Chapter 05.03 - Audit and Compliance Services
REGENTS’ POLICY
PART V – FINANCE AND BUSINESS MANAGEMENT
Chapter 05.03 - Audit and Compliance Services
P05.03.010. Purpose of P05.03.010 - 05.03-030
By adopting P05.03.010 - 05.03.030, the board establishes the general authority and responsibilities of the university's office of audit and compliance services. (02-24-23)
P05.03.012. Introduction and Mission.
- The Institute of Internal Auditors defines internal auditing as an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of internal control, institutional compliance, risk management, and governance processes. It is established within the university to examine and evaluate its activities to meet the needs of the board and executive management. Internal audits may include financial, performance, operational and compliance audits.
- The mission of the office of audit and compliance services is to assist the board and management in the effective discharge of their fiduciary, compliance oversight, and administrative responsibilities by providing analysis, appraisals, counsel, information and recommendations concerning activities reviewed and by promoting effective controls for the recording and reporting of operational activities and for the custody and safeguarding of assets, and for addressing significant federal and state laws, regulations, university policy and other requirements impacting the university. (02-24-23)
P05.03.014. Role.
A. The office of audit and compliance services is established by the Board of Regents, and its responsibilities are defined by the Audit and Finance Committee of the Board of Regents as part of their oversight function.
B. Chancellors have the primary responsibility for ensuring the compliance of their respective university to achieve the highest level of compliance with applicable ethical, legal, regulatory and system standards and requirements by faculty, staff and students in the system and promoting an organizational culture that encourages ethical conduct and a commitment to compliance with such standards and requirements.
C. The president, as chief executive officer of the Â鶹´«Ã½, is responsible for ensuring the design, implementation, and enforcement of an effective compliance and ethics program for the Â鶹´«Ã½ system and will ensure system support, coordination and oversight among the universities in implementing this chapter. (02-24-23)
P05.03.016. Professional Standards.
A. The office of audit and compliance services will govern itself by adherence to the Institute of Internal Auditors’ (IIA) mandatory guidance including the Definition of Internal Auditing, the Code of Ethics and the Core Principles and International Standards for the Professional Practice of Internal Auditing. This mandatory guidance provides fundamental principles for the professional practice of internal auditing and for performance evaluation.
B. The IIA’s Implementation Guidance and Practice Guides will also be adhered to as applicable to guide operations. In addition, the department will adhere to the Governmental Auditing Standards published by the Comptroller General of the United States, university policies and procedures, and the departmental procedures manual.
C. The university’s institutional compliance program will strive to implement the best practices of effective compliance programs as guided by the Federal Requirements of an Effective Compliance and Ethics Program (§8B2.1.). (02-24-23)
P05.03.018. Authority.
- The chief audit executive and staff of the office of audit and compliance services shall have full, free, and unrestricted access to all university operations, information, records, either manual or electronic, property, and personnel as may be required for the efficient conduct of their audit responsibilities. All employees are directed to assist the office of audit and compliance services staff in fulfilling their role and responsibilities.
- The institutional compliance program shall be headed by a senior compliance professional that will develop the infrastructure for the effective operation of the institutional compliance program. This role is a fundamental part of the management structure of the Â鶹´«Ã½ in developing and maintaining a compliance program to assist the universities in complying with federal, state and local rules and regulations.
- All documents and information provided to the audit and compliance staff shall be handled in the same prudent manner as expected of those who are normally accountable for them.
- The chief audit executive shall have free and unrestricted access to the chair of the Audit and Finance Committee and the chair of the board. (02-24-23)
P05.03.020. Organization.
- The chief audit executive shall report administratively to the chief finance officer and functionally to the chair of the Audit and Finance Committee. The chief finance officer shall appoint and may remove the chief audit executive with the advice and consent of the Audit and Finance Committee.
- The chief audit executive shall report any matters which in the chief audit executive’s sole opinion warrant direct attention or action by the board to the chair of the Audit Committee and to management any matters that warrant direct attention or action by management.
- The chief finance officer shall supervise the chief audit executive except for matters relating to the establishment of the scope of audit activities and the reporting of audit findings and recommendations.
- The senior compliance professional reports to the chief audit executive, and through that position, indirectly to the Audit and Finance Committee.
- Senior management may request special audits by the department in order to meet the its responsibilities. Special request audits will be discussed with the chair of the Audit and Finance Committee prior to acceptance by the chief audit executive.
- Senior management shall be responsible for and have the authority to require the implementation of recommendations or other resolution of audit findings. (02-24-23)
P05.03.022. Independence.
