UCA Office of Internal Audit Charter

Mission Statement

The Office of Internal Audit (OIA) is an independent organization within the University of Central Arkansas whose purpose is to provide independent, objective assurance and consulting services designed to add value and improve the University’s operations.  The mission of the OIA is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.  The OIA helps the University accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.

Standards for the Professional Practice of Internal Auditing

The OIA will govern itself by adherence to the mandatory elements of The Institute of Internal Auditors’ (IIA) International Professional Practices Framework, including the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing (Standards), and the Definition of Internal Auditing.  The Director of Internal Audit (Director) will report periodically to senior management and the University of Central Arkansas Audit and Finance Committee regarding the Office of Internal Audit’s conformance to the Code of Ethics and the Standards.

Authority

The OIA reports directly to the University of Central Arkansas Audit and Finance Committee (Committee) per Board Policy 213, as amended on May 30, 2014.  The Director of Internal Audit will administratively report to General Counsel for day-to-day operations (i.e., leave approval, requisition approval, etc.).  To establish, maintain, and assure that the OIA has sufficient authority to fulfill its duties, the Committee will:

  • Approve the OIA’s Charter.
  • Approve the risk-based internal audit plan.
  • Approve the OIA’s budget and resource plan.
  • Receive communications from the Director on the OIA’s performance relative to its plan and other matters.
  • Approve decisions regarding the appointment and removal of the Director.
  • Approve the remuneration of the Director.
  • Make appropriate inquiries of management and the OIA Director to determine whether there is inappropriate scope or resource limitations.

The OIA Director will have unrestricted access to, and communicate and interact directly with the Committee.  The Committee authorizes the employees of the Office of Internal Audit to:

  • Have full, free, and unrestricted access to all functions, records, property, and personnel pertinent to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information;
  • Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques required to accomplish audit objectives, and issue reports; and
  • Obtain assistance from the necessary personnel of the University, as well as other specialized services from within or outside the University, in order to complete the engagement.

Independence and Objectivity

The Director will ensure that the OIA remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and report content.  If the Director determines that independence or objectivity may be impaired in fact or appearance, the details of impairment will be disclosed to appropriate parties.

Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.

Internal auditors will have no direct operational responsibility or authority over any of the activities audited.  Accordingly, internal auditors will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgment, including:

  • Assessing specific operations for which they had responsibility within the previous year;
  • Performing any operational duties for the University;
  • Initiating or approving transactions external to the OIA; or
  • Directing the activities of any University employee not employed by the OIA, except to the extent that such employees have been appropriately assigned to auditing teams or to otherwise assist internal auditors.

Where the OIA Director has or is expected to have roles and/or responsibilities that fall outside internal auditing, safeguards will be established to limit impairments to independence and objectivity.

Internal auditors will:

  • Disclose any impairment of independence or objectivity, in fact or appearance, to appropriate parties.
  • Exhibit professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.
  • Make balanced assessments of all available and relevant facts and circumstances.
  • Take necessary precautions to avoid being unduly influenced by their own interests or by others in forming judgments.

The OIA Director will confirm to the Committee, at least annually, the organizational independence of the OIA.

The OIA Director will disclose to the Committee any interference and related implications in determining the scope of internal auditing, performing work, and/or communicating results.

Nature and Scope of Internal Audit Activities

The OIA performs assurance and consulting services.  Assurance services involve the internal auditor’s objective assessment of evidence to provide an independent opinion or conclusions regarding an entity, operation, function, process, system, or other subject matter.  The nature and scope of the assurance engagement are determined by the internal auditor.  Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client.  The nature and scope of the consulting engagement are subject to agreement with the engagement client.

