Internal Audit Office

Internal Audit Charter

Mission

The Internal Audit Office (the “Office) serves as a resource to examine and evaluate University activities in service to the Board of Trustees. The Office is dedicated to aiding the University in accomplishing its strategic and operational initiatives by providing risk-based and objective assurance, advice, and insight through a collaborative approach that develops and maintains strong relationships. The Department will accomplish this goal through audits, advisory and consulting services designed to add value to the University’s operations and control environment. 

Purpose

The purpose of the Internal Audit Office is to use a systematic, disciplined approach to assess whether the University’s control, risk management, and governance processes, as designed and implemented by management, are adequate and functioning. The scope of the Internal Audit function shall include, but not be limited to evaluating whether: 

  • Strategic objectives and plans are achieved
  • Risks related to the achievement of the University’s strategic objectives are appropriately identified and managed
  • Interaction with various governance groups occurs as needed
  • Quality and continuous improvement are promoted in the University’s control processes
  • Operations or programs, including risk management and governance activities of the University, are being carried out effectively and efficiently.
  • Resources are acquired economically, used efficiently, and adequately protected
  • The results of operations or programs are consistent with established
  • Financial, managerial, and operational information is accurate, reliable, and available
  • Actions of the University’s officers, directors, team members, and third parties are in compliance with the University policies, procedures, applicable laws and regulations, and governance standards that could have a significant impact on operations.
  • Significant legislative and regulatory issues impacting the University are recognized and appropriately addressed
  • Information technologies are integrated and aid in accomplishing University objectives 

As necessary, the Office will make recommendations to improve the effectiveness of the overall control environment, risk management and governance process. 

Responsibility

The Office and the Chief Audit Executive have the responsibility to:

  • Submit, at least annually, to the Audit and Enterprise Risk Committee the Internal Audit Charter that includes the department’s purpose, authority and responsibility for review and approval.
  • Submit, at least annually, to the Audit and Enterprise Risk Committee a risk-based, flexible Internal Audit plan for review and The Plan will include e resources for unplanned projects.
  • Allocate resources, setting timelines, determine scope of work, and apply the techniques required to accomplish the audit objectives.
  • Communicate results of internal audits and other activities and issue written communication following the conclusion of each audit to executive management, as appropriate.
  • Communicate to executive management and the Audit and Enterprise Risk Committee the impact of resource requirements and limitations on the Internal Audit plan, if any.
  • Communicate to executive management and the Audit and Enterprise Risk Committee any significant interim changes to the Internal Audit plan and performance relative to the plan.
  • Communicate audit results, assess management responses, and conduct follow-up accordingly.
  • Report periodically to executive management and the Audit and Enterprise Risk Committee any significant mitigation plans not effectively implemented and any response to risk by management that may be unacceptable to the University.
  • Submit, at least annually, to the Audit and Enterprise Risk Committee a summary of significant findings, risks, investigations, and other key matters of importance requiring the attention of or requested by the Committee or management.
  • Ensure the principles of integrity, objectivity, confidentiality, and competency are applied and upheld and communicate the department’s conformance with the IIA’s Code of Ethics and Standards, and action plans to address any significant conformance issues.
  • Evaluate whether the Office collectively possesses or maintains sufficient knowledge, skills, and other competencies to achieve the engagement objectives and to meet the requirements of this Charter or engage third parties as appropriate.
  • Administer the anonymous reporting program
  • Consider the scope of work of the external auditors or regulators for purposes of providing optimal audit coverage to the University.
  • Monitor, on an ongoing basis, the performance of the internal audit activity and consider emerging trends and successful practices in Internal Auditing. 

Standards for the Professional Practice of Internal Auditing

All audit activity is governed by the guidance of the Institute of Internal Auditor’s (IIA) International Professional Practices Framework, including the Core Principles for the Professional Practice of Internal Auditing, the International Standards for the Professional Practice of Internal Auditing and the Definition of Internal Auditing (Professional Standards), and the Code of Ethics. In addition, the Office will adhere to the University’s policies and procedures, the Internal Audit Office standard operating procedures, and other guidelines developed by the Chief Audit Executive to implement emerging trends and successful practices in internal auditing, as applicable. The Chief Audit Executive will report periodically to executive management and the Audit and Enterprise Risk Committee regarding the Department’s conformance to the Professional Standards and the Code of Ethics. 

Independence and Objectivity

In order to ensure that the Internal Audit activities are conducted in an independent and objective manner, the Office will remain free from interference by any element in the organization, including in matters of audit selection, scope, procedures, frequency, timing, or report content. If the Chief Audit Executive determines that independence or objectivity may be impaired in fact or appearance, the details of impairment will be disclosed to appropriate parties including the Audit and Enterprise Risk Committee. 

