Internal Audit Charter

In September 2014, the Board of Trustees approved an Internal Audit Charter, the guiding document for the Office of Internal Audit. This charter was amended by the Executive and Audit Committee on December 9, 2019.


Feet of the Pioneer Father statue with people on bikes on campus

Purpose

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve university operations.  It helps the university accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.  The Office of Internal Audit enhances and protects the University’s value by providing risk-based and objective assurance, advice, and insight.

Mission Statement:
Driven by the highest professional and ethical standards, the Office of Internal Audit helps the University accomplish its objectives by evaluating and identifying opportunities to improve the effectiveness of governance processes, risk management, and internal controls.

Professional Standards:
The responsibility of the Office of Internal Audit is to serve the University in a manner that is consistent with the standards established by the internal audit community.  At a minimum it shall comply with the Institute of Internal Auditors’ (“IIA”) mandatory guidance including the Definition of Internal Auditing, the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing (“IPPF”).  Additionally, the Office of Internal Audit references other appropriate audit frameworks, such as the Generally Accepted Government Auditing Standards. 

The Office of Internal Audit will undergo external peer reviews pursuant to the IPPF.  The Executive and Audit Committee shall have input into peer reviews and results of peer reviews will be available to the Committee upon completion.

Authority

To ensure the independence of the Office of Internal Audit, the Chief Auditor reports administratively to the Office of the President and functionally to the Executive and Audit Committee of the University of Oregon’s Board of Trustees.  The Chief Auditor will provide written quarterly progress reports to trustees and will present at regular meetings of the Board or an appropriate committee thereof, summarizing the results of engagement activities and issued audit reports.  In addition, the Chief Auditor will keep Board leadership, the President, and campus leadership, apprised of high-risk engagement issues.

The Office of Internal Audit is granted full and unrestricted access to all functions, records, systems, property, and personnel.  Any documents or information obtained by the Office of Internal Audit through the course of work will be handled with the confidentiality defined by the IIA’s Code of Ethics. The Office of Internal Audit has authority to audit any function, program, account or system deemed necessary and appropriate in the judgment of the Chief Auditor, notwithstanding a flexible pre-approved audit plan.

University management is responsible for risk management, control, and governance of the areas audited.  The Office of Internal Audit has no direct responsibility or authority over any of the areas audited.  Staff shall not perform any operational duties for the University, initiate or approve accounting transactions of areas under review, or direct the activities of any University employee, except to the extent such employees have been appropriately assigned to an audit team or to otherwise assist the auditors.

All university employees are expected to comply fully and timely with requests made by the Office of Internal Audit.  This includes, but is not limited to, timely provision of information, access to information, or responses to draft reports.  Recommendations made by the Office of Internal Audit shall be taken seriously and steps shall be taken to assess and determine a course of action in response to the recommendations.  The Chief Auditor may report any non-compliance on the part of university programs or employees to the President and the Executive and Audit Committee.

Responsibility

The Office of Internal Audit is responsible for developing and implementing a flexible annual audit plan using an appropriate risk-based methodology.  The annual audit plan should include consideration of any risks or control concerns identified by management, and should be reviewed and approved by the President and Executive and Audit Committee.

The Office of Internal Audit shall perform engagements in the following areas:

  • Assurance services:  Performed within the context of the IPPF, these services are independent and objective evaluations designed to provide reasonable assurance regarding the achievement of objectives over the effectiveness and efficiency of operations, reliability of financial reporting, or compliance with applicable laws and regulations. 
  • Consulting services:  Performed within the context of the IPPF, these services may be requested by managers and other department and unit leaders to help identify a variety of areas for improvement.  The scope and objectives are agreed upon by the Office of Internal Audit and management of the area. 
  • Investigative services:  These services evaluate allegations of fraud, waste, abuse or unethical business practices.  The Fraud and Ethics Hotline is free, confidential, and available to employees, students, and the community to report unlawful or unethical concerns.  Operated by EthicsPoint, reports are managed by the Office of Internal Audit.  Reports can also be made directly to the Office of Internal Audit.
  • Other services:  These services include coordination and oversight for external auditing agencies, and follow-up work.  External auditing agencies include agencies such as the Secretary of State and the NCAA.  Follow-up work is performed within the context of the IPPF to ensure plans and actions are taken to correct report conditions.  Additionally, the Office of Internal Audit provides awareness training covering topics such as fraud, risks, and internal controls.