
The Audit Process

In general, a typical audit includes the following sequential steps:

- Scheduling an opening conference to discuss the audit objectives, timing, and report format and distribution.
- Assessing the soundness of the internal controls or business systems and operations.
- Testing the internal controls to ensure proper operation.
- Discussing with management all preliminary observations.
- Discussing with management the draft audit report and their responses, if available, prior to release of the final audit report.
- Following up on critical issues raised in audit reports to determine if they have been successfully resolved.

Internal Controls Educational Seminar

Any department or organization that would like a session on Internal Controls in the University Environment should contact the Director of Internal Auditing Services at Ext. 5-4818 to schedule it. The seminars are typically 1-2 hours in length and include a 20-minute video on internal controls at colleges and universities. The presentation includes time for questions and answers and can be tailored to address a department's specific needs or requests.

Audits

Types of Audits and Reviews:

1. Financial Audits or Reviews
2. Operational Audits
3. Department Reviews
4. Information Systems Audits
5. Integrated Audits
6. Investigative Audits or Reviews
7. Follow-up Audits

Financial Audit

A historically oriented, independent evaluation performed for the purpose of attesting to the fairness, accuracy, and reliability of financial data. CSULB's external auditors, KPMG, perform this type of review. CSULB's Director of Financial Reporting coordinates the work of these auditors on our campus.

Operational Audit

A future-oriented, systematic, and independent evaluation of organizational activities. Financial data may be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives. Internal controls and efficiencies may be evaluated during this type of review.

Department Review

A current period analysis of administrative functions, to evaluate the adequacy of controls, safeguarding of assets, efficient use of resources, compliance with related laws, regulations and University policy and integrity of financial information.

Information Systems (IS) Audit

There are three basic kinds of IS Audits that may be performed:

1. General Controls Review. A review of the controls which govern the development, operation, maintenance, and security of application systems in a particular environment. This type of audit might involve reviewing a data center, an operating system, a security software tool, or processes and procedures (such as the procedure for controlling production program changes), etc.
2. Application Controls Review. A review of controls for a specific application system. This would involve an examination of the controls over the input, processing, and output of system data. Data communications issues, program and data security, system change control, and data quality issues are also considered.
3. System Development Review. A review of the development of a new application system. This involves an evaluation of the development process as well as the product. Consideration is also given to the general controls over a new application, particularly if a new operating environment or technical platform will be used.

Integrated Audit

This is a combination of an operational audit, department review, and IS audit application controls review. This type of review allows for a very comprehensive examination of a functional operation within the University.

Investigative Audit

This is an audit that takes place as a result of a report of unusual or suspicious activity on the part of an individual or a department. It is usually focused on specific aspects of the work of a department or individual.

All members of the campus community are invited to report suspicions of improper activity to the Director of Internal Auditing Services on a confidential basis. Her direct number is 562-985-4818.

Follow-up Audit

These are audits conducted approximately six months after an internal or external audit report has been issued. They are designed to evaluate corrective action that has been taken on the audit issues reported in the original report. When these follow-up audits are done on external auditors' reports, the results of the follow-up may be reported to those external auditors.

Compliance Audit

Looks at whether or not an organization is adhering to specific laws, regulations and the control operations according to policy, directives, standards or contracts. This type of audit is also meant to detect breaches in security and to recommend any indicated changes in systems of control, policy and procedures. It is management's job to establish the proper control environment and system control activities that are aligned with the organization's compliance obligations. These control activities usually include the policies, directives, procedures and practices that ensure management objectives are achieved and risk mitigation strategies are carried out.

Operational Audits

Looks at whether or not public funds and resources have been economically, efficiently and effectively managed. This type of audit examines and reports on matters related to any or all of the following:

- the adequacy of the management systems, controls, and practices including those intended to control and safeguard assets and ensure due regard to economy, efficiency and effectiveness;
- the extent to which resources have been managed with due regard to economy and efficiency; and
- the extent to which programs, operations or activities of an entity have been effective.

Operational auditing fulfills the demand for performance and accountability information that is not being provided by information on financial performance and on compliance with authorities. Operational auditing is based on two principles:

- Public business should be conducted in a way that makes the best possible use of public funds.
- People who conduct public business should be accountable for the prudent and effective management of the resources entrusted to them.

