Mission and Scope of Work
The scope of work of the Department of Internal Audit is to determine whether University processes, as designed and represented by management, are adequate and functioning in a manner to help reasonably ensure:
- Risks are appropriately identified and managed;
- Interaction with various governance groups occurs as needed;
- Significant financial, managerial, and operating information is available, accurate, reliable, and timely;
- Employees’ actions and University operations are in compliance with policies, standards, procedures, contractual obligations, and applicable laws and regulations;
- Resources are acquired and used in a reasonably economical and efficient manner and are adequately protected;
- Programs, plans, and objectives are achieved;
- Quality and continuous improvement are fostered in the University’s control processes; and
- Significant legislative or regulatory issues impacting the University are timely recognized and addressed appropriately.
The Department of Internal Audit work products (referred to collectively as the “engagements”) are categorized as follows:
These are projects that follow the standards included in The International Professional Practices Framework published by the Institute of Internal Auditors (“IIA IPPF”). Audit engagements involve the internal auditor’s objective assessment of evidence to provide opinions or conclusions regarding an entity, operation, function, process, system, or other subject matters. The nature and scope of an audit engagement are determined by the internal auditors assigned to the engagement and approved by the Department of Internal Audit Associate Vice President/Chief Audit Executive. An audit report is typically generated for audit engagements and disclosure of results and recommendations is made to management and the Audit Committee of the Board of Regents.
These are projects where the Department of Internal Audit is acting in an advisory capacity, and may include management requests, monitoring specific projects, or participation in steering committees. These projects follow the standards included in the IIA IPPF and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. A written memo is typically generated for consulting projects and disclosure of results and recommendations is made to management. If significant governance, risk, or control issues are identified, disclosure of results and recommendations will also be made to the Audit Committee. When performing consulting engagements, the Department of Internal Audit will maintain objectivity and not assume management responsibility.
In accordance with Regent Policy 13.E Fiscal Misconduct and the Administrative Policy Statement 4012 Fiscal Misconduct Reporting, the Department of Internal Audit has the primary responsibility for coordinating the initial assessment, investigation, and internal reporting of known or suspected fiscal misconduct at the University. The Internal Audit Department will notify management, the Audit Committee, the Board of Regents and other authorities, as appropriate, of its activities and outcomes of the investigations. Furthermore, the Department of Internal Audit may act as a resource for investigations conducted by authorities external to the University.
The Department of Internal Audit may engage in both formal and informal opportunities to help educate and inform the University community about various topics, such as risk management, internal controls, and emerging regulatory and compliance requirements. The work from such engagements may or may not generate a formal work product. The Department of Internal Audit may assist external auditors or investigatory bodies by performing agreed-upon procedures. This work may or may not produce a stand-alone written memo or audit report.
Accountability and Responsibilities
The Associate Vice President/Chief Audit Executive and personnel of the Department of Internal Audit, in the discharge of their duties, shall be accountable to the Audit Committee and management to:
- Keep the Audit Committee informed of the Department of Internal Audit policies, procedures and practices for conducting engagements, as well as emerging trends and successful practices in internal auditing.
- Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this Charter and provide information on the sufficiency of department resources.
- Effectively deploy resources in a way that optimizes the achievement of the approved plan.
- Coordinate with other assurance, control and monitoring functions (e.g. risk management, compliance, police, legal, environmental, external audit).
- Engage, and ensure appropriate supervision of, University personnel or external subject matter experts as needed to successfully complete the approved audit program or provide technical expertise, where such expertise is not present on the Internal Audit team.
- Consider the scope of work of the external auditors and regulatory agency reviewers, as appropriate, for the purpose of providing optimal audit coverage to the University at a reasonable overall cost.
- Develop a flexible audit plan using an appropriate risk-based methodology, including any risks or control concerns identified by management, and submit that plan to the Audit Committee for review and approval, as well as periodic updates.
- Establish a list of significant departmental measurement goals and report results to the Audit Committee.
- Execute the audit plan, including any special tasks, projects or engagements, as suggested by management or the Audit Committee and deemed appropriate by the Associate Vice President/Chief Audit Executive.
- Periodically provide information summarizing the status and results of the audit plan and departmental activities, goals, and quality assurance and improvement program.
- Report significant issues related to the processes for controlling the activities of and managing risks to the University and its affiliates, including potential improvements to those processes, and provide information concerning such issues through resolution.
- Provide annually an assessment on the adequacy and effectiveness of the University’s processes for controlling its activities and managing its risks.
- Establish a quality assurance and improvement program by which the Associate Vice President/Chief Audit Executive assures the effective operation of internal auditing activities.
- Monitor the implementation of the agreed-upon management action plans and control improvements on a timely basis, performing such follow-up work as Department of the Internal Audit deems necessary to ensure the improvements are adequate, effective, and timely.
- Manage the CU EthicsLine, established to receive and respond to anonymous ethics and compliance reports, and assess reports received for appropriate follow-up by designated Internal Audit, University system or campus personnel.
The Associate Vice President/Chief Audit Executive and personnel of the Department of Internal Audit shall, except as otherwise directed by the Board of Regents or the Audit Committee:
- Have full and unrestricted access to any of the University’s and, to the extent provided to the University, the University’s affiliates’ manual or electronic records, physical properties, functions, and personnel relevant to University’s activities.
- Have full and free access to the Audit Committee and the Board of Regents.
- Allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish engagement objectives.
The Associate Vice President/Chief Audit Executive and personnel of the Department of Internal Audit are not authorized to:
- Perform any operational duties of the University or its affiliates.
- Initiate or approve accounting transactions external to the Department of Internal Audit.
- Direct the activities of any University employee not employed by the Department of Internal Audit, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the internal auditors.
- Prescribe or implement procedures, prepare records, make management decisions, or engage in any other activity that could be reasonably perceived to compromise their independence or impair their objectivity.
The Department of Internal Audit findings and recommendations are provided to assist management. The responsibility to execute specific actions remains with management. Opportunities for improving University operations may be identified during engagements. These will be communicated to the appropriate level of management for consideration.
Standards of Audit Practice
As adopted by the Board of Regents November 2, 2006; revised June 3, 2015; March 7, 2018; June 9, 2021.