ROWAN UNIVERSITY POLICY
Title: Internal Audit
Subject: Governance
Policy No: IA: 2015:02
Applies: University-Wide
Issuing Authority: President
Responsible Officer: General Counsel
Adopted: 1/27/15
Last Revision: May 26, 2022
Last Reviewed: March 14, 2024
I. PURPOSE
To outline the roles, authority and responsibilities of the Office of Internal Audit and those of the management whose schools, departments and divisions are audited.
II. ACCOUNTABILITY
Under the direction of the Audit Committee of the Board of Trustees, the President and General Counsel, the Chief Internal Auditor shall ensure compliance with and implement this policy, which has been approved by the Audit Committee.
Ill. APPLICABILITY
This policy applies to all full-time, part-time, permanent, temporary and uncompensated employees, faculty, staff, officers, volunteers, and student employees.
IV. AUDITING STANDARDS
The Internal Audit department performs audits in accordance with the auditing standards of The Institute of Internal Auditors (IIA). The International Professional Practices Framework (IPPF)® is the conceptual framework that organizes authoritative guidance promulgated by the IlA. A trustworthy, global, guidance-setting body, The IlA provides internal audit professionals worldwide with authoritative guidance organized in the IPPF as mandatory guidance and strongly recommended guidance. Conformance with the principles set forth in mandatory guidance is required and essential for the professional practice of internal auditing.
V. DEFINITION
The Institute of Internal Auditors offers the following definition of Internal Auditing that states the fundamental purpose, nature, and scope of internal auditing:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
VI. POLICY
The University has an Internal Audit department to provide an independent and objective assurance service that will add value and improve operations through improved controls and efficiencies. Internal audit reviews are intended to assist the University in determining the adequacy and effectiveness of internal controls, adherence with applicable laws and regulations, and reliability of financial reporting. A well designed internal audit function will help the University accomplish its objectives by applying a systematic, disciplined approach to evaluate and assess the effectiveness of risk management, control and governance processes.
The Chief Internal Auditor and internal auditors must be independent in appearance as well as in fact. For this reason, they report directly to both the Chair of the Audit Committee of the Board of Trustees and to the University President and General Counsel. These reporting relationships ensure the independence of the Internal Audit function and the adequate consideration of Internal Audit findings and recommendations
Internal auditors will not be responsible for developing or implementing procedures, preparing records, or engaging in any activity which they would normally review and evaluate, since doing so could reasonably be construed as making them responsible for what they are auditing and thereby compromising their independence. In this regard, Internal Audit personnel are not to be used as accounting, finance or information systems staff. Internal Audit has neither direct responsibility for, nor authority over, the operations or activities that are reviewed.
The auditors do not make operating decisions, and do not have the authority to direct activities, including implementation of corrective actions. These activities and tasks remain the responsibility of management.
Internal Audit is authorized to obtain the necessary assistance of personnel of the University unit where they perform audits, as well as specialized services from inside or outside of the organization.
The scope of the Internal Audit activity is intended to determine whether the organization's activities of risk management, control, and governance, as represented by management, are adequate and functioning as designed. The internal audit activity, with strict accountability for confidentiality and safeguarding records and information, is authorized full, free, and unrestricted access to any and all of Rowan University records, physical properties, and personnel pertinent to carrying out any engagement. All employees are requested to assist the internal audit activity in fulfilling its roles and responsibilities. While the Internal Auditors have free and unrestricted access to senior management and the Board, they will attempt to resolve any issues related to a perceived limitation of scope through General Counsel.
Internal auditors will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors will make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
Management's Responsibility
Notify Internal Audit when changes to applications and systems are being planned that may ultimately affect data that are used in financial reporting systems.
Provide sufficient staffing and other resources as needed, including specialized technical staffing, to support Internal Audit during an engagement.
Provide a timely response to the auditor's findings and recommendations, including an achievable management action plan, within ten business days from the receipt of the draft audit report.
Promptly assign department responsibility for ensuring the management action plan is implemented and appropriate follow-up action is completed.
Respond promptly to Internal Audit's requests for status reports and updates, and attend meetings of the Audit Committee when the audit report is being considered.
VII. ATTACHMENTS
A. Attachment 1, Responsibilities of the Chief Internal Auditor
B. Attachment 2, The Internal Audit Process
ATTACHMENT 1
RESPONSIBILITIES OF THE CHIEF INTERNAL AUDITOR
- Review, with General Counsel, the President and the Audit Committee, the Internal Audit Policy, the Annual Audit Plan, other activities, staffing and organizational structure of the internal audit function.
