Internal Audit

To provide independent, objective, and reasonable assurance services designed to lend positive influence and improve the Connecticut State Colleges & Universities' (CSCU) mission, operations, outcomes, and compliance. The internal audit division assists the organization in accomplishing its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of the overall control environment, leadership control over the network of enterprise business risks, and governance processes.  It is the integration of these activities, plans, attitudes, policies, systems, resources, and efforts of the Connecticut Board of Regents for Higher Education (BOR), and everyone within the CSCU system, working together to achieve its educational and/or business mission(s). 

It is imperative, per Generally Accepted Government Auditing Standards (GAGAS) and the Institute of Internal Auditors (IIA), that the internal audit function remain independent from all other departments and have a clear functional reporting structure to the BOR Audit Committee. 

Chairperson
BOR
Audit Committee

Internal Audit Division
Director of Internal Audit

Note: As the Internal Audit Division is a function of the CSCU Office of Compliance, the Director of Internal Audit will report administratively to the Deputy Chief Compliance Officer.  

It is critical to the functioning of the internal audit division that auditors be organizationally independent of leadership to enhance the audit team’s effectiveness. This independence also allows auditors to perform their work objectively, without bias or concern that they will be unduly influenced by those within CSCU leadership on audit issues. 

Personnel within the Internal Audit Division, in terms of the performance of their audit function and other duties, have strict responsibility for the safekeeping and privacy of all information received. The BOR Audit Committee authorizes the internal audit personnel to have, to the extent permitted by law, complete and unfettered access to any/all records, activities, personnel, files, financial information, and physical properties relevant to the engagement objectives and audit scope. Internal audit may be concerned with any activity within the CSCU system. As such, it must be noted that the function of internal audit is not restricted only to accounting and financial matters and goes beyond examining financial controls. Our goal is to always gain a complete understanding of the operation, system, or entity under review.  

It is recognized here that the Core Principles for the Professional Practice of Internal Auditing, Global Internal Audit Standards (Red Book), and the Code of Ethics shall guide this internal audit function.  

Internal Audit Division  

Within the internal audit division, we are to assess the organization’s enterprise risk management, control (including reporting and disclosure), and governance processes, as designed and represented by the various functional leaders throughout the CSCU system, are adequate and functioning in a manner to ensure: 

• Risks are appropriately identified and managed,
• Interaction with the various government agencies and governance bodies occurs as necessary,
• Financial, managerial, and operating information is current, accurate, complete, reliable, and timely,
• Sound practices are being utilized based upon industry, education, or governmental standards,
• Ensuring costs are allowable, allocable, and reasonable,
• Employees’ actions comply with policies, standards, procedures, union agreements, laws, and regulations,
• Resources are acquired economically, used efficiently, and safeguarded,
• Programs, plans, and objectives are measured and achieved,
• Quality and continuous improvement are fostered within the organization;
• Legislative or regulatory issues are identified and addressed appropriately and with the utmost expedience.

Internal audit strives to strengthen the organization’s ability to create, protect, and sustain value by providing independent, risk-based, and objective assurance, advice, insight, and foresight through operational, compliance, financial, investigation, and agreed-upon procedures. To that end, we communicate opportunities respectfully, responsibly, and discreetly to the appropriate level of leadership and to the BOR. 

To ensure independence, the reporting relationship, authority, and responsibility of the CSCU Internal Audit Division are established by the BOR and its Audit Committee.  The Director of Internal Audit reports directly to the BOR Audit Committee and has full independent access to the Audit Committee. 

The Director of Internal Audit, in the discharge of their duties, shall be accountable to the BOR Audit Committee to: 

• Provide an annual assessment (or more often as needed) of the adequacy and effectiveness of the system’s processes for controlling its activities and managing its risks in the areas under the system’s control.
• Report significant control-related issues and recommend improvements, and provide updates on the issues until they are resolved.
• Periodically, it provides information on the status and results of the annual internal audits and the sufficiency of the CSCU system’s resources.
• Coordinate with and provide oversight of other control and monitoring functions, including enterprise risk, controllership, treasury, governance, finance, disclosure, ethics, quality, regulatory compliance, security, legal, environmental, and external audit functions.

