Charters

The Audit Committee (Committee) of the Regents of the University of Colorado (Board) is a standing committee. The Committee’s primary purpose is to assist the Board in fulfilling its oversight responsibilities for (1) the integrity of the university’s financial statements, (2) the adequacy of the university’s internal control structure, (3) identifying significant risks or exposures facing the university, and (4) the qualifications, independence, and performance of the university’s internal and external auditors.

The Committee’s authority to investigate or conduct reviews of any matter within its scope of responsibility is granted by the Regent Policy 2.C.5 Audit Committee. Without limitation, it is specifically empowered to:

• Oversee the university Department of Internal Audit (Internal Audit), which reports directly to the Committee.
• Oversee the work of the independent registered public accounting firm (External Auditor) contracted by the Colorado Office of the State Auditor to conduct the university’s annual financial and compliance audit (“Single Audit”). In addition to reporting directly to the Colorado Office of the State Auditor, this firm will report regularly to the Committee.
• In consultation with the president, resolve any disagreements between management and the External Auditor regarding financial reporting.
• