Internal Audit

If an internal audit is warranted and is to be performed by Compliance and Internal Control (CIC), CIC has full and complete access to various records of California State University, East Bay (CSUEB) and its auxiliary organizations. A systematic approach to audits is to be expected, progressing through several phases as follows:

  • (Phase I) Preliminary Survey and Audit Scope – Towards the beginning of this phase, an informal entrance email will be communicated to appropriate partner(s) to socialize the audit, including expectations (e.g., what is included in the audit scope, potential number of items to sample or test, etc.).
    • The primary objective of this phase is to gather program information (e.g., risk assessments, documented policies and/or procedures, documented flowcharts, etc.) to gain an understanding of the audit subject and to prioritize the audit objective.
  • (Phase II) Fieldwork – May entail observing operations, interviewing key personnel, requesting fieldwork items (e.g., additional documents, files tied to the selected samples, etc.) to examine and/or test relevant data, including analyzing pertinent information to satisfy audit objective.
  • (Phase III) Analysis – Summarize issue(s), observation(s), finding(s), and recommendation(s) for discussion with management and staff. Draft report may also be prepared for discussion with the auditee.
  • (Phase IV) Reporting – Issuance and distribution of an independent and objective report for CSUEB leadership and/or management, including auditee response to audit issue(s), observation(s), finding(s), and recommendation(s).
    • If the issue(s), observation(s), finding(s), and recommendation(s) have more than one action item, each action item will have an Assigned Owner tasked to complete the item.
    • The auditee will propose a Completion Date for the overall issue(s), observation(s), finding(s), and recommendation(s). The expectation is all individual action item(s) per issue(s), observation(s), finding(s), and recommendation(s) will be completed by the agreed Completion Date.
  • (Phase V) Follow-Up and Remediation – Every four to six weeks, an email will be sent to the auditee and/or Assigned Owner(s) to inquire about the progress of the issue(s), observation(s), finding(s), and recommendation(s). Auditee and/or Action Owner(s) should reply to CIC and provide the percentage of completion for each action item(s) and/or overall issue(s), observation(s), finding(s), and recommendation(s). The response from the auditee and/or Action Owner(s) will be recorded by CIC to track progress.
    • Documents evidencing completion of action item(s) will be submitted to CIC for review. If the supporting documentation provided does not appear sufficient to close the issue(s), observation(s), finding(s), and recommendation(s), this will be communicated to the auditee and/or Action Owner(s), and the item will remain open in the CIC tracking sheet.
    • NOTE:
      • If auditee and/or Action Owner(s) is/are unable to resolve the issue(s), observation(s), finding(s), and recommendation(s) by the agreed Completion Date, an extension request (within 60 calendar days or less from the original Completion Date) should be communicated via email to CIC.
      • An email extension request greater than 60 calendar days from the original Completion Date will require the Risk Management & Internal Control (RMIC) AVP’s email approval.
      • The first extension request will not require the RMIC AVP’s approval; however, a subsequent email request sent to CIC to extend the Completion Date will require RMIC AVP’s email approval.