESSENTIAL after each essential function.
50% 1. Conducts Financial, Operational, Functional and IS Application Audits
(Essential)
Performs full scope financial and compliance, efficiency, and effectiveness auditing as
a service to management in accordance with professional auditing standards. Audit
scopes encompass moderate risks that cross organizational lines; and involve complex
technology associated with the use of financial, medical, research and information
resources.
EMPLOYEE SIGNATURE
I certify that the above job description is correct, complete and describes my job as I understand it.
I have read and understand both the Safety and Overtime Payment statements.
_________________________________________________ _________________________________
Employee's Signature Date
SUPERVISOR’S SIGNATURE
I have reviewed the job description and the above statements and certify to their accuracy.
_________________________________________________ _________________________________
Supervisor’s Signature Date
Sample Job Description – Associate Director/Audit Manager
POSITION OVERVIEW
This internal auditor position is responsible for performing full scope auditing that encompasses financial,
compliance, economy and efficiency, and effectiveness reviews as a service to management according to
professional auditing standards. Supervises or performs audits and management studies of the highest
level of complexity that may include a myriad of external agencies' regulations and fraud issues. Serves as
audit coordinator with outside agencies to ensure effective interaction on external audits, investigations and
control system certifications. Assesses organizational and operational risks for assigned review area,
designs and prepares audit programs, establishes contact with operating personnel, conducts fieldwork,
prepares work papers, drafts reports, and follows up on observations and recommendations. Assists the
Internal Audit Director (IAD) as a member of the management team in the audit planning process, selecting
candidates for hiring, conducting performance evaluations and determining disciplinary action for pool of
staff auditors. Communicates and interacts effectively with all levels of management, staff, and external
agencies (public and private). Designs and presents seminars to assist management and staff in the
effective resolution of external audit and fraud issues. With the IAD, is jointly responsible for supervision of
campus and health sciences audits.
FUNCTION/TASKS
% of Time/ Function/ List the functions and tasks in descending order of importance starting with the essential
Frequency Task No. functions. Number each function and write ESSENTIAL after each essential function.
30% 2. Conducts Special / Fraud Audits and Manages Fraud Hotline (Essential)
Performs full scope financial and compliance, economy and efficiency, and
effectiveness auditing as a service for management according to professional auditing
standards. Audit emphasis is on regulatory compliance and fraud. Audit scopes
encompass high risk issues that cross organizational lines; require interaction with
external agencies; involve complex technology associated with use of financial,
medical, research, and information resources; and are sensitive to media exposure.
Manages UCxx’s hotline and performs appropriate follow-up as necessary.
I certify that the above job description is correct, complete and describes my job as I understand it.
I have read and understand both the Safety and Overtime Payment statements.
_________________________________________________ _________________________________
Employee's Signature Date
SUPERVISOR’S SIGNATURE
I have reviewed the job description and the above statements and certify to their accuracy.
_________________________________________________ _________________________________
Supervisor’s Signature Date
Sample Job Description – Internal Audit Director (IAD)
Basic Functions
The Director, Audit Services has overall responsibility for the conduct of the internal audit program
as provided for by the Audit Services mission and charter, the University of California Audit
Management Plan approved by The Regents, dual reporting structure for internal audit approved
by The Regents and professional standards issued by the Institute of Internal Auditors (IIA).
FUNCTION/TASKS
Oversees the preparation and execution of an annual campus audit plan prepared on the
basis of established systemwide risk assessment methodologies. Directs the
performance of the staff of audit professionals and support staff in the conduct of a
comprehensive program of financial, operational, compliance and IT audits.
Conducts fraud investigations and coordinates with campus management, the Locally
Designated Official, Campus Police, Human Resources, General Counsel and the OP
Director of Investigations as appropriate.
Consults, as requested, with both academic and business and finance administration on
internal control aspects of business practices and policy, and procedure development,
implementation and monitoring. Participates in or provides staff for related training
purposes as appropriate and coordinates with the Director of Controls and Accountability.
Coordinates all external audit activity on campus other than the annual financial and A-133
audit conducted by the public accounting firm engaged by the UC Regents.
Manages the department’s human resources. Recruits, develops, directs and evaluates
performance of the staff of audit professionals and support staff. Maintains a working
environment that fosters professional growth and advancement, teamwork, initiative and
creativity. Identifies staff development and training opportunities. Ensures that
processes are in place for feedback to and from staff on job related issues and the work
environment. Resolves any internal or external conflicts or difficulties in a timely, fair and
constructive manner.
Provides support to the Campus Audit Committee, prepares meeting agendas and
reports of activities for the Committee, and records the actions requested/approved by
the Committee.
Deals with matters of a highly confidential nature and extreme public and political
sensitivity using sound judgment and discretion, consulting with campus management
and the Chief Audit Officer as appropriate.
Ensures that the audit program adheres to the standards of the Institute of Internal
Auditors, including the Code of Ethics, and the University adopted standards.
Contributes to the enhancement of the systemwide audit program through participation
in systemwide initiatives, sharing best practices and participating in the UC Internal Audit
Quality Assurance Program.
Participates in campus Administrative Services meetings, serves on campus committees
and work groups as appropriate.
Manages the budget of the Audit Services Office. Ensures that financial resources are
organized and expended in support of Audit Services activities in the most economic
manner.
Career Development and Counseling Policy .01 The Internal Audit Program requires that a career development
and counseling process be implemented at each campus’ Internal
Audit Department in order to continuously enhance the skills and
abilities, guide the career paths and cultivate the varied interests
and abilities of its professionals.
