Oregon University System > Departments > Internal Audit

Charters

---

Internal Audit Charter

Purpose

The authority and responsibilities of the Oregon University System Internal Audit Division (IAD) are defined in this charter, which is approved by the Chancellor and Oregon State Board of Higher Education Finance and Administration Committee.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve the organization's operations.  It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The IAD shall uphold the principles of integrity, objectivity, confidentiality, and competency as defined in the Institute of Internal Auditors Code of Ethics and shall adhere to the International Standards for the Professional Practice of Internal Auditing (Standards).  The IAD is to utilize the Committee of Sponsoring Organizations (COSO) as the model for evaluating the adequacy of internal controls within the Oregon University System. 

Authority

The Executive Director of Internal Audit reports administratively to the Chancellor and functionally to the Finance and Administration Committee of the State Board of Higher Education.

Authorization is granted for full and complete access to any of the organization's records (either manual or electronic), physical properties, and personnel relevant to an audit engagement.  Documents and information given to internal auditors during a periodic review will be handled in a confidential and prudent manner, as required by the Institute of Internal Auditors Code of Ethics.

University management is responsible for the risk management and internal control structure over the areas audited.  Internal auditors have no direct responsibility or any authority over any of the activities or operations that they review.  They should not develop and install procedures, prepare records, or engage in activities, which would normally be reviewed by the IAD.

Responsibility

The IAD is responsible for developing and implementing an annual internal audit plan that outlines the engagements to be performed using an appropriate risk-based methodology.  The annual plan is to include the consideration of any risks or control concerns identified by management and is reviewed and approved by the Chancellor and the Finance and Administration Committee of the State Board of Higher Education.  IAD performs four types of engagements.

1. Assurance Services.  Assurance services are objective examinations of evidence for the purpose of providing an independent assessment.  This includes assessing and reporting on the adequacy and effectiveness of the internal controls and the quality of performance in carrying out assigned responsibilities.  The scope includes reviewing and evaluating:

• internal controls established to ensure compliance with applicable policies, plans, procedures, laws, regulations, and contracts
• the means with which assets are safeguarded
• the reliability and integrity of financial and operating information
• the economy, efficiency, and effectiveness with which resources are employed
• IT systems to determine if they are appropriately managed, controlled and protected

2. Consulting Services.  Consulting services are advisory and other service activities including counsel, advice, facilitation, process design, and training.  The objective of consulting services is to add value in the development or modification of processes, procedures, and controls to minimize risk and achieve objectives.  The nature and scope of particular consulting services are agreed upon with management.  Consulting services may include participation on various committees and task forces, including but not limited to, the design/development of new business and computer systems.

3. Investigative Engagements.  Investigations evaluate allegations of unethical business practices and/or financial and operational misconduct to determine if allegations are substantiated and to prevent future occurrences.

4. Follow-up Engagements.  Follow-up engagements evaluate plans and actions taken to correct reported conditions.

A written report will be prepared and issued by the Executive Director of Internal Audit following the conclusion of each engagement and will be distributed appropriately.  University management shall respond in a timely manner.  This response will indicate what actions were taken or are planned, and an anticipated completion date in regard to the specific recommendations.  Copies of final reports will be distributed to the University President and Chancellor as well as appropriate university and Oregon University System personnel. 

Additional responsibilities for the IAD Executive Director include:

• Ensuring operations comply with the Standards;
• Obtaining an external quality assurance review in accordance with the Standards and reviewing all recommendations with the Chancellor and Finance and Administration Committee;
• Maintaining a professional audit staff with sufficient knowledge, skills, experience, and professional certifications;
• Ensuring coordinated audit efforts with external auditors;
• Maintaining the OUS financial irregularity hotline and coordinating investigations with university management and the State of Oregon Audits Division;
• Keeping the Chancellor, campus executives, and the Finance and Administration Committee apprised of high-risk engagement issues as they arise; and
• Issuing quarterly progress reports to the Chancellor and Finance and Administration Committee summarizing the results of engagement activities.

Board Approved: September 4, 2009

 

Finance and Adminstration Committee

Charter as of July 10, 2009