Agenda: Office of Audit and Advisory Services; Annual Audit Planning Process; Individual Audit Planning Process; 2013 Subject Audits; 2014 Subject Audits; Questions; Contact Information
Office of Audit and Advisory Services
Audit Planning Process Audit Survey sent to all 23 campuses in the last quarter of each year. This information is combined with other input, including: Discussions with Chancellor's Office Management. Discussion with audit committee chair. External trends and input. We present the audit plan at the January Board of Trustees meeting each year for approval of audit assignments.
Individual Audit Planning Process Determined by a subject-specific risk assessment that includes, but is not limited to: Review of CSU policies, laws, regulations, and other criteria. Specialized training in the subject area. Discussions with CO management. Discussions with campus personnel including Vice Presidents of Administration and Department Managers. Review of previous and related audits, both from inside the CSU and from the outside: state auditors, the UC system, other universities.
2013 Subject Audits Eight audits were approved by the Board of Trustees for 2013: Credit Cards; International Programs (Round 2); Hazardous Materials; Sensitive Data Security and Protection (2011); Centers and Institutes; Student Health Services; Sponsored Programs – Post Award; Conflicts of Interest (not performed). Finalized audit reports can be reviewed on our website at
2013 Systemwide Audits Credit Cards /2013/1323CreditCardsSYS.pdf Remaining systemwide audits for 2013 have not yet been finalized, but will be available on our website when they are complete.
Credit Cards – Observations and Trends Policies and Procedures – Campuses often did not have adequate policies and procedures for credit card programs, outside of the main procurement card program. Personal Liability Cards – Applications were not always appropriately approved and cardholder agreements obtained. Personal Liability Cards – Use of personal liability cards was not monitored to ensure that only business-related expenses were incurred and payments made in a timely manner.
Credit Cards – Best Practices Many campuses performed a 100% audit of all procurement card reconciliation packages. The key here was to ensure that violations are documented and sanctions enforced. Include both procurement/travel cards and personal liability cards on separation checklists. Automate notification of separated employees to alert the appropriate credit card administrators.
International Programs – Observations and Trends Authority – Many programs were not properly approved. Third-party Providers - Non-compliance with specific requirements regarding due diligence, and acceptance of material benefits from vendor. Student Orientations - For CSU students going abroad, and for international students arriving for CSU courses.
International Programs – Best Practices Some campuses had strong centralized departments that effectively identified and administered all IP programs from various initiating areas: the CO, the individual colleges, and from outside universities. Some colleges strategically integrated curriculum development with IP opportunities to maximize the benefits to participants. One campus requires all students to participate in an international program as part of the graduation requirement.
Hazardous Materials Management – Observations and Trends Roles and Responsibilities - I thought EH&S did this for us. Hazard Communication Program - The requirement to inform employees and students of the hazards in the workplace – labelling was nearly always an issue. Inspections - Required as part of the Injury and Illness Prevention Program, often the process was in disarray. Laboratory Safety – Lack of an adequate Chemical Hygiene Plan and/or designation of a Chemical Hygiene Officer.
Hazardous Materials Management – Best Practices All campuses had well-qualified, experienced and knowledgeable management. Best practices would include an inspection program that identifies and quantifies the risks; tailors an inspection schedule on perceived risk; clearly identifies and educates responsible parties; and includes processes to monitor completion of assigned inspections and follow up on required remediation.
Sensitive Data – Observations and Trends GOVERNANCE! No inventory of protected data or complete listing of electronic and paper records. Data ownership had not been consistently assigned. Protected data held in paper documents was not adequately controlled. New employees with access to sensitive data had not received security awareness training. Sensitive data stored on servers were not always behind secure campus firewalls or other network controls, and protected data was not always stored in an encrypted format. Equipment disposition processes did not ensure that data had been wiped from computers prior to being surplused or donated.
Sensitive Data – Best Practices A best practice would be to survey or inventory sensitive data annually, in order to know what data is out there, and who is responsible for it. Campuses with more centralized IT operations seemed to have a better grasp of overall campus data and the controls in place for that data.
Centers and Institutes – Observations and Trends Definition for centers and institutes could be improved to ensure that entities are recognized and reported by the campus. Reviews of centers were not always performed in accordance with campus policy. Center fiscal administration needed improvement – most often in receipt of funds and use of written agreements and contracts.
