Frequently Asked Questions

  • General Audit Info

    Who are internal auditors?

    As defined by the Institute of Internal Auditors (IIA), "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

    Internal Auditors' roles include monitoring, assessing, and analyzing organizational risk and controls; and reviewing and confirming information and compliance with policies, procedures, and laws. Working in partnership with management, internal auditors provide the board, the audit committee, and executive management assurance that risks are mitigated and that the organization's corporate governance is strong and effective. And, when there is room for improvement, internal auditors make recommendations for enhancing processes, policies, and procedures."

    Why does Columbia University have an internal audit function?

    The Office of Internal Audit exists by charter and by-law to assist University management and the Audit Committee of the Board of Trustees in effectively fulfilling their responsibilities. We are charged with examining and evaluating the policies, procedures, and systems which are in place to ensure: the reliability and integrity of information; compliance with policies, plans, laws, and regulations; the safeguarding of assets; and, the economical and efficient use of resources.

    What's the difference between external and internal auditors?

    External auditors, like independent public accounting firms, review the University's annual financial statements to ensure the information presented accurately portrays Columbia's financial condition and conforms to generally accepted accounting principles (GAAP). Government agencies, Columbia's Board of Trustees, and bond rating agencies rely on the independent auditor's opinion of Columbia's financial statements in making business decisions related to the University.

    External auditors can also be government, agency, or other third parties. Government auditors focus primarily on compliance with government regulations and award terms.

    How are departments or processes selected for audit?

    Internal Audit conducts a yearly university-wide risk assessment of the various business processes and financial reports through senior management discussions which results in the creation of the yearly Audit Plan.  This Audit Plan is presented and approved by the Audit Committee of the Board of Trustees.

    How can a department prepare for an audit?

    • Cooperation - on the part of the client and auditor are essential to a successful audit. In conducting routine audits, our purpose is to identify opportunities for improvement, which are in the best interests of both the University and the area being audited.
    • Acceptance of responsibility for creating and maintaining a good system of internal control over the activities (financial and non-financial) occurring within your organization. Establishment of a good system of internal control (and accountability for the lack thereof) is the responsibility of department and executive management, not the auditors. We will assist in identifying potential exposure areas and provide suggestions and recommendations as to how you might rectify these situations if and when they exist.
    • Review the audit process, best practices controls, and common audit findings section and implement corrections to any deficiencies.
    • If your area has been audited in the past by the Office of Internal Audit, it is worth reviewing the last audit report.  A standard feature of our audit approach is to review the progress of past recommendations.  It also is useful if you can make us aware of, or provide us with the information of any other reviews or inspections that have taken place in your unit.
    • Assemble appropriate and current background information about your unit that you think might help us in gaining an understanding of your administrative structure, nature of your operations and knowledge of employee roles and responsibilities. As a general guide, our work is focused upon the aims and objectives identified in your strategic plan so copies of the plan will be helpful. Other information might typically include any key procedures or policies, organization charts and financial information such as budgets and sample management reports. Copies of these documents are particularly helpful, although we recognize that many parts of the University now hold such information on their web sites – where this is the case, providing the relevant site address is useful for us.  In addition to assisting the auditor in understanding your operation more thoroughly, a well-documented strategic plan, policy/procedure manual, etc. will guide new as well as veteran employees regarding the established and approved methods of doing business.
    • Temporary workspace for the auditor(s) within reasonable proximity to the office staff and records. Since many of the original documents and records we will need to examine are located at the local department level, the auditor(s) will need a temporary work area with adequate space and lighting. The amount of time needed for the auditors to be physically present at your location will vary from audit to audit. We will attempt to perform as much of the audit as possible from our office so as to minimize any disruption of your operations.
    • Identify an audit contact person who can act as a liaison person to work with us. This member of staff should be responsible for ensuring that we have access to records and files or any other resources we need to complete our reviews as well as directing us to the appropriate colleagues who can help us complete specific areas of our review. This officer normally acts as our main point of contact as the audit progresses so that we can continue to keep you informed of how the work is going. Contact officers often find it useful to schedule meetings with us periodically throughout the audit to stay in touch with how we are progressing. We have found that this is a good way to facilitate communication, resolve issues on a timely basis, and correct any misunderstandings.
    • Access to all employees and pertinent records. As stated in the Columbia University Office of Internal Audit Charter, The Office of Internal Audit shall have full, free and unrestricted access to the University’s records, physical properties, personnel, independent auditors and other individuals relevant to an area under review. The auditor's analysis of your operation may require that several of your employees at various levels be asked to explain in detail how they perform their jobs. In addition to examining hard copy records, it may be necessary for the auditor to make photocopies, and/or obtain samples, of key documents for our files. The confidentiality of records reviewed during the course of the audit (i.e.: payroll data, student transcripts, etc.) will be maintained by the auditor(s).
    • Tell your staff about the audit. As part of our planning we provide an engagement letter that outlines in broad terms the work that we will be doing. Most units find it useful to distribute a copy of the engagement letter to their staff so that they know to expect us to be around the unit and have an idea of the type of work we will be undertaking. It also helps those staff that we need to contact, identify the sort of records and information that they need to have available when we meet with them.
    • An honest and candid appraisal of the audit process at the conclusion of the audit. As stated earlier, the department head of the area being audited will be provided with an Audit Effectiveness Questionnaire. Each member of the audit staff has been professionally trained in the practice of internal auditing. They are expected to abide by the professional standards and ethics established by the Institute of Internal Auditors as well as our own departmental standards. Your objective answers and constructive comments on the survey form will assist us in evaluating and improving the effectiveness of our program.
    • Please note that these are only general steps recommended to prepare for an audit. We recognize that specific steps and information requests that are unique to your unit will be identified and communicated to you as part of the initial contact and planning with us.

