INTERNAL AUDIT CHARTER

MISSION:

The Office of Internal Audit is dedicated to enhancing and protecting organizational value by providing risk-based and objective assurance, advice, and insight.

PURPOSE:

The Office of Internal Audit provides independent, objective assurance and consulting services designed to add value and improve Governors State University’s (University) operations.  It helps the University accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The internal audit function is an integral part of the University’s internal control system; however, the internal audit review and appraisal process does not in any way relieve other University personnel of the responsibilities assigned to them.

PROFESSIONALISM:

The internal audit activity will govern itself by adherence to the Institute of Internal Auditors’ (IIA) mandatory guidance including the Core Principles for the Professional Practice of Internal Auditing, the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards).  This mandatory guidance constitutes the fundamental requirements for the professional practice of internal auditing and the principles against which to evaluate the effectiveness of the internal audit activities’ performance.

Core Principles for the Professional Practice of Internal Auditing (Core Principles):  The Core Principles are the key elements that describe internal audit effectiveness.  The Core Principles underpin the Code of Ethics and the Standards.  In adherence to the IIA’s Core Principles, the University’s internal audit function demonstrates integrity; demonstrates competence and due professional care; is objective and free from undue influence (independent); aligns with the strategies, objectives and risks of the University; is appropriately positioned and adequately resourced; demonstrates quality and continuous improvement; communicates effectively; provides risk-based assurance; is insightful, proactive, and future-focused; and promotes organizational improvement.

IIA’s Definition of Internal Auditing:  Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.  It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. 

Code of Ethics:  The Code of Ethics states the principles and expectations governing the behavior of individuals and organizations in the conduct of internal auditing.  It describes the minimum requirements for conduct, and behavioral expectations rather than specific activities.  The purpose of the IIA’s Code of Ethics is to promote an ethical culture in the profession of internal auditing.  Adherence to the IIA’s Code of Ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about governance, risk management, and control.  The University’s Chief Internal Auditor and the rest of the Office of Internal Audit staff (Internal Auditors) are expected to apply and uphold the principles of integrity, objectivity, confidentiality, and competency as well as the rules of conduct relating to these principles as set forth in the IIA’s Code of Ethics.

Professional Standards:  The Office of Internal Audit has the responsibility to carry out its duties in accordance with the State of Illinois’ Fiscal Control and Internal Auditing Act (FCIAA) (30 ILCS 10/).  FCIAA created the State Internal Audit Advisory Board (SIAAB) responsible for promulgating a uniform set of professional standards and a code of ethics to which all State internal auditors must adhere, serving as a clearinghouse for the correlation of internal audit training needs, and coordinating peer review activities among the State’s internal audit units (30 ILCS 10/2005).  SIAAB has adopted the IIA Standards for the practice of internal auditing in all State internal audit organizations.  Other professional standards may be followed by the Office of Internal Audit, where appropriate (e.g., IIA Implementation Guidance, IIA Supplemental Guidance, Government Auditing Standards, standards or guidance issued by the American Institute of Certified Public Accountants, among others).  All audit reports issued shall include a statement that the audit was conducted pursuant to the appropriate standards or disclose any non-conformance with standards, as required by SIAAB.

ORGANIZATION:

The University Chief Internal Auditor reports directly to the University President and the Board of Trustees (30 ILCS 10/2002), and administratively to the Vice President for Administration and Finance.  The Budget and Finance Committee of the University Board of Trustees maintains oversight of the internal audit function.

INDEPENDENCE AND OBJECTIVITY:

Internal Auditors shall have no direct operational responsibility or authority over any of the activities audited and shall remain free of influence on matters related to audit selection, scope, procedures, frequency, timing, and report content in order to permit maintenance of a necessary independent and objective mental attitude.  Accordingly, Internal Auditors will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activities that may impair their judgment. 

To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the Chief Internal Auditor shall have direct and unrestricted access to the University President and the Board of Trustees.

Internal Auditors will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.  Internal Auditors will make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.  Any conflicts of interest or impairments, whether in fact or appearance, must be disclosed to and discussed with appropriate parties and considered when making staff assignments.  Members of the Office of Internal Audit are required to sign an annual independence statement confirming their understanding of the independence requirements and disclosing potential or actual threats to independence and objectivity.

The Chief Internal Auditor will confirm to the University President and Board of Trustees, at least annually, the organizational independence of the internal audit function.

AUTHORITY:

The Office of Internal Audit, with strict accountability for confidentiality and safeguarding of records and information, is authorized full, free, and unrestricted access to any and all of the University’s records, physical properties, and personnel pertinent to carrying out any audit engagements.  All University employees are requested to assist the Office of Internal Audit in fulfilling its roles and responsibilities and in no way should the Office of Internal Audit be hindered in carrying out these duties as set forth.  No University official, administrator, or staff member may interfere with or prohibit the Office of Internal Audit from examining University records or interviewing any employees, as the Office of Internal Audit believes necessary to carry out its duties.  Any denial of these rights would be an impairment of the internal audit function’s independence and objectivity.

SCOPE:

The scope of internal audit activities encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the University’s governance, risk management, and internal control processes as well as the quality of performance in carrying out assigned responsibilities to achieve University goals and objectives.  The Office of Internal Audit shall determine the scope of internal audit work to be performed and communicate the results of the work without interference.  No function, activity, or division of the University is exempt from audit and review.

CONSULTING AND ADVISING:

The Office of Internal Audit may perform consulting services that are advisory in nature and are generally requested by University management and Board of Trustees.  These advisory services may range from ad-hoc advice regarding an item of concern to formal consulting engagements.  The nature and scope of consulting engagements will be agreed upon by the requestor and the Office of Internal Audit.  In performance of consulting and advisory services, Internal Auditors must maintain objectivity and will not assume management responsibility.  The Office of Internal Audit does not perform consulting services outside of the University.

OFFICE OF INTERNAL AUDIT RESPONSIBILITIES:

General

  • Determine that the University’s overall system of internal control and the controls in each departmental unit or activities under audit are adequate, effective, efficient and functioning by conducting audits on a periodic basis so that all major systems are reviewed.
  • Review the reliability and integrity of the accounting, financial, and operating information, and the means used to identify, measure, classify, and report such information.
  • Review the systems established to ensure compliance with policies, procedures, laws, and regulations, and University and employee compliance with such.
  • Review the means of safeguarding assets and, as necessary, verify their existence.
  • Review and appraise the efficiency and economy with which resources are employed.
  • Review operations and programs to ascertain whether the operations or programs are being carried out as planned.
  • Review management’s processes for identifying and managing risks.
  • Review management’s approach to promote an appropriate governance atmosphere.
  • Perform consulting and advisory services related to governance, risk management, and control as appropriate.
  • Report periodically to the University President and Board of Trustees on the internal audit activity’s purpose, authority, and responsibility (audit charter); the independence of the internal audit activity; the audit plan and progress against the plan; resource requirements; results of audit activities; conformance with the Code of Ethics and the Standards and action plans to address any significant conformance issues; and management’s response to risk that, in the Chief Internal Auditor’s judgment, may be unacceptable to the University.
  • Report to the University President and Board of Trustees any inappropriate scope or resource limitations in the performance of the internal audit function.
  • Report significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the University Board of Trustees.
  • Evaluate specific operations at the request of University management or Board of Trustees, as appropriate.
  • Assist in the University President’s evaluation of the University’s compliance with the required internal control systems and the related certification provided to the Office of the Auditor General in accordance with the FCIAA (30 ILCS 10/Article 3).
  • Consider the scope of work of external auditors and regulators, as appropriate, for the purpose of reducing duplication of audit and providing optimal audit coverage to the University.
  • Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications; and maintain an adequate training program in order to meet the requirements of this Charter and the qualifications defined in the FCIAA.
  • When necessary, the Chief Internal Auditor shall have the authority to employ the services of a consultant in order to acquire appropriate audit expertise.

