Stanford
Office of the Chief Risk Officer

How Are Internal Audits Scheduled?

How Are Internal Audits Scheduled?

Internal Audit periodically performs assessments of University operating units and control functions to identify areas of potential institutional risk. Based on these assessments and discussions with management, the Chief Risk Officer recommends an annual audit plan, which is approved by the Committee on Audit, Compliance and Risk of the Board of Trustees.

Internal Audit also responds to special requests from University and department management, inquiries received from members of the Stanford community through the University's Code of Conduct for Business Activities (Administrative Guide Memo 1.1.1), and special requests for audits from external agencies.

Common elements of an internal audit engagement include the following:

  • Scheduling an opening conference to discuss audit objectives, timing, and intended report format and distribution
  • Evaluating internal control systems
  • Testing to ensure proper operation of internal control systems
  • Developing conclusions based on test results
  • Reviewing audit issues and draft audit reports with management and staff
  • Preparing and distributing an audit report which generally include management's responses to the issues raised
  • Following up to ensure all issues raised in audit reports have been addressed