FAQ

Audit & Advisory

What is internal auditing?

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

How does internal auditing benefit higher education institutions?

In higher education, internal auditors play a critical role in areas such as:

  • Ensuring compliance with federal and state regulations
  • Protecting institutional assets
  • Enhancing financial reporting
  • Verifying grants and research expenditure compliance
  • Reviewing cybersecurity and data privacy controls
  • Promoting operational efficiency and academic integrity

By identifying risks and recommending improvements, an internal audit function supports the mission of education and research while helping ensure public trust and stewardship of resources.

What is the difference between internal and external auditors?

Internal auditors are employees of the University. The purpose of an internal audit function is to evaluate the adequacy and effectiveness of internal controls to manage risk and to serve in a consultative capacity regarding controls, processes, operations, and systems. There are many different types of external audits that the University may be subject to, including the annual financial statement and Uniform Guidance audits performed by an independent accounting firm. The financial statement audit’s objectives are primarily concerned with the completeness, accuracy, and fair presentation of the University’s financial statements and the financial condition of the institution, while the Uniform Guidance audit looks at compliance with government regulations over use of federal funds.

Does Internal Audit & Advisory Services follow professional standards?

Yes, IA&AS follows the Global Internal Audit Standards (Standards) set forth by the Institute of Internal Auditors. These Standards guide the worldwide professional practice of internal auditors across all industries and serve as a basis for evaluating and elevating the quality of the internal audit function. These Standards include a Code of Ethics and require periodic external quality assessments. In fact, in December 2024, IA&AS underwent its own external assessment (the auditors were audited!) and received a “Generally Conforms” rating, which is the highest ranking a department can receive on this assessment.

What is the difference between IA&AS and CIDA?

While both IA&AS and CIDA provide Advisory Services as part of their portfolio of services, the biggest difference lies in our reporting structure and independence. IA&AS functionally reports to the Audit Committee Chair and is required by Standards to remain independent. We can add value by evaluating whether internal controls are operating as designed and working effectively, and whether operations are in compliance with policies, regulations, and standards. Because of our independence, we can offer an unbiased perspective and can assist in escalating issues that might otherwise go unaddressed.

CIDA can provide a collaborative and often more hands-on strategy in the design and problem-solving approach to their projects. They can act quickly to assist with change management or risk mitigation before issues arise.

CIDA can help management design the right path forward and IA&AS can validate that the path was followed and risks were managed along the way. Having both units—distinct but coordinated—creates a balance that supports a holistic approach to strengthen governance, risk management, and operational effectiveness at BU.

Audit Processes

How are audits selected?

IA&AS conducts an annual audit planning and risk assessment process, which includes a quantitative and qualitative review of risk factors at the University to develop a comprehensive audit plan. We look at units, processes, and information technology elements and review risk factors such as financial impact, reputational risk, operational complexity, compliance requirements, inherent process risk, and use of technology, among others. We also conduct interviews with senior leadership, review higher education trends and current industry best practices, and compare areas that our peers may be focusing on. From this we build a proposed plan that is then presented to the Audit Committee for their approval.

I’ve been notified that my department is being audited! What can I expect from the process?

First and foremost, don’t be nervous! The process for most audits follows a pretty typical path, and we are committed to working with you to cause minimal disruption to your normal course of business operations. There are 4 main phases of an audit:

1. Planning – Through pre-planning work, data analysis, and preliminary meetings with management, our goal is to understand your organization, your primary function and objectives, and identify potential risks that may impact achieving those objectives. This phase also includes a comprehensive scoping process to clearly determine the areas that we will and will not be looking at during the audit, which are discussed in an official Kick-off meeting.

2. Fieldwork – Our audit team will develop audit procedures, including interviews, walkthroughs, transaction testing, etc., that will assist us in assessing the design and effectiveness of your control environment and activities.

3. Reporting – We will summarize our review along with any reportable findings or opportunities for improvement in a formal audit report. Don’t worry! As the auditee, you will have the opportunity to review and provide feedback on a draft report before it is finalized and issued.

4. Follow-up – In the event your review results in reportable findings, you are required to provide a management action plan to address the risk and recommendation. In that case, the team will reach out in accordance with the timeline set by you in the management action plan to obtain a status update on implementation progress.

Internal Controls

What is an internal control?

Internal control as a whole refers to the policies, procedures, and systems implemented by an organization to ensure its objectives are achieved effectively and efficiently. These controls are designed to safeguard assets, ensure reliability of financial reporting, and promote compliance with laws and regulations. Often when people think of a specific internal control, they think of control activities like approvals, segregation of duties, or physical security. All of these elements make up a broader internal control landscape.

What are some examples of internal controls?

Examples of internal controls include:

  • Segregation of duties – Custodian, transaction preparer, approver and reconciler should be different individuals.
  • Transaction approvers should be at an appropriate level of authority
  • Transaction approvers should be familiar with the terms and conditions of restricted gifts, endowments and sponsored projects.
  • Reconciliation of financial information should be prepared and approved on a monthly basis
  • Errors should be identified and corrected on a timely basis
  • Department Chairs and Principal Investigators should review expense detail and budget-actual on a monthly basis
  • All valuable assets should be reviewed to ensure proper insurance coverage
  • Records should be retained for the time periods set forth in University policy

Who is responsible for internal controls?

University Management is responsible for designing, implementing, and maintaining an adequate system of internal controls.

Fraud

What is fraud?

Fraud refers to intentional deception, misrepresentation of facts, or dishonest or illegal practices by individuals or institutions that mislead others for personal, financial, or reputational gain. It can occur at many levels—students, faculty, administrators, or even entire institutions.

What should I do if I suspect or learn of fraud, waste, or abuse?

There are several ways to report known or suspected cases of fraud, waste, or abuse. You can utilize the University’s anonymous Reporting Hotline, contact BUPD, the University Ombuds Office, or Internal Audit & Advisory Services. If you’re unsure how to proceed, we are happy to assist in helping you determine the best avenue for reporting. Visit our “Contact Us” page to connect with someone from our team.