This Charter shall be effective this 6th day of October, 2017.
Purpose and Mission
The purpose of the Colorado State University System (System) Internal Audit (IA) department is to provide the Colorado State University System Board of Governors, the Chancellor, and senior management with independent, objective assurance and consulting services designed to add value and improve the System’s operations. The mission of IA is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. IA helps the System accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes. This IA Charter of Operations is intended to supplement Article VIII of the Bylaws relating to the Director of IA and is authorized by Article XII of the Bylaws.
Standards for the Professional Practice of Internal Auditing
IA will govern itself by adherence to the mandatory elements of The Institute of Internal Auditors' International Professional Practices Framework, including the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing. The Information Systems Audit and Assurance professionals will additionally adhere to the mandatory standards of the Information Technology Assurance Framework (ITAF) and the Code of Ethics of the Information Systems Audit and Control Association (ISACA). Members of the IA Department are responsible for maintaining the high standards of conduct, independence, and character necessary to provide proper and meaningful internal auditing for the System.
The Director of IA will have unrestricted access to, and communicate and interact directly with, the Chancellor and Audit and Finance Committee, including in private meetings without management present.
The Audit and Finance Committee authorizes the Director of IA and IA staff to:
- Have full, free, timely, and unrestricted access to all functions, records, property, information systems, consultants, contractors, and other personnel pertinent to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information.
- Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques required to accomplish audit objectives, and issue reports.
- Obtain assistance from the necessary personnel of any of the System institutions, as well as other specialized services from within or outside the organization, in order to complete the engagement.
Independence and Objectivity
The Director of IA will ensure that IA remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and report content. If the Director of IA determines that independence or objectivity may be impaired in fact or appearance, the details of impairment will be disclosed to appropriate parties.
The Director of IA will report functionally to the Audit and Finance Committee and administratively (i.e., day-to-day operations) to the Chancellor. The Director of IA is ultimately accountable to the Board and shall have a direct reporting relationship to the Board through its Audit and Finance Committee. The following activities undertaken by the Audit and Finance Committee are examples of functional reporting to the Board:
- Approving the IA charter.
- Approving the risk-based internal audit plan.
- Approving IA’s budget and resource plan.
- Receiving communications from the Director of IA on IA’s performance relative to its plan and other matters.
- Approving decisions regarding the appointment and removal of the Director of IA.
- Approving the remuneration of the Director of IA.
- Making appropriate inquiries of management and the Director of IA to determine whether there is inappropriate scope or resource limitations.
Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.
Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, internal auditors will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgment, including:
- Assessing specific operations for which they had responsibility within the previous year.
- Performing any operational duties for the System, its campuses, or its affiliates.
- Initiating or approving transactions external to IA.
- Directing the activities of any System employee not employed by IA, except to the extent that such employees have been appropriately assigned to auditing teams or to otherwise assist internal auditors.
Where the Director of IA has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards will be established to limit impairments to independence or objectivity.
Internal auditors will:
- Disclose any impairment of independence or objectivity, in fact or appearance, to appropriate parties.
- Exhibit professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.
- Make balanced assessments of all available and relevant facts and circumstances.
- Take necessary precautions to avoid being unduly influenced by their own interests or by others in forming judgments.
The Director of IA will confirm to the Audit and Finance Committee, at least annually, the organizational independence of IA.
The Director of IA will disclose to the Audit and Finance Committee any interference and related implications in determining the scope of internal auditing, performing work, and/or communicating results.
Scope of Internal Audit Activities
The scope of internal audit activities encompasses, but is not limited to, objective examinations of evidence for the purpose of providing independent assessments to the Audit and Finance Committee, the Chancellor, senior management, and outside parties on the adequacy and effectiveness of governance, risk management, and control processes for the System. IA assessments include evaluating whether:
- Risks relating to the achievement of the System’s strategic objectives are appropriately identified and managed.
- The actions of the System’s officers, directors, employees, and contractors are in compliance with the System’s policies, procedures, and applicable laws, regulations, and governance standards.
- The results of operations or programs are consistent with established goals and objectives.
- Operations or programs are being carried out effectively and efficiently.
- Established processes and systems enable compliance with the policies, procedures, laws, and regulations that could significantly impact the System.
