Learn about the Investigation Process

Learn about the internal audit investigation process at Columbia University. 


The Office of Internal Audit is responsible for conducting investigations where there has been an allegation of an improper governmental act, such as fraud, misuse of University resources, or other policy violations. These concerns may be reported either via the Compliance Hotline, or by direct referral to the Office of Internal Audit or the Office of the General Counsel.

The goal of these reviews is to determine whether or not the allegation of the improper act is substantiated.

Although the process for conducting an audit may apply in certain cases, the unique facts and circumstances of each investigation will determine whether the audit processes apply. For example, similar to an audit, an investigation may include documentation review, review of electronic records and information systems, and interviews.

Step 1: Report of a Complaint

If we are notified by management, Human Resources, Public Safety, or other offices, we will obtain basic information about the situation and, if necessary, arrange a time to meet to discuss the situation. If the notice comes from a member of management, we will advise the individual of the need to report the situation to other offices as deemed appropriate.

If we are notified anonymously or by someone other than a member of University management, we should obtain as much information as possible from the individual making the complaint. At minimum, we need to identify the nature of the caller’s concerns, the area where the potential misuse has occurred or the names of individuals believed to be involved, and obtain copies of any documentation that may be available.

Step 2: Initial Assessment

Internal Audit reviews each report and determines whether or not Internal Audit needs to investigate the issues identified in the report.

We will generally limit our investigations to situations involving loss or misuse of funds or other types of misuse that may have occurred due to breakdown in controls.

Step 3: Investigation

The goals of investigations of potential misuse are to determine if the allegations of misuse are valid, then to identify control weaknesses or breakdowns in procedure that allowed the situation and any related problems to occur, determine the extent of any loss and recommend corrective action to prevent the situation from recurring.

The type of investigative procedures used will depend on the nature of the potential misuse and the results of the preliminary review.

The investigation may stop with the preliminary review if that shows the allegations are not valid, or if the issues are minor and can be resolved through meetings with management of the area involved.

If the allegations are found to be valid, the investigation may involve complex analyses of processes, reviews of access capabilities, and extensive tests of records.

There may be a need to extend the review into areas and activities not identified in the initial complaint. An auditor performing a misuse investigation must exercise considerable judgment in selecting the type and extent of procedures to be performed.

The two most important steps in the investigative process are:

  • determining where the allegations are likely to be valid and
  • identifying control weaknesses that allowed any misuse to occur.

If allegations are clearly invalid, there is no need to perform extensive work to investigate them. We need to understand how a loss occurred and what weaknesses are involved in order to know what we should investigate and how. Investigations of potential misuse must be conducted in a confidential manner and with respect for the rights of the individual involved.

Whenever possible, Internal Audit will notify appropriate members of management prior to beginning an investigation. Advance notice may not be possible in rare situations when even a small delay could allow additional funds to be lost or records destroyed. In these situations, Internal Audit will notify management as soon as possible after the investigation begins.

If allegations involve possible misuse by management of an area, Internal Audit will coordinate any investigation through an organizational level to which this area reports.

If an investigation reveals a potential violation of any federal, state, or local law, we will consult with the Office of General Counsel for guidance. If appropriate, we will also obtain guidance from the Public Safety.

Step 4: Investigation Reporting

The results of investigations are provided to University Leadership and others who have a need to know.

Reports may be prepared for the audit committee regarding the status of the fraud theft prevention and detection program. The investigator will meet with University officers and senior administrators to discuss the status of ongoing investigations, suggest recommended courses of action, and follow up.

The audit committee chair receives reports of Investigations and their status on a quarterly basis.

Compliance Hotline

Visit the Compliance Hotline website to anonymously report or seek guidance on possible compliance issues, via telephone or online. 

Office of the General Counsel 

You are invited and encouraged to contact the Office of the General Counsel for assistance on matters affecting the University.

Audit Preparation FAQs

If I call you with information about a possible irregularity, will my identity be kept a secret?

The Compliance Hotline  provides for anonymous report of financial or operational or other irregularities.

Still have questions?

Visit our Service Center.