Centers and Institutes – Best Practices SLO had a well-defined and clear organizational structure that made responsibility for centers and institutes on campus very clear. Some campuses tied the periodic review to renewal of the center charter. Northridge had a very robust center and institute policy that included a one-stop shop for operating procedures (revenue, expenses, human resources, travel, etc.).
Student Health Services – Observations and Trends Governance and Oversight - The provision that the campus designate accountability for all university health services, including those offered in Athletics and in the academic areas, was not always met. Types of Services Offered at the SHC – Provisions regarding the vetting and approval of augmented services were not always met. Pharmacy – Issues regarding segregation of duties noted at smaller campus pharmacies, and exceptions related to appropriate inventory practices.
Student Health Services – Best Practices All campuses substantially met requirements for the minimum basic services available. One campus had a robust health education program that was directly tied to relevant information regarding student needs, delivered by a well-trained and supervised peer health team of students pursuing degrees in health education.
Post Award – Observations and Trends PI Conflict of Interest statements were not always obtained in a timely manner. Effort certifications were not always accurate and did not always include adequate supporting documentation (additional employment, cost share effort). Sub-Recipient risk assessments – Documentation, timeliness, signatures and dates.
Post Award – Best Practices Cost sharing at Chico: Cost sharing is reviewed every time the sponsor is invoiced. Use of cost share commitment forms and agreements helps to quantify and track cost share. Effort reporting: Use of reimbursed-time purchase orders at some campuses provides easy tracking for faculty time. Northridge conflict of interest disclosure forms for federal awards include review signatures and actions.
2014 Subject Audits Seven audits were approved by the Board of Trustees for 2014: Conflict of Interest (carryover from 2013); ADA Web Accessibility (renamed to Accessible Technology); Lottery Funds; Executive Travel; Sponsored Programs – Post Award (Round 2); Information Security; Continuing Education.
Conflict of Interest Audit Scope: General administration of the conflict of interest program. Review and identification of designated positions. Timely and accurate completion of conflict-of-interest disclosure statements and related ethics training. Employee/vendor relationships. Gift to agency reporting. Audit Status: Fieldwork completed for first three audits.
Accessible Technology Audit Scope: Compliance with section 508 and CSU Accessible Technology Initiative requirements. Student and employee accessibility to technology (i.e., physical structures excluded). Campus governance and executive support. Coordination between various constituent groups. Campus responsiveness to requests or complaints. Audit Status: Fieldwork for pilot audit in progress.
Lottery Funds Audit scope: Review of campus lottery fund allocation and expenditure policies and procedures to ensure compliance with CSU and state requirements. Review of internal campus processes for monitoring, reviewing and approving campus discretionary allocations to specific programs and/or areas. Examination of specific programs receiving lottery funding to confirm the expenditures are in conformance with state and CSU restrictions. Audit Status: Fieldwork complete at two campuses.
Executive Travel BOT Agenda: Proposed audit scope would include review of campus travel policies and procedures to ensure alignment and compliance with CSU requirements; review of internal campus processes for monitoring, reviewing and approving travel expense claims; and examination of senior management travel and travel expense claims for proper approvals and compliance with campus and CSU travel policy.
Sponsored Programs – Post Award Audit Scope: Training; Conflict of Interest Filings; Effort Reporting; Cost Sharing; Sub Recipient Monitoring; Fiscal Administration.
Information Security BOT Agenda: Proposed audit scope would include review of the systems and managerial/technical measures for ongoing evaluation of data/information collected; identifying confidential, private or sensitive information; authorizing access; securing information; detecting security breaches; and security incident reporting and response.
Continuing Education BOT Agenda: Audit scope includes review of the processes for administration of continuing education and extended learning operations as self-supporting entities; budgeting procedures, fee authorizations, and selection and management of courses; faculty workloads and payments to faculty and other instructors; enrollment procedures and maintenance of student records; and reporting of continuing education activity and maintenance of CERF contingency reserves. CA State Auditor Report:
Questions?? Ann Hough; Wendee Shinsato; Greg Dove (IT audits); Mike Caldera (Advisory Services)