Internal Audit

Internal Audit Charter

Effective: October 15, 2021

I. Purpose and Mission

The purpose of the Office of Internal Audit is to provide independent, objective assurance and consulting services designed to add value and improve the university’s operations. The mission of the Office of Internal Audit is to enhance and protect the university’s value by providing stakeholders with risk-based, objective and reliable, assurance, advice, and insight. The Office of Internal Audit helps the university accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. 

II. Standards for the Professional Practice of Internal Auditing 

The Office of Internal Audit will govern itself by adherence to the mandatory elements of The Institute of Internal Auditors’ (IIA) International Professional Practices Framework, including the Definition of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing (Standards), and the Core Principles for the Professional Practice of Internal Auditing. This mandatory guidance constitutes the fundamental requirements for the professional practice of internal auditing and the principles against which to evaluate the effectiveness of the Office of Internal Audit’s performance.  

III. Authority

The Chief Audit Officer (CAO) will report functionally to the Audit, Risk and Compliance Committee (ARCC) and administratively (i.e., day-to-day operations) to the Chancellor. To establish, maintain, and assure that the Office of Internal Audit has sufficient authority to fulfill its duties, the ARCC will: 

  • Approve the Internal Audit Charter.
  • Approve the risk-based annual internal audit plan.
  • Receive communications from the CAO on performance relative to the plan and other matters.
  • Make appropriate inquiries of management and the CAO to determine whether there is inappropriate scope or resource limitations.
  • Consult with the Chancellor and approve decisions regarding the appointment, performance evaluation, and removal of the CAO.

 The Internal Audit Charter authorizes the Office of Internal Audit to:

  • Have unrestricted access to, and communicate and interact directly with, the Chancellor and the ARCC, including in private meetings without management present.  
  • Have full, free, and unrestricted access to all functions, systems, data, records, property, and personnel pertinent to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information.  
  • Have access to external persons and records as a result of all contracts or grants entered into by the university. 
  • Allocate resources, set frequencies, select subjects, determine scope of work, apply techniques required to accomplish audit objectives, and issue reports. 
  • Obtain assistance from the necessary personnel of the university, as well as other specialized services from within or outside the university, in order to complete the engagement.  

IV. Scope of Internal Audit Activities

The scope of internal audit activities encompasses, but is not limited to, objective examinations of evidence for the purpose of providing independent assessments to the Chancellor, the ARCC, and management, on the adequacy and effectiveness of governance, risk management, and control processes for the university. Internal audit assessments include evaluating whether: 

  • Risks relating to the achievement of the university’s strategic objectives are appropriately identified and managed. 
  • Risk management processes and internal control systems are adequate, effective, and efficient. 
  • The actions of the university’s officers, directors, employees, and contractors are in compliance with the university’s policies, procedures, and applicable laws, regulations, and governance standards. 
  • Operations or programs are being carried out efficiently and effectively.  
  • The results of operations or programs are consistent with established goals and objectives.  
  • Established processes and information systems enable compliance with the policies, procedures, laws, and regulations that could significantly impact the university.  
  • Information and the means used to identify, measure, analyze, classify, and report such information are reliable and have integrity.  
  • Resources and assets are acquired economically, used efficiently, and protected adequately. 

Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during engagements. These opportunities, and any other relevant matters, will be communicated to the appropriate level of management. 

The CAO also coordinates activities, where possible, and considers relying upon the work of other internal and external assurance and consulting service providers as needed. The Office of Internal Audit generally serves as liaison between university management and external auditors.  

The Office of Internal Audit may perform advisory and related client service activities, the nature and scope of which will be agreed with the client, provided the Office of Internal Audit does not assume management responsibility. 

V. Independence and Objectivity

The CAO will ensure that the Office of Internal Audit remains free from all conditions that threaten the ability of its employees to carry out their responsibilities in an unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and report content. If the CAO determines that independence or objectivity may be impaired in fact or appearance, the details of the impairment will be disclosed to appropriate parties.  

The CAO and staff of the Office of Internal Audit will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.  

The CAO and staff of the Office of Internal Audit will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgment, including:   

  • Assessing specific operations for which they had responsibility within the previous year. 
  • Performing any operational duties for the university or its affiliates. 
  • Initiating or approving accounting transactions external to the Office of Internal Audit. 
  • Directing the activities of any university employee not employed by the Office of Internal Audit, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the internal auditors. 

Therefore, the Office of Internal Audit will serve only in an advisory capacity regarding the matters listed above.  

Where the CAO has, or is expected to have, roles and/or responsibilities that fall outside of internal auditing, safeguards will be established to limit impairments to independence or objectivity. Safeguards to address potential impairments may include developing alternative processes to obtain assurance related to the areas of additional responsibility, either by assurance services performed by parties outside of the internal audit activity, when feasible, and at a minimum, the CAO will be recused of any oversight role for the assurance engagement.  

