Learn About Internal Audit and its Role at the University
Learn about the Office of Internal Audit, its role, and risk assessments at Columbia University.
The Office of Internal Audit works in support of the Board of Trustees and in collaboration with management and external auditors to assess the effectiveness of the internal controls framework devised by the University. The internal controls framework consists of policies, procedures, and activities that safeguard the assets of the organization and ensure that the financial reporting of the University is reliable. Internal Audit accomplishes this by evaluating business processes, strategy and the risks that are present within.
Internal Audit performs audits with a focus on financial, operational, compliance, strategic and reputation risks. Internal Audit is also responsible for auditing information systems and the controls embedded within those systems to support organizational processes and goals. Our audits are designed to ensure that the University is functioning in the most efficient manner, and that controls are adequate and effective. We perform our audits based on an annual risk-based audit plan, as well as at the request of the Board, University Management, Deans, and Department Heads.
Finally, Internal Audit also works in collaboration with the Office of General Counsel and the Department of Public Safety to conduct investigations of reports of theft or misappropriation of University assets. We also collaborate to address all issues that are reported to the Compliance Hotline.
Who are internal auditors?
As defined by the Institute of Internal Auditors (IIA), "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Internal Auditors' roles include monitoring, assessing, and analyzing organizational risk and controls; and reviewing and confirming information and compliance with policies, procedures, and laws. Working in partnership with management, internal auditors provide the board, the audit committee, and executive management assurance that risks are mitigated and that the organization's corporate governance is strong and effective. And, when there is room for improvement, internal auditors make recommendations for enhancing processes, policies, and procedures."
Why does Columbia University have an internal audit function?
The Office of Internal Audit exists by charter and by-law to assist University management and the Audit Committee of the Board of Trustees in effectively fulfilling their responsibilities. We are charged with examining and evaluating the policies, procedures, and systems that are in place to ensure: the reliability and integrity of information; compliance with policies, plans, laws, and regulations; the safeguarding of assets; and, the economical and efficient use of resources.
What's the difference between external and internal auditors?
External auditors, like independent public accounting firms, review the University's annual financial statements to ensure the information presented accurately portrays Columbia's financial condition and conforms to generally accepted accounting principles (GAAP). Government agencies, Columbia's Board of Trustees, and bond rating agencies rely on the independent auditor's opinion of Columbia's financial statements in making business decisions related to the University.
External auditors can also be government, agency, or other third parties. Government auditors focus primarily on compliance with government regulations and award terms.
The Office of Internal Audit works in support of the Board of Trustees and in collaboration with management and external auditors to assess risks within the University and evaluates the effectiveness of the internal controls in place which mitigate risks. Risks can be classified as financial, operational, compliance, strategic and reputational.
Our audits are designed to ensure that the University is operating effectively and efficiently, through a robust system of internal controls. Our audits include a Board approved risk-based audit plan, as well as other requests from the Board, University Management, Deans, and Department Heads.
Internal Audit is also responsible for auditing information systems and the controls embedded within technology operations and those systems to support organizational processes and goals.
Internal Audit also conducts investigations of Compliance Hotline and internal or external reports of theft or misappropriation of University assets. We work in collaboration with the Office of General Counsel and the Department of Public Safety on all investigative matters.
Risk management is the responsibility of all employees of the University. Senior managers, deans, and department heads are responsible more directly for risk management within their areas of business.
Internal Audit is responsible for an independent and collaborative assessment of risks, the yearly risk assessment, which helps develop a risk-based audit plan that is presented and approved by the Audit Committee of the Board of Trustees. The assessment is conducted in partnership with management, in order to ensure that all areas of risk are identified and relevant to the University.
Insurance and Risk Management
Separately, the University's Insurance and Risk Management department is responsible for providing assistance to procure mitigating mechanisms such as insurance for those activities that can be insured.
Risk Assessment is the identification and analysis of risks to the achievement of an organization's objectives, for the purpose of determining how those risks should be managed. Risk assessment implies an initial determination of operating objectives, then a systematic identification of those activities or events that could prevent a business unit from reaching its objectives. In other words, it's an analysis of what could go wrong.
A yearly review of the various business processes and financial reports coupled with senior management discussions results in the creation of the yearly Audit Plan which is presented and approved by the Audit Committee of the Board of Trustees.
What could go wrong, or what could prevent my business/school/department from achieving its goals?
- How do I determine how important it is?
- How much would it impact my area?
- How often could it occur?
- How will you know that something has gone wrong?
- When do you know that something has gone wrong?
- How do you communicate the event to the right people at the right time?
- Do you know what you need to do to address a potential problem?
- How long should it take to correct?
- Was the correction effective?
Who is responsible for Risk Assessments?
- Internal Audit – to develop its plan
- Management – to understand areas of weakness or opportunity
- Senior Management – Central, Enterprise Risk Management
- Middle Management – School
- Lower Management – Department, Division, Center, Business Area
This Audit Charter primarily aims to define and establish:
- The Role of the Office of Internal Audit within Columbia University.
- The objectives and scope of the Office of Internal Audit.
- The Office of Internal Audit's position within Columbia University, its access to various records, departments and activities, its responsibility and accountability.
Visit the Compliance Hotline website to anonymously report or seek guidance on possible compliance issues, via telephone or online.
Office of the General Counsel
You are invited and encouraged to contact the Office of the General Counsel for assistance on matters affecting the University.
Contact the Office of Internal Audit by phone at 212-851-7234 or by email at [email protected].