Skip to main content

Charter

Internal Audit Charter

Purpose and Definition

The Office of Internal Audit (Internal Audit) performs independent and objective assurance and advising activities that are guided by a philosophy of adding value to improve the operations of Norfolk State University (NSU), as defined by the Audit, Risk and Compliance Committee.   The purpose of the internal audit function is to strengthen Norfolk State University’s ability to create, protect, and sustain value by providing the Board of Visitors, President of the University and management with independent, risk-based, and objective assurance, advice, insight, and foresight.

 

 The internal audit function enhances Norfolk State University’s:

  • Successful achievement of its objectives.
  • Governance, risk management, and control processes.
  • Decision-making and oversight.
  • Reputation and credibility with its stakeholders.
  • Ability to serve the public interest.

 

Norfolk State University’s internal audit function is most effective when:

  • Internal auditing is performed by competent professionals in conformance with The IIA’s Global Internal Audit StandardsTM, which are set in the public interest.
  • The internal audit function is independently positioned with direct accountability to the Board of Visitors.

 

Commitment to Adhering to the Global Internal Audit Standards

The Norfolk State University internal audit function will adhere to the mandatory elements of The Institute of Internal Auditors' International Professional Practices Framework, which are the Global Internal Audit Standards and Topical Requirements. The Chief Audit Executive will report annually to the Board of Visitors, President of the University and senior management regarding the internal audit function’s conformance with the Standards, which will be assessed through a quality assurance and improvement program. Internal Audit may report that its operations are conducted in conformance with the Internal Auditors' International Professional Practices Framework, only if the results of the quality assurance and improvement program support the statement.

 

Mandate

The Virginia Acts of Assembly (Senate Bill 1477, Chapter 871 and House Bill 2076, Chapter 798) and the Code of Virginia (§ 2.2-307, § 2.2-313); establishes the Office of the State Inspector General (OSIG) and charges the office with oversight of all state internal audit programs. Per OSIG General Directive 001, October 2023, such oversight includes ensuring internal audit programs:

1. Are reporting to the proper management level to conform with IIA standards to preserve maximum independence. 

2. Are following the appropriate standards, as evidenced by compliance with periodic quality assessment reviews (QAR). 

3. Are operating at an acceptable performance level in order to: 

a. Produce risk-based audit plans. 

b. Provide acceptable agency coverage. 

c. Produce appropriate reports for management, with an effective follow-up process in place to ensure corrective action is taken.

 

In addition, the internal audit activity will adhere to relevant University policies, Institute of Internal Auditors, and the Governmental Auditing Standards of the Government Accountability Office.  Any aspects of financial auditing will be conducted in accordance with Generally Accepted Accounting Principles (GAAP.) Information Technology audits will utilize the Commonwealth of Virginia Information Technology Resource Management Information Security Standard SEC530 as guidance.

 

Authority

The internal audit function’s authority is created by its dual reporting relationship to the Board of Visitors and the President of the University.   Such authority allows for unrestricted access to the Board of Visitors and the Audit Committee.  Norfolk State University's President, through the Board of Visitors, grants the internal audit function the mandate to provide the Board and senior management with objective assurance, advice, insight, and foresight. 

 

The President and the Board authorizes the internal audit function to: 

  • Have full and unrestricted access to all functions, data, records, information, physical property, and personnel pertinent to carrying out internal audit responsibilities.  Internal auditors are accountable for confidentiality and safeguarding records and information. 
  • Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques, and issue communications to accomplish the function's objectives.
  • Obtain assistance from the necessary personnel of Norfolk State University and other specialized services from within or outside Norfolk State University to complete internal audit services.

 

The CAE will be a de facto, non-voting, member of Executive Management and President’s Extended Cabinet.

 

Independence, Organization and Reporting

The Chief Audit Executive will be positioned at a level in the organization that enables internal audit services and responsibilities to be performed without undue influence, thereby establishing the independence of the internal audit function. The Chief Audit Executive will report functionally to the Board of Visitors and administratively (including essential business functions) to the President of the University. This positioning provides the organizational authority and status to bring matters directly to senior management and escalate matters to the Audit Committee, when necessary, and supports the internal auditors’ ability to maintain objectivity. 

