Standard Operating Procedure: University of Michigan (U-M) Departmental Audit Protocol

This Standard Operating Procedure (SOP) serves as a comprehensive framework for internal departmental audits at the University of Michigan. It is designed to ensure compliance with U-M Standard Practice Guides (SPGs), Sponsored Programs (ORSP) regulations, and generally accepted accounting principles (GAAP). Adherence to this protocol minimizes audit risk, optimizes resource allocation, and ensures transparency across university units. All financial and administrative staff are required to utilize this checklist to facilitate internal reviews prior to formal audits by the University Audits Department or external regulatory bodies.

Phase 1: Financial Stewardship and Reconciliation

• Monthly Reconciliation Verification: Confirm that all M-Pathways financial transactions have been reconciled against original supporting documentation (invoices, receipts, and P-Card statements).
• Grant Account Review: Verify that expenditures on sponsored projects align with the terms and conditions outlined in the Notice of Award (NoA) and are within the designated budget period.
• Cost Transfer Validation: Ensure all journal entries moving expenses between accounts include sufficient justification and evidence of benefit to the receiving project.
• P-Card Compliance: Audit a 20% sample of P-Card transactions to ensure the absence of prohibited items and verify that the business purpose is clearly documented in Concur.
• Effort Certification: Confirm that all Faculty and Staff effort reports have been certified in the Effort Certification System (ECS) within the required university timeframe.

Phase 2: Administrative and Personnel Records

• Onboarding/Offboarding Documentation: Verify that all personnel files contain signed offer letters, completed I-9 verification forms, and documented offboarding equipment recovery.
• Conflict of Interest (COI) Disclosures: Ensure all unit personnel have submitted or updated their annual Conflict of Interest disclosures via the M-Inform system.
• Asset Management: Conduct a physical inventory of all sensitive university property (laptops, high-value lab equipment) and reconcile the physical count against the M-Pathways Asset Management module.
• Authorization Hierarchy: Audit current departmental signature authorities to ensure that approver roles in M-Pathways align with the current Organizational Chart and delegated authority policies.

Phase 3: Regulatory and Security Compliance

• Data Security Review: Confirm that all unit-level servers and workstations are compliant with the U-M Information Technology (UMIT) security standards, specifically regarding sensitive research data (HIPAA/FERPA).
• Record Retention: Verify that all physical and electronic documents are retained in accordance with the U-M Records Retention and Disposition Schedule.
• Safety and Environmental Audit: Ensure laboratory spaces have current hazard signage, up-to-date chemical inventories, and that all staff have completed required EHS (Environment, Health & Safety) training.

Pro Tips & Pitfalls

• Pro Tip: Maintain an "Audit Ready" file system throughout the fiscal year. Digital documentation should be organized by project/grant number, not by person, to facilitate faster retrieval during sampling.
• Pro Tip: Leverage M-Reports to generate automated exception reports. Focus your internal review on items flagged by the system as "unusual" or "out of cycle."
• Pitfall: Do not wait for the formal audit notice to initiate cleanup. Retrospective documentation (backdating or writing justifications months late) is the most common cause of audit findings.
• Pitfall: Avoid silos. Often, administrative issues stem from a lack of communication between the PI (Principal Investigator) and the financial administrator; ensure both parties review the monthly financial summary.

Frequently Asked Questions (FAQ)

1. How often should a department conduct an internal self-audit? Best practice dictates a quarterly internal review of high-risk areas (grants and P-Cards) and an annual comprehensive audit of all administrative and physical assets to remain in compliance with U-M internal control standards.

2. What should I do if I discover a discrepancy during my audit? Do not attempt to hide the error. Document the finding, consult with your department's Financial Lead or the Office of Sponsored Programs (if applicable), and execute a correcting journal entry (with full documentation of the error) immediately.

3. Does this audit checklist replace the University Audits Department’s formal review? No. This checklist is a preparatory tool designed to increase your department's "Audit Readiness." Formal audits will still be conducted independently by the University Audits Department based on institutional risk assessments.

<script type="application/ld+json"> { "@context": "https://schema.org", "@type": "FAQPage", "mainEntity": [ { "@type": "Question", "name": "What is the purpose of the U-M Departmental Audit Protocol?", "acceptedAnswer": { "@type": "Answer", "text": "The protocol serves as a framework to ensure compliance with U-M Standard Practice Guides (SPGs), Sponsored Programs regulations, and GAAP to minimize audit risk." } }, { "@type": "Question", "name": "How often should P-Card transactions be audited?", "acceptedAnswer": { "@type": "Answer", "text": "The protocol recommends auditing a 20% sample of P-Card transactions to ensure the absence of prohibited items and verify business purpose documentation in Concur." } }, { "@type": "Question", "name": "What systems are involved in U-M departmental audits?", "acceptedAnswer": { "@type": "Answer", "text": "Key systems include M-Pathways for financial and asset data, Concur for expense reporting, the Effort Certification System (ECS), and M-Inform for COI disclosures." } } ] } </script> <script type="application/ld+json"> { "@context": "https://schema.org", "@type": "SoftwareApplication", "name": "University of Michigan Departmental Audit Protocol", "applicationCategory": "Compliance Management", "operatingSystem": "Web-based", "description": "Standard Operating Procedure framework for financial and administrative audits at the University of Michigan.", "provider": { "@type": "Organization", "name": "University of Michigan" } } </script>