Skip to main content Skip to navigation
Office of Internal Audit Frequently Asked Questions

In addition to the questions and answers included here, the Executive Ethics Board also has a Frequently Asked Questions site that focuses on ethical situations.

Please revisit this site again as we will periodically update with new questions and answers. As always, contact us if you have questions or need assistance.


What do Internal Auditors do?

Internal Auditors provide a service to the University. We examine University activities for compliance with applicable policies, procedures, laws and regulations. We also perform reviews and issue audit reports which address the effectiveness of accounting, financial and other controls. Our office is available to assist with concerns, questions, or reviews of new systems, ethics and compliance issues, and, as a liaison for external audit interactions.

How do you decide what to audit?

Internal Audit schedules audit and consulting projects according to its annual plan, which is reviewed by the President.

We begin the planning process by performing an enterprise-wide risk assessment to identify the significant risks to the University’s operations, reputation and strategic goals. The assessment of these risks helps to identify possible audits. Certain programs or functions may be subject to audit by policy or regulatory requirements. External auditors may raise questions or report findings that suggest the need for detailed internal reviews. University administrators may request audits of specific programs or operations. Our own Internal Audit team also suggests audits based on our broad knowledge of the University, its projects and risks, prior audit issues, and related work in another area.

Because of time and staff constraints, we cannot audit all possible areas identified. In preparing our annual audit plan, we evaluate the risks and possible benefits from each project. We give priority to higher-risk and higher-benefit projects, required audits, and new initiatives, subject to our skills and resources. We also allocate a percentage of available time to unanticipated audits (such as fraud or ethics investigations) so that we can effectively respond to such needs.

What are good internal controls? Why should I be concerned?

Good internal controls safeguard or make more efficient and effective use of University assets. They are good business practices that assist you in achieving your objectives. Good internal controls are cost effective, timely and flexible. Good controls are placed where they are most effective and identify both the problem and the cause.

Senior administrators are responsible for developing a good system of internal controls, but all employees should be concerned about maintaining good internal controls because they help to achieve the agency’s objectives. See Internal Controls for more information.

What are good business risks?

Business risks are those circumstances, events or activities, that can adversely affect the achievement of the University’s objectives. Some examples include: misappropriation or unauthorized use of funds or assets, receipt of substandard or excess supplies, purchases made from suppliers related to buyers, system-wide IT disruptions, or negative publicity from confidentiality breaches. See Risk Assessment.

Who audits the auditor?

Everyone audits the auditors – there is no single person or group with that responsibility. The President evaluates Internal Audit performance and receives our report on the progress and results of our plan. The University’s external auditors assess the effectiveness and adequacy of our operations during their annual examination of the financial statements and statutory compliance audit. Our clients evaluate us and provide feedback on our performance at the conclusion of our projects.

Who gets copies of the audit report?

All final audit reports will be distributed to the relevant administrators of the area audited, and made available to the President, the AAG Division Chief and the State Auditor’s Office. Results of planned audits are also shared with the Board of Regents as posted in their meeting agenda material online.

What about confidentiality?

Internal Auditors have access to all records and assets of the University, and we understand we have an obligation to maintain the confidentiality of that information. Each Internal Auditor receives specific instruction on confidentiality requirements and signs confidentiality agreements on an annual basis.

What if I suspect fraud?

Any person who suspects or has knowledge of fraud or unethical activities at the University should contact Internal Audit  to make a confidential report.  If you are a University employee, you have a responsibility to report any known or suspected fraud.

You will not be required to identify yourself, but you will be asked to provide as much detailed information as you can, in writing, about the alleged wrongdoing, so that an adequate and thorough investigation may be performed. Additional information on Fraud is available at Fraud, Waste, and Abuse.

How long should records be maintained?

Departments are responsible for retaining and disposing of University records in accordance with retention periods approved by the Washington State Records Committee. All records and copies of records made or received in the conduct of WSU business, regardless of physical form, are considered public records for purposes of retention and disposition. Departments are responsible for securely maintaining the records for the retention period indicated on the retention schedule. See BPPM 90.01 for more information on Record Retention and Disposition.

If an audit, legal action, or public records request is in progress, do not dispose of related records even if disposition is authorized by the retention schedule. Special care must be taken with the maintenance and disposition of confidential records. If you have records that are not on the retention schedule, contact the Records Officer.

How do I ensure that duties are properly segregated for a small department?

It can often be difficult for small departments to properly segregate specific functions that it performs. For example, if a department has one employee to perform payroll processes and initiate and coordinate purchases, it can be a challenge to ensure proper controls over these procedures. In situations such as these, management oversight becomes so important. Managerial oversight is a strong control in any system. However, in small departments, management will be required to provide more intense, direct oversight than in the larger, well-segregated departments. Management should review all payroll records, receipts, and thoroughly review monthly financial reports and reconciliations. We would also recommend management sign off on any records they review. See Internal Controls for more information.