CSU management is responsible and held accountable for assuring adequate internal
controls are in place and operating effectively and efficiently. Internal Audit’s
fiduciary responsibility, as defined in the “Standards for the Professional Practice
of Internal Auditing” published by the Institute of Internal Auditors (IIA), is to
review, verify and assess that internal control adequately protects the interests
of the University and its constituents. In addition, our responsibility extends into
areas where opportunity exists to facilitate the improvement of internal control.
Internal Auditing fulfills its role in many ways, which are described in this document
(click on "Role" to see a graphical representation of our role). Our primary role has not changed
over time; however, our methods to achieve results have changed considerably.
All the work we perform is based upon the relative risk of an activity and its potential
exposure to the University. This exposure can be in areas such as fraud, loss, errors,
inefficiency, non-compliance with the law and/or ineffective operations. Once an
area of risk is identified, our approach will vary. We use different tools for different
issues, all of which are focused on reducing risk and improving efficiency and effectiveness.
We use global networks to assess business risks and to identify areas of Internal
Auditing activity on a global basis, in effect, organizing ourselves according to
the structure of our client organizations. Internal Audit maintains contact with
client organizations to establish a current risk profile and to determine the most
effective way to address internal control risks.
In order to help CSU meet future challenges, Internal Auditing’s approach must be
active in facilitating business performance while maintaining and/or improving internal
control. The Detection and Opportunity quadrant activities correct internal control
and business performance deficiencies by focusing on current state issues, while prevention
and solution activities are more forward looking.
Prevention and solution activities are ways to reduce existing as well as future risks
and lead to effective and efficient internal control. By using tools such as System
Development Reviews, Internal Control Education, Self Assessment and others, Internal
Auditing adds considerable shareholder value to the business process before risks
directly affect business performance. In this way, Internal Audit enables each business
and/or function to reach peak performance and helps optimize performance over time.
Internal Auditing uses a variety of tools, all of which are focused on improving internal
control by reducing risk, improving efficiency and effectiveness and/or ensuring compliance
with the law. Internal audit offers a variety of services as detailed below:
System Development Review (SDR) - System Development Reviews are conducted as part of the prevention quadrant of Internal
Auditing’s process. An SDR promotes the inclusion of cost effective controls into
systems prior to implementation and assures that the controls will operate as intended.
Business Process Improvement (BPI) - Internal Auditing may initiate or participate in internal control related business
process improvement activities. BPI is used to identify and minimize control deficiencies
in business processes and is designed to assist CSU in making process changes that
result in strengthened internal control and optimal performance.
Internal Control Education - This offering assists CSU by preparing and performing training sessions in an effort
to reduce risks and increase internal control awareness. Internal Audit gains an enhanced
understanding of the business value of internal control and business ethics and applies
this to training methodologies. Instructional sessions may be conducted by Internal
Auditing or by the client with Internal Auditing support.
Internal Control Assessment - This product provides the client with an overall opinion or assessment of the current
state of internal control and future risks. Internal control assessments are conducted
periodically on a corporate, regional, business unit and functional basis.
Consulting - This is an Internal Auditing activity normally provided in response to a request
from management. It is designed to provide expertise in the resolution of internal
control issues. Consulting may involve answering questions, developing solutions
to problems, recommending courses of action and/or formulating an opinion. Consulting
may also involve the review of proposed procedures for internal control content.
Self Assessment - Self assessments are performed by the client based upon a framework to be provided
by Internal Auditing. Internal Auditing will be an active participant in self assessment
activities which involve an assessment of risk and control activities within the business
and/or function under review.
Process Audits - Internal Auditing undertakes comprehensive analyses and appraisals of all phases
of business activities and provides management appropriate recommendations concerning
the activities reviewed. The product includes business process audits which appraise
the adequacy and efficiency of accounting, financial and operating controls; information
system audits which focus on technical IS audit activities, system development and
application reviews, reviews of emerging technology; and, new site reviews which occur
in the early stages of start-up operations, joint ventures or acquisitions to ensure
that cost-effective internal control is in place.
Investigations - This service provides CSU with an independent review of facts and circumstances surrounding
an event or series of events and presents recommendations to management for appropriate
resolution/action. Investigations are often associated with known or suspected
wrongdoing, waste, fraud, abuse of University assets, other business ethics violations
and/or serious mismanagement.
For additional information, please see the Role of Internal Audit presentation to Fiscal Officers and the President's Executive Council.