Frequently Asked Questions

1. Who does our GC Internal Auditor report to? 
University Internal Auditor reports to the University President, as well as the Board of Regents Chief Audit Officer and Associate Vice Chancellor for Internal Auditing. 

2. How are departments and offices selected for audit?
See the Yearly Risk Assessment link. In summary, each year the Internal Auditor prepares an audit plan based on management input and an assessment of a unit's perceived audit risk. Our risk assessment analysis has the following factors: 

  • Audit History which considers prior findings and/or the date of the last audit. 
  • Regulatory Compliance/Public Scrutiny which rates sponsor expectations. 
  • Reliance on Information Technology which considers system security and data accuracy vulnerabilities. 
  • Transaction Volume which determines the financial size of the area. 
  • Organization Change and Economic Transition which highlights areas adapting to change or that have had a period of transformation.

3. As a unit head, how may I request the services of the Internal Audit Department?
Management may contact the Internal Auditor, Stacy Mulvaney, via telephone or email, to request services for an audit, special review or advisory services. Your request will be reviewed, and I will determine how to meet your needs and coordinate review activities based on our audit plan commitments. What is audit planning?

It is a process by which a perceived risk is identified, management input is solicited, and a determination is made of what will be included in the review (i.e. audit scope). It includes assessing various university documents, discussing with management, establishing audit objectives, and developing a plan that is shared with applicable personnel. 

4. How long do audits take? 
It depends on the depth and scope of the engagement. Generally speaking, full-scope audits will take approximately two months.

5. How often are the departments reviewed? 
It depends on the results of the risk analysis performed and the corresponding priority ranking for each auditable unit. Based on the audit resources available, the annual audit schedule is defined and reviewed by executive management. The audit plan is then submitted to the Board of Regents Internal Audit Office and approved by the Board of Regents.

6. Why are departments always under audit? 
What may be interpreted as being under audit may not be the case. Auditors may be in departments to gather information, as part of another department's audit, to follow-up on outstanding issues, or to perform a special review requested of management. Keep in mind that many university activities interrelate with other department activities and frequently the audit scope crosses departmental or divisional lines.

7. What can I do to facilitate the audit process? 
Be honest and open; understand that the University Internal Auditor serves to assist you and your department by recommending solutions that may save your organization time and money while ensuring your operation has sound business practices and is in compliance with University, Board of Regents and State policies and procedures. I ask that you participate in the planning process and discussions. It is important that you not only voice your opinions regarding areas of weakness and issues of concern, but to give an honest assessment of the anticipated effectiveness and feasibility of our proposed suggestions for improvement.

8. What should I expect during an audit? 
View the audit process link to get a detailed description of the audit steps. 

9. Who gets audit reports? 
Audit reports are distributed to the applicable department head, applicable executive management, the Associate Vice Chancellor for Internal Audit at the Board of Regents Internal Audit Office, and the State of Georgia Auditors. Why do you sometimes recommend actions that are not contained in campus policies or procedures?

My objective is to offer suggestions to mitigate identified risks. We believe the head of a university organization would want to mitigate identified risks, even though campus policy might not yet specifically address a given situation. 

10. Why are you conducting follow-up activities when less than a year ago you were conducting the audit?
I have an obligation to the University management, the Board of Regents, and the professional practice of Internal Auditing to report progress on actions to implement audit recommendations. I typically perform follow-up procedures within 6 months of the audit.

11. What if I become aware of fraud, waste or abuse? Is the Internal Auditor interested?
I am interested in feedback should you become aware of these situations and would like to have your input. You should contact the Internal Auditor at 478-445-1549 or email

12. Where can I find the University document retention policy? 
Please refer to the University System of Georgia Record Retention Guidelines at This document provides guidance on the minimum retention time for a particular record. The guidelines are organized in 19 categories and a search engine is provided for your convenience. 

13. Where can I find the University conflict of interest policy? 
I need to know if my activities outside of the campus are in conflict with the campus's policies. 
Please refer to GC conflict of interest policy located in your GC Employee Handbook and on the Office of Legal Affairs website.

14. Where can I find GC purchasing card (P-card) policies and procedures?
The GC Policy Manual explains all GC policies and procedures including P-cards.  Contact the Office of Administrative Services for additional details on P-cards.