What is Internal Auditing?

We provide the Board of Governors with an independent, objective assurance and consulting activity which is designed to add value and improve the University’s operations. We do this by systematically evaluating the effectiveness of risk management, control, and governance processes.

Why does the CSU System have an internal audit function?

As an expression of the commitment of CSU management and the CSU System Board of Governors to effective, efficient, and ethical operations, the department of Internal Auditing was created in 1967 and is charged with examining and evaluating the policies, procedures, and systems which are in place to ensure: the reliability and integrity of information; compliance with policies, plans, laws, and regulations; the safeguarding of assets; and, the economical and efficient use of resources.

Where does the audit function fit in the organization?

Internal Auditing has a solid-line reporting relationship to the Board of Governors' Audit and Finance Committee.  In order to promote effective management, the Director also reports to the Chancellor for purposes of administration and for assurance of adequate and appropriate consideration of audit findings within the organization.

Are Internal Auditors employees of CSU/CSU-Pueblo/CSU-Global Campus?

No.  All employees of the Internal Auditing Department are Colorado State University System employees.  Our offices are located on the campuses of CSU and CSU-Pueblo, and we enjoy being part of the campus communities.

Are there any other auditors that I might encounter at CSU/CSU-Pueblo/CSU-Global Campus?

Yes, the combined financial statement of the CSU System is audited annually.  In addition, the Colorado State Auditor may audit areas of each institution. Auditors from federal (or state) agencies may be on campus reviewing programs or research they have funded.  Auditors working on campus should be able to appropriately identify themselves. If you have any questions regarding auditors’ work or requests for information, feel free to give us a call.

How do you select areas for review? 

Most audits are scheduled following an annual risk assessment performed by the Director of Internal Audit and approved by the Board of Governors.  The risk assessment considers several factors (such as the size of the unit, its inherent complexity, its resources, recent changes in management or organizational structure) to schedule audit projects that can be useful in helping the institutions reach their goals.

How long do audits take?

The length of time it takes to complete an audit varies significantly, depending on the size, complexity and strength of the area's internal controls. Some take as little as a couple of weeks and others can take several months. The audit is a dynamic process, the scope of which can be expanded or reduced at any time depending on the issues.

What if I don't have the time to deal with the auditors? What if it's a bad time for an audit because (choose one):

  • we're short-staffed
  • the finance director just quit
  • it's budget season
  • we're crawling with students!
  • we're trying to close out the year.

During the audit opening meeting, we will discuss the audit schedule, try to accommodate time constraints that you may have, and be respectful of your job responsibilities, We will probably want to meet with key personnel on the audit two or three times for maybe an hour at a time over the audit period. We may spend equal amounts of time, and perhaps less, with others in the department, but we will not be monopolizing anyone's time in the department.  Much of our work, such as audit planning and report writing, is done in our offices.

Are auditors looking for fraud when performing audits?

Auditors are not specifically searching for the existence of fraud when performing audits; however, the performance of generally accepted auditing procedures could identify situations which may allow fraud to go undetected.  An adequate system of internal control and a control conscious organizational environment will reduce the risk of fraud.

What are internal auditors looking for?

Primarily compliance with university policies and sound internal controls. By following these policies we help protect the university from unnecessary risks and help ensure sound business practices are consistent throughout the university. However, not all internal controls can be codified in policy. If we find control weaknesses, we regularly make recommendations to implement a control even though it may not be specifically required by policy.

How can I prepare for an audit?

Learn about the audit process.

What are internal controls?

A control is any policy, procedure, practice, or mechanism designed to provide reasonable assurance that the organization's objectives will be achieved. This includes controls designed to safeguard assets, ensure the timeliness, accuracy and reliability of financial and management reporting and to promote operational efficiency, effectiveness and compliance with all applicable laws, regulations, policies and procedures.  It is the responsibility of management to ensure that appropriate controls are implemented and functioning to support the achievement of unit objectives.

How are the results of the audit reported?

You will be kept informed of the auditor’s findings throughout the course of the audit.  If an issue is identified during the audit where improvements can be made in operations or internal control, it will be described in the audit report, together with a recommendation to improve internal control or implement changes. The issues and a draft of the report will be discussed with your unit management to ensure that the information is accurate.  All recommendations will be thoroughly discussed, and management will be asked to develop a plan to address any issues noted in the recommendations, and identify a target date for implementation.  Management’s response to recommendations will be included in the audit report.

Who gets copies of audit reports?

In general, an audit report is issued to those in a position to see that corrective actions are taken and those with a need to know. Standard audit reports are addressed to the President of the institution. Copies of the Audit Report and Executive Summary are sent to the following:

  • Members of the Board of Governors' Audit and Finance Committee
  • Chancellor
  • The division vice president responsible for the audited area
  • The auditee
  • Any other official who is responsible for corrective action on recommendations
  • Associate Vice President for Finance
  • Director of Business and Financial Services/Campus Audit Liaison

Copies of the Executive Summary only are sent to the following:

  • CSUS Board of Governors
  • CSUS General Counsel
  • CSUS Chief Financial Officer

Can a department request an audit?

Yes. We consider requests for audit work, although our ability to perform the audit might be affected by our staffing levels or current obligations. We may review your concern within the audit risk assessment process and consider it for the next year’s audit plan.

We're also available to do presentations and training for your department.

What should I do if I suspect someone is involved in something illegal?

The CSU System provides the Compliance Reporting Hotline for employees, students, and constituents of all three campuses to report issues, in good faith, regarding compliance with laws, regulations, and policies. This Reporting Hotline allows anyone to report issues anonymously if they wish to do so. The issues reported will be reviewed by the appropriate officials to determine if further investigation and actions are warranted.  Click here for more information.

If I call you with information about a possible irregularity, will my identity be kept a secret?

The Hotline provides for anonymous reporting if you desire; however issues can often be investigated more efficiently and thoroughly if we are able to contact you to ask for clarification of issues and facts.  As a general rule, even if you identify yourself to us we will use discretion in our reviews, but we cannot guarantee that your identify will not become known to others.

What if I have more questions?

Please contact the Director of Internal Auditing, Susy Serrano, at (970) 491-2750 or susy.serrano@colostate.edu.