About Internal Audit
Internal Audit and Institutional Compliance (IAIC) strives to be a valued partner and advisor to management, faculty, and the Audit and Compliance Committees of the Boards.
The mission of Internal Audit and Institutional Compliance (IAIC) is to provide independent, objective assurance and consulting services designed to add value and improve the operations of Stanford University and the Stanford University Hospitals. IAIC helps these organizations accomplish their objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.<top>
The Department's charter, as approved by the Stanford University Board of Trustees, follows:
The scope of work of IAIC is to
determine whether the organization’s network of risk
management, control, and governance processes, as designed and
represented by management, is adequate and functioning effectively to
- Risks are appropriately identified and managed
- Significant financial, managerial, and operating information is accurate, reliable, and timely.
- Employees’ actions are in compliance with applicable laws, regulations, contract/grant provisions, and internal policies, plans, and procedures.
- Resources are acquired economically, used efficiently, accounted for accurately, and protected adequately.
- Programs, plans, and objectives are achieved.
- Quality and continuous improvement are fostered in the organization’s control process.
- Significant legislative or regulatory issues impacting the organization are recognized and addressed properly.
The Associate Vice President
for IAIC shall be accountable to management and the University Board of
Trustees Audit and Compliance Committee and the Hospitals’
Boards of Directors’ Audit and Compliance Committees to:
- Provide annually an assessment on the adequacy and effectiveness of the organization’s processes for controlling its activities and managing its risks in the areas set forth under the mission and scope of work.
- Report significant issues related to the processes for controlling the activities of the organization its affiliates, including potential improvements to those processes, and provide information concerning such issues through resolution.
- Provide information periodically on the status and results of the annual audit and compliance plan and the sufficiency of department resources.
- Coordinate with, and provide
oversight of, other compliance, control, and monitoring functions.
IndependenceTo provide for the independence of IAIC, the Associate Vice President reports administratively to the University Vice President of Business Affairs and Chief Financial Officer (CFO) and functionally to the Audit and Compliance Committees of the University Board of Trustees and the Hospitals’ Boards of Directors in a manner outlined in the above section on Accountability.
IAIC is authorized to:
- Have unrestricted access to all functions, records, property, and personnel.
- Make specific reports directly to the University President and Provost.
- Have full and free access to the Audit and Compliance Committees.
- Allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish audit objectives.
- Obtain the necessary assistance of personnel in units of the organization where they perform audits, as well as other specialized services from within or outside the organization.
IAIC is not authorized to:
- Perform any operational duties for the organization or its affiliates.
- Initiate or approve accounting transactions external to IAIC.
- Direct the activities of any organization employee not employed by IAIC, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the internal auditors.
ResponsibilitiesIAIC has responsibility to:
- Maintain a professional staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this charter.
- Establish a quality assurance program by which the Executive Director assures the operation of IAIC activities.
Audit and Advisory Services
IAIC conducts financial, operational, and information technology audits in accordance with approved plans and its established policies and procedures. In addition, IAIC conforms with the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing promulgated by The Institute of Internal Auditors, as well as other professional auditing standards which may be applicable to the performance of work assignments.
Audit and Advisory services
include, but are not limited to:
- Developing and implementing a flexible annual audit plan using appropriate risk-based methodology, including risks or control concerns identified by management. These plans are submitted to the Audit and Compliance Committees for review and approval.
- Considering the scope of work of external auditors and regulators, as appropriate, for the purpose of providing optimal audit coverage to the University and Hospitals at a reasonable overall cost.
- Examining and evaluating the adequacy and effectiveness of the systems of internal controls.
- Evaluating and assessing significant new or changing services, processes, operations, and controls coincident with their development and implementation.
- Identifying opportunities for reducing costs, improving processes, or enhancing the organization’s reputation.
- Reviewing the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information.
- In conjunction with the Office of General Counsel, assessing compliance with laws, regulations, contract/grant provisions, and internal policies, plans, and procedures.
- Verifying that resources are acquired economically, used efficiently, accounted for accurately, and protected adequately.
- Reviewing operations or programs to ascertain whether results are consistent with established objectives.
- Conducting investigations of suspected fraudulent activities in conjunction with other University resources and notifying management and the Audit and Compliance Committee of the results.
- Performing consulting services, beyond IAIC’s assurance services, to assist management in meeting its objectives. Examples may include facilitation, process design, training, and advisory services.
- Facilitating and coordinating external audits.
- Evaluating emerging audit trends and implementing best practices.