Financial Audit

Examines how government looks after its accounts and at the records of financial transactions. In financial audits, internal auditors test whether financial transactions support the amounts and disclosures recorded in the government's accounting system. The scope of the audit may include comparing the results of operations with planned results, assessing the reliability of a department's financial control systems, and checking how financial information is reported for decision-making. Internal auditors supplement these audit tests by further analysis and discussions with management. Planning decisions on the scope of a financial audit mainly involve the intended degree of audit assurance and the extent of audit work required to provide it.

Information Management and Technology (IT) Audit

May include the following:

- Reviews of existing or new information systems, before and after implementation, to ensure they are secure and meet the organization's needs;
- Project management reviews, before or after systems implementation, to ensure controls are in place to mitigate project risks or to identify the strengths and improvements required for future projects; and/or
- Specific technology and security reviews to ensure that the technologies are appropriate, and that access to government systems is secure and adequately protected.

Due to the complexity and required skill sets to perform some of these reviews, Government Audit Services may work with specialized contractors to ensure high quality analysis and recommendations are provided to management.

Performance Audit

Asks if an entity is achieving its goals and at what cost. Performance audits usually address the following questions:

- Are programs, functions or activities achieving desired results?
- Are there appropriate indicators and measures to assess performance?
- Are there better ways to achieve the organization's objectives at lower cost?
- Are there ways to improve the quality of service without increasing cost?
- Does the program, function or activity comply with applicable laws and regulations?

The American Accounting Association defines auditing as a systematic process of objectively obtaining and evaluating the accounts or financial records of a governmental, business, or other entity based on established criteria. While auditing focuses largely on financial information, the process also may involve examination of nonfinancial documents that reveal information about a business's conduct. Handled by a trained accountant, an audit and the auditor's report provide additional assurance to users of financial statements that the information presented in financial statements is accurate, and can help companies assess their performance and their compliance with applicable regulations.

TYPES OF AUDITORS

There are three types of auditors: internal, governmental, and external (i.e., independent auditors or certified public accountants). Internal auditors are employees of the organization whose activities are being examined and evaluated during an independent audit. The primary purposes of internal auditing are to review and assess a company's policies, procedures, and records and to review and assess a company's performance given its plans, policies, and procedures. Therefore, internal auditors review financial records and accounting systems, assess compliance with company policies, evaluate the efficiency of company operations, and assess the attainment of company goals.

Governmental auditors include accountants employed by the U.S. General Accounting Office (GAO). The GAO serves as the accounting and auditing branch of Congress. These governmental accountants perform accounting and auditing tasks for the entire federal government. In addition, most states have their own accounting and auditing agencies, which resemble the GAO. Because the GAO and its state counterparts are separate agencies from the departments and agencies they audit, they are similar to external auditors. Consequently, federal and state departments and agencies often have their own internal auditors, who provide internal auditing services similar to those described above. Moreover, GAO auditing largely has the same focus as internal auditing: examining financial records, assessing compliance with laws and regulations, reviewing efficiency of operations, and evaluating the achievement of objectives.

In contrast, the independent auditor is not an employee of the organization being audited or an employee of the government. He or she performs an examination with the objective of issuing a report containing an opinion on a client's financial statements. The attest function of external auditing refers to the auditor's expression of an opinion on a company's financial statements. Generally, the criteria for judging an auditor's financial statements are generally accepted accounting principles. The typical independent audit leads to an attestation regarding the fairness and dependability of the statements. This is communicated to the officials of the audited entity in the form of a written report accompanying the statements.

Investors and lenders are the primary users of financial statements and they rely on financial statements to make decisions such as whether to buy stocks or bonds, lend money, and extend credit. By conducting audits, external auditors make financial statements consistent and meaningful. To assess a company's position accurately, investors and lenders need credible financial information on a company's sales, profits, debt, value, and so forth. Companies usually have their own accountants and managers prepare their financial information, which could bring about a conflict of interest. Hence, users of financial statements demand the services of independent auditors to verify the accuracy of company information and lend credibility to the financial information, which is called attestation.