The Chief Audit Executive will confirm to the Board of Visitors, at least annually, the organizational independence of the internal audit function. If the governance structure does not support organizational independence, the Chief Audit Executive will document the characteristics of the governance structure limiting independence and any safeguards employed to achieve the principle of independence. The Chief Audit Executive will disclose to the Board of Visitors any interference internal auditors encounter related to the scope, performance, or communication of internal audit work and results. The disclosure will include communicating the implications of such interference on the internal audit function’s effectiveness and ability to fulfill its mandate.

Changes to the Mandate and Charter 

Circumstances may justify a follow-up discussion between the Chief Audit Executive, Board of Visitors, and President of the University on the internal audit mandate or other aspects of the internal audit charter. Such circumstances may include but are not limited to:

·      A significant change in the Global Internal Audit Standards.

·      A significant reorganization within the organization.

·      Significant changes in the Chief Audit Executive, Board of Visitors, and/or senior management.

·      Significant changes to the organization’s strategies, objectives, risk profile, or the environment in which the organization operates.

·      New laws or regulations that may affect the nature and/or scope of internal audit services.

 

Board of Visitors Oversight

The responsibilities of the Audit Risk and Compliance Committee are outlined in the Board of Visitors governing documents or Bylaws. To establish, maintain, and ensure that Norfolk States University’s internal audit function has sufficient authority to fulfill its duties, the Board of Visitors will ensure the following “essential conditions,” or activities which enable the function’s success:

·      Discuss with the Chief Audit Executive and senior management the appropriate authority, role, responsibilities, scope, and services (assurance and/or advisory) of the internal audit function.

·      Ensure the Chief Audit Executive has unrestricted access to and communicates and interacts directly with the Board of Visitors.

·      Discuss with the Chief Audit Executive and senior management other topics that should be included in the internal audit charter.

·      Participate in discussions with the Chief Audit Executive and senior management about the “essential conditions,” described in the Global Internal Audit Standards, which establish the foundation that enables an effective internal audit function.

·      Approve the internal audit function’s charter, which includes the internal audit mandate and the scope and types of internal audit services.

·      Review the internal audit charter annually with the Chief Audit Executive to consider changes affecting the organization, such as the employment of a new Chief Audit Executive or changes in the type, severity, and interdependencies of risks to the organization; and approve the internal audit charter annually.

·      Approve the risk-based internal audit plan.

·      Advocate to senior management, for sufficient budget and resources allowing the internal audit function to fulfill its mandate and accomplish its audit plan.

·      Provide input to the President on the appointment and removal of the Chief Audit Executive, ensuring adequate competencies and qualifications and conformance with the Global Internal Audit Standards.

·      Receive communications from the Chief Audit Executive about the internal audit function including its performance relative to its plan.

·      Ensure a quality assurance and improvement program has been established and review the results annually.

  • Make appropriate inquiries of senior management and the Chief Audit Executive to determine whether scope or resource limitations are inappropriate.

President of the University Oversight

To establish, maintain, and ensure that Norfolk State University's internal audit function has sufficient authority to fulfill its duties, the President will: 

 

  • Discuss with the Chief Audit Executive and senior management the appropriate authority, role, responsibilities, scope and services (assurance and/or advisory) of the internal audit function.
  • Discuss with the Chief Audit Executive and senior management other topics that should be included in the internal audit charter.
  • Participate in discussions with the Chief Audit Executive and senior management about the "essential conditions," described in the Global Internal Audit Standards, which establish the foundation that enables an effective internal audit function. 
  • Approve the internal audit function's charter, which includes the internal audit mandate and the scope and types of internal audit services. 
  • Review the internal audit charter periodically with the Chief Audit Executive to consider changes affecting the organization, such as the employment of a new Chief Audit Executive or changes in the type, severity, and interdependencies of risks to the organization. 
  • Approve the risk-based internal audit plan.
  • Approve the nature and scope of special projects.
  • Approve the internal audit function's human resources administration and budgets.
  • Approve the internal audit function expenses. 
  • Collaborate with senior management to determine the qualifications and competencies the organization expects in a Chief Audit Executive of Internal Audit, as described in the Global Internal Audit Standards. 
  • Authorize the appointment and removal of the Chief Audit Executive.
  • Approve the remuneration of the Chief Audit Executive. 
  • Receive communications from the Chief Audit Executive about the internal audit function including its performance relative to its plan.
  • Ensure a quality assurance and improvement program has been established. 
  • Review the results of the quality assurance and improvement program.
  • Make appropriate inquiries of the Chief Audit Executive and management to determine whether scope or resource limitations are inappropriate. 
  •  

