Business & Finance is responsible for coordinating all campus audits, both internal and external, for the University and Auxiliary Organizations. We support a number of audits, including financial, compliance, internal control, and investigative.
California State University Stanislaus
One University Circle
Turlock, California 95382
Building Location: Mary Stuart Rogers Educational Services Gateway Building (Building #27)
MSR 274
Associate Vice President, Financial & Support Services
8:00 a.m. - 5:00 p.m.
Monday - Friday
If you are notified of an upcoming audit, please contact the Associate Vice President, Financial & Support Services immediately for assistance.
- We centrally coordinate all external audits and act as a liaison between auditors and campus personnel. All pending audits must be reported to the AVP Financial & Support Services to ensure appropriate coordination with all related parties and entities. External entities that could approach the campus for an audit include the CSU Chancellor's Office (Office of Audit & Advisory Services), federal agencies, various State departments, and CPA firms.
- We serve as a resource regarding policies, laws, and regulations and internal controls.
- We provide analysis, advice, research, and information on a variety of administrative and financial policies and internal controls.
- We have the responsibility to review and assist departments with preparation of external reporting.
Purpose of Audits
An audit is a process for providing a review or verification of programs, activities, or functions. This review is conducted in an independent and objective manner. Purposes of audits include the following assurances:
- Compliance with policies, laws, and regulations
- Safeguarding of resources and assets
- Economical and efficient use of resources
- Accurate and reliable financial information and reports
Types of Audits
Financial audits examine the accounting and reporting of financial transactions. The auditor reviews controls over the receipt and disbursement of funds, the safeguarding of assets, and the recording of transactions in accordance with Generally Accepted Accounting Principles, or GAAP.
Compliance audits review whether all applicable laws, regulations, policies, and procedures are followed. Recommendations typically call for improvements in processes and controls intended to ensure compliance with regulations. CSU campuses are subject to the following:
- Internal Revenue Code
- California Education Code
- State Administrative Manual (SAM)
- State University Administrative Manual (SUAM)
- Resolutions and policies established by the CSU Board of Trustees
- A-133 Single Audit for nonfederal entities that expend $500,000 or more of federal awards in a fiscal year (OMB Circular A-133)
- Executive Orders issued by the Chancellor
- Integrated CSU Administrative Manual (ICSUAM)
- Policies and directives issued by the Chancellor's Office, usually in the form of Coded Memoranda
- Auxiliary Internal Control/Compliance Audit
- Campus policies and procedures
Internal Control audits are a specialized type of audit that focuses on the internal control environment of automated information processing systems and are typically conducted by the Office of Audit & Advisory Services.
Investigations are conducted when there is a suspicion or allegation of fraud, embezzlement, or waste. Investigations involve the examination of records and interviews of employees to determine if any illegal activities have taken place, which, if proven, normally lead to disciplinary action and/or criminal prosecution.
An audit, whether conducted by an internal or external auditor, will typically consist of the following steps. The term "client" usually means the management of the department or activity being audited.
The auditor will gather and review background information about the client's activity, determine the audit scope and objectives, and develop an audit program identifying the issues to be examined, questions to be asked, and documents to be reviewed.
The auditor meets with department management to discuss the audit objectives, approximate time schedules, types of auditing tests, and how the audit results will be communicated.
The auditor visits the campus department to interview key personnel and evaluate whether good internal control processes are in place, documented, and being followed. This will usually include transaction testing to verify that established policies and procedures are actually being followed.
Determination of Results
As deficiencies or "opportunities for improvement" are identified, the auditor will bring them to the client's attention in an attempt to resolve them before completing the fieldwork. At the end of the fieldwork, the auditor usually reviews all preliminary observations and findings with the client at an informal exit conference.
Draft Report
The auditor writes a draft audit report, identifying problems detected and making recommendations for improving operations, and forwards the report to the client for review. The auditor meets with the client at a formal exit conference to discuss the draft audit report and resolve any disagreements.
The auditor issues a final draft report, and asks the client to submit a written response to each recommendation, usually within 30 - 45 days. The client is expected to concur with each recommendation and provide a corrective action plan including an estimated date of completion.
The auditor issues the final audit report.
Generally, the auditor will follow up to ensure implementation of the recommendations.
You may have heard the term "internal control(s)," but what exactly is it? Evaluating internal controls is one of internal auditing's primary responsibilities. The Institute of Internal Auditors (IIA) defines control and control processes as follows:
A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
Control processes are the policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process. Risk management is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.
A broadly accepted definition of internal control comes from the Committee of Sponsoring Organizations (COSO)¹ of the Treadway Commission's report entitled The Control-Integrated Framework (COSO Report) as follows:
Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
Key points about internal control include:
- It is a process.
- It is achieved by people.
- It can only provide reasonable assurance.
- It is geared to the achievement of objectives.
In the California State University (CSU) environment, internal controls serve the following purposes:
- Protect the University's Assets
- Ensure Records Are Accurate
- Promote Operational Effectiveness and Efficiency
- Encourage Adherence to Policies
- Ensure Compliance with Laws, Regulations, and Contracts
Generally, controls are of two types:
- Preventative Controls: Designed to discourage errors or prevent irregularities from occurring. They are proactive controls that help prevent a loss. Examples: Separation of duties, proper authorization, adequate documentation, and physical control over assets.
- Detective Controls: Designed to find errors or irregularities after they have occurred. Examples: Reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.
The COSO Report further defines five interrelated components of internal control:
- Control Environment: This sets the tone of the organization and is the foundation for all other components.
- Risk Assessment: Management establishes activity-level objectives and mechanisms for identifying and analyzing risks related to their achievement.
- Control Activities: Policies and procedures that ensure management's directives are carried out and help ensure that necessary actions are taken to address risks to achievement of the entity's objectives.
- Information and Communication: Information identified, captured, and communicated in a form and timeframe to enable people to carry out their responsibilities.
- Monitoring: The process that assesses the quality of the system's performance over time, which includes ongoing monitoring activities, separate evaluations or a combination of the two.
The auditors, right? Wrong! Everyone plays a part in the CSU's internal control system. Ultimately, it is CSU management's responsibility to ensure that controls are in place. That responsibility is delegated to each area of operation, which must ensure that internal controls are established, properly documented, and maintained. Every employee has some responsibility for making this internal control system function. Therefore, all CSU employees need to be aware of the concept and purpose of internal controls. Internal audit's role is to assist management in their oversight and operating responsibilities through independent audits and consultations designed to evaluate and promote the systems of internal control.
The IIA defines internal auditing as an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
The internal audit activity evaluates the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. Internal audit reviews include the reliability and integrity of financial and operational information, effectiveness and efficiency of operations, safeguarding of assets, and compliance with laws, regulations, and contracts. These reviews also ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization, as well as the extent to which results are consistent with established goals and objectives and whether operations and programs are being implemented or performed as intended.
1. COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.
Updated: November 20, 2023