The Department of Internal Audit is established within the University of Colorado by the Board of Regents. Its role and responsibilities are defined by the Board of Regents as set forth in this charter. The Audit Committee of the Board of Regents provides oversight of the Department of Internal Audit. The Director of the Department of Internal Audit is appointed by the Board of Regents, reports functionally to the Audit Committee and reports administratively to the President.
Control: Any action taken by management, the Board of Regents, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
Governance: The combination of processes and structures implemented by the Board of Regents in order to inform, direct, manage and monitor the activities of the university toward the achievement of its objectives.
Risk management: A process to identify, assess, manage and control potential events or situations, to provide reasonable assurance regarding the achievement of the university's objectives.
The Department of Internal Audit’s role is to provide independent, objective assurance and consulting activity designed to add value and improve the university’s operations. It helps the university accomplish its objectives by bringing a systematic, disciplined approach to the evaluation and improvement of university processes related to university-wide risk management, control, and governance.
More specifically, the Department of Internal Audit evaluates whether university processes, as designed and represented by management, are adequate and functioning in a manner to help ensure:
- risks are appropriately identified and managed
- interaction with various constituents occurs as needed
- significant financial, managerial, and operating information is accurate, reliable, and timely
- employees’ actions are in compliance with policies, standards, procedures, and applicable laws and regulations
- resources are acquired and used in a reasonably economical and efficient manner, and are adequately protected
- programs, plans, and objectives are achieved
- quality and continuous improvement are fostered in the university’s control process
- significant legislative or regulatory issues impacting the University are recognized and addressed appropriately
Opportunities for improving university operations may be identified during audits. They will be communicated to the appropriate level of management for its consideration.
At the conclusion of each audit, the Department of Internal Audit will issue a report that provides its independent opinion or conclusions regarding the process, system or other subject matter reviewed. The risk associated with each matter reported will be identified and the report will incorporate the responsible campus or university system administration's response. The Department of Internal Audit will conduct follow-up activity to ascertain the status of actions taken with regard to significant risks identified.
The department also assists in the investigation of significant suspected fraudulent activities within the university and notifies management, the Audit Committee, the Board of Regents and other authorities, as appropriate, of its activities and results.
To provide for its independence and objectivity, Department of Internal Audit personnel report to the director of the Department of Internal Audit, who reports functionally to the Audit Committee and administratively to the president in a manner outlined in the below section on Accountability and Responsibility. It will include, as part of its reports to the Audit Committee, a regular report on the independence of Department of Internal Audit personnel.
The Department of Internal Audit will conduct its activities in accordance with The Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing. In addition to university policies and standards of conduct, Department of Internal Audit personnel shall adhere to The Institute of Internal Auditors' "Code of Ethics."
Accountability and Responsibility
The director and personnel of the Department of Internal Audit, in the discharge of their duties, shall be accountable to the Audit Committee and management to:
- keep the Audit Committee informed of the Department of Internal Audit's policies, procedures and practices for conducting audits, investigations and consulting activity, as well as emerging trends and successful practices in internal auditing
- maintain a professional audit staff with sufficient knowledge, skills, experience and professional certifications to meet the requirements of this charter, and provide information on the sufficiency of department resources
- allocate resources, set frequencies, select subjects, determine scopes of work and apply the techniques required to accomplish its objectives
- coordinate with other control and monitoring functions (e.g. risk management, compliance, police, legal, environmental, external audit)
- utilize the assistance of personnel in units of the university where they perform work and seek other specialized services from within or outside the university
- consider the scope of work of the external auditors and regulators, as appropriate, for the purposes of providing optimal audit coverage to the university at a reasonable cost
- develop a flexible annual audit plan using an appropriate risk-based methodology, including any risks or control concerns identified by management, and submit that plan to the Audit Committee for review, as well as periodic updates
- establish a list of significant goals
- implement the annual audit plan, including, as deemed appropriate by the director, any special tasks or projects suggested by management and/or the Audit Committee
- periodically provide information summarizing the status and results of the annual audit plan, activities and goals
- report significant issues related to the processes for controlling the activities of the university and its affiliates, including potential improvements to those processes, and provide information concerning such issues through resolution
- provide annually an assessment on the adequacy and effectiveness of the university's processes for controlling its activities and managing its risks
The director and personnel of the Department of Internal Audit shall, except as otherwise directed by the Board of Regents or Audit Committee:
- have full and complete access to any of the university's and, to the extent provided to the university, the university's corporate affiliates' manual or electronic records, physical properties, functions and personnel relevant to its activities
- have full and free access to the Audit Committee and the Board of Regents
The director and personnel of the Department of Internal Audit are not authorized to:
- perform any operational duties for the university or its affiliates
- initiate or approve accounting transactions external to the Department of Internal Audit and the Board of Regents office
- direct the activities of any university employee not employed by the Department of Internal Audit, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the internal auditors
As adopted by the Board of Regents November 2, 2006