7.1.3 Internal Auditing Charter

Purpose

The purpose of the internal audit function is to strengthen Illinois State University's ability to create, protect, and sustain value by providing management and the Board of Trustees with independent, risk-based, and objective assurance, advice, insight and foresight. 

The internal audit function enhances Illinois State University's: 

• Successful achievement of its objectives.
• Governance, risk-management, and control processes.
• Decision-making and oversight.
• Reputation and credibility with its stakeholders.
• Ability to serve the public interest. 

Illinois State University's internal audit function is most effective when: 

• Internal auditing is performed by competent professionals in conformance with the Institute of Internal Auditor's Global Internal Audit Standards™,  which are set in public interest. 
• The internal audit function is independently positioned with direct accountability to the Board of Trustees. 
• Internal auditors are free from undue influence and committed to making objective assessments. 

Commitment to Adhering to the Global Internal Audit Standards

Illinois State University's internal audit function will adhere to the mandatory elements of The Institute of Internal Auditor's International Professional Practices Framework, which are the Global Internal Audit Standards and Topical Requirements. The chief audit executive, Director of Internal Audit, will report annually to the Board of Trustees' Audit Committee, the President, and senior management regarding the internal audit function's conformance with the Standards, which will be assessed through quality assurance and improvement program.  Internal Audit may report that its operations are conducted in conformance with the International Standards for the Professional Practice of Internal Auditing, only if the results of the quality assurance  and improvement program support the statement. 

Mandate

The Fiscal Control and Internal Auditing Act (30 ILCS 10/) is the State law that provides guidance for the internal audit activities of state agencies.  The Act states the Chief Executive Officer, University President, is responsible for the establishment, maintenance, and evaluation of an agency's system of internal controls.  Illinois State University is required to maintain a full-time program of internal auditing and the President is responsible for the development and implementation for this program of internal auditing.  The President has delegated the chief audit executive duties to the Director of Internal Audit, to establish and direct the overall internal audit function of the University.  This charter constitutes these guidelines and as a Policy of the University, the charter will be approved by the President and communicated to the Board of Trustees as developed and amended. 

Under the University's Board of Trustees Governing documents, the Board of Trustees has delegated responsibility for the administration and management of the University to the President.  The Governing documents further state the Director of Internal Audit shall report directly to the President with access to the Board and that the duties of the Director of Internal Audit are prescribed by the Internal Auditing Charter.  Additionally, the Governing documents states that the Audit Committee shall provide general oversight of external and internal auditing functions of the University, review the nature of any significant accounting and/or auditing problems, and make recommendations for changes to improve any practice or function under the Committee's purview. 

Authority

The internal audit function is implemented by the Director of Internal Audit's authority which is created by its direct reporting relationship to the Board of Trustees.  Such authority allows for unrestricted access to the Board of Trustees and the Audit Committee.  Illinois State University's President, through the Board of Trustees, grants the internal audit function the mandate to provide the Board and senior management with objective assurance, advice, insight, and foresight. 

The President and the Board authorizes the internal audit function to: 

• Have full and unrestricted access to all functions, data, records, information, physical property, and personnel pertinent to carrying out internal audit responsibilities.  Internal auditors are accountable for confidentiality and safeguarding records and information. 
• Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques, and issue communications to accomplish the function's objectives.
• Obtain assistance from the necessary personnel of Illinois State University and other specialized services from within or outside Illinois State University to complete internal audit services.

Independence, Organizational Position, and Reporting Relationships

The Director of Internal Audit is positioned at a level in the organization that enables internal audit services and responsibilities to be performed without interference from management, thereby establishing the independence of the internal audit function.  The Director of Internal Audit will report functionally to the Board of Trustees and administratively, for day-to-day operations, to the University President.  This positioning provides the organizational authority and status to bring matters directly to senior management and escalate matters to the Board, when necessary, without interference and supports the internal auditors' ability to maintain objectivity. 

The Director of Internal Audit will confirm to the Audit Committee, at least annually, the organizational independence of the internal audit function.  If the governance structure does not support organizational independence of the internal audit function.  If the governance structure does not support organizational independence, the Director of Internal Audit will document the characteristics of the governance structure limiting independence and any safeguards employed to achieve the principle of independence.  The Director of Internal Audit will disclose to the Audit Committee any interference internal auditors encounter related to the scope, performance, or communication of internal audit work and results.  The disclosure will include communicating the implications of such interference on the internal audit function's effectiveness and ability to fulfill its mandate.  The Director of Internal Audit also serves as the University Ethics Officer as as previously noted has a functional reporting line to the Board. 