Audit Planning

Annually, prior to July 1, the Chief Internal Auditor shall submit to the University President for review and approval a two-year audit plan identifying internal audits and activities scheduled for the forthcoming fiscal years.  The audit plan will be based on a University-wide risk assessment that will seek inputs from University management and various units/functional areas.  In addition, FCIAA-required audits and activities will be scheduled to achieve compliance with the State requirements.

Adjustments to the audit plan can be made by the Chief Internal Auditor, as necessary, in response to unforeseen circumstances; changes in the University’s risks, operations, programs, systems, and controls; or at the request of management, University President, or the Board of Trustees.  Any significant changes to the approved annual internal audit plan will be presented to the University President and Board of Trustees for review and approval, as deemed necessary.

Audit Process

The Office of Internal Audit will follow an established, consistent, and effective audit process that includes, but is not limited to:

  • Adequate planning of the audit project including a preliminary assessment of risks.
  • Communication with management and auditees on areas of concern, audit coverage, and expectations.
  • Establishment of relative audit objectives, scope, and audit procedures, and the related communication to auditees.
  • Adequate documentation supporting the audit procedures performed, the results of testing, analyses, and conclusions.
  • A written report of the Office of Internal Audit’s evaluation of the risks and controls, including the results of testing, exceptions noted, weaknesses identified, and recommendations.
  • Review of management responses and corrective action plans to findings and recommendations.
  • Follow-up to determine the implementation status of corrective action plans.

Internal audit reports are confidential information and are exempt from disclosure under the Freedom of Information Act (5 ILCS 140/7(m)).  Internal audit reports should not be released outside of the University without written consent of the Chief Internal Auditor or University President.

Internal Auditors will be alert for indicators of fraud when performing their duties and, if identified, the Chief Internal Auditor will notify the University’s General Counsel of the situation.  As appropriate, a complaint will be filed with the Illinois Office of the Executive Inspector General for investigation.

Potential issues that arise during the course of an audit will be discussed with the appropriate level of management to ensure accuracy of the Office of Internal Audit’s understanding of the situation and to inform management of concerns identified. 

Audit Reporting

By September 30 of each year, the Chief Internal Auditor will submit to the University President a written report detailing how the audit plan for the prior fiscal year was carried out, the significant findings, and the extent to which recommended changes were implemented (30 ILCS 10/2003).  Information in this annual internal audit report will also be presented to the University Board of Trustees.

MANAGEMENT RESPONSIBILITIES:

Management is responsible for establishing and maintaining an effective system of internal control, including proper accounting records and other management information.

University management, Board of Trustees, and University President all play an important role in the success of an internal audit function and are responsible for ensuring that the Office of Internal Audit receives:

  • The cooperation and support of management;
  • Adequate resources to maintain a full-time program of internal auditing;
  • Assistance from appropriate personnel in acquiring records, documents, and files;
  • Adequate consideration of audit reports and recommendations, and appropriate action as necessary;
  • Direct access and freedom to report to senior management;
  • Responses to requests in a timely manner.

QUALITY ASSURANCE:

The Office of Internal Audit will schedule and complete quality assurance reviews in accordance with the IIA Standards.  Results of the quality assurance reviews will be communicated by the Chief Internal Auditor to senior management and Board of Trustees.

To ensure Internal Auditors maintain and improve their technical competence, IIA Standards and the SIAAB require auditors to obtain 80 hours of continuing professional education in a two-year cycle (two consecutive, non-rolling calendar years).  At least 20 of the 80 hours should be completed in any one year of the two-year period, and at least 24 of the 80 hours must be governmental related.  Internal Auditors shall maintain memberships in and attend meetings of professional organizations that serve to promote the practice of internal auditing and related fields.

Original Charter Approved by the Board of Trustees February 15, 2008
Revision Approved by the Board of Trustees December 9, 2016