University of Virginia Internal Audit Charter (PDF)
- Internal Auditing Policy
Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The UVA Office of Audit and Compliance assists UVA’s Board of Visitors and University management in the discharge of their oversight, management, and operating responsibilities by providing independent assurance and consulting services to the University community. Our services add value by improving the control, risk management and governance processes to help the University achieve its business objectives.
It is the policy of the University to establish and support the Office of Audit and Compliance to assist the University in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the University’s governance, risk management, and internal controls. The internal audit activity’s responsibilities are defined by the Audit, Compliance, and Risk Committee (ACR Committee) of the Board of Visitors (Board) as part of its oversight role.
The internal auditor, with strict accountability for confidentiality and safeguarding records and information, is authorized to have full, free, and unrestricted access to any and all of the University’s records, physical properties, and personnel pertinent to carrying out an engagement. All employees are requested to assist the Audit Department in fulfilling its roles and responsibilities. The internal audit activity will also have free and unrestricted access to the ACR Committee and its chairman.
The Chief Audit Executive will report on behalf of the internal audit activity to the ACR Committee chairman, and administratively (day to day operations) to the Executive Vice President and Chief Operating Officer of the University.
The ACR Committee will:
- Periodically review and approve changes to the Audit Department charter.
- Approve the risk-based audit plan.
- Approve the internal audit budget and resource plan.
- Receive communications from the Chief Audit Executive on the Audit Department’s performance relative to its plan and other matters.
- Approve decisions regarding the performance evaluation, appointment, or removal of the Chief Audit Executive.
- Approve the remuneration of the Chief Audit Executive.
- Make appropriate inquiries of management and the Chief Audit Executive to determine whether there are inappropriate scope or resource limitations.
The Chief Audit Executive will communicate and interact directly with the ACR Committee, including in executive sessions and between ACR Committee meetings as appropriate.
- Professional Standards
UVA’s Office of Audit and Compliance will govern itself by adherence to The Institute of Internal Auditors’ mandatory guidance, which includes the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing. The Office of Audit and Compliance will adhere to the University’s relevant policies and procedures as well as the Generally Accepted Governmental Auditing Standards of the Government Accountability Office.
- Independence and Objectivity
The internal audit activity will remain free from interference by any element in the University, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective function. The Chief Audit Executive must disclose such interference to the ACR Committee and discuss the implications.
Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair internal auditors’ independence or judgment. Internal auditors may provide assurance services for areas previously consulted, provided the consulting services did not impair objectivity.
Internal auditors will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors will make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
The Chief Audit Executive will annually evaluate reporting lines and responsibilities and confirm to the ACR Committee the organizational independence of the Office of Audit and Compliance.
The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the University’s governance, risk management, and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve the University’s stated goals and objectives. This includes:
- Evaluating the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.
- Evaluating risk exposure relating to achievement of the University’s strategic objectives.
- Assessing whether the information technology governance of the organization supports the organization’s strategies and objectives.
- Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information. To enable this responsibility, the Office of Audit and Compliance will participate in the planning, development, implementation, and modification of major computer-based and manual systems to ensure that:
- adequate controls are incorporated into the system;
- thorough system testing is performed at appropriate stages;
- system documentation is complete and accurate; and
- the resultant system is a complete and accurate implementation of the system specifications.
- Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the University.
- Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
- Evaluating the effectiveness and efficiency of resource utilization.
- Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
- Assessing and making appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
- Promoting appropriate ethics and values within the organization.
- Ensuring effective organizational performance management and accountability.
- Communicating risk and control information to appropriate areas of the organization.
- Coordinating the activities of and communicating information among the board, external and internal auditors, and management.
- Monitoring and evaluating the effectiveness of the organization’s risk management processes.
- Performing consulting services related to governance, risk management, and control.
- Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the ACR Committee or management.
- Evaluating specific operations at the request of the ACR Committee or management, as appropriate.
- Reporting periodically on the purpose, authority, and responsibility of the Office of Audit and Compliance and performance relative to its plan.
- Internal Audit Plan
At least annually, the Chief Audit Executive will submit to senior management and the ACR an internal audit plan for review and approval. The internal audit plan will consist of a work schedule as well as budget and resource requirements for the next year. The Chief Audit Executive will communicate the impact of resource limitations and significant interim changes to senior management and the Board.
The internal audit plan will be developed based on a prioritization of the audit universe using a risk-based methodology, including input of senior management, the ACR, and Board.
The Chief Audit Executive will review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls. Any significant deviation from the approved internal audit plan will be communicated to senior management and the ACR through periodic activity reports.
- Audit Department Services
The Chief Audit Executive is empowered to conduct assurance services, special audit projects, reviews, or investigations at the request of the Board, ACR Committee, President, General Counsel, EVP Provost, EVP Chief Operating Officer, EVP Health Affairs, or their designee, to assist management in meeting its objectives, promoting economy and efficiency in the administration of, or preventing and detecting fraud and abuse in its programs and operations. The Office of Audit and Compliance may also provide consulting services, beyond assurance services, to assist management in meeting its objectives. Examples may include facilitation, process design, training, and advisory services.
- Coordination with External Auditing Agencies
The Chief Audit Executive, with the goal of avoiding duplication of work, will coordinate the office’s audit efforts with those of the Commonwealth of Virginia’s Auditor of Public Accounts, or other external auditing agencies as applicable, by participating in the planning and definition of the scope of proposed audits so the work of all auditing groups is complementary and their combined efforts provide comprehensive, cost-effective audit coverage for the University.
- Reporting and Monitoring
A written report will be prepared and issued by the Chief Audit Executive or designee following the conclusion of each internal audit engagement and will be distributed as appropriate. Internal audit results will be available for review by the ACR and the Board of Visitors.
The internal audit report will include management’s response and corrective action taken or to be taken regarding the specific findings and recommendations.
Management's response to audit findings and recommendations should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented.
The Office of Audit and Compliance will be responsible for appropriate follow up on its engagement findings and recommendations. All significant findings will remain in an open issues file until cleared. The ACR will receive periodic reporting from the Chief Audit Executive on the status of management’s action plan implementation.
The Chief Audit Executive will periodically report to senior management and the ACR on the internal audit activity’s purpose, authority, and responsibility, as well as performance relative to its plan. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management, ACR, or the Board.
- Quality Assurance and Improvement Program
In alignment with the IIA Standards, the Chief Audit Executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program must include both internal and external assessments to evaluate the internal audit activity’s conformance with the Standards and an evaluation of whether internal auditors abide by the Code of Ethics.
Internal assessments are conducted at the conclusion of each engagement in accordance with the quality standards described in greater detail in the Internal Audit Policies and Procedures Manual. The results of ongoing internal assessments are communicated to the ACR on an annual basis.
External assessments must be conducted at least once every five years by a qualified independent assessor or assessment team from outside the organization. The Chief Audit Executive must discuss with the ACR Committee:
- The form and frequency of external assessment.
- The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.
The program will also assess the efficiency and effectiveness of the internal audit activity and identify opportunities for improvement. The Chief Audit Executive must communicate results of the quality assurance and improvement program to senior management and the ACR Committee.
Approved June 3, 2021