Chief Audit Executive Roles and Responsibilities

Ethics and Professionalism

The Chief Audit Executive will ensure that internal auditors:

·      Conform with the Global Internal Audit Standards, including the principles of Ethics and Professionalism: integrity, objectivity, competency, due professional care, and confidentiality.

·      Understand, respect, meet, and contribute to the legitimate and ethical expectations of the organization and be able to recognize conduct that is contrary to those expectations.

·      Encourage and promote an ethics-based culture in the organization. 

  • Report organizational behavior that is inconsistent with the organization’s ethical expectations, as described in applicable policies and procedures.

Objectivity 

The Chief Audit Executive will ensure that the internal audit function remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of engagement selection, scope, procedures, frequency, timing, and communication. If the Chief Audit Executive determines that objectivity may be impaired in fact or appearance, the details of the impairment will be disclosed to appropriate parties. 

Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively such that they believe in their work product, do not compromise quality, and do not subordinate their judgment on audit matters to others, either in fact or appearance.

Internal auditors will have no direct operational responsibility or authority over any of the activities they review. Accordingly, internal auditors will not implement internal controls, develop procedures, install systems, or engage in other activities that may impair their judgment, including:

  • Assessing specific operations for which they had responsibility within the previous year. 

·      Performing operational duties for Norfolk State University or its affiliates.

·      Initiating or approving transactions external to the internal audit function.

  • Directing the activities of any Norfolk State University employee that is not employed by the internal audit function, except to the extent that such employees have been appropriately assigned to internal audit teams or to assist internal auditors.

Internal auditors will:

·      Disclose impairments of independence or objectivity, in fact or appearance, to appropriate parties and at least annually, such as the Chief Audit Executive, Board of Visitors, President of the University, management, or others.

·      Exhibit professional objectivity in gathering, evaluating, and communicating information. 

·      Make balanced assessments of all available and relevant facts and circumstances.

  • Take necessary precautions to avoid conflicts of interest, bias, and undue influence.

Managing the Internal Audit Function

The Chief Audit Executive has the responsibility to:

·      At least annually, develop a risk-based internal audit plan that considers the input of the Board of Visitors and President of the University. Discuss the plan with the Board of Visitors and President of the University and submit the plan to the Board of Visitors for review and approval. 

·      Communicate the impact of resource limitations on the internal audit plan to the Board of Visitors, President and senior management.

·      Review and adjust the internal audit plan, as necessary, in response to changes in Norfolk State University’s business, risks, operations, programs, systems, and controls.

·      Communicate with the Board of Visitors and President of the University if there are significant interim changes to the internal audit plan.

·      Ensure internal audit engagements are performed, documented, and communicated in accordance with the Global Internal Audit Standards and laws and/or regulations. 

·      Follow up on engagement findings and confirm the implementation of recommendations or action plans and communicate the results of internal audit services to the Board of Visitors and President of the University quarterly and for each engagement as appropriate. 

·      Ensure the internal audit function collectively possesses or obtains the knowledge, skills, and other competencies and qualifications needed to meet the requirements of the Global Internal Audit Standards and fulfill the internal audit mandate.

·      Identify and consider trends and emerging issues that could impact Norfolk State University and communicate to the Board of Visitors and President of the University as appropriate.

·      Consider emerging trends and successful practices in internal auditing.

·      Establish and ensure adherence to methodologies designed to guide the internal audit function.

