Audit Services provides internal audit and consulting services to San Francisco State University and its auxiliary organizations, assists in coordinating visits of outside auditors, and acts as a liaison between management and auditors. Audit Services conducts and reports to management on reviews of internal controls in the following categories: operational, compliance, and financial reporting.
Audit Reports for SF State
| Name of Audit | Responsible Department | Status |
| Software Licensing | Information Technology Services Academic Technology |
Announced |
For more information, please visit the CSU's Internal Audit Reports page.
Audit Process
The audit process provides security and credibility to the campus and aligns with the CSU’s strategic objectives while reducing its exposure to risk. Although each audit is unique, the typical audit process consists of the following steps: initiation, fieldwork, exit conference, reporting, and follow-up. To ensure a successful and effective process, collaborative effort and clear communication are required between the auditor and campus management and personnel.
CSU's Office of Audit and Advisory Services:
The Office of Audit and Advisory Services (AAS) works with CSU campuses and the Office of the Chancellor executive management to identify high-risk areas within the CSU system and creates an annual audit plan using a risk assessment methodology. AAS conducts the following audit types: Auxiliary Organizations, Delegations of Authority, Construction, Special Investigations, and Subject Areas (i.e., sensitive data, international programs, financial aid, student health centers, risk management, and insurance, credit cards, athletics administration, police services, lottery funds, contract and grants, facilities management, etc.).
SF States' Audit Services:
- SF State's Audit Services role in the process is facilitating the audit initiation and coordinating with campus management. It is the management’s responsibility to comply with the deliverables and deadlines stated to them by AAS.
- SF State’s audit team does not write the campus response to the recommendations in the draft report, nor any follow-up reporting responses, as these are the duties of the audited department. If deadlines for reporting to the AAS are not met, Audit Services must escalate this to the Vice President of Administration and Finance and/or the University President as needed.
| Title | Description |
| What are internal controls? |
Internal control consists of five interrelated components.
|
| Why are internal controls important? |
Internal controls are designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
|
| Step | Description |
| Audit Announcement | Planned audit start dates for the most recent 12-weeks are provided at Chief Administrators and Business Officers (CABO) meetings. The assigned AAS audit manager contacts the campus audit contact (i.e., Audit Services) normally 6 - 8 weeks prior to the audit start date to formally announce the audit. |
| Internal Control Questionnaire and Request For Documents (ICQRFD) | An ICQRFD is typically included with the audit announcement. The campus audit contact is requested to work with the affected parties to complete the ICQRFD and to submit the completed ICQ and provide all the requested documents to Audit Services one (1) week prior to the AAS auditor arriving on campus, unless otherwise requested. |
| Entrance Letter | An entrance letter is sent to the campus president about two (2) weeks before the audit start date to provide some background information for the review. |
| Step | Description |
| Audit Fieldwork | The AAS auditor visits the campus to complete the audit program, which normally takes about 3 - 5 weeks depending on the nature of the audit subject. |
| Audit Entrance Conference | The audit entrance conference takes place the first day the AAS auditor is on campus. Representatives from the affected area(s) are invited, and the AAS auditor outlines audit objectives, approximate time schedules, types of audit tests, and the audit report process. |
| Weekly Status Meeting | Representatives from the affected area(s) are invited, and the AAS auditor discusses any potential audit observations and outstanding document requests. This allows the campus parties to discuss or clarify issues before they become audit observations and helps keep the audit on schedule. |
| Informal Exit Conference | The informal exit conference takes place on the last day the AAS auditor is on campus. The division VP or designee and representatives from the affected parties are invited. The AAS auditor discusses the observations and answers any questions. The campus still has an opportunity to provide more information if it disagrees with any of the observations. |
| Step | Description |
| Preliminary Draft Report | AAS issues a preliminary draft report 4 - 8 weeks after the audit fieldwork. The campus has seven (7) days to review and propose any changes to the draft report and exercise the option to forgo the formal exit conference. The assigned AAS Assistant Vice Chancellor and Audit Manager review the proposed changes, seeks concurrence from the Vice Chancellor and Chief Audit Officer (VCCAO), and either accepts (all or partial), denies the changes, or proposes alternate text. The campus can then immediately review the preliminary draft again until an agreement is reached. |
| Formal Exit Conference | If there is no agreement for the preliminary draft report, the campus can request a formal exit conference to discuss the audit results with the VCCAO. |
