Internal Audit Charter

To enhance and protect organizational value by providing risk-based and objective assurance, and consulting to university management and the Audit Committee. The Internal Audit department’s professional training, in-depth knowledge of overall operating practices, and familiarity with the university’s policies and processes enable Internal Audit to assess the design and operation of controls, identify risks, and develop recommended action plans for improvement opportunities. Internal Audit considers risks to the university broadly, including but not limited to financial, operational, technological, regulatory, and reputational risks. Once assessed and identified, Internal Audit helps to improve policies and processes to manage risks, improve governance, and increase operational efficiency and effectiveness. 

The Associate Vice President, Risk Management, who is the Chief Audit Executive, is responsible to and has direct access to the Audit Committee. The Chief Audit Executive reports functionally to the Audit Committee and administratively to the Executive Vice President and Chief Financial Officer. The Chief Audit Executive and Internal Audit management shall have a private meeting with the Audit Committee at least annually and shall meet with the Audit Committee Chair periodically.

Internal Audit shall report:

• Suggested edits and approval for the Internal Audit Charter
• An annual risk based Internal Audit Plan
• An annual Internal Audit budget
• Periodic reports summarizing audit activities and results
• Periodic status updates of the annual Internal Audit Plan and use of Internal Audit Department resources
• On the organizational independence of the Internal Audit Department, at least annually
• Any impairment of independence or objectivity, in fact or appearance, to appropriate parties
• Any interference and related implications in determining the scope of internal auditing, performing work, and/or communicating results
• Conformance with The Institute of Internal Auditors' Code of Ethics and Standards, and action plans to address any significant conformance issues
• Significant risk exposures and control issues, including fraud risks, governance issues, and other matters requiring the attention of, or requested by, the audit committee

The Audit Committee authorizes the Internal Audit Department to have full, free and unrestricted direct access to all university activities, books, records, property and personnel relevant to the subject of review. No officer, administrator or staff member may prohibit an internal auditor from examining any university record or interviewing any employee or student that the auditor thinks is relevant to the audits and reviews. In addition, where contractually agreed, Internal Audit management has authority to inquire about or review the records of organizations required to submit financial statements to the university and third-party service providers with access to university covered data. 

University management holds the primary responsibility for establishing and maintaining an adequate system of internal control. Internal Audit reviews do not substitute or relieve other university persons of this responsibility. The Internal Audit department has neither direct authority over nor responsibility for any activities reviewed. Accordingly, Internal Audit will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that could be reason­ably construed to compromise its independence. In addition, Internal Audit will not direct the activities of any university employees that are not employed by the Internal Audit department, except to the extent that such employees have been appropriately assigned to auditing teams or to otherwise assist internal auditors. Where Internal Audit management has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards will be established to limit impairments to independence or objectivity. Internal Audit will recommend policies and processes for implementation by management. Internal Audit will take only an advisory role, if any, in developing policies or systems. Appropriate management are responsible for final decisions and implementation.

The general scope of audit coverage is university wide. No process, function or unit of the university is exempt from potential audit or review. All organizations directly or indirectly managed by the university will be subject to review by Internal Audit. The specific scope of work will be identified when the audit is planned, or when additional concerns develop during an audit. In general, the scope of work will include an evaluation of one or more of the following: 

• Governance, risk management, efficiency and effectiveness of internal controls and processes
• Compliance with policies, procedures, and applicable laws, regulations and governance standards
• Use and safeguarding of university assets and/or resources 
• Reliability and integrity of financial and management information
• The results of operations or programs are consistent with established goals and objectives
• Operations or programs are being carried out effectively and efficiently
• Resources and assets are acquired economically, used efficiently, and protected adequately
• Information and the means used to identify, measure, analyze, classify, and report such information are reliable and have integrity
• Specific matters, at the request of the Board or management

Internal Audit management is responsible for developing and monitoring the execution of the annual Internal Audit Plan. Internal Audit uses a risk assessment process, input from the Audit Committee and management to determine audits for the annual Internal Audit Plan. During the risk assessment process, the Internal Audit department communicates with key representatives of university management, colleges, schools and departments to identify and prioritize risks and to identify special audit requests.

Internal Audit selects processes, functions and units to review based on:

• Identified risk factors and their estimated likelihood and potential impact
• Time elapsed since the process, function or unit was last reviewed
• Results from prior audits (internal and external)
• Financial significance
• Criticality to university operations

Internal Audit may provide consulting services or perform special projects to assist management, such as:

• Design review during implementation of systems
• Investigative audits in response to specific events, fraud allegations, abuse or conflict of interest
• Incorporating internal controls and accountability in policies and processes

Internal Audit will prepare and issue a written report following the conclusion of each audit. Management of the audited area will provide feedback and agreement with the recommended action plans, the individual responsible for completing the action and an estimated completion date. The Audit Committee and the university’s President, Executive Vice President, Provost and Controller will receive copies of all final audit reports.

Internal Audit is responsible for verifying recommended action plans assigned in audit reports have been completed. If corrective action is not implemented timely, Internal Audit is responsible for communicating non-compliance to the university’s President, Executive Vice President, and Provost, and the Audit Committee.

In all of its activities, Internal Audit will govern itself by adherence to the mandatory elements of The Institute of Internal Auditors' International Professional Practices Framework, including the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing (Standards), and the Definition of Internal Auditing. Internal Audit is required to maintain its objectivity and independence. Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.

Internal Audit will maintain a quality assurance and improvement program, including an evaluation of conformance with the Definition of Internal Auditing, Standards and Code of Ethics. Periodically, Internal Audit management will communicate to senior management and the Audit Committee on the internal audit activity’s quality assurance and improvement program, including results of ongoing internal assessments and external assessments conducted at least every five years by a qualified, independent assessor or assessment team from outside the university. In addition, all members of the Internal Audit department will abide by the Family Educational Rights and Privacy Act of 1974, 20 U.S.C. 1232 (g) and all applicable rules and regulations. Internal Auditors are accountable for maintaining confidentiality and safeguarding records and information provided during the audit process.

Internal Audit has a close working relationship with the university’s independent public accounting firm. However, the responsibilities and objectives of the internal and external auditing groups are generally different. External auditors certify the university’s financial statements; internal auditors evaluate internal controls and compliance with policies, procedures and regulatory requirements. At those times when objectives of both groups coincide, Internal Audit will make every effort to coordinate its work with the external auditors to ensure maximum audit coverage is provided at a minimum cost to the university.