Audit Services provides internal audit and consulting services to San Francisco State University and its auxiliary organizations, assists in coordinating visits of outside auditors, and acts as a liaison between management and auditors. Audit Services conducts and reports to management on reviews of internal controls in the following categories: operational, compliance, and financial reporting.
The Audit Charter is a formal document that describes the purpose, rights, obligations, reporting structure, and authority and responsibility of Audit Services. The Charter also defines departments' responsibility for providing access and cooperation during audits or other reviews.
For more information, please review the Audit Charter.
Title | Description |
What are internal controls? |
Internal control consists of five interrelated components.
|
Why are internal controls important? |
Internal controls are designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
|
For more information, please visit the CSU's Internal Controls page.
Audit Process
The audit process provides security and credibility to the campus and aligns with the CSU’s strategic objectives while reducing its exposure to risk. Although each audit is unique, the typical audit process consists of the following steps: initiation, fieldwork, exit conference, reporting, and follow-up. To ensure a successful and effective process, collaborative effort and clear communication are required between the auditor and campus management and personnel.
CSU's Office of Audit and Advisory Services:
The Office of Audit and Advisory Services (AAS) works with CSU campuses and the Office of the Chancellor executive management to identify high-risk areas within the CSU system and creates an annual audit plan using a risk assessment methodology. AAS conducts the following audit types: Auxiliary Organizations, Delegations of Authority, Construction, Special Investigations, and Subject Areas (i.e., sensitive data, international programs, financial aid, student health centers, risk management, and insurance, credit cards, athletics administration, police services, lottery funds, contract and grants, facilities management, etc.).
SF States' Audit Services:
- SF State's Audit Services role in the process is facilitating the audit initiation and coordinating with campus management. It is the management’s responsibility to comply with the deliverables and deadlines stated to them by AAS.
- SF State’s audit team does not write the campus response to the recommendations in the draft report, nor any follow-up reporting responses, as these are the duties of the audited department. If deadlines for reporting to the AAS are not met, Audit Services must escalate this to the Vice President of Administration and Finance and/or the University President as needed.
Step | Description |
Audit Announcement | Planned audit start dates for the most recent 12-weeks are provided at Chief Administrators and Business Officers (CABO) meetings. The assigned AAS audit manager contacts the campus audit contact (i.e., Audit Services) normally 6 - 8 weeks prior to the audit start date to formally announce the audit. |
Internal Control Questionnaire and Request For Documents (ICQRFD) | An ICQRFD is typically included with the audit announcement. The campus audit contact is requested to work with the affected parties to complete the ICQRFD and to submit the completed ICQ and provide all the requested documents to Audit Services one (1) week prior to the AAS auditor arriving on campus, unless otherwise requested. |
Entrance Letter | An entrance letter is sent to the campus president about two (2) weeks before the audit start date to provide some background information for the review. |
Step | Description |
Audit Fieldwork | The AAS auditor visits the campus to complete the audit program, which normally takes about 3 - 5 weeks depending on the nature of the audit subject. |
Audit Entrance Conference | The audit entrance conference takes place the first day the AAS auditor is on campus. Representatives from the affected area(s) are invited, and the AAS auditor outlines audit objectives, approximate time schedules, types of audit tests, and the audit report process. |
Weekly Status Meeting | Representatives from the affected area(s) are invited, and the AAS auditor discusses any potential audit observations and outstanding document requests. This allows the campus parties to discuss or clarify issues before they become audit observations and helps keep the audit on schedule. |
Informal Exit Conference | The informal exit conference takes place on the last day the AAS auditor is on campus. The division VP or designee and representatives from the affected parties are invited. The AAS auditor discusses the observations and answers any questions. The campus still has an opportunity to provide more information if it disagrees with any of the observations. |
Step | Description |
Preliminary Draft Report | AAS issues a preliminary draft report 4 - 8 weeks after the audit fieldwork. The campus has seven (7) days to review and propose any changes to the draft report and exercise the option to forgo the formal exit conference. The assigned AAS Assistant Vice Chancellor and Audit Manager review the proposed changes, seeks concurrence from the Vice Chancellor and Chief Audit Officer (VCCAO), and either accepts (all or partial), denies the changes, or proposes alternate text. The campus can then immediately review the preliminary draft again until an agreement is reached. |
Formal Exit Conference | If there is no agreement for the preliminary draft report, the campus can request a formal exit conference to discuss the audit results with the VCCAO. |
Incomplete Draft Report | AAS issues an incomplete draft report once an agreement has been reached on the preliminary draft report. The campus has 15 days to submit a management response and corrective action plan with a time estimate for completion for each observation. |
Acceptance of Audit Report and Clearance of Recommendation | After AAS accepts the management response, the campus needs to submit appropriate documentation to support the completion of the corrective action in accordance with the estimated timeline provided in the management response (normally within six (6) months of the report date). Once AAS accepts the campus supporting documentation, the recommendations will be cleared and the audit is complete. |
On occasion, San Francisco State University or its constituents may receive notification of an audit/review/investigation by an outside entity from state and federal entities such as the State Auditor’s Office, State Controller’s Office, Department of Finance, National Institute of Health, and the National Science Foundation, among others (Please note, this does not apply to accreditation reviews). While ownership for handling and coordinating such an audit would remain with the campus and/or entity, the Audit and Advisory Services (AAS) should be informed of audits happening on campus to inform the Chancellor's Office since some audits may impact multiple campuses or have other systemwide implications. Additionally, AAS may be able to provide guidance and resources should there be a need. Please notify audit@sfsu.edu to inform of potential audit reviews and to request assistance.
For additional questions, concerns, or guidance please contact Jessica Perkinson, the Audit and Policy Coordinator for San Francisco State University.
Audit Reports for SF State
Name of Audit | Responsible Department | Status |
Police Services | University Police Department | Complete No observations for follow-up |
Information Security | Information Technology Services | Follow Up |
Supplier Administration and Payments | Financial Services | Announced |
For more information, please visit the CSU's Internal Audit Reports page.