We work with administrative leadership to evaluate their academic, research, and administrative processes and identify opportunities for improvement. To that end, we:
- Perform operational, information technology, financial, and compliance audits and advising.
- Evaluate processes to determine if they’re working effectively to control risk.
- Make recommendations to improve processes and encourage management to adopt these recommendations.
- Offer insight to assist administrative leadership as they develop new or improved processes.
We collaborate with central administrative units to understand and respond to the changing regulatory and risk environment that the Institute faces. But we don’t:
- Perform university-wide financial statement audits.
- Develop policies.
- Perform operational activities for departments.
- Implement the audit recommendations.
Internal Audit assesses each department’s control environment and compliance with regulations. We provide recommendations and suggestions to improve the overall efficiency and effectiveness of procedures and processes, which can help you achieve your goals. Internal Audit provides assurance that critical systems and processes are working as intended to support the University’s mission. By identifying inefficiencies, control gaps, and emerging risks, Internal Audit helps departments strengthen their operations, safeguard resources, and make informed decisions. We’re not just auditors—we’re partners in institutional improvement and resilience.
An internal audit is an opportunity—not a disruption. It offers a fresh, expert perspective on operations and provides insights that help units operate more efficiently, reduce risks, and improve service delivery. We work collaboratively to identify solutions, not just problems.
The Office of Audit, Enterprise Risk and Operational Excellence offers both internal audit and ERM services. While Internal Audit and ERM serve distinct roles, they are mutually reinforcing. ERM provides a framework for identifying and managing risks before they materialize, while Internal Audit provides independent assurance that risk mitigation efforts and controls are functioning as intended.
Internal Audit - Independent Assurance and Insight
Role: Internal Audit operates as an independent and objective assurance and consulting function, reporting functionally to the board (or audit committee) and administratively to senior leadership. Its independence enables it to provide unbiased evaluations of the University’s control environment and governance processes.
Focus and Methodology: Internal Audit delivers point-in-time assessments of how well key controls and processes are functioning. It evaluates operations, systems, and activities to ensure they are efficient, effective, and aligned with the University’s objectives. Through risk-based audit planning, data-driven analysis, and collaborative engagement with departments, Internal Audit not only detects issues but also recommends actionable improvements that strengthen the University’s overall control environment.
Enterprise Risk Management (ERM) - Proactive, Strategic Risk Oversight
Role: ERM is a continuous, structured, and enterprise-wide process designed to identify, assess, and respond to risks and opportunities that may impact the University’s ability to achieve its mission and strategic goals. It involves leadership at all levels and is deeply integrated into planning and decision-making processes.
Focus and Methodology: ERM is forward-looking and strategic in nature. It uses a centralized framework to identify, evaluate, and monitor risks across academic, administrative, research, financial, and operational areas. The ERM function works closely with stakeholders across the institution to assess risk likelihood and impact, implement mitigation strategies, and integrate risk considerations into strategic planning and performance measurement.
| | Internal Audit | Enterprise Risk Management (ERM) |
|---|---|---|
| Focus | PAST & PRESENT | PRESENT & FUTURE |
| Objective | Provide independent assurance on governance, risk, and control effectiveness | Identify, assess, and mitigate emerging risks proactively |
| Approach | Evaluates what’s already happened and how well controls are working | Works with the business to design strategies that reduce uncertainty |
| Key Strength | OBJECTIVITY & INSIGHT | PREVENTION & PREPAREDNESS |
Internal and external auditors both examine a company’s records and operations, but they differ fundamentally in their purpose, independence, and audience. Internal auditors are employees of the University and work to improve the organization from within for management, while external auditors provide an independent review for outside stakeholders.
External auditors can be government auditors, a contracted audit firm, professional organizations, or independent public accounting firms that the University hires.
- The university’s independent accounting firm is primarily concerned with the completeness, accuracy, and fair presentation of the university’s financial statements and the financial condition of the institution as well as major grant programs.
- Government auditors focus primarily on compliance with government regulations and award terms. Since both federal and state governments fund a significant portion of the University’s activities, they want to make sure we use their money as they intended.
External auditors’ findings are often reported to external stakeholders or the public while internal audit findings are reported to the appropriate parties within the University.
An internal control is any policy, procedure, practice, or mechanism designed to provide reasonable assurance that the organization’s objectives will be achieved. This includes controls designed to safeguard assets, ensure the timeliness, accuracy and reliability of financial and management reporting and to promote operational efficiency, effectiveness and compliance with all applicable laws, regulations, policies and procedures. It is the responsibility of management to ensure that appropriate controls are implemented and functioning to support the achievement of unit objectives.
There are two types of internal controls: preventative and detective controls.
- Preventative Controls are designed to prevent errors or irregularities from occurring. (Example: processing vouchers only after approval signatures have been obtained; system input validations that require a particular type of data.)
- Detective Controls are designed to find errors or irregularities after they have occurred. (Example: reconciling monthly account statements.)
While Internal Audit considers the possibility of fraud in nearly all audit projects, employees and management also need to be aware of “red flags” of suspicious activity and take corrective action if needed or report the activity. When something suspicious is identified, Internal Auditors can help determine its effect and evaluate the situation with financial analysis, observation or other methods to review and test a weakness of established controls. If a review confirms potential fraud, a formal investigation is often the next step, which may include the Office of Legal Counsel and the campus police department.
Internal Audit is implementing a Fraud Risk Management Program which will provide overall fraud management guidance and specifically review business areas for fraud risks and controls.
Suspected fraudulent activity can be reported on the Purdue Hotline.
Any office or department at the university may request Internal Audit services or reach out for assistance. We may or may not be able to immediately accommodate your request, but will certainly discuss your needs and expectations, and can offer initial thoughts for your consideration.
Internal Audit is subject to a quality assurance review, which includes an external assessment conducted at least once every five years by a qualified and independent review team as required by the “Global Internal Audit Standards” set forth by the Institute of Internal Auditors, which Internal Audit follows.
Why This Matters:
- Ensures compliance with professional standards (e.g., IIA’s Global Standards)
- Confirms that Internal Audit remains independent, objective, and effective
- Identifies areas for improvement in audit methodology, governance, and reporting