Charter

G1.15 Internal Audit and Risk Management Charter

Purpose 

The purpose of the Office of Internal Audit and Risk Management (herein Office) is to strengthen the university’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight. The Office enhances the university’s successful achievement of objectives, governance, risk management, and control processes, decision-making and oversight, reputation and credibility with its stakeholders, and its ability to serve the public interest.  

Independence, Organizational Position, and Reporting Relationships 

To achieve the highest degree of independence, the Office reports functionally to the Board of Governors through the Risk Management and Audit Committee (RMAC), and administratively to the President. Such reporting line shall establish independence, allow for unrestricted access to the board, provide for accomplishment of responsibilities without interference from management, and give the organizational authority necessary to maintain objectivity.

Mandate 

In carrying out its duties and responsibilities, the Office shall have unrestricted and timely access to all organizational activities, data, records, information, property, and personnel. To this end, the Office shall set frequencies, select subjects, determine scopes of work, apply techniques, and issue communications to accomplish the function’s objectives. Internal auditors are accountable for confidentiality and safeguarding data, records, and information collected during their course of work.  

Commitment to Adhering to the Global Internal Auditing Standards 

The Office will adhere to university policies and the Global Internal Audit Standards (GIAS) and Topical Requirements which are promulgated by the Institute of Internal Auditors.  

Board and Director Responsibilities 

To establish and maintain needed attributes of the university’s internal audit function the Board (oversight) and Director (management) will: 

  • Discuss with the appropriate authority, role, responsibilities, scope and services (assurance and/or advisory) of the internal audit function, as appropriate.  
  • Ensure the Office has unrestricted access to and ability to communicate directly with the Board through the RMAC Chair.  
  • The Director will confirm to the Board, at least annually, the organizational independence of the function, any interference encountered related to the scope, performance, or communication of internal audit work and results. The disclosure will include communicating the implications of such interference on the effectiveness of the Office and its ability to fulfill its mandate. 
  • Ensure at least a portion of one meeting annually is held without management present.  
  • The charter, and any relevant changes, are presented to the Board for review and approval at least annually.  
  • The Director must develop a risk-based audit plan that considers input of the Board and senior management. This plan will be presented to the Board and the President for review and then subsequently approved by the Board through the RMAC. The Director may review and adjust the plan, as necessary, in response to changes in the university’s risks, operations, programs, systems, and controls. Significant changes will be communicated to the RMAC Chair and President.  
  • The Director will communicate the results of all engagements conducted by the Office to the RMAC, including management’s responses, any risk that the Office determines may be unacceptable or management’s acceptance of risk beyond the university’s risk appetite. 
  • The Director will develop procedures to follow up on findings and confirm the implementation of recommendations or action plans and communicate the results of those procedures to the Board and President as appropriate.
  • Ensure a quality assurance and improvement program is established and results of all assessments are presented to the RMAC annually.  
  • Review the use of financial and human resources and communicate the impact of resource limitations to the Board and President.  
  • The Board will collaborate with senior management to determine the qualifications and competencies the organization expects in a director and authorize the appointment and removal of the director.  
  • The Board will provide feedback to the President regarding the Director’s performance. 

Additional Director Role and Responsibilities 

The Director will establish and ensure adherence to methodologies designed to ensure all auditors conduct their work in conformance with the GIAS, including the principles of ethics and professionalism, and all university policies and procedures unless such policies or procedures conflict with the charter or the GIAS. The Director will ensure all auditors understand, respect, meet, and contribute to the legitimate and ethical expectations of the university, be able to recognize conduct that is contrary to those expectations, encourage and promote an ethics-based culture, and report organizational behavior that is inconsistent with university expectations, as described in applicable policies and procedures.

The Director will ensure the Office remains free from all conditions that threaten the ability to carry out the roles and responsibilities mandated in an unbiased manner, including matters of engagement selection, scope, procedures, frequency, timing, and communication. If, at any time, the Director believes independence or objectivity may be impaired in fact or appearance, the details of the impairment will be disclosed to the appropriate parties.  

In performing its function, the Office has no direct responsibility or authority over any of the activities which it reviews. Accordingly, auditors will not implement internal controls, develop procedures, install systems, or engage in other activities which may impair their judgement. The internal audit review and appraisal process does not, therefore, relieve other persons in the organization of the responsibilities assigned to them. 

The Director will ensure the Office collectively possesses or obtains the knowledge, skills, and other competencies and qualifications needed to meet the requirements of the GIAS and fulfill the internal audit mandate.  

The Director will identify and consider trends and emerging issues that could impact the university and communicate significant risk exposures and control issues, including fraud risks, governance issues, and other areas of focus to the Board and senior management as appropriate.  

The Director will develop, implement, and maintain a quality assurance and improvement program (Program) that covers all aspects of the internal audit function. The Program will include internal and external assessments of the function’s performance with the GIAS, as well as performance measures to assess the function’s progress toward the achievement of its objectives and promotion of continuous improvement.

Scope and Types of Internal Audit Services 

The Office’s scope of services is provided to serve the entire breadth of the university system, including all activities, assets, and personnel. This scope includes, but is not limited to, assurance, advisory, assessment, and objective examinations. The fulfillment of this accountability includes but is not limited to the following: 

  • Assessing risks related to the achievement of the university’s strategic objectives to ensure said risks are appropriately identified and managed. 
  • Examining and evaluating the adequacy and effectiveness of the overall system of administrative and financial controls. 
  • Determining the reliability and integrity of financial and operating data. 
  • Evaluating sufficiency of and adherence to university plans, policies, and procedures and compliance with State and Federal laws and regulations. 
  • Ascertaining the extent to which university assets are accounted for and safeguarded and, as appropriate, verifying the existence of such assets. 
  • Appraising the economy and efficiency with which university resources are employed. 

Line of authority

Responsible administrator and office:  Office of Internal Audit and Risk Management

Contact person in that office:  Director of Internal Audit and Risk Management

Effective date

Presidential approval:  October 18, 2024