The scope of internal audit activities will encompass, but is not limited to,  objective examinations of evidence for the purpose of providing independent assessments to the Committee, management, and outside parties on  the adequacy and effectiveness of governance, risk management, and control processes for the University. Internal audit assessments include evaluating whether:

  • Risks relating to the achievement of the University’s strategic objectives are appropriately identified and managed.
  • The action of the University’s officers, directors, employees, and contractors comply with the University’s policies, procedures, and applicable laws, regulations, and governance standards.
  • The results of operations or programs are consistent with established goals and objectives.
  • Operations or programs are being carried out effectively and efficiently.
  • Established processes and systems enable compliance with the policies, procedures, laws, and regulations that could significantly impact the University.
  • Information and the means used to identify, measure, analyze, classify, and report such information are reliable and have integrity.
  • Resources and assets are acquired economically, used efficiently, and protected adequately.

The OIA Director will report periodically to senior management and the Committee regarding:

  • The OIA’s purpose, authority, and responsibility.
  • The OIA’s plan and performance relative to its plan.
  • The OIA’s conformance with IIA’s Code of Ethics and Standards, and action plans to address to address any significant conformance issues.
  • Significant risk exposures and control issues, including fraud risks, governance issues, and other matters requiring the attention of, or requested by, the Committee.
  • Results of audit engagements or other activities.
  • Resource requirements.
  • Any response to risk by management that may be unacceptable to the University.

The OIA Director also coordinates activities, where possible, and considers relying upon the work of other internal and external assurance and consulting service providers as needed.

Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during engagements.  These opportunities will be communicated to the appropriate level of management.

Responsibility

The OIA Director has the responsibility to:

  • Submit, at least annually, to senior management and the Committee a risk-based internal audit plan for review and approval.
  • Communicate to senior management and the Committee the impact of resource limitations on the internal audit plan.
  • Review and adjust the internal audit plan, as necessary, in response to changes in the University’s business risks, operations, programs, systems, and controls.
  • Communicate to senior management and the Committee any significant changes to the internal audit plan.
  • Ensure each engagement of the internal audit plan is executed, including the establishment of objectives and scope, the assignment of appropriate and adequately supervised resources, the documentation of work programs and testing results, and the communication of engagement results with applicable conclusions and recommendations to appropriate parties.
  • Follow up on engagement findings and corrective actions, and report periodically to senior management and the Committee any corrective actions not effectively implemented.
  • Ensure the principles of integrity, objectivity, confidentiality, and competency are applied and upheld.
  • Ensure the OIA collectively possesses or obtains the knowledge, skills, and other competencies needed to meet the requirements of the Internal Audit Charter.
  • Ensure trends and emerging issues that could impact the University are considered and communicated to senior management and the Committee as appropriate.
  • Ensure emerging trends and successful practices in internal auditing are considered.
  • Establish and ensure adherence to the University’s relevant policies and procedures, unless such policies and procedures conflict with the internal audit charter. Any such conflicts will be resolved or otherwise communicated to senior management and the Committee.
  • Ensure conformance of the OIA with the Standards, with the following qualifications:
    • If the OIA is prohibited by law or regulation from conformance with certain parts of the Standards, the OIA Director will ensure appropriate disclosures and will ensure conformance with all other parts of the Standards.
    • If the Standards are used in conjunction with requirements issued by other authoritative guidance (e., Government Accountability Office (GAO) ISACA, etc.), the OIA Director will ensure that the OIA also conforms with the more restrictive requirements.

Quality Assurance and Improvement Program

The OIA will maintain a quality assurance and improvement program that covers all aspects of the OIA.  The program will include an evaluation of the OIA’s conformance with the Standards and an evaluation of whether internal auditors apply the IIA’s Code of Ethics.  The program will also assess the efficiency and effectiveness of the OIA and identify opportunities for improvement.

The OIA Director will communicate to senior management and the Committee on the internal audit’s quality assurance and improvement program, including the results of internal assessments (both ongoing and periodic) and external assessments conducted at least once every five years by a qualified, independent assessor or assessment team from outside the University.

 

Approved: May 25, 2023