Audit & Advisory Services

Audit & Advisory Services (A&AS) provides internal audit and consulting services to San Francisco State University and its auxiliary organizations, assists in coordinating visits of outside auditors, and acts as a liaison between management and auditors. A&AS conducts and reports to management on reviews of internal controls in the following categories: operational, compliance, and financial reporting. 

The Audit Charter is a formal document that describes the purpose, rights, obligations, reporting structure, authority, and responsibility of Audit & Advisory Services (A&AS). The Charter also defines others' responsibility for providing access and cooperation during audits or other reviews.

For more information, please review the Audit Charter.

What are internal controls? 

Internal control consists of five interrelated components.

  1. Control environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the University. 
  2. Risk assessment: Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed.
  3. Control activities: Control activities are the policies and procedures that help ensure management directives are carried out. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
  4. Information and Communication: Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities. Information systems produce reports containing operational, financial and compliance-related information that make it possible to run and control the organization. Effective communication also must occur in a broader sense, flowing down, across and up the organization.
  5. Monitoring: Internal control systems need to be monitored - a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the President.

Why are internal controls important?

Internal controls are designed to provide reasonable assurance regarding the achievement of objectives in the following categories:     

  • Safeguarding of assets
  • Compliance with applicable laws and regulations
  • Accomplishing objectives and goals
  • Reliability and integrity of financial reporting
  • Economic and efficient use of resources

Audit Process

The audit process provides security and credibility to the campus, aligns it with the CSU’s strategic objectives, and exposes it to less risk. Although each audit is unique, the typical audit process consists of the following steps: initiation, field work, exit conference, reporting, and follow-up. For the process to be successful and effective, collaborative effort and clear communication are required between the auditor and campus management and personnel.

CSU's Office of Audit and Advisory Services:

The Office of Audit and Advisory Services (OAAS) works with CSU campuses and Office of the Chancellor executive management to identify high-risk areas within the CSU system, and creates an annual audit plan using a risk assessment methodology. OAAS conducts the following audit types: Auxiliary Organizations, Delegations of Authority, Construction, Special Investigations, and Subject Areas (e.g., sensitive data, international programs, financial aid, student health centers, risk management and insurance, credit cards, athletics administration, police services, lottery funds, contracts and grants, facilities management, etc.).

SFSU's Audit & Advisory Services:

  • The role of SFSU's Audit & Advisory Services (A&AS) in the process is to facilitate the audit initiation and to coordinate with campus management. It is management’s responsibility to comply with the deliverables and deadlines stated to them by OAAS.
  • SFSU’s audit team does not write the campus response to the recommendations in the draft report, nor any follow-up reporting responses, as these are the duties of the audited department. If deadlines for reporting to the OAAS are not met, A&AS must escalate this to the Vice President of Administration and Finance and/or the University President as needed.

| Step | Description |
| --- | --- |
| Audit Announcement | Planned audit start dates for the most recent 12 weeks are provided at Chief Administrators and Business Officers (CABO) meetings. The assigned OAAS audit manager contacts the campus audit contact (i.e., A&AS) normally 6-8 weeks prior to the audit start date to formally announce the audit. |
| Internal Control Questionnaire and Request For Documents (ICQRFD) | An ICQRFD is typically included with the audit announcement. The campus audit contact is requested to work with the affected parties to complete the ICQRFD, and to submit the completed ICQ and all the requested documents to A&AS one (1) week prior to the OAAS auditor arriving on campus, unless otherwise requested. |
| Entrance Letter | An entrance letter is sent to the campus president about two (2) weeks before the audit start date to provide some background information for the review. |

| Step | Description |
| --- | --- |
| Audit Fieldwork | The OAAS auditor visits the campus to complete the audit program, which normally takes about 3-5 weeks depending on the nature of the audit subject. |
| Audit Entrance Conference | The audit entrance conference takes place the first day the OAAS auditor is on campus. Representatives from the affected area(s) are invited, and the OAAS auditor outlines audit objectives, approximate time schedules, types of audit tests, and the audit report process. |
| Weekly Status Meeting | Representatives from the affected area(s) are invited, and the OAAS auditor discusses any potential audit observations and outstanding document requests. This allows the campus parties to discuss or clarify issues before they become audit observations and helps keep the audit on schedule. |
| Informal Exit Conference | The informal exit conference takes place on the last day the OAAS auditor is on campus. The division VP or designee and representatives from the affected parties are invited. The OAAS auditor discusses the observations and answers any questions. The campus still has an opportunity to provide more information if it disagrees with any of the observations. |

| Step | Description |
| --- | --- |
| Preliminary Draft Report | OAAS issues a preliminary draft report 4-8 weeks after the audit fieldwork. The campus has seven (7) days to review and propose any changes to the draft report and exercise the option to forgo the formal exit conference. The assigned OAAS Assistant Vice Chancellor and Audit Manager review the proposed changes, seek concurrence from the Vice Chancellor and Chief Audit Officer (VCCAO), and either accept (all or partial) or deny the changes or propose alternate text. The campus can then immediately review the preliminary draft again until an agreement is reached. |
| Formal Exit Conference | If no agreement can be reached for the preliminary draft report, the campus can request a formal exit conference to discuss the audit results with the VCCAO. |
| Incomplete Draft Report | OAAS issues an incomplete draft report once an agreement has been reached on the preliminary draft report. The campus has 15 days to submit a management response and corrective action plan with a time estimate for completion for each observation. |
| Acceptance of Audit Report and Clearance of Recommendation | After OAAS accepts the management response, the campus needs to submit appropriate documentation to support completion of the corrective action in accordance with the estimated timeline provided in the management response (normally within six (6) months of the report date). Once OAAS accepts the campus supporting documentation, the recommendations will be cleared and the audit is complete. |

Audit Reports for SF State

| Name of Audit | Responsible Department | Status |
| --- | --- | --- |
| Associated Students | Associated Students | Completed on May 23, 2022 |
| Decentralized Computing | Advancement Services; Associated Students; College of Health & Social Sciences; Disability Programs and Resource Center; Graduate College of Education; Library Administration | Ongoing |