Internal Audit Charter
The Internal Audit Department (Internal Audit) is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of The Ohio State University. It assists the university in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization's governance, risk management, and internal control.
Internal Audit is established by the Board of Trustees (hereafter referred to as the Board). Internal Audit’s responsibilities are defined by the Board as part of their oversight role.
Internal Audit will govern itself by adherence to The Institute of Internal Auditors' mandatory guidance including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity’s performance.
The Institute of Internal Auditors' Practice Advisories, Practice Guides, and Position Papers will also be adhered to as applicable to guide operations. In addition, Internal Audit will adhere to the university’s relevant policies and procedures and Internal Audit's standard operating procedures manual.
Internal Audit, with strict accountability for confidentiality and safeguarding records and information, is authorized full, free, and unrestricted access to any and all university records, physical properties, and personnel pertinent to carrying out any engagement. All employees are required to assist the internal audit activity in fulfilling its roles and responsibilities. Internal Audit will also have free and unrestricted access to the Audit and Compliance Committee of the Board.
The chief audit executive (Director) will report functionally to the Board’s Audit and Compliance Committee and to the university president and administratively (i.e., day to day operations) to the senior vice president for business and finance.
The Audit and Compliance Committee will:
- Approve the internal audit charter;
- Approve the risk based internal audit plan;
- Approve the internal audit budget and resource plan;
- Receive communications from the Director on the internal audit activity’s performance relative to its plan and other matter;
- Approve decisions regarding the appointment and removal of the Director;
- Approve the remuneration of the Director;
- Make appropriate inquiries of management and the Director to determine whether there is inappropriate scope or resource limitations.
The Director will communicate and interact directly with the Audit and Compliance Committee, including in executive sessions and between Board meetings as appropriate.
Independence and Objectivity
Internal Audit will remain free from interference by any element in the organization, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude.
Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair internal auditor’s judgment.
Internal auditors will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.
Internal auditors will make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
The Director will confirm to the Audit and Compliance Committee, at least annually, the organizational independence of the Internal Audit Department.
The scope of Internal Audit encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the organization's governance, risk management, and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve the organization’s stated goals and objectives. This includes:
- Evaluating risk exposure relating to achievement of the organization’s strategic objectives;
- Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information;
- Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the organization;
- Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets;
- Evaluating the effectiveness and efficiency with which resources are employed;
- Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned;
- Monitoring and evaluating governance processes;
- Monitoring and evaluating the effectiveness of the organization's risk management processes;
- Evaluating the quality of performance of external auditors and the degree of coordination with internal audit;
- Performing consulting and advisory services related to governance, risk management and control as appropriate for the organization;
- Reporting periodically on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan;
- Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the Board;
- Evaluating specific operations at the request of the Board or management, as appropriate.
Internal Audit Plan
At least annually, the Director will submit to senior management and the Audit and Compliance Committee an internal audit plan for review and approval. The internal audit plan will consist of a work schedule as well as budget and resource requirements for the next fiscal/calendar year. The Director will communicate the impact of resource limitations and significant interim changes to senior management and the Audit and Compliance Committee.
The internal audit plan will be developed based on a prioritization of the audit universe using a risk-based methodology, including input of senior management and the Board. The Director will review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls. Any significant deviation from the approved internal audit plan will be communicated to senior management and the Audit and Compliance Committee through periodic activity reports.
Reporting and Monitoring
A written report will be prepared and issued by the Director or designee following the conclusion of each internal audit engagement and will be distributed as appropriate. Internal Audit results will also be communicated to the Audit and Compliance Committee.
The internal audit report may include management’s response and corrective action taken or to be taken in regard to the specific findings and recommendations. Management's response, included within the original audit report should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented.
The internal audit activity will be responsible for appropriate follow-up on engagement findings and recommendations. All significant findings will remain in an open issues file until cleared.
The Chief Audit Executive will periodically report to senior management and the Audit and Compliance Committee on the internal audit activity’s purpose, authority, and responsibility, as well as performance relative to its plan. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the Board.
Quality Assurance and Improvement Program
Internal Audit activity will maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program will include an evaluation of Internal Audit’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement.
The Director will communicate to senior management and the Audit and Compliance Committee on the Internal Audit’s quality assurance and improvement program, including results of ongoing internal assessments and external assessments conducted at least every five years.
Approved by The Ohio State University Board of Trustees on January 30, 2015, Resolution No. 2015-54