On February 8, 2010, signed by:
Chair, Board of Trustees Audit and Compliance Committee,
Stanford University President,
Stanford VP Business Affairs and Chief Financial Officer, and
Associate Vice President
for Stanford IAIC
Integrity – We are committed to the highest degree of ethical conduct in the performance of our work. Our actions are consistent with our words.
Communication – We communicate openly, constructively, and with respect in all interactions with each other.
Accountability – We are responsible for our performance and results and can be relied upon to meet our obligations to each other.
Teamwork – We utilize our individual skills and abilities in a collaborative way to achieve departmental goals. We are committed to supporting each other to achieve individual and departmental success.
Personal Development – We are committed to helping each team member develop their skills and abilities to the maximum extent possible by providing education, training, and professional opportunities. We are each responsible for our personal growth.
Commitment to Quality – We will continuously improve the accuracy, reliability, usefulness, and timeliness of our products and services to ensure they are valuable to our customers.<top>
SHCSHC Board Audit and Compliance Committee Charge
LPCHLPCH Board Audit and Compliance Committee Charge
- Board of Trustees
- Faculty, staff and students
- General Counsel
- University management
- Defense Contract Audit Agency
- Department of Energy Inspector General
- Independent Public Accountants
- Office of Naval Research
- Sponsoring Agencies
Answers to Typical Questions About Auditing at Stanford
- 1. Who are the auditors at Stanford?
Internal auditors are Stanford employees reporting to the Associate Vice President of Internal Audit and Institutional Compliance.
External auditors include independent public accounting firms, the Defense Contract Audit Agency (DCAA), and others who carry out engagements including the annual financial statement audit, reviews of Stanford's compliance with government rules and regulations, and audits of indirect costs associated with government sponsored research.
The Department of Internal Audit and Institutional Compliance (IAIC) performs liaison functions for all external auditors working on campus.
- 2. How are internal audits scheduled?
The IAIC periodically performs assessments of University operating units and control functions to identify areas of potential institutional risk. Based on these assessments and discussions with management, the Associate Vice President of Internal Audit and Institutional Compliance recommends an annual audit plan, which is approved by the Committee on Audit and Complaince of the Board of Trustees.
The IAIC also responds to special requests from University and department management, inquiries received from members of the Stanford community through the University's Code of Conduct for Business Activities (Administrative Guide Memo #1), and special requests for audits from external agencies.
- 3. What does a typical internal audit include?
Common elements of an internal audit engagement include the following:
- Scheduling an opening conference to discuss audit objectives, timing, and intended report format and distribution
- Evaluating internal control systems
- Testing to ensure proper operation of internal control systems
- Developing conclusions based on test results
- Reviewing audit issues and draft audit reports with management and staff
- Preparing and distributing an audit report which generally include management's responses to the issues raised
- Following up to ensure all issues raised in audit reports have been addressed
For details of the above look in Internal Audit Standard Operating Procedures
- 4. How can I best work with auditors at Stanford?
Each audit engagement has a defined scope and objectives. Any auditor requesting information from you should be able to explain the audit's purpose and objectives so you can understand the reasons for questions being asked and provide accurate answers.
When you understand the audit's purpose, you can assist by either providing relevant information or, if you are not the best source of the requested information, directing the auditor to the right person or office.
If you have questions or concerns about information being requested, it is appropriate to discuss those concerns with the auditor, an Internal Audit manager or director, or the Associate Vice President of Internal Audit and Institutional Compliance.
- 5. Who audits the Internal Audit Department?
The IAIC follows the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing promulgated by The Institute of Internal Auditors (IIA). Accordingly, periodically an outside review team performs a peer review and assesses the quality of our function and makes recommendations directly to the Committee on Audit and Compliance.
- 6. How do you help ensure quality client service?
At the completion of each audit engagement, the Associate Vice President of Internal Audit and Institutional Compliance requests primary audit clients to complete and return a client service evaluation form to identify areas for improving our service. The Associate Vice President also welcomes comments at any time regarding the quality, timeliness, and responsiveness of internal and external audit engagements.
- 7. How can I contact the Internal Audit Department?
The IAIC is organized with directors, managers and staff responsible for the University, Stanford Management Company, School of Medicine, SLAC, Stanford Hospital & Clinics, and Lucile Packard Children's Hospital. The Associate Vice President of Internal Audit and Institutional Compliance and all auditors may be reached by calling (650) 725-0074, faxing (650) 725-0073, email to Internal-Audit@lists.stanford.edu, or by sending inter-campus mail to: Mail Stop 6212.