Frequently Asked Questions

What is the authority and role of Internal Audit?

Audit and Management Advisory Services (AMAS) serves an independent appraisal function, per UC Board of Regents policy. AMAS is authorized to have full, free and unrestricted access to information including records, computer files, property, and personnel of the University in accordance with authority granted by the UCOP Internal Audit Manual and applicable federal and state statutes.

We provide assurance and consulting services with the goal of providing an independent assessment on governance, risk management, and control processes for the University. We do so through three primary types of projects: audits, advisory reviews, and investigations. You can learn more about our services here.

 

Why are you looking at my unit?

Annually, AMAS prepares an Audit Plan identifying and scheduling the audits and advisory services to be performed during the upcoming fiscal year. The annual audit planning process includes a risk assessment which is based on a combination of interviews with senior and executive management, a survey of managers and administrative personnel, and AMAS consideration of other internal and external factors. The highest ranking topics are included on the audit plan which must be approved by the Audit Committee. Audits can also be added to the plan by management request or a mandate from Office of the President.

How long will the audit take?

From the time you are first notified until the final report is issued, which will generally be about 3-6 months. We can begin to offer estimates of how much time we will need once we complete the planning phase of the review. After the final report is issued, AMAS will follow-up on a monthly basis until MCA's are implemented and closed out.

To help streamline the process, you may wish to make the following documents available. Auditors typically seek access to these items through formal request and/or referral to the organization's website:

  • Mission and key objectives of the entity or process
  • Results of prior internal and external reviews
  • Action plans for significant management initiatives
  • Organizational charts
  • Process flowcharts
  • Summary of contracts and grants
  • Department-specific policies and procedures
  • Budgetary, financial, management, and exception reports
  • Source documents such as payroll records, travel vouchers, recharges, and cost transfers

How much of our department's time will you need?

Most work is done from our office, with intermittent meetings with clients and e-mail or phone calls.  We try to do as much as we can without interrupting the workflow of our clients.

    What do auditors look for?

    We look for best practices, such as:

      • Proper separation of duties with backups or delegates;
      • Complete written processes and procedures that match current practice and include all necessary checks and balances;
      • Adherence to information system accountability rules for initiators, approvers and reviewers;
      • Evidence of reviews, monitoring, and certifications;
      • Accountability for University assets;
      • Complete supporting documentation;
      • Clear lines of authority and responsibility within Department; and
      • Knowledge of policy.

     

    What type of access do auditors have?

    According to the University of California Internal Audit Manual:

    [AMAS] is authorized to have full, free and unrestricted access to information including records, computer files, property, and personnel of the University in accordance with the authority granted by approval of this charter and applicable federal and state statutes. Except where limited by law, the work of [AMAS] is unrestricted. [AMAS] is free to review and evaluate all policies, procedures, and practices for any University activity, program, or function.

     

    What is an MCA?

    Defined as an agreed-upon Management Corrective Action, MCA's are specific actions that management will implement to address any observations and related recommendations made by AMAS. The audit report will identify the specific MCAs to be implemented, the Management/Unit Leads responsible for implementation, and completion dates.

    For more information, including a timeline and the general follow-up process, you can visit our MCA page.

    How can I learn more?

    Our seasoned auditors offer a "How to Survive an Audit" class twice a year through Staff Development and Professional Services. For more specific questions, please arrange to attend one of these courses. 

    You can find out more about our "How to Survive an Audit" class here.