Since individual users cannot verify information contained in financial statements, auditing by external accountants reduces the number of mistakes in financial statements and prevents companies from issuing fraudulent statements. In addition, the Auditing Standards Board in 1997 issued its statement "Consideration of Fraud in a Financial Statement Audit," which requires greater effort on the part of external auditors to ensure that financial statements are free from fraud and misstatements.

TYPES OF AUDITS

Major types of audits conducted by external auditors include the financial statements audit, the operational audit, and the compliance audit. A financial statement audit (or attest audit) examines financial statements, records, and related operations to ascertain adherence to generally accepted accounting principles, meaning that the audit determines whether companies have followed the financial reporting standards given by various sanctioning boards such as the Financial Accounting Standards Board. An operational audit examines an organization's activities in order to assess performances and develop recommendations for improved use of business resources. A compliance audit has as its objective the determination of whether an organization is following established procedures or rules. Auditors also perform statutory audits, which are performed to comply with the requirements of a governing body, such as a federal, state, or city government or agency.

Internal auditors also perform financial statement audits, operational audits (which are also referred to as performance auditing and management auditing), and compliance audits, although their audits have a different scope and their reports a different purpose. Because of the potential for conflicts of interest, internal auditors perform financial statement audits for internal use only. Nevertheless, much of the work internal auditors do is similar to the work external auditors do, except that it is not intended for external use. In addition, an operational audit involves reviewing an organization's activities to evaluate performance, attainment of business goals, and efficient use of resources. Internal auditors also perform compliance audits to ensure conformity with company policies as well as with applicable government laws and regulations. Even though internal auditors are employees of the companies they audit, they nevertheless strive for independence insofar as possible.

AUDITING STANDARDS

The auditing process is based on standards, concepts, procedures, and reporting practices, primarily imposed by the American Institute of Certified Public Accountants (AICPA). While these standards and procedures constitute the foundation of auditing for all three types of auditors, other organizations such as the Institute of Internal Auditors and the General Accounting Office impose their own standards and procedures, which apply to internal auditing and governmental auditing, respectively. The auditing process relies on evidence, analysis, conventions, and informed professional judgment.
General standards are brief statements relating to such matters as training, independence, and professional care. AICPA general standards are:

- The examination is to be performed by a person or persons having adequate technical training and proficiency as an auditor.
- In all matters relating to the assignment, an independence in mental attitude is to be maintained by the auditor or auditors.
- Due professional care is to be exercised in the performance of the examination and the preparation of the report.

Standards of fieldwork provide basic planning standards to be followed during audits. AICPA standards of field work are:

- The work is to be adequately planned and assistants, if any, are to be properly supervised.
- There is to be a proper study and evaluation of the existing internal control as a basis for reliance thereon and for the determination of the resultant extent to which auditing procedures are to be restricted.
- Sufficient competent evidential matter is to be obtained through inspection, observation, inquiries, and confirmation to afford a reasonable basis for an opinion regarding the financial statements under examination.

Standards of reporting outline the required auditing standards relating to the audit report and its contents. AICPA standards of reporting are:

- The report shall state whether the financial statements are presented in accordance with generally accepted accounting principles.
- The report shall state whether such principles have been consistently observed in the current period in relation to the preceding period.
- Informative disclosures to the financial statements are to be regarded as reasonably adequate unless otherwise stated in the report.
- The report shall contain either an expression of opinion regarding the financial statements, taken as a whole, or an assertion to the effect that an opinion cannot be expressed. When an overall opinion cannot be expressed, the reasons therefor should be stated. In all cases where an auditor's name is associated with financial statements, the report should contain a clear-cut indication of the character of the auditor's examination, if any, and the degree of responsibility he or she is taking.

THE AUDITING PROCESS

Auditors generally conduct audits following four general steps: planning, gathering evidence, evaluating evidence, and issuing a report.
In planning the audit, the auditor develops an audit program that identifies and schedules audit procedures that are to be performed to obtain the evidence. The auditor must be aware of potential problems involved in the auditing process, such as whether company property and debt actually exist or whether company transactions actually took place. In addition, the auditor usually formulates a hypothesis about company financial information at this step, such as "Company financial reports are accurate" or "Company financial reports are inaccurate." Audit evidence is proof obtained to support these hypotheses and ultimately the audit's conclusions.