Internal Audit has no direct operating responsibility or authority for management processes, internal controls, or any of the activities or operations it reviews; thereby, maintaining its independence and objectivity. Accordingly, Internal Audit will generally not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair judgment or objectivity, including: 

  • Assessing specific operations for which auditors had responsibility within the previous year.
  • Performing any operational duties for the University.
  • Initiating or approving transactions external to the Internal Audit Office.
  • Directing the activities of any the University team member not employed by the Internal Audit Office, except to the extent that such team members have been appropriately assigned to auditing teams or to otherwise assist Internal Auditors. 

Internal Audit staff will:

  • Disclose any impairment of independence or objectivity, in fact or appearance, to the Chief Audit Executive.
  • Exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the University, or any activity or process being examined.
  • Make balanced assessments of all available and relevant facts and circumstances.
  • Take necessary precautions to avoid being unduly influenced by its own interests or by others in forming judgments. 

The Office may perform advisory activities, the nature and scope of which will be agreed with the applicable stakeholders, provided the Internal Audit’s independence and objectivity are not impaired. Any such advisory activity performed by the Office which are intended to assist University management in effectively executing their responsibilities do not substitute or otherwise relieve University management of their managerial responsibilities. 

The Chief Audit Executive will disclose to the Audit and Enterprise Risk Committee any interference and related implications in determining the scope of internal auditing, performing work, and/or communicating results. 

Reporting

The Internal Audit Office reports administratively to the Treasurer of the University and functionally to the Audit and Enterprise Risk Committee of the Board of Trustees. This structure is in accordance with The Bylaws of the Trustees Article IV, Section 6: 

“The Treasurer of the Corporation shall maintain an internal audit office independent of any other office of the Corporation or of the University. The Director of Audits shall submit to the Board annually a written report on the work of the internal audit office for the preceding calendar year. In addition, the Director of Audits, prior to the presentation of the written annual report, shall make an annual oral presentation concerning the work of the internal audit office to the Audit and Enterprise Risk Committee, which shall be made in the presence of the Treasurer. Immediately following the completion of each oral presentation, the Director of Audits shall confer with the Audit and Enterprise Risk Committee, outside the presence of the Treasurer or any other officer of the University on any subject germane to the area of responsibility of the internal audit office. The written annual report to the Board shall be made at a stated meeting selected by the Audit and Enterprise Risk Committee, but in no event shall it be deferred beyond July 1 of each year without the consent of the Chairman. In addition, at any time when in the judgment of the Director of Audits circumstances warrant or in response to a request from the Chairman of the Audit and Enterprise Risk Committee, the Director of Audits shall make a written or oral report to the Chairman of the Audit and Enterprise Risk Committee without informing the Treasurer or any other University officer. Subject to the foregoing, the Treasurer shall attend the meetings of the Audit and Enterprise Risk Committee and serve as its Secretary and keep a record of its proceedings.” 

Authority

The Chief Audit Executive, Internal Audit will report functionally to the Audit and Enterprise Risk Committee of the Board of Directors and administratively to the Chief Financial Officer. The Audit and Enterprise Risk Committee has the following responsibilities to establish, maintain, and assure that the University’s Internal Audit Department has sufficient authority to fulfill its duties, including:

  • Oversee the Internal Audit Department’s activities.
  • Review and approve the Internal Audit Charter and any revisions there to on an annual basis.
  • Concur on the appointment, replacement, reassignment, or dismissal of the Chief Audit Executive.
  • Approve the annual Internal Audit plan and any significant changes made to it thereafter.
  • Review Internal Auditor independence, activities, staffing, organizational structure, and credentials of the Internal Audit Department.
  • Review and discuss the progress and results of executing the Internal Audit plan.
  • Receive written quarterly reports from the Chief Audit Executive on the status of significant findings, risks, investigations, and other key matters of importance.
  • Review the annual performance of the Internal Audit function.
  • Make appropriate inquires of the Chief Audit Executive to determine whether there are scope or resource limitations.
  • Conduct executive sessions with the Chief Audit Executive, as needed. 

The Internal Audit Office, with strict accountability for confidentiality and safeguarding records and information, provides system-wide audit coverage and has unrestricted access to all University functions, records, property, and personnel, subject to state and federal law and is authorized by the Audit and Enterprise Risk Committee to: 

  • Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques required to accomplish audit objectives, and issue reports.
  • Obtain assistance from necessary personnel of the University, as well as other specialized services from within or outside the University, in order to assist the Office in fulfilling its role and responsibilities. Assistance from outside the University is to be reviewed with the Chief Financial Officer prior to engaging in vendor selection and procurement and entering into any agreement.
  • Have free and unrestricted access to the Audit and Enterprise Risk Committee of the Board of Directors.
Purdue University, Purdue Northwest, Indiana University Purdue University Fort Wayne