The mission of the Internal Audit Department is to provide independent, objective assurance and consulting services designed to add value and improve the University’s operations. Internal Audit helps the University to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, internal control and governance processes. Internal Audit will assist University Management and the Audit Committee of the Board of Trustees in identifying, avoiding, and mitigating risks.
To accomplish its threefold mission of teaching, research and public service, the University must maintain the confidence of its Board of Trustees, faculty, staff, students, alumni, the public, elected officials and various other constituencies. Confidence in the institution is paramount if the University is going to achieve its stated objectives. The Internal Audit Department provides valuable support in maintaining the public’s confidence by performing independent and objective reviews, and reporting to the Audit Committee and responsible administrative and academic officers on their findings so that corrective actions or enhancements can be initiated.
The Internal Audit Department is established by the Board of Trustees. The Internal Audit Department’s responsibilities are defined by the Audit Committee as part of its oversight role. The Internal Audit Department assists the University in the assessment and improvement of the effectiveness of risk management, internal control and governance processes.
The Director of Internal Audit, in the discharge of his/her duties, shall be accountable to the Chancellor and the Audit Committee of the Board of Trustees to:
- Provide annually an assessment on the adequacy and effectiveness of the University’s processes for controlling its activities and managing its risks in the areas set forth under Mission and Responsibility set forth herein.
- Report significant issues relating to the processes for controlling the activities of the University, including potential improvements to those processes, and provide information concerning such issues through resolution.
- Periodically provide information on the status and results of the annual audit plan and the sufficiency of departmental resources.
- Coordinate investigation of fraudulent activities with other control and monitoring functions (i.e., risk management, compliance, campus police, general counsel, environmental health & safety, and external audit).
The Internal Audit Department is committed to the professional practice of internal auditing. The Internal Audit Department will govern itself by adherence to the Institute of Internal Auditors “Core Principles for the Professional Practice of Internal Auditing”; “Definition of Internal Auditing”; the “International Standards for the Professional Practice of Internal Auditing”; and the “Code of Ethics”. The Institute of Internal Auditors “Position Papers”; “Practice Advisories”; and “Practice Guides” will be used for guidance in the practice of internal auditing. In addition, Internal Audit will adhere to University policies and procedures and the Internal Audit Department audit manual. This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of Internal Audit’s performance.
The Internal Audit Department is authorized to direct a broad, comprehensive program of internal auditing within the University. The Director and staff of the Internal Audit Department are authorized to:
- Have unrestricted access to all functions, records, property and personnel. Documents and other information provided to Internal Audit will be handled in the same prudent and confidential manner as by the employees normally accountable for them.
- Have full and free access to the Audit Committee.
- Allocate resources, set frequencies, select subjects, determine scopes of work and apply the techniques required to accomplish audit objectives.
- Obtain the necessary assistance of personnel in units of the University where audits are performed, as well as other specialized services from within or outside the University.
The Director will report functionally to the Audit Committee of the Board of Trustees and administratively to the Chancellor.
The Audit Committee will:
- Review the Internal Audit Charter.
- Review the risk based Internal Audit plan.
- Review the Internal Audit budget and resource plan.
- Receive communications from the Director of the Internal Audit Department as to performance relative to its plan and other matters.
- Review decisions regarding the appointment and removal of the Director.
- Review the remuneration of the Director.
- Make appropriate inquires of University Management and the Director to determine whether there are scope or resource limitations.
The Director will communicate and interact directly with the Audit Committee of the Board of Trustees, including in executive sessions and between Committee meetings as appropriate.
Independence and Objectivity
To properly perform these tasks, the Internal Audit Department must be free from interference in determining the scope of internal auditing, performing work, and communicating results.
Internal Audit will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair Internal Audit’s judgment.
Internal Audit will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal Audit will make a balanced assessment of all the relevant circumstances and not be unduly influenced by its own interests or by others in forming judgments.
The Director will disclose whether he/she has or is expected to have roles and/or responsibilities that fall outside of internal auditing to ensure that safeguards are in place to limit impairments to independence or objectivity. The Director will confirm to the Audit Committee, at least annually, the organizational independence of the Internal Audit Department.
The responsibility of the Internal Audit Department encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the University’s risk management, internal control and governance processes as well as the quality of performance in carrying out assigned responsibilities to achieve the organization’s stated goals and objectives. This includes:
- Evaluating risk exposure relating to achievement of the University’s strategic goals.
- Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
- Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the University.
- Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
- Evaluating the effectiveness and efficiency with which resources are employed.
- Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether operations or programs are being carried out as planned.
- Monitoring and evaluating governance processes.
- Monitoring and evaluating the effectiveness of the University’s risk management processes.
- Evaluating the quality of performance of external auditors and the degree of coordination with Internal Audit.
- Performing consulting and advisory services related to risk management, internal control and governance processes as appropriate for the University.
- Evaluating specific operations at the request of the Audit Committee or management, as appropriate.
- Maintaining a professional audit staff with sufficient knowledge, skills, experience and professional certifications to meet the requirements of this Charter.
- Keeping the Audit Committee informed of emerging trends and successful practices in internal auditing.
Internal Audit Plan
At least annually, the Director will submit to University Management and the Audit Committee an Internal Audit plan for review and approval. The Internal Audit plan will consist of a work schedule as well as budget and resource requirements for the next calendar year. The Director will communicate the impact of resource limitations to University Management and the Audit Committee.
The Internal Audit plan will be developed based on a prioritization of the audit universe using a risk-based methodology, including input of University Management and the Audit Committee. The Director will review and adjust the plan, as necessary, in response to changes in the University’s business, risks, operations, programs, systems and controls. Any significant deviation from the approved Internal Audit plan will be communicated to University Management and the Audit Committee through periodic activity reports.
Reporting and Monitoring
A written report will be prepared and issued by the Director or designee following the conclusion of each Internal Audit engagement and will be distributed as appropriate. A copy of each audit report will be forwarded to the Chancellor and other appropriate parties. Internal Audit results will also be communicated via a status report at each Audit Committee meeting.
Internal audit reports generally include management’s response and corrective action taken or to be taken in regard to the specific findings and recommendations. Management’s response should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented.
Internal Audit will be responsible for appropriate follow-up on engagement findings and recommendations. All findings will be monitored until recommendations have been implemented.
The Director will periodically report to University Management and Audit Committee on the Internal Audit Department’s purpose, authority, responsibility, as well as performance relative to its plan. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by University Management and the Audit Committee.
Quality Assurance and Improvement Program
Internal Audit will maintain a quality assurance and improvement program that covers all aspects of the Internal Audit activity. The program will include an evaluation of Internal Audit’s conformance with the “Definition of Internal Auditing” and the “International Standards for the Professional Practice of Internal Auditing” and an evaluation of whether Internal Audit applies the “Code of Ethics”. The program also assesses the efficiency and effectiveness of Internal Audit and identifies opportunities for improvement.
The Director will communicate to University Management and the Audit Committee on Internal Audit’s quality assurance and improvement program, including results of ongoing internal assessments and external assessments conducted at least every five years.