Frequently Asked Questions (FAQ)

Internal control is a process in which all University employees participate. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as follows:

Internal control is a process, effected by an entity’s board of directors, management, and other personnel designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Examples of internal controls could include, but are not limited to: segregation of duties, physical controls, reconciliations, policies and procedures, and transaction and activity reviews.

University management is charged with the responsibility for establishing and maintaining an adequate system of internal control. Internal Audit evaluates the adequacy of existing controls and makes recommendations for improvement. Internal Audit neither seeks nor accepts responsibility for day-to-day processing functions and does not wish to place itself in the position of auditing its own performance.

The Office of Internal Audit conducts regular, ongoing examinations of the University’s  internal controls. In addition to routine rotational audits of the University’s Colleges, Campuses, and Administrative Units, and annual compliance audits, Internal Audit, consistent with audit profession standards, employs a risk-based approach for the development of the annual audit plan. A risk-based approach is one whereby, through various interviews and assessments, an audit plan is designed to target those areas, processes, and specific functions that present the greatest risk to the University and the relevant area’s operations and strategic goals if internal controls were not in place or not functioning properly.  Once developed, the plan is reviewed with the Senior Vice President for Finance and Business/Treasurer, and approved by  the Committee on Audit and Risk of the Board of Trustees.

Exceptions to the above audit selection process include special investigations, which are matters brought to the attention of Internal Audit through the hotline reporting process, or from other reporting means of specific concerns related to fraud, waste, abuse, or compliance with government or University policies or procedures.

Typically, a representative from the Office of Internal Audit will contact you to schedule a meeting to discuss the planned objectives, scope, timing, and any other logistics. A regularly scheduled audit typically has four phases: planning, fieldwork, reporting and follow-up. Refer to our section regarding the audit process here. 

Please do not stress when you receive an audit announcement! We are here to help. We will discuss all aspects of the audit with you and are happy to answer any questions you have. Here are a few things you can do to prepare once you receive an audit announcement:

• Review our website to become familiar with our audit processes
• Inform individuals in your area that we are conducting an audit and stress the importance of responding to our audit inquiries in a timely manner
• Determine if there are systems or internal sites that Internal Audit may need access to review (for example, intranet sites that contain internal policies or procedure manuals)
• Assess whether you have any concerns or challenges within your unit for which we may be of assistance.  Leverage the audit process as an opportunity to obtain an independent evaluation of areas with which you may have concerns or to obtain confirmation that areas of strength are indeed operating as such.

Each audit is unique and the time necessary to complete an audit is dependent upon the objectives and scope.  Upon finalization of the audit scope, the audit team assigned to the audit will be able to give you an estimate of the time anticipated to complete the audit. We acknowledge that you have daily job responsibilities and demands beyond the audit and will make every effort to keep disruption from your area’s usual routine to a minimum. You can help meet the timeline provided by responding to our audit requests in a timely manner. We appreciate your assistance and cooperation.

Please do not hesitate to submit your report to the Penn State Hotline. Concerns can be reported anonymously. 

As required by the Institute of Internal Auditors standards of professional practice, the internal audit function must complete ongoing monitoring to evaluate the performance of the internal audit activity. One of ways that Internal Audit evaluates the performance of the internal audit activity is by soliciting and reviewing feedback from audit clients and other stakeholders.

At the conclusion of the audit, you may receive a request for feedback. This will be received via email with a link for a Microsoft Forms survey from our department’s email address, [email protected].