Guidance for External Auditors Working at Stanford University
policy is that we will provide all
available information pertinent to the scope of approved external
audits in a reasonable period of time. However, this policy
requires preparation and cooperation by the external auditor.
This guidance is designed to provide you with the basics you need to
carry out your work successfully.
You should arrange with the
Stanford Internal Audit Department
(650-725-0074) or (email)
to obtain approval
prior to beginning any fieldwork on
campus. Approval normally requires an Entrance Conference
the Associate Vice President
of Internal Audit and Institutional Compliance,
or his/her representative, at which we will ask you to describe the
intended scope, objectives, and time frame for your planned audit.
Before contacting any University staff, you must be able to answer three questions about your work:
- What audit organization are
- What is the purpose of the
audit procedures you are performing,
- Has your audit been approved
by and coordinated with Internal
Before contacting departmental staff to obtain information, you should first try to obtain the information from central University data sources. Internal Audit & Institutional Compliance will provide instructions on how to do this, or, in some cases, will assist you obtain the information, or provide you with the data directly.
If it becomes necessary to contact Stanford staff, they will make reasonable efforts to provide the information you need in an acceptable time frame. If you have pressing time constraints, you should carefully explain those constraints to the person(s) from whom you are requesting information, and should work with Internal Audit & Institutional Compliance to facilitate access to the needed information if delays arise.
In some cases, Stanford
requires that auditors make their
information requests in writing. Normally, this occurs if the
information being requested requires special analyses or extensive
efforts to obtain, or is sensitive. You should keep this in
when planning your audit.
Remember that Stanford staff may not know who you are, what you are looking for, or why. We recommend that you preface all contacts with a brief explanation of the basic rationale for and scope of your audit procedures. This is especially important if the information is being requested by phone or electronic mail. Furthermore, we recommend that you be as specific in your requests as possible. Sometimes, if you tell the staff clearly what information you are trying to locate or what issue you are trying to address, they can direct you to a better source than the one you are looking for.
Be careful about using jargon. Words that make perfect sense to you, such as Final Cost Objective, or Object Code, may make no sense to Stanford staff. Likewise, if we use Stanford jargon with you, please ask for clarification.
If you have problems reaching
someone at Stanford, feel free to
request assistance from Internal Audit & Institutional
Compliance. Often we can help you
identify an alternative, and more easily contacted, source.
Finally, please be aware that Stanford staff have been instructed to refuse to answer any questions which appear to be inappropriate to the scope of the audit being conducted, or which are asked in an inappropriate manner. In such cases, Internal Audit & Institutional Compliance will be called to intervene.
Thank you for your
understanding and cooperation.
The Stanford Internal Audit
& Institutional Compliance Department
Requests for IT Access
For External Agents who need