skip to main content

Internal Audit

View content
The Internal Audit Department is an independent function that reports directly to the Board of Regents. The audit team provides objective assurance and consulting services designed to add value and improve operations of CSCU.


Video: Internal Auditing in Higher Education

Watch Video

The Internal Audit Department is an independent function that reports directly to the Board of Regents (BOR). The audit team provides objective assurance and consulting services designed to add value and improve operations of the Connecticut State Colleges and Universities (CSCU). The Internal Audit Department utilizes a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, controls, and governance.


  • Develop an annual risk-based audit plan for review and approval by the Audit Committee of the BOR.
  • Execute the annual audit plan and report results to the BOR and Presidents.
  • Investigate allegations of fraud.
  • Conduct follow-up reviews of audit report comments from Internal Audit and external groups (e.g., Auditors of Public Accounts, U.S. Department of Education, external auditors), and report to the BOR on the implementation status of prior audit recommendations.

The Internal Audit Department is authorized to:

  • Have unrestricted access to all functions, records, information, property, and personnel.
  • Allocate resources, determine scopes of work, and apply the techniques required to accomplish audit objectives.
  • When necessary, obtain assistance of personnel within CSCU, as well as other specialized services from outside the organization, to assist in conducting planned audit activities.

Internal Audit Department Charter

Policy Statement: It is the policy of the Board of Regents (BOR) to maintain an Internal Audit function.

Objective: The objective of the BOR Internal Audit function is to assist Connecticut State Colleges and Universities (CSCU) management and the BOR in the effective discharge of their responsibilities. To this end, Internal Audit furnishes them with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed.

Independence: The Audit Director reports administratively to the BOR President, but functionally to the BOR Chairperson. This reporting relationship ensures departmental independence, promotes comprehensive audit coverage and assures adequate consideration of audit recommendations.

Authority: Personnel of the Internal Audit Department, in the performance of audits and with stringent accountabilities of safekeeping and confidentiality, have, to the extent permitted by law, complete and unrestricted access to any and all activities, information, records, property and employees, in all BOR and CSCU entities. Internal Audit may be concerned with any activity within any BOR or CSCU entity, and consequently, the function of Internal Audit is not restricted to matters of accounting and finance and goes beyond examining accounting controls to obtaining a full understanding of the operations under review.

Internal Audit is a staff function that has no direct authority over activities that its personnel review. The performance of these reviews does not relieve management of any assigned responsibilities, including being responsible for the internal control environment in their respective areas of the organization.

Objectivity is essential to the audit staff in the proper fulfillment of their duties. Performance of line responsibilities by internal auditors may compromise their objectivity. This practice will be limited and controlled by the Audit Director.

Professionalism: The Internal Audit function will be maintained in general compliance with the Standards set forth by the various Auditing, Accounting and Fraud associations in which membership is maintained.

Responsibility: The Internal Audit function will add value by helping the organization to improve operations and accomplish its objectives. This will be achieved by bringing a systematic, disciplined approach for evaluating and improving the effectiveness of risk management, control and governance processes. The fulfillment of this responsibility is not confined to, but includes:

  • Appraising the effectiveness and application of administrative and financial controls and reliability of data that is developed within the BOR and CSCU entities.
  • Evaluating sufficiency of and adherence to BOR and CSCU entity plans, policies and procedures and compliance with governmental laws and regulations.
  • Ascertaining the adequacy of controls for safeguarding BOR and CSCU entity assets and, when appropriate, verifying the existence of assets.
  • Performing special reviews requested by CSCU management or the BOR.


Internal control is a process for assuring achievement of an organization's objectives related to operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations, Policies, Standards, and Procedures.

Control Types

  • Preventive Control
    designed to discourage or pre-empt errors or irregularities from occurring. They are more cost-effective than detective controls. Credit checks, job descriptions, required authorization signatures, data entry checks, and physical control over assets to prevent their improper use are examples of preventive controls.
  • Detective Control
    designed to search for and identify errors after they have occurred. They are more expensive than preventive controls, but still essential since they measure the effectiveness of preventive controls. Reconciliations, periodic physical inventory counts, passwords, and transaction edits are examples of detective controls.
  • Corrective Control
    designed to prevent the recurrence of errors. They begin when improper outcomes occur and are detected and keep the "spotlight" on the problem until management can solve the problem or correct the defect. Budget variance reports are an example of corrective controls.