| Incomplete Draft Report | AAS issues an incomplete draft report once an agreement has been reached on the preliminary draft report. The campus has 15 days to submit a management response and corrective action plan with a time estimate for completion for each observation. |
| Acceptance of Audit Report and Clearance of Recommendation | After AAS accepts the management response, the campus needs to submit appropriate documentation to support the completion of the corrective action in accordance with the estimated timeline provided in the management response (normally within six (6) months of the report date). Once AAS accepts the campus supporting documentation, the recommendations will be cleared and the audit is complete. |
Notification of External Audits
On occasion, San Francisco State University or its constituents may receive notification of an audit/review/investigation by an outside entity from state and federal entities such as the State Auditor’s Office, State Controller’s Office, Department of Finance, National Institute of Health, and the National Science Foundation, among others (Please note, this does not apply to accreditation reviews). While ownership for handling and coordinating such an audit would remain with the campus and/or entity, the Audit and Advisory Services (AAS) should be informed of audits happening on campus to inform the Chancellor's Office since some audits may impact multiple campuses or have other systemwide implications. Additionally, AAS may be able to provide guidance and resources should there be a need. Please notify audit@sfsu.edu to inform of potential audit reviews and to request assistance.
For additional questions, concerns, or guidance please contact Jessica Perkinson, the Audit and Policy Coordinator for San Francisco State University.
The Audit Charter
The Audit Charter is a formal document that describes the purpose, rights, obligations, reporting structure, and authority and responsibility of Audit Services. The Charter also defines departments' responsibility for providing access and cooperation during audits or other reviews.
For more information on this document, please view the following sections:
Audit & Advisory Services (A&AS) conducts independent and objective assurance and consulting activities that are guided by a philosophy of adding value to improve the operations of San Francisco State University. A&AS assists San Francisco State University in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization's governance, risk management, and internal controls so that:
- University assets are safeguarded;
- Information is accurate and reliable;
- University policies and procedures and external laws and regulations are followed;
- Resources are used efficiently and economically;
- Operations and programs are being carried out as planned and results are consistent with the University's objectives;
- Significant legislative or regulatory issues impacting the University are recognized and addressed properly.
To provide independence, the Director of A&AS shall report functionally to the Executive Director of Administration as well as a dotted line to the University President as appropriate. A&AS employees shall have organizational independence and strive to carry out their responsibilities with professional objectivity, regardless of structural reporting constraints.
A&AS is authorized to have full, complete, and unrestricted access to all University records, physical properties, and personnel relevant to an audit or advisory project. A&AS will handle any documents and information obtained or reviewed during an assignment in a prudent and responsible manner. Auditors however, are to have no authority or responsibility for the activities they audit.
A&AS shall maintain the University's anonymous reporting system whereby stakeholders may report instances of fraud, ethics, or compliance related concerns. A&AS shall review all reports received and make a determination regarding the reported claim. The Executive Director of Administration shall determine next steps based on the reports and findings provided by A&AS and shall make recommendations on any actions to be taken as a result of such reports or findings.
A&AS shall have the responsibility to:
- Develop a flexible annual audit plan using an appropriate risk-based methodology;
- Submit the annual audit plan to the Executive Director of Administration, Administration & Finance as a whole, and the broader campus community for input and consideration;
- Plan and perform audits and reviews as noted on the audit plan;
- Perform special administrative requests, special projects, investigations, and consulting· Services as requested by management and deemed high risk;
- Make recommendations for improvements to the systems of risk management, internal control, and governance processes;
- Report the results of audit work to the appropriate level of management (Executive Director of Administration, the Vice President Administration & Finance and CFO, and the President)
- Work with the external auditors and other agencies to seek to avoid redundancies in audit effort;
- Maintain appropriate professional development to ensure that its staff has the skills and abilities to perform audit assignments;
- Keep the Executive Director of Administration, Administration & Finance as a whole, and the broader campus community aware of emerging trends regarding internal controls, risk management, governance, and internal auditing;
- Strive to comply with The Institute of Internal Auditors' mandatory guidance including the Definition of lnternal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards).
[Archived Approved PDF for reference: Audit Charter]