Changes to the Mandate and Charter

Circumstances may justify a follow-up discussion between the Director of Internal Audit, Audit Committee, and senior management on the internal audit mandate or other aspects of the internal audit charter.  Such circumstances may include but are not limited to:

• A significant change in the Global Internal Audit Standards.
• A significant acquisition or reorganization within the organization.
• Significant changes in the Director of Internal Audit, Board, and/or senior management.
• Significant changes to the organization's strategies, objectives, risk profile, or the environment in which the organization operates.
• New laws or regulations that may affect the nature and/or scope of internal audit services.

Board Oversight

The responsibilities of the Audit Committee are outlined in the Board of Trustees Governing documents.  To establish, maintain, and ensure that Illinois State University's internal audit function has sufficient authority to fulfill its duties, the Audit Committee will: 

• Discuss with the Director of Internal Audit and senior management the appropriate authority, role, responsibilities, scope and services (assurance and/or advisory) of the internal audit function.
• Ensure the Director of Internal Audit has unrestricted access to, communicates, and interacts directly with the Board, including in private meetings without senior management present.
• Participates in discussions with the Director of Internal Audit about the "essential conditions," described in the Global Internal Audit Standards, which establish the foundation that enables an effective internal audit function.
• Review results of the quality assurance and improvement program.
• Makes appropriate inquiries of the Director of Internal Audit and management to determine whether the scope or resource limitations are inappropriate.

President Oversight

To establish, maintain, and ensure that Illinois State University's internal audit function has sufficient authority to fulfill its duties, the President will: 

• Discuss with the Director of Internal Audit and senior management the appropriate authority, role, responsibilities, scope and services (assurance and/or advisory) of the internal audit function.
• Discuss with the Director of Internal Audit and senior management other topics that should be included in the internal audit charter.
• Participate in discussions with the Director of Internal Audit and senior management about the "essential conditions," described in the Global Internal Audit Standards, which establish the foundation that enables an effective internal audit function. 
• Approve the internal audit function's charter, which includes the internal audit mandate and the scope and types of internal audit services. 
• Review the internal audit charter periodically with the Director of Internal Audit to consider changes affecting the organization, such as the employment of a new Director of Internal Audit or changes in the type, severity, and interdependencies of risks to the organization. 
• Approve the risk-based internal audit plan.
• Approve the internal audit function's human resources administration and budgets.
• Approve the internal audit function's expenses. 
• Collaborate with senior management to determine the qualifications and competencies the organization expects in a Director of Internal Audit, as described in the Global Internal Audit Standards. 
• Authorize the appointment and removal of the Director of Internal Audit.
• Approve the remuneration of the Director of Internal Audit. 
• Review the Director of Internal Audit's performance. 
• Receive communications from the Director of Internal Audit about the internal audit function including its performance relative to its plan.
• Ensure a quality assurance and improvement program has been established. 
• Review the results of the quality assurance and improvement program.
• Make appropriate inquiries of the Director of Internal Audit and management to determine whether scope or resource limitations are inappropriate. 

Director of Internal Audit Roles and Responsibilities 

Ethics and Professionalism

The Director of Internal Audit will ensure that internal auditors:

• Conform with Global Internal Audit Standards, including the principles of Ethics and Professionalism: integrity, objectivity, competency, due professional care, and confidentiality. 
• Understand, respect, meet, and contribute to the legitimate and ethical expectations of the organization and be able to recognize conduct that is contrary to those expectations.
• Encourage and promote an ethics-based culture in the organization.
• Report organizational behavior that is inconsistent with the organization's ethical expectations, as described in applicable policies and procedures. 

Objectivity

The Director of Internal Audit will ensure that the internal audit function remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of engagement selection, scope, procedures, frequency, timing, and communication.  If the Director of Internal Audit determines that objectivity may be impaired in fact or appearance, the details of the impairment will be disclosed to appropriate parties.

Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively such that they believe in their work product, do not compromise quality, and do not subordinate their judgment on audit matters to others, either in fact or appearance. 

Internal auditors will have no direct operational responsibility or authority over any of the activities they review.  Accordingly, internal auditors will not implement internal controls, develop procedures, install systems, or engage in other activities that may impair their judgment, including: 

• Assessing specific operations for which they had responsibility within the previous year.  
• Performing operational duties for Illinois State University or its affiliates. 
• Initiating or approving transactions external to the internal audit function.
• Directing the activities of any Illinois State University employee that is not employed by the internal audit function, except to the extent that such employees have been appropriately assigned to internal audit terms or to assist internal auditors. 

Internal auditors will: 

• Disclose impairments of independence or objectivity at least annually, in fact or appearance, to appropriate parties such as the Director of Internal Audit, Board, management or others.
• Exhibit professional objectivity in gathering, evaluating, and communicating information.
• Make balanced assessments of all available and relevant facts and circumstances.
• Take necessary precautions to avoid conflicts of interest, bias, and undue influence. 

