Internal Audit Charter

PURPOSE
The authority and responsibilities of the Oregon University System Internal Audit Division (IAD) are defined in this charter, which is approved by the Chancellor and Oregon State Board of Higher Education Finance and Administration Committee.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The IAD shall uphold the principles of integrity, objectivity, confidentiality, and competency as defined in the Institute of Internal Auditors Code of Ethics and shall adhere to the International Standards for the Professional Practice of Internal Auditing (Standards). The IAD is to utilize the Committee of Sponsoring Organizations (COSO) as the model for evaluating the adequacy of internal controls within the Oregon University System.

AUTHORITY
The Chief Audit Executiveof Internal Audit reports administratively to the Chancellor and functionally to the Finance and Administration Committee of the State Board of Higher Education.

Authorization is granted for full and complete access to any of the organization's records (either manual or electronic), physical properties, and personnel relevant to an audit engagement. Documents and information given to internal auditors during a periodic review will be handled in a confidential and prudent manner, as required by the Institute of Internal Auditors Code of Ethics.

University management is responsible for the risk management and internal control structure over the areas audited. Internal auditors have no direct responsibility or any authority over any of the activities or operations that they review. They should not develop and install procedures, prepare records, or engage in activities, which would normally be reviewed by the IAD.

RESPONSIBILITY
The IAD is responsible for developing and implementing an annual internal audit plan that outlines the engagements to be performed using an appropriate risk-based methodology. The annual plan is to include the consideration of any risks or control concerns identified by management and is reviewed and approved by the Chancellor and the Finance and Administration Committee of the State Board of Higher Education. IAD performs four types of engagements.

  1. Assurance Services. Assurance services are objective examinations of evidence for the purpose of providing an independent assessment. This includes assessing and reporting on the adequacy and effectiveness of the internal controls and the quality of performance in carrying out assigned responsibilities. The scope includes reviewing and evaluating:
    • internal controls established to ensure compliance with applicable policies, plans, procedures, laws, regulations, and contracts
    • the means with which assets are safeguarded
    • the reliability and integrity of financial and operating information
    • the economy, efficiency, and effectiveness with which resources are employed
    • IT systems to determine if they are appropriately managed, controlled, and protected.
  2. Consulting Services. Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.
  3. Investigative Engagements. Investigations evaluate allegations of unethical business practices and/or financial and operational misconduct to determine if allegations are substantiated and to prevent future occurrences.
  4. Follow-up Engagements. Follow-up engagements evaluate plans and actions taken to correct reported conditions.

A written report will be prepared and issued by the Chief Audit Executiveof Internal Audit following the conclusion of each engagement and will be distributed appropriately. University management shall respond in a timely manner. This response will indicate what actions were taken or are planned, and an anticipated completion date in regard to the specific recommendations. Copies of final reports will be distributed to the University president and Chancellor as well as appropriate university and Oregon University System personnel.

ADDITIONAL RESPONSIBILITIES FOR THE IAD CHIEF AUDIT EXECUTIVE INCLUDE:

  • Ensuring operations comply with the Standards;
  • Obtaining an external quality assurance review in accordance with the Standards and reviewing all recommendations with the Chancellor and Finance and Administration Committee;
  • Maintaining a professional audit staff with sufficient knowledge, skills, experience, and professional certifications;
  • Ensuring coordinated audit efforts with external auditors;
  • Maintaining the OUS Fraud, Waste, and Abuse Hotlineand coordinating investigations with university management and the Oregon Secretary of State Audits Division;
  • Keeping the Chancellor, campus executives, and the Finance and Administration Committee apprised of high-risk engagement issues as they arise; and  
  • Issuing quarterly progress reports to the Chancellor and Finance and Administration Committee summarizing the results of engagement activities.

Board approval: May 24, 2013