(Effective October 2, 2015)
DEFINITION OF INTERNAL AUDITING:
The Internal Audit Department is an independent and objective assurance and consulting activity guided by a philosophy of adding value to improve the operations of the University. It assists the University in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the University’s governance, risk management, and internal controls.
To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
First published in July 2015, these principles articulate internal audit effectiveness. For an internal audit function to be considered effective, all Principles should be present and operating effectively.
- Demonstrates integrity.
- Demonstrates competence and due professional care.
- Is objective and free from undue influence (independent).
- Aligns with the strategies, objectives, and risks of the organization.
- Is appropriately positioned and adequately resourced.
- Demonstrates quality and continuous improvement.
- Communicates effectively.
- Provides risk-based assurance.
- Is insightful, proactive, and future-focused.
- Promotes organizational improvement.
The Internal Audit Department will govern itself by adherence to The Institute of Internal Auditors' mandatory guidance that includes the Mission, Core Principles, Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). This mandatory guidance along with additional Supplemental Guidance constitutes the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity’s performance. In addition, the internal audit activity will adhere to relevant policies and procedures in the State Internal Audit Manual published by the Council of Internal Auditing for the State of North Carolina, guidance issued by UNC General Administration, and the department’s standard operating procedures manual.
The department, with strict accountability for confidentiality and safeguarding records and information, is authorized full, free, and unrestricted access to any and all of the University’s records, physical properties, and personnel pertinent to the scope of any engagement. All University employees are requested to assist the department in fulfilling its roles and responsibilities. The department will also have free and unrestricted access to the Audit, Compliance, and Enterprise Risk Management Committee of the Board of Trustees (the Committee).
The Chief Audit Officer reports directly to the Chancellor with a clear and recognized reporting relationship to the chair of the Audit, Compliance, and Enterprise Risk Management Committee.
Upon consideration of the recommendations of the Chancellor, the Committee will:
- Approve the internal audit charter.
- Approve the annual risk-based internal audit plan.
- Review the internal audit budget and resource plan.
- Receive communications from the Chief Audit Officer on the internal audit activity’s performance relative to its plan and other matters.
- Review decisions regarding the appointment and removal of the Chief Audit Officer.
- Review the remuneration of the Chief Audit Officer.
- Determine whether there are scope or resource limitations that should be addressed.
The Chief Audit Officer will communicate and interact directly with the Committee, including in executive sessions and between Committee meetings as appropriate.
INDEPENDENCE AND OBJECTIVITY:
The Internal Audit Department will remain free from interference by any element in the University, including matters of audit selection, scope, procedures, frequency, timing, or report content, to maintain its necessary independent and objective judgment.
Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair the auditor’s judgment.
Internal auditors will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors will make a balanced assessment of all the relevant circumstances and will not be unduly influenced by their own interests or by others. The Chief Audit Officer will confirm to the Committee, at least annually, the organizational independence and objectivity of the internal audit activity.
The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the University’s governance, risk management, and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve the organization’s stated goals and objectives. This includes:
- Evaluating risk exposure relating to achievement of the University’s strategic objectives.
- Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
- Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations that could have a significant impact on the University.
- Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
- Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out efficiently and effectively.
- Monitoring and evaluating governance processes.
- Monitoring and evaluating the effectiveness of the University’s risk management processes.
- Performing consulting and advisory services related to governance, risk management, and control as appropriate for the organization.
- Reporting periodically on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan.
- Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the Board.
- Evaluating specific issues and operations at the request of the Board or management, as appropriate.
INTERNAL AUDIT PLAN:
At least annually, the Chief Audit Officer will submit to senior management and the Committee an internal audit plan for review and approval. The internal audit plan will consist of a work schedule as well as budget and resource requirements for the next fiscal/calendar year. The Chief Audit Officer will communicate the impact of any resource limitations and significant interim changes to senior management and the Committee. The internal audit plan will be developed using a risk-based methodology, including input of senior management and the Committee. The Chief Audit Officer will review and adjust the plan, as necessary, in response to changes in the University’s risks, operations, programs, systems, and controls. Any significant deviation from the approved internal audit plan will be communicated to senior management and the Committee through periodic activity reports.
REPORTING AND MONITORING:
A written report will be prepared and issued by the Chief Audit Officer or designee following the conclusion of each internal audit engagement and will be distributed as appropriate. Internal audit results will also be communicated to the Committee. The internal audit report will include management’s response and corrective action taken or to be taken in regard to the specific findings and recommendations. Management's response will include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented.
The department will be responsible for appropriate follow-up on engagement findings and recommendations. All significant findings will remain in an open issues file until cleared.
The Chief Audit Officer will periodically report to senior management and the Committee on the department’s purpose, authority, and responsibility, as well as performance relative to its plan. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the Committee. The Committee will periodically meet privately with the CAO to allow for discussion of sensitive topics.
QUALITY ASSURANCE AND IMPROVEMENT PROGRAM:
The Internal Audit Department will maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program will include an evaluation of the department’s conformance with the mandatory guidance published by the Institute of Internal Auditors and an evaluation of whether internal auditors apply the Code of Ethics. The program will also assess the efficiency and effectiveness of the department and identify opportunities for improvement. The Chief Audit Officer will communicate to senior management and the Committee on the department’s quality assurance and improvement program, including results of ongoing internal assessments and external assessments conducted at least every five years.