Office of Internal Audit
Purpose and Mission
The purpose of the internal audit activity at the University of Denver (the University) is to provide independent, objective assurance and advisory services designed to add value and improve the University’s operations. The mission of internal audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. The internal audit activity will foster a culture of continuous improvement and transparency, aligning its services with the strategic goals of the University. The internal audit activity helps the University accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes. The internal audit activity is an essential component of the University’s governance structure.
Assurance and advisory services are defined by the Institute of Internal Auditors (IIA) as follows:
- Assurance services: Services through which internal auditors perform objective assessments to provide assurance. Examples of assurance services include compliance, financial, operational/performance, and technology engagements. Internal auditors may provide limited or reasonable assurance, depending on the nature, timing, and extent of procedures performed.
- Advisory services: Services through which internal auditors provide advice to an organization’s stakeholders without providing assurance or taking on management responsibilities. The nature and scope of advisory services are subject to agreement with relevant stakeholders. Examples include advising on the design and implementation of new policies, processes, systems, and products; providing forensic services; providing training; and facilitating discussions about risks and controls. “Advisory services” are also known as “consulting services."
Internal Audit Department Charter
-
Standards for the Professional Practice of Internal Auditing
The internal audit activity will govern itself by adherence to the mandatory elements of The Institute of Internal Auditors' International Professional Practices Framework, including Global Internal Audit Standards, Topical Requirements, and Global Guidance. The Chief Audit Executive (the University's Internal Audit Manager) will report periodically to senior management and the Audit Committee regarding the internal audit activity’s conformance to the Code of Ethics and the Standards.
The Institute of Internal Auditors' Practice Advisories, Practice Guides, and Position Papers will also be adhered to, as applicable, to guide operations. In addition, the internal audit activity will adhere to the University's relevant policies and procedures. In the event that there is a conflict between the University's policies and procedures and the Standards, the University's policies and procedures will prevail. The Standards will serve as the internal audit activity's standard operating procedures manual.
-
Authority and Organization
The internal audit activity is established by the Audit Committee of the Board of Trustees (the Audit Committee). The internal audit activity's responsibilities are defined by the Audit Committee as part of its oversight role.
The Chief Audit Executive will report functionally to the Audit Committee and administratively (i.e., day-to-day operations and expense approval) to the Associate Vice Chancellor of Risk and Compliance. To establish, maintain, and assure that the University’s internal audit activity has sufficient authority to fulfill its duties, the Audit Committee will:
- Approve the internal audit charter.
- Approve the risk-based internal audit plan.
- Assess the adequacy of resources of the internal audit activity during the budget cycle and offer recommendations, if any, to the administration.
- Receive communications from the Chief Audit Executive on the internal audit activity's performance relative to its plan and other matters.
- Approve decisions regarding the appointment and removal of the Chief Audit Executive.
- Approve the remuneration of the Chief Audit Executive.
- Approve the performance reviews of the Chief Audit Executive.
- Make appropriate inquiries of management and the Chief Audit Executive to determine whether there is inappropriate scope or resource limitations.
- Receive from the Chief Audit Executive regular reports on the status of all open audit recommendations.
The Chief Audit Executive will have unrestricted access to, and communicate directly with, the Audit Committee, including in private meetings without management present. The Audit Committee authorizes the internal audit activity to:
- Have full, free, and unrestricted access to all functions, records, property, and personnel pertinent to carrying out an engagement, subject to accountability for confidentiality and safeguarding of records and information.
- Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques required to accomplish audit objectives, and issue reports.
- Obtain assistance from necessary University personnel, as well as other specialized services from within or outside the University, to complete the engagement.
-
Independence and Objectivity
The Chief Audit Executive will ensure that the internal audit activity remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and report content. If the Chief Audit Executive determines that independence or objectivity may be impaired in fact or appearance, the details of impairment will be disclosed to appropriate parties.
Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others. All internal auditors will participate in annual training on ethics and independence.
Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, internal auditors will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgment, including:
- Assessing specific operations for which they had responsibility within the previous year.
- Performing any operational duties for the University or its affiliates.
- Initiating or approving transactions external to the internal audit activity.
- Directing the activities of any University employee not employed by the internal audit activity, except to the extent that such employees have been appropriately assigned to auditing teams or to otherwise assist internal auditors.
Where the Chief Audit Executive has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards will be established to limit impairments to independence or objectivity. Internal auditors will:
- Disclose any impairment of independence or objectivity, in fact or appearance, to appropriate parties.
- Exhibit professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.
- Make balanced assessments of all available and relevant facts and circumstances.
- Take necessary precautions to avoid being unduly influenced by their own interests or by others in forming judgments.
The Chief Audit Executive will confirm to the Audit Committee, at least annually, the organizational independence of the internal audit activity. The Chief Audit Executive will disclose to the Audit Committee any interference and related implications in determining the scope of internal auditing, performing work, and/or communicating results.
-
Scope of Internal Audit Activities
The scope of internal audit activities encompasses, but is not limited to, objective examinations of evidence for the purpose of providing independent assessments to the Audit Committee, management, and outside parties on the adequacy and effectiveness of governance, risk management, and control processes for the University. Internal audit assessments include evaluating whether:
- Risks relating to the achievement of the University’s strategic objectives are appropriately identified and managed.
