POLICY AND PROCEDURES MANUAL

Policy 111: CSUS Board Audit Charter Policy

Subject: Governance

Board Policy

The Internal Auditing Department (IA) shall provide the Board, the Chancellor, and the university administrations with an independent and objective evaluation of governance, risk management, and control processes to assist the Colorado State University System (System) in achieving its objectives. This Charter of Operations for the IA Department is intended to supplement Article VIII of the Bylaws relating to the Director of IA and is authorized by Article XII of the Bylaws.

Purpose

The purpose of the internal audit function is to strengthen the CSU System’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.

Internal Auditing supports the CSU System’s mission by:

  • Assisting in the successful achievement of its objectives.
  • Independently evaluating governance, risk management, and control processes.
  • Providing value-added insights to assist with decision-making and oversight.
  • Enhancing the System’s reputation and credibility with stakeholders.
  • Assisting in its ability to serve the public interest.

The CSU System’s internal audit function is most effective when:

  • Internal auditing is performed by competent professionals in conformance with the Institute of Internal Auditors’ (IIA) Global Internal Audit Standards™, which are set in the public interest.
  • The internal audit function is independently positioned with direct accountability to the board.
  • Internal auditors are free from undue influence and committed to making objective assessments.

Commitment to Adhering to the Global Internal Audit Standards

CSU System IA will take reasonable steps to adhere to the mandatory elements of The Institute of Internal Auditors’ International Professional Practices Framework, which are the Global Internal Audit Standards and Topical Requirements (Standards). The Director will report periodically to the Board and senior management regarding the internal audit function’s conformance with the Standards, which will be assessed through a quality assurance and improvement program.

The Information Systems audit professionals will additionally take reasonable steps to adhere to the mandatory standards of the Information Technology Assurance Framework (ITAF) and the Code of Ethics of the Information Systems Audit and Control Association (ISACA). Members of the IA Department are responsible for maintaining the high standards of conduct, independence, and character necessary to provide proper and meaningful internal auditing for the CSU System.

Authority

The CSU System’s Board grants the internal audit function the mandate to provide the Board and senior management with objective assurance, advice, insight, and foresight.

IA’s authority is created by its direct reporting relationship to the Board. Such authority allows for unrestricted access to the Board.

The Board authorizes the Director of IA and IA staff to:

  • Have full, free, timely, and unrestricted access to all functions, data, records, physical property, information systems, consultants, contractors, and other personnel pertinent to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information, including, but not limited to, attorney-client privileged information.
  • Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques required to accomplish audit objectives, and issue reports.
  • Obtain assistance from the necessary personnel of any of the CSU System institutions, as well as other specialized services from within or outside the organization, in order to complete the engagement.

Independence, Organizational Position, and Reporting Relationships

The Director will be positioned at a level in the organization that enables internal audit services and responsibilities to be performed without interference from management, thereby establishing the independence of the internal audit function. The Director will report functionally to the Board and administratively (for example, day-to-day operations) to the Chancellor. This positioning provides the organizational authority and status to bring matters directly to senior management and escalate matters to the Board, when necessary, without interference, and supports the internal auditors’ ability to maintain objectivity.

The Director will confirm to the Board, at least annually, the organizational independence of the internal audit function. If the governance structure does not support organizational independence, the Director will document the characteristics of the governance structure limiting independence and any safeguards employed to achieve the principle of independence. The Director will disclose to the Board, through the Audit and Finance Committee Chair, any interference internal auditors encounter related to the scope, performance, or communication of internal audit work and results. The disclosure will include communicating the implications of such interference on the internal audit function’s effectiveness and ability to fulfill its mandate.

Changes to the Internal Auditing Mandate and Charter

Circumstances may require follow-up discussions between the Director, Board, and senior management on the roles and responsibilities of IA or elements of the internal audit charter. Such circumstances may include, but are not limited to:

  • A significant change in the Global Internal Audit Standards.
  • A significant reorganization within the organization.
  • Significant changes in the Director, Board, and/or senior management.
  • Significant changes to the organization’s strategies, objectives, risk profile, or the environment in which the organization operates.
  • New laws or regulations that may affect the nature and/or scope of internal audit services.

