The role of Internal Audit is defined by the Audit Charter which is contained in the OU Regents’ Policy Manual and is reproduced in full below. The Charter defines the purpose of the audit office, gives authority to conduct audits and defines areas of responsibility. The Charter also defines others’ responsibilities for providing access and cooperation during audits or other reviews.
The mission of University of Oklahoma Internal Audit is to assist management and staff of the universities under the governance of the University of Oklahoma Board of Regents in the effective discharge of its responsibilities by providing them and the Board with independent and objective analysis, appraisals, recommendations, and pertinent comments with reference to:
- the adequacy and effectiveness of the internal control structure,
- the safeguarding of assets,
- compliance with applicable laws, regulations and university policies, and
- the achievement of management’s objectives.
Definition of Internal Auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Authority and Organization
Oklahoma law provides that the University of Oklahoma Board of Regents (‘the Board’) shall establish an internal audit function that employs a sufficient number of internal auditors to meet the Board’s fiduciary responsibilities.
The internal audit function shall be responsible to the Board and the University of Oklahoma President. The Chief Audit Executive will report functionally to the Board and administratively (i.e. day-to-day operations) to the President.
University of Oklahoma Internal Audit (‘Internal Audit’) will govern itself by adherence to the Institute of Internal Auditors' guidance including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing.
The Chief Audit Executive is authorized by the Board to direct a broad, comprehensive program of internal auditing throughout the universities under the governance of the Board (‘universities’). This includes University of Oklahoma activities in Norman, Oklahoma City and Tulsa, and activities at Cameron University, Rogers State University and at any other locations for which the Board has responsibility.
Internal Audit will determine whether the universities’ control, risk management, and governance processes, as designed and implemented by management, are adequate and functioning. In order to accomplish these objectives, the Chief Audit Executive and the Internal Audit staff are authorized by the Board and the President to have full, free, and unrestricted access to all the universities’ functions, records, property, and personnel. In the event any officer, agent, or employee of the universities shall fail to co-operate fully with the Chief Audit Executive or shall otherwise hinder or prevent or attempt to hinder or prevent any audit, the Chief Audit Executive shall immediately and simultaneously report the same to the President and to the Finance and Audit Committee of the Board. Under Oklahoma law, any person who alters or destroys records needed for the performance of an audit or causes or directs a subordinate to do such acts shall be guilty of a felony punishable by imprisonment and/or a fine, and also subject to immediate removal from office or employment.
The Board shall:
- With the advice of the President, appoint and terminate the Chief Audit Executive
- Approve the Internal Audit Charter
- Annually, review and approve the plan of work to be performed by Internal Audit
- Quarterly, receive communications from the Chief Audit Executive on the internal audit activity relative to the plan and other matters.
- Make enquiries of management and the Chief Audit Executive regarding scope and resources.
Independence and Objectivity
The Chief Audit Executive and Internal Audit staff will have no direct operational responsibility or authority over the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair independent and objective judgment.
To permit the maintenance of a fully independent and objective approach, the internal audit activity will remain free from interference by any element in the organization, including matters of audit selection, scope, procedures, frequency, timing, or report content.
Internal auditors will exhibit professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors will make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
The Chief Audit Executive will confirm to the Board, at least annually, the organizational independence of the internal audit activity.
The Chief Audit Executive will have the responsibility for the direction, personnel, budget, and day-to-day operation of the internal audit function.
Internal Audit shall:
- Develop a risk analysis to identify the higher risk activities of the universities.
- Annually prepare and submit a risk-based Audit Plan for review by the Finance and Audit Committee and approval by the Board.
- In accordance with the annual Audit Plan, perform audits that review and evaluate internal controls and the quality of ongoing operations to help ensure management compliance with laws and regulations, university and departmental policies, plans and procedures.
- Prepare an Audit Report for each audit that will comment on the adequacy of internal controls and recommend action for management to correct any deficiencies. Obtain a written response from management with an agreed timetable for corrective action.
- Submit a copy of each final Audit Report to the President, and to the Vice President for University Governance for distribution to the Board, and to the executive officer responsible for the audited activity and appropriate administrative personnel. The Regents shall have the opportunity to discuss reports with the Chief Audit Executive.
- Perform follow-up procedures to ensure that recommended corrective action has been implemented. Report to the Finance and Audit Committee instances where recommendations have not been fully implemented by management after a reasonable period of time.
- Submit quarterly activity reports to the Finance and Audit Committee that summarize audit work performed.
- Report annually on the adequacy of the internal control structure for the universities according to the audit work carried out during the year.
- Conduct special reviews and consulting services as directed by the Presidents or the Board. Special reviews and consulting services requested by departmental management may be performed at the discretion of the Chief Audit Executive.
- Investigate reported or suspected acts of theft, fraud, or misuse, abuse or misappropriation of resources, and report to the Finance and Audit Committee accordingly.
- Serve as facilitator and coordinator for federal, state, and other external audit agencies. External audit agencies shall contact the Chief Audit Executive for entrance and exit audit conferences.
Quality Assurance and Improvement Program
Internal Audit will maintain a quality assurance and improvement program. The program will include an evaluation of the conformance of the activities of Internal Audit with the Institute of Internal Auditors’ Definition of Internal Auditing and the International Standards for the Professional Practice of Internal Auditing and an evaluation of whether internal auditors apply the Code of Ethics. The program will also assess the efficiency and effectiveness of the internal audit activity and identify opportunities for improvement.
The Chief Audit Executive will communicate to senior management and the Board on the internal audit activity’s quality assurance and improvement program, including results of ongoing internal and external assessments.
University employees have a duty to report instances of suspected theft, fraud, or misuse of funds to Internal Audit or via the University Fraud Reporting Hotline. Internal Audit will coordinate internal investigations with the appropriate university officials (e.g., Office of Legal Counsel, Campus Police, the Compliance Office, university officers, and/or departmental personnel). The responsibility of the Chief Audit Executive and Internal Audit with regard to fraud investigation is set out in the Fraud Prevention, Reporting and Whistleblower Policy.
Board Approved March 2015