Supplementary Guidelines for Career Development and Counseling .05 The Internal Audit Department and the University benefit from
the contributions of internal audit staff with traditional skill sets as
well as from the involvement of professionals from varied and
diverse backgrounds. Some of these individuals may be interested
after some time in career paths outside of internal audit. While
applying the Career Development and Counseling policy, the
following supplementary guidelines may be considered:
Career Advancement Goals .06 Goal setting - In connection with the Career Development and
Counseling Program, each professional may establish goals for
developing additional or enhanced skills necessary to adapt to
changing environments and increase his or her contribution to
Internal Audit. Through the enhancement of individual skills,
professionals prepare themselves for advancement opportunities.
Following are suggested guidelines for setting career advancement
goals:
• Goals should be aligned with both the individual’s aptitude
and interests and the objectives of the internal audit
program.
• Goal setting should occur in a participatory environment
where the short and long term interests of both the
individual and Internal Audit are considered.
Professional Certifications .01 All auditors are encouraged to have at least one professional
auditing related certification (e.g. CIA, CPA, CISA, CFE) that is
appropriate to their UC auditing responsibilities. Staff/Senior
Auditors, and Principal/Supervising Auditors are expected to have
at least one certification. Audit Managers should have an
appropriate professional auditing related certification.
Principal Goals Assessment Results .02 In addition to demonstrating compliance with the Standards, the
information gathered from the skills assessment can be used by
the Directors to:
Performance Evaluation Policy .01 Performance evaluations are required for every staff member to
document his or her performance, achievement of agreed upon
goals and compliance with departmental standards. Performance
evaluations serve several major functions:
Employee development - Through performance ratings and
constructive comments, the evaluation assists employees in
recognizing how their performance levels compare to the
expectations of management and provides recommendations for
further training or actions for improvement.
Management decisions - The evaluation process uses consistent
criteria to measure staff performance and, therefore, provides a
basis for making relative rankings among staff members. Relative
rankings and individual experience levels provide input to salary
and advancement decisions.
Professional standards - The evaluation is one of the
components of the overall process of supervision, quality
assurance, and development of the audit staff and demonstrates
compliance with IIA and departmental standards.
University of California
Performance Evaluation
Evaluation Ratings:
EE – Exceeds expectations, ME – Meets expectations, NI – Needs Improvement, NA – Not applicable
COMMUNICATION SKILLS    EE ME NI NA
• Demonstrates written communication proficiency (e.g. - reports are well written and
require minimal edits).
• Produces reports that are factual, supported by workpapers, and include only
relevant information.
• Demonstrates verbal communication proficiency (e.g. - communication is clear,
concise).
CAREER DEVELOPMENT
• Made progress towards achieving previous years’ goal/objectives.
OVERALL EVALUATION:
EE ME NI
Manager Comments:
The above Performance Evaluation was discussed with the employee and agreed upon by the employee,
Audit Manager, and IAD.
Signatures:
University of California
Interim Evaluation Form (Project Based)
Rating Scale:
1 – Did not meet expectations in basic and fundamental respects
2 – Expectations not met in one or more material respects. Improvement needed.
3 – Met expectations in material respects. Satisfactory performance.
4 – Fully meets expectations in all respects. Very high quality work.
5 – Exceeded expectations. Exemplary performance.
Rating
1 2 3 4 5 N/A
A. Planning the Audit
B. Performing the Preliminary Survey
C. Examine, Document and Evaluate Information
D. Working Paper Preparation
E1. Communicating Results Orally
E2. Communicating Results in Writing
F. Staff Relationships
G. Audit Client Relationships
H. Use and Organization of Resources
I. Professional Proficiency and Development
Signature:
__________________________________
Supervising Auditor/Manager Date
5000 LIAISONS
Section Overview .01 This section describes the relationships between Internal Audit and
the Campus Controllers, the Office of the General Counsel, Office
of Ethics and Compliance Services, Risk Services, External Audit
entities, law enforcement agencies, and the Department of Energy.
Overview .01 Internal Audit works in collaboration with the Office of Ethics
and Compliance Services, Risk Services and Campus Controllers
in order to strengthen the University's control environment.
Background .02 In November of 1996, the University launched a controls initiative
intended to heighten management’s ownership and responsibility
for the internal control environment. At the center of the controls
initiative was the creation of a controllership position at each
campus. (Medical Centers and the national lab already had
financial controllership functions in place.) The creation of the
controller’s position reaffirmed the concept that management is
responsible for controls.
Control Environment & Responsibilities .03 All employees share responsibility for ensuring an effective and
efficient control environment. However, certain groups of
employees are charged with more specific and interrelated
responsibilities with respect to the control environment.
Internal Audit - Assists management in their oversight and
operating responsibilities through independent audits, advisory
services, and consultations designed to monitor, evaluate and
improve the effectiveness of risk management, control, and
governance systems and processes.
Academic and Administrative Management - Responsible for
developing, implementing and maintaining controls to mitigate
risks and achieve objectives.
Faculty and Staff – Responsible for ensuring that operations are
conducted consistent with University values, policies, procedures
and regulatory requirements.
Office of Ethics and Compliance – Provides direction, guidance
and resource references to each University entity on how to
optimize ethical and compliant behavior through an effective
Ethics and Compliance Program.
Interrelationship Between Internal Audit and Other Controls-Focused Departments .04 Internal Audit helps the Office of Ethics and Compliance
Services, Risk Services and Campus Controllers identify the root
cause of challenges that may deter achievement of University
objectives. All of these controls-focused departments have a
natural interest in promoting sound controls through such
activities as training, development of appropriate policies and
procedures, identification of risks and utilization of risk mitigation
techniques. These activities are carried out jointly and separately
as determined locally, and should be viewed as mutual interests
rather than conflicting responsibilities.
Internal Audit plays an important role in the ERM effort being
coordinated by Risk Services. Primarily, Internal Audit serves as an
evaluator of ERM efforts by assessing the effectiveness of ERM
efforts at the systemwide, campus, or department level.
Additionally, Internal Audit can assist in educating departments
on ERM, facilitating risk assessments, coordinating ERM
activities, and collecting, analyzing and reporting risk exposures
and audit results on an aggregate enterprise-wide basis.