Board Oversight

In accordance with the bylaws, the Audit and Finance Committee of the Board of Governors oversees the functional reporting responsibilities for IA. The following activities undertaken by the Board are examples of functional reporting to the Board:

  • Discuss with the Director and senior management the appropriate authority, role, responsibilities, scope, and services (assurance and/or advisory) of the internal audit function.
  • Ensure the Director has unrestricted access to and communicates and interacts directly with the Board, including in private meetings without senior management present.
  • Discuss with the Director and senior management other topics that should be included in the internal audit charter.
  • Participate in discussions with the Director and senior management about the “essential conditions,” described in the Global Internal Audit Standards, which establish the foundation that enables an effective internal audit function.
  • Approve the internal audit function’s charter, which includes the internal audit mandate and the scope and types of internal audit services.
  • Review the internal audit charter annually with the Director to consider changes affecting the organization, such as the employment of a new Director or changes in the type, severity, and interdependencies of risks to the organization; and approve the internal audit charter periodically.
  • Approve the risk-based internal audit plan.
  • Approve the internal audit function’s human resources administration and budgets.
  • Approve the internal audit function’s budget.
  • Collaborate with senior management to determine the qualifications and competencies the organization expects in a Director, as described in the Global Internal Audit Standards.
  • Authorize the appointment and removal of the Director.
  • Approve the remuneration of the Director.
  • Review the Director’s performance.
  • Receive communications from the Director about the internal audit function, including its performance relative to its plan.
  • Ensure a quality assurance and improvement program has been established.
  • Review the results of the quality assurance and improvement program annually.
  • Make appropriate inquiries of management and the Director to determine whether scope or resource limitations are inappropriate.

Director Roles and Responsibilities

Ethics and Professionalism

The Director will ensure that internal auditors:

  • Conform with the Global Internal Audit Standards, including the principles of Ethics and Professionalism: integrity, objectivity, competency, due professional care, and confidentiality.
  • Understand, respect, meet, and contribute to the legitimate and ethical expectations of the organization and be able to recognize conduct that is contrary to those expectations.
  • Encourage and promote an ethics-based culture in the organization.
  • Report organizational behavior that is inconsistent with the organization’s ethical expectations, as described in applicable policies and procedures.

Objectivity

IA will remain free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of engagement selection, scope, procedures, frequency, timing, and communication. If the Director determines that objectivity may be impaired in fact or appearance, the details of the impairment will be disclosed to appropriate parties.

Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, do not compromise quality, and do not subordinate their judgment on audit matters to others, either in fact or appearance.

Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, internal auditors will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgment, including:

  • Assessing specific operations for which they had responsibility within the previous year.
  • Performing any operational duties for the CSU System, its campuses, or its affiliates.
  • Initiating or approving transactions external to IA.
  • Directing the activities of any CSU System employee not employed by IA, except to the extent that such employees have been appropriately assigned to auditing teams or to otherwise assist internal auditors.

Where the Director of IA has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards will be established to limit impairments to independence or objectivity.

The Director of IA and Internal Audit staff will:

  • Disclose any impairment of independence or objectivity, in fact or appearance, to appropriate parties, such as the Director, Board, management, or others.
  • Exhibit professional objectivity in gathering, evaluating, and communicating information.
  • Make balanced assessments of all available and relevant facts and circumstances.
  • Take necessary precautions to avoid being unduly influenced by their own interests or by others in forming judgments.

Managing the Internal Audit Function

The Director has the responsibility to:

