Audit Services

Audit Services provides internal audit and consulting services to San Francisco State University and its auxiliary organizations, assists in coordinating visits of outside auditors, and acts as a liaison between management and auditors. Audit Services conducts and reports to management on reviews of internal controls in the following categories: operational, compliance, and financial reporting. 

The Audit Charter is a formal document that describes the purpose, rights, obligations, reporting structure, and authority and responsibility of Audit Services. The Charter also defines departments' responsibility for providing access and cooperation during audits or other reviews. 

For more information, please review the Audit Charter.

Title Description
What are internal controls? 

Internal control consists of five interrelated components.

  1. Control environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the University. 
  2. Risk assessment: Risk assessment is the identification and analysis of relevant risks to the achievement of the objectives, forming a basis for determining how the risks should be managed.
  3. Control activities: Control activities are the policies and procedures that help ensure management directives are carried out. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
  4. Information and Communication: Pertinent information must be identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the organization. Effective communication also must occur in a broader sense, flowing down, across, and up the organization.
  5. Monitoring: Internal control systems need to be monitored - a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Constant monitoring occurs in the course of operations. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the President.
Why are internal controls important? 

Internal controls are designed to provide reasonable assurance regarding the achievement of objectives in the following categories:     

  • Safeguarding of assets
  • Compliance with applicable laws and regulations.
  • Accomplishing objectives and goals
  • Reliability and integrity of financial reporting
  • Economic and efficient use of resources

For more information, please visit the CSU's Internal Controls page.

Audit Process

The audit process provides security and credibility to the campus and aligns it with the CSU’s strategic objectives and exposes it to less risk. Although each audit is unique, the typical audit process consists of the following steps: initiation, field work, exit conference, reporting, and follow-up. For the process to be successful and effective, collaborative effort and clear communication is required between the auditor and campus management and personnel.

CSU's Office of Audit and Advisory Services:

The Office of Audit and Advisory Services (AAS) works with CSU campuses and the Office of the Chancellor executive management to identify high-risk areas within the CSU system and creates an annual audit plan using a risk assessment methodology. AAS conducts the following audit types: Auxiliary Organizations, Delegations of Authority, Construction, Special Investigations, and Subject Areas (i.e., sensitive data, international programs, financial aid, student health centers, risk management, and insurance, credit cards, athletics administration, police services, lottery funds, contract and grants, facilities management, etc.).

SF States' Audit Services:

  • SF State's Audit Services role in the process is facilitating the audit initiation and coordinating with campus management. It is the management’s responsibility to comply with the deliverables and deadlines stated to them by AAS.
  • SF State’s audit team does not write the campus response to the recommendations in the draft report, nor any follow-up reporting responses, as these are the duties of the audited department. If deadlines for reporting to the AAS are not met, Audit Services must escalate this to the Vice President of Administration and Finance and/or the University President as needed.
Step Description
Audit Announcement Planned audit start dates for the most recent 12-weeks are provided at Chief Administrators and Business Officers (CABO) meetings. The assigned AAS audit manager contacts the campus audit contact (i.e., Audit Services) normally 6 - 8 weeks prior to the audit start date to formally announce the audit.
Internal Control Questionnaire and Request For Documents (ICQRFD) An ICQRFD is typically included with the audit announcement. The campus audit contact is requested to work with the affected parties to complete the ICQRFD and to submit the completed ICQ and provide all the requested documents to Audit Services one (1) week prior to the AAS auditor arriving on campus, unless otherwise requested.
Entrance Letter An entrance letter is sent to the campus president about two (2) weeks before the audit start date to provide some background information for the review.
Step Description
Audit Fieldwork The AAS auditor visits the campus to complete the audit program, which normally takes about 3 - 5 weeks depending on the nature of the audit subject.
Audit Entrance Conference The audit entrance conference takes place the first day the AAS auditor is on campus. Representatives from the affected area(s) are invited, and the AAS auditor outlines audit objectives, approximate time schedules, types of audit tests, and the audit report process.
Weekly Status Meeting Representatives from the affected area(s) are invited, and the AAS auditor discusses any potential audit observations and outstanding document requests. This allows the campus parties to discuss or clarify issues before they become audit observations and helps keep the audit on schedule.
Informal Exit Conference The informal exit conference takes place on the last day the AAS auditor is on campus. The division VP or designee and representatives from the affected parties are invited. The AAS auditor discusses the observations and answers any questions. The campus still has an opportunity to provide more information if it disagrees with any of the observations.
Step Description
Preliminary Draft Report AAS issues a preliminary draft report 4 - 8 weeks after the audit fieldwork. The campus has seven (7) days to review and propose any changes to the draft report and exercise the option to forgo the formal exit conference. The assigned AAS Assistant Vice Chancellor and Audit Manager review the proposed changes, seeks concurrence from the Vice Chancellor and Chief Audit Officer (VCCAO), and either accepts (all or partial), denies the changes, or proposes alternate text. The campus can then immediately review the preliminary draft again until an agreement is reached.
Formal Exit Conference If there is no agreement for the preliminary draft report, the campus can request a formal exit conference to discuss the audit results with the VCCAO.
Incomplete Draft Report AAS issues an incomplete draft report once an agreement has been reached on the preliminary draft report. The campus has 15 days to submit a management response and corrective action plan with a time estimate for completion for each observation.
Acceptance of Audit Report and Clearance of Recommendation After AAS accepts the management response, the campus needs to submit appropriate documentation to support the completion​ of the corrective action in accordance with the estimated timeline provided in the management response (normally within six (6) months of the report date). Once AAS accepts the campus supporting documentation, the recommendations will be cleared and the audit is complete.

On occasion, San Francisco State University or its constituents may receive notification of an audit/review/investigation by an outside entity from state and federal entities such as the State Auditor’s Office, State Controller’s Office, Department of Finance, National Institute of Health, and the National Science Foundation, among others (Please note, this does not apply to accreditation reviews). While ownership for handling and coordinating such an audit would remain with the campus and/or entity, the Audit and Advisory Services (AAS) should be informed of audits happening on campus to inform the Chancellor's Office since some audits may impact multiple campuses or have other systemwide implications. Additionally, AAS may be able to provide guidance and resources should there be a need. Please notify audit@sfsu.edu to inform of potential audit reviews and to request assistance.

For additional questions, concerns, or guidance please contact Jessica Perkinson, the Audit and Policy Coordinator for San Francisco State University.

Audit Reports for SF State