The Office of Internal Audit Charter outlines the purpose, authority, independence, responsibilities, audit standards and ethics followed by the department.
WASHINGTON UNIVERSITY in ST. LOUIS
INTERNAL AUDIT DEPARTMENT
I. Purpose and Mission
The purpose of the Internal Audit department at Washington University in St. Louis (University) is to provide independent, objective assurance and consulting services designed to add value and improve the University’s operations. The mission of internal audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. The Internal Audit department helps the University accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, compliance, and governance processes.
The Internal Audit department is established as a service to management and the Audit Committee of the Board of Trustees. It is the policy of the University to maintain an internal audit function as an integral component of the internal control environment. This charter sets forth the purpose, authority, and responsibilities which enable the Internal Audit department to continually meet the expectations of the University and its Audit Committee.
II. Standards for the Professional Practice of Internal Auditing
The Internal Audit department will govern itself by adherence to the mandatory elements of The Institute of Internal Auditors’ International Professional Practices Framework, including the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing. The chief audit executive will report periodically to senior management and the Audit Committee regarding the Internal Audit department’s conformance to the Code of Ethics and the Standards.
The chief audit executive will report functionally to the Audit Committee of the Board of Trustees and administratively to the Chancellor of the University. To establish, maintain, and assure that the University’s Internal Audit department has sufficient authority to fulfill its duties, the Audit Committee will:
- Approve the Internal Audit department’s charter
- Approve the risk-based internal audit plan
- Approve the Internal Audit department’s budget and resource plan
- Receive communications from the chief audit executive on the Internal Audit department’s performance relative to its plan and other matters
- Approve decisions regarding the appointment and removal of the chief audit executive
- Approve the remuneration of the chief audit executive
- Make appropriate inquires of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations
The chief audit executive will have unrestricted access to, and communicate and interact directly with, the Audit Committee, including in private meetings without management present. The Audit Committee authorizes the Internal Audit department to:
- Have full, free, and unrestricted access to all functions, records, property, and personnel pertinent to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information
- Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques required to accomplish audit objectives, and issue reports
- Obtain assistance from necessary personnel, as well as other specialized services from within or outside the University, in order to complete the engagement.
IV. Independence and Objectivity
The chief audit executive will ensure that the Internal Audit department remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and report content. If the chief audit executive determines that independence or objectivity may be impaired in fact or appearance, the details of the impairment will be disclosed to the appropriate parties.
Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.
Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, internal auditors will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgment.
The chief audit executive will confirm to the Audit Committee, at least annually, the organizational independence of the Internal Audit department and will disclose to the Audit Committee any interference and related implications in determining the scope of internal auditing, performing work, and/or communicating results.
V. Scope of Internal Audit Activities
The scope of internal audit activities encompasses, but is not limited to, objective examinations of evidence for the purpose of providing independent assessments to the Audit Committee, management, and outside parties on the adequacy and effectiveness of governance, risk management, and control processes. Internal Audit assessments include evaluating whether:
- Risks related to the achievement of strategic objectives are appropriately identified and managed
- The actions of officers, directors, employees, and contractors are in compliance with policies, procedures, and applicable laws, regulations, and governance standards
- The results of operations or programs are consistent with established goals and objectives
- Operations or programs are currently operating effectively and efficiently
- Established processes and systems enable compliance with the policies, procedures, laws, and regulations that could significantly impact the University
- Information and the means used to identify, measure, analyze, classify, and report such information are reliable and have integrity
- Resources and assets are acquired economically, used efficiently, and protected adequately.
The chief audit executive will report periodically to senior management and the Audit Committee regarding:
- The Internal Audit department’s purpose, authority, and responsibility
- The Internal Audit department’s annual internal audit plan and performance relative to its plan
- The Internal Audit department’s conformance with The IIA’s Code of Ethics and Standards, and action plans to address any significant conformance issues
- Significant risk exposures and control issues, including fraud risks, governance issues, and other matters requiring the attention of, or requested by, the Audit Committee
- Results of audit engagements or other activities
- Resource requirements
- Any response to risk by management that may be unacceptable to the University.
The chief audit executive also coordinates activities, where possible, and considers relying upon the work of other internal and external assurance and consulting service providers as needed. The Internal Audit department may perform advisory and related client service activities, the nature and scope of which will be agreed with the client, provided the Internal Audit department does not assume management responsibility.
Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during engagements. These opportunities will be communicated to the appropriate level of management.
The chief audit executive has the responsibility to:
- Develop, submit to senior management and the Audit Committee for approval, at least annually, and implement a flexible internal audit plan using appropriate risk-based methodology, including any risks or control concerns identified by management
- Communicate to senior management and the Audit Committee the impact of resource limitations on the internal audit plan
- Review and adjust the internal audit plan, as necessary, in response to changes in the University’s business, risks, operations, programs, systems, and controls
- Communicate to senior management and the Audit Committee any significant interim changes to the internal audit plan
- Ensure each engagement of the internal audit plan is executed, including the establishment of objectives and scope, the assignment of appropriate and adequately supervised resources, documentation of work programs and testing results, and communication of engagement results with applicable conclusions and recommendations to appropriate parties
- Follow up on engagement findings and corrective actions, and report periodically to senior management and the Audit Committee those that were not effectively implemented
- Ensure that the principles of integrity, objectivity, confidentiality, and competency are applied and upheld
- Ensure that the Internal Audit department collectively possesses or obtains the knowledge, skills, and other competencies needed to meet the requirements of the Internal Audit charter
- Ensure trends and emerging issues that could impact the University are considered and communicated to senior management and the Audit Committee as appropriate
- Ensure emerging trends and successful practices are considered
- Establish and ensure adherence to policies and procedures designed to guide the Internal Audit department’s activity
- Ensure adherence to the University’s relevant policies and procedures, unless they conflict with the Internal Audit charter, in which case such conflicts will be resolved or otherwise communicated to senior management and the Audit Committee.
VII. Quality Assurance and Improvement Program
The Internal Audit department will maintain a quality assurance and improvement program that covers all aspects of the Internal Audit department. The program will include an evaluation of the Internal Audit department’s conformance with the Standards and an evaluation of whether internal auditors apply The IIA’s Code of Ethics. The program will also assess the efficiency and effectiveness of the Internal Audit department and identify opportunities for improvement.
The chief audit executive will communicate to senior management and the Audit Committee on the Internal Audit department’s quality assurance and improvement program, including results of internal assessments (both ongoing and periodic) and external assessments conducted at least once every five years by a qualified, independent assessor or assessment team from outside the University.