Reaching Others University at Buffalo - The State University of New York
Skip to Content
Serving all your human resources, business and financial needs

Internal Audit

On this page:

Internal Audit is an independent, objective, assurance and consulting activity, assisting the university in meeting its objectives and improving the effectiveness of risk management, control and governance processes.


The Internal Audit department complies with professional standards and brings a systematic, disciplined approach to each audit assignment.


Routine Audits

Generally, a routine internal audit is an independent review of the control systems inherent in a unit's operating policies and procedures. Internal auditing can be thought of as a control that functions by reviewing other controls. Internal audit reviews can provide you with important and useful information. They can help you determine whether there are appropriate internal controls over your activities and show you ways to improve the efficiency and effectiveness of your operations.

Our audits examine controls over:

  • Timely and accurate recording of financial transactions
  • Efficient use of University resources
  • The safeguarding of University assets
  • Compliance with applicable laws, regulations, policies, and procedures
  • Effectiveness in achieving departmental goals and objectives

Depending on its specific purpose, an audit may concentrate on one or all of these areas.

Understanding the audit process is made easier if we know how an audit is selected, what are the phases of an audit, and the types of audits that could be performed.  With this information, we may better understand the age old question — Why would I request audit services?

Routine Audit Selection

Annually, the Director of Internal Audit prepares an audit plan. The goal of the annual planning process is to identify what units can most benefit from assurance services and ensure that Internal Audit resources are being focused to best meet the needs of the university. Typically, a risk assessment is performed of the major functional areas using industry trends, past audit experience and campus input. In addition, random selection ensures periodic service to all units. Some factors considered in the assessment of risk include: 

  • Critical nature of the unit in meeting university objectives
  • Length of time since and results of previous audits — internal and external
  • The size and complexity of the operation
  • Changes in personnel, operations, programs, systems or controls
  • Regulatory requirements of the operation
  • Sensitivity of unit's operations to the university’s image and reputation
  • Amount of fiscal activity and resources

Routine Audit Phases

Entrance Conference

An audit begins with an initial meeting between the auditor and management from all interested offices and units. The entrance conference provides an opportunity for discussion of the audit process, the scope and objectives of the audit, the estimated completion date, and on-site work space requirements. It also provides management with an opportunity to discuss any questions or concerns they may have. Management's input at this stage will help us to establish a work plan to minimize audit time and avoid disruption of ongoing activities to the greatest extent possible.


The first step of the actual audit consists of interviews with managers and staff, and a review of documents and data to gain a better understanding of the unit's operations. Transactions and records are then tested to determine if controls are operating as intended. Informal communication between the audit and unit management is maintained to avoid misunderstandings, and to ensure that there are no surprises in later stages of the audit.

Draft Audit Report

After all fieldwork is completed, a draft report is prepared by the auditor. The report documents our objectives, procedures performed, our conclusions as to the adequacy of controls, and specific observations and recommendations for improvement if necessary. Internal Audit management reviews the draft thoroughly before it is presented to the unit's management. This draft report is prepared only for the unit's operating management and it provides the basis for discussions at the exit conference.

Exit Conference

A meeting is scheduled with the same individuals who attended the entrance conference. At the exit conference, the report draft is reviewed so that all of the parties understand the nature of the recommendations and agree upon the possible solutions. This meeting is also an opportunity to ensure any misunderstandings, possible misstatements or factual errors contained in the report are identified and resolved. Any issues identified during the engagement which were not significant enough to be included in the report, but still represent a potential risk, are also presented and discussed.

Management Responses

After the exit conference the draft report is finalized including any agreed upon changes from the exit conference.  In addition, the unit head will be responsible for formulating management's response to the recommendations and forwarding them to Internal Audit. The management response is a critical element of the feedback loop. The response serves to reinforce the proactive nature of the audit process by demonstrating to the reader that improvements are being made. The response should contain three elements:

  1. A statement of whether management agrees or disagrees with the recommendations
  2. An action plan of activities to take place
  3. A timeline by which the activities will be completed

Final Audit Report

Once any changes and managements responses have been incorporated the draft is now considered final.  Final reports are distributed to the appropriate managers involved in the audit and to senior executives.  Audit reports are considered confidential documents.

Audit Report Follow-Up

There will be a follow-up review of all audit recommendations approximately six to twelve months after the engagement. The purpose of the follow-up is to verify that you have implemented the agreed-upon activities. The auditor may send a request for status, interview staff, perform additional tests or review new procedures.

Routine Audit Types

An audit  can usually be classified into one of the following four categories:

Operational Audit

An operational audit examines an operating process to determine if resources are being used in the most efficient and effective ways to meet the unit's mission and objectives. Internal control reviews are a major portion of an operational review. Activities such as human resources services, cash handling, procurement, and equipment inventories are generally subject to this type of audit.

