What is the difference between the audit services provided through SOU’s contractor, the Center for Internal Audit (C4IA), and the external auditors that audit SOU?
SOU has an intergovernmental agreement with the Center for Internal Audit at Portland State University. The C4IA assists SOU in achieving its mission and objectives by providing independent and objective assessments specific to SOU’s needs. The C4IA also offers advisory services and trainings to improve internal controls and risk mitigation processes.
External auditors perform the A-133 single audit, which audits SOU’s comprehensive annual financial statement as well as compliance with federal regulations.
SOU may be audited periodically by organizations such as the Secretary of State – Oregon Audits Division, the Office of Inspector General, grantors, and/or organizations tasked with laws and regulations relating to health, safety, environmental requirements, and animal welfare.
How do you decide what to audit?
Audit topics are identified as part of an annual risk assessment. Audit topics are chosen to provide value to SOU’s governance processes and will provide reasonable assurance on the operating effectiveness of key operations. See the annual audit plan here.
What is a risk assessment?
A risk assessment serves as a tool for management to share concerns that may prevent the university from meeting its objectives. Internal auditors gather information that helps to classify risks as high-risk, moderate-risk, or low-risk events to the university as a whole. The Center for Internal Audit considers multiple factors when assessing risk, such as internal and external factors, the likelihood of a negative event occurring, the severity that event would have to SOU if it were to occur, trends within finances over a multi-year time period, and the time elapsed since the last audit of an auditable area. The Center for Internal Audit then works with executive management and the Audit Committee of the Board of Trustees on next steps to address the results of the risk assessment. The results are used to develop an annual internal audit plan, which is vetted by university leadership and approved by the President of SOU and the Board of Trustees.
Who audits the Center for Internal Audit?
The Center for Internal Audit must go through an external peer review every 5 years to comply with the International Standards for the Professional Practice of Internal Auditing (the “Standards”). The results of the peer review are shared with the President of SOU and members of the Board of Trustees. Moreover, the internal audit function at SOU may be selected for an audit by external organizations such as:
- Secretary of State – Oregon Audits Division;
- An external audit firm hired by SOU; and/or
- Federal agencies like the Office of Inspector General.
What authority does SOU’s internal audit function have?
The Internal Audit Charter, which is regularly reviewed and approved by the SOU Board of Trustees, defines the purpose, authority, and responsibility of SOU’s internal audit function. The charter grants internal audit full and complete access to any of the University’s records, physical properties, and personnel.
May I request to have an internal audit performed of my department and/or process?
Yes. If you would like some assurance, even if your department was not selected to be on this year’s internal audit plan, please review this with your Dean, Director, etc. and request that they make a formal request to the Center for Internal Audit. The request will be reviewed with the President of SOU and a decision communicated back to appropriate personnel. Due to finite resources, it may not be possible to accommodate requests in the timeframe requested.
Does the department have an opportunity to respond to audit findings and recommendations?
Yes. The Center for Internal Audit provides audit status updates on a regular basis to the applicable management representative. Throughout the audit project, management has the ability to provide further records and/or updated information to address the initial audit observations noted. In addition, management must provide a management response to all formal recommendations made at the audit Exit Conference. This response is included in the final audit results provided to applicable management, the President of SOU, and the members of the Board of Trustees.
What standards do internal auditors follow?
- International Professional Practices Framework of the Institute for Internal Auditors, which includes the Global Internal Audit Standards
- Committee of Sponsoring Organizations of the Treadway Commission internal control framework and enterprise risk management frameworks