Managing the Internal Audit Function

The Director of Internal Audit has the responsibility to: 

• Develop a flexible two-year audit plan, in accordance with the Fiscal Control and Internal Auditing Act (30 ILCS 10/), that considers input from the President, senior management and the Audit Committee.  This plan will be approved by the President and will be reviewed with the Audit Committee annually. 
• Communicate the impact of resource limitations on the internal audit plan to the President, senior management, and the Audit Committee. 
• Review and adjust the internal audit plan, as necessary, in response to changes in Illinois State University's business, risks, operations, programs, systems, and controls.
• Communicate to the President, senior management, and the Audit Committee if there are significant interim changes to the internal audit plan. 
• Ensure internal audit engagements are performed, documented and communicated in accordance with the Global Internal Audit Standards.
• Follow up on engagement findings and confirm the implementation of recommendations or action plans and communicate with the results of internal audit services to the President, senior management, and the Audit Committee annually as appropriate. 
• Ensure the internal audit function collectively possesses or obtains the knowledge, skills and other competencies needed to meet the requirements of the Global Internal Audit Standards and fulfill the internal audit mandate. 
• Identify and consider trends and emerging issues that could impact Illinois State University and communicate to the President, senior management, and the Audit Committee as appropriate. 
• Consider emerging trends and successful practices in internal auditing.
• Establish and ensure adherence to methodologies designed to guide the internal audit function. 
• Ensure adherence to Illinois State University's relevant polices and procedures unless such polices and procedures conflict with the internal audit charger or the Global Internal Audit Standards. Any such conflicts will be resolved or documented and communicated to the Board and senior management. 
• Coordinate activities and consider relying upon the work of other internal and external providers of assurance and advisory services.  If the Director of Internal Audit cannot achieve an appropriate level of coordination, the issue must be communicated to the President and senior management and if necessary escalated to the Audit Committee. 

Communication with Senior Management and the Audit Committee

The Director of Internal Audit will report annually to the President, senior management, and the Audit Committee regarding:

• The internal audit function's mandate.
• The internal audit plan and performance relative to its plan.
• Internal audit budget.
• Significant revisions to the internal audit plan and budget.
• Potential impairments to independence, including relevant disclosures as applicable.
• Results from the quality assurance and improvement program, which include the internal audit function's conformance with the IIA's Global Internal Audit Standards and action plans to address the internal audit function's deficiencies and opportunities for improvement. 
• Significant risk exposures and control issues, including fraud risk, governance issues, and other areas of focus for the board. 
• Results of assurance and advisory services.
• Resource requirements.
• Management's responses to risk that the internal audit function determines may be unacceptable or acceptance of a risk that is beyond Illinois State University's risk appetite. 

Quality Assurance and Improvement Program

The Director of Internal Audit will develop, implement and maintain a quality assurance and improvement program that covers all aspects of the internal audit function.  The program will include external and internal assessments of the internal audit function's conformance with the Global Internal Audit Standards, as well as performance measurement to assess the internal audit function's progress toward the achievement of its objectives and promotion of continuous improvement.  The program also will assess, if applicable, compliance with laws and/or regulations relevant to internal auditing.  Also, if applicable, the assessment will include plans to address the internal audit function's deficiencies and opportunities for improvement. 

The Director of Internal Audit will communicate with President, senior management, and the Audit Committee about the internal audit function's quality assurance and improvement program, including the results of internal assessments (ongoing monitoring and periodic self-assessments) and external assessments on an annual basis.  External assessments, conducted under the guidelines provided by the State Internal Audit Advisory Board, will be conducted at least once every five years by a qualified, independent assessor or assessment team from outside Illinois State University.

Scopes and Types of Internal Audit Services

The scope of internal audit services covers the entire breadth of the organization, including all of Illinois State University's activities, assets, and personnel.  The scope of internal audit activities also encompasses but is not limited to objective examinations of evidence to provide independent assurance and advisory services to the President, senior management, and the Audit Committee on the adequacy and effectiveness of governance, risk management and control processes for Illinois State University. 

The nature and scope of the advisory services may be agreed with the party requesting the service, provided the internal audit function does not assume management responsibility.  Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during advisory engagements.  These opportunities will be communicated to the appropriate level of management. 

Internal audit engagements may include evaluating whether:

• Risks relating to the achievement of Illinois State University's strategic objectives are appropriately identified and managed.
• The actions of Illinois State University's officers, directors, management, employees and contractors comply with Illinois State University's policies, procedures, and applicable laws, regulations and governance standards. 
• The results of operations and programs are consistent with established goals and objectives.
• Operations and programs are being carried out effectively and efficiently.
• Established processes and systems enable compliance with the policies, procedures, laws, and regulations that could significantly impact Illinois State University.
• The integrity of information and the means used to identify, measure, analyze, classify and report such information is reliable.
• Resources and assets are acquired economically, used efficiently and sustainably, and protected adequately.