Audit Charter
Introduction
The Internal Auditing Division (IAD) provides independent and objective assurance and consulting services to the University of Georgia (University) in order to add value and improve operations. The IAD activity helps the University accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, compliance, and internal control processes.
Role of the Internal Audit Function
IAD will provide internal audit services for the University. The Chief Audit Executive (CAE) shall have a direct reporting relationship to both the President of the University and to the Chief Audit Officer/Vice Chancellor of Internal Audit (CAO) of the University System of Georgia (USG) as required by Board of Regents (BOR) Policy Manual, Section 7.10.2. The President may designate additional administrative reporting relationships to facilitate day-to-day IAD operations. The CAE will report all appropriate audit issues and act under the authority of the President of the University and the USG.
Professionalism
IAD will govern itself by adherence to The Institute of Internal Auditors' mandatory guidance including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards).
IAD will also adhere to the Institute of Internal Auditors' Practice Advisories, Practice Guides, and Position Papers, as applicable, to guide operations. In addition, IAD will adhere to the University’s relevant policies and procedures and IAD’s standard operating procedures manual.
Authority
To the extent permitted by law, IAD has full access to all activities, records, properties, and personnel within the University of Georgia to the extent necessary for IAD to perform its duties. IAD is authorized to review and appraise all operations, policies, plans, and procedures to the extent necessary for IAD to perform its duties. Documents and other materials provided to IAD will be handled in the same prudent manner as handled by those employees normally accountable for them.
In performing its function, IAD has no direct responsibility or authority over any of the activities which it reviews. Therefore, the internal audit review and appraisal does not relieve other persons in the University of the responsibilities assigned to them.
Responsibility
1. The CAE has the responsibility to develop an institution-wide rolling audit plan using appropriate risk-based methodology, including input from senior management and the USG BOR. The President will review this annual plan and approve it before it is submitted to the CAO for approval by the BOR Committee on Internal Audit, Risk, and Compliance. At the discretion of the CAE, changes to the audit plan may be made throughout the year. Notice of significant changes shall be made to the President and the CAO.
2. The CAE is responsible for performing and/or providing functional coordination and guidance for the following institution-wide audit activities:
a. Implement the annual audit plan, as approved, including and as appropriate, any
special tasks or projects requested by the appropriate levels of management and approved
by the President and CAO.
b. Recruit, train, and maintain a professional audit staff with sufficient knowledge,
skills, experience, and professional certifications to meet the objectives of IAD.
To the extent that additional or expert/specialized skills are needed to supplement
the work, such activities may be co-sourced or out-sourced as necessary.
c. Establish a quality assurance and improvement program which assesses the effective
and efficient operations of IAD and identifies opportunities for improvement.
d. Evaluate and assess significant new or changing services, processes, operations,
and control processes coincident with their development, implementation, and/or expansion.
e. Analyze operational issues impacting enterprise-wide processes and organizational
areas.
f. Conduct follow-up reviews on previously reported recommendations.
g. Issue periodic reports to the President and CAO summarizing results of audit activities.
h. Make memorandum reports pursuant to BOR Policy to the CAO on issues of malfeasance.
i. Keep the President informed of emerging trends regarding risk management, internal
controls, and successful practices in internal auditing.
j. Co-Administer the University’s Compliance and Ethics Reporting Hotline.
k. Chair the University’s Triage Committee that addresses allegations of fraud, waste
and abuse.
3. IAD will operate independently of all University operational activities to assure
complete objectivity when conducting reviews and evaluations.
Definition of Audit Engagement Scope
The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the organization’s system of governance, risk management, compliance, internal control and the quality of performance in carrying out assigned responsibilities to achieve the organization’s objectives. The scope will vary by area and may include:
1. Review the effectiveness of governance processes to include the:
a. Promotion of ethical behavior within the organization;
b. Efficiency of organizational performance, management, and accountability;
c. Communication of risk and control information to appropriate areas of the organization; and
d. Coordination of activities and information among the BOR, external and internal auditors, and management.
2. Review the effectiveness of risk management processes to include the:
e. Alignment of organizational objectives in support of the University mission;
f. Identification and assessment of significant risks;
g. Alignment of risk responses with the University’s risk appetite; and,
h. Capturing and communication of relevant risk information across the USG and its institutions so as to enable staff, management, and BOR to carry out their responsibilities.
3. Review the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information.
4. Review the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations that could have a significant impact on operations and reports and whether the University is in compliance.
5. Review the means of safeguarding assets and, as appropriate, verify the existence of such assets.
6. Review and appraise the economy and efficiency with which resources are employed.
7. Review operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
8. Review the status of Enterprise Information Technology System policies and procedures, verifying that required hardware, software and process controls have been implemented and that the controls are functioning properly.
9. Conduct special audits at the request of institution’s management or the CAO.
10. Investigate reported occurrences of fraud, waste, and abuse and recommend controls to both prevent and detect such occurrences.
11. Provide consulting services at the request of institution management and with the CAO’s approval consistent with the Institute of Internal Auditors’ standards governing consulting engagements. Consulting engagements undertaken by IAD should have the potential to contribute to the improvement of governance, risk management, compliance, and/or internal controls within the University.
Reporting Procedures
IAD will request that the institutional areas receiving an internal audit report from IAD respond within 30 days. This response should indicate agreement or disagreement, proposed actions, and the dates for completion for each specific finding and recommendation. If a recommendation is not accepted, the reason should be given. A final written report will be prepared and issued by IAD.
Approved by Jere W. Morehead, President of the University of Georgia on March 27, 2017, and Terry Thompson, Vice Chancellor of Internal Audit and Chief Audit Officer of the Board of Regents, University System of Georgia on April 6, 2017.