Internal Audit

Audit, Risk and Compliance Committee Charter

Effective: October 15, 2021

I. Purpose

The purpose of the Audit, Risk and Compliance Committee (ARCC) is to assist the Board of Trustees in fulfilling its responsibilities related to:

  • Adequacy and effectiveness of systems of internal control
  • Integrity of the university’s financial statements and other financial reporting
  • Independence and performance of the external and internal audit functions
  • Sufficiency of the university’s process to manage enterprise risk, including business, legal, and financial risk
  • Adequacy of the university’s process to ensure regulatory compliance

The ARCC’s duties do not replace or duplicate established management responsibilities and delegations. Instead, the ARCC serves in an advisory capacity to guide the direction of management’s actions and sets broad policy for ensuring accurate financial reporting, sound risk management, and ethical behavior.  

II. Organization

1. Charter

At least annually, this charter shall be reviewed and reassessed by the Committee and any proposed changes shall be submitted to the Board of Trustees for approval.

2. Members

The ARCC shall be a standing committee of the Board of Trustees. The number of members is set within the Board of Trustees Procedural Policies. Each ARCC member must be independent of management of the university and free of any relationship that would impair such independence. Members may not receive consulting, advising or other fees from the university. If possible, at least one member should be a financial expert, and the other members should be able to understand financial information and statements. A financial expert is someone who has an understanding of generally accepted accounting principles and financial statements; experience in applying such principles; experience in preparing, auditing, analyzing or evaluating financial information; experience with internal controls and procedures for financial reporting; or an understanding of the audit, risk and compliance committee function. 

3. Meetings

The ARCC shall meet no fewer than four (4) times a year. The ARCC will invite members of management, auditors, university legal counsel, and others to attend the meetings and to provide pertinent information as requested. The ARCC may request to meet privately with the Chief Audit Officer (CAO) from the Office of Internal Audit. Minutes of the meetings shall be maintained.

III. Responsibilities

The ARCC's principal duties and responsibilities shall be the following:

1. Internal Controls

A. Monitor Controls

Monitor internal control systems at the university through reports of the activities of the internal and external auditors. Obtain assurance that the university is performing self-assessments of operating risks and evaluations of internal control on a regular basis.

B. Internal Control Review

Consider the adequacy and effectiveness of the university’s business, financial, and information systems controls. 

C. Whistleblowing Procedures

Oversee the university’s mechanisms for receiving, resolving, and retaining records of complaints. Receive briefings from management or the CAO regarding any significant complaints or misuse of State property.

2. Financial Reporting

A. External Communications

Receive the audit engagement letter and other significant audit related communications from the Office of the State Auditor and any other external auditors as applicable. The Office of the State Auditor will be directed to copy the ARCC on any such communications. 

B. Consultations with Auditors

Be available to meet with the State Auditor, his/her staff, and other external auditors for consultation purposes or to discuss judgments about the quality, not just the acceptability, of the university’s accounting principles and underlying estimates in its financial statements. 

C. Financial Reporting

Receive information on significant management initiatives involving financial reporting matters.

3. External and Internal Audit Functions

A. Internal Audit Operations

Review and approve the Internal Audit Charter, audit schedules, goals, annual audit plans, and resource plans. Confirm with the CAO efforts to coordinate the work of the Office of Internal Audit, the Office of the State Auditor, and other external auditors to ensure complete audit coverage, reduce duplication of work, and use audit resources effectively.

B. Audit Reports

Review internal audit reports and summaries of external and internal audit activities. Ensure that management is devoting adequate attention to issues raised.

C. Consultations with Auditors

Review and resolve any significant disagreement between management and the Office of the State Auditor, the Office of Internal Audit, or other external auditors in connection with the preparation of the financial statements or with other audits. 

D. Request of Audits and Other Reviews

Request supplemental reviews or other audit procedures by the Office of Internal Audit, the Office of the State Auditor, or other advisors. The university shall provide appropriate funding as determined by the ARCC for payment to advisors. 

E. Communication

Provide a direct channel of communication to the Board of Trustees for the Office of Internal Audit and the Office of the State Auditor.

F. Chief Audit Executive

Consult with the Chancellor and approve decisions regarding the appointment, performance evaluation, and removal of the CAO.

4. Enterprise Risk Management and Compliance

A. Risk Management

Annually review management’s processes with respect to enterprise risk management and meet with the individual(s) responsible for enterprise risk management as needed.

B. Compliance

Annually review management’s processes with respect to compliance and meet with the individual(s) responsible for compliance as needed.

C. Legal Matters

Consult with the General Counsel to review any risks and legal matters that may have a material impact on the university.

5. Information Technology

A. Information Technology Governance

Review and discuss audit activity related to information technology matters and address issues of importance in information technology governance at scheduled meetings. Request information and reporting related to the university's IT governance program, as needed. 

B. Information Security

Ensure that information security is addressed in the annual audit planning and risk assessments that are conducted by the Office of Internal Audit. Include, periodically, an agenda item for emerging information security matters at scheduled meetings. Receive a report, at least annually, on the university’s information security program and information technology security controls from the designated senior officer with information security responsibility.

The ARCC may modify or supplement these duties and responsibilities as needed.