Financial Audit

A financial audit reviews the recording and reporting of financial transactions. The purpose of this type of audit is to provide management with assurance that financial information is accurately recorded in the University's financial records and that these records support the information shown in the financial reports.

Compliance Audit

A compliance audit evaluates the University's adherence to laws, regulations, and internal and external policies governing the activity being reviewed. Examples of these requirements include Federal and State laws, NCAA and OSHA regulations, and SUNY and UB policies and procedures.

Information System Audit

An information system (IS) audit reviews the internal control environment and the use of an automated information and transaction processing system. These audits typically evaluate system input, processing, and output; system development, security and privacy; backup and recovery plans; and governance.

Investigative Audit

Investigations evaluate allegations of irregularities, abuse, and fraud to determine whether the allegations are substantiated and to prevent future occurrences. Internal Audit will coordinate investigations with university management and SUNY Office of Audits, as appropriate.


Besides performing routine audits, we are available for consulting.  This encompasses a wide variety of services that allows the University community to utilize our financial, operational, and IT controls expertise.  This may be participation in committees, reviews of changes to operations or processes, or evaluation of draft policies and procedures.  This may be a simple phone call for advice or a request for training.  Where possible, we work in collaboration with other units, such as Procurement Card Administration, on consulting engagements.

Special Projects

Internal Audit may be engaged in miscellaneous special projects at the request of The President and Executive Management.  These may include but are not limited to, special committee membership, membership in teams, and performing research.

Fraud and Irregularities

The university is committed to the highest standards of moral, legal and ethical behavior, but we need your help to reach that goal.  By “doing what’s right” every day, you’ll help us build a reputation for excellence and integrity.

If you suspect waste, abuse, irregularities or fraud resulting in inappropriate use of funds or other university resources, you are required to report it. All reports are handled in confidence and with extreme discretion. All reports are taken seriously and are assessed. If you report anonymously an examination will occur, but we will not be able to provide you with the results.

Reporting Fraud and Irregularities


Fraud encompasses an array of acts characterized by intentional deception or theft which produces a loss or misuse of resources or property. Fraud can be perpetrated for the benefit of individuals or the organization or may be detrimental to the organization. Fraud may be committed by persons outside as well as inside the organization.


  • Economically wasteful consumption, mismanagement, use or squandering of university resources to the detriment or potential detriment of the university 
  • Violation of or non-compliance with any UB, RF, UBF, SUNY, New York State or federal law, regulation, policy or procedure
  • Gross misconduct, unethical, improper or dishonest acts

Fraud and irregularities include, but are not limited to:

  • Theft of any asset including, but not limited to money, tangible property, trade secrets or intellectual property
  • Misappropriation, misapplication, destruction, removal, or concealment of records, funds, supplies, furniture, fixtures, equipment or other assets
  • Inappropriate use of computer systems, including hacking and software piracy
  • Unauthorized disclosure of confidential or proprietary information
  • Unauthorized disclosure of personal information, medical information or student educational records
  • Authorizing or receiving compensation for hours not worked or covered by appropriate and available leave including timesheet tampering
  • Deceptive financial reporting
  • Credit card and travel expense fraud
  • Use of staff to perform personal errands, services or tasks
  • Alteration or falsification of a check, bank draft, account or other university document
  • False claims by students, employees, vendors or others associated with the university
  • Bribery, kickbacks, bid rigging and conflicts of interest

Report Your Suspicions To One Of the Following:

Leave Investigation To The Experts

If what you suspect is dishonest or criminal, do not try to question anyone or otherwise investigate the matter yourself.

Contact Information
Your supervisor As appropriate
UB provost, vice president, dean As appropriate
Chief of Staff to the VPFA Phone: 716-645-5144
Internal Audit

Phone: 716-829-6950


UB Police, Investigative Division Phone: 716-645-2222
University at Buffalo Police Silent Witness Reporting
State University of New York Report Fraud Hotline

Phone: 518-320-1539

Fax: 518-320-1564

Research Foundation Ethics Hotline

Phone: 800-670-7225

University at Buffalo Foundation Executive Director Phone: 716-645-3013

Contact an Expert

No Picture

Internal Audit Department

148 Parker Hall, Buffalo, NY 14214

Phone: 716-829-6950; Fax: 716-829-6042


Carolann Lazarus

Internal Audit

Phone: 716-829-6947


Terrance McGuire

Internal Audit

Phone: 716-829-6948


Related Links

Contact an Expert

No Picture

Internal Audit Department

148 Parker Hall, Buffalo, NY 14214

Phone: 716-829-6950; Fax: 716-829-6042


Carolann Lazarus

Internal Audit

Phone: 716-829-6947


Terrance McGuire

Internal Audit

Phone: 716-829-6948


Related Resources

Didn't Find What You Were Looking For?

(We'd like to respond to you.)