- The actions of the University’s officers, directors, employees, and contractors comply with the University’s policies, procedures, and applicable laws, regulations, and governance standards.
- The results of operations or programs are consistent with established goals and objectives.
- Operations or programs are carried out effectively and efficiently.
- Established processes and systems enable compliance with the policies, procedures, laws, and regulations that could significantly impact the University.
- Information and the means used to identify, measure, analyze, classify, and report such information are reliable and have integrity.
- Resources and assets are acquired economically, used efficiently, and protected adequately.
The Chief Audit Executive will report periodically to senior management and the Audit Committee regarding:
- The internal audit activity’s purpose, authority, and responsibility.
- The internal audit activity’s plan and performance relative to its plan.
- The internal audit activity’s conformance with The Institute of Internal Auditor (IIA)’s Code of Ethics and Standards, and action plans to address any significant conformance issues.
- Significant risk exposures and control issues, including fraud risks, governance issues, and other matters requiring the attention of, or requested by, the Audit Committee.
- Results of audit engagements or other activities.
- Resource requirements.
- Any response to risk by management that may be unacceptable to the University.
- Emerging trends and issues that could impact the University.
The Chief Audit Executive also coordinates activities, where possible, and considers relying upon the work of other internal and external assurance and advisory service providers as needed. The internal audit activity may perform advisory and related client service activities, the nature and scope of which will be agreed with the client, provided the internal audit activity does not assume management responsibility. Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during engagements. These opportunities will be communicated to the appropriate level of management.
The internal audit activity will also manage the Ethics, Compliance, & Financial Hotline established to receive anonymous reports and will investigate reports received as appropriate.
-
Responsibility
At least annually, the Chief Audit Executive will submit to senior management and the Audit Committee an internal audit plan for review and approval. The internal audit plan will consist of a work schedule as well as budget and resource requirements for the next fiscal year. The Chief Audit Executive will communicate the impact of resource limitations and significant interim changes to senior management and the Audit Committee.
The internal audit plan will be developed based on a prioritization of the audit universe using a risk-based methodology, including input from senior management and the Audit Committee. The Chief Audit Executive will review and adjust the plan, as necessary, in response to changes in the organization's business, risks, operations, programs, systems, and controls. Any significant deviation from the approved internal audit plan will be communicated to senior management and the Audit Committee through periodic activity reports.
The Chief Audit Executive has the responsibility to ensure the following:
- Each engagement of the internal audit plan is executed, including the establishment of objectives and scope, the assignment of appropriate and adequately supervised resources, the documentation of work programs and testing results, and the communication of engagement results with applicable conclusions and recommendations to appropriate parties.
- The principles of integrity, objectivity, confidentiality, and competency are applied and upheld.
- The internal audit activity collectively possesses or obtains the knowledge, skills, and other competencies needed to meet the requirements of the internal audit charter.
- Emerging trends and successful practices in internal auditing are considered.
- Adherence to policies and procedures designed to guide the internal audit activity.
- Adherence to the University’s relevant policies and procedures unless such policies and procedures conflict with the internal audit charter. Any such conflicts will be resolved or otherwise communicated to senior management and the audit committee.
- Conformance of the internal audit activity with the Standards, with the following qualifications:
- If the internal audit activity is prohibited by law or regulation from conformance with certain parts of the Standards, the Chief Audit Executive will ensure appropriate disclosures and will ensure conformance with all other parts of the Standards.
- If the Standards are used in conjunction with requirements issued by other authoritative bodies, the Chief Audit Executive will ensure that the internal audit activity conforms with the Standards, even if the internal audit activity also conforms with the more restrictive requirements of other authoritative bodies.
-
Reporting and Monitoring
A written report will be prepared and issued by the Chief Audit Executive or designee following the conclusion of each internal audit engagement and will be distributed as appropriate. Internal audit results will also be communicated to the Audit Committee.
The internal audit report may include management's response and corrective action to be taken in regard to the specific findings and recommendations. Management's response, whether included within the original audit report or provided thereafter (i.e. within thirty days) by management of the audited area should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented.
The internal audit activity will be responsible for appropriate follow-up on engagement findings and recommendations. All significant findings will remain in an open issues file until cleared.
The Chief Audit Executive will periodically report to senior management and the Audit Committee on the internal audit activity's purpose, authority, and responsibility, as well as performance relative to its plan. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the Audit Committee.
-
Quality Assurance and Improvement Program
The internal audit activity will maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program will include an evaluation of the internal audit activity's conformance with the Global Internal Audit Standards and achievement of performance objectives. The program will also assess the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement.
The Chief Audit Executive will communicate to senior management and the Audit Committee on the internal audit activity's quality assurance and improvement program, including results of internal assessments (both ongoing and periodic) and external assessments conducted at least once every five years by a qualified, independent assessor or assessment team from outside the University. When selecting the independent assessor or assessment team, the Chief Audit Executive will ensure at least one person holds an active Certified Internal Auditor (CIA) designation.