Overview .01 Internal Audit works in liaison with the Office of the General
Counsel (including Resident Counsel) on a number of matters,
including many sensitive investigation matters. These or other
matters may lead to a request to perform internal audit services for
the General Counsel on a privileged basis. This section provides
guidance on working with the Office of General Counsel.
Internal Audit Guidance (cont’d) .03 2) The Internal Auditor’s obligation to report in a fair and
unbiased manner must not be compromised. This does
not preclude sharing report drafts with attorneys, but the
auditor must retain the freedom to report facts that are
both favorable and unfavorable to the University’s
interests, and without undue influence.
Scope and Procedures .04 Counsel to approve audit program and direct us to perform the
work according to the approved program. Any changes to the
scope of the approved program should be discussed with and
approved by the Audit Officer and Counsel before any additional
work is undertaken.
Required Communications .05 It is expected that work will be undertaken for the General
Counsel only in rare circumstances, and as a result of special
considerations. Therefore, the Vice President & General Counsel
and the Audit Officer should be informed of each such instance.
An engagement letter, which includes a standard reference to the
conditions enumerated above, should be prepared for each such
arrangement and issued by the local Internal Audit Director (IAD)
to the responsible Counsel with copies to the Vice President &
General Counsel and the Audit Officer.
Draft Audit Reports .08 Particular attention should be paid to the handling and distribution
of draft audit reports. In contrast with normal procedures, draft
reports should be reviewed by the Audit Officer and Counsel
before any outcomes are discussed with campus/lab management
outside of Internal Audit. Draft reports should be shared with
only those directed by Counsel (only those on a “need to know”
basis) and should be carefully guarded. Distribution of any
materials should be clearly defined as attorney-client or work-
product privileged and should be collected after distribution as
directed by OGC. Draft reports should contain a “DRAFT”
marking to clearly identify them as such.
Reporting .11 Local campus, lab, and OP audit reports will be written and
addressed to Counsel with copies to the Audit Officer. There may
be a reason to consolidate and summarize the individual campus,
lab, and OP reports, but consultation with Counsel will occur
regarding this.
All communications to The Regents about the audit and the results
obtained will occur through Counsel.
Overview .01 The systemwide or local internal audit function may be delegated
responsibility, or shared responsibility, for the oversight of
external audit activities, including external investigations, at the
systemwide or local level. In these instances, Internal Audit
should be involved in all matters involving the audit activities and
has specific responsibility for:
• Assuring that senior management and the relevant
governance committees are kept apprised of the status of
external audits and investigations
• Coordinating responses to audit and investigation reports
• Coordinating follow-up reports of University actions in
response to audit or investigation report recommendations
Please refer to Sections .04 and .05 below for information on the
Regents Policy on Compliance with State Audits and Guidelines
on Audits Conducted by the California State Auditor.
Responsibilities .03 An external audit coordinator should act as a liaison for external
audit activities. This may include, but is not limited to,
coordination and review of client responses; assistance in
resolving questions and issues; coordination of interdepartmental
meetings; tracking, documenting and reporting outside audit
activities to management and relevant governance committees;
and follow-up on agreed-to corrective actions.
Regents Policy on .04 The Regents created and revised various governing documents
Compliance with in January 2018 to expressly prohibit obstruction or
State Audits interference with the State Auditor or disclosures to the State
Auditor and to clarify and strengthen the independence of
certain administrators when responding to audits or
investigations of the Office of the President. Included in these
changes was the implementation of Regents Policy 7503:
Policy on Compliance with State Audits, which includes the
following requirements:
Regents Policy on .04 C. Communication During State Audits of the Office of the
Compliance with President. If the subject of the State Auditor’s audit or
State Audits investigation is the Office of the President or any division or
(Cont’d) department within the Office of the President that reports directly
to the President of the University, the Chief Compliance and
Audit Officer, when carrying out obligations related to that audit
or investigation, shall report solely and exclusively to the Board
of Regents, through the Chair of the Compliance and Audit
Committee, and the General Counsel, when carrying out
obligations related to that audit or investigation, shall report
solely and exclusively to the Board of Regents, through the Chair
of the Board. Where there is a lack of clarity regarding whether
the Office of the President or any division or department within
the Office of the President is the subject of the State Auditor’s
audit or investigation, the Chief Compliance and Audit Officer
and the General Counsel shall consult with the Chair of the Board
and the Chair of the Compliance and Audit Committee to
determine whether single reporting is in effect for purposes of
such audit or investigation. Both the Chief Compliance and Audit
Officer and the General Counsel shall be responsible for keeping
the Chair of the Board and the Chair of the Compliance and
Audit Committee, respectively, apprised of the status of the State
Auditor’s audit or investigation.
Guidelines on .05 The California State Auditor (CSA) plays a critical role in our
Audits Conducted State in promoting the efficient and effective management of
by the California public funds and programs. To that end, the CSA has been
State Auditor granted authority to access documents and other information
from public entities, as further detailed below. It is the policy of
the University of California not only to comply with all lawful
requests by representatives of the CSA, but to facilitate the
efforts of the CSA in carrying out his or her mandate.
• Cooperate fully with all lawful requests from the CSA. Please
take special note of California Government Code §§ 8545.2(a),
(c) and 8545.6, which are set forth below.
• Provide timely, candid and complete responses to lawful
inquiries from the CSA. If you have no personal knowledge
related to a particular question, you should acknowledge that fact
to the CSA and identify individuals within the campus that may
be able to answer their inquiry.
• There are new laws that limit the kinds of discussions that can
occur between campus locations and the Office of the President.
Guidelines on .05 the request of the California State Auditor or his or her
Audits Conducted authorized representative.”
by the California
State Auditor California Government Code § 8545.2(c):
(Cont’d) “Any officer or person who fails or refuses to permit access and
examination and reproduction, as required by this section, is
guilty of a misdemeanor.”
