The State Board of Regents provides governance and oversight to the university, but they have delegated their authority of developing policies and maintaining the control environment to the President. In turn, the President has delegated the authority of implementing policies and managing the control environment to the colleges and departments. The Office of Internal Audit does not have the authority or responsibility for writing policies or maintaining the control environment, but rather is responsible for monitoring the effectiveness of the university’s processes and control environment.
The Office of Internal Audit reports administratively through the Office of the President. All employees (other than the Chief Audit Executive) are University of Iowa employees. As a result, the Office of Internal Audit reports functionally to the President. In order to ensure its independence, the Chief Audit Executive administratively reports to the Executive Director of the Board Office and functionally to the Audit and Compliance Committee.
The State Board of Regents has approved the Internal Audit Charter, which clearly defines Internal Audit's role and authority within the institution.
Internal Audit Charter
Approved by the State Board of Regents – September 18, 2019
Mission and Scope of Work
The mission of Internal Audit is to provide independent, objective assurance and consulting services designed to add value to and strengthen the management of the Board of Regents and its institutions. Bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes, Internal Audit helps the organization achieve its objectives.
The scope of work of Internal Audit encompasses, but is not limited to the examination and evaluation of the adequacy and effectiveness of the organization's risk management, internal controls, and governance processes, as designed and represented by management in a manner to ensure:
- Risks are appropriately identified and managed.
- Interaction with the various governance groups occurs as needed.
- Significant financial, managerial, and operating information is accurate, reliable, and timely.
- Operations are in compliance with policies, standards, procedures, and applicable laws and regulations.
- Resources are acquired economically, used efficiently, and adequately protected.
- Programs, plans, and objectives are achieved.
- Quality and continuous improvement are fostered in the organization’s control process.
- Significant legislative or regulatory issues impacting the organization are recognized and addressed properly.
The Chief Audit Executive is appointed by the Board of Regents (BOR) and reports functionally to the Audit and Compliance Committee and administratively to the Executive Director of the BOR Office. University Internal Audit personnel report directly to the Chief Audit Executive and indirectly to their respective university presidents. Audit activities and reports are communicated to the university presidents and the BOR. This reporting relationship promotes independence and provides adequate consideration of audit issues, recommendations, and management action plans.
The internal audit activity will remain free from interference by any element in the organization, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independence as required by internal audit professional standards.
The Chief Audit Executive and staff should have an impartial, unbiased attitude and avoid conflicts of interest, as well as be independent in fact and appearance.
The Chief Audit Executive shall be accountable to the Audit and Compliance Committee and presidents at the universities to:
- Report significant issues related to the processes for controlling the activities of the organizations and its affiliates, including potential improvements to those processes, and provide information concerning such issues through resolution.
- Provide information periodically on the status and results of the annual audit plan and the sufficiency of internal audit resources.
The Chief Audit Executive and staff of Internal Audit have responsibility to:
- Develop a flexible annual audit plan using appropriate risk-based methodology, including any risks or control concerns identified by management, and submit that plan to the BOR for review and approval.
- Implement the annual audit plan, as approved, including, and as appropriate, any special tasks or projects requested by management and the BOR.
- Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this Charter.
- Establish a quality assurance program by which the Chief Audit Executive assures the operation of internal auditing activities.
- Evaluate and assess new or changing services, processes, operations, and controls concurrent with their development, implementation, and/or expansion.
- Perform consulting services, beyond internal auditing's assurance services, to assist management in meeting its objectives. Examples may include facilitation, process design, training, and advisory services.
- Issue periodic reports to the BOR and management summarizing results of audit activities.
- Inform the BOR of emerging trends and successful practices in internal auditing.
- Provide a list of significant measurement goals and results to the BOR.
- Assist in the investigation of significant suspected fraudulent activities within the organization and notify management and the BOR of the results.
- Consider the scope of work of the external auditors and regulators, as appropriate, for the purpose of providing optimal audit coverage to the organization.
The Chief Audit Executive and staff of Internal Audit are authorized to:
- Have unrestricted access to all functions, records, property, and personnel.
- Have full and free access to the BOR.
- Allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish audit objectives.
- Obtain the necessary assistance of personnel in units of the organization where they perform audits, as well as other specialized services from within or outside the organizations.
The Chief Audit Executive and staff of Internal Audit are not authorized to:
- Perform any operational duties for the organization or its affiliates.
- Initiate or approve financial transactions external to Internal Audit.
- Direct the activities of any organization employee not employed by Internal Audit, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the internal auditors.
Limitation of Authority and Responsibility
In performing their functions, the Chief Audit Executive and staff have no direct authority over, or responsibility for, any of the activities reviewed. Internal auditors will not develop and implement procedures, prepare records, make management decisions, or engage in any other activity which could be reasonably construed to compromise their independence. Therefore, review and appraisal by Internal Audit do not in any way substitute for or relieve other persons in the Regent institutions of the responsibilities assigned to them.
Standards of Audit Practice
Audit activities will be performed in accordance with the International Standards for the Professional Practice of Internal Auditing and the Code of Ethics of The Institute of Internal Auditors.