Standard Operating Procedures

Outlined below are the procedures that will normally be followed for conducting internal audits at the University of San Francisco. These procedures may not be followed for certain special projects requested by the Audit Committee of the Board of Trustees and/or the President, during financial irregularity audits, and during other special circumstances.

1. Conduct Enterprise-Wide Risk Management Assessment

  • From time to time, in cooperation with senior management and department management, conduct an enterprise-wide risk assessment.
  • Gather senior management and department management input, as appropriate, on the enterprise-wide risk assessment.
  • 2. Prepare Annual Internal Audit Plan

  • Prepare a Draft Annual Internal Audit Plan based upon the results of the enterprise-wide risk assessment process.
  • Obtain comments and formal approval of the Audit Committee of the Board of Trustees for the Annual Internal Audit Plan.
  • This plan will be subject to periodic review to ensure that it continually focuses on the University’s higher risk areas, which may change from time to time. Of course, the need to conduct reviews or audits of alleged irregularities or special projects for the Audit Committee of the Board of Trustees and/or the President may require the deferral of otherwise planned audits.

    3. Communicate Annual Internal Audit Plan

  • After formal approval by the Audit Committee of the Board of Trustees, distribute the Annual Internal Audit Plan as directed by the Audit Committee of the Board of Trustees.
  • Ensure that appropriate senior managers or department managers are informed in a timely manner prior to each regularly scheduled internal audit.
  • Notwithstanding the foregoing, it is important to note that reviews of alleged irregularities or special projects for the Audit Committee of the Board of Trustees and/or the President may require different procedures involving little or no notification to those involved.

    4. Conduct Internal Audit Planning and Notification

  • If appropriate, meet with senior management and/or department management before the beginning of scheduled audits to discuss the risk considerations that led to the audit being included in the Annual Internal Audit Plan, the expected scope of the audit, and current management concerns.
  • If appropriate, hold an Opening Conference with senior management or department management and staff and other stakeholders to go over the audit plan, obtain documents, schedule interviews, and shape expectations for audit deliverables.
  • 5. Perform Audit Fieldwork

  • Carry out fieldwork as indicated in the Annual Internal Audit Plan.
  • Obtain cooperation from senior management, department management, and department staff, as necessary, in identifying and obtaining documentation, conducting interviews, etcetera.
  • Whenever practical, conduct fieldwork with minimal disruption to department operations.
  • 6. Report Results

  • In general, share important and sensitive findings with senior management and/or department management, as appropriate, immediately upon verification; memorandums and/or e-mails may be used to facilitate this process.
  • Immediately following the fieldwork, prepare a First Draft Final Audit Report and discuss it with senior management and/or department management, as appropriate.
  • 7. Conclude Audit

  • Schedule a Closing Conference after senior management and/or department management, as appropriate, has received the First Draft Final Audit Report; this conference will provide an opportunity for management to discuss findings, conclusions, and recommendations with the Director of Internal Audit and Tax Compliance.
  • During or immediately after the Closing Conference, ask senior management and/or department management to provide their responses to the Director of Internal Audit and Tax Compliance’s findings and recommendations in writing.
  • 8. Review Final Audit Report

  • Send the Final Draft Audit Report to senior management and/or department management and discuss suggested changes with the appropriate level of management.
  • After processing any relevant changes, issue the Final Audit report to relevant parties.
  • 9. Disseminate Final Audit Reports

    Provide the Audit Committee of the Board of Trustees and the President with periodic summaries of audit findings as well as complete copies of all Final Audit Reports.