IU Internal Audit Charter
August 12, 2016
The mission of IU Internal Audit ("IUIA") is to provide independent and objective assurance and consulting services for Indiana University ("IU" or "the University") including IU management ("Management") and the Board of Trustees of Indiana University (the "Board"). IUIA assists the University in accomplishing its mission and priorities by bringing a systematic, disciplined, and value-added approach to evaluate and improve the effectiveness of the University's governance structures, risk management processes, and internal controls by providing independent appraisals of the University's financial, operational, information technology and control activities.
The core values by which IUIA will seek to achieve its mission and support the University's mission and principles of excellence include:
- Professional Service: IUIA will provide timely, high-quality, value-added service in a manner that fosters collaboration and treats clients and colleagues with respect.
- Compliance: IUIA will adhere to all applicable laws and regulations, comply with the Institute of Internal Auditors ("IIA") standards and code of ethics, and comply with all Indiana University policies.
- Integrity: IUIA will always strive to do the right thing for the right reason; communicate in an honest, direct and transparent manner; be accountable, trustworthy and engaged team members; and earn and maintain the trust of the university community.
- Excellence: IUIA will demonstrate a commitment to professional excellence, maintain high professional standards through continuing professional development, and be a results-focused organization; IUIA team members will exercise initiative in providing solutions and generating insights for our clients.
- Intentionality: IUIA will be intentional about our work by planning, analyzing, evaluating, measuring, deliberating, adjusting, and then moving forward. IUIA will be intentional about our people by mentoring, training, developing and encouraging personal and professional growth.
The internal audit activity is established by the Finance, Audit and Strategic Planning Committee of the Board. IUIA responsibilities are defined by the Board as part of their oversight role.
IUIA, with strict accountability for confidentiality and safeguarding records and information, is authorized full, free, and unrestricted access to any and all of the University's information, records, systems, physical properties, and personnel pertinent to carrying out any engagement. All relevant University employees are required to assist IUIA in fulfilling its roles and responsibilities. IUIA will also have free and unrestricted access to senior management and the Board.
IU Internal Audit will govern itself by adherence to The Institute of Internal Auditors' mandatory guidance including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity's performance. In addition, IUIA will adhere to the University's relevant policies and procedures and IUIA's standard operating procedures manual.
The Associate Vice President & Chief Audit Officer ("AVP & CAO") will report functionally to the Board and administratively (i.e., day-to-day operations) to the Vice President & General Counsel. The Board will:
- Approve the internal audit charter.
- Review the risk-based internal audit plan and the internal audit budget and resource plan.
- Receive communications from the AVP & CAO on IU Internal Audit's performance relative to its plan and other matters.
- Approve decisions regarding the appointment and removal of the AVP & CAO.
- Make appropriate inquiries of management and the AVP & CAO to determine whether there are inappropriate scope or resource limitations.
The AVP & CAO will communicate and interact directly with the Board, including in executive sessions and between Board meetings as appropriate.
INDEPENDENCE AND OBJECTIVITY:
IUIA will remain free to conduct assurance and consulting services, including matters of audit selection, scope, procedures, frequency, timing, or report content, in a manner that maintains an independent and objective mental attitude.
Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, approve policies, develop procedures, install systems, prepare records, or engage in any other activity that may impair the internal auditor's judgment.
Internal auditors will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors will make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
The AVP & CAO will confirm to the Board, at least annually, the organizational independence of the internal audit activity.
The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the organization's governance, risk management, and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve the organization's stated goals and objectives. This includes:
- Evaluating risk exposure relating to achievement of the University's strategic objectives.
- Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
- Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the University.
- Evaluating the means of safeguarding University assets and, as appropriate, verifying the existence of such assets.
- Evaluating the effectiveness and efficiency with which resources are employed.
- Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals.
- Evaluating governance processes.
- Evaluating the effectiveness of the risk management processes.
- Reporting periodically on IUIA's purpose, authority, responsibility, and performance relative to its plan.
- Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the Board.
- Administering the whistleblower hotline policy and reporting web site, which includes coordinating the investigation of all reports submitted in a timely and discreet manner.
INTERNAL AUDIT PLAN:
At least annually, the AVP & CAO will submit to senior management and the Board an internal audit plan for review and approval. The internal audit plan will consist of a work schedule as well as budget and resource requirements for the next fiscal year. The AVP & CAO will communicate the impact of resource limitations and significant interim changes to senior management and the Board.
The internal audit plan will be developed based on a prioritization of the audit universe using a risk-based methodology, including input of senior management and the Board. The AVP & CAO will review and adjust the plan, as necessary, in response to changes in the organization's business, risks, operations, programs, systems, senior leadership and controls. Any significant deviation from the approved internal audit plan will be communicated to senior management and the Board through periodic activity reports.
REPORTING AND MONITORING:
A written report will be prepared and issued by the AVP & CAO or designee following the conclusion of each internal audit engagement and will be distributed as appropriate. Internal audit results will also be communicated to the Board. The internal audit report will include client/management's response and action plans taken or to be taken in regard to the specific findings and recommendations. Management's response should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented.
IUIA will be responsible for appropriate follow-up on engagement findings and recommendations. All significant findings will remain in an open issues file until cleared.
The AVP & CAO will periodically report to senior management and the Board on IUIA's performance relative to its plan. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the Board. The AVP & CAO will also report on instances of fraud or fiscal misconduct that may have a material financial, compliance or reputational impact on the University.
QUALITY ASSURANCE IMPROVEMENT PROGRAM:
IU Internal Audit will maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program will include an evaluation of the internal audit activity's conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement.
The AVP & CAO will communicate to senior management and the Board on the quality assurance and improvement program, including results of ongoing internal assessments and external assessments conducted at least every five years.
The IU Internal Audit Charter is hereby approved this 12th day of August, in the year 2016.