Internal Audit Charter
Purpose and Definition:
This charter provides the framework for the Internal Audit Department, its activities and functions in the University, as defined by the Audit, Risk and Compliance Committee. The purpose of Internal Audit is to provide independent and objective assurance, advisory, and investigative services designed to add value, improve internal controls, and strengthen the University’s operations. It helps the University accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The mission of Internal Audit, as defined by the Institute of Internal Auditors, is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight into the University’s financial, operational and informational systems.
Role:
The University is committed to the professional practice of internal auditing. The function was established by the Board of Visitors (Board) through the Audit, Risk and Compliance Committee to assist the University in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the University’s governance, risk management, and internal controls. The activities performed by internal audit assist the University in the assessment and improvement of the effectiveness of the internal control framework, risk management, governance, and compliance processes. This includes processes designed to evaluate the effectiveness and efficiency of operations, ability to execute on strategic initiatives, reliability of financial reporting, and compliance with applicable laws and regulations.
Professionalism:
The work of the Internal Audit Department will be conducted in accordance with the Institute of Internal Auditors' mandatory guidance including the Core Principles for the Professional Practice of Internal Auditing, Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards).
The Institute of Internal Auditors' Practice Advisories, Practice Guides, and Position Papers will also be adhered to, as applicable, to guide operations. In addition, the internal audit activity will adhere to relevant University policies and procedures as well as the Governmental Auditing Standards of the Government Accountability Office. Any aspects of financial auditing will be conducted in accordance with Generally Accepted Accounting Principles (GAAP).
Authority:
The Internal Audit Department, with strict accountability for confidentiality and safeguarding records and information, is authorized full, free, and unrestricted access to any and all of the University’s records, physical properties, and personnel pertinent to carrying out any engagement, including third parties, independent auditors and other individuals relevant to an area under review.
All employees are requested to assist the Internal Audit Department in fulfilling its roles and responsibilities. Internal Audit, through the Chief Audit Executive (CAE), will also have free and unrestricted access to the Board and the Audit, Risk and Compliance Committee. The CAE will be a de facto, non-voting member of Executive Management (President’s Cabinet).
Organization:
The CAE will report functionally to the Audit, Risk and Compliance Committee of the Board of Visitors and administratively to the President of the University. The CAE will have direct access to the Audit, Risk and Compliance Committee and the President in any instance in which the CAE believes that such access is needed to fulfill the stated mission of the Department.
The Audit, Risk and Compliance Committee will:
- Approve the internal audit charter.
- Approve the risk-based internal audit plan.
- Approve the internal audit budget and resource plan.
- Receive communications from the CAE on the Internal Audit Department’s performance relative to its plan and other matters.
- Approve decisions regarding the appointment and removal of the CAE.
- Approve the remuneration of the CAE.
- Make appropriate inquiries of management and the CAE to determine whether there are inappropriate scope or resource limitations.
The CAE will communicate and interact directly with the Board and its members, including in closed meeting and between Board meetings, as appropriate.
Independence and Objectivity:
Internal Audit will remain free from interference by any element in the organization, including matters of audit selection, scope, procedures, frequency, timing, or report content, to permit maintenance of a necessary independent and objective mental attitude. Internal Auditors will not perform any operational duties, develop and install systems and procedures, initiate or approve accounting transactions, prepare records, or engage in any other activity which they would normally review and appraise and which could reasonably be construed to compromise, in appearance or fact, the independence and/or objectivity of the internal auditor.
Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.
Internal Audit’s objectivity and independence depend largely on having no responsibility for or authority over any of the activities or operations subject to its review. Further, the internal audit review and appraisal does not relieve other personnel in the organization of the responsibilities assigned to them.
Where the CAE has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards will be established to limit impairments to independence or objectivity.
Internal auditors will:
- Disclose any impairment of independence or objectivity, in fact or appearance, to appropriate parties.
- Exhibit professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.
- Make balanced assessments of all available and relevant facts and circumstances.
- Take necessary precautions to avoid being unduly influenced by their own interests or by others in forming judgments.
The CAE will confirm to the Audit, Risk and Compliance Committee, at least annually, the organizational independence of the Internal Audit Department and any interference and related implications in determining the scope of internal auditing, performing work and/or communicating results.