Overview .01 Investigation activities may give rise to interactions with law
enforcement agencies. This section provides policy and guidance
for these circumstances.
UC Policy .02 Investigation results that conclude that a crime has probably been
committed shall be reported to the District Attorney or other
appropriate law enforcement officials for the purpose of
determining whether or not to pursue the matter criminally. The
UC Police are normally the conduit for communications with law
enforcement agencies.
Internal Audit .03 In cases where the UC Police have jurisdiction, they should be the
Guidance agency to which all investigation conclusions of potential
criminality are initially referred. In situations where the UC Police
do not have jurisdiction, the IAD needs to determine what the
appropriate agency may be. Such a determination depends on the
nature of the suspected criminality and local conditions. For
instance, a case of embezzlement at a rural co-operative unit may
be more appropriately handled at the level of County Sheriff than
a local police department with few resources. The IAD may wish
to consult the local UC Police unit or the Director of
Investigations for aid in making such a determination.
Internal Audit .03 Law enforcement officials may instruct Internal Audit to hold
Guidance (cont’d) confidential information about the investigation matter being
jointly addressed. Such instructions do not override the auditor’s
obligation to communicate with local senior management or the
Audit Officer.
Overview .01 UC Internal Audit maintains a liaison relationship with the United
States Department of Energy (DOE) with respect to the audit
services provided to Lawrence Berkeley National Laboratory
(LBNL).
History and .02 The origins of the University of California internal audit presence
Overview at LBNL date back to the early 1970s, when the UC Office of the
President maintained an internal audit function at each of the three
UC/DOE Laboratories (LBNL, Lawrence Livermore National
Laboratory and Los Alamos National Laboratory). A separate
contract with DOE provided funding for the internal audit
activities that were centrally managed through the Office of
Ethics, Compliance and Audit Services.
In late 1992, to more closely align the internal audit structure to
that of the UC campuses and to meet the newly required internal
audit clause in our contracts with DOE, the University
decentralized its DOE Contracts Audit Group, assigning the
function to the Laboratories.
Imbedded in each contract is the "standard" Department of Energy
Acquisition Regulation (DEAR 970.5204-9(h)) that requires the
UC/DOE Labs to:
"…conduct an internal audit examination, satisfactory to DOE, of
records, operations, expenses, and transactions with respect to
costs claimed to be allowable under this contract annually, and
such other times as may be mutually agreed upon. The results of
such audits, including working papers, shall be submitted or made
available to the contracting officer."
History and .02 To provide a basis for interpreting the standard internal audit
Overview clause, in 1992 the DOE Contracting Officers, the Office of
(cont’d) Inspector General (OIG), and the Contractor Internal Audit staffs
developed the Cooperative Audit Strategy. The Strategy’s
governing principles include:
DOE Audit .03 The DOE Acquisition Guide entitled Cooperative Audit Strategy
Criteria provides the following criteria to more fully define the contractors’
internal audit functions’ requirement to “…conduct an audit and
examination satisfactory to DOE…”
• Organizational independence
Annual Reviews .04 The DOE Contracting Officer is required to interpret and assess
the compliance of the internal audit functions with the
Cooperative Audit Strategy criteria. Additionally, the OIG
performs annual reviews of selected working papers as prescribed
in the DOE Office of Inspector General Audit Manual. These
reviews provide the basis for DOE's reliance on work performed
by the UC/DOE audit groups as well as the required external peer
review.
DOE Orders .05 Specific DOE Orders are accepted into the UC/DOE management
contracts. The following DOE Orders are relevant to maintaining
contract compliance and appropriate liaisons with the DOE
Contracting Officer, the Office of Inspector General and the US
General Accounting Office.
• 2030.4B - Reporting Fraud, Waste, and Abuse to the OIG
• 2300.1B - Audit Resolution and Follow-up
• 2320.1C - Cooperation with the OIG
• 2321.1B - Auditing of Programs and Operations
• 2340.1C - Coordination of GAO Activities
Contract .06 The Laboratory Administration Office (LAO) is responsible for
Oversight overseeing the UC/DOE contract for LBNL. All final internal
audit reports are distributed to LAO and the SVP/Chief
Compliance and Audit Officer (SVP/CCAO). Further, external
audits coordinated by the laboratory internal audit functions
should be appropriately communicated to LAO through opening
announcements, formal responses and final reports. LAO
approves the settlement of questioned costs on contracts with the
Department of Energy.
Section Overview .01 This section of the manual outlines the entire internal audit
process from the initial assignment through reporting and follow-
up.
General Audit Operating Process
[Flowcharts not reproduced: General Audit Operating Process and Local Audit Project Process.]
Abbreviations used in the flowcharts:
SVP/CCAO - Chief Compliance & Audit Officer
IAD - Internal Audit Director
SAD - Systemwide Audit Director
Policy .01 Internal Audit develops and documents a plan for every audit
prior to the commencement of audit fieldwork that includes the
project objectives, scope, results, timing, and resource allocations.
Application of UC .02 Adequate audit planning requires that audit management define an
Policy for appropriate preliminary audit scope that considers relevant
Planning systems, records, personnel, and the resources needed for the
audit.
Communication .03 Notification – A member of the audit team should notify the
with the Client parties responsible for an organization or area to be audited that an
audit is scheduled using local audit office protocol. Notification
should generally be sent via written memo or e-mail to the audit
client with copies to senior officials as appropriate.
Audit Plan and .04 Preliminary Survey - The auditor-in-charge should obtain and
Program review the following types of background information about the
Development area being audited (as applicable to audit scope):
• Objectives and goals
• Policies, plans, procedures, laws, regulations and contracts
having significant impact on operations
• Organizational information, such as number and names of
employees, job descriptions, process flowcharts, details
about recent changes, etc.