·      Ensure adherence to Norfolk State University’s relevant policies and procedures unless such policies and procedures conflict with the internal audit charter or the Global Internal Audit Standards. Any such conflicts will be resolved or documented and communicated to the Board of Visitors and the President of the University.

·      Coordinate activities and consider relying upon the work of other internal and external providers of assurance and advisory services. If the Chief Audit Executive cannot achieve an appropriate level of coordination, the issue must be communicated to President of the University and senior management and if necessary escalated to the Audit Committee.

 

Communication with the Board of Visitors, President of the University and Senior Management 

The Chief Audit Executive will report annually to the Board of Visitors, President of the University and senior management regarding:

·      The internal audit function’s mandate.

·      The internal audit plan and performance relative to its plan.

·      Significant revisions to the internal audit plan and budget. 

·      Potential impairments to independence, including relevant disclosures as applicable. 

·      Results from the quality assurance and improvement program, which include the internal audit function’s conformance with The IIA’s Global Internal Audit Standards and action plans to address the internal audit function’s deficiencies and opportunities for improvement.

·      Significant risk exposures and control issues, including fraud risks, governance issues, and other areas of focus for the Board of Visitors and the University President that could interfere with the achievement of Norfolk State University’s strategic objectives.

·      Results of assurance and advisory services.

  • Resource requirements.

Quality Assurance and Improvement Program

The Chief Audit Executive will develop, implement, and maintain a quality assurance and improvement program that covers all aspects of the internal audit function. The program will include external and internal assessments of the internal audit function’s conformance with the Global Internal Audit Standards, as well as performance measurement to assess the internal audit function’s progress toward the achievement of its objectives and promotion of continuous improvement. The program also will assess, if applicable, compliance with laws and/or regulations relevant to internal auditing. Also, if applicable, the assessment will include plans to address the internal audit function’s deficiencies and opportunities for improvement. 

Annually, the Chief Audit Executive will communicate with the Board of Visitors, President of University and senior management about the internal audit function’s quality assurance and improvement program, including the results of internal assessments (ongoing monitoring and periodic self-assessments) and external assessments. External assessments will be conducted at least once every five years by a qualified, independent assessor or assessment team from outside Norfolk State University; qualifications must include at least one assessor holding an active Certified Internal Auditor® credential. 

 

Scope and Types of Internal Audit Services 

The scope of internal audit services covers the entire breadth of the organization, including all of Norfolk State University’s activities, assets, data security and personnel.  The scope of internal audit activities also encompasses but is not limited to objective examinations of evidence to provide independent assurance and advisory services to the Board of Visitors and management on the adequacy and effectiveness of governance, risk management, and control processes for Norfolk State University. 

The Chief Audit Executive is authorized to develop and adjust the internal audit plan as a result of requests from management to undertake advisory services and reviews that are not in the internal audit plan.  The nature and scope of advisory services may be agreed upon with the party requesting the service, provided the internal audit function does not assume management responsibility. Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during advisory engagements. These opportunities will be communicated to the appropriate level of management.

Requests to perform special projects must be coordinated with senior management and the nature of the project must be approved by the President of the University to ensure safeguards will be established to limit impairments to independence and objectivity.

Internal audit engagements may include evaluating whether: 

·      Risks relating to the achievement of Norfolk State University’s strategic objectives are appropriately identified and managed.

·      The actions of Norfolk State University’s officers, management, employees, and contractors or other relevant parties comply with Norfolk State University’s policies, procedures, and applicable laws, regulations, and governance standards.

·      The results of operations and programs are consistent with established goals and objectives.

·      Operations and programs are being carried out effectively, efficiently, ethically, and fairly.

·      Established processes and systems enable compliance with the policies, procedures, laws, and regulations that could significantly impact Norfolk State University.

·      The integrity of information and the means used to identify, measure, analyze, classify, and report such information is reliable.

·      Controls over program development, change control, applications, system security, databases, logical security and physical security are appropriately managed.

·      Any system that processes any data of which the compromise with respect to confidentiality, integrity, and/or availability could have a material adverse effect on NSU interests, the conduct of NSU programs, or the privacy to which individuals are entitled.

  • Resources and assets are acquired economically, used efficiently and sustainably, and protected adequately.