- All activities conducted by the office of audit and compliance services shall remain free of influence by other elements of the university, including matters of audit selection, scope, procedures, frequency, timing, or report content, to permit maintenance of an independent and objective mental attitude necessary in rendering reports.
- All staff of the office of audit and compliance services have the independence necessary to be able to carry out duties effectively and without fear of retaliation.
- Internal auditors shall have no direct operational responsibility or authority over any of the activities they review. Accordingly, they shall not develop nor install systems or procedures, prepare records, or engage in any other activity which would normally be audited. (02-24-23)
P05.03.024. Audit and Compliance Scope.
- The scope of internal auditing encompasses the examination and evaluation of the adequacy
and effectiveness of the university’s governance, risk management process, system
of internal controls, and the quality of performance in carrying out assigned responsibilities.
This scope includes:
- Reviewing the reliability and integrity of financial and operational information and the means used to identify, measure, classify and report such information;
- Monitoring compliance with the policies, plans, procedures, laws and regulations that have an impact on university operations;
- Reviewing the means of safeguarding assets and verifying their existence when appropriate;
- Appraising the economy and efficiency with which resources are employed;
- Reviewing financial and operational activities and programs to determine if results are consistent with established goals, objectives and authorized plans;
- Reviewing specific operations at the request of the Audit and Finance Committee or management, as appropriate;
- Monitoring and evaluating the effectiveness of the university’s risk management processes;
- Serving as liaison for coordination of all external audit activities. The chief finance officer and the administrative vice chancellors are responsible for notifying the chief audit executive of all external audit engagements scheduled or taking place at their respective university. The chief audit executive shall have the discretion to determine the authority of the external auditors to conduct the audit, advise the auditor and auditees on the conduct of the audit, facilitate the audit if the chief audit executive considers it appropriate, and report on the status of the audit to the Audit and Finance Committee;
- Assisting in fraud and theft assessment at the request of legal counsel and senior management. The chief audit executive shall provide support for such reviews under the direction of legal counsel; and
- Providing staff guidance to university staff and managers on matters relating to audits and internal control functions.
B. The scope of institutional compliance is to enhance a culture within the university that promotes prevention, detection, and resolution of instances of noncompliance with federal and state laws, regulations, the university policy and other requirements. This scope includes to:
1. Collaborate with distributed compliance partners and management to support the compliance and ethics culture;
2. Educate and inform university staff and management of the importance of ethics and compliance processes and procedures;
3. Serve as a source of compliance information for staff, management and the internal auditors;
4. Maintain a process for disseminating information and guidance on applicable
federal and state laws, regulations, the university
policy and other requirements;
5. Monitor the process utilized by departments and distributed compliance
partners to document compliance with the policies, plans,
procedures, laws and regulations that have an impact on university
operations;
6. Assess and respond to allegations of noncompliance by engaging with
the Office of General Counsel or other university leadership
to conduct reviews of reported issues, and
7. Address significant federal and state laws, regulations, the university policy and other requirement issues. (02-24-23)
P05.03.026. Audit and Compliance Planning.
- The chief audit executive shall independently develop the annual audit plan using a risk based prioritization of the audit universe.
- The chief audit executive shall present the audit plan to the Audit and Finance Committee for review and approval.
- Significant deviations from the formally approved plan will be communicated to senior management and the Audit and Finance Committee through periodic status reports.
- The senior compliance professional shall develop and implement a risk-based work plan that addresses the highest priority compliance areas. (02-24-23)
P05.03.028. Reporting.
- The chief audit executive shall provide a written report on the status of all internal and external audit and institutional compliance activities to the Audit and Finance Committee quarterly.
- Formal audit reports shall be issued to the senior managers who will be responsible for the implementation of recommendations or other resolution of audit findings. Copies of all formal audit reports, including management's response, will be provided to the chief finance officer, general counsel, president, and the Audit and Finance Committee before the next scheduled committee meeting.
- Recommendations for improvement or correction shall be reported to the appropriate individuals or management staff.
- Institutional compliance will periodically provide reports to the Audit and Finance Committee.
- The chief audit executive shall be responsible for appropriate follow-up on audit findings and recommendations. All significant findings will remain in an open status until cleared or waived by the chief audit executive. (02-24-23)
P05.03.030. Periodic Assessment
This policy is intended to be consistent with the charter recommended by the Institute of Internal Auditors and periodically shall be assessed to determine if the purpose, authority, and responsibility, as defined in this policy, continue to be adequate to enable the office of audit and compliance services to accomplish its objectives. The result of the periodic assessment shall be communicated to senior management and the board. (02-24-23)