• Budget information, operating results and financial data
• Systems, records and physical properties including those
controlled by a third party
Audit Plan and .04 inquiries, in order to identify key controls and gain an
Program understanding of the related audit risk.
Development
(cont’d) The risk assessment further defines the objectives of the audit.
The auditor-in-charge must understand management’s assessment
of risk in their area and management’s monitoring and reporting
of risks.
Audit Plan and .04 Audit management generally approves the audit program at the
Program end of the preliminary survey. If there are adjustments to the
Development program, these adjustments should be approved by audit
(cont’d) management prior to beginning the related fieldwork. Changes to
the audit budget should be formally agreed to by audit
management as early in the audit timeline as possible.
Supplementary .06 While applying the planning policy, the auditor may also consider
Guidelines for the following supplementary guidelines:
Audit Planning
Communication - The preliminary objectives and audit timing
should generally be communicated to the client in advance of the
beginning of fieldwork to provide adequate preparation time for
the client.
Policy .01 Internal Audit must identify sufficient, reliable, relevant and
useful information to achieve the audit’s objectives. Internal
Audit must document sufficient, reliable, relevant and useful
information to support the audit conclusions reached. Internal
Audit will assure workpaper documentation is properly filed when
an audit is completed.
Workpaper .04 Purpose - The workpapers document the work the auditor has
Documentation done. The workpapers serve as the connecting link between the
audit assignment, the auditor's fieldwork and the final report.
Workpapers contain the records of planning and preliminary
surveys, the audit program, audit procedures, fieldwork and other
Workpaper .04 documents relating to the audit. Most importantly, the workpapers
Documentation document the auditor's conclusions, the reasons those conclusions
(cont’d) were reached, and whether the objectives were achieved.
UNIVERSITY OF CALIFORNIA
INTERNAL AUDIT
SAMPLE ATTESTATION STATEMENT – Auditor in Charge
Auditor in Charge
I have been the Auditor in Charge for our (audit, advisory service, or investigation) of (project
name and number). In this capacity, I prepared the (audit, advisory service, or investigation)
program and working papers or reviewed all working papers prepared by the staff assigned to this
project. I also prepared or assisted in the preparation of the report to be issued.
In my opinion, the working papers were prepared in accordance with professional standards
established by the IIA and the University of California Internal Audit Program and comply with
our department policies. Also, in my opinion, the working papers support the findings and
conclusions in the report, and the report complies with IIA and University standards and
department policies.
___________________________________________ _______________________
Signature date
UNIVERSITY OF CALIFORNIA
INTERNAL AUDIT
SAMPLE ATTESTATION STATEMENT – Assistant or Associate Director
I have been the Manager or Assistant or Associate Director assigned to our (audit, advisory service,
or investigation) of (project name and number). In this capacity, I approved the (audit, advisory
service, or investigation) program and reviewed all working papers prepared by the assigned staff.
I also reviewed the report to be issued.
In my opinion, the working papers were prepared in accordance with professional standards
established by the IIA and the University of California Internal Audit Program and comply with
our department policies. Also, in my opinion, the working papers support the findings and
conclusions in the report, and the report complies with IIA and University standards and
department policies.
___________________________________________ _______________________
Signature date
UNIVERSITY OF CALIFORNIA
INTERNAL AUDIT
SAMPLE ATTESTATION STATEMENT - Director
Director
Our (audit, advisory service, or investigation) of (project name and number) has been conducted
under my supervision and direction. As the Director, I approved the (audit, advisory service, or
investigation) program and reviewed the working papers to the extent required by professional
standards established by the IIA, the University of California Internal Audit Program, and the
department. I also reviewed the report to be issued.
In my opinion, the working papers were prepared and reviewed in accordance with professional
standards established by the IIA and the University of California Internal Audit Program and
comply with our department policies. Also, in my opinion, the working papers support the findings
and conclusions in the report, and the report complies with IIA and University standards and
department policies.
___________________________________________ _______________________
Signature date
Application of UC .02 An audit report is issued upon the completion of each project.
Policy for Reporting of audit results and recommendations assists all levels
Reporting Results of UC management and members of the Board of Regents in the
effective discharge of their responsibilities. The process for
reporting results includes draft report preparation and reviews,
quality assurance reviews and final audit report issuance and
distribution.
Report Elements .03 Audit reports can be written in narrative or columnar form and
should generally include the following elements:
Report Timeliness .04 Reports should be issued as soon as practical following the
completion of the audit work. The IAD should establish processes
for ensuring the timely issuance of audit reports.
• Reports should be reviewed in draft form with responsible
operating management on a timely basis following
completion of audit work
• A management response should be requested within a
prescribed time frame in order to ensure timely issuance of
the final report
Report Timeliness .04 • The audit report may be issued without the response in the
(cont’d) event of undue management delays in responding with a
statement by the auditor as to the status of the response
(i.e. pending date, unknown, etc.)
Audit Report .05 A pre-issuance quality assurance review of draft and final audit
Quality Assurance reports should be performed by the auditor-in-charge of the
engagement or an independent party and should be reviewed by
audit management.
The IAD should review and approve the final report prior to
issuance.
Report .06 Draft audit reports - Report copies should be distributed to:
Distribution
• Management personnel directly responsible for the audited
activity or activities to ensure factual accuracy of draft
report content.
• Higher level management where necessary to obtain
authorized commitment to recommended actions or to
inform management timely of a sensitive issue.
Report .06 When reports are distributed by electronic means, a hard copy
Distribution version of the report should be retained with evidence it was sent
(cont’d) by the IAD.
