Audit & Advisory Services (A&AS) provides internal audit and consulting services to San Francisco State University and its auxiliary organizations, assists in coordinating visits of outside auditors, and acts as a liaison between management and auditors. A&AS conducts and reports to management on reviews of internal controls in the following categories: operational, compliance, and financial reporting.
The Audit Charter is a formal document that describes the purpose, rights, obligation, reporting structure, and authority and responsibility of Audit & Advisory Services (A&AS). The Charter also defines others' responsibility for providing access and cooperation during audits or other reviews.
For more information, please review the Audit Charter.
|What are internal controls?||
Internal control consists of five interrelated components.
|Why are internal controls important?||
Internal controls are designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
The audit process provides security and credibility to the campus and aligns it with the CSU’s strategic objectives and exposes it to less risk. Although each audit is unique, the typical audit process consists of the following steps: initiation, field work, exit conference, reporting, and follow-up. For the process to be successful and effective, collaborative effort and clear communication is required between the auditor and campus management and personnel.
CSU's Office of Audit and Advisory Services:
The Office of Audit and Advisory Services (OAAS) works with CSU campuses and Office of the Chancellor executive management to identify high-risk areas within the CSU system, and creates an annual audit plan using a risk assessment methodology. OAAS conducts the following audit types: Auxiliary Organizations, Delegations of Authority, Construction, Special Investigations, and Subject Areas (i.e., sensitive data, international programs, financial aid, student health centers, risk managements and insurance, credit cards, athletics administration, police services, lottery funds, contract and grants, facilities management, etc.).
SFSU's Audit & Advisory Services:
- SFSU's Audit & Advisory Services (A&AS)’s role in the process is to facilitate the audit initiation, and to coordinate with campus management. It is management’s responsibility to comply with the deliverables and deadlines stated to them by OAAS.
- SFSU’s audit team does not write the campus response to the recommendations in the draft report, nor any follow-up reporting responses, as these are the duties of the audited department. If deadlines for reporting to the OAAS are not met, A&AS must escalate this to the Vice President of Administration and Finance and/or the University President as needed.
|Audit Announcement||Planned audit start dates for the most recent 12-weeks are provided at Chief Administrators and Business Officers (CABO) meetings. The assigned OAAS audit manager contacts the campus audit contact (i.e., A&AS) normally 6 - 8 weeks prior to the audit start date to formally announce the audit.|
|Internal Control Questionnaire and Request For Documents (ICQRFD)||An ICQRFD is typically included with the audit announcement. The campus audit contact is requested to work with the affected parties to complete the ICQRFD and to submit the completed ICQ and provide all the requested documents to A&AS one (1) week prior to the OAAS auditor arriving on campus, unless otherwise requested.|
|Entrance Letter||An entrance letter is sent to the campus president about two (2) weeks before the audit start date to provide some background information for the review.|
|Audit Fieldwork||The OAAS auditor visits the campus to complete the audit program, which normally takes about 3 - 5 weeks depending on the nature of the audit subject.|
|Audit Entrance Conference||The audit entrance conference takes place the first day the OAAS auditor is on campus. Representatives from the affected area(s) are invited, and the OAAS auditor outlines audit objectives, approximate time schedules, types of audit tests, and the audit report process.|
|Weekly Status Meeting||Representatives from the affected area(s) are invited, and the OAAS auditor discusses any potential audit observations and outstanding document requests. This allows the campus parties to discuss or clarify issues before they become audit observations and helps keep the audit on schedule.|
|Informal Exit Conference||The informal exit conference takes place on the last day the OAAS auditor is on campus. The division VP or designee and representatives from the affected parties are invited. The OAAS auditor discusses the observations and answers any questions. The campus still has an opportunity to provide more information if it disagrees with any of the observations.|
|Preliminary Draft Report||OAAS issues a preliminary draft report 4 - 8 weeks after the audit fieldwork. The campus has seven (7) days to review and propose any changes to the draft report and exercise the option to forgo the formal exit conference. The assigned OAAS Assistant Vice Chancellor and Audit Manager review the proposed changes, seeks concurrence from the Vice Chancellor and Chief Audit Officer (VCCAO), and either accepts (all or partial) or denies the changes or proposes alternate text. The campus can then immediately review the preliminary draft again until an agreement is reached.|
|Formal Exit Conference||If no agreement can be reached for the preliminary draft report, the campus can request a formal exit conference to discuss the audit results with the VCCAO.|
|Incomplete Draft Report||OAAS issues an incomplete draft report once an agreement has been reached on the preliminary draft report. The campus has 15 days to submit a management response and corrective action plan with a time estimate for completion for each observation.|
|Acceptance of Audit Report and Clearance of Recommendation||After OAAS accepts the management response, the campus needs to submit appropriate documentation to support completion of the corrective action in accordance with the estimated timeline provided in the management response (normally within six (6) months of the report date). Once OAAS accepts the campus supporting documentation, the recommendations will be cleared and the audit is complete.|
Audit Reports for SF State
|Name of Audit||Responsible Department||Timeline||Objective|
For more information, please visit the CSU's Internal Audit Reports page.