9.      Who audits OAC?
1.  How are audits selected?
OAC conducts an annual risk assessment, which includes identifying the audit universe (i.e., auditable entities, which takes into consideration financial, operational, and compliance risks to the University).  Based on the risk assessment and other risk factors (e.g., use of technology, prior audit observations), the annual audit plan is developed and approved by the Committee on Audit and Compliance (ACC).  See the Annual Audit Plan for additional information.
      Back to the Top
2.  How long will the audit take? How much of my time will be required?
The length of each audit depends primarily on the scope of the audit. OAC appreciates the time devoted to this process and will work with you so the audit does not negatively interrupt daily responsibilities.  Typically, there is a central point of contact for the audit who OAC works with in order to obtain any documentation or schedule meetings.  It should also be noted our auditors are involved with multiple projects whereby our time in your area will not necessarily be continuous.  OAC will keep you updated about the status throughout the process.
      Back to the Top
3.  What should I expect of the basic audit process?
The typical audit process at Princeton is broken down into four phases - Risk Assessment/Audit Scope, Preliminary/Process Review, Fieldwork, and Reporting/Follow-up.  Please see our Audit Process for more details.  During our kickoff meeting, we explain the audit process and can address any questions at that time.
      Back to the Top
  4.  What information will I need to provide to the auditors?
OAC seeks to provide reasonable assurance to University management and the Board of Trustees regarding the operation and design of internal controls in order to manage risk.  Documentation or information provided to OAC should confirm an entity's or function's execution of internal controls (e.g., policies, procedures, checklists, manuals).  However, documentation should not exist or be maintained for the sole purposes of OAC; instead, it should support and actively be part of an entity's internal control practices.
      Back to the Top
5.  Can a department request Internal Audit services?
Any office or department at the University may request Internal Audit services or reach out to OAC for assistance.  Please contact the appropriate Director for more information.  Depending on the priorities of the University and OAC, we may or may not be able to immediately accommodate your request, but will certainly discuss your needs and expectations, and can offer initial thoughts for your consideration. 
      Back to the Top
  6.  What is the difference between internal and external auditors? What should I do if an auditor contacts me?
The Institute of Internal Auditors defines internal auditing as, "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."  Essentially, the purpose of Internal Audit is to evaluate the adequacy and effectiveness of internal controls to manage risk and to serve in a consultative capacity regarding controls, processes, operations, and systems. 

Princeton University's independent accounting firm (external auditors) is primarily concerned with the completeness, accuracy, and fair presentation of the University's financial statements and the financial condition of the institution.
Government (External) Auditors are concerned with the University's compliance with government regulations and sponsored research grants.  Internal Auditors are part of the University and concerned with the adequacy and effectiveness of internal controls.
If you are contacted by internal audit, you should notify your supervisor about an impending audit if that was the purpose of the contact and review this website to understand the audit process.  If you are contacted by an external auditor, you should immediately contact your Office of Research and Project Administration or Sponsored Research Accounting liaison for further instruction and assistance as all external auditors should be going through one of these offices for any requests or information involving Princeton. 
      Back to the Top
7.  Who does Internal Audit report to? What is the authority of OAC?
The Chief Audit and Compliance Officer functionally reports to the Chair of the ACC and administratively to the Executive Vice President.  OAC reports to the Chief Audit and Compliance Officer.  For additional information on OAC and its reporting structure, please refer to the OAC Organizational Chart.

Per our Internal Audit Charter, "Internal Audit has full, free, and unrestricted access to any and all University books, records, information systems, physical properties, and personnel relevant to any function under review, as required to satisfy its audit and compliance responsibilities.  All employees are expected to assist Internal Audit in fulfilling its function."
      Back to the Top
8.  Who receives copies of audit reports? How confidential is my report?
Copies of audit reports will be shared with relevant members of management as well as the Executive Compliance Committee (ECC) and a summary to the ACC.  Princeton's external accounting firm is also updated with the results of audits throughout the year.  Any sensitive information provided to OAC related to an audit, ranging from hardcopy documentation to verbal discussions will be kept strictly confidential and will only be shared with key members of management who receive the final audit report.
      Back to the Top
9.  Who audits OAC?
OAC is subject to a quality assurance review, which includes an external assessment conducted at least once every five years by a qualified and independent review team as required by the “International Standards for the Professional Practice of Internal Auditing” set forth by the Institute of Internal Auditors, which OAC follows.  We also perform internal self-assessments.
      Back to the Top
10.  If I have information about a possible irregularity, violation, crime or concern, what should I do?
If you suspect a possible irregularity, you should report all concerns to your department chair or supervisor.  In instances where you are uncomfortable with this approach or unable to report your concern to your department chair or supervisor, you may report directly to the Office of the Dean of the Faculty or the Office of Human Resources.  In instances where you are uncomfortable with both of these options, if you wish to remain anonymous, or if all avenues have been exhausted and a sufficient response has not been received, you may report concerns using the University Hotline
There are situations that should be reported directly to law enforcement as well, such as where there is a suspected crime in progress or a suspected crime posing an imminent or serious threat to individual safety.  In these situations, you should contact the Department of Public Safety, and then notify your department chair or supervisor (or the Office of the Dean of the Faculty or the Office of Human Resources).
      Back to the Top