AUDIT REPORT
PRE-ISSUANCE
QUALITY ASSURANCE CHECKLIST
REPORT ELEMENTS
Draft Final N/A
1. The audit report includes:
• Transmittal letter (transmittal letter for final audit report must
be signed by the director)
• Report summary (one page Executive Summary preferred)
• Purpose of the audit, including the origin/source, as
appropriate*
• Objectives*
• Scope of the audit, including time period covered, functions
or processes reviewed, and audit techniques used, as
appropriate*
• Background information describing the audited organization
or activity*
• Audit results
− Audit findings
− Audit conclusions (opinions)
− Audit recommendations (or its equivalent)
• Management’s response or management’s action plan or
statement as to status
• Schedules and attachments, as appropriate, to support or
provide additional detail for report content
2. Draft report is clearly labeled as a draft
Policy .01 Internal Audit maintains an audit follow-up process to monitor the
disposition of results communicated to management and whether
significant risks are resolved by management.
Application of UC .02 The audit follow-up process assists management and The Regents
Policy for Audit in monitoring and overseeing potential risk exposures identified in
Follow-Up the audits. The process involves assessing the adequacy and
effectiveness of actions taken by management to resolve and/or
minimize the risk area identified and documenting and
communicating outstanding follow-up issues to higher levels of
management, when appropriate.
Policy .01 Internal Audit maintains policies for managing administrative and
other matters related to the audit process in order to facilitate the
continuing effective and efficient operation of its function.
Application of UC .02 Policies for the following other audit matters are described in this
Policy for Other section: Project management and reporting, record retention,
Audit Matters dispute resolution, scope limitations, client satisfaction surveys
and access to audit information.
• Project number
• Project name
• Location
• Project code
• VC Area
• Type of project (audit, advisory service, investigation)
• Audit Universe identifier
• Line of business (campus, lab, health science)
• Audit team
• Hours budgeted
The TEC (Time and Expense Capture) module is used on a
system-wide basis to capture the following information:
• Actual hours expended for each project
Project .03 SVP/Chief Compliance & Audit Officer – Campus and Lab
Management and audit departments are responsible for keeping information in the
Reporting (cont'd) TEC (Time and Expense Capture) module and TeamCentral
module of the TeamMate audit management system current as
requested by the SVP/CCAO. The SVP/CCAO uses information
generated from TeamMate to provide quarterly and annual reports
to the President and the Regents’ Committee on Compliance and
Audit.
Record Retention .04 Audit work products are the property of the University. Internal
Audit maintains custody of all audit work products, which are
subject to the retention requirements set forth below.
Audit work products – Audit work products include reports and
workpapers for all audit, investigation, and advisory service
projects. They may be in electronic or hardcopy form.
Record Retention .04 Audit work products should be retained by the local audit
(cont’d) departments as follows:
Dispute Resolution .07 Disputes Between Audit Staff & Audit Management - The
exercise of professional judgment involved in determining
reportable conditions and the expression of conclusions in audit
reports may lead to differences in professional opinions.
Dispute Resolution .07 Disputes Between the Audit Client & Auditors - Disputes
(cont’d) which may arise between internal auditors and audit clients can be
generally categorized into those regarding the factual accuracy of
reported findings, and those dealing with the appropriateness of
conclusions or recommendations (the "fairness" of the audit report
in total or specific matters). Such disputes are separate from
scope limitations imposed by audit clients.
Scope Limitations .08 Definition - Scope limitations include situations in which a client
is uncooperative, attempts to limit the scope of planned work or
denies access to records, personnel, assets or other information
necessary to complete the audit.
The Management Charter provides Internal Audit unrestricted
access to all assets, information, reports, records, and personnel
required to perform their work.
Scope Limitations .08 and involved in the process to assist in its resolution. The matter
(cont’d) should be brought to the attention of the Local Audit Committee,
as warranted or escalated to the Regents, if necessary.
Client Satisfaction .09 Each Internal Audit department should measure and monitor the
Surveys satisfaction level of its clients in order to continuously maintain
and improve the quality of services provided.
Transactional Survey - This type of survey should be used to
elicit the client’s perception of the service rendered and identify
opportunities for improvement in those instances where a report is
issued.
The Client Satisfaction Survey included as Appendix 6500.1 to
this section or a locally-developed equivalent should be used. A
standard rating scale should be implemented in order to facilitate
the measuring of results.
Client Satisfaction .09 Results of the surveys should be tabulated and shared with the
Surveys (cont’d) auditor-in-charge, IAD, persons to whom the IAD reports and, at
least annually, to the Local Audit Committee.
Access to Audit .10 All final audit reports dating back to January 1, 2008 are
Information accessible to the general public via the University’s Reporting
Transparency website, unless designated as sensitive or
confidential (http://www.universityofcalifornia.edu/reportingtransparency/).
All requests for access to, or copies of, audit workpapers and audit
reports not available on the Reporting Transparency website are
subject to the approval of the IAD.
The IAD should inform the SVP/CCAO of all requests for audit
materials related to public record requests, investigations or other
sensitive matters in advance of their release.
The IAD should inform client management of any requests by
internal or external parties for access to or copies of audit
materials not available through the University’s Reporting
Transparency website.
Access to Audit .10 External Audit Requests - The IAD should normally approve
Information requests for audit materials by external audit agencies or firms
(cont’d) duly engaged by the UC Regents and other authorized audit
agencies where the report and/or workpaper content is pertinent to
the external audit scope.
UNIVERSITY OF CALIFORNIA
INTERNAL AUDIT DEPARTMENT
CLIENT SATISFACTION SURVEY (page 1 of 2)
Survey Questions (rating scale: Strongly Agree, Agree, Neither Agree Nor Disagree, Disagree, Strongly Disagree, No Basis)
UNIVERSITY OF CALIFORNIA
INTERNAL AUDIT DEPARTMENT
CLIENT SATISFACTION SURVEY (page 2 of 2)
Please feel free to provide additional comments regarding the performance of Internal Audit in
the space provided below. We are especially interested in any thoughts you might have on how
we can improve our efforts to provide value at the University of California.
