Internal Audit

• Overview
• About Internal Audit
• Documents
• Information Security and IT Audit
• Resources, External Links
• Contact Information

Institutional Compliance Program

• Overview
• Compliance Initiative
• Offices and Officers
• Code of Conduct
• Committee Highlights
• Relevant Policies
• Compliance Helpline

STARS

• Overview
• STARS Help

Related Pages

• Business Affairs
• Office of the General Counsel
• Information Security Office

• Internal Audit & Institutional Compliance
• Documents
• Internal Audit Standard Operating Procedures

Standard Operating Procedures

Outlined below are the procedures that will normally be followed for conducting internal audits at Stanford University, including Stanford Linear Accelerator Center (SLAC), Stanford Management Company (SMC), Stanford Hospital and Clinics (SHC), and Lucile Packard Children's Hospital (LPCH). Note that these procedures may not be followed for special projects for management, projects requested by University counsel, and irregularity audits.

1. Prepare Annual Internal Audit Plan

• In cooperation with the senior and line management, conduct a preliminary risk assessment session utilizing a facilitated group interview.
• Gather top management input on the preliminary risk assessment.
• Prepare a Draft Annual Internal Audit Plan based upon the results of the risk assessment process.
• Obtain the Board of Trustees Committee on Audit comments and formal approval.

This plan will be subject to quarterly reviews to ensure that focus continues to be on the higher risk areas, given changes in the University’s environment. In addition, the need to conduct reviews of alleged irregularities or special projects for management or counsel may require the deferral of planned audits.

2. Communicate Annual Internal Audit Plan

• Distribute the Annual Internal Audit Plan to senior and line managers.
• Keep senior and line managers informed of any changes to the Annual Internal Audit Plan.
• Ensure that appropriate senior and line managers are informed at least a month prior to each planned audit.

Note that reviews of alleged irregularities or special projects for counsel may require different procedures involving little or no notification to involved management.

3. Conduct Internal Audit Planning and Notification

• Contact department management at least three weeks in advance of scheduled audit date to discuss risk considerations that led to the audit being on the annual plan, expected scope of the audit, and current management concerns.
• Develop preliminary audit plan outlining anticipated scope, risk assessment, procedures, schedule, audit staffing.
• Hold Opening Conference with department management and staff, other stakeholders as appropriate, to go over and finalize the audit plan, obtain documents, schedule interviews, shape expectations for audit deliverables.

4. Perform Audit Fieldwork

• Carry out fieldwork as indicated in the audit plan.
• Conduct fieldwork with minimal disruption to department operations; for example, whenever possible, obtain information from central sources rather than from departmental staff or line management.
• Obtain cooperation from the line management and department staff as necessary in identifying and obtaining documentation, conducting interviews, etc.

5. Report Results

• In general, share important and sensitive findings with responsible managers immediately upon verification by the audit staff; memo reports may be used in this process.
• Prepare a first draft final report and discuss it with responsible managers immediately following the fieldwork.

6. Wrap Up Audit

• Schedule a Closing Conference after responsible managers have received the first draft report; this conference will provide the opportunity for responsible managers to discuss findings, conclusions, and recommendations with the auditors and the cognizant audit manager.
• During or immediately after the Closing Conference, ask responsible managers to provide their responses to the auditor’s findings and recommendations, either in writing or in sufficient detail for the auditors to capture them and reduce them to writing in the final draft report.

7. Review Final Report

• Send final draft report to responsible managers and discuss suggested changes.
• After processing changes, issue the final report to the distribution indicated on the cover of the final draft.

Note: All reports will contain an executive summary which summarizes the primary observations, management responses, and auditor’s conclusion.

8. Disseminate Report

• Provide the Provost’s representative, the CFO, and the Controller with copies of all reports.
• Provide the Chair of the Audit Committee with periodic summaries of audit findings, with access to summaries or full reports if requested.

9. Evaluate and Follow Up

• At the completion of each audit, the cognizant audit manager will send an evaluation survey form to the primary clients of the audit. These should be completed and returned to the Executive Director of Internal Audit, in order to ensure continuous improvement of these procedures and the internal audit function.
• Approximately six months following completion of each audit, the internal audit staff will conduct a follow up review to verify the completion of agreed-upon management actions and ascertain the status of open recommendations. A follow up report will be generated annually for distribution to Senior Management and the Audit Committee.