- Information and the means used to identify, measure, analyze, classify, and report such information are reliable and have integrity.
- Resources and assets are acquired economically, used efficiently, and protected adequately.
The Director of IA will report periodically to senior management and the Audit and Finance Committee regarding:
- IA’s purpose, authority, and responsibility.
- IA’s plan and performance relative to its plan.
- IA’s conformance with The IIA’s Code of Ethics and Standards, and action plans to address any significant conformance issues.
- Significant risk exposures and control issues, including fraud risks, governance issues, and other matters requiring the attention of, or requested by, the Audit and Finance Committee or senior management.
- Results of audit engagements or other activities.
- Resource requirements.
- Any response to risk by management that may be unacceptable to the System.
- The Director of IA considers relying upon the work of other internal and external assurance and consulting service providers as needed. IA may perform advisory and related client service activities, the nature and scope of which will be agreed with the client, provided IA does not assume management responsibility.
- Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during engagements. These opportunities will be communicated to the appropriate level of management.
The Director of IA and the IA staff have a responsibility to:
- Submit, at least annually, to senior management and the Audit and Finance Committee a risk-based internal audit plan for review and approval.
- Communicate to senior management and the Audit and Finance Committee the impact of resource limitations on the internal audit plan.
- Review and adjust the Internal Audit plan, as necessary, in response to changes in the System’s business, risks, operations, programs, systems, and controls.
- Communicate to senior management and the Audit and Finance Committee any significant interim changes to the Internal Audit plan.
- Ensure each engagement of the Internal Audit plan is executed, including the establishment of objectives and scope, the assignment of appropriate and adequately supervised resources, the documentation of work programs and testing results, and the communication of engagement results with applicable conclusions and recommendations to appropriate parties.
- Follow up on engagement findings and corrective actions, and report periodically to senior management and the Audit and Finance Committee any corrective actions not effectively implemented.
- Ensure the principles of integrity, objectivity, confidentiality, and competency are applied and upheld.
- Ensure IA collectively possesses or obtains the knowledge, skills, and other competencies needed to meet the requirements of the Internal Audit charter.
- Ensure trends and emerging issues that could impact the System are considered and communicated to senior management and the Audit and Finance Committee as appropriate.
- Ensure emerging trends and successful practices in internal auditing are considered.
- Establish and ensure adherence to policies and procedures designed to guide IA.
- Assist in the investigation of significant suspected fraudulent activities within the System and notify the Chancellor and Audit and Finance Committee of the results.
- Assist in assessing and addressing reports generated through the Compliance Reporting Hotline.
- Ensure adherence to the relevant policies and procedures of the System and its campuses, unless such policies and procedures conflict with the Internal Audit Charter. Any such conflicts will be resolved or otherwise communicated to senior management and the Audit and Finance Committee.
- Ensure conformance of IA with the Standards, with the following qualifications:
- If IA is prohibited by law or regulation from conformance with certain parts of the Standards, the Director of IA will ensure appropriate disclosures and will ensure conformance with all other parts of the Standards.
- If the Standards are used in conjunction with requirements issued by other authoritative bodies, the Director of IA will ensure that IA conforms with the Standards, even if IA also conforms with the more restrictive requirements of the other authoritative bodies.
A written report will be prepared and issued by the Director of IA or designee following the conclusion of each audit. A copy of each audit report will be forwarded to the Chancellor, the Audit and Finance Committee and to other affected parties. The Director of IA or designee may include in the audit report the auditee’s response and corrective action taken or to be taken in regard to the specific findings and recommendations. Management’s response should include a timetable for anticipated completion of the corrective action to be taken and an explanation for any recommendations not addressed by corrective action.
Quality Assurance and Improvement Program
IA will maintain a quality assurance and improvement program that covers all aspects of IA. The program will include an evaluation of IA’s conformance with the Standards and an evaluation of whether internal auditors apply The IIA’s and ISACA’s Code of Ethics. The program will also assess the efficiency and effectiveness of IA and identify opportunities for improvement. The Director of IA will communicate to senior management and the Audit and Finance Committee on IA’s quality assurance and improvement program, including results of internal assessments (both ongoing and periodic) and external assessments conducted at least once every five years by a qualified, independent assessor or assessment team from outside the System.