UNIVERSITY OF CALIFORNIA
INTERNAL AUDIT DEPARTMENT
MANAGEMENT SATISFACTION SURVEY (page 1 of 2)
TO: _________________________________
CAMPUS/LAB: ______________________
UNIVERSITY OF CALIFORNIA
INTERNAL AUDIT DEPARTMENT
MANAGEMENT SATISFACTION SURVEY (page 2 of 2)
11. Are there any specific changes we can make to improve our audit
process?
_____________________________________________________________________________
1 Risk Universe adapted from Deloitte & Touche, LLP, IT Internal Audit Risk Assessment, Bishop & Carpenter July 2008.
Audit Planning .04 Documentation of the planning for each audit assignment
must evidence consideration of:
Required .05 Each campus should strive to have both IT audit generalists and
Information specialists on staff to provide coverage of IT risks, recognizing
Technology Audit that most functional area reviews require IT audit generalist
Skills 2 knowledge and skills.
2 These requirements are in addition to a working knowledge of internal control concepts in general, e.g., preventive controls, detective controls, corrective controls, and governance and management controls.
• Others, as needed
Deployment of .06 In all cases, IT audit projects will be staffed with auditors and
Resources supervisors that have IT audit skills commensurate to meet IIA
professional standards. Of special concern are audits that appear
to require the skills of an Information Systems Auditor –
Specialist.
Section Overview .01 This Section of the manual establishes the standards for
conducting investigations. It includes criteria for determining
whether an engagement qualifies as an investigation and,
therefore, becomes subject to these investigation standards.
7100 Introduction
Application of .02 The investigation standards shall apply for an internal audit
Investigations engagement when:
Standards
• The primary purpose is to gather, develop, examine and/or
evaluate evidence to determine if there has been suspected
improper governmental activity as defined in the
University Whistleblower Policy committed by a person or
entity; and
• Allegations of an improper act have been received, or
investigation issues have surfaced as part of a routine
audit, whenever the circumstances would result in the
potential for legal action, whether in the form of hearings,
litigation, or criminal proceedings.
Application of .02 It is expected that such an engagement would also determine the
Investigations techniques used in committing the improper act, the extent of
Standards (cont'd) damage caused by the improper act, and the causal factors
permitting or contributing to the improper act (including internal
control or policy violations or deficiencies).
There are matters related to fraud that are not covered by the
investigation standards set forth in this manual. They include:
Definition of .03 For purposes of this manual, an improper act includes both an
Improper Act improper governmental activity as defined in statute and serious
or substantial violations of University Policy as defined in the
University of California Policy on Reporting and Investigating
Allegations of Suspected Improper Governmental Activities
(Whistleblower Policy).
The Client .04 The ultimate clients of the investigations conducted by Internal
Audit are The Regents of the University of California.
Accordingly, the Internal Audit function of the University of
California acts with independence and derivative authority to
initiate investigations on its own for the benefit of the client. Such
activities are normally coordinated with designated channels at
each location. However, the local procedures do not override
Internal Audit's authority to conduct investigations. In rare
circumstances when agreed to by General Counsel and the Chief
Audit Officer, an audit may be undertaken under the direction of
Counsel and the work product protected by the attorney-client
privilege – usually when litigation is pending.
Roles and .05 Following are the primary roles and related responsibilities
Relationships for conducting investigation services:
Roles and Relationships (cont’d) .05 Law Enforcement - If it appears that a crime may have been
committed, campus police, Office of the General Counsel and
Department of Energy (DOE) Office of Inspector General –
Investigations for Lawrence Berkeley National Laboratory
should be consulted to determine appropriate action with
regard to the investigation and legal proceedings. Unless
otherwise requested by the cognizant agencies, it is expected
that UC Police will normally handle all communication with
other law enforcement bodies.
Initiating an Investigation .01 While the specific reasons for initiating an investigation will vary,
there must be an adequate basis for suspecting a possible improper
act. The primary factors to consider are:
• The allegation or suspicion, if true, constitutes an improper
governmental activity under law or a serious or substantial
violation of University policy. If not, then no matter how
egregious a situation or behavior may appear, it would not
provide a basis for an investigation under this standard.
• An allegation should be accompanied by information
specific enough to be investigated. For example, "There is
fraud in the hospital", by itself, is not sufficient to begin an
investigation.
• An allegation should have, or directly point to,
corroborating evidence that can give the allegation
credibility. Preliminary investigation procedures to
corroborate such evidence (testimonial or documentary)
may be considered.
Documentation .03 Within audit investigations there are two types of documentation:
administrative and evidentiary. The two types of documentation
should be kept discrete.
Administrative documentation pertains to the management of
the case within the University that does not have a direct bearing
on evidence.
Administrative documentation includes, but is not limited to,
materials evidencing:
• Chronologies of important events.
• Planning not pertaining to allegations or evidence (e.g.
personnel scheduling).
• Engagement administration.
Evidentiary Documentation .04 Evidentiary Workpapers – These documents include, but are not
limited to, interview notes or summaries, originals and copies of
University records, charts, graphs, spreadsheets, abstracts of
University records, schedules or commentaries prepared by the
audit investigator and results of tests. As determined appropriate
in consultation with General Counsel, internal audit evidentiary
workpapers may be referenced or provided to University
management, counsel, or prosecutors.
Initial Notification to OP .01 The IAD shall notify the Office of Ethics, Compliance, & Audit
Services of any audit investigation as soon as it appears that the
investigation:
Interim Communications .02 Updates and changes in the status of information provided above
are made through the systemwide whistleblower case
management system, to apprise the Office of Ethics,
Compliance & Audit Services of the progress of investigations.
Updates should be made, at a minimum, whenever there is a
development in the investigation that materially affects the
information previously provided, including, but not limited to,
new allegations, certain allegations shown to be untrue, the entry
of law enforcement or other authorized investigative body into
the case, changes in the principal subject, media or other public
interest and new estimates of dollars involved. In those cases
that are inactive, or for which there has been no change, a
monthly update reflecting that status should be made to the
systemwide investigation case management system consistent
with information contained in the Monthly Report of Significant
Matters.
