Anyone who works in campus administration is used to internal audits. On several occasions, offices I have headed have been audited, and even more often I have ordered audits or investigations of departments that report to me. I have noticed over the years that many people become flustered and uptight about a scheduled audit, and that when they finally face the auditor they become noticeably tense, anxious, and uneasy.
"It's like when you're driving and suddenly look in your rearview mirror and discover that a cop is following you," one university auditor told me. "Even though you are perfectly innocent of any traffic violations, you become nervous and perhaps even a little paranoid. You slow down well below the speed limit and drive a little too carefully."
Some of us may well respond anxiously to university auditors, but they are not really internal law-enforcement officers. In fact, an auditor can be an administrator's best friend. I know some administrators who typically ask that their department be audited whenever they accept a new appointment, because they want to begin their new position fully aware of any risks or concerns.
Perhaps knowing a bit about the craft of auditing will help us to approach university auditors not as enforcers and adversaries but as colleagues and allies who potentially can save us from embarrassment—or worse.
Rather than focusing on ensnaring someone, the auditor's true mission is to protect the institution from risk, all kinds of risk. Is the department (or official) exposing the institution to a lawsuit? Or a fine from a regulatory body? Or liability resulting from a safety hazard? Or the likelihood of fraud or some future infraction because there are insufficient internal controls to prevent it? (An internal control is a policy or procedure established to prevent violations, as when a policy dictates that more than one official be required to sign a form in order for someone to access university money from an account.)
Auditors are valuable to institutions because they provide an independent perspective on a department. If an office is out of compliance, especially with state or federal regulations, it is much preferable to learn about that internally, so that the problems can be corrected, than to have an external agency discover the violations. One lawsuit or federal fine could cost an institution millions of dollars, so preventing or minimizing risk is a valuable exercise.
Most auditors perform several kinds of reviews, but the two most common are audits and investigations. An audit is a planned activity, usually conducted on a regular basis—perhaps every few years—although "special audits" can also be requested at any time. An investigation is an effort to discover whether something has occurred: a law broken, a regulation ignored, a rule violated. An investigation is narrower in scope than an audit, and is usually initiated by an allegation.
An auditor may begin an initial interview by asking a department head to identify the top three potential risks and then ask what steps have been taken to mitigate them. The reviewer might then ask, "What type of monitoring do you have in place to ensure that those risks are properly managed?"
The reviewer might eventually ask, "Are there any activities your department performs that could lead to adverse publicity because of the nature of your operations?" Examples might include hazardous-waste disposal or research involving controlled substances or human or animal subjects. Just as a violation of rules or laws can expose the institution to risk, so, can adverse publicity if something were to go awry. It's much better to identify, assess, and manage the risks in advance than to be blindsided later.
Auditors are likely to inquire whether your department has experienced a change in key personnel over the past year and whether procedures are clearly documented so that successors can continue their duties without a major disruption. That question is meant to determine whether you have taken appropriate measures to cross-train essential staff members. Otherwise you have placed the institution at risk were you suddenly to lose an indispensable employee.
A typical area that all auditors will examine is whether any conflicts of interest exist in a department. Has the chair hired his daughter's restaurant to cater all department functions? Has the supervisor accepted any "gifts" from a provider who hopes to sign a contract with the department? In short, are there any circumstances in which an accountable officer has the opportunity to obtain personal gain from an official decision that only he or she makes? Those are the kinds of areas of risk that auditors are trained to ferret out.
University auditors also perform focused investigations, usually of specific people: A faculty member is accused of charging a vacation trip to a grant account, a department chair is alleged to have misappropriated department money for personal use, a staff member is said to have engaged in petty theft, a dean is accused of "cooking the books."
Unlike audits, which are usually broad probes into the practices of a department, investigations are meant to determine if a specific person (or group of people) has engaged in an inappropriate act. But even in formal investigations, the role of the auditor is to determine the facts in a case, not to determine guilt or innocence. The appropriate administrator will do that based on the auditor's report.
Over the years, the role of university auditor has become increasingly professionalized. Auditors today must undergo substantial training. Many are certified public accountants. Others are certified internal auditors, and still others are certified fraud examiners. Some have all three types of training. Those specialists are supported by a number of national professional groups, including the Association of College & University Auditors, the Institute of Internal Auditors, and the Association of Certified Fraud Examiners.
University auditors may make us uncomfortable as they ask us the tough questions that we should be asking ourselves, but their role is not to trap us; it is to protect us and the institution.
One auditor I know said that good auditors do not approach clients with suspicion. He has adopted the familiar Reagan-era phrase as his office's motto: "Trust but verify."
"Our job is simply to find the facts," he told me—a goal that auditors share with all of us in academe.