The Director of Internal Audit has the responsibility to:

• Develop a flexible internal audit plan using an appropriate risk-based methodology, including any risks or control concerns identified by the BOR or system leadership, and submit the plan to the BOR Audit Committee for review and/or comment,
• Implement the annual internal audit plan, including, as appropriate, any special tasks or projects requested by the BOR or senior leadership,
• Develop and maintain a reporting system for internal “whistleblower” complaints or concerns pertaining to fraud, waste, abuse, misuse of public funds/property, or ethical lapses.
  • Devote necessary resources, based upon urgency and risk, to identify and investigate if a complaint is to be of merit or to be unsubstantiated.  If the complaint is found to be of merit after investigation, it will be forwarded to the Chief Compliance Officer for further action.
  • If a complaint is found to be unsubstantiated after investigation, the issue will be closed with a follow-up (unless anonymous) to the referring party.
• Act as the primary liaison between the Auditors of Public Accounts and any other external auditors to ensure that:
  • Requests for information from an external auditor to the CSCU system are provided efficiently, accurately, and with expedience.
  • Responses to audit findings are answered consistently across the CSCU system, and directly in response to the Condition cited.
• Investigate any whistleblower complaints that have been delegated to CSCU by the Auditors of Public Accounts, and provide a written report to the Board of Regents Audit Committee, as well as the two State Auditors, at the conclusion of the investigation; and
• Maintain a professional audit staff with sufficient knowledge, skill, experience, and ability to meet the requirements of this audit division and its functions.

There are three overall purposes of internal control that aid an organization in achieving its mission.  They are: 

• Operational Objectives – pertaining to the effectiveness and efficiency of the entity’s operations, including operational and financial performance goals. These objectives promote orderly, economical operations and help produce quality products and services consistent with the organization's mission. They also help safeguard resources from loss due to waste, abuse, inadequate leadership, errors, and fraud.
• Reporting Objectives - relating to internal and external financial and non-financial reporting. These objectives may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the organization’s policies.
• Compliance Objectives - dealing with adherence to laws, regulations, contracts, and BOR policies and directives to which the system is subject.

Internal controls help an organization to achieve its objectives. They are the checks and balances to support the mission while helping prevent fraud, waste, and abuse, and ensuring the efficient use of resources. Internal controls are the first line of defense and the best mechanism an organization has to safeguard its assets and resources, even though they can provide only reasonable—not absolute—assurance. All organizations need internal controls to: 

• Accomplish their mission(s),
• Reduce opportunities for fraud,
• Prevent loss of funds or resources,
• Establish standards of performance,
• Ensure compliance with laws, regulations, policies, procedures, and best practices,
• Preserve integrity,
• Avoid negative publicity,
• Ensure public confidence; and
• To protect employees and students.

The consequences of weak internal controls can range from inaccurate or incomplete information to the waste or misuse of assets, and even to embezzlement or theft. One of the most dangerous things about a weak internal control system is that it engenders a lack of accountability. If adverse events occur, such as theft or severe failures, it can be difficult to identify the specific cause of the problem and determine who or what is responsible if accountability is not established. As a result, innocent staff can fall under suspicion. Strong controls can help to identify who or what went wrong, and what corrective actions are needed. On a broader level, a lack of accountability can erode public confidence and support and hamper an organization’s ability to serve the public effectively. 

1. Advisory Engagement in Emerging Priorities: Internal audit plays a proactive advisory role by offering thought leadership and process guidance in areas of strategic importance and new and emerging issues. These engagements allow internal audit to:
   1. Embed internal control considerations early in the design phase.
   2. Help departments navigate compliance and operational risks.
   3. Serve as a sounding board for new initiatives, even if in their infancy.
2. Pressure Test Controls Through Operational Audits: Internal audit applies a rigorous operational audit methodology grounded in Generally Accepted Government Auditing Standards (GAGAS). This includes:
   1. Evaluating the design and effectiveness of internal controls.
   2. Testing real-world applications of controls under operational conditions.
   3. Identifying control gaps and recommending corrective actions.
3. Driving Policy and Process Improvements: Internal audit contributes to the development and refinement of system policies by:
   1. Recommending best practices used within government and business.
   2. Reviewing and advising on draft policies or proposals before implementation.
   3. Following up on corrective actions to ensure sustained improvement.
4. Enhancing Governance Through Strategic Audit Planning: The internal audit function uses a risk-based planning model (also known as a heat map) that incorporates:
   1. Input from the BOR and CSCU system leadership.
   2. Use of previous audit findings, whether internal or external.
   3. Alignment with system priorities and possible resource constraints.
   4. Emerging issues to the CSCU system, whether internal or external to the system.
   5. Judgement from the Director of Internal Audit, and the varied Accounts Examiners within the Internal Audit Division.

Brian Green, CFE, MSAT

Director of Internal Audit
860-723-0320
brian.green2@ct.edu