Internal Audit Standard Operating Procedures

Outlined below are the procedures that will normally be followed for conducting internal audits at the
University of San Francisco. These procedures may not be followed for certain special projects
requested by the Audit Committee of the Board of Trustees and/or the President, during financial
irregularity audits, and during other special circumstances.

1. Conduct Enterprise-Wide Risk Management Assessment

From time to time, in cooperation with senior management and department management,
conduct an enterprise-wide risk assessment.

Gather senior management and department management input, as appropriate, on the

enterprise-wide risk assessment.

2. Prepare Annual Internal Audit Plan

Prepare a Draft Annual Internal Audit Plan based upon the results of the enterprise-wide risk
assessment process.

Obtain comments and formal approval of the Audit Committee of the Board of Trustees for
the Annual Internal Audit Plan.

This plan will be subject to periodic review to ensure that it continually focuses on the Universitys
higher risk areas, which may change from time to time. Of course, the need to conduct reviews or
audits of alleged irregularities or special projects for the Audit Committee of the Board of Trustees
and/or the President may require the deferral of otherwise planned audits.

3. Communicate Annual Internal Audit Plan

After formal approval by the Audit Committee of the Board of Trustees, distribute the Annual
Internal Audit Plan as directed by the Audit Committee of the Board of Trustees.

Ensure that appropriate senior managers or department managers are informed in a timely
manner prior to each regularly scheduled internal audit.

Notwithstanding the foregoing, it is important to note that reviews of alleged irregularities or special
projects for the Audit Committee of the Board of Trustees and/or the President may require different
procedures involving little or no notification to those involved.

4. Conduct Internal Audit Planning and Notification

If appropriate, meet with senior management and/or department management before the
beginning of scheduled audits to discuss the risk considerations that led to the audit being
included in the Annual Internal Audit Plan, the expected scope of the audit, and current
management concerns.

If appropriate, hold an Opening Conference with senior management or department

management and staff and other stakeholders to go over the audit plan, obtain documents,
schedule interviews, and shape expectations for audit deliverables.

5. Perform Audit Fieldwork

Carry out fieldwork as indicated in the Annual Internal Audit Plan.

Obtain cooperation from senior management, department management, and department

staff, as necessary, in identifying and obtaining documentation, conducting interviews, etcetera.

Whenever practical, conduct fieldwork with minimal disruption to department operations.

6. Report Results

In general, share important and sensitive findings with senior management and/or
department management, as appropriate, immediately upon verification; memorandums and/or
e-mails may be used to facilitate this process.

Immediately following the fieldwork, prepare a First Draft Final Audit Report and discuss it
with senior management and/or department management, as appropriate.

7. Conclude Audit

Schedule a Closing Conference after senior management and/or department management,

as appropriate, has received the First Draft Final Audit Report; this conference will provide an
opportunity for management to discuss findings, conclusions, and recommendations with the
Director of Internal Audit and Tax Compliance.

During or immediately after the Closing Conference, ask senior management and/or
department management to provide their responses to the Director of Internal Audit and Tax
Compliances findings and recommendations in writing.

8. Review Final Audit Report

Send the Final Draft Audit Report to senior management and/or department management
and discuss suggested changes with the appropriate level of management.

After processing any relevant changes, issue the Final Audit report to relevant parties.

9. Disseminate Final Audit Reports

Provide the Audit Committee of the Board of Trustees and the President with periodic
summaries of audit findings as well as complete copies of all Final Audit Reports.