Audit Types

  • Compliance Audit
    review of adherence to laws, regulations, Policies, Standards, and Procedures. Recommendations typically call for improvements in processes and controls intended to ensure compliance.
  • Financial Audits
    examination of accounting and reporting of financial transactions, including commitments, authorizations, receipt and disbursement of funds. The purpose of this type of audit is to verify that there are adequate controls over use of resources, monetary assets and acquisition.
  • Information Technology (IT) Audit
    review of the internal control environment of automated information processing systems and how people use those systems. IT audits typically evaluate infrastructure, operating systems, application controls (e.g., input, processing, output), general controls (e.g., backup and recovery plan, change management, system security, data center), and IT projects, which can focus on existing systems, as well as systems in the development stage.
  • Investigation Audit
    in-depth review where questionable activity or irregularities are present or suspected. Specialized audit activities may be performed with scope in the area specified to determine the adequacy of internal controls. The expected result from this type of audit is to conclude on findings with recommendations aimed at preventing recurrence.
  • Operational Audit
    examination of controls pertaining to the use of resources to evaluate whether those resources are being used in the most effective and efficient manner to fulfill the institution's mission and objectives. An operational audit includes elements of the other audit types.

Frequently Asked Questions

Why and how was our department chosen for audit?

The CSCU Internal Audit Department develops an annual audit plan based upon risk. An audit may be selected because of the associated risks and included in the annual audit plan. The audit plan is approved by the Audit Committee of the BOR. Risks are evaluated by measuring likelihood and impact.

  • Likelihood is a probability or chance of an event.
  • Impact is the amount of effect an event has.

What is an audit?

An audit is an independent review of the financial, operational, or technical operations of an organization to determine the adequacy and effectiveness of Policies, Standards, and Procedures and the quality of performance in carrying out assigned responsibilities. Audit results can assist management in improving an organization's effectiveness of risk management, control, and governance processes.

An audit involves the following phases:

  • Planning phase - identification of high risk areas in order to define the scope;
  • Fieldwork phase - identification of controls and testing of implemented controls; and
  • Reporting phase - audit findings and recommendations are provided to all pertinent parties. A formal report is issued upon completion of the audit.

What is management's responsibility once the audit report is completed?

Prior to issuance of the final report, management is provided with a findings document. The document is used by management to provide their responses for each item that will be identified on the report, including steps on how identified risks will be addressed and a target date for completion. The findings document with management's responses is included in the final report. Issues identified as High risk should be addressed as soon as possible.

What is an audit follow-up?

The follow-up process is a review performed by the audit team to obtain the status of prior audit report comments.

How long do audits take?

There is no easy answer to this question as each audit's length will depend on the nature and scope of the audit. Some audits may take a month, while more complex audits can be several months in duration.

Policies, Standards, and Procedures

Policy, Standards, and Procedures Pryamid

Policies are high-level statements relating to operations across the business and should be created by senior management and approved by the BOR.

Policies outline roles and responsibilities, security objectives, and provide a high-level description of the controls that must be in place. Documented policies are frequently a requirement to satisfy laws and regulations, such as those relating to privacy, finance, and IT.

From a legal and compliance perspective, policies are often viewed as a commitment from senior management to provide expectations and set boundaries related to the control environment.

Standards consist of specific, mandatory controls that help enforce and support the high-level Policies and operations. Standards help to ensure consistency across the business and usually contain controls relating to the implementation of specific rules (e.g., password complexity).

Procedures consist of step-by-step instructions to assist employees in implementing the criteria identified in the Standards.


  • A policy may state all business information must be adequately protected when being transferred.
  • A supporting data transfer standard builds upon this, requiring that all sensitive data be encrypted using a specific encryption type and that all data transfers are logged.
  • A procedure provides step-by-step instructions for performing encrypted data transfers and ensures compliance with the associated policy and standards.