Scope and Responsibility:
The scope of internal auditing is to determine whether the University’s network of risk management, control and compliance processes, as designed and represented by management, is adequate and functioning. Outside services, where appropriate, may be obtained for specific expertise which is not available internally to meet the requirements of this charter. Internal audit will coordinate with other control, monitoring and compliance functions within the organization for the purpose of providing optimal audit coverage to the organization.
The scope includes, but is not limited to, evaluation of the following:
- Risks are appropriately identified and mitigated as they relate to achievement of the University’s strategic objectives, including the reliability and integrity of management information that is used to identify, measure, classify, and report such information.
- Management reporting of financial, operational, and managerial information is accurate, reliable, and timely.
- University’s governance processes, including management oversight and reporting.
- Procedures in place for compliance with University and Commonwealth of Virginia policies, plans, procedures, laws, and federal regulations which could have a significant impact on the University.
- Quality and continuous improvement of the University’s control process.
- Significant legislative and regulatory issues impacting the University, to confirm they are recognized, evaluated, and addressed appropriately.
Internal Audit will have responsibility for the following:
- Performing assurance services to independently assess the operation, function, process, system or other subject matter within the University. The nature and scope of the assurance engagement is determined by the internal auditor. Assurance services are not provided to parties outside of the University.
- Performing advisory services related to governance, risk management and control as appropriate for the University and consistent with the Internal Audit Department’s mission and independence. Advisory services are generally performed at the request of management. The nature and scope of the advisory engagement is subject to agreement with management.
- Maintaining a professional staff with sufficient knowledge, skills and experience to meet the objectives of this Charter, and communicate to the Audit, Risk and Compliance Committee the impact of resource limitations.
- Specific operations at the request of the Board or management, as appropriate.
- Monitoring and investigation of significant fraudulent activities within the organization, including calls received from the State Fraud, Waste, and Abuse Hotline.
Internal Audit Plan:
At least annually, the CAE will submit to senior management and the Audit, Risk and Compliance Committee a risk-based internal audit plan for review and approval. The internal audit plan will consist of a work schedule as well as budget and resource requirements for the next year. The CAE will communicate the impact of resource limitations and significant interim changes to senior management and the Board.
The internal audit plan will be developed based on a prioritization of the audit universe using a risk-based methodology, including input from senior management and the Board. Both assurance and advisory engagements are included in the audit plan. The CAE will review and adjust the plan, as necessary, in response to changes in the University’s strategic goals, risks, operations, programs, systems, and controls. Any significant deviation from the approved internal audit plan will be communicated to senior management and the Board through periodic activity reports.
Reporting and Monitoring:
The CAE will communicate the results of internal audits and recommendations for improvement to the Audit, Risk and Compliance Committee and the most senior management responsible for implementing corrective action.
The internal audit report will include management’s response and corrective action taken or to be taken in regard to the specific findings and recommendations. Management's response to audit findings and recommendations should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented. The Internal Audit Department will be responsible for appropriate follow-up on engagement findings and recommendations. All significant findings will remain in an open issues file until cleared. The CAE will provide the Audit, Risk and Compliance Committee with quarterly updates on the status of corrective action plans.
The CAE will periodically report to senior management and the Board on:
- The internal audit activity’s purpose, authority, and responsibility, as well as performance relative to its plan.
- The internal audit activity’s conformance to the IIA Code of Ethics and the Standards.
- Significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management, the Audit, Risk and Compliance Committee or the Board.
- Results of audit engagements or other activities.
Quality Assurance and Improvement Program:
The CAE shall develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program will enable the evaluation of the Internal Audit Department’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors abide by the Code of Ethics. The program will also assess the efficiency and effectiveness of the internal audit activity and identify opportunities for improvement. Part of this will include performance of a quality review checklist for select internal audit projects on a quarterly basis, to verify quality and adherence to the Standards.
The CAE will communicate to senior management and the Audit, Risk and Compliance Committee on the internal audit activity’s quality assurance and improvement program, including results of ongoing internal assessments and external assessments conducted at least every five years by a qualified, independent assessor.