- Provide assessments for the entity under review on the adequacy and effectiveness of processes for controlling its activities and managing its risks to ensure controls are effective and functioning as intended.
- Inform and advise the audit committee and management of all audit findings with recommendations for appropriate corrective measures.
- Provide the Audit Committee, Senior Management and auditees with an overall assessment of financial, operational, compliance and information technology controls necessary to minimize the risk of material loss and meet the University's functional objectives.
- Conduct follow-up inquiries (informal) and reviews (formal) as appropriate to ensure satisfactory actions are taken by management to resolve significant audit findings.
- Provide periodic updates to the Audit Committee on the status of engagements contained in the Annual Audit Plan, including any findings warranting the attention of the Audit Committee.
- Coordinate Internal Audit activities with other control and monitoring functions (compliance, ethics, risk management, security, legal, and external audit firms) to best achieve the objectives of the internal audit function, as well as the objectives of the University. This includes, where appropriate, coordination with and assistance to the independent public accounting firms.
- Lead or assist in the investigation of significant suspected fraudulent activities and notify executive management and the Audit Committee of the results
- Maintain a professional audit staff with sufficient knowledge, skills, experience, training and professional certifications to meet the requirements of this charter. Periodically assess the overall effectiveness of department training program.
- Keep the Audit Committee and senior leaders informed of emerging trends and successful best practices in internal auditing.
Communicate periodically with General Counsel, the President and the Audit Committee on the internal audit activity's purpose, authority, responsibility, and performance relative to planned audit activities. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board. The frequency and content of reporting are determined in discussion with General Counsel, the President and the Audit Committee and depend on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management or the board.
ATTACHMENT 2
THE INTERNAL AUDIT PROCESS
A. Audit Process
- Internal Audit will prepare and send an "Engagement Letter" describing the purpose, scope and timing of the audit to the head of the department, school or college to be audited and schedule an Entrance Conference to discuss the purpose and scope of the upcoming audit. During the initial meeting, the auditors will discuss the audit process and present a preliminary request for documents to examine as the audit commences. Because internal audits are designed to be a highly interactive process, the audit staff will be talking directly to managers and staff asking for additional documents as needed.
- During the course of the engagement, audit staff will perform specific audit procedures and discuss preliminary findings with management to validate the auditors' understanding, to solicit management's input on interpretation and remediation, and to facilitate early corrective action. The early communication of any issues will hopefully allow management time to begin thinking about how the department may address the issues. Candid feedback is important in reaching a consensus on any recommendations and to implement changes in processes, policies and procedures.
- Draft reports, including, Audit Summary Reports, as requested by the Audit Committee, will be discussed with management during an Exit Conference. These reports address Internal Audit's assessment of internal controls, audit findings, and the status of the audit follow-up process. Management will be asked to provide a written response to the recommendations offered in the draft report that includes a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented, within ten (10) days of the meeting.
- Management's responses will be incorporated into the draft audit report, and a final report and audit summary reports will be issued by Internal Audit to management and, as appropriate, to senior level executives. Internal audit results are communicated to the Audit Committee of the Board and the President of the University.
- All significant findings will remain in an open issues file until cleared. Internal Audit will follow up with management on the status of management's implementation of any corrective action and will communicate the status to the Audit Committee and the President of the University.
B. Scope of Activity
The scope of the internal audit activity is intended to determine whether the organization's activities of risk management, control, and governance, as designed and represented by management, are adequate and functioning in a manner to ensure that:
- Risks are appropriately identified and managed by management through an effective internal controls environment at a reasonable cost.
- Significant financial, mission, managerial and operating information is accurate, reliable and timely.
- Employee actions are in compliance with established policies, procedures, governmental regulations and contractual obligations in support of the Compliance Program.
- Personnel and the organization are upholding the principles and standards included in the Code of Conduct/Statement of Principles.
- Resources are acquired economically, used efficiently, and adequately protected in accordance with University policies and procedures.
- Programs, plans, and objectives are achieved; quality and continuous improvement are fostered in control processes; significant legislative or regulatory issues impacting each organization are recognized and addressed properly.
C. Assessment of the Control Environment
In assessing the control environment, Internal Audit will consider:
1. The condition of the system of internal controls and quality of operations.
2. The criticality of area to the organization/business.
3. Inherent business risks.
4. Staffing levels and experience.
5. The adequacy of management supervision and cognizance of controls.
6. The unit/department's audit history and criticality and severity of audit findings, if any.
7. Resolution of previous audit recommendations.
8. Compensating controls.