The Audit Committee authorizes the Internal Audit Department to have full, free and unrestricted direct access to all university activities, books, records, property and personnel relevant to the subject of review. No officer, administrator or staff member may prohibit an internal auditor from examining any university record or interviewing any employee or student that the auditor thinks is relevant to the audits and reviews. In addition, where contractually agreed, Internal Audit management has authority to inquire about or review the records of organizations required to submit financial statements to the university and third-party service providers with access to university covered data.
University management holds the primary responsibility for establishing and maintaining an adequate system of internal control. Internal Audit reviews do not substitute or relieve other university persons of this responsibility. The Internal Audit department has neither direct authority over nor responsibility for any activities reviewed. Accordingly, Internal Audit will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that could be reasonably construed to compromise its independence. In addition, Internal Audit will not direct the activities of any university employees that are not employed by the Internal Audit department, except to the extent that such employees have been appropriately assigned to auditing teams or to otherwise assist internal auditors. Where Internal Audit management has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards will be established to limit impairments to independence or objectivity. Internal Audit will recommend policies and processes for implementation by management. Internal Audit will take only an advisory role, if any, in developing policies or systems. Appropriate management are responsible for final decisions and implementation.