  • At least annually, develop a risk-based internal audit plan that considers the input of the Board and senior management. Discuss the plan with the Board and senior management and submit the plan to the Board for review and approval.
  • Communicate the impact of resource limitations on the internal audit plan to the Board and senior management.
  • Review and adjust the internal audit plan, as necessary, in response to changes in the CSU System’s business, risks, operations, programs, systems, and controls.
  • Communicate with the Board and senior management if there are significant interim changes to the internal audit plan.
  • Ensure internal audit engagements are performed, documented, and communicated in accordance with the Global Internal Audit Standards.
  • Follow up on engagement findings and confirm the implementation of recommendations or action plans, and communicate the results of internal audit services to the Board and senior management at least quarterly and for each engagement as appropriate.
  • Ensure the internal audit function collectively possesses or obtains the knowledge, skills, and other competencies needed to meet the requirements of the Global Internal Audit Standards and fulfill the internal audit purpose.
  • Identify and consider trends and emerging issues that could impact the CSU System and communicate to the Board and senior management as appropriate.
  • Consider emerging trends and successful practices in internal auditing.
  • Establish and ensure adherence to methodologies designed to guide the internal audit function.
  • Assist in the investigation of significant suspected fraudulent activities within the CSU System and notify the Chancellor and Audit and Finance Committee of the results.
  • Assist in assessing and addressing reports generated through the Compliance Reporting Hotline.
  • Ensure adherence to the CSU System’s relevant policies and procedures unless such policies and procedures conflict with the internal audit charter or the Global Internal Audit Standards. Any such conflicts will be resolved or documented, and communicated to the Board and senior management.
  • Coordinate activities and consider relying upon the work of other internal and external providers of assurance and advisory services. If the Director cannot achieve an appropriate level of coordination, the issue must be communicated to senior management and, if necessary, escalated to the Board.

Communication with the Board and Senior Management

The Director will report periodically to the Board and senior management regarding:

  • The internal audit function’s purpose, authority, and responsibility.
  • The internal audit plan and performance relative to its plan.
  • The internal audit budget.
  • Significant revisions to the internal audit plan and budget.
  • Potential impairments to independence, including relevant disclosures as applicable.
  • Results from the quality assurance and improvement program, which include the internal audit function’s conformance with The IIA’s Global Internal Audit Standards and action plans to address the internal audit function’s deficiencies and opportunities for improvement.
  • Significant risk exposures and control issues, including fraud risks, governance issues, and other areas of focus for the Board.
  • Results of assurance and advisory services.
  • Resource requirements.
  • Management’s responses to risk that the internal audit function determines may be unacceptable or acceptance of a risk that is beyond the CSU System’s risk appetite.

Quality Assurance and Improvement Program

The Director will develop, implement, and maintain a quality assurance and improvement program that covers all aspects of the internal audit function. The program will include external and internal assessments of the internal audit function’s conformance with the Global Internal Audit Standards, as well as performance measures to assess the internal audit function’s progress toward the achievement of its objectives and promotion of continuous improvement. The program also will assess, if applicable, compliance with laws and/or regulations relevant to internal auditing. If applicable, the assessment will include plans to address the internal audit function’s deficiencies and opportunities for improvement.

Annually, the Director will communicate with the Board and senior management about the internal audit function’s quality assurance and improvement program, including the results of internal assessments (ongoing monitoring and periodic self-assessments) and external assessments. External assessments will be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the CSU System; qualifications must include at least one assessor holding an active Certified Internal Auditor® credential.

Scope of Internal Audit Activities

The scope of internal audit services covers the entire breadth of the organization, including all of the CSU System’s activities, assets, and personnel. The scope of internal audit activities encompasses, but is not limited to, objective examinations of evidence for the purpose of providing independent assurance and advisory services to the Board and management, on the adequacy and effectiveness of governance, risk management, and control processes for the CSU System.

The nature and scope of advisory services may be agreed with the party requesting the service, provided the internal audit function does not assume management responsibility. Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during advisory engagements. These opportunities will be communicated to the appropriate level of management.

IA engagements may include evaluating whether:

  • Risks relating to the achievement of the CSU System’s strategic objectives are appropriately identified and managed.
  • The actions of the System’s officers, directors, employees, and contractors comply with the System’s policies, procedures, and applicable laws, regulations, and governance standards.
  • The results of operations or programs are consistent with established goals and objectives.
  • Operations or programs are being carried out effectively and efficiently.
  • Established processes and systems enable compliance with the policies, procedures, laws, and regulations that could significantly impact the System.
  • The integrity of information and the means used to identify, measure, analyze, classify, and report such information are reliable.
  • Resources and assets are acquired economically, used efficiently, and protected adequately.

History

  • Effective Oct. 4, 2013, by Board Resolution
  • Amended Aug. 2, 2017, by Board Resolution
  • Amended Oct. 4, 2018, by Board Resolution
  • Amended June 10, 2022, by Board Resolution
  • Amended June 9, 2023, by Board Resolution
  • Amended June 7, 2024, by Board Resolution