The CAO and staff of the Office of Internal Audit will:  

  • Disclose any impairment of independence or objectivity, in fact or appearance, to appropriate parties. 
  • Exhibit professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. 
  • Make balanced assessments of all available and relevant facts and circumstances. 
  • Take necessary precautions to avoid being unduly influenced by their own interests or by others in forming judgments. 

VI. Responsibilities

 1. Adhering to Ethics

The CAO has the responsibility to:

  • Ensure the principles of integrity, objectivity, confidentiality, and competency are applied and upheld.
  • Ensure conformance of the Office of Internal Audit with the Standards, with the following qualifications:  
    • If the Office of Internal Audit is prohibited by law or regulation from conformance with certain parts of the Standards, the CAO will ensure appropriate disclosures and will ensure conformance with all other parts of the Standards 
    • If the Standards are used in conjunction with requirements issued by the Institute of Internal Auditors, the CAO will ensure that the Office of Internal Audit conforms with the Standards, even if the Office of Internal Audit also conforms with the more restrictive requirements of the Institute of Internal Auditors.  
  • Ensure adherence to the university’s policies and procedures, unless such policies and procedures conflict with this Charter. Any such conflicts will be resolved or otherwise communicated to the Chancellor and the ARCC. 
  • Ensure adherence to the North Carolina Internal Audit Act (North Carolina General Statute 143, Article 79).

2. Performing a Risk Assessment and Creating the Audit Plan

The CAO has the responsibility to: 

  • Develop a flexible annual audit plan using an appropriate risk-based methodology, including any risks or control concerns identified by management and the ARCC.  
  • Submit, at least annually to the Chancellor and the ARCC, a risk-based internal audit plan for review and approval. 
  • Communicate to the Chancellor and the ARCC the impact of resource limitations on the internal audit plan.  
  • Review and adjust the internal audit plan, as necessary, in response to changes in the university’s business, risks, operations, programs, systems, and controls. 
  • Communicate to the Chancellor and the ARCC any significant interim changes to the internal audit plan.  
  • Ensure each engagement of the internal audit plan is executed, including the establishment of objectives and scope, the assignment of appropriate and adequately supervised resources, the documentation of work programs and testing results, and the communication of engagement results with applicable conclusions and recommendations to appropriate parties. 
  • Ensure emerging trends and successful practices in internal auditing are considered.  
  • Establish and ensure adherence to policies and procedures designed to guide the Office of Internal Audit. 
  • Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this Charter. 

3. Reporting

The CAO has the responsibility to: 

  • Report quarterly to the Chancellor, and to the ARCC, results of audit engagements, follow up engagements, and corrective actions that have not been effectively implemented. 
  • Report quarterly to the Chancellor, and to the ARCC, significant risk exposures and control issues, including fraud risks, governance issues, and other matters requiring the attention of, or requested by, the Chancellor and the ARCC.  
  • Report quarterly, or sooner if the need arises, any response to risk by management that may be unacceptable to the university.  
  • Communicate trends and emerging issues that could impact the university to the Chancellor, senior management, and the ARCC as appropriate.  
  • Disclose to the Chancellor and the ARCC any interference and related implications in determining the scope of internal auditing, performing work, and/or communicating results.  
  • Provide a mechanism for whistleblowing, including receiving, resolving, and retaining records of complaints.   
  • Assist and/or conduct the investigation of suspected inappropriate activities within the university in cooperation with General Counsel and other applicable campus units, notify the Chancellor and the ARCC of the results, and report as required to outside agencies.   
  • Report annually to the Chancellor and the ARCC regarding the Office of Internal Audit’s purpose, authority, and responsibility; the Office of Internal Audit’s audit plan and performance relative to its plan; and allocated resources. 
  • Confirm to the Chancellor and the ARCC, at least annually, the organizational independence of the Office of Internal Audit.  
  • Report periodically to the Chancellor and the ARCC regarding the Office of Internal Audit’s conformance with the IIA’s Code of Ethics and the Standards, and action plans to address any significant conformance issues. 

4. Maintaining a Quality Assurance and Improvement Program

The Office of Internal Audit will maintain a quality assurance and improvement program that covers all aspects of the Office of Internal Audit. The program will include an evaluation of the Office of Internal Audit’s conformance with the Standards and an evaluation of whether the CAO and staff of the Office of Internal Audit apply the IIA’s Code of Ethics. The program will also assess the efficiency and effectiveness of the Office of Internal Audit and identify opportunities for improvement.  

The CAO will communicate to the Chancellor and the ARCC on the Office of Internal Audit’s quality assurance and improvement program, including results of internal assessments (both ongoing and periodic) and external assessments conducted at least once every five years by a qualified, independent assessor or assessment team from outside the university.