The Role of Internal Audit

CSU management is responsible and held accountable for assuring adequate internal controls are in place and operating effectively and efficiently.   Internal Audit’s fiduciary responsibility, as defined in the “Standards for the Professional Practice of Internal Auditing” published by the Institute of Internal Auditors (IIA) is to review, verify and assess that internal control adequately protects the interests of the University and its constituents.  In addition, our responsibility extends into areas where opportunity exists to facilitate the improvement of internal control.  Internal Auditing fulfills its role in many ways, which are described in this document (click on "Role" to see a graphical representation of our role).  Our primary role has not changed over time, however, our methods to achieve results have changed considerably.

All the work we perform is based upon the relative risk of an activity and its potential exposure to the University.  This exposure can be in areas such as fraud, loss, errors, inefficiency, non-compliance with the law and/or ineffective operations.  Once an area of risk is identified, our approach will vary.  We use different tools for different issues, all of which are focused on reducing risk and improving efficiency and effectiveness.   

We use global networks to assess business risks and to identify areas of Internal Auditing activity on a global basis, in effect, organizing ourselves according to the structure of our client organizations.  Internal Audit maintains contact with client organizations to establish a current risk profile and to determine the most effective way to address internal control risks.

In order to help CSU meet future challenges, Internal Auditing’s approach must be active in facilitating business performance while maintaining and/or improving internal control.  The Detection and Opportunity quadrant activities correct internal control and business performance deficiencies by focusing on current state issues, while prevention and solution activities are more forward looking.

Prevention and solution activities are ways to reduce existing as well as future risks and lead to effective and efficient internal control.  By using tools such as System Development Reviews, Internal Control Education, Self Assessment and others, Internal Auditing adds considerable shareholder value to the business process before risks directly affect business performance.  In this way, Internal Audit enables each business and/or function to reach peak performance and helps optimize performance over time.

Internal Auditing uses a variety of tools, all of which are focused on improving internal control by reducing risk, improving efficiency and effectiveness and/or insuring compliance with the law. Internal audit offers a variety of services as detailed below:

System Development Review (SDR) - System Development reviews are conducted as part of the prevention quadrant of Internal Auditing’s process. An SDR promotes the inclusion of cost effective controls into systems prior to implementation and assures that the controls will operate as intended when implemented.

Business Process Improvement (BPI) - Internal Auditing may initiate or participate in internal control related business process improvement activities.  BPI is used to identify and minimize control deficiencies in business processes and is designed to assist CSU in making process changes that result in strengthened internal control and optimal performance.

Internal Control Education - This offering assists CSU by preparing and performing training sessions in an effort to reduce risks and increase internalcontrol awareness.  Internal Audit gains an enhanced understanding of the business value of internal control and business ethics and applies this to training methodologies.  Instructional sessions may be conducted by Internal Auditing or by the client with Internal Auditing support.

Internal Control Assessment - This product provides the client with an overall opinion or assessment of the current state of internal control and future risks.  Internal control assessments are conducted periodically on a corporate, regional, business unit and functional basis.

Consulting - This is an Internal Auditing activity normally provided in response to a request from management.  It is designed to provide expertise in the resolution of internal control issues.  Consulting may involve answering questions, developing solutions to problems, recommending courses of action and/or formulating an opinion.  Consulting may also involve the review of proposed procedures for internal control content.

Self Assessment - Self assessments are performed by the client based upon a framework to be provided by Internal Auditing. Internal Auditing will be an active participant in self assessment activities which involve an assessment of risk and control activities within the business and/or function under review.

Process Audits - Internal Auditing undertakes comprehensive analyses and appraisals of all phases of business activities and provides management appropriate recommendations concerning the activities reviewed.  The product includes business process audits which appraise the adequacy and efficiency of accounting, financial and operating controls; information system audits which focus on technical IS audit activities, system development and application reviews, reviews of emerging technology; and, new site reviews which occur in the early stages of start-up operations, joint ventures or acquisiitons to ensure that cost-effective internal control is in place.

Investigations - This service provides CSU with an independent review of facts and circumstances surrounding an event or series of events and presents recommendations to management for appropriate resolution/action.  Investigations are often associated with known or suspected wrong doing, waste, fraud, abuse of University assets, other business ethics violations and/or serious mismanagement.

For additional information, please see the Role of Internal Audit presentation to Fiscal Officers and the President's Executive Council.