After the planning is completed, the auditor must collect the evidence necessary to support the audit's conclusions. Evidence-gathering procedures include observation, confirmation, calculations, analysis, inquiry, inspection, and comparison. An audit trail is a chronological record of economic events or transactions that have been experienced by an organization. The audit trail enables an auditor to evaluate the strengths and weaknesses of internal controls, system designs, and company policies and procedures.

The auditor must evaluate the initial hypothesis based on the evidence and accept or reject the hypothesis as a result. Finally, the auditor prepares a report based on the findings of the other steps, which involves making a decision about company records and claims and whether the actual evidence supports company records and claims.

AUDIT REPORTS

The independent audit report sets forth the independent auditor's opinion regarding the financial statements. The auditor's opinion indicates whether the financial statements are fairly presented in conformity with generally accepted accounting principles, and applied on a basis consistent with that of the preceding year (or in conformity with some other comprehensive basis of accounting that is appropriate for the entity). A fair presentation of financial statements is generally understood by accountants to refer to whether:

- The accounting principles used in the statements have general acceptability.
- The accounting principles are appropriate in the circumstances.
- The financial statements are prepared so they can be used, understood, and interpreted.
- The information presented in the financial statements is classified and summarized in a reasonable manner.
- The financial statements reflect the underlying events and transactions in a way that presents the financial position, results of operations, and cash flows within reasonable and practical limits.

The auditor's unqualified report contains three paragraphs. The introductory paragraph identifies the financial statements audited, states that management is responsible for those statements, and asserts that the auditor is responsible for expressing an opinion on them. The scope paragraph describes what the auditor has done and specifically states that the auditor has examined the financial statements in accordance with generally accepted auditing standards and has performed appropriate tests. The opinion paragraph expresses the auditor's opinion on whether the statements are in accordance with generally accepted accounting principles.

Various audit opinions are defined by the AICPA's Auditing Standards Board as follows:

- Unqualified opinion: An unqualified opinion states that the financial statements present fairly, in all material respects, the financial position, results of operations, and cash flows of the business in conformity with generally accepted accounting principles.
- Explanatory language added to the auditor's standard report: Circumstances may require that the auditor add an explanatory paragraph (or other explanatory language) to the report.
- Qualified opinion: A qualified opinion states that, except for the effects of the matter(s) to which the qualification relates, the financial statements present fairly, in all material respects, the financial position, results of operations, and cash flows of the business in conformity with generally accepted accounting principles.
- Adverse opinion: An adverse opinion states that the financial statements do not represent fairly the financial position, results of operations, or cash flows of the business in conformity with generally accepted accounting principles.
- Disclaimer of opinion: A disclaimer of opinion states that the auditor does not express an opinion on the financial statements.

The fair presentation of financial statements does not mean that the statements are fraud-proof. The independent auditor has the responsibility to search for errors or irregularities within the recognized limitations of the auditing process.
An auditor is subject to risks that material errors or irregularities, if they exist, will not be detected. Investors should examine the auditor's report for citations of problems such as debt-agreement violations or unresolved lawsuits. "Going concern" references can suggest that the company may not be able to survive as a functioning operation. If an "except for" statement appears in the report the investor should understand that there are certain problems or departures from generally accepted accounting principles in the statements that question whether the statements present fairly the company's financial statements and that will require the company to resolve the problem or somehow make the accounting treatment acceptable.

In contrast to the standardized report of external auditors, internal and governmental auditors prepare a variety of reports that serve a variety of purposes, depending on the auditing assignment and goals. Both internal and governmental reports strive to communicate information clearly and concisely. Government reports tend to emphasize the efficient use of resources by the government departments being audited, whereas internal reports tend to vary greatly because of the plethora of interests and purposes companies may have for auditing.

LEGAL RESPONSIBILITIES

The legal responsibilities of the auditor are determined primarily by the following:

- Specific contractual obligations undertaken.
- Statutes and common law governing the conduct and responsibilities of public accountants.
- Rules and regulations of voluntary professional organizations.