    What are internal auditors looking for?

    Key effective internal controls that manage risk and compliance with university policies and other external requirements. Columbia's policies (Administrative Policy Library, Essential Policies for the Columbia Community, IRB Policies and Guidance, College of Physicians and Surgeons Policies, and others) are designed to help ensure we all comply with applicable laws and regulations and operate efficiently. Not all internal controls can be codified in policy. If we find control weaknesses, we regularly make recommendations to implement a control even though it may not be specifically required by policy.

    What if Internal Audit has a finding during an audit?

    We will make recommendations for improvement. The recommendations are realistic because we want you to implement them. It is the responsibility of management to weigh possible additional costs of implementing our recommendations in terms of benefits to be derived and the relative risks involved.

    How can I learn more about risks and controls?

    We're also available to do presentations and training for your department.

    How long does an audit take?

    An audit could take from two months to six months to complete depending on the size and complexity of the area.  Although two to six months sounds like a lot of time, much of our work is done behind the scenes. Many people operate under the erroneous belief that in doing an audit we will spend lots of time with you and take time away from your other obligations. We may need to meet key personnel on the audit two or three times for maybe an hour at a time over the audit period. We may spend equal amounts of time, and perhaps less, with others in the department, but we will not be monopolizing anyone's time in the department and much of our work such as audit planning and report writing, is done in our offices.

    During the audit opening meeting, we will discuss the audit schedule and try to accommodate time constraints that you may have.

    Who will receive copies of my audit report?

    The final report, which includes comments and action plans from management of the area audited is distributed to the Executive VP for Finance, the Senior Executive VP for Finance, the Provost, the President, the Audit Committee Chair, the Independent Auditor and other management as appropriate.

    Does the Board of Trustees see what is in the audit reports?

    We prepare a quarterly report for the University Board of Trustees containing the most significant findings or systematic issues from our audits.

    Who audits the Audit Office?

    Internal Audit evaluates conformance of internal audit activities with the Institute of Internal Auditing International Professional Practices Framework (IPPF) and Code of Ethics. A quality assurance and improvement program exists to allow for the assessment of efficiency and effectiveness and identify opportunities for improvement of the internal audit practice.  The program consists of periodic internal and external assessments. The external assessment is conducted in accordance with requirements of International Standards for the Professional Practice of Internal Auditing. The Chief Audit Executive will present and discuss the results of any assessment with the Audit Committee and senior management.   The Chief Audit Executive may state that the internal audit activity conforms to the International Standards for the Professional Practice of Internal Auditing only if results of the quality assurance and improvement program support the statement.

    If I call you with information about a possible irregularity, will my identity be kept a secret?

    The Compliance Hotline  provides for anonymous report of financial or operational or other irregularities.

    How does the Office of Internal Audit conduct Investigations?

    The Office of Internal Audit is responsible for conducting investigations where there has been an allegation of an improper governmental act, such as fraud, misuse of University resources, or other policy violations.  These concerns may be reported either via the Compliance Hotline or by direct referral to the Office of Internal Audit  or the Office of the General Counsel  The goal of these reviews is to determine whether or not the allegation of the improper act is substantiated.

    Although the process for conducting an audit may apply in certain cases, the unique facts and circumstances of each investigation will determine whether the audit processes apply.  For example, similar to an audit, an investigation may include documentation review, review of electronic records and information systems, and interviews.

  • Lobbying Info

    Can I just bookmark the link to the web form, rather than using the link emailed to me on the first of the month?

    No, each month has a unique link tailored for you so you can complete your submission.  Please do not confuse links with different months.

    While on the website completing my disclosure the web form becomes nonresponsive.

    There is a timeout function with the online form, so try to complete your disclosure in one continuous sitting.

    I have been locked out of the survey. How do I get back in?

    To reactivate your link contact and a new link will be emailed to you.

    Who do I contact if I have trouble with the online form?

    For questions on the online disclosure form contact: