Skip to header Skip to Content Skip to Footer

Uncw Internal Audit Charter

Office of Internal Audit

Below you will find more information about the Office of Internal Audit Internal Audit Charter.

Effective: February 6, 2025

  1. Purpose The purpose of the Office of Internal Audit is to strengthen the University of North Carolina Wilmington’s (University’s) ability to create, protect, and sustain value by providing the Board of Trustees (through the Audit, Risk and Compliance Committee), and management with independent, risk-based, and objective assurance, advice, insight, and foresight.The Office of Internal Audit enhances the University’s:

    • Successful achievement of its objectives.
    • Governance, risk management, and control processes.
    • Decision-making and oversight.

    The University’s internal audit function is most effective when:

    • Internal auditing is performed by competent professionals in conformance with the Institute of Internal Auditors (IIA) Global Internal Audit Standards, which are set in the public interest.
    • The internal audit function is independently positioned with direct accountability to the Audit, Risk and Compliance Committee (ARCC) of the Board of Trustees.
    • Internal auditors are free from undue influence and committed to making objective assessments.

  2. Standards for the Professional Practice of Internal Auditing The Office of Internal Audit will adhere to the mandatory elements of the IIA’s International Professional Practices Framework, which are the Global Internal Audit Standards and Topical Requirements. The Chief Audit Officer (CAO) will report periodically to the ARCC and senior management regarding the internal audit function’s conformance with the Standards, which will be assessed through a quality assurance and improvement program.

  3. Mandate and Authority The University of North Carolina Wilmington is required to establish a program of internal auditing pursuant to North Carolina General Statute (NCGS) 143-746. In addition, UNC Policy Manual 1300.7.1[R], Regulation Regarding Internal Audit Reporting Relationships at Constituent Institutions, requires all special constituent institutions to establish appropriate reporting lines for their respective internal audit functions.The University’s Office of Internal Audit shall be accountable to the Board of Trustees through the Audit, Risk and Compliance Committee (ARCC) and the University Chancellor.The authority of the Office of Internal Audit is created by its direct reporting relationship to the ARCC. The CAO reports functionally to the ARCC and administratively (i.e., day-to-day operations) to the Chancellor.The ARCC and Internal Audit Charter authorizes the Office of Internal Audit to:

    • Have unrestricted access to, and communicate and interact directly with, the Chancellor and the ARCC, including in private meetings without senior management present.
    • Have full, free, and unrestricted access to all functions, data, records, information, physical property, and personnel pertinent to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information.
    • Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques, and issue communications to accomplish audit objectives.
    • Obtain assistance from the necessary personnel of the University, as well as other specialized services from within or outside the University, to complete internal audit services.
    • Have access to external persons and records as a result of all contracts and grants entered into by the University.

  4. Independence, Organizational Position, and Reporting Relationships The Chief Audit Officer (CAO) will be positioned at a level in the organization that enables internal audit services and responsibilities to be performed without interference from management, thereby establishing the independence of the internal audit function.The CAO reports functionally to the ARCC and administratively (i.e., day-to-day operations) to the Chancellor. This positioning provides the organizational authority and status to bring matters directly to senior management and escalate matters to the ARCC, when necessary, without interference and supports the internal auditors’ ability to maintain objectivity.The CAO will confirm to the ARCC, at least annually, the organizational independence of the Office of Internal Audit. The CAO will disclose to the Chancellor and the ARCC any interference internal auditors encounter related to the scope, performance, or communication of internal audit work and results. The disclosure will include communicating the implications of such interference on the internal audit function’s effectiveness and ability to fulfill its mandate.

  5. Audit, Risk and Compliance Committee (ARCC) Oversight To establish, maintain, and ensure that the Office of Internal Audit has sufficient authority to fulfill its duties, the ARCC will:

    • Ensure the CAO has unrestricted access to and communicates and interacts directly with the ARCC, including in private meetings without senior management present.
    • Participate in discussions with the CAO and the Chancellor about the “essential conditions” described in the Global Internal Audit Standards, which establish the foundation that enables an effective internal audit function.
    • Review and approve the Internal Audit Charter, which includes the internal audit mandate and the scope and types of internal audit services.
    • Approve the annual risk-based internal audit plan and significant changes to the plan.
    • Receive communications from the CAO on the Office of Internal Audit’s performance relative to its plan and other matters.
    • Ensure a quality assurance and improvement program has been established and review the results annually.
    • Review the internal audit function’s performance objectives annually.
    • Make appropriate inquiries of senior management and the CAO to determine whether there are inappropriate scope or resource limitations that impede the ability of the internal audit function to execute its responsibilities.
    • Review and ensure the Office of Internal Audit has appropriate budget and staff resources.
    • Review and provide input to the Chancellor regarding the appointment, replacement, or dismissal of the CAO, including the CAO’s performance evaluation and remuneration.
    • Resolve disagreements between internal audit and management concerning audit findings and recommendations, audit scope, or other aspects of the internal audit activity.

  6. Scope and Types of Internal Audit Services The scope of internal audit services covers the entire breadth of the University, including all of the University’s activities, assets, information in any form, and personnel. The scope of internal audit activities encompasses, but is not limited to, objective examinations of evidence to provide independent assurance and advisory services to the Chancellor, the ARCC, and management on the adequacy and effectiveness of governance, risk management, and control processes for the University. Internal audit engagements may include evaluating whether:

    • Risks relating to the achievement of the University’s strategic objectives are appropriately identified and managed.
    • Risk management processes and internal control systems are adequate, effective, and efficient.
    • The actions of the University’s officers, directors, management, employees, and contractors or other relevant parties comply with the University’s policies, procedures, and applicable laws, regulations, and governance standards.
    • The results of operations and programs are consistent with established goals and objectives.
    • Operations and programs are being carried out effectively, efficiently, ethically, and equitably.
    • Established processes and systems enable compliance with the policies, procedures, laws, and regulations that could significantly impact the University.
    • The integrity of information and the means used to identify, measure, analyze, classify, and report such information is reliable.
    • Resources and assets are acquired economically, used efficiently and sustainably, and protected adequately.

    The Office of Internal Audit may perform advisory and related client service activities, the nature and scope of which will be agreed with the party requesting the service, provided the Office of Internal Audit does not assume management responsibility. Opportunities for improving the efficiency or effectiveness of governance, risk management, and control processes may be identified during advisory engagements. These opportunities will be communicated to the appropriate level of management.

  7. ObjectivityThe CAO will ensure that the Office of Internal Audit remains free from all conditions that threaten the ability of its employees to carry out their responsibilities in an unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and communication. If the CAO determines that independence or objectivity may be impaired in fact or appearance, the details of such actual or apparent impairment will be disclosed to appropriate parties.The CAO and staff of the Office of Internal Audit will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, do not compromise quality, and do not subordinate their judgment on audit matters to others, either in fact or appearance.The CAO and staff of the Office of Internal Audit will have no direct operational responsibility or authority over any of the activities they review. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in other activities that may impair their judgment, including:

    • Assessing specific operations for which they had responsibility within the previous year.
    • Performing operational duties for the University or its affiliates.
    • Initiating or approving transactions external to the Office of Internal Audit.
    • Directing the activities of any University employee not employed by the Office of Internal Audit, except to the extent that such employees have been appropriately assigned to internal audit teams or to otherwise assist the internal auditors.

    Therefore, the Office of Internal Audit will serve only in an advisory capacity regarding the matters listed above.Where the CAO has, or is expected to have, roles and/or responsibilities that fall outside of internal auditing, safeguards will be established to limit impairments to independence or objectivity. Safeguards to address potential impairments may include developing alternative processes to obtain assurance related to the areas of additional responsibility, either by assurance services performed by parties outside of the internal audit activity, when feasible, and at a minimum, the CAO will be recused of any oversight role for the assurance engagement.The CAO and staff of the Office of Internal Audit will:

    • Disclose any impairment of independence or objectivity, in fact or appearance, to appropriate parties.
    • Exhibit professional objectivity in gathering, evaluating, and communicating information.
    • Make balanced assessments of all available and relevant facts and circumstances.
    • Take necessary precautions to avoid conflicts of interest, bias, and undue influence.

  8. Chief Audit Officer Roles and Responsibilities

    1. Ethics and Professionalism

      The CAO will ensure that internal auditors:

      • Apply and uphold the principles of Ethics and Professionalism: integrity, objectivity, competency, due professional care, and confidentiality.
      • Understand, respect, meet, and contribute to the legitimate and ethical expectations of the University and be able to recognize conduct that is contrary to those expectations.
      • Encourage and promote an ethics-based culture in the University.
      • Report University behavior that is inconsistent with the University’s ethical expectations, as described in applicable policies and procedures.
      • Conform with the Global Internal Audit Standards, with the following qualifications:
        • If the Office of Internal Audit is prohibited by law or regulation from conformance with certain parts of the Standards, the CAO will ensure appropriate disclosures and will ensure conformance with all other parts of the Standards.
        • If the Standards are used in conjunction with requirements issued by the Institute of Internal Auditors, the CAO will ensure that the Office of Internal Audit conforms with the Standards, even if the Office of Internal Audit also conforms with the more restrictive requirements of the Institute of Internal Auditors.

    2. Managing the Internal Audit FunctionThe CAO has the responsibility to:

      • Develop a flexible annual internal audit plan, using an appropriate risk-based methodology, including any risk or control concerns identified by management and the ARCC.
      • Submit, at least annually to the Chancellor and the ARCC, a risk-based internal audit plan for review and approval.
      • Communicate to the Chancellor and the ARCC the impact of resource limitations on the internal audit plan.
      • Review and adjust the internal audit plan, as necessary, in response to changes in the University’s business, risks, operations, programs, systems, and controls.
      • Communicate to the Chancellor and the ARCC any significant interim changes to the internal audit plan.
      • Ensure internal audit engagements are performed, documented, and communicated in accordance with the Global Internal Audit Standards.
      • Consider emerging trends and successful practices in internal auditing.
      • Establish and ensure adherence to policies/procedures/methodologies designed to guide the Office of Internal Audit.
      • Ensure the Office of Internal Audit collectively possesses or obtains the knowledge, skills, and other competencies and qualifications needed to meet the requirements of the Global Internal Audit Standards and fulfill the internal audit mandate.
      • Ensure adherence to the University’s relevant policies and procedures, unless such policies and procedures conflict with this Charter or the Global Internal Audit Standards. Any such conflicts will be resolved or documented and communicated to the Chancellor and the ARCC.
      • Ensure adherence to the North Carolina Internal Audit Act (North Carolina General Statute 143, Article 79).
      • Provide a mechanism for whistleblowing, including receiving, resolving, and retaining records of complaints.
      • Assist and/or conduct the investigation of suspected inappropriate activities within the University in cooperation with General Counsel and other applicable campus units, notify the Chancellor and the ARCC of the results, and report as required to outside agencies.
      • Follow up on engagement findings and confirm the implementation of recommendations or action plans and communicate the results of internal audit services to the Chancellor and the ARCC periodically and for each engagement as appropriate.
      • Identify and consider trends and emerging issues that could impact the University and communicate to the Chancellor, senior management, and the ARCC as appropriate.
      • Coordinate activities, when possible, and consider relying upon the work of other internal and external providers of assurance and advisory services. If the CAO cannot achieve an appropriate level of coordination, the issue must be communicated to the Chancellor and if necessary escalated to the ARCC. The Office of Internal Audit generally serves as a liaison between University management and external auditors.

    3. Communication with the ARCC and Senior ManagementThe CAO will report periodically to the Chancellor and the ARCC regarding:

      • The internal audit function’s mandate.
      • The internal audit plan and performance relative to its plan.
      • Allocated resources, including the internal audit budget.
      • Significant revisions to the internal audit plan and budget.
      • Potential impairments to independence.
      • Results from the quality assurance and improvement program, including action plans to address any deficiencies and opportunities for improvement.
      • Significant risk exposures and control issues, including fraud risks, governance issues, and other matters requiring the attention of, or requested by, the Chancellor and the ARCC.
      • Results of audit engagements, advisory services, investigations, follow-up engagements, and corrective actions that have not been effectively implemented.
      • Resource requirements.
      • Any response to risk by management that may be unacceptable to the University.

    4. Quality Assurance and Improvement ProgramThe Office of Internal Audit will maintain a quality assurance and improvement program that covers all aspects of the Office of Internal Audit. The program will include external and internal assessments of the Office of Internal Audit’s conformance with the Global Internal Audit Standards, as well as performance measurement to assess the internal audit function’s progress toward the achievement of its objectives and promotion of continuous improvement. The assessment will include plans to address the internal audit function’s deficiencies and opportunities for improvement.Annually, the CAO will communicate to the Chancellor and the ARCC about the Office of Internal Audit’s quality assurance and improvement program, including the results of internal assessments (ongoing monitoring and periodic self-assessments) and external assessments. External assessments will be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the University; qualifications must include at least one assessor holding an active Certified Internal Auditor credential.