UNIVERSITY OF CALIFORNIA

INTERNAL AUDIT MANUAL

CONTENTS
INTRODUCTION

SECTION 1000 AUTHORITY, ORGANIZATION AND PROFESSIONAL STANDARDS
1100 Mission and Management Charter
1200 Outline of UC Audit Management Plan
1300 Policy on Dual Reporting for Internal Audit
  Appendix 1 – Organizational Chart
1400 Professional Standards and Ethics
  Appendix 2 – Responsibility Chart
  Appendix 3 – IIA Code of Ethics
  Appendix 4 – Cross Referenced Ethics Matrix

SECTION 2000 INTERNAL AUDIT PROGRAM
2100 History and Overview
2200 Customers and Services
2300 Communications
2400 Role of the University Auditor’s Office
2500 Guidelines for Local Audit Committees
  Appendix 5 – Sample Audit Committee Charter

SECTION 3000 INTERNAL AUDIT PROGRAM PLANNING AND REPORTING
3100 Strategic Plan
  Appendix 6 – FY04/05 Strategic Plan
3200 Operating Plans
  Appendix 7 – Audit Planning Timeline
  Appendix 8 – Risk Model
  Appendix 9 – Audit Universe
  Appendix 10 – Sample Audit Plan and Narrative Guidelines
3300 Monitoring and Reporting
  Appendix 11 – Standard Time Categories and Definitions

University of California

6/9/2009

SECTION 4000 PERSONNEL
4100 Roles and Responsibilities
  Appendix 12 – Sample Job Description (Staff/Senior)
  Appendix 13 – Sample Job Description (Principal/Supervisor)
  Appendix 14 – Sample Job Description (Manager)
  Appendix 15 – Sample Job Description (Director)
  Appendix 16 – Sample Skills Matrix
4200 Career Development and Counseling
  Appendix 17 – Sample Career Development Form
4300 Training and Professional Development
4400 Skills Assessment and Resource Analysis
4500 Performance Evaluations
  Appendix 18 – Sample Performance Evaluation
  Appendix 19 – Sample Interim Evaluation

SECTION 5000 LIAISONS
5100 Campus Controllers
5200 General Counsels Office
5300 State Auditor General
5400 Law Enforcement Agencies
5500 Department of Energy

SECTION 6000 AUDIT SERVICES
  Appendix 20 – Internal Audit Process
  Appendix 21 – General Audit Process
6100 Planning an Audit
  Appendix 22 – Sample engagement letter
  Appendix 23 – Sample audit assignment sheet
  Appendix 24 – Sample preliminary survey template
6200 Conducting an Audit
  Appendix 25 – Sample Attestation (Auditor)
  Appendix 26 – Sample Attestation (Manager)
  Appendix 27 – Sample Attestation (Director)

6300 Reporting Results
  Appendix 28 – Audit Report Pre-Issue Check list
6400 Audit Follow-up
6500 Other Audit Matters
  • Project Management and Reporting
  • Record Retention
  • Dispute Resolution
  • Scope Limitations
  • Client Satisfaction Surveys
    Appendix 29 – Sample Client Survey
    Appendix 30 – Sample Management Survey
  • Access to Audit Information
  • Electronic Workpapers
6600 Conducting Information Technology Audits

SECTION 7000 INVESTIGATION SERVICES
7100 Introduction
7200 Conducting an Investigation
7300 Communications and Reporting

SECTION 8000 ADVISORY SERVICES

SECTION 9000 QUALITY ASSURANCE
9100 Quality Assurance Processes at the Local Level
  Appendix 31 – Sample Pre-Filing check list
9200 System-wide Quality Assurance Programs
9300 Quality Assurance Review Manual


INTRODUCTION

Purpose
.01 The purpose of this manual is to outline the authority and scope of the Internal Audit function within the University of California (UC or University) and to document standards and provide cohesive guidelines and procedures for the Internal Audit Department. These guidelines aim to provide for consistency, stability, continuity, standards of acceptable performance and a means of effectively coordinating the efforts of the staff members comprising the Internal Audit Department.

Objective
.02 The overall objective of the Internal Audit function is to provide all levels of University management and The Board of Regents with an independent assessment of the quality of the University’s internal controls and administrative processes, and provide recommendations and suggestions for continuous improvements. The auditor's judgment will be required in applying this information to specific audit assignments. This manual should provide guidance, but it should not inhibit professional judgment, practicality and innovative auditing.

1000 AUTHORITY, ORGANIZATION AND PROFESSIONAL STANDARDS

Section Overview
.01 The following sections set forth the mission and management charter of the UC Internal Audit Program and outline the policies and guidelines for the UC Internal Audit Management Plan, dual reporting and professional standards and ethics.

Authority
.02 The mission and management charter authorizes and guides the UC Internal Audit Program in carrying out its independent appraisal function.

Organization
.03 It is the policy of The UC Board of Regents to establish and maintain an Internal Audit Program as a staff and independent appraisal function. Internal Audit examines and evaluates University business and administrative activities in order to assist all levels of management and members of The Board of Regents in the effective discharge of their responsibilities and furnishes them with analyses, recommendations, counsel and information concerning the activities and records reviewed. Internal Audit is a management control that functions by assessing the effectiveness of other managerial controls. Internal Audit is headed by a University Auditor in the Office of the President. The University Auditor is appointed by the President. The University Auditor prepares, for approval by the President and The Board of Regents Audit Committee, a UC Internal Audit Annual Plan that defines the Audit Program to be conducted for the University during the year.

Professional Standards
.04 The University of California Internal Audit Program complies with the Institute of Internal Auditors’ Standards for the Professional Practice of Internal Auditing and Code of Ethics.

1100 Mission and Management Charter

Mission Statement
.01 The mission of internal audit is to assess and monitor the university community in the discharge of their oversight, management, and operating responsibilities in relation to governance processes, the systems of internal controls, and compliance with laws, regulations and University policies including those related to ethical conduct by providing relevant, timely, independent, and objective assurance, advisory and investigative services using a systematic, disciplined approach to evaluate risk and improve the effectiveness of control and governance processes.

Management Charter
.02 The Regents last revised the Management Charter in March 2004.

Authority
Internal Audit functions under the policies established by The Regents of the University of California and by University management under delegated authority.

Independence
Independence is essential to the effectiveness of the Internal Audit Office. To permit the rendering of impartial and unbiased judgment essential to the proper conduct of audits, internal auditors will be independent of the activities they audit. This independence is based primarily upon organizational status and objectivity. The University Auditor reports functionally to The Regents through its Committee on Audit and administratively to the Senior Vice President—Business and Finance. The University Auditor also has direct access to the President of the University. The locally based Internal Audit Departments report functionally to The Regents through the Office of the University Auditor and administratively to the campus Chancellor or Laboratory Director directly or through designated channels. (For reporting purposes, the Chancellor’s designee shall be at the level of Vice Chancellor or above, and the Laboratory Director’s designee shall be at the level of Associate Director or above.)

Internal Auditors may take directly to the respective Chancellor or Laboratory Director, the University Auditor, the President, or The Regents matters that they believe to be of sufficient magnitude and importance. Internal Auditors shall take directly to the University Auditor who shall report to the Senior Vice President—Business and Finance and The Regents’ Committee on Audit Chair any credible allegations of significant wrongdoing (including any wrongdoing for personal financial gain) by or about a Chancellor, Executive Vice Chancellor or Vice President, or any other credible allegations that if true could cause significant harm or damage to the reputation of the University. Internal Auditors shall take directly to the University Auditor who shall report to The Regents’ Committee on Audit Chair any allegations by or about the Senior Vice President—Business and Finance or the President. Any such matters will be reported to The Regents’ Board Chair at the discretion of the University Auditor or Committee on Audit Chair.

In performing the audit function, the Internal Audit Office has no direct responsibility for, nor authority over, any of the activities reviewed. Therefore, the internal audit review and appraisal process does not in any way relieve other persons in the organization of the responsibilities assigned to them.

Scope
Except where limited by law, the work of Internal Audit is unrestricted. Internal Audit is free to review and evaluate all policies, procedures and practices of any University activity, program, or function. Internal Audit is authorized to have full, free and unrestricted access to information including records, computer files, property, and personnel of the University in accordance with the authority granted by the Board's approvals of this charter and applicable federal and state statutes.

Standards
The responsibility of Internal Audit is to serve the University in a manner that is consistent with the standards established by the University of California internal audit community. At a minimum, it shall comply with the relevant professional standards, such as the Standards For The Professional Practice of Internal Auditing and with professional standards of conduct such as the Code of Ethics of the Institute of Internal Auditors, Inc.

1200 Outline of UC Audit Management Plan

University Audit Program
.01
A. An external independent certified public accounting firm reporting to The Regents.
B. Office of the University Auditor reporting functionally to The Regents through its Committee on Audit and the Senior Vice President-Business and Finance.
C. Campus/Laboratory Internal Audit Departments reporting functionally to The Regents through the University Auditor and administratively to the Chancellors/Laboratory Directors or designee.

Program Objectives
.02 To conduct a program of audits, consultations, and investigations which are of service to The Regents and management through the following activities:
A. Reviewing management, financial, and operating controls to appraise their soundness and adequacy to advise management, and on matters of material import, The Regents, as to whether:
1) The systems of internal control effected by the University’s Board of Regents, management and other personnel, provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.
2) Established plans, policies, and procedures are being complied with.
3) University assets are accounted for and safeguarded from loss.
B. Providing consultation on current and proposed operating policies and procedures and changes in the system of internal controls.
C. Providing recommendations to improve operating efficiency and internal controls.

03 A. 2) Analyze and evaluate University-wide policies. Program Objectives (cont'd) Audit Group Responsibilities 1) Establish a relationship with the University’s external auditors whereby annual plans are developed in concert. University of California 6/9/2009 Page 9 . and government auditing standards an audit of the financial statements of the University to determine whether such financial statements present fairly the University’s financial position changes in net assets and cash flows in accordance with generally accepted accounting principles. 3) Perform such additional financial or compliance audits as directed by The Regents. 2) Review the adequacy of the systems of internal controls related to the financial statement audit and render recommendations as appropriate. and an active channel exists for sharing audit findings and other information of mutual interest and concern. 4) Provide such accounting and other consultation as requested by management or The Regents. B. Conducting investigations in support of the University’s compliance with laws governing improper government activities. in accordance with generally accepted auditing standards. appropriate support is provided to them. External Auditors. . Office of the University Auditor. plans. 1) Perform. procedures and practices including those designed to assure ethical conduct.UNIVERSITY OF CALIFORNIA INTERNAL AUDIT MANUAL 1200 Outline of UC Audit Management Plan D.

3) Conduct investigations pursuant to the University of California Policy on Reporting and Investigating Allegations of Suspected Improper Governmental Activities (the “Whistleblower Policy”), within the Office of the President and at the campuses or laboratories at the request of the President, the Chancellor or Laboratory Director or their designee, or the campus/laboratory Internal Audit Director in the event of a conflict of interest.
4) Provide oversight and administration of compliance with the Whistleblower Policy.
5) With the Senior Vice President-Business and Finance, provide information with respect to material audit and investigation matters so as to keep the President and appropriate Regents adequately informed on a timely basis.
6) Coordinate and direct special non-recurring studies as requested by The Regents’ Committee on Audit, the President, or other appropriate University officials.
7) Coordinate all communications with the California State Auditor in connection with their investigations and requests for preliminary investigations by the University.
8) Working with the campus/laboratory Internal Audit Directors, develop appropriate methodologies and objectives, and coordinate the preparation of annual and long-range University-wide internal audit plans.
9) Working with the campus/laboratory internal audit directors, establish documented standards for:
• the conduct, documentation and reporting of audit, consultation and investigation activities;
• timely follow-up to assess whether appropriate action has been taken on reported audit findings;
• continuing education and a systematic training program for internal auditors;

• the determination of appropriate minimum levels of audit staffing.


10) Develop and oversee the conduct of a peer review program designed to assess and assure compliance with Institute of Internal Auditors and University adopted professional standards.
11) Coordinate the development of, and archive, model audit programs to avoid duplication of efforts.
12) Facilitate and serve as a conduit for the sharing of information among campus/laboratory audit departments regarding planned audit efforts, significant audit and investigation findings of mutual interest and concern, audit reports issued, and the development of improved audit techniques/technologies.
13) Provide research and technical support to campuses or laboratories as needed and requested.
14) Provide, or facilitate the sharing of, human resources among the internal audit departments as needed and available.
15) Develop guidelines for local campus/laboratory audit committees and serve as an ex-officio member of each local audit committee.
16) Oversee the campus and laboratory internal audit programs of comprehensive review and examination of policies and procedures to assure that all facets of the University are undertaking such in a clear, consistent and effective manner.

C. Campus/Laboratory Internal Audit Departments.
1) Audit campus and medical center and laboratory operations and activities in accordance with an annual plan submitted to the Office of the University Auditor.
2) Conduct investigations in accordance with the Whistleblower Policy, keeping the University Auditor, Senior Vice President-Business and Finance and the General Counsel’s office advised as called for by the Policy.

3) Provide services in a consultation role as requested by management, business units, and academic administration when such requests are consistent with the professional expertise of the auditors and maintenance of an appropriate level of independence, and do not materially impact the accomplishment of the risk based campus annual internal audit plan.
4) Review campus/laboratory compliance with University fiscal and administrative policies and procedures, conformity with governmental laws and regulations, and compliance with resource allocation and gift endowment restrictions.
5) Participate and provide appropriate support to campus/laboratory committees, work groups, task forces and the like involved in the development, review and/or re-engineering of policies, procedures and systems. In these endeavors auditors will be mindful of their appropriate role versus the role of management and will actively promote and advocate a sound system of internal controls in support of operational effectiveness and efficiency objectives.
6) As requested by the Chancellor/Laboratory Director, serve as external audit coordinator working with all external agencies having an audit interest in the University/Laboratory.
7) Support the whistleblower coordinator (Locally Designated Official) facilitating the adoption, implementation, and administration of local whistleblower procedures in support of the University policy.
8) Conduct audit, consultation and investigation activities in accordance with standards established for the entire University of California internal audit program.
9) Participate in the development of standards, audit planning methodologies, common audit programs, peer review programs, and other initiatives undertaken for the benefit of the entire University of California internal audit program.

10) Consult with the University Auditor on any matter representing a conflict of interest, or the appearance of a conflict of interest on the part of the local internal audit department.
11) The UCOP audit group is responsible for auditing Office of the President fiscal and business matters, such as:
• Audits of the offices of the principal officers of The Regents;
• Division of Agriculture and Natural Resources;
• Office of Technology Transfer; and
• Other administrative units.

Reporting Channels
.04
A. The University Auditor.
1) Reports administratively to the Senior Vice President-Business and Finance and functionally to The Regents through its Committee on Audit and has direct access to the President as circumstances warrant.
2) Provides formal reports to The Regents’ Committee on Audit semi-annually, and at other times as requested. The University Auditor will take it as his/her responsibility to seek to establish an active channel of communications with the Chair of The Regents’ Committee on Audit.
3) Meets with the Vice Chancellors/Deputy Laboratory Directors or other officials to whom internal audit functions report quarterly to discuss audit matters of University-wide concern, to provide information on system-wide internal audit initiatives and to promote consistency of internal audit oversight.
4) Conducts at least quarterly meetings of Internal Audit Directors forming a committee for the promulgation of auditing standards, practices and policies.

5) Serves as ex-officio member of all campus or laboratory audit committees and work groups.
6) Meets with Chancellors or Laboratory Directors and Vice Chancellors or Deputy Laboratory Directors at least once per year with the respective Audit Director to review the state of internal controls and privately to discuss the functioning of the internal audit program, audit committee, adequacy of resources, and director performance.

B. Campus and Laboratory Internal Audit Directors.
1) Report administratively to the Chancellor or Laboratory Director and to The Regents Committee on Audit through the University Auditor but have direct access to the President or The Regents’ Committee on Audit as the circumstances warrant.
2) When, pursuant to their re-delegation authority, Chancellors or Laboratory Directors designate a position to whom the Internal Audit Director shall report, that position shall be at least at the Vice Chancellor or Deputy Laboratory Director level and the Chancellor or Laboratory Director shall retain responsibility for:
• approval of the annual audit plan;
• approval of audit committee/work group charter;
and shall meet with the Internal Audit Director at least annually to review the state of the internal audit function and the state of internal controls locally. When reporting responsibility is re-delegated, Internal Audit Directors also have direct access to Chancellors or Laboratory Directors as the circumstances warrant.


3) Facilitate the scheduling of local audit committee/work group meetings and provide staff support to the audit committee/work group.
4) Campus and laboratory internal audit directors should plan on attending the May and November Regents’ meetings, as well as the November Regents’ Committee on Audit meeting, when the annual report on internal audit activities is presented.

C. Direct Reporting to The Regents’ Committee on Audit
1. Internal Auditors may take directly to the respective Chancellor or Laboratory Director, the University Auditor, the President, or The Regents matters that they believe to be of sufficient magnitude and importance. Internal Auditors shall take directly to the University Auditor who shall report to the Senior Vice President-Business and Finance and The Regents' Committee on Audit Chair any credible allegations of significant wrongdoing (including any wrongdoing for personal financial gain) by or about a Chancellor, Executive Vice Chancellor or Vice President, or any other credible allegations that if true could cause significant harm or damage to the reputation of the University. Internal Auditors shall take directly to the University Auditor who shall report to The Regents' Committee on Audit Chair any allegations by or about the Senior Vice President-Business and Finance or the President. Any such matters will be reported to The Regents' Board Chair at the discretion of the University Auditor or Committee on Audit Chair.
2. Internal Auditors shall report directly to the University Auditor who shall report to The Regents' Committee on Audit Chair any allegations by or about the Senior Vice President-Business and Finance or the President. Any such matters will be reported to The Regents' Board Chair at the discretion of the University Auditor or Committee on Audit Chair.
3. Internal Auditors shall report directly to the Senior Vice President-Business and Finance who shall report to the Chair of The Regents' Committee on Audit any allegations related to the University Auditor.

Certain Personnel Matters
.05
A. Action to appoint, demote or dismiss the University Auditor requires the approval of The Regents.
B. Action to appoint campus/laboratory Internal Audit Directors requires the concurrence of the University Auditor. Action to demote or dismiss campus/laboratory Internal Audit Directors requires the concurrence of the President upon the recommendation of the University Auditor.

1300 Policy on Dual Reporting for Internal Audit

Dual Reporting Structure
.01 In March 1995, The Regents’ Committee on Audit approved a recommendation for a dual reporting structure for the University’s Internal Audit Program. This Policy is intended to assist The Regents and senior administrative officials with local responsibility for the Internal Audit Program and internal auditors in the understanding and execution of their responsibilities under the dual reporting relationship. It is acknowledged that the Laboratories have reporting responsibilities to the U.S. Department of Energy (DOE) as delineated in their contracts and the Cooperative Audit Strategy. The DOE in its oversight role may require certain activity and has certain authority, for example, approval of the Annual Audit Plan, especially for investigations. These guidelines are not intended to usurp any of the DOE’s authority and any conflict in the application of these guidelines by the Labs with their contracts and the Cooperative Audit Strategy should be brought to the attention of the University Auditor.

Purpose
.02 Both The Regents and campus and laboratory management have an interest in a capable and effective Internal Audit Program. Both recognize the need for objectivity and an appropriate level of organizational independence from day to day operations and management activities. Campus/laboratory management further recognizes the benefit of a local Internal Audit Program that is:
a) knowledgeable about local policies, procedures and practices,
b) available and responsive to local needs,
c) respectful of campus/laboratory local authority for decision making, and,
d) for the labs, responsive to the needs of the local DOE contracting officer.

The dual reporting relationship structure is designed to accommodate both interests by providing for a locally operated Internal Audit Program while preserving the organizational independence necessary for objectivity and accountability to The Regents.

Definition
.03 Consistent with the guidelines of the Institute of Internal Auditors, dual reporting means functional reporting to The Regents through their Committee on Audit, and administrative reporting to management. Campus/lab Internal Audit Directors report functionally to The Regents through the University Auditor. Structurally, these relationships are depicted in organization charts by a dual solid line reporting relationship for the campus/laboratory Internal Audit Director (IAD) to the Chancellor/Laboratory Director (or designee as provided by the Internal Audit Management Plan) and the University Auditor. Typically, the IAD’s avenue for communications with The Regents’ Committee on Audit will be through the University Auditor. However, each IAD has the authority to communicate directly with the Chair of The Regents’ Committee on Audit as necessary in their judgment regarding matters of independence.

Shared Responsibilities
.04 There are certain responsibilities shared by campus and laboratory management and the University Auditor. It is acknowledged as a practical matter that campus/laboratory management will have primary responsibility for local administrative matters (such as space allocation and funding), and in the case of the laboratories, management of an audit program that is acceptable to the local DOE contracting officer, while the University Auditor will have primary responsibility for the professional and technical aspects of the Internal Audit Program. However, for many of the shared responsibilities, the University Auditor has been delegated as having primary responsibility as noted below. These shared responsibilities (and any primary responsibility delegation) include the following:
a) Approval of the campus/laboratory annual audit plan. (University Auditor primary)
b) Approval of changes to the audit plan (University Auditor primary).
c) Selection of the campus/laboratory IAD. (University Auditor consent required)
d) Annual performance evaluation of the IAD

e) Determination of the compensation/classification of the IAD (Campus/lab management primary)
f) Assessment of the adequacy of resources provided for the Internal Audit Program (e.g. human, financial, technological) (University Auditor primary).
g) Collaboration on Internal Audit policy development and implementation. (University Auditor primary)
h) Pursuant to the Internal Audit Management Plan, termination of an Internal Audit Director requires the approval of the President, which will be requested upon the concurrence of campus/laboratory management and the University Auditor.

University Auditor Responsibilities
.05 The University Auditor will have responsibility for the following matters. Typically, the University Auditor will initiate action in regard to these responsibilities but will work in concert with the IAD’s as a group on their development and execution.
1) Establish UC Internal Audit Program mission and the Internal Audit Management Plan.
2) Establish policies and procedures for the conduct of the Internal Audit Program.
3) Establish and implement professional standards for the conduct of the Internal Audit Program.
4) Fulfill reporting requirements to The Regents’ Committee on Audit and gain Committee approval of:
• The Internal Audit Mission Statement
• The Internal Audit Management Plan
• The Annual Audit Plan
• The Audit Strategic Plan
• The Annual Report of Audit Activities

5) Administer the University Policy on Reporting and Investigating Allegations of Improper Governmental Activities (Whistleblower Policy) and other Business & Finance policies as appropriate. This includes reviewing the campus/laboratory Whistleblower policy implementation procedures (with final approval by the Senior Vice President Business & Finance) and Investigation group procedures.
6) Maintain a current understanding of the progress of all open IGA and other investigations (e.g., state auditor) and coordinate with campus/laboratory management the timely communication of such matters to the Office of the President and The Regents, and administer a database of open investigations conducted by Internal Audit. Consult as necessary with campus/laboratory management and IAD on the investigation plan and the adequacy of investigation resources.
7) Serve as primary Internal Audit liaison with the State Auditor and The Regents’ external auditors.
8) Establish system-wide Risk Assessment and other planning methodologies.
9) Establish time reporting and other periodic reporting mechanisms for monitoring the accomplishment of the annual plan and for accountability and performance measurement.
10) Establish and oversee a quality assurance program, the principal component of which will be a peer review program.
11) Establish and oversee a program of audit follow-up including maintenance of a data base of open recommendations and agreed upon management corrective actions ensuing from all audit and investigation reports. Monitor and report on followup processes and significant open management corrective actions.
12) Maintain a data warehouse of audit programs, reports and other materials useful as a resource to campus/laboratory internal audit departments to promote consistency and efficiency.
13) Communicate with campus/laboratory IAD’s significant findings from other campus/laboratory audits and investigations and ensure consideration of such issues on a system-wide basis.

University Auditor Responsibilities (cont'd)

14) Establish a training curriculum in core competencies for UC internal auditors. Separate competencies may need to be developed to address the unique needs of the campus or laboratory environments.
15) Establish guidelines for campus/laboratory audit committees/workgroups.
16) Meet with Chancellors/Laboratory Directors at least annually to discuss audit matters and to promote consistency of internal audit oversight.
17) Conduct periodic strategic planning sessions with the IAD’s and oversee the carrying out of strategic planning initiatives.
18) Promote, encourage and provide a mechanism for active involvement in Internal Audit Directors and “All Auditors” meetings and Program initiatives (such as accomplishment of strategic plan goals) on the part of the campus/laboratory management to whom internal auditors report locally.

Campus and Laboratory Responsibilities

.06 The following are campus/laboratory responsibilities. Some are the responsibility of local internal auditors, while some are the responsibility of local management with oversight responsibility for the Internal Audit Program.

1) Conduct the local Internal Audit Program in accordance with the provisions of the Internal Audit Management Plan, the Systemwide Internal Audit manual, the IIA Professional Standards and, for the laboratories, in a manner that is “satisfactory” to DOE, and in compliance with the Cooperative Audit Strategy.
2) Designate an external audit coordinator. (Note: the coordinator does not have to be in the internal audit office.)
3) Maintain an active campus/laboratory audit committee or workgroup within UC guidelines established by the University Auditor.
4) Involve internal audit in the design of major new automated systems.
5) Establish and fund at an appropriate level the Internal Audit Program operating budget. The University Auditor will consult on needs as requested or necessary to provide information on comparability or appropriate levels of support.

Campus and Laboratory Responsibilities (cont'd)

6) Provide for appropriate physical location and space requirements of the Internal Audit Program and attendant needs (e.g., technology, data access).
7) Prepare an annual internal audit plan using Risk Assessment and other planning methodologies established by the University Auditor.
8) Recommend the annual internal audit plan first to the Chancellor/Lab Director and local audit committee for approval. Once approved, recommend to the University Auditor for approval and ultimate submission to The Regents’ Committee on Audit. The laboratories’ annual audit plans are subject to the concurrence of the DOE.
9) Implement the annual campus internal audit plan approved by the Chancellor/Laboratory Director, the University Auditor and The Regents’ Committee on Audit. Day to day execution of the plan, including prioritization of assignments, etc., will rest locally, reporting periodically, as requested by the University Auditor, conformance with the plan and reasons for material deviations from the plan.
10) Develop and maintain IGA implementing procedures.
11) Conduct investigations in accordance with the Whistleblower Policy and local implementing policies, assuring timely notification to the Office of the President of matters under investigation either internally, or by external audit agencies, keeping the University Auditor and the Office of the President informed of major developments in open investigations.
12) Submit for review by the University Auditor in draft form, audit and investigation reports on sensitive matters and those that are expected to be distributed outside of the normal campus/laboratory channels. This will include all investigation audit reports on matters reported to the Senior Vice President—Business and Finance pursuant to the Whistleblower Policy.
13) Participate in benchmarking and other surveys, as requested for the assessment of the Internal Audit Program.

14) Contribute to the strategic planning efforts and accomplishment of Internal Audit Program initiatives.
15) Consult with the University Auditor before assigning to the local IAD any responsibility other than management of the internal audit program in order to ensure that the audit program’s independence is not impaired.
16) Fulfill reporting requirements as established by the University Auditor.

Overall Responsibility

.07 A. The overall responsibility for implementation of an effective dual reporting relationship for auditors in the UC system rests jointly with the University Auditor and the campus or laboratory management to whom local internal auditors report.
B. The necessity for independence and accountability to The Regents in order for the Internal Audit Program to have credibility will be paramount in resolving conflicts or issues arising in the implementation of the dual reporting relationship.

1300 Appendix 1 – Organizational Chart

University of California Internal Audit Program Organizational Chart

[Organizational chart. Boxes shown: The Regents’ Committee on Audit; UC President M. G. Yudof; EVP, Business Operations K. Lapp; SVP, Chief Compliance and Audit Officer S. Vacca; University Auditor P. Reed. Local officials by location: UCB Chancellor Birgeneau; UCD Interim Provost and Executive VC Horwitz; UCI Vice Chancellor Brase; UCLA Vice Chancellor Olsen; UCR Vice Chancellor Bolar; UCSB Associate Vice Chancellor Cortez; UCSC Vice Chancellor Vani; UCSD Vice Chancellor Matthews; UCSF Interim Vice Chancellor Lopez; LBNL Interim Laboratory Director Alivisatos.]

Total Professional Staff, including the Director, is in parentheses. Total Authorized Professional Positions = 114.7 (LANL & LLNL Audit Departments not reflected in UC Audit Program)

1300 Appendix 2 – Responsibility Chart

The following chart summarizes the Shared responsibilities over the Internal Audit Program:

Reporting Responsibilities
Administration (funding and space)
Professional and technical aspects
Approval of the audit plan
Evaluation of the internal audit plan
Selection of the Internal Audit Director (IAD)
Annual performance of the IAD
Determination of IAD compensation
Assess the adequacy of the resources
Agreement on the termination of the IAD
Approval of changes to the audit plan

Columns: Shared, Campus/Lab, University Auditor
S X X X X X X X X S P P P P P P P

S = Sole responsibility
P = Primary responsibility
X = Shared responsibility

1400 Professional Standards and Ethics

Section Overview

.01 The internal auditing profession is governed by a set of standards, the Standards for the Professional Practice of Internal Auditing, and a Code of Ethics. These pronouncements provide guidance to internal auditors on the practice of the internal auditing profession and protect the interests of those served by internal auditors. The UC Audit Program has adopted the Standards and the Code of Ethics and has designed the policies and procedures included in this systemwide Internal Audit Manual to comply with them.

Alignment with the Standards for the Professional Practice of Internal Auditing

.02 The UC Internal Audit Manual incorporates the practices and procedures described in the Institute of Internal Auditor’s Standards for the Professional Practice of Internal Auditing. A matrix has been prepared that cross-references the IIA Standards to the UC Internal Audit Manual and demonstrates the audit program’s alignment with the Standards for the Professional Practice of Internal Auditing. The matrix cross-referencing the Standards for the Professional Practice of Internal Auditing to the UC Internal Audit Manual is included as Appendix 4 at the end of this section.

Code of Ethics

.03 The UC Internal Audit Program Professional Code of Ethics incorporates the Code of Ethics adopted by the Institute of Internal Auditors in June 2000. The Code of Ethics applies to all members of the internal audit professional staff and should not be modified from location to location. The Audit Director is responsible for regularly reinforcing the concepts and behaviors embodied in the Code of Ethics, for example, through discussions at staff meetings, during interim or annual performance evaluations, or by other appropriate methods. The UC Internal Audit Program Professional Code of Ethics is included as Appendix 3 at the end of this section.

1400 Appendix 3 - Professional Standards and Ethics

UNIVERSITY OF CALIFORNIA
Internal Audit Program
Professional Code of Ethics

Campus/Laboratory Location

The University of California Audit Program has adopted the Code of Ethics promulgated by the Institute of Internal Auditors. The Code of Ethics provides guidance for staff in the conduct of their profession and elicits the trust and confidence of those for whom services are rendered.

The Institute of Internal Auditors has adopted the following Code of Ethics, which applies to both individuals and entities that provide internal auditing services.

Principles

Internal auditors are expected to apply and uphold the following principles:

• Integrity
The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
• Objectivity
Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
• Confidentiality
Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
• Competency
Internal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing services.

Rules of Conduct

1. Integrity
Internal auditors:
1.1. Shall perform their work with honesty, diligence, and responsibility.

1.2. Shall observe the law and make disclosures expected by the law and the profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.
1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

2. Objectivity
Internal auditors:
2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.
2.2 Shall not accept anything that may impair or be presumed to impair their professional judgment.
2.3 Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

3. Confidentiality
Internal auditors:
3.1 Shall be prudent in the use and protection of information acquired in the course of their duties.
3.2 Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

4. Competency
Internal auditors:
4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.
4.2 Shall perform internal auditing services in accordance with the International Standards for the Professional Practice of Internal Auditing.
4.3 Shall continually improve their proficiency and the effectiveness and quality of their services.

1400 Appendix 4 - Professional Standards and Ethics Cross-Reference

CROSS-REFERENCE OF INSTITUTE OF INTERNAL AUDITORS ATTRIBUTE AND PERFORMANCE STANDARDS TO THE UNIVERSITY OF CALIFORNIA AUDIT MANUAL
(Page 1 of 2)

Each entry gives the Standard No. and Short Description of Standard, followed by the UC Audit Manual Reference and Section Title/Description.

Attribute Standards

1000 Purpose, Authority, and Responsibility - The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board.
  1100 Mission and Management Charter
  1200 Outline of UC Audit Management Plan
  1300 Policy on Dual Reporting for Internal Audit

1100 Independence and Objectivity - The internal audit activity should be independent, and internal auditors should be objective in performing their work.
  1100.03 (C3.5) Mission and Management Charter – Management Charter – Independence
  1200.02 Outline of UC Audit Management Plan – Audit Group Responsibilities – Campus Internal Audit Departments
  1200.04 Outline of UC Audit Management Plan – Reporting Channels
  1300 Policy on Dual Reporting for Internal Audit

1200 Proficiency and Due Professional Care - Engagements should be performed with proficiency and due professional care.
  1300.05 (14) Policy on Dual Reporting for Internal Audit University Auditor Responsibilities
  4100.02 Roles and Responsibilities – Director
  6100.02 Planning an Audit – Audit Plan and Program Development
  6200.01 Conducting an Audit – Policy
  4400 Skills Assessment and Resource Analysis

1300 Quality Assurance and Improvement Program - The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness.
  1200.03 (B10) Outline of UC Audit Management Plan – Audit Group Responsibilities – Office of the University Auditor
  1300.05 (10) Policy on Dual Reporting for Internal Audit – University Auditor Responsibilities
  9100 Quality Assurance Processes at the Local Level
  9200 System-wide Quality Assurance Programs
  9300 Quality Assurance Manual

1400 Appendix 4 - Professional Standards and Ethics Cross-Reference
(Page 2 of 2)

Each entry gives the Standard No. and Short Description of Standard, followed by the UC Audit Manual Reference and Section Title/Description.

Performance Standards

2000 Managing the Internal Audit Activity - The chief audit executive should effectively manage the internal audit activity to ensure it adds value to the organization.
  1200.03 – (B) Outline of UC Audit Management Plan – Audit Group Responsibilities – Office of the University Auditor
  1300.04 Policy on Dual Reporting for Internal Audit – Shared Responsibilities
  1300.05 Policy on Dual Reporting for Internal Audit – University Auditor Responsibilities
  3100 Internal Audit Program Planning and Reporting – Strategic Plan
  3200 Internal Audit Program Planning and Reporting – Operating Plan
  4100 Personnel – Roles and Responsibilities

2100 Nature of Work - The internal audit activity should evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.
  1200.02 Outline of UC Audit Management Plan – Objectives
  3200 Operating Plans

2200 Engagement Planning - Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing and resource allocations.
  6100 Planning an Audit

2300 Performing the Engagement - Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.
  6200 Conducting an Audit

2400 Communicating Results - Internal auditors should communicate the engagement results.
  6300 Reporting Results

2500 Monitoring Progress - The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.
  1300.05 Policy on Dual Reporting for Internal Audit – University Auditor Responsibilities

2600 Resolution of Management’s Acceptance of Risks - When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution.
  1200.04 Outline of UC Audit Management Plan – Reporting Channels
  6500 Other Audit Matters – Dispute Resolution

2000 INTERNAL AUDIT PROGRAM

Section Overview

.01 The following Section provides an overview of the history and evolution of the UC Internal Audit Program and of its current array of customers and services. Additionally, it outlines the requirements for Internal Audit to communicate information and findings about its activities to its customers, the role of the University Auditor's Office in the Internal Audit Program and guidelines for local audit committees.

2100 History and Overview

Overview

.01 UC Internal Audit has evolved since the mid 1950s from a single function performing campus audits to an Internal Audit Program comprised of thirteen Internal Audit Departments, plus the University Auditor’s Office. The Program provides a broad spectrum of services to assist The Board of Regents and University management in the discharge of their oversight, management and operating responsibilities.

Establishment and Early Growth

.02 Campus Audits - The Internal Audit Program was first established at the University of California, Berkeley campus in July 1955 with one auditor responsible for auditing at all of the campuses. Soon thereafter, a second auditor established a "branch office" based out of UCLA for the southern campuses. The audit function remained centralized and grew over time to a staff of approximately eight in the north division and six in the south division by the early 1960s.

Laboratory Audits - During the 1970s, a Laboratory Contract Audit Group was established operating out of the Lawrence Livermore National Laboratory. The addition of the Lab Internal Audit staff eventually brought the total staff to 21 professionals.

Efforts to Expand Program - In the early 1970s, University administration consistently reported to The Regents’ Committee on Audit that the Internal Audit Program was understaffed due to budget constraints. With local management's interest in an Internal Audit function, certain campuses began to establish their own "management audit" capabilities. In 1976, Haskins & Sells, the University of California's external auditors, observed that Internal Audit staffing, which had not increased since 1963-1964, had not kept pace with the growth of the University. Management committed to increase the audit staffing level and to study the organization of the Internal Audit Program.

Plan of Reorganization

.03 Decentralization - As a result of the study, University administration worked with Haskins & Sells to develop a Reorganization Plan for the Internal Audit Program in 1978. This plan was consistent with the strict accountability program in a decentralized environment introduced by President Saxon and based on the premise that campuses are responsible for monitoring their operational activities.

Staffing Increases - The Reorganization Plan called for a threefold increase in the number of auditors situated at the campuses as follows:
• 45 campus auditors
• 5 system-wide auditors
• 10 Department of Energy contract auditors

Although funding and coordination issues delayed ramping up staffing to these levels and UC was still at the low end of adequate audit coverage, the staffing concerns of the external auditors were adequately addressed. The campuses continued to add staff during the 1980s, especially in health sciences, with funding support from the schools of medicine and medical centers. In 1987, there were 67 campus auditors, 12 system-wide auditors and 17 DOE contract auditors.

Roles and Reporting - The external auditors also observed in 1980 the need to more firmly establish lines of reporting for internal auditors under the new decentralized structure as follows:
• Campus-based auditors should report to the Chancellors or their designees.
• The System-wide Internal Audit office should primarily "provide leadership for policy development, coordination, representation, resource acquisition and allocation, accountability and evaluation."

Development of System-wide Program

.04 Core Audit Program - Based on The Regents' Committee on Audit's continuing concern about the adequacy and effectiveness of the Internal Audit Program's structure and operations, Arthur Andersen & Co. completed a study in 1987. The resulting report, accepted by the Committee on Audit in November 1987, focused on the following:
• Development of a system-wide "stewardship" audit program which became known as the Core Audit Program
• Creation of campus audit committees
• Strengthening of the oversight provided by the Office of the University Auditor
• Maintenance of the decentralized structure, but with a more central focus on the major portion of the program of work

Implementation

Risk Assessment - The Core Audit Program was implemented in the 1988-1989 fiscal year after additional system-wide staff was added to design and administer its elements. Its concepts were used to drive the assessment of system-wide or "institutional" risk in approximately 45 common areas of operations as a basis for determining areas for audit on a system-wide basis. During the seven years that the Core Audit Program was in use, there were 23 Core audits conducted covering approximately one-half of the universe of institutional risk areas identified by the Core Audit Program.

Laboratory Contract Auditors - As part of that implementation, the Laboratory Contract Auditors were established under the local jurisdiction of Laboratory Audit Directors, led by individuals on equal footing with the campus Internal Audit Directors. Previously, its members reported directly to the Office of the University Auditor.

Additional Restructuring of Program

Continued growth - The growth of the staffing of the Internal Audit Program at the individual locations from the late 1980s to the mid-1990s was largely driven by campus growth and by local events that brought audit issues to the forefront.

Additional Restructuring of Program (cont'd)

.05 Dual Reporting - Together with the hiring of a new University Auditor, the appropriateness of the structure and adequacy of operation of the Internal Audit Program was further studied at the request of the Committee on Audit in 1994. This resulted in the March and September 1995 recommendations accepted by the Committee on Audit for adoption of a dual reporting structure and related revisions to the Internal Audit Management Plan. In addition, the Core Audit Program was abandoned in 1995 in favor of a system-wide risk assessment and audit planning methodology. The risk based operating plan is discussed in more detail in Section 3200. The Outline of the UC Audit Management Plan is included in Section 1200. Policy on Dual Reporting for Internal Audit is included in Section 1300.

.06 In addition, a system-wide Director of Investigations was hired to provide added expertise and support for this area of service that had grown in hours substantially in the middle 1990’s and continued to consume a significant portion of internal audit’s time. Additional developments during the late 1990s were intended to strengthen the Program through increased information sharing and communications among the thirteen audit departments, and increased reporting of local audit department activities to the University Auditor. Quarterly reporting to The Regents Committee on Audit of progress against the annual plan commenced in 1996 and was designed to increase visibility and accountability. Additionally, the University Auditor currently meets quarterly with the Committee on Audit. In 1998, another external review of the Program was conducted using a panel of experts from both internal auditing and public accounting. This review reaffirmed the appropriateness of the decentralized model as modified by the dual reporting structure. This was also reaffirmed in their 2000 follow up review. After an external review in 2003, the guidelines were subsequently updated in order for the University Auditor to take full responsibility for certain responsibilities that were previously shared with the campus/lab.

2200 Customers and Services

Overview

.01 The UC Internal Audit Program's perspective of its customers and services has evolved and broadened along with the changes occurring within the internal audit profession. The changes in the profession itself are in part based on the report of an Institute of Internal Auditors' Guidance Task Force in 1999. Even the definition of internal auditing has been revised. The Internal Audit Program of the University of California fully ascribes to the revised definition including the emphasis on advisory service activities in addition to assurance activities.

Customers of Internal Audit Services

.02 In the broadest sense, the beneficiaries of the services of Internal Audit include the taxpayers of the state of California, federal, state and private research sponsors, donors, and all faculty, students, patients and staff of the University. However, customers are those we serve more directly and who are the recipients of our services, or reports on services provided. The customers of Internal Audit include those parties with oversight, management and operating responsibilities for the University such as:
• The Board of Regents
• The Regents' Committee on Audit
• Senior Management
• Local Audit Committees
• Operating Management

Services Provided by Internal Audit

.03 Internal Audit's primary activity in fulfilling its mission is the conduct of a program of regular audits of the University's business operations. However, as the Internal Audit Program has evolved and restructured in recent years, it has expanded to include additional activities in order to enhance the value of services to its customers. The Annual Audit Plan outlines Internal Audit services under three types of activities as follows:

Audits

These services include the planned and supplemental program of regular audits of business units (including academic departments) and business processes that cut across all organizational units (e.g., purchasing, travel, etc.).

Investigations

Pursuant to University policy, Internal Audit conducts investigations into suspected financial irregularities whether reported by whistleblowers, uncovered in the course of regular audits, or based upon concerns conveyed by management.

Advisory Services

Advisory Services encompasses a broad array of activities beyond regular audits. These additional activities are proactive or preventive in nature and are focused in the following areas:

Internal Control & Accountability - Promotes the systems of internal controls through training of University personnel in concepts of internal control and consultation on their implementation. These services include our efforts to support the Controllers' accountability initiatives, including Control Self-Assessment as well as the independent Control Self-Assessment effort at the laboratories.

Special Projects and Consultations - Promote effective and efficient operations through special management studies, advisory participation on business process and systems reengineering teams and consultation on business issues (e.g., regulatory compliance matters) and assist department and program managers in dealing with issues before they become audit or investigation problems.

Systems Development and Reengineering - Involves participation with teams and committees to assist in the continued efforts of campuses and laboratories to develop and implement new systems, redesign their business processes to be more effective and efficient and deal with other campus or lab business issues. Involvement of auditors in a consultative manner during the design and development phase helps to ensure that sound business practices, including effective internal controls, are built into the systems and processes.

Other - Internal Audit may serve in additional capacities such as External Audit Coordinator (acting as liaison for campus visits by regulators and investigators), Information Practices Act Coordinator or Conflict of Interest Coordinator.

Alignment of Services with Customer Needs

.04 Internal Audit's Services are designed to fulfill the varying needs of its diverse customers. The operating plan of the Internal Audit Program prepared annually aligns these services, across all of the University's business operations.

University Lines of Business

.05 The business operations of the University are organized under the following three lines of business.

Campuses

The University encompasses nine campuses located throughout the state with a tenth campus expected to open by 2004, five medical schools, three law schools and a statewide Division of Agriculture and Natural Resources. Eight campuses are general campuses and one, UCSF, is a health sciences only campus. In 1999, enrollment totaled 174,000 students of whom 41,000 were graduate students. In 2005, enrollment was 208,000. In 1999 research expenditures totaled nearly $2 billion. Access the following internet link to see the most recent fact sheet for the campuses: http://universityofcalifornia.edu/campuses/welcome.html

Laboratories

Under contract with the U.S. Department of Energy, UC manages Lawrence Berkeley National Laboratory and Lawrence Livermore National Laboratory in California and Los Alamos National Laboratory in New Mexico. The laboratories conduct broad and diverse basic and applied research in nuclear science, energy production, national defense and environmental and health areas. The annual budget for the three national labs approximates $4 billion.

Health Sciences

UC operates the nation’s largest health science and medical training program. The instructional program is conducted in 14 health sciences schools on six campuses. They include five medical schools, two dentistry schools, two nursing schools, two public health schools, a school of optometry, a school of pharmacy and a school of veterinary science. The University of California's five medical centers support the clinical teaching programs of UC's medical and health sciences schools and receive more than 120,000 inpatient discharges, 239,000 emergency room visits and more than 3.3 million outpatient visits each year. Access the following internet link to access the most recent fact sheet for the medical centers: http://www.universityofcalifornia.edu/health/medcenters.html

2300 Communications

Overview

.01 Beyond the issuance of reports on audits, investigations, and advisory services, the Internal Audit Program formally communicates with its customers on a systematic basis.

Regents

.02 The University Auditor is responsible for establishing an active channel of communication with the Chair of The Regents’ Committee on Audit, and for the Committee as a whole. The University Auditor meets quarterly with the Committee on Audit, as well as prepares the following formal reports:

Annual Plan - The consolidated annual audit plan of the nine campuses, three national laboratories and the Office of the President is presented to The Regents annually in May. The annual plan outlines the planned Internal Audit service activities by line of business as well as the distribution of resources necessary to deliver those services and the risk coverage provided. The annual plan also conveys the current elements of the strategic plan for continuous improvement of the Program.

Annual Report - A formal annual report is provided to The Regents’ Committee on Audit annually in November. The annual report has some traditional and essential elements. Historically, The Regents Committee on Audit has requested and received information analyzing the Internal Audit Program (e.g. staffing levels by location) as well as a report of accomplishments measured against the annual plan, local control environment – including significant past due management corrective actions, accomplishment of strategic plan initiatives and other material on a detailed level by location. But it also offers an annual opportunity to convey to The Regents educational information about the Program, the profession, controls, risk assessment and other matters.

Quarterly Report - A formal report is provided to The Regents' Committee on Audit (and Senior Management) quarterly which presents comparative analyses of actual results for the year-to-date period to both the annual audit plan and to the prior year.

Senior Management

.03 Client Satisfaction Survey - A management survey is sent at least annually to elicit management’s perception of the Internal Audit Program’s ability to fulfill its mission of assisting management in the effective discharge of their responsibilities.

Local Audit Committees

.04 Local Audit Committees provide for the communication and coordination of internal audit and, at certain locations, related matters (e.g. external audit matters and control initiative activities). Guidelines for Local Audit Committees are included in Section 2500. The guidelines for local audit committees include the regular agenda of information and reports to be reviewed.

COVCA

.05 The Council of Vice Chancellors—Administration is a group of the University’s senior business officers who meet regularly with the Senior Vice President—Business & Finance and his/her staff. The group includes deputy lab directors for operations. As such, for most locations, this group includes the individuals to whom the local Internal Audit Directors report. The University Auditor communicates with this group about broad Program strategies and developments that impact all locations.

2400 Role of the University Auditor's Office

Overview

.01 The University Auditor's Office is a Department of the Office of the President. Within it are two functions: the Office of the President Internal Audit Department and the Office of the University Auditor. The OP Internal Audit Department operates in a manner similar to the campus and lab Internal Audit Departments and is managed by a Director independently from the University Auditor’s involvement on a day to day basis. The Office of the University Auditor is responsible for overall management, coordination, administration and development of the Internal Audit Program of the University. The University Auditor is the Program’s principal representative before The Regents.

Duties of the University Auditor’s Office

Management
♦ Oversee the preparation of the annual plan
♦ Prepare reports to The Regents
♦ Assess staffing and funding sufficiency
♦ Assist locations in selection of IAD’s
♦ Consult with IAD’s on significant audit, investigation, staffing, or operational issues
♦ Appoint and guide workgroups of IAD’s and managers as necessary for the execution of the strategic plan
♦ With the Director of Investigations, lend assistance to, monitor and manage communications regarding significant investigations

Coordination
♦ Conduct regular meetings of the IAD’s and other subgroups (e.g. health sciences IAD’s) as necessary
♦ Communicate with IAD’s regularly on all issues of interest to the Internal Audit Program
♦ Coordinate overlapping activities of the workgroups addressing strategic and operational issues
♦ Facilitate training activities including All Auditors Conferences, Audit Forums, and specialized training

Duties of the University Auditor’s Office (cont’d)

♦ Facilitate the development of the Internal Audit Program’s collective views on University policy matters
♦ Act as liaison as necessary for campuses and labs with other Office of the President functions
♦ Coordinate activities with other groups such as the Controllers

Administration
♦ Maintain Program records including staffing, reports issued, Regents reports etc.
♦ Provide support to the workgroups in execution of the strategic plan
♦ Provide support for conference and other training activities
♦ Maintain a database of all reports issued and audit programs for common areas
♦ Prepare analyses to assist in the management of the Program including staffing, compensation, risk assessment, benchmark/best practices
♦ Through the Director of Investigations, maintain records of investigation activities

Development
♦ Establish policies for the conduct of the Internal Audit Program in consultation with the IAD’s
♦ With the IAD’s create, and monitor the execution of, a strategic plan
♦ Maintain an awareness of and assess the impact on the Program of developments in the accounting, public accounting, and internal audit professions
♦ Assess the results of the Quality Assurance Program for impact on needs of the Program
♦ Evaluate the Program’s accomplishment of its objectives and the extent to which The Regents and management’s needs and expectations are being satisfied
♦ Cause a periodic evaluation of the Program by outsiders to be performed against best practices of the profession and The Regents and management’s expectations

Audit Management Plan

.02 The University Auditor's responsibilities under the Audit Management Plan are outlined in Section 1200.

Dual Reporting

.03 Guidelines for the University Auditor's administrative responsibilities for dual reporting are outlined in Section 1300.

Role and Responsibilities

.04 The University Auditor's role and responsibilities are outlined in Section 4100.

2500 Guidelines for Local Audit Committees

Purpose, Charter and Scope

.01 Each UC campus and national lab will have a local audit committee for the purpose of communication and coordination of internal audit and related matters. The intent is to share information with and promote a dialogue among a variety of local participants who collectively represent the customers of internal audit services. A local charter for the committee should be prepared documenting the purpose, scope and designated members. Such charter for the committee is separate and distinct from a local audit charter—which is optional, given The Regents’ charter. A sample charter is included as Appendix 5.

The scope of the audit committees’ function and perspective may be expanded locally to include external audit coordination matters and the control and accountability initiatives of the controllers. Some locations may choose to combine the audit committee with the oversight of activities carried out under their controls initiative, or these matters may be separate. Such an expansion of the charter is not in conflict with the objectives of these guidelines and is a local option.

While the campus or lab audit committee should have an interest in investigation matters (at least in regard to the impact on the audit program and indications of internal controls deficiencies), a separate group typically provides oversight to investigation activities.

Appointment of Members and Orientation

.02 Pursuant to the Regentally approved Internal Audit Management Plan, the Chancellor or Laboratory Director appoints the members of the local audit committee. The Director of Audit should prepare a packet of materials including Regental and campus charters and other materials as appropriate for orientation of new members.

Composition and Chair

.03 The composition of the committee will depend to some extent on local custom, but should be broad enough to represent the interests of the campus or lab community as a whole. It is important that there be sufficient representation from the faculty administrative leadership, the health sciences enterprise, a research perspective

and others deemed appropriate including student and auxiliary services, budget, human resources, etc. It is appropriate to include the campus or lab controller even if the charter for the committee is not expanded as discussed above. Consideration should also be given to including the campus or lab counsel if the committee is to deal with investigation matters.

Composition and Chair (cont’d)

Unless the Chancellor or Lab Director chooses to chair the committee, it should be chaired by the senior manager to whom the Internal Audit Director reports—typically the Vice Chancellor for Business or Deputy Lab Director for Operations. That Vice Chancellor, the University Auditor and the Audit Director are ex officio members of each campus or lab audit committee.

Meeting Frequency

.04 Committees should meet quarterly, or three times per year at a minimum. The meeting cycle can be viewed as tied to the annual audit plan cycle. Prior to submission of the annual audit plan to the Chancellor and Regents for approval, it should be reviewed and approved by the audit committee. This typically occurs in April. In the fall, September to November, a second meeting is useful to review the results of the prior year and first quarter (if available) and to approve changes to the plan as necessary. A third meeting in early winter, January or February should be held to begin the process of providing committee input into the risk assessment for the planning cycle for the next year, as well as to approve additional changes to the plan as necessary—a mid-year course correction if needed.

Regular Agenda Items

.05 The regular agenda should cover at a minimum:
• approval of prior meeting minutes,
• a summary of progress against the annual plan,
• proposed changes in the approved plan,
• current project-specific summaries of significant reports issued and their observations including significant investigation activities (and influence on the program of regular audits),

Regular Agenda Items (cont’d)

the Chancellor and others.
• staffing changes and their impact on completion of the audit plan,
• a summary of external activities and significant issues identified,
• a summary of open management corrective actions from previously issued audit reports especially for situations where senior management awareness could lead to more rapid action or the removal of barriers to action to improve controls,
• open recommendations from previously issued audit reports should be reported at regular intervals, especially for situations where senior management awareness could lead to more rapid action or the removal of barriers to action to improve controls.

In addition, on an annual basis, the regular agenda should include the proposed annual plan and an annual summary report of the activities conducted by the Internal Audit function during the year. A significant portion of a mid-year meeting should be devoted to discussion of risk issues facing the University and the location.

Audit Plan Role

.06 The audit committee shall recommend the annual audit plan to the Chancellor/Laboratory Director for approval, who in turn recommends the audit plan to the University Auditor for approval. The University Auditor consolidates the location audit plans and submits the Annual Report Internal Audit Plan to the Regents’ Committee on Audit for ultimate approval. The most important role the audit committee plays in the formulation of the audit plan is assistance in risk identification.

Any changes to the annual plan that result in approved audits being dropped from the current year workplan, even if only deferred until a subsequent year, require the approval of the audit committee and the University Auditor. This mechanism for change acknowledges the dynamic nature of our environment but also our accountability for completion of the plan of work approved by the committee.

Audit Reports and Follow-ups

.07 The audit committee’s input and guidance on sensitive matters can be very useful to effective communications in audit reports. In addition, their support in gaining customer acceptance and encouraging committed responses to recommendations can be very useful to effecting improvements. Accordingly, Audit Directors may choose to share draft audit reports with audit committee members to further these objectives as appropriate on an ad hoc basis. Care should be taken so as not to create a report issuance protocol that conveys an impression that the audit committee approves the draft reports for issuance. The reports are the product of the internal audit program and must be viewed as independent of management influence. And lastly, broad awareness that the audit committee has an active interest in tracking follow-up activities to make sure that committed actions are completed in a timely manner helps assure their appropriate attention.

Monitoring

.08 The University Auditor’s Office will monitor Local Audit Committee meeting frequency, attendance, and coverage of core topics, and agendas to ensure compliance with charter requirements and will remind locations when their actual and planned meeting frequency, attendance, and agendas do not meet expectations.

External Audit & Agency Reviews

.09 The audit committee should routinely receive updates on external audit and agency reviews occurring at the institution. Such reviews can pose serious risks to the institution and warrant active oversight and monitoring. As external reviews may be coordinated by various functional units, schools, or divisions, the audit committee should serve as the central oversight and monitoring body to assure risks are identified and corrective actions implemented where indicated.

Annual Report

.10 The audit committee should be presented with a formal annual report to provide an overall opinion on the state of the local control environment. Such reporting will apprise the audit committee of activities of the internal audit program as well as summarize key audit areas covered, identify significant risk and internal control deficiencies, local program initiatives, as well as outstanding high risk corrective actions.

2500 Appendix 5 - Guidelines for Local Audit Committees

(CAMPUS/LAB LOCATION) LOCAL AUDIT COMMITTEE SAMPLE CHARTER

Purpose

The (Campus/Lab Location) Local Audit Committee will assist the (Campus/Lab Location) Audit Department (Department) by helping to ensure that its objectives and goals support those of (Campus/Lab Location) and the University.

Mission

The mission of the Department is to assist management and the Board of Regents in the discharge of their oversight, management, and operating responsibilities through independent audits and consultations designed to evaluate and promote the system of internal controls, including effective and efficient operations.

Independence and Objectivity

To permit the rendering of impartial and unbiased judgment essential to the proper conduct of audits, internal auditors are independent of the activities they audit. This independence is based primarily upon organizational status and objectivity.

Regarding organizational status, the Director of the Internal Audit Department reports functionally to the University Auditor, who in turn reports to the Board of Regents and the Senior Vice President--Business and Finance, and administratively to the (indicate position to whom the Audit Director reports, typically the Vice Chancellor of Business and Administration, who in turn reports to the Chancellor).

Internal Audit’s independence is also based on its objectivity. Objectivity is a mental attitude which internal auditors should maintain in performing audits. Internal auditors are not to subordinate their judgment on audit matters to that of others. In performing the audit function, the Department has no direct responsibility for, or authority over, any of the campus/lab processes reviewed.

Composition and Chair

The Local Audit Committee will be chaired by the (position title of person who will chair the committee) and will be comprised of representatives from (list constituencies represented, which should include representatives from the faculty administrative leadership, the health sciences enterprises, the research perspective, and others as deemed appropriate, such as controller, student and auxiliary services, budget, human resources, etc.). The Chair, the University Auditor, and the Audit Director are ex officio members of the Audit Committee.

Meeting Frequency

The Local Audit Committee will meet quarterly (or no less frequently than three times a year).

Scope of Responsibilities

In order for the Local Audit Committee to assist the Department in carrying out its mission and maintaining its objectivity and independence, the regular agenda will cover:
• Approval of prior meeting minutes
• A summary of progress against the Annual Audit Plan
• Proposed changes to the approved Annual Audit Plan
• Personnel changes and their impact on the completion of the Annual Audit Plan
• Current project-specific summaries of significant reports issued and their observations
• Major investigation activities and their impact on the program of regular audits
• Summary of external activities and significant issues identified
• Open recommendations and/or management corrective actions from previously issued audit reports, especially for situations where senior management awareness could lead to more rapid action or the removal of barriers to action to improve controls
• On an annual basis, the proposed Annual Plan and an annual summary report of the activities conducted by the Internal Audit function during the year.

Role in the Development of the Annual Audit Plan

The Local Audit Committee should participate in and review the activities related to the development of the Annual Audit Plan, including the risk identification and risk assessment processes. The Local Audit Committee should review the proposed Annual Audit Plan and recommend its approval prior to its submission to the University Auditor for consolidation into the systemwide Annual Audit Plan. Any changes to the Annual Audit Plan that result in approved audits being dropped from the current year’s plan, even if it only involves the audit’s deferral into a subsequent year, require the approval of the Local Audit Committee and the University Auditor.

Other Roles and Responsibilities

(Describe any other roles and responsibilities of the Local Audit Committee that have not already been discussed.)

3000 INTERNAL AUDIT PROGRAM PLANNING AND REPORTING

Section Overview

.01 The following Section sets forth the annual processes by which the operating and strategic plans for the Internal Audit Program are developed, monitored for progress and reported to customers.

Planning

.02 UC Internal Audit undertakes an extensive planning process to establish the operating plans for the Internal Audit Program on an annual basis. These plans guide the Program in its goal of providing the most timely and comprehensive scope of audit and other services possible and in deploying its resources in an effective and efficient manner. In addition to the operating plan, a strategic plan for the continuous improvement of the Program is established and maintained on an ongoing basis. While the strategic plan goals, objectives and initiatives are re-assessed on an annual basis, many elements of the plan may have a multi-year planning perspective.

Reporting

.03 Internal Audit monitors activities and progress toward both the annual operating and strategic plans and reports the related information to The Regents and Senior Management on a quarterly and annual basis.

3100 Strategic Plan

Overview

.01 The strategic plan is one component of the Internal Audit Program Annual Plan and conveys the planned efforts designed to provide continuous improvement to the Internal Audit Program. The strategic plan is a dynamic set of goals and objectives agreed to by the University Auditor and IAD’s for the purposes of strengthening the Internal Audit Program. It is created with a multi-year perspective with short-term milestones that can be measured to assure progress. It is constantly revised as tactical initiatives are established and executed. The specific strategic plan goals in place at any given time are included as an exhibit to this manual and can also be found on the University Auditor’s homepage.

Objectives

.02 The strategic plan objectives are driven by Internal Audit's recognition of the needs and opportunities to improve the Program, recommendations from periodic external reviews and changes in the direction of the Internal Auditing profession. The current initiatives are periodically assessed to validate the direction of the Program.

Plan Establishment

.03 The University Auditor convenes the IAD’s for the purpose of creating the strategic plan. A consultant or facilitator may be employed to assist the group. The strategic Plan is established and revised every two years, although external events or newly recognized Program needs may dictate a different interval.

Plan Execution

.04 Structure and Charter of workgroups - Execution of the strategic plan is carried out by all of the Internal Audit Directors and managers through their organization into various workgroups. The workgroups are charged with execution of the strategic plan on behalf of the University Auditor and IAD’s as a whole. Their efforts are preliminary rather than determinative as significant proposals for Program policies, initiatives and direction are brought back to the group as a whole for approval before significant effort or resources are committed. The University Auditor participates in the activities of all workgroups and provides overall leadership to the strategic planning efforts as one of the position’s principal responsibilities.

Plan Execution (cont’d)

Each workgroup has a Director who, at the request of the University Auditor, convenes the Team and is generally the spokesperson for the Team in communications with the Directors as a whole.

Refer to Appendix 6 for the most recent Strategic Plan details.

3100 Appendix 6 – Strategic Plan

UNIVERSITY OF CALIFORNIA INTERNAL AUDIT FY 2004 – 2005 GOALS AND INITIATIVES

The University Auditor and Campus/Lab Internal Audit Directors have sustained a commitment to continuous improvement of the Internal Audit Program over the years. Towards that end, a strategic plan is established and revised every two years to provide strategic guidance to the Audit Program leadership in these efforts. The Goals and Initiatives of the recently established strategic plan are as follows:

GOALS - to address contemporary and emerging risks and issues and to promote a culture of accountability and integrity, the UC Internal Audit Program must excel at:

Operational excellence
Provide timely, quality, cost-effective products and services with the effective use of resources.

Innovative Service
Render customized, creative, cutting-edge, functional, and flexible service improvements grounded in our core competencies.

Stakeholder/Client Relationships
Be a proactive, credible, respected, trusted, responsive, business-oriented resource.

INITIATIVES IN SUPPORT OF THESE GOALS INCLUDE:

Professional Proficiency
• Assess available and needed skills – gap analysis to fill needs
• Promote attainment of professional certifications and involvement in professional organizations

Identify the Right Risk Issues and Trends Timely
• Develop improved process for collecting, reporting, disseminating and acting upon “hot topics” and significant findings
• Develop improved diagnostic tools for continuous monitoring
• Reassess risk assessment process and evaluate Enterprise Risk Management

Communications
• Define annual report content and sources of data
• Improve internal reporting content and criteria
• Develop more effective stakeholder relationships

Adequately Manage Resources
• Develop improved strategies for leveraging resources
• Research industry practices and develop new/additional benchmarks to assess minimum standards and needs

3200 Operating Plans

Overview

.01 The Operating Plan is the primary component of the UC Annual Audit Plan. The Plan represents the consolidated audit plans of each of the Internal Audit Departments, thus permitting local flexibility and input in determining the allocation of audit resources. The Plan strives to assure an appropriate balance among the University's lines of business as well as the Internal Audit Program's three service activities, as well as the allocation of human resources necessary to deliver these services to customers. The Plan also serves as a tool to assist internal audit management in analyzing its mix of customers and services and for measuring and monitoring the risk exposure in the audit universe.

The most recent audit plans can be viewed at: http://www.ucop.edu/audit/plans_reports/annualplans.html

Annual Audit Planning

.02 The Plans are developed annually through a comprehensive risk assessment and audit planning process. The University Auditors Office (UAO) leads a collaborative process to establish the audit universe, identify strategic and business risk and develop the planning guidelines to complete the Annual Audit Planning process.

Establishment of Audit Universe

The audit planning process begins with an understanding of the entity, activity or process to be audited and identification of the auditable elements, or components, of the entity, traditionally referred to as the audit universe. Annually, the planning process involves reconsideration of transactions, events or conditions which may impact the audit universe such as:
• New activities, organizations and programs
• Changes within the existing organization or operating units

Identification of Risk

The Annual Audit Plan is driven by consideration of the institution's strategic, financial, operational, regulatory and reputational risks at both a system-wide and local level. The risks identified are organized along the University's lines of business:

Identification of Risk (cont'd)

• University-wide Risk - Risks which affect the University's mission of teaching, research and public service as well as patient care
• Campus Based Risk – Risks that impact the campuses generally, such as enrollment growth, capital, operating and research funding
• Laboratory Based Risk – Risks that impact the three national laboratories, such as political and regulatory risks or matters affecting the DOE contract
• Health Sciences Based Risk – Industry and regulatory risks, such as managed care, medical education and disproportionate share funding, and Medicare enforcement

Sources of Information - A variety of sources are utilized to identify risks for the University as a whole. These sources include: regulatory experts, financial experts, The Regents' Audit Committee, Office of the President Executives, Chancellors, Vice Chancellors, Laboratory Directors, local Audit Workgroup Members, and senior laboratory and campus managers.

Development of Annual Planning Guidelines

The UAO develops Guidelines for Audit Planning on an annual basis and submits proposals for any revisions to the University Auditor and Campus and Laboratory Audit Directors. These guidelines include:
♦ Timeline for audit planning process
♦ Risk Model, risk analysis worksheets and guidelines for the assignment of predictive risk factors
♦ Narrative outline of the lines of business risk
♦ Guidelines for resource allocation

UAO also distributes a memorandum along with the Planning Guidelines to the University Auditor and the UC Directors/Managers.

Annual Planning Time Line

UAO distributes a specific time line defining procedures and related deadlines for the audit planning process to the campus and laboratory Audit Directors each year. The timeline is developed to facilitate the timely preparation of the Operating Plan for its inclusion in the Annual Audit Plan presented to The Regents Committee on Audit at their May meeting. Refer to Appendix 7 for sample timeline.

Annual Audit Planning Process

.03 The Annual Audit Planning process involves the Risk Assessment Phase and the Audit Plan Preparation Phase.
• The Risk Assessment Phase is performed at the beginning of the planning cycle and is focused on gathering current risk information about the audit universe components and assessing the relative risks necessary to prepare the Annual Audit Plan.
• The Audit Plan Preparation Phase is performed upon completion of the Risk Assessment Phase and represents an exercise in deploying Internal Audit’s resources in the most effective manner possible prioritizing risks and assuring balance in the Annual Plan, all in the context of the institution’s risks previously identified.

Risk Assessment

.04 A comprehensive and thorough risk assessment is the key driver in the development of an effective audit plan. The risk assessment process involves both a high level overview of topical and selected strategic business risk as well as an intensive and comprehensive process to assess risk for all items included in the audit universe.

Audit Universe and Definitions

The audit universe identifies process and entity topics to allow individual campuses and labs the flexibility to include local and specific topics, to minimize the number of line items requiring calculated risk assessments, and to provide a reporting format that can be condensed at the levels of the various “tiers” for reporting to different audiences and for different purposes. The universe is divided into four tiers as follows:
• Tier One consists of major reporting categories.
• Tier Two consists of major processes and entity groupings.
• Tier Three consists of predominantly major process topics and is generic across all sites. Sites do not have the ability to modify Tier Three. This permits comparative evaluation of risk scores across all sites for specific topics.
• Tier Four consists of predominantly local specific organizational entities and minor process topics.

Audit Universe and Definitions (cont'd)

• Entities that are related to Tier Two broad categories such as “departments” or “programs” should be added to Tier Four by individual sites, based on specific site criteria. It is possible that elements of Tier Four could change each planning year for each site.

Documentation shall be available to explain major deviations in Tier Three scores or why a Tier Three topic, scored in the previous year, was not scored.

NOTE: The term “sites” rather than “locations” is used above because at the health science campuses risk assessment is performed for both the campus and health sciences sites separately.

The Audit Universe (Tiers 1 -3) is included as Appendix 9.

Relative Risk Assessment

A formal risk assessment process is required every year. During this formal risk assessment process, each topic included in Tiers Three and Four is ranked after significant data gathering, analysis and discussion with management, members of the Audit Committee or Workgroup and others. Relative risk assessment is necessary to provide a means for rational deployment of limited resources across the audit universe.

The audit risk of each component unit in the audit universe is assessed using a methodology traditionally utilized by auditors. In assessing relative risk, auditors at each location gather information from:

• Financial analyses
• Change analyses (management, regulations, funding sources/levels, etc.)
• Interviews with management
• Consideration of external audit activities
• Audit issues identified and shared by the controllers, other UC locations and other universities systems.

Relative Risk Assessment (cont'd)

Risk Model

The Risk Model reflects COSO terminology and is applied to all UC lines of business. The factors proposed for campus, laboratory and health sciences environments are identical. However, different weightings for each factor within these three environments have been established.

Predictive Factors And Value Weights

In the risk model, each component of the audit universe is assessed for relative risk considering the following:

Quality and Stability of Control Environment - Assessment of control environment is based on factors such as:

• Adequacy of the existing control structure
• Expertise of management
• Historical problems
• Interval since the last audit review
• Conditions found during recent reviews
• Adherence to the budget
• Complexity of operations and technology
• Overall effectiveness and efficiency of operations
• Significant downsizing
• Early retirement programs
• Reengineering efforts to streamline processes

The relative performance of a function as perceived by other managers may influence risk. In general, effective management reduces overall risk.

Business Exposure (Materiality and Liquidity of Operational Resources) - Larger potential losses are normally associated with larger sized activities, as indicated by revenues and expenditures. Other things being equal, large dollar amounts either flowing through a system or committed to an activity or project will increase audit interest. Dollar amount and relative liquidity of assets safeguarded will impact this factor. Other objective information to be considered for each auditable unit includes the dollar amount of cash receipts, receivables, inventory and plant and property safeguarded.

Predictive Factors And Value Weights (cont'd)

Public and Political Sensitivity - A public relations exposure exists whenever an event occurs which would erode public confidence in the University. As sensitivity, exposure, or potential for public embarrassment increases, the risk factor assigned will increase. The following conditions influence this factor:

• Probability of adverse publicity
• Reduced support
• Tarnished reputation or depletion of goodwill
• Erosion of the legitimacy of the University’s mission or miscommunication of traditional values

Selected audit topics may not appear to be material, but could nevertheless influence risk. The amount of interest that The Regents or the Office of the President expresses in a particular unit or function could also impact this factor.

Compliance Requirements - Complexity and clarity of all internal and external policy, procedure, regulatory and statutory matters affecting the operations of the organization as a whole or any of its sub-units impacts an organization's ability to comply, and therefore influences risk. Risk associated with noncompliance relates to the inability to meet business objectives which can result in monetary loss due to:

• Improper business practices
• Levy of fines or litigation
• Loss of funding sources and disallowed costs from funding agencies.

Information Technology and Management Reporting - Reliable information is needed at all levels of an organization to run the business and move toward achievement of the entity’s objectives in all categories. Reliable internal measurements are essential for generating information used in:

• Developing financial statements for external dissemination
• Operating decisions, planning, budgeting and pricing
• Monitoring performance, providing services and allocating resources
• Evaluating vendor performance and joint ventures

Predictive Factors And Value Weights (cont'd)

Risk factors for information and reporting to be considered for assigning value weights to each auditable unit include:

• Extent to which the process or entity depends upon a computerized information system and the complexity of that system
• Time sensitivity, mission criticality, support of life safety processes
• Campus wide impact due to the loss of access to information or reporting
• Accuracy, availability, and integrity of the information provided either via manual or automated systems.

Risk Model Scoring and Ranking

These predictive factors are weighted, scored and the relative risk ranking of each component of the audit universe is compiled by Local Audit Management. The Risk Model and Guidelines for the assignment of predictive risk factors are included as Appendix 8.

Risk index results for audit topics in one line of business environment should be comparable to risk index results for audit topics in other environments. For example, an index of 700 for a medical center topic should indicate the same level of risk as an index of 700 for a campus or laboratory topic. Although the entire four-tiered package will be forwarded to the UAO, only the calculated risk factors from Tiers One through Three will be rolled up into the consolidated calculated risk ranking analyses and summaries.

Determination of High Risk

As part of the Audit Planning Guidelines prepared by the UAO, a definition of “High Risk” items will be developed for use in the planning process. The current definition of high risk is the top 10 (or equivalent) risk scores at each site. This designation is used to measure coverage of high-risk items and for other analytical purposes.

Analyses of Risk Assessments

As part of the risk assessment process the University Auditor will prepare various analyses of the preliminary risk assessments to assist in the consistent application of the risk assessment methodology among all of the UC sites. The analyses also strive to identify common risks for the purpose of recognizing opportunities for sharing risk mitigation strategies. The analyses and their impact on the Annual Audit Plan will be discussed among Audit Directors and their managers at a meeting held for this purpose and scheduled as part of the Annual Planning Time Line.

Audit Plan Preparation

.05 Upon completing the risk assessment process, each Local Audit Management prepares a Local Annual Audit Plan following the requirements of the Planning Guidelines. The package of Audit Plan materials is submitted to the UAO along with the final risk assessment results according to the time line outlined under paragraph .02 of this Section.

Audit Plan Preparation (cont’d)

A Sample Local Annual Audit Plan format and narrative instructions are included in Appendix 10.

Resource Allocation Guidelines

General guidelines for the allocation of the percentage of time to selected time charge categories are provided below. These are only guidelines that may be changed from time to time, and local circumstances may dictate planned levels outside the ranges presented below. When this situation occurs, the Audit Director should address the unique circumstances in the transmittal letter accompanying the Audit Plan.

In general, it is anticipated that an average of 85% of total time available should be budgeted for direct time charges.

The range of regular audit time is expected to be between 40% and 65%. This is a very large range and will depend on matters such as demand for investigations and advisory services. Within this total, approximately 10% is normally expected to be set aside for Supplemental Audits.

The range for audit advisory services (consisting of consultations, special projects, systems reengineering, and internal control training--including control and accountability initiatives) is expected to be between 10% and 25% including External Audit Coordination which is to be a part of this reporting category.

On an overall basis, it is expected that investigation time will be between 10% and 15%. On an individual location basis, the range of normal budgeted amounts is 5% to 20%. Anything outside the upper end of this range should be commented upon and consideration should be given to whether the investigation level represents an undue intrusion on the ability to deliver normal audit services. Local offices should budget this category based on their own experience and expectations.

An expectation of 6% has been established for audit support activities including audit planning, audit committee support, system-wide audit support, computer support and quality assurance on an overall basis. On an individual location basis, the normal range is 5% to 10%.

Resource Allocation Guidelines (cont’d)

Laboratory audit functions must be responsive to DOE requirements, and must be responsive to DOE requests for DOE mandated audits for topics such as cost allowability. In some cases, these requirements may impact the ability of the laboratory audit functions to meet the above guidance.

Documentation of Planning Process

Each Audit Director should maintain documentation of the annual audit planning process. This documentation should include:

• Records of internal planning sessions
• Records of management input to the planning process
• Financial and other background information collected for selected audit planning topics

The Audit Director should also provide a written explanation in the annual audit planning documentation for any topic assessed as a High Risk that is not included in the final annual audit plan.

Approval of the Annual Audit Plan

.06 Upon completion, the Annual Audit Plans are subject to review and approval as follows:

♦ By the Local Audit Workgroup (who recommends approved plan to the Chancellor/Lab Director)
♦ By the Chancellor/Lab Director (who recommends approved plan to the University Auditor)
♦ By the University Auditor (who submits the Annual Report Internal Audit Plan to the Regent’s Committee on Audit for final approval)

Laboratories - In accordance with UC/DOE contractual guidance, the laboratories must submit their annual audit plans to DOE for review and approval.

Changes to the Annual Audit Plan

Revisions to the audit plans may be necessary in some circumstances. The required procedures for revising audit plans depend upon the nature and extent of the change.

Changes to the Annual Audit Plan (cont’d)

Minor Changes - Relatively minor changes to priorities and the contents of the plan should be submitted for information to the Campus Audit Committee.

Significant Changes - Significant modifications to the plan should be addressed with the Campus Audit Committee and the University Auditor. For example, all topics which are ultimately defined as being in the high risk category and are included in the annual plan and which are subsequently likely to be cancelled or postponed must be reported to and discussed with the Campus Audit Committee and the University Auditor.

Laboratory - Modifications to laboratory audit plans should be made in accordance with contractual responsibilities to DOE. In general, significant changes should be discussed in advance with appropriate DOE representatives, as well as the Local Audit Committee and University Auditor. In addition, because the laboratory audit functions must be conducted in a manner "satisfactory to DOE," any laboratory which does not expect to make substantial progress in meeting its annual plan should communicate this circumstance to DOE for appropriate mutual resolution.

Request for Assistance

.07 Any location which does not expect to accomplish at least 50% of planned audit and advisory services (line items) listed in the annual audit plan as amended should confer with the Audit Committee and the University Auditor to determine a mutually acceptable method of obtaining additional resources or implementing an alternative method to provide greater breadth of coverage. If the above guidelines cannot be met, the Audit Director should consult with local management and the Office of the University Auditor.

UNIVERSITY OF CALIFORNIA INTERNAL AUDIT MANUAL 3200 Appendix 7 . Submit local annual audit plans to the University Auditor. Submit the local risk assessment results to the University Auditor. Present local annual audit plans to Local Audit Committees. Perform comparative analyses based on the risk assessment results and distributes the analytical results to the Local Audit Management. Perform the risk assessment process utilizing the risk model and methodology and validate procedures with local management. Prepare consolidated UC Annual Audit Plan and send to Regents' Item Coordinator. Responsibility UAO Timing November and December 2 UAO/ Directors/ Managers UAO November/ December 3 End of January January to March March March/ April March 4 Local Audit Management Local Audit Management UAO 5 6 7 Local Audit Management Local Audit Management Local Audit Management UAO UCOP 8 9 10 11 March to April End of March April to May May University of California 6/9/2009 Page 67 . Meet with University Auditor to discuss preliminary risk results and share information in order to prepare local annual audit plans. Directors/Managers and UAO meet to identify and describe Lines of Business risks (Contemporary risks). Distribute Annual Planning Guidelines and Risk Analysis Worksheets to Audit Directors. Present consolidated UC Annual Audit Plan to UC Regent’s Committee on Audit.Operating Plans Annual Audit Planning Time Line Step 1 Procedure Work with Local Audit Directors and Managers to obtain and review current information relevant to the audit universe and determine its effect on the Annual Planning Guidelines.

UNIVERSITY OF CALIFORNIA INTERNAL AUDIT MANUAL 3200 Appendix 8 . significant reengineering. high turnover. efficient and effective operations. high public interest Regents. significant change in processes. major system changes. well run organization. State or Federal audit interest. early retirements. significant change in prior year budget. national exposure. good reputation. loss probability is significant Exposure represents a significant percentage of total campus operations. management changes. or fairly recent audit with significant unresolved issues or material cash losses. loss probability is high 3 4 Public and Political Sensitivity 1 2 3 4 No press or local press interest in generic topic/ Exposure potential is relatively immaterial Somewhat politically sensitive.Operating Plans University of California Risk Model (Page 1 of 2) Score Key Descriptive Phrases Quality and Stability of Control Environment 1 High confidence in control environment. no increase or decline in budget Good/reasonable confidence in control environment. audited with moderate issues within the last three. high whistleblower or grievance activity. stable organization. 2 3 4 Business Exposure (Materiality and Liquidity of Operational Resources) 1 2 Low probability of loss/ Exposure potential is relatively immaterial Exposure represents a relatively low percentage of total campus operations. recently audited with good results. sound system of internal control. poor campus reputation. but interest is narrowly focused to a limited audience IGA potential.five years with completed follow-up and corrective actions. not audited within the last five years. average turnover in key personnel. loss probability is moderate Exposure represents a moderate percentage of total campus operations. average change in prior year budget Limited confidence in control environment. downsizing. no prior audit coverage. extreme public interest University of California 6/9/2009 Page 68 . loss of funding. 
turnover in key personnel Little or no confidence in control environment.

system may be older and unable to provide necessary data. or entity is complex or newly implemented and tested. utilizes good technology. mission critical or supports life safety processes or activities. somewhat inefficient or ineffective processes High percentage of transactions subject to complex and changing policies. and has poor security. flexibility permitted in meeting policies. system is highly complex. procedures. needs minor enhancements to fully achieve appropriate system objectives and functionality. Information system. or entity is outdated. procedures & regulations Moderate or significant percentage of transactions subject to policies. impacts other processes or entities or may support life safety process or entities Low degree of information accuracy. System. Information system. availability. and entity are relatively stable and secure. Loss of access to system generated information or reporting capability would have low campus. procedures. and has adequate and trained staff. timeliness or usefulness of information. unallowable costs. has campus-wide impact. Loss of access to system or reporting will have fairly major campus. timeliness and usefulness. heavy fines. procedures. procedures & regulations. process or entity impact Some minor issues of accuracy. application. effective and efficient business processes Significant or high percentage of transactions subject to complex policies. & guidance. application. implementation of system was adequate Uncertain reliability of data. and regulations. system is complex. timeliness & usefulness of information. or entity is secure. unstable. stable. clear and simple policies. Computing risks have not been adequately addressed or controlled. application. process or entity impact. 
high probability of monetary or funding source loss Key Descriptive Phrases (cont'd) 4 Information Technology and Management Reporting 1 High degree of accuracy.Operating Plans University of California Risk Model (Page 2 of 2) Score Compliance Requirements 1 2 3 Few or limited regulations. Information system. timeliness of information or usefulness.UNIVERSITY OF CALIFORNIA INTERNAL AUDIT MANUAL 3200 Appendix 8 . & regulations. application. 2 3 4 University of California 6/9/2009 Page 69 . availability. ineffective or inefficient processes.

c.d B.07 A.03 B.b.c.05 B.d.e.01 B B.06 A.c.01 B.b.03 A.01 A.02 A.02 A.e.a.06 B.d.02 B.a A.c A.d.01 A.a B.d.a.05 A. Registration and Scheduling Admissions.UNIVERSITY OF CALIFORNIA INTERNAL AUDIT MANUAL 3200 Appendix 9 .b.03 A.b B.d.02 A.02 B.c.b.Operating Plans Audit Universe (Page 1 of 8) INDEX MAJOR REPORTING CATEGORY PROCESS OR ENTITY GROUPINGS MAJOR PROCESSES AND COMMON ADMINISTRATIVE SERVICES TIER 1 A A.c B.04 A.b.01 B.d A.d.f Departments Clinics Health Sciences Operations Outreach Programs Campus Departments & Instruction TIER 2 TIER 3 Academic Affairs & Support Academic Affairs & Support Academic Personnel Departments / Principal Administrative Units Departments / Principal Administrative Units / Tier 3 Graduate Extended Studies Summer Session University Extension Student Affairs Admissions ASUC Financial Aid Recreation Registrar Student Fees and Receivables Student Health Outreach Program(s) Admissions.01 A. Registration and Scheduling Ancillary Services Laboratories Laundry Medical Records Pharmacy Radiology Tissue Bank Hospital Based Clinics Primary Network Clinics Compensation Plan Compensation Plans Departments / Tier 3 Managed Care University of California 6/9/2009 Page 70 .04 B.e A.01 B.01 A.01 B.b.c.01 B.b.d.a.d.e B.b A.

d.c.c.Operating Plans Audit Universe (Page 2 of 8) INDEX MAJOR REPORTING CATEGORY PROCESS OR ENTITY GROUPINGS MAJOR PROCESSES AND COMMON ADMINISTRATIVE SERVICES TIER 1 B.i.h B.e C.05 C.b C.04 C.03 B.c.02 B.02 C.01 B.g.i.g.03 C C.b.a.b.d C.03 C.03 C.04 C.e.01 C.i B.a.f.b.a C.01 C.d.UNIVERSITY OF CALIFORNIA INTERNAL AUDIT MANUAL 3200 Appendix 9 .c.a.b.02 B.03 B.a.03 C.05 C.04 C.01 C.c C.f.01 B.d.05 C.d.02 B.b.01 B.g B.01 B.02 C.h.02 C.02 C.b.01 C.f.01 Lab Research Programs & Processes TIER 2 Affiliated Agreements Claim Adjudication Contracts Medical Services TIER 3 Emergency and Trauma Nursing Surgical Operations Medical Staff Administration Medical Staff Administration Medical Billing and Receivables Hospital Receivables MediCare Cost Reports Physician Receivables Major Programs Defense and Nuclear Technology Laser Technology Threat Reduction (Nonproliferation) Homeland Security Scientific Disciplines Computing Sciences Physical Sciences Energy Sciences BioSciences General Sciences Engineering Services UC/DOE Contract Administration Appendix F-Performance Measures Appendix G UCDRD Funds Cost Allowability Clauses Precious Metals Accountability Safeguards and Security Information Security Physical Security Personnel Security Computer and Communications Security Nuclear Material Control Work for Others Work for Others University of California 6/9/2009 Page 71 .g.03 C.i.c.06 C.04 C.d.

f.d.03 D.d D.05 D.c.c.04 D.02 D.b.04 D D. Policy Research Center UC Press UC Merced CEB Ed Abroad Program MultiCampus Research DANR Ag Experiment Station Natural Reserve System (33 sites) Coop Extension (CE) Statewide Programs Immediate Office Health Services Clinical Services Health Affairs Special Research Programs Immediate Office HR/Benefits Health/Welfare Cafeteria Benefits Immediate Office/Support Retirement Plan and Annuitant Services Office of General Counsel Outside legal expenses Immediate Office Conflict of Interest Policy and Compliance Secretary of The Regents Coordination and Review Office of the Treasurer Immediate Office MAJOR PROCESSES AND COMMON ADMINISTRATIVE SERVICES TIER 3 Audit Universe (Page 3 of 8) INDEX MAJOR REPORTING CATEGORY TIER 1 C.a.02 D.04 D.a.03 D.02 C.c.d.01 D.e D.10 D.01 C.c D.09 D.a.a.Operating Plans PROCESS OR ENITY GROUPINGS TIER 2 Oversight and Monitoring Activities Sub contract administration Price Anderson ES&H Review Other Monitoring activities Office of the President Academic Affairs Immediate Office Outreach Program Academic Advancement Academic Initiatives Ca.03 C.01 D.a.f.e.02 D.f.01 University of California 6/9/2009 Page 72 .01 D.01 D.03 D.c.07 D.03 D.05 D.03 D.UNIVERSITY OF CALIFORNIA INTERNAL AUDIT MANUAL 3200 Appendix 9 .b.a.b D.a.f.b.g D.b.04 D.d.b.02 D.a.g.06 D.f C.a D.01 D.f.a.f D.e.e.a.02 D.08 D.01 D.

g.a.a.b.01 F.e.01 E.a.02 E. Budgeting Allocation Process Regents Budget Process Reports to the Legislature MAJOR PROCESSES AND COMMON ADMINISTRATIVE SERVICES TIER 3 Audit Universe (Page 4 of 8) INDEX MAJOR REPORTING CATEGORY TIER 1 D.f.a F.d.01 E.03 E.a.01 E.g.a.02 F.a.05 F.03 D.c E.a.02 E.06 D.g.04 D.a.03 F F.03 E.a.06 F.h D.e E.h.07 University of California 6/9/2009 Page 73 .b.f E.01 E.a E.02 D.02 E.a.05 D.07 D.b.c.UNIVERSITY OF CALIFORNIA INTERNAL AUDIT MANUAL 3200 Appendix 9 .Operating Plans PROCESS OR ENITY GROUPINGS TIER 2 Investments Operations and accounting Real Estate Bank and Cash Management Debt Management STIP Operations GEP Operations Lab Administration Office of Lab Admin Research and Compliance Compliance Program Hospital/Facility Home Health Laboratories Pro Fee Billing Clinical Research Institutional Review Boards Human Subjects Animal Subjects Clinical Trials ORU's/Institutes/MRU ORU's/Institutes/MRU / Tier 3 Contracts & Grant Pre Award Post Award Extramural Fund Accounting Extramural Fund Accounting / Tier 3 Cost Distribution Disclosure Statements Effort Reporting Indirect Cost Rate/Overhead Budget/Planning Budget/Planning Chancellor's Contingency Funds Monitoring Planning and Formulation Capital Planning.d E.g.g.f.a.08 D.02 E.04 E.01 E.b E.g.05 E.01 E E.d.a.03 F.g.04 F.f.01 E.

01 H.UNIVERSITY OF CALIFORNIA INTERNAL AUDIT MANUAL 3200 Appendix 9 .c.04 G.03 G.a G.01 G.01 H.f.01 H.b.d H.a.03 Procurement Business Contracts Low Value Purchase Orders /Purchasing Cards Payroll Payroll Processing Honoraria Employee Eligibility Time Reporting Financial Reporting / Accounting General Ledger Sub Ledger Systems Tax Accounting Endowment Accounting Disbursements Accounts Payable Check Requests Entertainment Travel EFT Cash Management Bank Account Administration and Reconciliation Cashiering/Sub Cashiering Financial Management Misc.a H.a.c.Data Center & Networks Information Technology & Communications Information Infrastructure Strategic Planning Network Management University of California 6/9/2009 Page 74 .e H.03 H.03 H.02 H.f H.04 H.b.d.b.01 G.b.f.04 H.04 H.b.b H.05 H.b G.c.d.02 H.e.01 G.02 H. Billings and Receivables Scientific Computing General Controls Academic Computing General Controls Central Administrative Computing Software Acquisition.c.e.05 G.b.Operating Plans PROCESS OR ENITY GROUPINGS TIER 2 MAJOR PROCESSES AND COMMON ADMINISTRATIVE SERVICES TIER 3 Audit Universe (Page 5 of 8) INDEX MAJOR REPORTING CATEGORY TIER 1 G G.e.02 H.e.01 H.02 G.a. Billings and Receivables Misc.01 H.d.d.c G.d.02 G.03 H.c.b.d G.01 H.c H.c.01 H H.06 G.b. Development and Maintenance Logical Security Database Systems Management Data Center Operations & OS Software Backup and Recovery Planning Physical Security -.

Audit Universe (Page 6 of 8)

INDEX | MAJOR REPORTING CATEGORY (TIER 1) | PROCESS OR ENTITY GROUPINGS (TIER 2) | MAJOR PROCESSES AND COMMON ADMINISTRATIVE SERVICES (TIER 3)
H.f.04 | | | Purchase Orders
H.g | | Property Management |
H.g.01 | | | Fabrication Accounting
H.g.02 | | | Personal Property
H.g.03 | | | Real Property/Leases
H.g.04 | | | Equipment Leases
H.g.05 | | | Major Supplies Management
H.h | | Third Party Relationships |
H.h.01 | | | Conflict of Interest/Conflict of Commitment
H.h.02 | | | Joint Ventures / Partnerships/Affiliations
H.h.03 | | | Technology Transfer
H.i | | Recharge Activities |
H.i.01 | | | Recharge
I | Risk Management | |
I.a | | Risk Management |
I.a.01 | | | General Liability
I.a.02 | | | Medical Malpractice
I.a.03 | | | Third Party Administrator
I.a.04 | | | Workers Compensation
I.b | | EH&S |
I.b.01 | | | Controlled Substances
I.b.02 | | | Hazardous Waste
I.b.03 | | | Safety Programs
I.b.04 | | | Select agents
I.c | | Public Safety |
I.c.01 | | | Fire and Emergency Management
I.c.02 | | | Police
I.d | | Response to Terrorist Threats |
I.d.01 | | | Response to Terrorist threats
I.e | | Emergency Preparedness Planning |
I.e.01 | | | Emerg Preparedness Planning
J | Human Resources & Benefits | |
J.a | | Benefits Administration |
J.a.01 | | | Benefits Eligibility
J.a.02 | | | UCRS
J.b | | Human Resources |
J.b.01 | | | Compensation
J.b.02 | | | Education / Training
J.b.03 | | | Labor / Employee Relations
J.b.04 | | | Recruitment / Staffing

Audit Universe (Page 7 of 8)

INDEX | MAJOR REPORTING CATEGORY (TIER 1) | PROCESS OR ENTITY GROUPINGS (TIER 2) | MAJOR PROCESSES AND COMMON ADMINISTRATIVE SERVICES (TIER 3)
J.b.05 | | | Temporary Staffing Programs
J.c | | Benefit Accounting |
J.c.01 | | | Compensated Absences
J.c.02 | | | Employee Medical and Other Plan Premiums
K | Facilities, Construction & Maintenance | |
K.a | | Construction Program |
K.a.01 | | | Major Construction Projects
K.a.02 | | | Minor Construction Projects
K.b | | Plant Operations and Maintenance |
K.b.01 | | | Emergency Services
K.b.02 | | | Maintenance
K.b.03 | | | Utilities
K.b.04 | | | Deferred Maintenance
L | Development & External Relations | |
L.a | | Development |
L.a.01 | | | Administrative Funds
L.a.02 | | | Endowment Accounting
L.a.03 | | | Foundations
L.a.04 | | | Alumni
L.a.05 | | | Fund Raising and Gift Processing
L.a.06 | | | Supports Groups
L.b | | External Relations |
L.b.01 | | | Government / Public Relations
M | Auxiliary, Business, & Employee Support Services | |
M.a | | Auxiliary Services |
M.a.01 | | | Athletics
M.a.02 | | | Bookstore/Employee Store
M.a.03 | | | Food Services
M.a.04 | | | Housing
M.a.05 | | | Libraries
M.a.06 | | | Museums
M.a.07 | | | Parking
M.a.08 | | | Storehouse
M.a.09 | | | University Events and Services
M.b | | Business Services |
M.b.01 | | | Conference Administration
M.b.02 | | | Continuing Education
M.b.03 | | | Faculty and University Clubs
M.b.04 | | | Fleet Management
M.b.05 | | | Mail Services

Audit Universe (Page 8 of 8)

INDEX | MAJOR REPORTING CATEGORY (TIER 1) | PROCESS OR ENTITY GROUPINGS (TIER 2) | MAJOR PROCESSES AND COMMON ADMINISTRATIVE SERVICES (TIER 3)
M.b.06 | | | Printing, Graphics and Photo
M.b.07 | | | Legal Counsel
M.b.08 | | | Records Management
M.c | | Employee Support Services |
M.c.01 | | | Child Care
M.c.02 | | | Staff Assistance Program

Appendix 10 - Operating Plans
Sample Local Annual Audit Plan – Schedule 1

University of California FY 20xx Audit Plan - Schedule 1 UCxx OR Lxxx Schedule 1 - Personnel Gross & Net Available Hours Calculation Number of authorized professional staff Number of Permanently OPEN Authorized Professional Staff Positions Number of professional positions at full staffing PLANNED ACTUAL FTEs Beginning of Period Additions--Permanent Additions--Temporary Departure --Within UC Departure--Outside UC Retirements Long-Term Leave Estimated Turnover End of Period GROSS & NET AVAILABLE HRS CALCULATION Weighted Avg. FTE's Hours in the period - Campus Hours in the period - Lab Subtotal - Lab / Campus Other Resources: Overtime Contract Labor/Interns Recharge In (or Out) Admin. & Other Subtotal Gross Available Hours Non Controllable Hours Non Controllable Hours Percent Net Available Hours 0.00 0.00 0.00 0.00 0.00 Total Year FTE's 1st Quarter 9/30/20xx 2nd Quarter 12/31/20xx 3rd Quarter 3/31/20xx 4th Quarter 6/30/20xx Lab 9/30/xx

0.00 0.00 0.00 (0.00) (0.00) (0.00) (0.00) (0.00) 0.00 Total Year Hours 0.00 2,088 2,080 0 0 0 0 0 0 0 0 0

0.00

0.00

0.00

0.00

0.00 1st Quarter 9/30/20xx 528 0

0.00 2nd Quarter 12/31/20xx 520 520 0

0.00 3rd Quarter 3/31/20xx 520 520 0

0.00 4th Quarter 6/30/20xx 520 520 0

0.00 Lab 9/30/xx

520 0

0 0

0 0

0 0

0 0

0 0

0

0

0

0

0


Appendix 10 - Operating Plans
Sample Local Annual Audit Plan – Schedule 2

Schedule 2 - Activity Report
Distribution of Net Available Hours
Columns: Total Year Hours; 1st Quarter 9/30/20xx; 2nd Quarter 12/31/20xx; 3rd Quarter 3/31/20xx; 4th Quarter 6/30/20xx; Lab 9/30/xx; UCOP % Guideline
(Hours entries are 0 in the template; the UCOP % Guideline is shown in parentheses where one is given.)

INDIRECT HOURS
Administration (5--10%)
Professional Development (2--5%)
Other (0--3%)
Total Indirect Hours
Total Indirect Percent (15%)

DIRECT HOURS
Audit Program
Planned Carried Forward Audits, PC
Planned New Audits, PN
Supplemental Audits, PS (Approx 10%)
Unplanned Carried Forward Audits, PU
Total Audit Program Hours
Total Audit Program Percent (40--60%)

Advisory Services
Consultations/Spec. Projects, SP
Systems Dev., Reengineering Teams, etc., SE
Internal Control & Accountability, SI
IPA, COI & Other, SC
Ext. Audit Coordination, SR
Total Advisory Services Hours
Total Advisory Services Percent (10--25%)

Investigations Hours, IN
Investigations Percent (10--20%)

Audit Support Activities
Audit Planning
Audit Committee Support
Systemwide Audit Support
Computer Support
Quality Assurance
Total Audit Support Hours
Total Audit Support Percent (5--10%)

Total Direct Hours
Total Direct Percent (85%)
Total Net Available Hours
Total Net Available Percent (100%)

Appendix 10 - Operating Plans
Sample Local Annual Audit Plan – Schedule 3

UNIVERSITY OF CALIFORNIA - INTERNAL AUDIT PLAN DETAIL FY 20xx
<LOCATION>
SCHEDULE 3
Columns: FY; LOB; LOC; Prj Code; Index Code; Name/Title of Audit; Core (x); High Risk*; Plan Hours

PC Planned Carry Forward: <insert projects>
(a) Subtotal - Planned Carry Forward
PN Planned New Audits: <insert projects>
(b) Subtotal - Planned New Audits
PS (c) Planned Supplemental Audits (lump sum)
Total Planned Audit Program (a+b+c) (1)
Planned Advisory Services: <Insert specific Advisory Services projects>
(d) Subtotal - Planned Advisory Services
Unplanned Advisory Services (by Category) (2) <insert sub totals for each applicable category>
(e) Subtotal - Unplanned Advisory Services
Total Advisory Services (d+e) (1)
IN Total Investigation Hours (lump sum)
Total Audits, Advisory Services, and Investigations

KEY:
(1) Must tie to Schedule 2 Activity Report
(2) enter lump sums for each AS category (i.e. – SC)
(x) indicates core program will be used
* 1 = Top 10 scores, 2 = next top 10 scores, 3 = all others

Appendix 10 - Operating Plans
Sample Local Annual Audit Plan – Schedule 4

UNIVERSITY OF CALIFORNIA – AUDIT PLAN STATISTICS (Schedule 4)
(Template entries are 0 for hours and counts and x% for percentages.)

I. Coverage of High Risk
Columns: Camp/Lab/OP (Hours, No.); Health Sciences (Hours, No.); Combined Total (Hours, No.)
Top 10 High Risk (if not 10 insert correct #) (1)
Audits
Advisory Services
Total
Percentage
(1) - Refers to # of High Risk areas addressed - not # of audits covering high risk.

II. Coverage of CORE (2)
Columns: Camp/Lab/OP (Hours, Number); Health Sciences (Hours, Number); Combined Total (Hours, Number)
Number of Core elements in Universe
In Plan:
Audits
Advisory Services
Total
Percentage
(2) There are 44 elements. Specific element numbers are: Campus and OP (35), Lab (27), and HS (35).

III. Distribution of Tier 1 Audit Coverage
Columns: Camp/Lab/OP (Hours, %); Health Sciences (Hours, %); Combined Total (Hours, %)
Campus Departments & Instruction
Health Sciences Operations
Laboratories
UCOP
Research and Compliance
Budget and Planning
Information and Technology
Financial Management
Risk Management
Human Resources
Facilities and Construction
Development
Auxiliary, Bus and Employee Support
TOTAL

Appendix 10 - Operating Plans
Sample Local Annual Audit Plan – Narrative Guidelines

FY 20xx Plan Narrative and Assumptions
__________________________________________________________________________

1. Available Hours--Describe the basis for the number of FTE’s in the plan including any change from current year staffing levels, assumed turnover and impact on available hours, time frame for filling open positions, and any positions authorized but intentionally left open for necessary salary savings. Separately describe the basis for any hours in the “Other Resources” category, e.g. paid or unpaid overtime, temporary assistance, interns, or re-charge to another internal audit department (negative).

2. Indirect Hours--Describe any unusual variances from expected norms, especially if the overall indirect percentage is unusually high (greater than 20%) or low (less than 10%). For example, Non-Controllable time which is budgeted differently from leave permitted by H.R. policies, Professional Development different from guidelines, or Other reflecting the impact from an office relocation etc. Comment on the manner in which Director’s time is allocated to administration versus audit projects.

3. Audit Program--Comment on coverage of the Audit Universe and its high-risk components, using statistics from Attachment F1 (Schedule 4 Plan Statistics). Comment also on the extent of obligated time versus time freely available to assign by the Audit Director on a risk assessment basis. Comment also on the basis for the hours assumed in Supplemental Audits. Supplemental hours should be approximately 10% of total audit program hours. NB - while Supplemental Audits are intended to acknowledge the dynamic nature of our environment--and also our on-going risk assessment--it is not intended to undermine our ability to audit highly ranked risks or mask accountability for our time.

Also – please include a brief narrative for each project (Planned New Audits and Planned Advisory Services) on the plan. As a way to help bridge the risk assessment results to the work that we perform, this narrative will address the factors that contributed to the score and will highlight the relevant risks. It will also indicate the preliminary scope of the reviews. A template (Schedule 3A) is provided as part of Attachment F1. However, you may elect to a separate narrative, such as one you’ve prepared for your respective audit committee, as appropriate.

4. Advisory Services--Note IPA (Information Practices Act) and COI (Conflict of Interest Coordination) activities would be reported here and are reflective of the roles assigned to UCSD and UCSC respectively, however, any location expecting to spend time on these matters (outside of project specific time that should be charged to the project) can budget and charge time here. Comment on material changes from historical patterns if any are projected. Comment also if any projected change is a result of re-characterizing hours historically charged elsewhere or on any efforts to promote Advisory Services in your environment.

5. Investigations--Comment on material changes from historical patterns if any are projected. If a basis other than historical patterns was used to estimate investigations comment on that basis.

6. Support Activities--Quality Assurance may be used for local QA programs as well as the systemwide program. However, care should be taken to charge time only for formal QA program efforts such as post issuance report reviews, post completion checks for documentation and compliance with standards and local procedures. It should not be used for any project specific time that belongs in the project and is not a substitute for supervision, secondary review or pre report issuance quality assurance measures. Comment on the assumptions that drive significant hours in these categories and any variances from historical or “normal” commitments of time in these categories. Examples might include an increase in commitments to Quality Assurance teams, managers’ new assignments to systemwide workgroups and the like.

7. Total Direct Hours & Percent--Comment on the overall allocation of Direct Hours and the commitment to an audit program aimed at providing basic audit coverage with principal audit emphasis on highly ranked risks. Comment on the Direct Hour Percentage as a performance measure and the variance from a benchmark of 85%.

8. Time Phasing Assumptions--Predictable variances from period to period should be accounted for in your spread of hours. For instance, the holiday hours are predictable based on the local holiday schedule. Other items, such as vacations, illness and other authorized time off are less predictable, but it may nevertheless be your assumption that they do not flow evenly by quarter. Comment on significant assumptions made in spreading the annual plan by quarter. It is suggested that you first estimate total available hours by period, then estimate non-controllable and controllable hours (for such things as scheduled CPE) to arrive at total hours available for direct audit activities before spreading the annual plan total for Planned Audits and other direct activities. Remember that it is not necessary to spread individual audits by quarter--time phasing is only requested at the Schedule 2 level, not Schedule 3 level.

9. Core Audit--Comment on the coverage of core audit topics with a 3-year perspective (FYxx actual, FYxx plan, and current FYxx plan). Please identify any shortfalls of Core coverage and the proposed timeline for complete coverage. NB – Core coverage expectations include comprehensive coverage of the area creating a basis for assurance that key controls are present and functioning as designed to manage risk inherent in the activity. Credit for core coverage will be earned when the Core Programs are followed.

10. Other Matters--Comment on the biggest variables that will drive the ultimate determination of your ability to complete the annual plan. Such things may include significant contingencies that can’t be predicted at this time, major external investigations on the horizon, staffing contingencies, DOE directives, and the like. Comment on the capacity to handle additional work, e.g. to what extent do you consider the plan to be a stretch goal or what level of contingency availability is built into the plan. Comment on any other matters that are relevant to understanding your Audit Plan, e.g. Internal Audit's role in a CSA program.

3300
Monitoring and Reporting

Overview
.01 This section outlines the processes by which both the Strategic and Operating Plans are monitored and the standard reporting requirements for both internal reporting (within the Internal Audit function) and reporting to management and The Regents.

Strategic Plan
.02 The University Auditor has ultimate responsibility for monitoring the execution of the strategic plan. The “master” version of the plan is maintained by the Office of the University Auditor and is updated by input from the workgroups as progress is reported. There are no set forms or intervals for reporting against the strategic plan. However, the Quarterly Reports to The Regents contain a narrative description of major milestones and accomplishments.

Work Group Teams - Each workgroup’s leader is the spokesperson for the Team as a whole. However, individual members may have a lead role on specific initiatives and assume responsibility for communicating with the IAD’s as a whole on that matter. Workgroups keep the University Auditor and the IAD’s apprised of progress and initiatives through the bi-weekly Directors’ conference calls, by utilizing a portion of the regularly scheduled Directors’ meetings or by other means as appropriate.

Operating Plan
.03 The Internal Audit Program demonstrates accountability for its resources as well as communicates its accomplishments through regular reports to The Regents Committee on Audit and Senior Management.

(NOTE) Because of the federal government fiscal year employed by the national labs, the period of time encompassed in reports for the campuses and OP and the labs is different by one quarter, with the labs’ data trailing by three months. Therefore, the annual report presented in November of 200X includes activity for the twelve months ended June 30, 200X for the campuses and OP but includes activity for the twelve months ended September 30, 200X for the labs. Since the Annual Report isn’t presented until November, this reporting convention is appropriate.

Operating Plan (cont’d)
However, for quarterly reporting purposes, the activities accomplished on a year-to-date basis against the current year plan for the same calendar period are reported. For example, the September 30th quarterly report includes no lab activities since none have been commenced against the fiscal year being reported on, while the report for December 31st includes two quarters for the campuses and one quarter for the labs—a consistent 90 day lag.

Annual Report - The Annual Report of the Internal Audit Program is presented by the University Auditor to The Regents Committee on Audit at their November meeting each year. The report compares actual activities to the Operating Plan approved for the fiscal year being reported upon. Consistent reporting formats and styles as used in the Annual Plan are presented in the interest of comparability. The activity data in the Annual Report is essentially a compilation of the quarterly reports. In addition, the Annual Report should be prepared to include other information about the Program (e.g. staffing analyses, etc.), the University’s controls, developments in the internal audit profession or to otherwise educate the Committee or provide information requested by the committee. The Annual Report is also the venue in which Audit Tracker results (specifically Management Corrective Actions) are communicated to The Regents. The Chair of The Regents Committee on Audit should be consulted in advance of preparation of the Annual Report to determine if additional reporting elements would assist in the oversight of the Internal Audit Program.

Quarterly Reports - The University Auditor prepares quarterly reports within a target of 45 days after the end of each calendar quarter for dissemination to The Regents Committee on Audit, the President’s Cabinet, and Senior Campus/Lab Management. The quarterly reports include the following sections:
♦ Bullet highlights of the reporting period
♦ Narrative discussion about progress achieved against the Annual Plan
♦ Significant personnel matters
♦ Narrative discussion about progress achieved against the strategic plan

Operating Plan (cont’d)
The Quarterly Report to The Regents is consolidated from more detailed reports submitted by the IAD’s to the University Auditor. A standard quarterly report format is used by all locations to report personnel statistics, available hours, and detailed project statistics. The University Auditor establishes the quarterly report due date, which may vary from time to time, but absent other instructions is established as the last Monday of the month following a calendar quarter. Therefore, reports are due in October, January, April and July. Special instructions determined annually apply to the labs for their October report due to the proximity to the Annual Report.

Time Reporting in Quarterly Reports
Standard categories and definitions are included as an Exhibit to this section.

Standard Time Reporting Categories and Definitions
Standard time categories and definitions have been adopted by all UC audit departments. The standard definitions are provided in the interest of consistency and to facilitate consolidation of individual audit plans. Some categories may not be used by certain Audit Directors. Audit Directors will discuss any plans to deviate from the standard categories and definitions with the University Auditor. Standard Time Reporting Categories and Definitions are included as Appendix 11.

3300
Appendix 11 - Operating Plans
Standard Time Categories and Definitions

1. Employees (FTEs) - The number of FTEs actually expected to be employed by the department during the year to fulfill the audit plan being submitted should be used. For example, if it is expected that a position will be filled mid-year, only 1/2 FTE should be budgeted in the audit plan for that position.

2. Other Resources - This category will be used for paid overtime and hours in excess of forty per week for exempt employees, plus contract auditors and recharge activity if staff is shared between locations. Such recharges must eliminate in consolidation.

3. Non-controllable Hours - This category is for vacations, holidays, illness and all other non-controllable official absences (e.g., jury duty, military leave, bereavement).

4. Indirect Hours - Indirect hours includes Administration, Professional Development and Other. Administration as used here is basically for all time not captured anywhere else, including hiring and personnel management, as well as outside professional interests that are not captured as part of professional development. Professional development is for all time associated with training, including travel, but normally for programs that qualify for continuing education credit. Other less formal types of training tend to be either related to audit planning or general understanding of UC policies and procedures or accounting and auditing matters, and should either be captured within the audit project or treated as administration. Other will be limited and will be used for miscellaneous assignments such as suggestion box committee, floor warden, etc.

5. Direct Hours - Direct Hours consist of the three lines of business—Audits, Advisory Services and Investigations—plus Audit Support Activities.

6. Regular Audits - The bulk of audit resources should be devoted to planned audits identified as a result of the audit universe model and risk ranking process. Such audits may be of various scopes, and include departmental surveys and follow-up audits if planned. For internal reporting purposes only, planned audits are further broken down into categories representing work against the current year audit plan and the completion of planned audits that are carried over into the current year from prior years.

7. Supplemental Audits - This category is created to recognize the dynamic nature of our environment and to provide flexibility in the plan. Audits undertaken on a special request basis or because of interim amendments to the risk assessment results are supplemental audits. Audit work undertaken within the budget for Supplemental Audits is at the discretion of the Audit Director with no need to seek approval from local audit committees or the University Auditor. If the volume of Supplemental Audits exceeds the budget in this category, then other planned work is generally being displaced (absent incremental resources) and care should be taken that the work undertaken is truly more essential than the work displaced. The work being displaced may constitute an amendment of the audit plan that should be dealt with as discussed herein for plan amendments.

8. Advisory Services - Advisory Services is comprised of separate categories for Consultations, Special Projects, Systems Reengineering, Internal Control and Accountability efforts and External Audit Coordination. At certain locations, other assignments such as conflict of interest and information practices act coordination should also be considered Advisory Services. Advisory Services can be either planned or arise during the year. The distinction between consultations and special projects is a judgment of the Director. Efforts in support of internal control training and other accountability initiatives should be reported here—however, if traditional CSA types of activities are undertaken in lieu of regular audit activities they may constitute an audit. Support for a CSA initiative on the other hand would be appropriately budgeted and reported in this category. Projects should be classified by their nature and care should be taken to appropriately distinguish between activities that are Audit Services from those that are Advisory Services. The Audit Manual is expected to contain definitions and more guidance on this topic.

9. Investigations - Local experience and history should be used to establish an estimate of time that will be planned for investigation activities. All G-29 investigations are to be reported in this category as well as investigations that do not meet the G-29 threshold. Audits can often lead to investigations and investigations can also lead to the recognition of the need for an audit. Every effort should be made to distinguish the separate activities.

10. Audit Support Activities - Activities in support of our local and systemwide audit program are captured in this category. They are distinguishable from regular management activities in that they clearly relate to the program as a whole and are easily identified with the sub-captions that include:

11. Computer/Network Support - This includes the development and maintenance of internal audit technology, including automated workpapers, LAN support, main frame extraction capability, and the development of Computer Assisted Audit Techniques (CAATs). This category should not be used for EDP Audit activities that should be characterized as audits.

12. Audit Planning - This support activity category is intended for annual planning efforts including the risk ranking process and revisions to those plans. It is not intended for planning time that should be charged to individual audits.

13. Audit Committee - This support activity is intended for time spent preparing for audit committee meetings, attending meetings, handling minor specific requests for information from audit committee members, and in communication with audit committee members.

14. Quality Assurance - This support activity is intended primarily for the peer review program and other limited local uses and should not be used for time related to specific audits such as the pre-issuance review of audit reports.

15. Systemwide Audit Support - This support activity is for efforts in support of the overall systemwide audit program. For example, efforts on systemwide work groups and projects such as the data warehouse or IT task force should be charged to this category. It should not be used for systemwide audits such as the Y2k audit.

4000
PERSONNEL

Section Overview
.01 This section of the manual describes personnel policies adopted by the Internal Audit Program. It includes sections on roles and responsibilities, career development and counseling, training and professional development, Skills Assessment and Resource Analysis (SARA), and performance evaluations.

4100
Roles and Responsibilities

Policy
.01 The roles and responsibilities required to efficiently and effectively perform the UC internal audit function are clearly defined and communicated. Each position is described and the related responsibilities required to perform it are outlined.

Application of UC Policy for Roles and Responsibilities
.02 Each local Internal Audit Department consists of several levels of staff positions, each having varying responsibilities for carrying out the audit function.

Job Descriptions
Job descriptions that outline the roles and key responsibilities for each staff level position have been developed. Sample job descriptions are included as an appendix to this section for these categories of staff members:
• Director (Appendix 15)
• Associate Director/Manager (Appendix 14)
• Supervisor/Principal Auditor (generally Auditor IV or Principal Auditor II) (Appendix 13)
• Senior/Staff Auditor (generally Auditors I through III) (Appendix 12)
Local campus/lab Internal Audit Departments may opt to modify the sample job descriptions to meet their specific needs. Each member of the Internal Audit Department should have a current job description signed by both the employee and supervisor. The job description should reflect all of the activities and expectations for the particular position. It should also include the knowledge, skills and abilities required to perform the duties of the position.

Roles and Responsibilities
Key roles and responsibilities for the various staff levels are summarized below:

University Auditor - The University Auditor reports jointly to the Board of Regents and the Senior Vice President--Business and Finance. The Auditor assists the Board and University management in the discharge of their oversight, management, and operating responsibilities using independent audits and consultations designed to evaluate and promote the internal controls system. In carrying out this responsibility, he or she performs the following:

Roles and Responsibilities (cont'd)
• Makes revisions to the UC Internal Audit Program
• Revises and updates the audit process
• Increases communications regarding audits to and from the campuses and to the Regents
• Reengineers performance standards and electronic technology used in the audit process improves
• Revamps the investigations and external review processes
The University Auditor works closely with the campus Vice Chancellors for Administration, the campus auditors, and the Business and Finance department heads.

Director - The Director guides the local campus/lab Internal Audit Department in performing its audit function. This generally requires that he or she:
• Formulates strategic long-term plans that ensure application of the system-wide philosophy and vision.
• Establishes short-term and annual work plans that review significant high-risk areas of university activities including material financial concerns.
• Ensures the availability of qualified Internal Audit resources and their efficient and effective use to meet planned and other obligations.
• Creates an environment conducive to the best practices of risk assessment, job management, staff supervision and quality assurance.
• Ensures that all professional activities comply with IIA Standards and University Policy.
• Develops relationships with management and audit clients to promote the positive image of the department.
• Contributes to the improvement and enhancement of the system-wide audit function through participation in workgroups and meetings.

Roles and Responsibilities (cont'd)
Associate Director/Manager - The Associate Director/Manager assists the Director and may function as Director in the Director's absence. To carry out his or her responsibilities, the Associate Director/Manager generally:
• Assigns and manages the daily work of the professional audit staff.
• Participates in or is responsible for many departmental management responsibilities such as counseling staff.
In the absence of an Associate Director/Manager, these responsibilities will typically be performed by the Director.

Supervisor/Principal Auditor - The Supervisor/Principal Auditor plans and conducts the most difficult, complex and sensitive assignments and reports results to management. He or she may supervise others and generally works independently with only general direction.

Senior/Staff Auditor - The Senior/Staff Auditor plans and conducts assignments and reports results to management. The primary distinctions between the senior and junior staff positions are the complexity of assignments and degree of supervision. Seniors will conduct complex assignments with direction from the project supervisor while staff auditors will conduct less complex assignments with closer supervision. Seniors may function as team leaders on assigned projects. To fulfill these responsibilities, the Senior/Staff Auditor generally, depending on his or her specific staff level:
• Gathers financial, operational, and internal control information.
• Analyzes and verifies the accuracy of financial statements and transactions and/or other management documents, records, reports, and methods.
• Reviews and evaluates basic systems of internal control.
• Reviews systems established to ensure compliance with policies, plans, procedures, laws, or regulations and determines the extent of such compliance.

Roles and Responsibilities (cont'd)
• Prepares audit programs, subject to review by higher level auditors.
• Prepares reports of audit results, subject to review by higher level auditors.
The individual’s specific responsibilities will vary depending upon his or her staff level and assigned audit role.

Related Guidelines for Roles and Responsibilities
.03 Recruitment and Advancement Guidelines - The Internal Audit Program identifies guidelines for basic educational and professional experience qualifications as well as desired knowledge, skills and abilities for each staff level. The qualifications and knowledge, skills and abilities apply to both candidates who are being recruited as well as staff members who are being considered for advancement. A matrix reflecting the qualifications, knowledge, skills, and abilities desired for each staff level is included as an appendix to this section. They are also a useful reference tool that can assist supervisors in preparing staff evaluations and conducting career development and counseling sessions.

Career Development and Counseling - Each staff member receives career development and counseling in order to continuously enhance his or her knowledge, skills, and abilities and ensure that they are commensurate with his or her assigned roles and responsibilities. System-wide or local Skills Assessment and Resource Analysis (SARA) efforts may be useful in identifying areas requiring the enhancement of individual or group skills. Career Development and Counseling Policies and Procedures are included in Section 4200. SARA Policies and Procedures are included in Section 4400.

Performance Evaluation - Each staff member's performance is evaluated regularly to assess how his or her knowledge, skills, and abilities compare to the responsibilities outlined in his or her job description. Performance Evaluation Policies and Procedures are included in Section 4500.

Appendix 12 - Roles and Responsibilities (Page 1 of 1)
Sample Job Description – Staff/Senior Auditor

POSITION OVERVIEW
Responsible for planning in conjunction with the Associate Director and/or Director and conducting financial, compliance and operational audits of campus organizations, departments and functions to determine the adequacy of controls, the degree of compliance with established policies and procedures, and the effectiveness and efficiency of the area under review.

FUNCTION/TASKS
List the functions and tasks of the position.

In consultation with the Associate Director and/or Director, plans the scope of the audit, prepares the audit program, and determines the appropriate auditing procedures and examination techniques to be applied (e.g., statistical sampling, computer extracts, etc.).

Performs audit assignments which involve research and analysis of University policy and procedures, and an evaluation of audit related documentation as a basis for an objective opinion on the effectiveness and efficiency of operations and the adequacy of internal control.

Prepares and organizes audit workpapers that adequately support audit conclusions and recommendations, and which adhere to prescribed internal auditing standards for workpaper content and presentation.

Makes oral presentations to auditees and other campus administrators during and at the conclusion of the audit covering the results of the audit and recommendations for corrective action.

Prepares formal written reports covering the results of assigned audit projects and participates in report reviews with auditees and campus management.

Depending on scope and complexity of the project, may direct auditors assigned to assist on audit projects and review their work for completeness and accuracy.

Depending on scope and complexity of the project may conduct or assist in fraud investigations requiring strict confidentiality and the ability to deal with sensitive personnel situations.

Provides advisory services as assigned to campus operating staff, administrators and management involving a wide range of procedural and control issues.

Assists the Associate Director and/or Director on special projects.

% of Time (column values; alignment to individual tasks not preserved): 5%, 15%, 10%, 5%, 5%, 5%, 50%, 5%

to find and evaluate alternative solutions. Exercises interpersonal skills and judgment required for controversial and sensitive assignments. and operations of organizations assigned by the Director. Performs studies and analyses of organizations. and effectiveness reviews as a service to management according to professional auditing standards. to gather meaningful data and information. and involve complex technology associated with the use of financial. efficiency. W d. FUNCTION/TASKS % of Time/ Frequency Function/ Task No. 50% 1. University of California 6/9/2009 Page 97 . analyzing. Designs audit programs to accomplish stated objectives for review by audit management. Writes. reviewing. establishes contact with operating personnel. exercising individual judgment to analyze complex problems. Assesses organizational and operational risks for assigned review area.Roles and Responsibilities (Page 1 of 3) Sample Job Description – Principal/Supervising Auditor POSITION OVERVIEW Internal auditor position is responsible for performing or supervising full scope auditing and advisory services that encompasses financial. reviews. Communicates and interacts effectively with all levels of management and staff. D D b. procedures. and recommend appropriate changes in design to accomplish desired control objectives. designs and prepares audit programs. policies. Number each function and write ESSENTIAL after each essential function. prepares work papers. Exercises individual judgment and initiative in selecting emphasis of audit coverage and determining and locating sources of information. List the functions and tasks in descending order or importance starting with the essential functions. edits and presents reports to UCSD officials containing recommendations for the establishment or revision of complex policies. Functional and IS Application Audits (Essential) Performs full scope financial and compliance. For assigned projects. compliance. research and information resources. 
information systems and the improvement of operations. and summarizing information and data. Operational. Conducts Financial. and mentors other staff members as assigned. Audit scopes encompass moderate risks that cross organizational lines. a. economy and efficiency. and to make final recommendations. information systems. correlation studies. Ability to act in an audit management capacity in selected areas in an audit manager’s absence. and effectiveness auditing as a service to management in accordance with professional auditing standards. drafts reports. Uses the computer in applying analytical techniques and tools such as statistical sampling. and flow-charting in gathering. Performs and directs audits and management studies of highly complex areas at UCxx. and follows up on observations and recommendations. procedures. On a project basis. provides direction to support audit staff as may be assigned by the Director. administrative practices. D c. reviews and evaluates the adequacy of systems controls and documentation. conducts fieldwork.UNIVERSITY OF CALIFORNIA INTERNAL AUDIT MANUAL 4100 Appendix 13 . medical.

d. W W 10% 3. a. d. Training Provides training assistance as assigned by audit management to assist internal audit staff in becoming proficient with auditing standards and internal control systems at UCSD. W a. Directs studies and analyses performed by assigned staff of organizations. Presents training programs as assigned by audit management with emphasis on how the auditor can assist management in developing efficient and effective control systems. procedures. Q b. D 25% 2. policies. Prepares and conducts project performance evaluations for staff auditors that identify their strengths and weaknesses as determined by the Audit Director. Number each function and write ESSENTIAL after each essential function. systems. and operations for organizational assignments. Assists in developing training programs specifically designed for UCxx audit staff that promote understanding of systems and methods of effective internal control. e. counsels. Audit projects may require direction of up to three auditors to meet the objectives. Lead Responsibilities for Complex Audits (Essential) Directs audits and management studies of a high level of complexity as assigned by the Director. (Page 2 of 3) List the functions and tasks in descending order or importance starting with the essential functions. Acts as a resource to staff auditors in specialized areas of expertise. and instructs staff auditors for assigned audit projects. Provides assistance in developing manuals and training guides and in presenting training courses to the audit staff. Provides research support as required. reasonableness. Completes Special Projects as Assigned by the Director. W b. University of California 6/9/2009 Page 98 . 5% Q Q Q Q 10% 4. c. information systems. administrative practices. b. and adequacy of documentation. Ensures that the project resources involving one to three auditors are used effectively and efficiently. 5. W D a. mentors other staff members as assigned. 
Reviews the work of staff auditors for technical proficiency. Exercises interpersonal skills and judgment required for controversial and sensitive assignments Directs. and systems design. b. On selected projects.Roles and Responsibilities Sample Job Description – Principal/Supervising Auditor Function/ Task No. Q a. Maintains documentation of audits and studies by establishing supportable and logical indexed working papers. Assists in establishing audit coverage and schedules Ability to act in an audit management capacity in selected areas in an audit manager’s absence. management techniques. Promotes Concepts of Internal Control Through Effective Communications (Essential) Promotes concepts of internal control that assist management and staff in meeting their responsibilities for effective internal control and develop professional respect for the audit function.UNIVERSITY OF CALIFORNIA INTERNAL AUDIT MANUAL 4100 % of Time/ Frequency Appendix 13 . Acts as consultant to individuals at UCxx regarding control issues for financial and admin. c.

Appendix 13 - Roles and Responsibilities (Page 3 of 3)
Sample Job Description – Principal/Supervising Auditor

SKILLS AND KNOWLEDGE

Function/Task No. | Skills and Knowledge | * Selection Importance
1(all), 2(all), 3a, 3b | Ability to perform and supervise audits and management studies of the high level of complexity which require a high degree of ingenuity and innovation. | R
1a, 1b, 1c, 2(all), 3a, 4(all), 5b | Ability to demonstrate judgment and initiative to obtain high levels of performance and efficiency, either individually or from assigned staff, in a broad variety of responsibilities. | R
1a, 1b, 1c, 2(all), 3a, 3b | Ability to evaluate the adequacy and effectiveness of administrative and financial controls and to evaluate the effectiveness and efficiency of operations. | R
1a, 1b, 1c, 2(all), 3a, 3b, 5b | Skills to apply IS concepts and techniques to evaluate the processing integrity and controls of operational systems. | R
1c, 2a, 2c, 3b, 5(all) | Excellent interpersonal skills to deal independently with business and IS managers, faculty, physicians, other staff on a wide variety of topics. | R
1a, 1c, 1d, 2a, 2c, 3a, 4b | Excellent oral and written communication skills. | R
1a, 1b, 1c, 2(all), 3a, 5b | Broad and thorough knowledge of theories and principles of the auditing and accounting profession and or general administration. | R
1a, 1b, 1c, 2(all), 3a, 5b | Working knowledge of the theories and principles of IS auditing. | R
1a, 1b, 1c, 2a, 2b, 3a, 4a, 5b | Working knowledge of theories and systems of internal controls (financial, management, and IS). | R
1a, 1b, 1c, 2a, 2b, 3a, 4a, 5b | Working knowledge of good business practices. | R
1a, 1b, 1c, 2a, 2b, 4a, 5b | Broad knowledge of health care concepts and principles including health maintenance organizations and managed care. | A
1a, 1b, 1c, 2a, 2b, 3b, 5b | Working knowledge of University, Medical Center and Medical Group Plan policies and procedure. | A
1a, 1b, 1c, 1d | Graduation from college with a major in an appropriate field such as Accounting, Business Administration, Computer Science, or Industrial Engineering and extensive audit experience or the equivalent is required. | R
1(all) | MBA/CPA/CIA/CISA is preferred. | P

EMPLOYEE SIGNATURE
I certify that the above job description is correct, complete and describes my job as I understand it. I have read and understand both the Safety and Overtime Payment statements. _________________________________________________ Employee's Signature _________________________________ Date

SUPERVISOR’S SIGNATURE
I have reviewed the job description and the above statements and certify to their accuracy. _________________________________________________ Supervisor’s Signature _________________________________ Date

Appendix 14 - Roles and Responsibilities
(Page 1 of 4) Sample Job Description – Audit Manager

POSITION OVERVIEW Internal auditor position is responsible for performing full scope auditing that encompasses financial, compliance, economy and efficiency, and effectiveness reviews as a service to management according to professional auditing standards. Supervises or performs audits and management studies of the highest level of complexity that may include a myriad of external agencies' regulations and fraud issues. Serves as audit coordinator with outside agencies to ensure effective interaction on external audits, investigations and control system certifications. Assesses organizational and operational risks for assigned review area, designs and prepares audit programs, establishes contact with operating personnel, conducts fieldwork, prepares work papers, drafts reports, and follows up on observations and recommendations. Assists the Director as a member of the management team in the audit planning process, selecting candidates for hiring, conducting performance evaluations and determining disciplinary action for pool of staff auditors. Communicates and interacts effectively with all levels of management, staff, and external agencies (public and private). Designs and presents seminars to assist management and staff in the effective resolution of external audit and fraud issues. With the Director, is jointly responsible for supervision of campus and health sciences audits.
FUNCTION/TASKS % of Time/ Frequency Function/ Task No.
List the functions and tasks in descending order of importance starting with the essential functions. Number each function and write ESSENTIAL after each essential function.

25%

1.

External Audit Coordination (Essential) Serves as the primary contact to coordinate external agencies' audits, investigations, system certifications and preliminary reviews for compliance purposes. a. b. Maintains liaison with external agencies regarding regulatory changes affecting UCxx and prospective visits to UCxx. Serves as the primary contact for coordinating on-campus visits by external agencies with the campus personnel. Ensures campus personnel are informed of the purpose for the visit and the information being sought. Conducts entrance, interim and exit status meetings with visiting personnel. Identifies any issues disclosed by visiting personnel and stays informed of their status in terms of resolution. Assists management regarding effective controls for resolving issues. Ensures management is kept informed as to the status of open issues.

Conducts Special / Fraud Audits and Manages Fraud Hotline (Essential) Performs full scope financial and compliance, economy and efficiency, and effectiveness auditing as a service for management according to professional auditing standards. Audit emphasis is on regulatory compliance and fraud. Audit scopes encompass high risk issues that cross organizational lines; require interaction with external agencies; involve complex technology associated with use of financial, medical, research, and information resources; and are sensitive to media exposure. Manages UCxx’s hotline and performs appropriate follow-up as necessary.

W W

W

c.

30%

2.


D

a.

D

b.

D

c.

W

d.

D D

e. f.

Q

g.

Exercises individual judgment and initiative in selecting emphasis of audit coverage and determining and locating sources of information. Design audit programs to accomplish stated objectives for review by the Internal Audit Director. Performs studies and analyses of organizations, policies, procedures, information systems, administrative practices, and operations of organizations assigned by the Director, exercising individual judgment to fully analyze complex problems, to gather meaningful data and information, to find and evaluate alternative solutions, and to make final recommendations. Uses the computer in applying analytical techniques and tools such as statistical sampling, correlation studies, and flow charting in gathering, reviewing, analyzing, and summarizing information and data. Writes, reviews, edits and presents reports to UCxx officials containing recommendations for the establishment or revision of complex policies, procedures, information systems and the improvement of operations. Maintains documentation of audits and studies by establishing supportable and logical indexed working papers. Receives and analyzes all complaints received through the hotline. Chairs the university's hotline triage group (comprised of high level university management) and presents complaints for a determination of appropriate action. Performs follow-up on all cases to ensure action was taken. Summarizes hotline activity and presents to the Audit Committee, hotline triage group, and Committee on Accountability and Controls.

Lead Responsibilities for Complex Audits (Essential) Supervises audits and management studies of the highest level of complexity as assigned by the Director. Audit projects may require supervision of an audit team to meet the audit objectives. Directs, counsels, and instructs staff auditors for assigned audit projects. Prepares and conducts project performance evaluations for staff auditors that identify their strengths and weaknesses. Recommends hiring, merit and disciplinary actions to the Director as a member of the management team. Supervises studies and analyses performed by assigned staff of organizations, policies, procedures, information systems, administrative practices, and operations for organizational assignments. Reviews the work of staff auditors for technical proficiency, reasonableness, and adequacy of documentation. Ensures that the project resources involving one to six auditors are used effectively and efficiently.

25%

3.

W

a.

W

b.

W W

c. d.


10%  4.  Staff Training (Essential) Provides training seminars as assigned by the Director to assist management and staff to understand effective control systems, the latest issues related to compliance and fraud, and information access.
Q  a.  Develops training programs specifically designed for UCxx audit staff that promote understanding of fraud auditing, and systems and methods of effective internal control.
Q  b.  Presents training programs with emphasis on how the auditor can assist management in developing efficient and effective control systems.

5%  5.  Promote Concepts of Internal Control Through Effective Communications (Essential). Promotes concepts of internal control that assist management and staff in meeting their responsibilities for effective internal control and develop professional respect for the audit function.
W  a.  Establishes and maintains contact with various departments, groups and staff.
W  b.  Provides campus consultation to individuals regarding control issues for financial and administrative systems, management techniques, and fraud cases.
D  c.  Acts as a resource to staff auditors in specialized areas of expertise.

5%  6.  Complete Special Projects as Assigned by the Director.
Q  a.  Provides research support as required.
Q  b.  Provides assistance in developing manuals and training guides.
Q  c.  Assists in the audit planning process and selecting staff for assigned projects.
Q  d.  Provides technical support in areas of expertise.


2c. 6a. 2f.. 6a. Excellent oral and written communication skills. 6d. 6d 1(all). _________________________________________________ Employee's Signature _________________________________ Date SUPERVISOR’S SIGNATURE I have reviewed the job description and the above statements and certify to their accuracy. 3(all). R R P1 A R 2a-d P2 EMPLOYEE SIGNATURE I certify that the above job description is correct. 5b. complete and describes my job as I understand it. 5b. 3a. 2g. 2a. 3a. 1c. 5b-c. 6d 1c. 2b. 6c 1(all). * Selection Importance 2 (all). Excellent interpersonal skills to deal independently with business and IS managers. 2a. 5b. 2a-b.2a-b. or Industrial Engineering and extensive audit experience or the equivalent is required. 5c. 6a. 4b. 5 (all). 4b. 5b. 6d 1c. 4a.6a 1a-c. 2f. 3b. 3a-b. 2a. Skills to apply advance fraud audit concepts and techniques to detect weaknesses and evaluate the processing integrity and controls of operational systems. 4 (all). Graduation from college with a major in an appropriate field such as Accounting. 3(all) 5b. 2f. 2f. 2c. 2c. 6a. 5c. 4a. and IS). 2a-c. 2b. I have read and understand both the Safety and Overtime Payment statements. 2b. management. Working knowledge of University policies and procedures. R R Working knowledge of theories and systems of internal controls (financial. 6b 1c. 3a-b. 4ab. 6a. either individually or from assigned staff. Business. 2a-c. 2c. 3 (all). 2d. Ability to demonstrate judgment and initiative to obtain high levels of performance and efficiency. Ability to evaluate the adequacy and effectiveness of administrative. 2c. faculty. 3(all). 6c. 6d 2a. 3(all). 2f 3(all). 5c. Working knowledge of health care concepts and principles. 6c. in a broad variety of responsibilities.UNIVERSITY OF CALIFORNIA INTERNAL AUDIT MANUAL 4100 Appendix 14 . Administration. _________________________________________________ Supervisor’s Signature _________________________________ Date University of California 6/9/2009 Page 103 . 3c. 
Computer Science. 5c. 6a 2 (all) Ability to perform and supervise audits and management studies of the highest level of complexity which require a high degree of ingenuity and innovation. 2f. 6a 1c. 4 (all). 6a. 6d 1c. 2a. Working knowledge of good business practices. Working knowledge of the theories and principles of IS auditing. 3c. 6a. 3a. R R R R R R Broad and thorough knowledge of theories and principles of the auditing and accounting profession and or general administration. 2a. 5c 1(all). 2c. financial and IS controls and to evaluate the effectiveness and efficiency of operations. MBA/CPA/CIA/CISA is preferred. senior administrators and staff on a wide variety of topics. 5b. 3a-b. 2b. 2b. 5c. 6a. 2c.Roles and Responsibilities Sample Job Description – Audit Manager SKILLS AND KNOWLEDGE (Page 4 of 4 ) Function/Task No. 2g.

Appendix 15 - Roles and Responsibilities (Page 1 of 1)
Sample Job Description – Audit Director

Basic Functions
The Director, Audit Services has overall responsibility for the conduct of the internal audit program as provided for by the Audit Services mission and charter, the University of California Audit Management Plan approved by The Regents, the Guidelines for Dual Reporting issued by the University Auditor and professional standards issued by the Institute of Internal Auditors (IIA).

FUNCTION/TASKS
Oversees the preparation and execution of an annual campus audit plan prepared on the basis of established systemwide risk assessment methodologies, consulting with campus management and the University Auditor as appropriate.

Directs the performance of the staff of audit professionals and support staff in the conduct of a comprehensive program of financial, operational, compliance and IT audits.

Ensures that the audit program adheres to the standards of the Institute of Internal Auditors, including the Code of Ethics, and the University adopted standards.

Conducts fraud investigations and coordinates with campus management, Human Resources, Campus Police, General Counsel and the OP Director of Investigations as appropriate.

Consults, as requested, with both academic and business and finance administration on internal control aspects of business practices and policy, and procedure development, implementation and monitoring.

Participates in or provides staff for related training purposes as appropriate and coordinates with the Director of Controls and Accountability.

Coordinates all external audit activity on campus other than the annual financial and A-133 audit conducted by the public accounting firm engaged by the UC Regents.

Provides support to the Campus Audit Committee, prepares meeting agendas and reports of activities for the Committee and recording the actions requested/approved by the Committee.

Participates in campus Administrative Services meetings, serves on campus committees and work groups as appropriate.

Contributes to the enhancement of the systemwide audit program through participation in systemwide initiatives, sharing best practices and participating in the UC Internal Audit Quality Assurance Program.

Manages the department’s human resources. Recruits, develops, directs and evaluates performance of the staff of audit professionals and support staff. Identifies staff development and training opportunities. Maintains a working environment that fosters professional growth and advancement, teamwork, initiative and creativity. Ensures that processes are in place for feedback to and from staff on job related issues and the work environment. Resolves any internal or external conflicts or difficulties in a timely, fair and constructive manner.

Manages the budget of the Audit Services Office. Ensures that financial resources are organized and expended in support of Audit Services activities in the most economic manner.

Deals with matters of a highly confidential nature and extreme public and political sensitivity using sound judgment and discretion.

Appendix 16 - Roles and Responsibilities
Sample Skills Matrix – To Be Developed

4200 Career Development and Counseling

Policy

.01 The Internal Audit Program initiated a Career Development and Counseling Program in order to continuously enhance the skills and abilities, guide the career paths and cultivate the varied interests and abilities of its professionals. A career development and counseling process allows management and professional staff to work in a positive and participatory manner to establish career goals and guide the career paths of individuals interested in long-term careers within internal audit as well as for those who may be interested in internal audit as an avenue to other opportunities within the University.

Application of UC Policy for Career Counseling and Development

.02 Each local campus/lab Internal Audit Department is responsible for establishing a process for career development and counseling. Each member of the professional staff should participate in an annual career development and counseling session to establish goals for the ensuing year. Career development and counseling sessions for the staff may be conducted by Managers or Associate Directors. Directors should conduct career development and counseling sessions with Managers and Associate Directors.

Career Development and Counseling Session

Objective - The focus of the meeting should be on both the short and long-term career development of the individual in a manner consistent with their aptitude and interests and the current and long-term objectives of the department. An emphasis should be placed on development of skills necessary to achieve both individual career objectives and departmental objectives.

Goal setting - Specific goals should be established which are achievable and measurable, and their accomplishment should form a part of future performance evaluations (in addition to the handling of assignments and responsibilities during the year). System-wide or local Skills Assessment and Resource Analysis efforts and the knowledge, skills, and abilities included in the Recruitment and Advancement Guidelines may be useful in identifying areas requiring the enhancement of individual skills. SARA Policies and Procedures are included in Section 4400. Recruitment and Advancement Guidelines are included in Section 4100.

Career Development and Counseling Session (cont'd)

Appropriate areas for the establishment of goals include, but are not limited to:
• Long-term career objectives
• Certification and training
• Enhancement of existing skills as well as acquisition or development of unique skills
• Types of future assignments as well as expected performance criteria for them
• Additional responsibilities
• Contributions to the Internal Audit Department and support for departmental objectives
• Outside activities associated with the University or profession

Documentation and Follow-Up - Goals agreed upon by the employee and supervisor should be documented and signed by both parties. Follow-up activities necessary to support the accomplishment of the goals may be the responsibility of either party depending on the nature of the specific goal. Ultimate accomplishment of the goals is the responsibility of the employee.

Related Guidelines for Career Development and Counseling

.03 Performance Evaluation - The career development and counseling session is in addition to the annual performance evaluation. It may be appropriate to combine the two sessions, particularly when there are performance issues to be dealt with through future improvement efforts. If the two activities are combined in one meeting, documentation should be created for each part of the session. The performance evaluation component has a retrospective orientation while the career development and counseling focus is prospective. Performance Evaluation Policy and Procedures are described in Section 4500. A Career Development and Counseling Form (see template included as Appendix 17 to this section) or a locally developed equivalent is completed to facilitate and document the counseling session.

Supplementary Guidelines for Career Development and Counseling

.04 The Internal Audit Department and the University benefit from the contributions of internal audit staff with traditional skill sets as well as from the involvement of professionals from varied and diverse backgrounds. Some of these individuals may be interested after some time in career paths outside of internal audit. While applying the policy for career counseling and development, the following supplementary guidelines may be considered:

Career Advancement Goals

Goal setting - In connection with the career development and counseling program, each professional may establish goals for developing additional or enhanced skills necessary to adapt to changing environments and increase his or her contribution to Internal Audit. Through the enhancement of individual skills, professionals prepare themselves for advancement opportunities. Following are suggested guidelines for setting career advancement goals:
• Goals should be aligned with both the individual’s aptitude and interests and the objectives of the internal audit program. Goal setting should occur in a participatory environment where the short and long term interests of both the individual and Internal Audit are considered.

Career advancement counseling may be incorporated into the career development and counseling session outlined above. The supervisor should make it clear to the employee that, while enhancing one’s skill set increases one’s value to the University, it is not a guarantee of future promotion.

Alternative Career Paths

Rotation Opportunities - Many internal auditors are interested in career opportunities outside of the Internal Audit Department. Conversely, individuals with non-traditional backgrounds may be interested in gaining some experience through internal audit. Each local campus/lab Internal Audit Department is encouraged to explore innovative ways to bring professional resources into and out of internal audit.


4200

Appendix 17 - Career Development and Counseling

University of California Career Development and Counseling Form

Employee:

Date:

Please use this form to identify development that sustains, improves and builds performance, and enables the employee to contribute to organizational effectiveness. This form should be used to identify career development activities, and should be completed by the supervisor in collaboration with the employee.

Performance Development That Applies to Functions, Projects, Goals and Competencies | Development Activities or Resources | Time Frame | Expectations


4300

Training and Professional Development

Professional Certifications

.01 All auditors are encouraged to have at least one professional auditing related certification (e.g. CIA, CPA, CISA, CFE) that is appropriate to their UC auditing responsibilities. Auditor III’s, IV’s, and Principal II’s are expected to have at least one certification. Audit Managers and above are required to have an appropriate professional auditing related certification. As an encouragement for audit professionals to obtain appropriate professional certifications, local audit offices may financially assist them by paying for preparatory examination study material, examination days and other costs directly associated with appropriate professional auditing related certifications. Such financial assistance is at the discretion of each local audit director and should be guided by a local implementing policy and procedure. UAO maintains a database that includes the professional certifications held by each UC auditor.

Participation in Professional Associations

.02 Auditors are encouraged to participate in professional auditing associations that are appropriate to their UC auditing responsibilities, such as the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), the Association of College & University Auditors (ACUA), the Association of Certified Fraud Examiners (ACFE), the Information Systems Audit and Control Association (ISACA), the Association of Healthcare Internal Auditors (AHIA), and any local chapters of the above organizations. The ACUA and IIA professional associations are considered the most closely connected with the general practice of higher education internal auditing. Each local audit office should have an institutional ACUA membership. The UC system-wide audit function holds a group IIA membership in which all professional staff are members.


As an encouragement for audit professionals to become members of appropriate professional associations, local audit offices may financially assist them by paying for association memberships, the time spent attending meetings and other costs directly associated with participation in the professional associations. Such financial assistance is at the discretion of each local audit director and should be guided by a local implementing policy and procedure. UAO maintains a database that includes the professional association memberships held by each location institutionally as well as by each UC auditor.

4400

Skills Assessment and Resource Analysis

Overview

.01 The Professional Proficiency Initiative team from FY 2004 developed a number of Skills Self-Assessment documents for use for all professional staff throughout the system. These assessments have been developed for a number of critical skills identified and agreed upon by all of the UC Internal Audit Directors and are intended and expected to serve multiple purposes.

Principal Goals

.02 One of the principal goals of completing the Skills Self-Assessments is to evidence compliance with the IIA Standards, particularly Standard 1210 on Proficiency, which states that “Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities”. Without conducting some type of skills assessment, it would be difficult to demonstrate that the auditor possesses the requisite knowledge, skills, and other competencies and that the organization, collectively, possesses the requisite knowledge, skills, and other competencies to fulfill its responsibilities.

Uses of the Skills Assessment Results

.03 In addition to demonstrating compliance with the Standards, the information gathered from the skills assessment can be used by the Directors to: 1) match auditors to planned audits in a way that best takes advantage of known competencies, 2) design a professional development plan for individual auditors to ensure professional growth and continuity of required skills, and 3) determine whether some required skills are not present within the local department, necessitating further consideration and development of a plan to acquire those skills in order to complete the engagement.

Systemwide Benefits

.04 On a systemwide level, analyzing the summary responses from the Skills Self-Assessments will provide a basis for stating that the organization overall possesses the knowledge, skills, and other competencies to effectively fulfill its responsibilities, and identifying systemwide training opportunities.

4500

Performance Evaluations

Policy

.01 Performance evaluations are required for every staff member to document his or her performance, achievement of agreed upon goals and compliance with departmental standards. Performance evaluations serve several major functions:

Employee development - Through performance ratings and constructive comments, the evaluation assists employees in recognizing how their performance levels compare to the expectations of management and provides recommendations for further training or actions for improvement.

Management decisions - The evaluation process uses consistent criteria to measure staff performance and, therefore, provides a basis for making relative rankings among staff members. Relative rankings and individual experience levels provide input to salary and advancement decisions.

Professional standards - The evaluation is one of the components of the overall process of supervision, quality assurance, and development of the audit staff and demonstrates compliance with IIA and departmental standards.

Application of UC Policy for Performance Evaluations

.02 Performance evaluations should be conducted for every staff member annually by the director and periodically throughout the year by the Associate Director/Manager or appropriate project manager.

Annual Performance Evaluation

Every staff member should receive a written performance evaluation at least once a year from the director or his or her designee. The director must indicate his participation in and review of any appraisal conducted by a designee. An Annual Performance Evaluation Form (see template included as Appendix 18 to this section) or a locally developed equivalent should be used to facilitate and document this requirement.

Interim Performance Evaluations

In addition to the annual performance evaluation, staff members should receive feedback on an interim basis. One of the following interim evaluation procedures should be implemented by the local campus/lab Internal Audit Department:

• Written project evaluations - Every staff member who works at least 100 hours on an individual project will receive a written performance evaluation from the project supervisor, Associate Director/Manager, or Director. Cumulative comments from these evaluations provide a basis for the annual evaluation; or
• Periodic evaluations - Every staff member will receive a written performance evaluation from the project supervisor, Associate Director/Manager, or Director at least quarterly. Cumulative comments from these evaluations provide a basis for the annual evaluation.

An Interim Performance Evaluation Form (see template included as Appendix 19 to this section) or a locally-developed equivalent should be used to facilitate and document this requirement.

Related Guidelines for Performance Evaluations

.03 Career Development and Counseling - The performance evaluation session is in addition to the annual career development and counseling session. The performance evaluation component has a retrospective orientation while the career development and counseling session focuses on the future. It may be appropriate to combine the two sessions, particularly when there are performance issues to be dealt with through future improvement efforts. If the two activities are combined in one meeting, documentation should be created for each part of the session. Career Counseling and Development Policy and Procedures are included in Section 4200.

Supplementary Guidelines for Performance Evaluation

.04 While applying the performance evaluation policy, the following supplementary guidelines may also be considered:

Continuous Feedback - Regular project update meetings may incorporate an element of evaluation in the form of performance feedback and guidance to create a continuous dialogue on the staff member’s strengths and weaknesses as observed on the job. These timely assessments materially affect the quality of the work done and the improvement of staff performance. Ongoing discussions of the staff member’s strengths and weaknesses may be documented and used as support for or updates to annual evaluations. Customer feedback may also be sought and incorporated into staff performance evaluations.

4500

Appendix 18 - Performance Evaluations

Sample Annual Performance Evaluation Form

University of California Performance Evaluation

Evaluation Ratings: EE – Exceeds expectations, ME – Meets expectations, NI – Needs Improvement, NA – Not applicable

Period Under review:

Rating columns for each item: EE | ME | NI | NA

QUALITY CUSTOMER SERVICE and RELATIONSHIP BUILDING
• Demonstrates knowledge of customer’s business, needs and expectations.
• Develops and maintains a strong relationship with customer personnel.
• Communicates audit plans and schedules to audit clients to avoid disruptions.
• Presents a positive image of the UCxx audit department, and demonstrates poise, maturity and self-confidence.
• Works as part of a team, and effectively develops and motivates others.
• Is well respected, and considers feelings and perspectives of others.
• Makes personal sacrifices, if necessary, in order to benefit customer service.

AUDIT PROJECT SKILLS and TECHNICAL KNOWLEDGE
• Demonstrates good judgment and analytical ability, and uses common sense in making decisions.
• Identifies high risk areas and designs appropriate tests to achieve audit objectives.
• Develops audit programs timely after completing preliminary survey/risk assessment.
• Demonstrates workpaper documentation skills (e.g. well documented, complete, cross-referenced, and well-organized).
• Is adequately prepared for Entrance and Exit meetings.
• Demonstrates knowledge of professional auditing standards.
• Identifies and references necessary research and analysis of UC policies and procedures.
• Demonstrates knowledge and use of technology to improve customer service/assignment efficiency.

COMMUNICATION SKILLS
• Demonstrates written communication proficiency (e.g. reports are well written and require minimal edits).
• Demonstrates verbal communication proficiency (e.g. communication is clear, concise).
• Produces reports that are factual, supported by workpapers, and include only relevant information.

TIME MANAGEMENT and ADMINISTRATION
• Meets time and budget deadlines while meeting quality requirements.
• Is well organized, effectively prioritizes assignments, and minimizes 'down time'.
• Completes and submits department forms and reports timely.
• Follows directions and requires minimal supervision.
• Recognizes and promptly advises Manager of important budget, scheduling, and technical issues.
• Is responsive to Manager/Director concerns, and makes timely revisions to audit reports.

CAREER DEVELOPMENT
• Made progress towards achieving previous years’ goal/objectives.

OVERALL EVALUATION: EE | ME | NI

Employee Comments (Comment particularly on areas rated “exceeds”):

Manager Comments:

The above Performance Evaluation was discussed with the employee and agreed upon by the employee, Audit Manager, and Audit Director.

Signatures:

____________________ Auditor, Date
_____________________ Manager, Date
______________________ Director, Date

4500

Appendix 19 - Performance Evaluations

Sample Interim Evaluation Form

University of California Interim Evaluation Form (Project Based)

Auditor: _______________________________
Audit #: _________________
Audit Title: _______________
Report Issue Date: ______________________
Budgeted Hours: ________________
Actual Hours: __________

Rating Scale:
1 – Did not meet expectations in basic and fundamental respects.
2 – Expectations not met in one or more material respects. Improvement needed.
3 – Met expectations in material respects. Satisfactory performance.
4 – Fully meets expectations in all respects. Very high quality work.
5 – Exceeded expectations. Exemplary performance.

Rating columns for each item: 1 | 2 | 3 | 4 | 5 | N/A

A. Planning the Audit
B. Performing the Preliminary Survey
C. Examine, Document and Evaluate Information
D. Working Paper Preparation
E1. Communicating Results Orally
E2. Communicating Results in Writing
F. Staff Relationships
G. Audit Client Relationships
H. Use and Organization of Resources
I. Professional Proficiency and Development

Signature: __________________________________ Supervising Auditor/Manager, Date

5000

LIAISONS

Section Overview

.01 This Section describes the relationships between Internal Audit and the campus controllers, the Office of the General Counsel, the State Auditor General, law enforcement agencies, and the Department of Energy.

5100

Campus Controllers

Overview

.01 Internal Audit works in liaison with the Campus Controllers in order to strengthen the University's control environment.

Background

.02 In November of 1996, the University launched a controls initiative intended to heighten management’s ownership and responsibility for the internal control environment. At the center of the controls initiative was the creation of a controllership position at each campus. (Medical Centers and the national labs already had financial controllership functions in place.) For many members of the University community, Internal Auditors had been viewed as primarily responsible for controls. The creation of the controller’s position reaffirmed the concept that management is responsible for controls.

Control Environment & Responsibilities

.03 All employees share responsibility for ensuring an effective and efficient control environment. However, certain groups of employees are charged with more specific and interrelated responsibilities with respect to the control environment.

Faculty and Staff – Responsible for ensuring that operations are conducted consistent with University values, policies, procedures and regulatory requirements.

Academic and Administrative Management - Responsible for developing, implementing and maintaining controls to mitigate risks and achieve objectives.

Campus Controllers - As part of Academic and Administrative Management, the controllers have primary responsibility for providing leadership to ensure effective internal control and accountability practices at the campus.

Internal Audit - Assists management in their oversight and operating responsibilities through independent audits and consultations designed to evaluate and promote the system of internal controls.

Interrelationship of Controllers’ and Internal Auditors’ Responsibilities

.04 The relationship between the Internal Auditors and Controllers is best characterized by their definitional responsibilities for controls. That is, controllers lead management’s efforts to design, implement and monitor internal controls while auditors evaluate the effectiveness of the controls as designed and functioning.

In addition to evaluating controls through traditional audit activities, Internal Auditors also provide advice and consultation on the design, implementation and monitoring of controls, typically through advisory services. However, responsibility for the controls remains with management.

Both groups have a natural interest in promoting sound controls through such activities as training, development of appropriate policies and procedures, identification of risks and utilization of risk mitigation techniques. These activities are carried out jointly and separately as determined locally, and should be viewed as mutual interests rather than conflicting responsibilities. However, efforts should be coordinated so as not to confuse our customers or produce duplicative efforts.

Control Self Assessment (CSA) has evolved as a useful tool for monitoring and evaluating controls and in most organizations is principally utilized by auditors to supplement traditional audit techniques. For University campus and medical center activities, the Controllers utilize CSA to assist line management in evaluation of controls and their effectiveness. Internal Auditors sometimes assist in specific CSA activities, may have a more structured role in a campus’ use of CSA, or may have little or no role in the Controllers’ CSA activities, again as determined locally. While the Controllers have structured programs to use this tool as part of their initiative this does not preclude auditors from using CSA as a tool in their audit program. Whether auditors or Controllers employ CSA, it should be remembered that CSA does not substitute for the validation of functioning controls that occurs within an audit. CSA is a tool for assessing controls.

Internal Audit should gain an understanding of the Controllers’ control initiative activities as part of their understanding of the control environment and in connection with the annual risk assessment. Likewise, Internal Auditors should seek the Controllers' input into the annual risk assessment process. Jointly Internal Auditors and Controllers have an opportunity to assist others in the identification, assessment and mitigation of institutional risks.

5200

Office of the General Counsel

Overview

.01 Internal Audit works in liaison with the Office of the General Counsel (including Resident Counsel) on a number of matters, including many sensitive investigation matters. This Section provides guidance on working with the Office of General Counsel.

Background

.02 Normal communications between Internal Auditors and University Counsel are not covered by an attorney client privilege. However, certain Internal Audit services (principally investigations) occasionally give rise to a request from management to perform the services on a privileged basis with the General Counsel’s Office as the client and recipient of the report. In addition, Internal Audit may be requested to perform fact finding with respect to a matter already in litigation or otherwise subject to a privilege. These or other matters may lead to a request to perform Internal Audit services for the General Counsel on a privileged basis.

Note: The guidance in this Section does not purport to represent a legal determination regarding when an internal auditor’s work may be determined to fall under a privilege, but intends only to guide internal auditors on certain procedural requirements when performing services for the Office of the General Counsel.

Internal Audit Guidance

.03 In general, it may be appropriate for Internal Auditors to undertake work for the General Counsel’s Office so long as their professional obligations, including required communications, are not compromised. There are three principal professional obligations to consider:

1) The Internal Auditor’s independence must not be compromised by agreeing to perform work “at the direction of counsel”. The Internal Auditor must retain the ability to exercise professional judgment as to the necessary scope and nature of procedures to be carried out.

2) The Internal Auditor’s obligation to report in a fair and unbiased manner must not be compromised. This does not preclude sharing report drafts with attorneys, but the auditor must retain the freedom to report facts that are both favorable and unfavorable to the University’s interests, and without undue influence.

3) The Internal Auditor’s obligation to communicate with Senior Management and The Regents (through the Office of the University Auditor) must not be compromised. The Internal Auditor must retain the ability to report fraud and other irregularities to management and The Regents. As a practical matter, the Office of the General Counsel frequently handles such communications in the normal course of the University’s management of the matter. The Internal Auditor’s responsibility is met by ensuring that the communication occurs—the Internal Auditor does not have to communicate directly with management or The Regents.

Scope and Procedures

.04 Counsel to approve audit program and direct us to perform the work according to the approved program. Counsel may opt to participate in some of the fieldwork interviews or may conduct some of the work themselves. Any changes to the scope of the approved program should be discussed with and approved by UAO and Counsel before any additional work is undertaken.

Required Communications

.05 It is expected that work will be undertaken for the General Counsel only in rare circumstances, and as a result of special considerations. Therefore, the Vice President & General Counsel and the University Auditor should be informed of each such instance. An engagement letter, which includes a standard reference to the conditions enumerated above should be prepared for each such arrangement and issued by the local IAD to the responsible University Counsel with copies to the Vice President & General Counsel and University Auditor.

Regular Communication

Counsel will participate in regular communications (either in person or on conference calls) concerning status of the audit and strategies for moving forward. Communications concerning attorney-client privilege audits are considered to be conducted at the request of Counsel and are privileged. No parties other than the audit team or Counsel may be part of such communications.

Systemwide Reviews

If an attorney-client privilege audit is being conducted systemwide (that is, all campus, lab, and OP locations are performing concurrent work using a uniform audit program under the direction of Counsel) or in multiple locations, communications will typically occur on the bi-weekly Directors’ Conference Calls (if less than all locations are involved, only those locations conducting work under the direction of Counsel will participate on the call). The agenda will clearly note that the item is being conducted under the attorney-client privilege. The item will be handled first on the agenda.

Informal Communication

Care should be exercised in the use of informal communications, such as e-mail. To the extent possible, e-mail should be used only for administrative purposes, e.g., scheduling matters. Correspondence and substantive e-mail related to the audit should be formally incorporated into the workpapers.

Draft Audit Reports

Particular attention should be paid to the handling and distribution of draft audit reports. Draft reports should contain a “DRAFT” marking to clearly identify them as such. Draft reports should be shared with as few people as possible (only those on a “need to know” basis) and should be carefully guarded. Draft reports should not be distributed electronically. If copies are distributed at meetings, all copies should be numbered, collected at the end of the meeting, and accounted for. In contrast with normal procedures, draft reports should be reviewed by the University Auditor and Counsel before any outcomes are discussed with campus/lab management outside of Internal Audit.

Documentation

.06 All workpapers created specifically by the auditor to document fieldwork and/or auditor judgments and evaluations should be marked “In Strict Confidence – Attorney/Client Privilege and Work Product”. These documents would be protected from disclosure in the event of Public Records Act requests or litigation discovery.

Other documents, such as documents obtained from University personnel (which would otherwise be available to the public via Public Records Act requests) should be marked “In Strict Confidence – Attorney/Client Work Product”. These documents would be protected from disclosure and would not be released if requests were made under the Public Records Act or litigation discovery.

The auditor should use discretion in determining what documents or portions of documents to include in the workpapers. Only those documents or portions of documents that are relevant to the audit work being performed and the judgments or evaluations being made should be included in the workpapers. (For example, if only a few pages of a multi-page document are relevant to the work or the conclusions drawn, only those few pages that directly relate to the work or conclusions should be included in the workpapers, if practical.)

Whether action plans developed in response to the audit will be considered protected will be determined in consultation with the attorneys.

After completion of the audit (final report submitted to Counsel), the auditor’s notes, hard copies of University reports and any other documents collected in connection with the audit but not included in the workpapers should be destroyed/shredded pursuant to existing Audit Manual instructions, assuming all relevant documents have been scanned into the workpapers.

Workpaper retention periods are not affected by the attorney/client nature of the audit.

TeamMate

TeamMate workpapers are encrypted and password protected. Access to the workpapers should be allowed only to those working on the audit (meaning there would be no “guest visitor” or “general” access granted). Because of the encryption feature, the workpapers can be stored as they normally would be and backed up according to local practices. Any permanent file or hard copy versions of the report or portions of the workpapers should be double-checked for appropriate labeling and separately stored.

Reporting

.07 Local campus, lab, and OP audit reports will be written and addressed to Counsel with copies to the University Auditor. The University Auditor’s Office may consolidate and summarize the individual campus, lab, and OP reports. All communications to The Regents about the audit and the results obtained will occur through Counsel. As previously noted, action plans developed in response to the audit may be considered protected. All action plans will be subject to follow-up practices. Inclusion in Audit Tracker and normal or special reporting of follow-up on action plans will be determined in consultation with Counsel.

5300

Bureau of State Audits

Overview

.01 It is the responsibility of the University Auditor to maintain a liaison relationship with the Bureau of State Audits (BSA). The most significant contact points are the State Auditor and his/her Director of Investigations. The University Auditor’s Office should be involved in all matters involving the BSA and has specific responsibility for:

Assuring that Senior Management at the Office of the President and The Regents are kept apprised of BSA audits and investigations,
Coordinating responses to audit and investigation reports, and
Coordinating follow-up reports of University actions in response to audit or investigation report recommendations.

Background

.02 By statute, the BSA is empowered to conduct audits of any California State Agency, including for this purpose, the University of California. In addition, the BSA operates a whistleblower hotline and is the State’s official investigative arm for allegations of improper governmental activities. Investigations may also be launched at the request or direction of the BSA’s legislative oversight body, the Joint Legislative Committee on Audit.

When conducting audits, the BSA will allow Internal Audit or other University designees to fulfill a normal external audit coordination role, and will conduct entrance and exit conferences. With the exception of the added responsibility to involve the University Auditor’s Office, normal procedures and guidance for External Audit Coordination should be followed for BSA audits.

For investigations, the BSA does not acknowledge the role of an external audit coordinator and has statutory authority that allows direct access to University employees and records. This Audit Manual Section deals principally with special considerations for coordination of investigation activities.

BSA Investigations

.03 The BSA initiates an investigation by sending a letter to the President, General Counsel, University Auditor and Chancellor of the affected campus announcing that an investigation is to be conducted. The announcement will identify the auditor in charge and the approximate start date and invites the addressee to call the BSA for additional information. Typically, such a communication will yield little additional information, as the confidentiality of BSA investigations is provided for in statute. It is appropriate to offer the University’s assistance in gathering information and facilitating access to employees and records.

The subject matter is only very broadly stated and may or may not trigger recognition as an issue of which management is already aware. Nothing prevents the University from conducting a separate investigation if warranted. However, this should not be taken as implying that Internal Audit should undertake an “advance” investigation to forewarn the University of possible findings by the BSA. Conversely, if the matter is recognized as one already under review or investigation internally, the BSA may agree, at its sole discretion, to work with or through the University’s process, but the University may not insist on such an arrangement. A single investigation would generally be viewed as in the University's best interest and Internal Auditors should agree to share access to their working papers and investigation findings in preliminary form. Notwithstanding the BSA’s statutory authority to “stand in the shoes” of the University, the Office of General Counsel should be consulted before releasing any privileged information.

BSA Coordination

.04 While the BSA does not conduct investigations through normal external audit coordination channels, it has been mutually recognized that the University needs a process by which University employees can be advised of the BSA’s rights of access to employees and records. It has been agreed that the University may assign an individual to serve as a central point of contact for employees during the course of an investigation. The central contact point will be the Vice Chancellor—Administration or his/her designee. The Internal Audit Director may be the designee.

University Employees’ Rights

.05 University Employees have rights to representation or support (e.g., a supervisor) when interviewed by investigators from the BSA or when they become “targets” of BSA investigations. BSA investigators are not obligated by statute to inform employees of these rights. The University, through the central contact point, is within its rights to inform employees of their rights without interfering in the conduct of the investigation.

BSA Investigation Reports

.06 The BSA will distribute draft investigation reports to the University for comment. The University frequently has little advance knowledge about the conclusions being drawn by the BSA investigators or the evidentiary support for the conclusions. Therefore the risk of disagreement with the findings is increased. There is a brief five-day turnaround time for the University’s response and so the draft’s deliverance, and the review and response process, should be carefully coordinated in advance. The University Auditor’s Office should be involved in the response process and is responsible for coordination with other Office of the President officials.

During this brief review period, the University has the right to review the BSA workpapers that support the investigator’s conclusions (but not all workpapers, e.g., exculpatory data). The BSA will typically be responsive to concerns of factual inaccuracies in the draft report. Unlike their audit reports, the BSA does not commit to full inclusion of the University’s response in the investigation report. Therefore every effort should be made to correct the draft report through direct contact with BSA in contrast to putting the University’s objections in the written response.

5400 Law Enforcement Agencies

Overview

.01 Investigation activities may give rise to interactions with law enforcement agencies. This Section provides policy and guidance for these circumstances.

UC Policy

.02 Investigation results that conclude that a crime has probably been committed shall be reported to the District Attorney or other appropriate law enforcement officials for the purpose of determining whether or not to pursue the matter criminally.

Internal Audit Guidance

.03 In cases where the UC Police have jurisdiction, they should be the agency to which all investigation conclusions of potential criminality are initially referred. The UC Police are normally the conduit for communications with law enforcement agencies. In situations where the UC Police do not have jurisdiction, then the IAD needs to determine what the appropriate agency may be. Such a determination depends on the nature of the suspected criminality and local conditions. For instance, a case of embezzlement at a rural co-operative unit may be more appropriately handled at the level of County Sheriff than a local police department with few resources. The IAD may wish to consult the local UC Police unit or the Director of Investigations for aid in making such a determination.

In investigations involving law enforcement agencies, Internal Audit should normally appoint a person to act as liaison with the law enforcement agency. If the liaison person is other than the IAD, a determination should be made as to the extent to which the person is authorized to speak for the department, and under what circumstances the IAD should be involved.

Internal Audit should normally provide support and assistance to the extent requested by law enforcement agencies. However, there may be circumstances where Internal Audit may question whether the support represents the best utilization of resources for the University. Management consultation and other possible resource avenues should be considered in those circumstances. In addition, there may be circumstances where the nature of the support or assistance raises questions about the appropriateness of the activity. Consultation with the Office of General Counsel should be sought in those circumstances.

Internal Audit Guidance (cont’d)

Law enforcement officials may instruct Internal Audit to hold confidential information about the investigation matter being jointly addressed. Such instructions do not override the Auditor’s obligation to communicate with local senior management or the Office of the University Auditor. [See also Section 7100 Law Enforcement]

5500 Department of Energy

Overview

.01 UC Internal Audit maintains a liaison relationship with the United States Department of Energy (DOE) with respect to the audit services provided to three laboratories. University of California manages and operates the following three laboratories for the DOE:
• Lawrence Berkeley National Laboratory (LBNL)
• Lawrence Livermore National Laboratory (LLNL)
• Los Alamos National Laboratory (LANL)

These longstanding relationships are governed by separate management contracts with the DOE.

History and Overview

The origins of the University of California internal audit presence at the labs date back to early 1970's, when the UC Office of the President maintained an internal audit function at each of the three UC/DOE Laboratories. A separate contract with DOE provided funding for the internal audit activities that were centrally managed through The University Auditor's Office. In late 1992, the University decentralized its DOE Contracts Audit Group, assigning the function to the Laboratories, to more closely align the internal audit structure to that of the UC campuses and to meet the newly required internal audit clause in our contracts with DOE.

Imbedded in each contract is the "standard" Department of Energy Acquisition Regulation (DEAR 970.5204-9(h)) that requires the UC/DOE Labs to:

"…conduct an internal audit examination, satisfactory to DOE, of records, operations, expenses, and transactions with respect to costs claimed to be allowable under this contract annually, and such other times as may be mutually agreed upon. The results of such audits, including working papers, shall be submitted or made available to the contracting officer."

History and Overview (cont'd)

To provide a basis for interpreting the standard internal audit clause, in 1992 the DOE Contracting Officers, the Office of Inspector General (OIG), and the Contractor Internal Audit staffs developed the Cooperative Audit Strategy. The Strategy’s governing principles include:
• assuring internal audit staffs meet professional standards
• providing consistent guidance
• coordinating audits based on acceptable risk assessment methodology
• assessing and tracking the audit work performed at each management and operating contractor
• relying on the work of contractor internal audit staffs
• improving communications between the OIG, Operations Offices, and contractor internal audit staffs
• working with audit partners to ensure the Cooperative Audit Strategy is modified to address changing conditions with the DOE

DOE Audit Criteria

The DOE Acquisition Guide entitled Cooperative Audit Strategy provides the following criteria to more fully define the contractor's internal audit function requirement to "…conduct an audit and examination satisfactory to DOE…":
• Organizational independence
• Sufficient size and training
• Performing financial, financial related, performance and specific audits as requested by the contracting officer
• Meeting Institute of Internal audit standards or similar standards as prescribed by the Comptroller General of the United States (Yellow Book)
• Preparing a satisfactory audit plan for each fiscal year by April 15th that is based upon an acceptable risk assessment and considers guidance provided by the DOE Office of the Inspector General

DOE Audit Criteria (cont'd)
• Providing an annual report of activities for the previous fiscal year by January 31st or preparing a report data sheet with each audit report.
• Performing external peer review every three years.

Annual Reviews

The DOE Contracting Officer is required to interpret and assess the compliance of the internal audit functions with the Cooperative Audit Strategy criteria. Additionally, the OIG performs annual reviews of selected working papers as prescribed in the DOE Office of Inspector General Audit Manual. These reviews provide the basis for DOE's reliance on work performed by the UC/DOE audit groups as well as the required external peer review.

DOE Orders

Specific DOE Orders are accepted into the UC/DOE management contracts. The following DOE Orders are relevant to maintaining contract compliance and appropriate liaisons with the DOE Contracting Officer, the Office of Inspector General and the US General Accounting Office.
• 2030.4B - Reporting Fraud, Waste, and Abuse to the OIG
• 2300.1B - Audit Resolution and Follow-up
• 2320.1C - Cooperation with the OIG
• 2321.1B - Auditing of Programs and Operations
• 2340.1C - Coordination of GAO Activities

Contract Oversight

The Laboratory Administration Office (LAO) is responsible for overseeing the UC/DOE lab contracts. All final internal audit reports should be distributed to LAO. Further, external audits coordinated by the laboratory internal audit functions should be appropriately communicated to LAO through opening announcements, formal responses and final reports. LAO approves the settlement of questioned costs on contracts with the Department of Energy.

6000 AUDIT SERVICES

Section Overview

.01 This section of the manual outlines the entire internal audit process from the initial assignment through reporting and followup. Flowcharts of the internal audit process and general audit process are included on the following pages to give the auditor an overview of these processes. (Appendix 20 and 21.)

Appendix 20 - AUDIT SERVICES
Flowchart of Internal Audit Process

Phases: Audit Planning, Detailed Work, Reporting, Follow-up

Flowchart boxes:
• Audit Director receives unscheduled management requests
• Audit Director focuses on projects identified in local audit plan
• Investigation activities referred to Audit Director from LDO or Whistleblower calls
• Audit Director prioritizes Audit, Advisory Service, and Investigation projects
• Auditors follow UC Audit Manual and Professional Standards
• Audit Director or Manager assigns projects
• Audit notification is sent to audit client and entrance meeting held
• Preliminary scope and objectives are defined and discussed
• Auditor performs prelim audit survey
• Audit Prg developed
• Auditor performs fieldwork
• Auditor examines and evaluates business activity in accordance with audit program
• Interview notes, testing results, and conclusions documented in workpapers
• Audit Manager and Director review audit workpapers
• Audit results are communicated to client
• Formal exit meeting is held to discuss results
• Draft report issued to client to assure factual accuracy
• Auditor obtains corrective action plan from client
• Final Audit Report is issued
• Audit Report Distributed to client
• Follow-up on corrective actions
• Update Audit Comm. on audit results and plan status
• Directors report plan activity and sig. issues to University Auditor
• To General Audit Process

Appendix 21 - AUDIT SERVICES
Flowchart of General Audit Process

Flowchart boxes:
• University Auditor (UA) distributes audit plan and risk assessment guidance
• Locations perform an annual risk assessment of audit issues and areas
• Locations have interviews with management and perform analytical reviews
• Risk assessment results sent to UA for consolidation and analysis
• Consolidated risk assessment results are shared with Audit Directors
• Risk assessment results used to generate local and consolidated Audit Plans
• Directors develop local Audit Plans with emphasis on addressing high risk and Core issues
• Audit Directors forward preliminary Audit Plans to the UA
• UA and Audit Committees review and approve local audit plans
• Approved local audit plans are forwarded to the UA for consolidation
• UA presents Annual Audit Plan to the Regents’ Committee on Audit for approval
• Annual Audit Plan includes audit coverage analysis, and discussion
• Once approved, locations schedule and perform audit work
• Locations follow Internal Audit Process and report results to the UA
• UA reports audit results to the Regents’ Committee on Audit
• University Auditor prepares Regental Quarterly Reports that include Plan status and highlights
• Quarterly Report includes a list of final audit reports that are available for review by the Regents
• UA summarizes info in the Annual Report of Audit Activities
• To Internal Audit Process

6100 Planning an Audit

Policy

.01 Internal Audit performs adequate planning for every audit prior to the commencement of audit fieldwork. This section provides information on planning policies and procedures related to individual audits. For information on planning policies and procedures related to the Annual Audit Plan, see Section 3200.

Application of UC Policy for Planning

.02 Adequate audit planning requires that the auditor conduct a preliminary survey, establish an appropriate scope that addresses relevant business risks, develop an audit plan, obtain the approval of the Associate Director/Manager and Director, and communicate with the client. Documentation of these planning activities is also required.

Communication with the Client

Notification – The auditor-in-charge should notify the parties responsible for an organization or area to be audited that an audit is scheduled. Notification should be sent via written memo or email to the audit client with copies to senior officials as appropriate.

Preliminary Scope and Objectives - The audit timing and preliminary objectives should be communicated to the client in writing in advance of the beginning of fieldwork. This information may be included in entrance meeting materials, such as agendas, schedules and handouts distributed to the client during the meeting.

Entrance Conference - The entrance conference should be conducted with the client in order to discuss the preliminary scope and objectives. The following individuals should be invited and encouraged to attend the meeting:
• Directors and department heads responsible for the area being audited
• Manager(s) and any of his or her subordinates who work in the specific audit area
• Internal audit director, for all high-risk audits

Preliminary Survey - The auditor-in-charge should obtain and review the following types of background information about the area being audited:
• Objectives and goals
• Policies, plans, procedures, laws, regulations and contracts having significant impact on operations
• Organizational information, such as number and names of employees, job descriptions, process flowcharts, details about recent changes, etc.
• Budget information, operating results and financial data
• Prior audit workpapers and audit reports (including reports of external auditors and other external parties), correspondence files and relevant authoritative and technical literature

Audit Plan and Program Development

Risk Assessment - As part of the preliminary survey, the auditor should review systems and processes to identify key controls. The auditor generally uses various tools and techniques, which may include flowcharts, questionnaires, and interviews or other inquiries, in order to identify key controls and gain an understanding of the related audit risk. The possibility of fraud should be considered in the assessment of risk. The audit program is developed to test these high-risk areas.

Audit Program - The audit program should be prepared in advance of field work and outlines:
• Objectives of the audit
• Scope and degree of testing required to achieve the audit objectives in each phase of the audit
• Procedures for collecting, analyzing, interpreting and documenting information during the audit
• Technical aspects, risks, processes and transactions which should be examined

Documentation

Documentation to evidence the planning procedures includes:
• Copy of engagement or notification letter (Sample at Appendix 22)
• Assignment sheet, with scope, objectives, purpose, budget, timing, and client contacts, signed by the Associate Director/Manager and Director (Sample at Appendix 23)
• Preliminary survey summary memo, which includes the auditor’s assessment of risk, signed by the Associate Director/Manager and Director (Sample at Appendix 24)
• Approved audit program, signed by the Associate Director/Manager and Director

Supplementary Guidelines for Audit Planning

.04 While applying the planning policy, the auditor may also consider the following supplementary guidelines:

Communication - The preliminary objectives and audit timing may be communicated to the client 4 to 6 weeks in advance of the beginning of fieldwork to provide adequate preparation time for the client.

Shared Resources - Sharing mechanisms, such as the data warehouse, shared workpaper files, list-serves and internal networks that exist within and outside the system-wide program, may be utilized in order to enhance efficient planning and execution of audits.

Appendix 22 - Planning an Audit
Sample Audit Engagement Letter

DATE
TO:
Subject:

Audit & Advisory Services will be conducting a planned internal audit of the ------- Program/Department. The purpose of this audit will be to perform a general review of the program to assess business risk and internal controls, within the context of --------------------.

We will be contacting you soon to schedule a formal entrance conference, at which we will further define the scope of this review. Please invite other members of your staff that you feel should be included in this discussion. We would appreciate if the following information were available at the entrance conference:
• Current Organizational Chart,
• Department Mission Statement, Goals, and Objectives,
• Department-specific policies and procedures, if applicable, and,
• Any other department information you feel would be helpful.

Please contact me if you have any questions prior to our meeting.

Audit Director

Appendix 23 - Planning an Audit
Sample Audit Assignment Sheet

Campus/Lab Assignment Sheet FY <FY>

Project Title: <title>
Project Number: <number>
Primary Audit Universe Code: <universe code>
Auditor in Charge: <auditor name>
Assisting Auditors (if any): <auditor name>
Budget: <budget hours>
Audit Timeframe: <estimated timeframe>
Client Contact(s): <names, position titles>
Background: <brief background statement>
Project Narrative: <overview of project>
Project Information: <initial risk assessment concerns>
Additional Comments: <specify as necessary>
Project Objectives: <specific objectives>
Audit Department Approvals: <signature/date of Audit Manager and/or Audit Director>

Appendix 24 - Planning an Audit
Sample Preliminary Survey Template (Summary)

The template is a table with one row per objective (Objective #1, Objective #2, Objective #3, Objective #4) and the following columns:

Business Objective - What does the unit do? What is its purpose? What services is it providing (or supposed to be providing) to the university? What are its major functions?

Risks - What would prevent the unit from being able to accomplish its business objectives? What things could go wrong? What would happen if the unit couldn’t or didn’t perform its intended functions? Consider both internal and external risks.

Risk Assessment
Significance - What would be the impact on the university (or the function) if the risks materialized and the unit couldn’t perform its major functions? How significant would the ramifications be?
Likelihood of Occurrence - How likely is it that these risks would materialize?

Testing? - Based on the risk assessment, is testing to be performed? Only high risks should be tested. (Yes or No response)

Controls - What processes are in place to prevent the risks from occurring? What processes are in place to ensure the unit can perform its intended functions? What controls have been designed to help the unit meet its business objectives?

Testing Plan - What tests should be performed to evaluate whether the controls (processes designed to ensure that the unit can effectively perform its intended functions) are adequate and effective?

Approved by: <Audit Director/Manager>, <date>

6200 Conducting an Audit

Policy

.01 Internal Audit maintains adequate workpaper documentation to support the audit conclusions reached. Every audit is properly supervised to ensure that audit staff are adequately guided and have the requisite knowledge and skills to meet the audit objectives as well as to minimize audit risk.

Application of UC Policy for Conducting an Audit

.02 Conducting an audit involves examining, evaluating and documenting the information pertinent to the area under audit in order to support audit results. Supervision and workpaper documentation and review throughout the audit process ensures goals, objectives, risks and findings are addressed and resolved. Quality Assurance Policies and Procedures are included in Section 9000.

Supervision

Communication - The supervisor should communicate the goals and objectives, risks and other relevant information to the auditor-in-charge in order to provide the guidance and understanding necessary to conduct a high quality audit. The Supervisor and staff should maintain regular communication throughout the audit to ensure risks, findings and errors are adequately addressed and resolved. Audit objectives and other relevant information should be documented.

Workpaper Documentation

Purpose - The workpaper file documents the work the auditor has done. Workpapers contain the records of planning and preliminary surveys, the audit program, audit procedures, fieldwork and other documents relating to the audit. The workpapers serve as the connecting link between the audit assignment, the auditor's fieldwork and the final report. Most importantly, the workpapers document the auditor's conclusions and the reasons those conclusions were reached. The workpapers also provide a basis for evaluating the local campus/lab Internal Audit Department's Quality Assurance Program.

Workpaper Documentation (cont'd)

Contents - Workpapers should include the audit program along with documentation supporting findings, testing, interviews and other analyses. Findings and recommendations should be cross-referenced to the audit report or to their final disposition. All changes to the scope or audit plan should be documented and approved by the Associate Director/Manager and/or Director. Workpapers that are created and later determined to be unnecessary should be deleted.

Format - Audit workpapers may be in any form prescribed by audit management (paper, tapes, diskettes, etc.). If workpapers are in a form other than paper, appropriate backup procedures should be developed and followed. Policies and Procedures for Electronic Workpapers are included in Section 6500.

Workpaper Review

All workpapers should be independently reviewed to ensure there is sufficient evidence to support conclusions and all audit objectives have been met. Responsibilities for workpaper review are summarized as follows:

Manager’s Responsibilities - The supervisor of the auditor-in-charge should perform a detailed review of the workpapers. The Associate Director/Manager should also review and approve all changes to the scope of the audit and to the approved audit program.

Director’s Responsibilities - For each audit engagement, the Director should perform at least a summary review. A summary review consists of a review of audit planning documents, the audit program, and the summary of audit findings and their disposition. The Director should review and approve significant changes to the scope of the audit and to the approved audit program. The Director should perform a detailed review of any workpapers that have not been subjected to a detailed review by the Associate Director/Manager or have been prepared by the Associate Director/Manager. If a detailed review of the workpapers has not been performed (as in the case where the auditor-in-charge reports directly to the Director), the Director performs the detailed review and no summary review is required.

Workpaper Review (cont'd)

If the Director prepares the workpapers, the Associate Director/Manager or, if there is no Associate Director/Manager, another experienced member of the staff should review the workpapers.

Timing and extent of review - The level and frequency of review and communication during the audit depends upon the experience of the audit staff, the risk associated with the audited area and the significance of the findings. Workpapers should be signed off and dated by the preparer and the reviewer.

Attestation - The auditor in charge, manager and director should attest that the workpapers have, to the best of their knowledge, been prepared in accordance with IIA and University standards. Sample attestation statements are included as Appendices 25, 26 and 27.

Appendix 25 - Conducting an Audit

UNIVERSITY OF CALIFORNIA INTERNAL AUDIT
SAMPLE ATTESTATION STATEMENT – Auditor in Charge

Auditor in Charge

I have been the Auditor in Charge for our (audit, advisory service, or investigation) of (project name and number). In this capacity, I prepared the (audit, advisory service, or investigation) program and working papers or reviewed all working papers prepared by the staff assigned to this project. I also prepared or assisted in the preparation of the report to be issued. In my opinion, the working papers were prepared in accordance with professional standards established by the IIA and the University of California Internal Audit Program and comply with our department policies. Also, in my opinion, the working papers support the findings and conclusions in the report, and the report complies with IIA and University standards and department policies.

___________________________________________ signature _______________________ date

Appendix 26 - Conducting an Audit

UNIVERSITY OF CALIFORNIA INTERNAL AUDIT
SAMPLE ATTESTATION STATEMENT – Manager/Associate Director

Manager (if assigned) or Associate Director

I have been the Manager (or Associate Director) assigned to our (audit, advisory service, or investigation) of (project name and number). In this capacity, I approved the (audit, advisory service, or investigation) program and reviewed all working papers prepared by the assigned staff. I also reviewed the report to be issued. In my opinion, the working papers were prepared in accordance with professional standards established by the IIA and the University of California Internal Audit Program and comply with our department policies. Also, in my opinion, the working papers support the findings and conclusions in the report, and the report complies with IIA and University standards and department policies.

___________________________________________ signature _______________________ date

Appendix 27 - Conducting an Audit

UNIVERSITY OF CALIFORNIA INTERNAL AUDIT
SAMPLE ATTESTATION STATEMENT - Director

Director

Our (audit, advisory service, or investigation) of (project name and number) has been conducted under my supervision and direction. As the Director, I approved the (audit, advisory service, or investigation) program and reviewed the working papers to the extent required by professional standards established by the IIA, the University of California Internal Audit Program, and the department. I also reviewed the report to be issued. In my opinion, the working papers were prepared and reviewed in accordance with professional standards established by the IIA and the University of California Internal Audit Program and comply with our department policies. Also, in my opinion, the working papers support the findings and conclusions in the report, and the report complies with IIA and University standards and department policies.

___________________________________________ signature _______________________ date

6300 Reporting Results

Policy

.01 Internal Audit maintains a formal process for communicating to UC management and The Regents the results and recommendations for all audits conducted. Reporting of audit results and recommendations assists all levels of UC management and members of the Board of Regents in the effective discharge of their responsibilities.

Application of UC Policy for Reporting Results

.02 A standard audit report is issued upon the completion of each audit examination. The process for reporting results includes draft report preparation and reviews, quality assurance reviews and final audit report issuance and distribution.

Report Elements

Reports can be issued in long (report) form or, if the situation warrants, in a shorter, more informal letter form. Long form audit reports should include the following elements:
• Letter of transmittal signed by the director (signature attests that the director fully endorses and supports report contents)
• Title page
• Contents page (as appropriate considering report length)
• Executive summary (no more than one page)
• Purpose of the audit, including origin or source of the audit, as appropriate
• Scope of the audit, including
  - Time period covered
  - Functions or processes reviewed, such as payroll, procurement, travel, accounts receivable, cashiering, information technology, etc.
  - Audit techniques used, such as interviewing, testing transactions, reviewing records, analytical auditing procedures, etc.
• Background information related to the audited organization or activity

Report Elements (cont'd)
• Audit results, including findings, conclusions or opinions reached, and recommendations for improvement (or its equivalent)
• Management response or management action plan
• Schedules and attachments as appropriate to support or provide additional detail to audit findings and conclusions

Draft audit reports should be clearly labeled as a draft.

Audit Report Quality Assurance

A pre-issuance quality assurance review of draft and final audit reports should be performed by the auditor-in-charge of the engagement or an independent party and be reviewed by the Associate Director/Manager or Director. The Audit Report Pre-issuance Quality Assurance Checklist included as Appendix 28 to this section or a locally-developed equivalent should be used to facilitate and document this process. The Director should review and approve the final report prior to issuance.

Report Timeliness

Reports should be issued as soon as practical following the completion of the audit work. The Director should establish processes for ensuring the timely issuance of audit reports.
• Reports should be reviewed in draft form with responsible operating management on a timely basis following completion of audit work.
• A management response should be requested within a prescribed time frame in order to ensure timely issuance of the final report. The audit report may be issued without the response in the event of undue management delays in responding.

Report Distribution

Audit reports should be addressed to the director, chairperson or department head directly responsible for the audited activity or activities. Refer to Section 5200.07 regarding report addressees for audits conducted under attorney-client privilege.

Report Distribution (cont'd)

Draft audit reports - Report copies should be distributed to:
• Management personnel directly responsible for the audited activity or activities.
• Higher level management where necessary to obtain authorized commitment to recommended actions.

Final audit reports - Report copies should be distributed to:
• The director, chairperson or department head directly responsible for the audited activity or activities.
• Management personnel in the chain of command above the report addressee (e.g., Dean, Provost, Vice Chancellor and equivalent positions at the DOE Laboratories) as deemed appropriate.
• The local executive to whom the Audit Director reports (typically the Vice Chancellor for Administration or Deputy Director of the DOE Laboratory).
• University Auditor.
• The Laboratory Administration Office at the Office of the President (Laboratory audit reports).
• The Department of Energy (Laboratory audit reports).
• Other University officials on a need-to-know basis, as determined by the Audit Director.
• Other University personnel requesting a report copy, at the discretion of the Audit Director in consultation with audit client management and other University officials as deemed appropriate.

When reports are distributed by electronic means, a hard copy version signed by the director should be kept on file. Policies and Procedures for Electronic Workpapers are included in Section 6500.

6300 Appendix 28 - Reporting Results

AUDIT REPORT PRE-ISSUANCE QUALITY ASSURANCE CHECKLIST (page 1 of 2)

REPORT ELEMENTS (check columns: Draft / Final / N/A)

1. The audit report includes:
• Transmittal letter (transmittal letter for final audit report must be signed by the director)
• Title page
• Table of contents, if appropriate
• Report summary (one page Executive Summary preferred)
• Purpose of the audit, including the origin/source, as appropriate
• Scope of the audit, including time period covered, functions or processes reviewed, and audit techniques used, as appropriate
• Background information describing the audited organization or activity
• Audit results
  − Audit findings
  − Audit conclusions (opinions)
  − Audit recommendations (or its equivalent)
• Management’s response or management’s action plan
• Schedules and attachments, as appropriate, to support or provide additional detail for report content
• Addendum containing standard definition of internal control objectives and methods, such as from the COSO model (not to exceed one page)

2. Draft report is clearly labeled as a draft

AUDIT REPORT PRE-ISSUANCE QUALITY ASSURANCE CHECKLIST (page 2 of 2)

REPORT QUALITY, TONE, AND APPEARANCE (check columns: Draft / Final / N/A)

1. Report is clear and concise, free of unnecessary detail
2. Conclusions expressed in Executive Summary, report summary, and body of report are consistent
3. Report is broken down into sections, as appropriate. Sections are:
   • Brief
   • Clearly labeled
4. Descriptions of operating procedures, if required, are summarized
5. Report is easily understood and logically presented
6. Jargon, technical language, clichés, and colloquialisms are avoided
7. Acronyms are defined before being used
8. Active voice predominates
9. Report is direct and to the point
10. Headings are informative and descriptive
11. Opening sentences are strong and attention-getting
12. Main points are presented first
13. Findings referenced to COSO elements, as appropriate
14. Tone is balanced
15. Findings are worded constructively
16. Recommendations are directed toward achieving desired results without prescribing step by step actions
17. Report has proper spelling, grammar, and punctuation
18. Report has a professional appearance
19. Report makes use of graphics and attachments, as appropriate, to convey points and/or additional information
20. Spacing is proper and consistent
21. Fonts and formatting are proper and consistent
22. Report addressee name and title are proper and correctly spelled
23. Transmittal and report cc’s are correct, names and titles are correctly spelled
24. Audit number and subject title are included on the report and are correct

6400 Audit Follow-up

Policy

.01 Internal Audit maintains an audit follow-up process to monitor whether significant audit concerns for which corrective actions are recommended have been adequately addressed by management.

.02 The audit follow-up process assists management and The Regents in monitoring and controlling potential risk exposures related to significant audit concerns.

Application of UC Policy for Audit Follow-Up

The process involves assessing the adequacy and effectiveness of actions taken by management and documenting and communicating outstanding follow-up issues to higher levels of management when appropriate actions have not yet been taken.

Audit Tracker

Every audit office uses “Audit Tracker” or equivalent software to enable the auditor to track outstanding and incomplete management corrective actions. Audit Tracker is a system with a repository of audit findings and the corresponding management corrective actions (MCA). The MCA information captured in Audit Tracker includes the responsible manager, the date the MCA will be completed, the auditor responsible for monitoring the completion of the MCA and other information that can be used for summary reporting.

The Audit Tracker system contains standard reports to facilitate the monitoring of open MCAs and enable the reporting of exception and summary information to the local audit committee. Quarterly, the Audit Tracker information is consolidated from all the UC audit departments to enable reporting on the work of the consolidated audit program.

Follow-Up Procedures

The auditor should follow-up on promised management corrective actions on a timely basis. Follow-up requires that the auditor:
• Compile an inventory of outstanding corrective action items or open audits.
• Ascertain the implementation status of each corrective action item and evaluate the adequacy and progress of actions taken.
• Document the results of follow-up in Audit Tracker.
• Decide whether there is a need for additional follow-up or close out the audit.

• Advise the local audit committee of follow-up activities and any material open items at least annually.

Audit management should notify the next higher level of management and/or the audit committee of any unsatisfactory responses or actions as well as those corrective actions which are overdue.

Documentation - The follow-up work should be documented in Audit Tracker and reviewed by audit management. Workpaper Documentation Policies and Procedures are included in Section 6200.

6500 Other Audit Matters

Policy

.01 Internal Audit maintains policies for managing administrative and other matters related to the audit process in order to facilitate the continuing effective and efficient operation of its function.

.02 Policies for the following other audit matters are described in this section: Project management and reporting, Record retention, Dispute resolution, Scope limitations, Client satisfaction surveys, Access to audit information and Electronic workpapers.

Application of UC Policy for Other Audit Matters

Project Management and Reporting

Capturing Information - Each audit department must have a project management system in place. The system should capture the following information at a minimum:
• Type of project (audit, advisory service, investigation)
• Audit Universe identifier
• Line of business (campus, lab, health science)
• Hours budgeted
• Actual hours expended
• Draft report issuance date
• Final report issuance date

Audit department management uses the information generated by their local project management system to oversee and monitor department operations, such as:
• Adherence to approved budgeted hours
• Elapsed time since the start of the project
• Timely issuance of audit reports

Reporting - The Project Management system is the basis for preparing periodic reports for Internal Audit and campus/lab management, the local audit committee, and quarterly reports for submission to the University Auditor.

Project Management and Reporting (cont'd)
• Campus/Lab Management - Internal Audit Directors should meet with their supervisor on a regular basis. The Director should use these meetings to communicate current and material risk issues identified by audit projects and impending high profile projects and investigations.
• Campus/Lab Audit Committee - Each campus and lab has a local audit committee as specified in the UC Policy regarding Local Audit Committees. As part of the audit committee meetings, Internal Audit Directors may choose to share information regarding activity of the department, such as the quarterly reports submitted to the University Auditor. Guidelines for Local Audit Committees are included in Section 2500.
• University Auditor - Campus and Lab audit departments must submit four quarterly activity reports a year to the University Auditor. Due dates and content for quarterly reports will be communicated to audit departments prior to July 1 each year. Submission of Audit Tracker information to the University Auditor follows the same reporting schedule as the quarterly activity reports.

Record Retention

Audit work products are the property of the University. Internal Audit maintains custody of all audit work products, which are subject to the retention requirements set forth below.

Audit work products – Audit work products include reports and workpapers for all audit, investigation, and advisory service projects. They may be in electronic or hardcopy form.

Administrative records - Administrative records consist of reports, documents, analyses, and other materials generated to support the department’s functions. Administrative records include:
• Quarterly and annual reports
• Client Satisfaction Surveys and summarized results
• Support for system-wide and local audit plans
• Audit planning documents
• Risk assessment analyses

• Internal QAR materials
• Training records
• Interim project performance reviews, to the extent they are not covered by other UC record retention requirements.

Record Retention (cont'd)

Retention Periods - The retention period begins with the end of the fiscal year in which the report is issued.

Audit work products should be retained as follows:
• One signed copy of the final report - permanently
• Workpapers - 7 years

Administrative records should be retained as follows:
• Special administrative records, such as Audit Committee minutes, Annual and Quarterly Reports to The Regents, and Annual Plans – permanently
• Administrative records that support our professional program, such as those set forth above – 7 years
• Other administrative records – at local discretion

All other notes, documents and reports relating to a completed audit that are not included in the workpapers (i.e., retained in auditor’s desk files) should be destroyed after the final report has been issued. All versions of the draft audit report should also be destroyed after the final report has been issued.

Government Records - Audit work products and supporting documents are retained according to mutually agreed (with the Department of Energy) Records Retention Schedules at each respective laboratory. UC retention periods should be used as guidelines in negotiating retention periods for UC laboratory internal audit reports and workpapers.

Privileged Records - Audit work products and administrative records that are covered by attorney-client privilege or related to a lawsuit or other court action are not to be destroyed until the lawsuit or other court action has been closed or the 7 year workpaper retention period has been reached, whichever is later.

Record Retention (cont'd)

Notification - A reminder will be sent by the University Auditor’s Office at the beginning of each fiscal year specifying the fiscal year audit work product and administrative records to be destroyed.

Disposition Process - Audit work products and administrative records will be destroyed by December 31 of the year in which the records have reached the end of their retention period. The director will be responsible for reviewing the inventory listing of records scheduled for destruction to ensure that they should be destroyed (i.e., there is no reason that their retention period should be extended). Audit work products and administrative records should be destroyed in a manner that gives appropriate consideration to the sensitivity of the information contained in the documents to prevent the unauthorized release of proprietary or confidential information.

Dispute Resolution

Disputes Between Audit Staff & Audit Management - The exercise of professional judgment involved in determining reportable conditions and the expression of conclusions in audit reports may lead to differences in professional opinions. A process is needed to resolve such differences while respecting both the chain of command within audit management and the obligation of the staff to exercise independent professional judgment. This process applies only to disagreements having to do with the contents and conclusions in audit reports. It is not intended for personnel matters such as job assignments and performance appraisals where separate University policy exists. It is likewise not intended for administrative matters such as audit budgets and departmental management matters.

Dispute Resolution (cont'd)

Dispute Resolution Process - In the event that there is a disagreement of professional opinion between audit staff and an audit manager, associate director or equivalent, the Internal Audit Director, in the normal course of providing supervision, shall reach an independent conclusion on the matter and attempt to forge a consensus or compromise among the members of the engagement team. No specific record of dispute resolution at this level needs to be created or maintained.

If this process is unsuccessful, or if the disagreement originally involves the Internal Audit Director, the University Auditor shall be consulted. The University Auditor will review draft reports and other written materials, interview the disputing parties and/or convene a meeting for the purpose of forging a consensus or compromise among the disputing parties. A written record of this dispute resolution process, efforts, and outcomes shall be created and maintained outside of the working papers.

If consensus or compromise is not achieved from these processes, the final judgment of the University Auditor will prevail insofar as the issuance of the audit report is concerned. However, no individual’s rights as an employee of the University will be compromised by invoking this process or by its outcome.

Disputes Between the Audit Client & Auditors - Disputes which may arise between internal auditors and audit clients can be generally categorized into those regarding the factual accuracy of reported findings, and those dealing with the appropriateness of conclusions or recommendations (the "fairness" of the audit report in total or specific matters). Such disputes are separate from scope limitations imposed by audit clients. Policies and Procedures for Scope Limitations are included in this section. Every effort shall be made to resolve all questions of factual accuracy before the final audit report is issued.

Dispute Resolution (cont'd)

Conclusions and recommendations represent the professional judgment of internal auditors and cannot be overridden or unduly influenced by audit clients. However, in exercising their professional judgment, Internal Audit Directors should aggressively seek compromise and consensus views that communicate issues clearly and completely and deal with identified audit issues effectively. The judgment of the local Internal Audit Director is the prevailing position. Therefore, audit clients do not have the authority to "appeal" an audit report to the University Auditor or to higher local management. The written response to the audit report is the recourse and appropriate vehicle for audit clients to communicate their views.

Scope Limitations

Definition - Scope limitations include situations in which a client is uncooperative, attempts to limit the scope of planned work or denies access to records, personnel, assets or other information necessary to complete the audit. The Management Charter provides Internal Audit unrestricted access to all assets, information, reports, records, and personnel required to perform their work. The Mission and Management Charter is included in Section 1100.

Resolution Process - The auditor should bring all matters involving scope limitations to the attention of Internal Audit management. If Internal Audit management is unable to resolve the matter at the local level, the University Auditor should be notified and involved in the process to assist in its resolution. The matter should be brought to the attention of the Local Audit Committee, as warranted. Policy for Local Audit Committee Guidelines is included in Section 2500. All scope limitation discussions should be documented in the audit workpapers. Policies and Procedures for Workpaper Documentation are included in Section 6200.

Scope Limitations (cont'd)

Impact on Audit Report - In the event a scope limitation significantly impacts the planned scope of the audit and is not resolved to the satisfaction of Internal Audit, the audit report should state that the audit team was unable to perform the planned tests. Audit reports with significant limitations on scope will be distributed to the Chancellor/Lab Director and other University officials, including The Regents, as determined by the University Auditor.

Client Satisfaction Surveys

Each internal audit department should measure and monitor the satisfaction level of its clients in order to continuously maintain and improve the quality of services provided.

Transactional Survey - This type of survey should be used to elicit the client’s perception of the service rendered and identify opportunities for improvement in those instances where a report is issued. The Client Satisfaction Survey included as Appendix 29 to this section or a locally-developed equivalent should be used. Transactional surveys should be sent to the addressee of the audit report and other audit participants, as considered appropriate, no later than 30 days after issuance of the final audit report. A standard rating scale should be implemented in order to facilitate the measuring of results. The surveys should be returned to the campus/lab audit department director. Results of the surveys should be tabulated and shared with the auditor-in-charge, audit director, persons to whom the audit director reports and, at least annually, to the Local Audit Committee.

Management Survey - This type of survey is used to elicit management’s perception of the audit program’s ability to fulfill its mission assisting members of the organization in the effective discharge of their responsibilities. The Management Survey included as an appendix to this section or a locally-developed equivalent should be used.

Client Satisfaction Surveys (cont'd)

Management surveys will be sent from the University Auditor to upper management, including the Chancellor or Lab Director, and Local Audit Committee members at least annually. A standard rating scale will be implemented to facilitate the measuring of results. Surveys will be returned to the University Auditor. Results of the surveys should be tabulated and shared with the Local Audit Committee and, along with copies of the individual survey documents, the campus/lab audit director.

Access to Audit Information

All requests for access to, or copies of, audit reports and audit workpapers are subject to the approval of the audit director. The audit director should inform client management of any requests for access to or copies of audit materials by internal or external parties. The audit director should inform the University Auditor of all requests for audit materials related to investigations or other sensitive matters in advance of their release.

Internal Campus/Lab Requests - The audit director should normally grant approval of requests for audit reports by management responsible for the audited activity. Requests for access to, or copies of, audit reports from University personnel other than management responsible for the audited activity are subject to the discretion and approval of the audit director.

External Audit Requests - The audit director should normally approve requests for audit materials by external audit agencies or firms duly engaged by the UC Regents and other authorized audit agencies where the report and/or workpaper content is pertinent to the external audit scope. The audit director should follow the policy established in the Liaisons section of the Audit Manual in responding to requests for audit materials by the State Auditor’s Office. Policies and Procedures for Liaison with the State Auditor are included in Section 5300.

Access to Audit Information (cont'd)

The audit director should coordinate requests from external audit agencies with the campus/lab external audit coordinator at locations where the audit director does not serve in that capacity.

Outside Party Requests - All other requests for access to and/or copies of audit materials by external parties should be coordinated with campus counsel, or General Counsel at locations not having local counsel, and with the local information practices officer and media relations director as appropriate. The audit director should authorize release of materials only after legal counsel affirms the legal requirement to do so. The audit director should inform the University Auditor of all requests for copies of audit reports by news media in advance of their release.

Electronic Workpapers

Section is under development.

6500 Appendix 29 - Other Audit Matters

UNIVERSITY OF CALIFORNIA INTERNAL AUDIT DEPARTMENT
CLIENT SATISFACTION SURVEY (page 1 of 2)

Audit Title:
Audit Conducted by:
Audit Client:
Client Department:

Rating scale: Strongly Agree / Agree / Neither Agree Nor Disagree / Disagree / Strongly Disagree / No Basis

Survey Questions (items 1 to 9)
• The audit objectives, purpose and scope were clearly communicated to me.
• My business concerns and perspective on key operating areas were adequately considered during the audit.
• The disruption of daily activities was minimized as much as possible during the audit.
• The auditor(s) demonstrated technical proficiency in the audit areas.
• The auditor(s) demonstrated courtesy, professionalism, and a constructive and positive approach.
• The auditor(s) demonstrated effective communication skills.
• Communication of audit results and status to me during the audit was timely and adequate.
• The audit took an acceptable amount of time (from entrance to exit).
• The audit report was clearly written and logically organized.

UNIVERSITY OF CALIFORNIA INTERNAL AUDIT DEPARTMENT
CLIENT SATISFACTION SURVEY (page 2 of 2)

Rating scale: Strongly Agree / Agree / Neither Agree Nor Disagree / Disagree / Strongly Disagree / No Basis

Survey Questions (items 10 to 15)
• Audit results were accurately reported and appropriate perspective was provided.
• The conclusions and opinions of the auditor(s) were logical and well documented.
• Audit recommendations were constructive and actionable.
• Audit report was issued timely.
• The objectives of the audit were met.
• Overall, the audit was "value added" to my organization.

Please feel free to provide additional comments regarding the performance of Internal Audit in the space provided below. We are especially interested in any thoughts you might have on how we can improve our efforts to provide value at the University of California.

Survey Completed by:
Date:

Please return the completed survey to:
Audit Director or designee
Address

6500 Appendix 30 - Other Audit Matters

UNIVERSITY OF CALIFORNIA INTERNAL AUDIT DEPARTMENT
MANAGEMENT SATISFACTION SURVEY (page 1 of 2)

TO: _________________________________
CAMPUS/LAB: ______________________

In an effort to improve the quality of the UC Internal Audit Program, <xxxxxx> requests your feedback and comments about your respective Internal Audit Department, for FY XX. This survey is a valuable tool in assessing our audit program and we appreciate your honest feedback. Please mark the appropriate box below and provide any additional comments at the end of the questionnaire. The results and comments will be shared with the respective Internal Audit Department. Return the survey to <address>.

Rating scale: Strongly Agree / Agree / Disagree / Strongly Disagree / No Basis

Criteria (items 1 to 10)
• The audit program is meeting the needs of the University.
• The audit services work performed (audits, advisory services, investigations) met my needs and expectations.
• The audit staff identified and addressed relevant and significant issues and risks.
• The audit work performed contributed to improved control, and/or improved operational effectiveness and efficiency within my unit.
• There was an appropriate balance between audits and advisory service/consultative work in my area.
• Audit reports and other written materials are of high quality.
• The audit staff promotes an image of professionalism and competency.
• My communication with the Audit Director is sufficient.
• My involvement with the annual audit planning process was adequate.
• Overall, the Internal Audit Program provides value to my organizational unit and the University.

UNIVERSITY OF CALIFORNIA INTERNAL AUDIT DEPARTMENT
MANAGEMENT SATISFACTION SURVEY (page 2 of 2)

11. Are there any specific changes we can make to improve our audit process?
______________________________________________________________________________
______________________________________________________________________________

12. Any additional comments?
______________________________________________________________________________
______________________________________________________________________________

Signature: ____________________________ Date: ____________________
Title: ________________________________________________________

Please send completed survey to: <address>

6600 Conducting Information Technology Audits

Policy

.01 Each Campus is responsible for assuring a program that provides for audit coverage of information technology risks at each location. This is accomplished through the use of integrated audits of functional areas (generally performed by IT audit generalists) and more specific technical information system reviews (generally conducted by an IT audit specialist). Campuses may also perform integrated or highly technical reviews using other resources as required.

.02 Specific standards for providing audit coverage of information technology topics at each location are described in this section.

Application of UC Policy for IT Audit Topics

Integrated Audits of Functional Areas - Audits of functional areas incorporating information technology components and not specifically identified in the G section of the universe will be risk ranked in the functional area assessment and separately identified via the applicable G index code to provide discernable evidence of IT risk coverage.

Distributed Computing Environments – For distributed computing environments, risk will be assessed and scored with the corresponding organizational unit where that unit appears in the universe, either at tier three (system-wide) or at tier four (local additions). This will provide for consistent treatment for all distributed computing environments.

Continuous Auditing - Internal Audit should also determine whether the use of a continuous audit program is appropriate. The methodology enables independent auditors to provide written assurance on a subject matter, for which an entity’s management is responsible and uses a series of auditors’ reports issued virtually simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter. The use of continuous audit is consistent with the business-reporting model of the future whereby tools are developed for continuous audit, and can be transitioned to management for continuous monitoring of activity. A program of continuous audit and continuous monitoring supports both assurance activities and compliance functions.

Some UC locations are good candidates for the application of continuous audit techniques for selected focus areas; however, the complexity and number of financial and management processes at UC locations effectively preclude the application of continuous audit concepts on a widespread basis within a short time frame.

Information Technology Risk Assessment [1]

.03 Planned coverage for specific technical IT topics (Section G of the audit universe lists the specific information technology topics) will be evaluated and determined each year as part of the annual comprehensive risk assessment process, and include IT audit coverage for areas determined to be high risk using the risk assessment model described in Section 3200 using the same criteria and weighting for evaluating other line of business universe topics (i.e., campus and Health Sciences). This determination will be made independently of whether the project can be staffed exclusively with existing Internal Audit personnel based on current skill sets. The risk assessment should incorporate a robust evaluation of the business line IT Infrastructure including consideration of the institution's strategic, financial investment in technology resources as well as the state of the physical and logical components of the campus/medical center inter/intranet, and the operational, regulatory and reputational risks.

[1] Risk Universe adapted from Deloitte & Touche, LLP, IT Internal Audit Risk Assessment, Bishop & Carpenter July 2008.

The risk assessment process for IT related topics/functions should also take into consideration the annual IT audit coverage by the University's external auditors to ensure adequate audit coverage and prevent the duplication of efforts.

Following are brief descriptions of the (Section G tier 2) areas to be assessed on a relative risk basis.

IT Governance/Strategy & Planning (G.a) - Includes the mission of the centralized IT functions, the IT policy setting function, IT risk management, strategy and long-term planning including the organizational structure, human resources, budgets, metrics, and controls as they relate to the IT Strategic Plan and its execution, alignment of the IT infrastructure with core administrative business processes, and executive oversight for the portfolio of infrastructure and application system components.

Architecture (G.b) - Includes technology planning, architecture design, analysis/assessment of emerging technologies, vendor/product selection, strategic sourcing, acquire/build standards, local standards, integration and consolidation, deployment options, asset management, management (software, hardware, infrastructure, and security), and technical support.

Project Management (G.c) - Includes the project management development/deployment methodology (initiating, planning, executing, controlling, and closing), the systems development life cycle (design, implementation/deployment, support and maintenance), project pre-implementation, and post-implementation processes, data conversion practices, documentation and training development, test and quality assurance functions.

Infrastructure (G.d) - Includes operating systems, database and data warehouse structures, networks (intra/inter and perimeter), physical sites, telecommunications (voice/data), centrally maintained and managed email/calendaring, messaging, and electronic data interchange.

Operations (G.e) - Includes data centers and related physical security and processing (batch scheduling and on-line processing), facilities and equipment maintenance and management, hardware and related utilities, application/database capacity, availability, service level management, and performance management and monitoring, and data retention and backup (scheduling, processing, off-site storage, retrieval and restoration).

Support (G.f) – Includes problem management (help desk, root cause analysis), end-user computing support/management, maintenance and updates, software licensing, vendor/third party management.

Enterprise Security (G.g) - Includes security configuration and management for applications, databases, networks, operating systems, security strategy and compliance, security awareness and training, identity and access management (user provisioning, user roles, administrative access, remote access, third party access) and threat and vulnerability management (intrusion detection and response, intrusion prevention, virus protection and detection, security penetration and vulnerability testing, incident response, privacy, and data protection).

Disaster Recovery (G.h) - Includes business impact assessment, disaster recovery/business continuity planning, business continuity processes and procedures development, crisis management plans including communications, disaster recovery testing.

Under all options, emphasis will be made on completing the audit project with the required IT audit skills set, and concurrently enhancing the IT audit skills of existing audit personnel.

Audit Planning

.04 Documentation of the planning for each audit assignment must evidence consideration of:

• An Integrated Audit Approach – The integrated audit approach provides for coverage of IT topics within an audit of a business unit or process, where the information systems environment is one element of the preliminary survey risk assessment. The preliminary survey for each audit will include a risk assessment of the information technology environment and where detailed testing of IT controls may be deemed appropriate on a relative risk basis or an explanation of why such a risk assessment is not appropriate.

• Use of Computer Aided Audit Techniques (CAATs) – Auditors should be familiar with tools for extracting and analyzing data. General tools for analyzing data include MS Excel, and MS Access. More specialized tools include the following: Structured Query Language (SQL), Audit Command Language (ACL), and Interactive Data Extraction and Analysis (IDEA). When extracted data is provided by others, auditors should first validate the accuracy and completeness of the data before conducting any detailed analysis.

Required Information Technology Audit Skills [2]

.05 Each campus should strive to have both IT audit generalist and specialist on staff to provide coverage of IT risks recognizing that most functional area reviews require IT audit generalist knowledge and skills.

Determination of Skill Sets Needed – In all cases, IT audit projects will be staffed with auditors and supervisors that have IT audit skills commensurate to meet the Institute for Internal Auditors professional standards. Subsequent to the development of the annual audit plan, Internal Audit at each location will evaluate the IT skills available in-house, and determine if additional skills are needed to complete the planned IT audits.

The IT audit skills required to perform and supervise IT audits may be classified in two broad categories, as follows.

Information Systems Auditor – Generalist – for all IT audit projects, the following base level IT audit skills are required:

• Working knowledge about common technology infrastructure components (e.g., hardware/software, operating systems, networks, databases, etc.).
• Working knowledge about application risks and control concepts, and how programmed procedures and logic provide for workflow, administration, operation, and control (i.e., input/processing/output controls, error and exception reporting, transaction logging and audit trails, separation of key application processing duties, etc.).
• Working knowledge about general controls that apply to all systems, components, applications, and data for a given IT unit (information security policy, management of systems acquisition and implementation, change management, physical and logical security controls, data center operations, business continuity – disaster recovery planning, separation of key IT administrative duties, etc.).
• Competence in evaluating the general and application controls, as designed and implemented, against defined standards and recognized best practices.

[2] These requirements are in addition to a working knowledge of internal control concepts in general e.g., preventive controls, detective controls, corrective controls, and governance and management controls.

Information Systems Auditor – Specialist – for certain IT audit projects and topics, more specialized technical skills may be required. For example, the following skills may be appropriate:

• Working knowledge of IT control frameworks, including Control Objectives for Information and related Technology (COBIT), ISO 17799, National Institute of Security Standards (NIST), etc.
• Detailed understanding of authentication and authorization technologies (e.g., Shibboleth, RACF, etc.).
• Working knowledge of technical security measures deployed to address threats and vulnerabilities at various layers (e.g., routers, switches and firewalls, intrusion detection, operating system hardening, virus protection, etc.).
• Hands-on experience using vulnerability assessment tools, evaluating results, and debriefing with IT operations staff.
• Familiarity with encryption technologies.
• Working knowledge of the Health Insurance Portability and Accountability Act (HIPAA) technical security requirements.
• Working knowledge of Payment Card Industry (PCI) Standards for IT environments storing credit card information.
• Computer forensic skills and/or computer law (for investigations).
• Others, as needed.

Deployment of Resources

.06 In all cases, IT audit projects will be staffed with auditors and supervisors that have IT audit skills commensurate to meet the Institute for Internal Auditors professional standards. Various approaches may be utilized to assure compliance with IIA professional standards. Of special concern are audits that appear to require the skills of an Information Systems Auditor – Specialist. In instances where local skills and resources are insufficient or not available alternative coverage models must be utilized such as cosourcing, out-sourcing, and/or shared resources.

For audit projects where additional skills are required, the following options are available:

• Co-sourcing - Contracting with an external party for agreed upon procedures via a professional services agreement.
• Shared Resources - Providing audit coverage with a team of auditors from multiple UC locations.
• Rotation/guest auditor program – Coordinating with local management to rotate operational IT staff through audit to perform audits. Under this approach, the audit scope assigned to guest auditors should be areas that were outside their area of responsibility for at least the last year.

Under all options, emphasis will be made on completing the audit project with the required IT audit skills set, importing needed technical skills if available, and concurrently enhancing the IT audit skills of existing audit personnel.

Professional Development and Audit Designations

.07 IT auditors should be encouraged to pursue educational opportunities to ensure adequate knowledge regarding changes in technology, and impact on IT controls. To this end, IT auditors should be encouraged to pursue the following designations:

• Certified Information Systems Auditor (CISA)
• Certified Information Systems Security Professional (CISSP)
• Certified Internal Auditor (CIA)
• Certified Public Accountant (CPA)
• Certified Fraud Examiner (CFE)

7000 INVESTIGATION SERVICES

Section Overview

.01 This Section of the manual establishes the standards for conducting investigations. It includes criteria for determining whether an engagement qualifies as an investigation and, therefore, becomes subject to these investigation standards. These investigation standards supplement the audit services standards described in the 6000 Section.

7100 Introduction

Purpose

.01 The investigations section of the UC Audit Manual is intended to implement and supplement UC Investigations Policy (such as Policy on Reporting and Investigating Allegations of Suspected Improper Governmental Activities (the “Whistleblower Policy”) and any successors) as such Policy pertains to investigations conducted by UC Internal Audit. It is intended to supplement the audit standards as set forth in this Audit Manual for certain types of engagements as defined below. An investigation is a special purpose type of audit. Therefore the standards for conducting an audit contained in Section 6000 of the manual are generally applicable.

UC investigations conducted by Internal Audit are expected to comply with relevant standards set forth by appropriate sets of law such as federal and state civil and criminal procedure and rules of evidence. They should also be conducted in compliance with applicable standards set forth by professional bodies representing internal auditors (the Institute of Internal Auditors) and fraud examiners (Certified Fraud Examiners). In the event of a direct conflict between a section of this chapter and law, regulation or official policy, such law, regulation or policy shall rule.

Application of Investigations Standards

.02 The investigation standards shall apply for an internal audit engagement when:

• The primary purpose is to gather, develop, examine and/or evaluate evidence to determine if there has been an improper act (as defined herein) committed by a person or entity. It is expected that such an engagement would also determine the techniques used in committing the improper act, the extent of damage caused by the improper act and the causal factors permitting or contributing to the improper act (including internal control or policy violations or deficiencies).

And

• Allegations of an improper act which carry with them the possibility of legal action, whether in the form of hearings, litigation, or criminal proceedings.

There are matters related to fraud that are not covered by the investigation standards set forth in this manual. They include:

• An examination for the purpose of improvement of controls involved in an allegation of an improper act.
• Developing fraud prevention or detection programs.
• Auditing for fraud in the absence of an allegation or reasonable suspicion.

Such engagements are governed by either the audit or advisory service standards whichever are more appropriate in the circumstances.

Definition of Improper Act

.03 For purposes of this manual, an improper act is an improper governmental activity as defined in statute and serious or substantial violations of University Policy as defined in the University Policy on Reporting and Investigating Known or Suspected Improper Governmental Activities.

The Client

.04 The ultimate clients of the investigations conducted by Internal Audit are The Regents of the University of California. Accordingly, the Internal Audit function of the University of California acts with independence and derivative authority to initiate investigations on its own for the benefit of the client. Such activities are normally coordinated with designated channels at each location. However, the local procedures do not override Internal Audit's authority to conduct investigations.

Roles and Relationships

.05 Following are the primary roles and related responsibilities for conducting investigation services:

University Auditor

The University Auditor is responsible for general oversight of all audit investigations as well as for communication with The Regents and Senior Management. In addition, the University Auditor is responsible for reporting summary information on all audit investigations to The Regents annually.

Director of Investigations

The Director of Investigations is responsible for assisting the University Auditor in his oversight role as well as for tracking investigations reported to the University Auditor’s office. The Director of Investigations also provides investigative resources and consultation where requested or needed. In situations involving multiple campus/labs, the Director of Investigations has the responsibility for coordinating the multiple efforts and ensuring the overall cohesiveness of investigative efforts. In the event of an actual or perceived conflict of interest on the part of campus Internal Audit the Director of Investigations shall assume responsibility as provided for in the Audit Management Plan.

Internal Audit Directors

The IAD is responsible for conducting audit investigations at the local level. At the DOE Laboratories, the investigation responsibilities may be assigned to someone other than the IAD. The IAD shall also be responsible for required communications with the University Auditors Office. When an investigation substantiates improper acts, the IAD shall also be responsible for recommending strengthening of related controls, policies or procedures to reduce future vulnerability to similar improper acts.

Law Enforcement

If it appears that a crime may have been committed, campus police and Office of the General Counsel shall be consulted to determine appropriate action with regard to the investigation and legal proceedings. In the event that campus police conduct a criminal investigation initiated under this policy Internal Audit investigators shall share information and also lend assistance to the extent specialized skills or expertise are needed or desired. An example of such assistance might be the analysis of accounting and other business records. It is expected that UC Police will normally handle all communication with other law enforcement bodies.

7200 Conducting an Investigation

Initiating an Investigation

.01 While the specific reasons for initiating an investigation will vary, there must be an adequate basis for suspecting a possible improper act. The primary factors to consider are:

• The allegation or suspicion, if true, constitutes an improper governmental activity under law or a serious or substantial violation of University policy. If not, then no matter how egregious a situation or behavior may appear, it would not provide a basis for an investigation under this standard.
• An allegation should be accompanied by information specific enough to be investigated. For example, "There is fraud in the hospital" by itself, is not sufficient to begin an investigation.
• An allegation should have or directly point to, corroborating evidence that can give the allegation credibility. Such evidence may be testimonial or documentary.

Matters referred to Internal Audit for investigation that do not meet the above criteria may be appropriately reviewed as an advisory service to management provided the requisite expertise exists within or is available to Internal Audit. Matters that result from the normal exercise of management judgment are rarely susceptible to investigation, and frequently not appropriate for review as an advisory service (e.g., "fairness" of compensation, adequacy of supervision, etc.).

When an investigation is undertaken based on reported allegations by a person making an informal whistleblower report, care should be taken to clarify the matters to be reviewed. If the initial communication is verbal, it is advisable to document your understanding of the whistleblower’s allegations and obtain their concurrence with your articulation of their assertions. In addition to assuring that all of the whistleblower’s allegations are captured, this documentation will assist in referral of matters outside of Internal Audit’s jurisdiction.

A decision to end an inquiry without an investigation or to discontinue an investigation must be documented.

Planning for Investigations

.02 The planning of an investigation includes determining:

• What is the nature of the allegations?
• What other investigative bodies need to be involved?
• What type of evidence is needed to sustain or disprove the allegations?
• What records or other evidence needs to be secured?
• What assistance may have been required to commit the alleged improper act and is there a possibility of collusion?
• What resources including specialized skill sets, whether internal to the UC or an outside party, are likely needed?
• What notifications are required?
• What methodologies should be used to gather, secure and analyze evidence? The methodology should include coordination of the case as a whole with nonaudit personnel.

Documentation

.03 Within audit investigations there are two types of documentation: administrative and evidentiary. The two types of documentation should be kept discrete.

Administrative Documentation

Administrative documentation pertains to the management of the case within the University that does not have a direct bearing on evidence. Administrative documentation includes but is not limited to materials evidencing:

• Chronologies of important events.
• When, and how, the allegations reached Internal Audit’s attention.
• Planning not pertaining to allegations or evidence (e.g. personnel scheduling).

• Internal Audit notifications (e.g. in accordance with BFB G-29 and other management policies)
• Personnel considerations such as if and when a subject employee was placed on investigatory leave and/or terminated.
• Operational considerations such as emergency or interim procedures that may be necessary.
• Engagement administration

Evidentiary Documentation

Gathering Evidence - Care should be taken to gather evidence so as not to compromise its admissibility. University policies exist in certain areas (e.g. electronic communications policy) which impact, but do not override, Internal Auditors’ access authority as provided by The Regents. In cases that result in a deposition or a trial the person who gathered the evidence may have to testify as to the means and authority to gather the evidence. If the case has a significant chance of a civil or criminal action being taken there should be documentation as to:

• When evidence was gathered.
• How evidence was gathered.
• How a chain of custody was maintained.
• How the integrity of the evidence was preserved, if applicable.

Care of Evidence - In all cases that have the possibility of litigation or criminal proceedings, due care must be taken to preserve the integrity of all original evidence. The investigator should ensure that steps are taken to secure and protect all original evidence. This includes:

• Taking steps to ensure that evidence is not destroyed either by the subject or inadvertently by someone else.
• The use of "working copies" rather than originals for analysis
• The use of "image copies" for securing information on computer storage media.
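One way to document when and how electronic evidence was gathered, how custody was maintained and how integrity was preserved is shown below. This is an added illustration, not part of the manual: the file name, the actor labels and the CustodyLog structure are assumptions, and the sample file is constructed. The same digest comparison applies to an image file taken from computer storage media.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

GENESIS = "0" * 64  # "previous hash" used by the first log entry


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large image files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Append-only custody record; each entry is chained to the one before it."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        material = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(material, sort_keys=True).encode()).hexdigest()

    def record(self, action, item, sha256, actor):
        entry = {
            "when": datetime.now(timezone.utc).isoformat(),  # when it was done
            "actor": actor,                                  # who handled the item
            "action": action,                                # how it was handled
            "item": item,
            "sha256": sha256,                                # integrity fingerprint
            "prev": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if no entry was edited, removed or reordered after the fact."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry["entry_hash"] != self._digest(entry):
                return False
            prev = entry["entry_hash"]
        return True


def acquire(original, workdir, log, actor):
    """Fingerprint the original, then make and verify a working copy for analysis."""
    original = Path(original)
    digest = sha256_file(original)
    log.record("original acquired", original.name, digest, actor)
    working = Path(workdir) / ("working_" + original.name)
    shutil.copyfile(original, working)
    if sha256_file(working) != digest:
        raise ValueError("working copy does not match the original")
    log.record("working copy made", working.name, digest, actor)
    return working, digest


def check_integrity(path, expected, log, actor):
    """Re-hash an item, log the outcome, and report whether it is unchanged."""
    current = sha256_file(path)
    ok = current == expected
    log.record("integrity check passed" if ok else "INTEGRITY CHECK FAILED",
               Path(path).name, current, actor)
    return ok


def demo():
    with tempfile.TemporaryDirectory() as d:
        original = Path(d) / "ledger_export.csv"  # constructed sample evidence
        original.write_text("voucher,amount\n1001,250.00\n1002,980.50\n")
        log = CustodyLog()
        working, digest = acquire(original, d, log, "investigator A")
        with open(working, "a") as f:             # accidental edit during analysis
            f.write("1003,12.00\n")
        working_ok = check_integrity(working, digest, log, "investigator A")
        original_ok = check_integrity(original, digest, log, "investigator B")
        log_ok = log.verify()
        log.entries[0]["actor"] = "someone else"  # after-the-fact edit to the log
        return {"working_ok": working_ok, "original_ok": original_ok,
                "log_ok": log_ok, "tamper_detected": not log.verify(),
                "entries": len(log.entries)}


if __name__ == "__main__":
    print(demo())
```

The accidental edit lands on the working copy and is caught by the re-hash, while the original still matches the digest recorded at acquisition.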

Interviews - Interviews are made for the purpose of gathering information. A formal record of the interview should be generated of the interviews of all material witnesses. Such a record should have at a minimum, in addition to the substance of the interview, the name[s] of the interviewer[s], the interviewee[s] and the time and date of the interview. In addition, it is strongly recommended that two persons should conduct interviews of material witnesses including subjects. [see also witness statements]

In cases where an interview is recorded, there must be clear permission given by the witness. The interviewer should have the witness acknowledge that permission was granted on the tape. Tapes are considered original evidence. If a transcript made from the tape is used, the tape must still be preserved.

Planned Interrogations - For purposes of this manual, an interrogation is defined as a special purpose interview that has the aim of eliciting an admission of responsibility. In the law enforcement arena, interrogations are most often performed after a subject is in custody. Such a situation is often impractical and yet obtaining an admission is often necessary in order to solve a case. It is strongly suggested that planned interrogations handled by internal audit should only be performed by seasoned investigators with the IAD present. In cases which have been reported to the Senior Vice President—Business & Finance pursuant to policy, the Director of Investigations should be consulted in advance of planned interrogations that have clear criminal implications. In all cases of interrogations in which an admission is made, a statement should be obtained if possible. If the subject refuses to make a formal statement that refusal must be noted in the record of the interview.

Witness Statements - Statements prepared by a witness should be signed by the witness in such a way as to acknowledge authorship. Handwritten statements are acceptable if legible. All statements prepared by a witness should be maintained “as is” without editing or corrections of any sort.

If a statement [including interview notes] is prepared by the interviewer careful proofreading must be done prior to signing by the witness. The statement should be prepared with a paragraph just above the witness signature that the statement represents the views, thoughts etc. of the witness.

7300 Communications and Reporting

Initial Notification of OP

.01 The IAD (or other designated official at the DOE Laboratories) shall notify the Office of the University Auditor in writing of any audit investigation as soon as it appears that the investigation:

• Involves resources with a value of $1,000 or more.
• Concerns corruption
• Is the result of control deficiencies which are likely to be present at other locations.
• Is likely to receive media or other public attention, or,
• May be significant for other reasons in the judgment of the IAD.

The notification to the Office of the University Auditor shall be in writing and shall to the extent known at the time of reporting include:

• Sufficient description of the allegation(s) to enable a judgment of potential significance as well as type of known or suspected improper activity.
• Identification of the department or operational unit involved.
• The source type of allegation (i.e. formal whistleblower, management, 3rd party etc.).
• The source of funding involved.
• The alleged or potential dollar value of the activity.
• A summary of the investigative workplan

A standard intake form should be used for initial notifications by IADs to the University Auditor. The same form should be prepared by the IAD for investigations reported to the Senior Vice President—Business & Finance independent of any other notification sent pursuant to policy.

which for example.02 Reports of changes in the status of information provided above shall be made to apprise the Office of the University Auditor of the progress of investigations. Such evidence includes but is not limited to copies of original documents. a more detailed report may be advisable. serious consideration should be given to creating a detailed report that includes references to exhibits of evidentiary matter (in addition to exhibits. In such cases. a memo or a letter format for the report may be used. the entry of law enforcement or other authorized investigative body into the case. signed witness statements. For purposes of normal distribution to University officials a report does not need to contain the evidentiary exhibits. In those cases that are inactive or for which there has been no change. . Otherwise a formal report should be issued. In reports of investigations intended to be used by attorneys and law enforcement as in litigation or criminal legal proceedings. which may in turn depend on whether any administratively or legally actionable matters were sustained in the course of the investigation. media or other public interest and new estimates of dollars involved. However. Interim Communications Communication of Results University of California 6/9/2009 Page 190 .03 There are different types of reports that can be issued. For those investigations not reportable to the Senior Vice President—Business and Finance that result in null findings. transcripts of interviews etc. Such reports should be made whenever there is a development in the investigation that materially affects the information previously provided above including but not limited to new allegations. there should be a communication of this fact monthly. certain allegations shown to be untrue. there may be cases where evidence is found that affirmatively clears a subject who is clouded with a suspicion of an improper act. 
Such a report should include all information that is relevant to a case. tabulate a loss). Generally the differences depend on the end-users of the reports. changes in the principal subject.UNIVERSITY OF CALIFORNIA INTERNAL AUDIT MANUAL 7300 Communications and Reporting .

For audit investigations requiring notice to the Senior Vice President-Business and Finance, a draft investigation report shall be sent to the University Auditor’s Office for comment prior to the issuance of a final report. The draft should be provided before findings, conclusions and recommendations have been finally communicated to management or others so as not to preclude meaningful editorial review or opportunity for changes to the draft report. All final investigation reports or a closing memorandum shall be distributed to the University Auditor at the completion of an investigation, regardless of previous reporting requirements.

Report Format

For purposes of formal reporting, it is expected that there will normally be both an executive summary and a detailed section of the report unless the case is so simple that such a breakdown would not be warranted. Matters dealing with the allegations or theories of improper acts should either be in a separate report from one dealing with control issues or they should be in a separate section. Principal allegations should be dealt with and concluded upon individually. Secondary allegations, which are those dependent on the principal ones for veracity or relevance, may be addressed within the principal allegation to which they are related.

Report Elements

Each report must contain certain elements no matter what type of report is issued. These elements are:

Predicate - The reason for initiating an investigation.

Hypothesis/Allegation - What must be sustained or not sustained by the investigation or preliminary evaluation.

Methodology - The method used to gather and analyze evidence.

Report Elements (cont'd)

Analysis - The reasoning that connects the methodology and evidence to support the conclusion. In memo and summary reports this section can be abbreviated, but must be sufficient enough to enable an uninformed, independent party to reach the same conclusion as that of the investigator. In reports that are intended for direct use by counsel or a DA it may include virtually all of what would be considered the evidentiary workpapers.

Conclusion - There are two overall types of conclusions: either the allegations are sustained or the allegations are not sustained.

A. If the allegations are sustained, the conclusion should state so, in a factual manner. In matters of policy one should state that a violation of policy occurred. In matters of litigation or criminality however, one should avoid making a legal conclusion. For example, one should avoid saying that "the employee is guilty of embezzlement." Rather the report should state something like "the subject is responsible for a loss of $X million and the case has been turned over to the DA for possible criminal charges."

B. If the allegations are not sustained there are two main types of situations.

1. In a situation wherein the investigator simply does not have the evidence to sustain an allegation, but suspicions cannot be put to rest, the report should say that there is not sufficient evidence to conclude on the allegations.

2. There may also be situations wherein the suspicions are put to rest or the allegations are affirmatively proven to lack merit. In these cases the conclusion should state that fact.

Report Distribution

Investigation reports are a special purpose type of audit report. Accordingly, all normal draft and final report distribution policies and practices, including copies to OP are applicable. Care should be taken to ensure that the addressee is at an appropriately high level of management. In addition, certain special report distribution considerations may exist.

Subject - Unless there are reasons to withhold the report from the subject such as in the case of certain criminal matters where the police investigation is not complete, subjects should be included on the distribution of audit investigative reports. This does not relieve the investigator of the responsibility to review material facts of the case with the subject.

Whistleblower - Unless there are significant reasons to withhold the report from the original whistleblower(s), the whistleblowers should be given a copy of the final report. However, care should be exercised not to break any confidentiality in such a distribution.

8000 ADVISORY SERVICES

CONTENTS

SECTION 8000 ADVISORY SERVICES

8100 Advisory Services Overview
     Definition
     Inclusion in the Audit Plan
     Use in Risk Assessment
     Service Limitations
     Disclosure of Impairments

8200 Planning an Advisory Services Engagement
     Communication with the Client
     Advisory Services Work Plan Development
     Documentation

8300 Conducting an Advisory Services Engagement
     Supervision
     Workpaper Documentation
     Workpaper Review

8400 Reporting Results of an Advisory Services Engagement
     Written Report Elements
     Oral Report Elements
     Advisory Services Report Quality Assurance
     Report Timeliness
     Management Responses
     Report Distribution
     Significant Internal Control Concerns

8500 Performing Follow-up for Advisory Services

8600 Other Advisory Services Matters
     Record Retention
     Client Feedback

8100 Advisory Services Overview

Policy

.01 Internal Audit should perform advisory services in a manner consistent with its charter.

.02 Policies for the types of advisory services engagements which are performed, and issues concerning objectivity and independence are discussed in this section.

Application of UC Policy

Definition

Advisory services are defined as activities designed to mitigate risk, improve operations, and/or assist management in achieving its business objectives, in which the nature and scope of the engagements are agreed upon with the client. Examples include informational resources, counsel, advice, facilitation, process design, and training.

Inclusion in Audit Plan

Advisory services engagements should be accepted when the engagement’s objectives are consistent with the current or prospective values and goals of the University. Internal Audit’s annual plan of engagements should include anticipated advisory services. Specific engagements that have been accepted should be included in the Annual Audit Plan along with unallocated hours for non-specified but anticipated advisory services projects.

Use in Risk Assessment

The audit planning process may include consideration of advisory services engagements to address areas considered high risk. Internal auditors should incorporate knowledge of risks gained in advisory service engagements into the process of identifying and evaluating significant risk exposures of the organization.

Service Limitations

The Audit Director/Manager should refrain from providing advisory services for engagements where they feel that the audit staff cannot be objective. Further, if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement, the Audit Director/Manager should decline to perform the engagement or should obtain the necessary competence either through internal or external sources.

Disclosure of Impairments

Disclosure of potential impairments to independence and objectivity should be made to the engagement client prior to accepting the engagement.

Exceptions to Policy

In most cases, advisory services engagements will be treated in accordance with this policy. However, the requirements for an advisory services plan, notification to the engagement client, workpapers, and a formal report may be waived by the local Audit Director for fairly informal consultations such as brief telephone conversations or individual committee meetings involving limited scope contact with an audit client.

8200 Planning an Advisory Services Engagement

Policy

.01 In most cases, Internal Audit should develop and record a plan for advisory services engagements. Documentation of these planning activities is also required.

.02 Adequate engagement planning requires that the advisory service auditor establish an appropriate scope that addresses client concerns and relevant business risks, develop an advisory services plan, obtain the approval of the Associate Director/Manager and Director, and communicate with the client.

Application of UC Policy for Planning

Communication with the Client

Preliminary Scope and Objectives - The review timing and preliminary engagement objectives should be mutually agreed to with the client in advance of the beginning of fieldwork.

Notification – Internal Audit management or its designate should notify appropriate parties and organizations concerning management’s and audit’s mutual agreement to perform a review. For larger engagements requiring more than forty hours, notification should generally be sent via written memo or e-mail to the engagement client with copies to senior officials as appropriate. For smaller engagements requiring less than forty hours, notification may be informal.

Entrance Conference – For larger engagements, an entrance conference should normally be conducted with the client in order to reach mutual agreement on the scope, objectives, timing, and reporting of the review. The following individuals should be invited and encouraged to attend the meeting:

• Management and their invitees responsible for the area under review
• In-charge advisory service auditor
• Internal audit director, for all high-risk advisory service engagements

Advisory Services Work Plan Development

Overview - The advisory service auditor-in-charge should obtain and review relevant information about the advisory services area being reviewed that may include but are not limited to the following:

• Objectives and goals
• Policies, plans, procedures, laws, regulations and contracts having significant impact on operations
• Organizational information, such as number and names of employees, job descriptions, process flowcharts, details about recent changes, etc.
• Budget information, operating results and financial data
• Results of prior reviews (including reports of external auditors and other external parties), correspondence files and relevant authoritative and technical literature

Risk Assessment - As part of planning for the engagement, the advisory service auditor should address risk consistent with the engagement’s objectives and should be alert to additional significant risks. The possibility of fraud should be considered in the preliminary assessment of risk related to the engagement. Various tools and techniques useful for audit engagements may also be useful for advisory services, such as flowcharts, questionnaires, and interviews or other inquiries, in order to identify key controls and gain an understanding of the related risk.

Advisory Services Work Plan – Work plans for advisory service engagements should vary in form and content depending upon the nature of the engagement. In general, an advisory services work plan should be prepared in advance of field work and should outline:

• Objectives of the engagement
• Scope and degree of testing required to achieve the objectives in each phase of the review
• Procedures for collecting, analyzing, interpreting and documenting information during the review
• Technical aspects, risks, processes and transactions which should be examined

Documentation

Documentation to evidence the planning procedures should include:

• A record of mutual agreement with the engagement client of the procedures to be performed. This may take the form of an engagement letter or other communication.
• For larger engagements requiring over 40 hours, assignment sheet/workplan with scope, purpose, objectives, timing, budget, and client contacts, signed by the Associate Director/Manager and Director

8300 Conducting an Advisory Services Engagement

Policy

.01 Internal Audit maintains adequate workpaper documentation to support the advisory services conclusions reached. Every engagement is properly supervised to ensure that advisory service audit staff are adequately guided and have the requisite knowledge and skills to meet the engagement objectives.

.02 Conducting advisory services involves examining, evaluating and documenting the information pertinent to the area under review in order to support review results. Supervision and workpaper documentation and review throughout the advisory services process ensures goals, risks and observations are addressed and resolved. Due professional care is exercised by considering the:

• Expressed expectations of engagement clients, including the nature, timing, and communication of engagement results
• Relative complexity and extent of work needed to achieve the engagement’s objectives
• Cost of the advisory services engagement in relation to the potential benefits.

Application of UC Policy for Conducting an Advisory Services Engagement

Supervision

Communication – The supervisor should communicate the goals and objectives, risks and other relevant information to the advisory service auditor-in-charge in order to provide the guidance and understanding necessary to conduct a high quality engagement. The Supervisor and staff should maintain regular communication throughout the advisory services engagement to ensure risks, observations, and conclusions are adequately addressed and resolved.

Workpaper Documentation

Purpose - The workpaper file documents the work the advisory service auditor has done. The workpapers serve as the connecting link between the work performed by the advisory service auditor and the final report. Workpapers contain the work plan, objectives, fieldwork and other documents relating to the review. Advisory services objectives and other relevant information should be documented.

Workpaper Documentation (cont’d)

Contents - Workpapers may include the work plan along with documentation supporting interviews, analyses and conclusions reached.

Format – Advisory services engagement workpapers may be in any form prescribed by audit management (paper, tapes, diskettes, etc.). If workpapers are in a form other than paper, appropriate backup procedures should be developed and followed. Policies and Procedures for Electronic Workpapers are included in Section 6500.

Workpaper Review

All workpapers should be independently reviewed to ensure there is sufficient evidence to support conclusions and that advisory services objectives have been met. All changes to the scope or advisory services work plan should be documented and approved by the Associate Director/Manager and/or Director. Responsibilities for workpaper review are summarized as follows:

Manager’s Responsibilities - The supervisor of the advisory service auditor-in-charge should perform a detailed review of the workpapers. The Associate Director/Manager should also review and approve all changes to the scope of the engagement and the approved advisory services work plan.

Director’s Responsibilities - For each larger advisory services engagement, the Director should perform at least a summary review. A summary review consists of a review of planning documents, the work plan, and the summary of observations and conclusions. The Director should perform a detailed review of any workpapers that have not been subjected to a detailed review by the Associate Director/Manager or have been prepared by the Associate Director/Manager. The Director should review and approve significant changes to the scope of the engagement and to the approved advisory services work plan.

Workpaper Review (cont’d)

If a detailed review of the workpapers has not been performed (as in the case where the advisory service auditor-in-charge reports directly to the Director), the Director performs the detailed review and no summary review is required. If the Director prepares the workpapers, the Associate Director/Manager or, if there is no Associate Director/Manager, another experienced member of the staff should review the workpapers.

Timing and extent of review - The level and frequency of review and communication during an advisory services engagement depends upon the experience of the assigned staff and the risk associated with the review. Workpapers should be signed off and dated by the preparer and the reviewer.

8400 Reporting Results of an Advisory Services Engagement

Policy

.01 Internal Audit maintains a process for communicating the results and recommendations for all advisory services engagements to the management requesting the services.

.02 Communication of the progress and results of advisory services engagements should be tailored to meet the needs of engagement clients. The process for reporting results generally includes draft report preparation and reviews, quality assurance reviews and final report issuance and distribution.

Application of UC Policy for Reporting Results

Written Report Elements

Reports can be issued in a variety of formats. The form and content of such reports may vary depending on the nature of the engagement and the services requested. In drafting an advisory services report, the advisory service auditor should consider whether the inclusion of any and all traditional audit report elements such as purpose, scope, background, summary, and observation statements would be useful to management.

Oral Report Elements

In some circumstances, with the agreement of the Audit Director/Manager, advisory services results may be communicated orally. In these cases, presentations should be reviewed in advance with the Audit Director/Manager. In these cases, the workpapers should contain a record of communications with the client.

Advisory Services Report Quality Assurance

For larger advisory services projects, a pre-issuance quality assurance review of draft and final written reports should normally be performed by the advisory service auditor-in-charge of the engagement or an independent party and be reviewed by the Associate Director/Manager or Director. All results should be reviewed with management prior to being placed in final format to assure that management’s needs and expectations have been met. The Director should review and approve the final report prior to issuance. Policies and Procedures for Quality Assurance report reviews are included in Section 6500.

Report Timeliness

Written and oral reports should be issued as soon as practical following the completion of advisory services work.

Management Responses

A management response to an advisory services engagement is not required.

Report Distribution

Written advisory services reports should be addressed to the management requesting the services. In addition:

• Information copies should be provided to the University Auditor as well as the person to whom the Audit Director/Manager reports locally.
• Other University and Laboratory officials should receive reports on a need-to-know basis, as determined by the Audit Director.
• Other University personnel may receive a report copy, at the discretion of the Audit Director in consultation with client management and other University/laboratory officials as deemed appropriate.

When reports are distributed by electronic means, a hard copy version signed by the director should be kept on file.

Significant Internal Control Concerns

Significant internal control concerns coming to the attention of the advisory service auditor during the course of the advisory services engagement should be communicated in writing by Internal Audit to appropriate laboratory/campus personnel who can ensure that the results are given due consideration. These concerns should also be communicated to the University Auditor.

8500 Performing Follow-up for Advisory Services

Follow-Up Policy and Procedures

The advisory service auditor should conduct follow-up only in instances where the advisory services client requests that follow-up be performed, or where significant internal control concerns have come to the attention of the advisory service auditor during the course of the engagement. In these cases, normal follow-up procedures described in Section 6400 should be followed.

8600 Other Advisory Services Matters

Policy

.01 Internal Audit maintains policies for managing administrative and other matters related to the advisory service process in order to facilitate the continuing effective and efficient operation of its function.

.02 Policies for the following other advisory services matters are described in this section: records retention and client satisfaction surveys.

Application of UC Policy for Other Advisory Services Matters

Records Retention

Advisory service projects are considered audit work products for records retention purposes. See related information on records retention in Section 6500.

Client Surveys

For advisory services projects requiring over forty hours to complete, client surveys should be processed. See related information on client surveys in Section 6500.

9000 QUALITY ASSURANCE

Section Overview

.01 This Section of the manual describes the quality assurance processes practiced by Internal Audit at the University of California to ensure that audit work conforms to IIA and University standards. It includes standards for local as well as system-wide quality assurance processes.

9100 Quality Assurance Processes at the Local Level

Policy

.01 Each local Internal Audit department maintains a quality assurance program in order to assist in effectively performing its appraisal function and in controlling audit risk. The local quality assurance program provides reasonable assurance that audit work conforms to IIA and University standards.

.02 The local quality assurance program consists of supervisory procedures and internal reviews. These elements of quality assurance are embedded into Internal Audit’s processes rather than existing as separate processes. Policies and Procedures for the system-wide Quality Assurance Program are included in Section 9200.

Application of UC Policy for Local Quality Assurance

Supervision

Supervision is performed throughout the audit process. Supervision ensures that staff members receive the appropriate guidance to perform the audit work in a quality manner. Supervision Policies and Procedures are included in Section 6200.

Internal Reviews

Pre-report issuance internal reviews ensure that audit work has been performed completely, accurately, in accordance with the audit program and that findings are adequately supported by evidence included in the workpapers. Pre-report issuance quality assurance requirements are embedded within the audit process policies included in Section 6000.

The post-report issuance internal review provides assurance that workpapers are complete and meet Internal Audit Department policies. The internal auditor should complete the Pre-filing Checklist included as Appendix 31 to this section or a locally-developed equivalent to evidence compliance with this policy.

Client Satisfaction Surveys are another element of the Internal Audit Department’s post-report issuance quality assurance program. They seek the client’s perspective on the quality of services delivered by members of the audit department. Policies and Procedures for Client Satisfaction Surveys are included at Section 6500.

9100 Appendix 31 - Quality Assurance Processes at the Local Level

UNIVERSITY OF CALIFORNIA INTERNAL AUDIT DEPARTMENT
PRE-FILING REVIEW CHECKLIST

Audit __________________________________________

Pre-filing review conducted by ______________________________ Date ______________

Standard          W/P Ref.          Yes          N/A

1. Workpapers contain the following:
• Audit assignment sheet with time budget and milestone dates
• Audit announcement letter
• Entrance conference notes
• Risk assessment/audit survey results
• Audit programs approved by the manager and/or director
• Exit conference notes
• Budget to actual variance analysis for material time and milestone variances
• Summary of findings
• Final report, cross-reference to findings
• Attestation statements signed by the:
  − auditor
  − manager
  − director

2. Workpapers were:
• Cross-referenced from the audit program.
• Signed off by the preparer and reviewer.

3. Coaching notes have been removed from the workpapers.

4. All versions of draft audit reports have been removed from the workpapers.

5. Extraneous materials have been removed from the workpapers.

9200 System-wide Quality Assurance Program

Policy

.01 Internal Audit maintains a system-wide Quality Assurance Program in order to assist in effectively performing its appraisal function and in controlling audit risk. The Quality Assurance Program provides reasonable assurance that audit work conforms to both IIA and University standards.

.02 The system-wide Quality Assurance Program consists of peer reviews and external quality assurance reviews. Policies and Procedures for local quality assurance activities are included in Section 9100.

Application of UC Policy for System-wide Quality Assurance

Peer Review Program

The Peer Review Program reviews all local campus/lab audit organizations over a three to five year period. The review is performed in accordance with the UC Quality Assurance Manual. More information on the UC Quality Assurance Manual is included in Section 9300. Peer review teams are comprised of Directors from other campuses/labs, as needed to staff the review team.

The three UC labs are operated under contract with the Department of Energy (DOE), which requires that they participate in the DOE Management and Operating Contractor Peer Review Program. Under this Program, the Internal Audit Departments at each of the UC labs must undergo a peer review on a three-year cycle. Peer review teams for the labs are comprised of at least one Director from another UC lab and auditors from other DOE contractors.

External Quality Assurance Review

An External Quality Assurance Review is conducted once every five to seven years by a team of audit professionals from outside the University. The team reviews the overall system-wide University audit program.

9300 Quality Assurance Review Manual

Policy

.01 Internal Audit maintains a system-wide Quality Assurance Review Manual. The Manual serves as the basis for the work performed by peer review teams in connection with the Systemwide Peer Review Program. The UC Quality Assurance Review Manual can be located at the University Auditor's website.