Communication of Results .03 There are different types of reports that can be issued. Generally,
the differences depend on the end-users of the reports, which
may in turn depend on whether any administratively or legally
actionable matters were sustained in the course of the
investigation.
Report Format .04 For purposes of formal reporting, an executive summary and a
detailed section of the report are normally expected, unless the
case is so simple that such a breakdown would not be warranted.
Matters dealing with the allegations or theories of improper acts
should be either in a separate report from the one dealing with
control issues, or they should be located in a separate section of
the investigation report.
Report Elements .05 Each report must contain certain elements, no matter what type
of report is issued. These elements are:
Report Elements (cont’d) .05 If the allegation is not substantiated there are two main types of
situations.
Report Distribution .06 Investigation reports are a special purpose type of audit report.
Accordingly, all normal draft and final report distribution
policies and practices, including copies to OP, are applicable.
Care should be taken to ensure that the addressee is at an
appropriately high level of management.
Report Distribution (cont’d) .06 there may be privacy rights of witnesses that should be
protected, regardless of a finding of wrongdoing. Consultation is
recommended with campus counsel and the Public Records Act
coordinator where privacy concerns are implicated.
Record Retention .07 Record Retention requirements can be found at Section 6500.
Section Overview .01 The following Section sets forth the process by which Internal
Audit should perform advisory services in a manner consistent
with its charter. Policies for the types of advisory services
engagements which are performed, and issues concerning
objectivity and independence are discussed in this section.
Definition .02 Advisory and related client service activities, the nature and scope
of which are agreed with the client, are intended to add value and
improve an organization’s governance, risk management, and
control processes without the internal auditor assuming
management responsibility. Examples include advice, facilitation,
training and participation in on-going committees.
Inclusion in Audit Plan .03 Internal Audit’s annual plan of engagements should include
anticipated advisory services along with unallocated hours for
these projects. The audit planning process may include
consideration of advisory services engagements to address areas
considered high risk.
Use in Risk Assessment .04 Internal auditors should incorporate knowledge of risks gained in
advisory service engagements into the process of identifying and
evaluating significant risk exposures of the organization.
Policy .01 In most cases, Internal Audit should develop and record a plan for
advisory services engagements.
Advisory Services Work Plan Development .03 Advisory Services Work Plan (in lieu of Audit Program
section in Section 6100)
Work plans for advisory service engagements should vary in form
and content depending upon the nature of the engagement. In
general, an advisory services work plan should be prepared in
advance of field work and should outline:
• Objectives of the engagement
Policy .01 Internal Audit maintains a process for communicating the results
and recommendations for all advisory services engagements to the
management requesting the services.
Oral Report Elements .04 In some circumstances, with the agreement of the IAD, advisory
services results may be communicated orally. In these cases,
presentations should be reviewed in advance with the IAD and the
workpapers should contain a record of communications with the
client.
Advisory Services Report Quality Assurance .05 For larger advisory services projects, a pre-issuance quality
assurance review of draft and final written reports should
normally be performed by the auditor-in-charge of the
engagement or an independent party and be reviewed by the
Assistant/Associate Director or IAD. The IAD should review and
approve the final report prior to issuance.
Report Timeliness .06 Written and oral reports should be issued as soon as practical
following the completion of advisory services work.
Management Responses .07 A management response to an advisory services engagement is
not required.
Significant Internal Control Concerns .09 Significant internal control concerns coming to the attention of the
auditor during the course of the advisory services engagement
should be communicated in writing by Internal Audit to
appropriate Laboratory/Campus personnel who can ensure that the
results are given due consideration. These concerns should also be
communicated to the SVP/CCAO.
Follow-Up Policy and Procedures .01 The auditor should conduct follow-up in instances where internal
control concerns have come to the attention of the auditor and
recommendations or management corrective actions have been
identified during the course of the engagement.
Policy .01 Internal Audit maintains policies for managing administrative and
other matters related to the advisory service process in order to
facilitate the continuing effective and efficient operation of its
function.
Application of UC Policy for Other Advisory Services Matters .02 Policies for the following other advisory services matters are
described in this section: records retention and client satisfaction
surveys.
Records Retention .03 Advisory service projects are considered audit work products for
records retention purposes.
Client Surveys .04 For advisory services projects requiring over forty hours to
complete, client surveys should be processed.
Section Overview .01 This Section of the manual describes the quality assurance
processes practiced by Internal Audit at the University of
California to ensure that audit work conforms to Institute of
Internal Auditors (IIA) and University standards. It includes
standards for local as well as system-wide quality assurance
processes.
The Chief Compliance and Audit Officer and the campus Internal
Audit Directors (IADs) must develop and maintain a quality
assurance and improvement program that covers all aspects of the
internal audit activity. The quality assurance and improvement
program must include both internal and external assessments.
UNIVERSITY OF CALIFORNIA
INTERNAL AUDIT DEPARTMENT
PRE-FILING REVIEW CHECKLIST
Audit __________________________________________
QAIP .03 The QAIP process provides reasonable assurance that the internal
audit activity:
QAIP (cont’d) .03 The peer review team for LBNL must be led by a Director from
another independent DOE contractor.
External Quality Assurance Review .04 An External Quality Assurance Review must be conducted at least
once every five years by a qualified, independent reviewer or
review team from outside the University. The team reviews the
overall system-wide University audit program. The scope of the
review should include all University internal audit locations
except LBNL.
Periodic Reviews .06 The periodic internal assessment process (IAP) at UC is designed
to assess conformance with the internal audit charter, the
Standards, the Code of Ethics, the efficiency and effectiveness of
internal auditing in meeting the needs of its various stakeholders
and the identification of best practices and areas for improvement.
Reporting .01 The SVP/CCAO must communicate the results of the quality
assurance and improvement program to senior management and
The Regents.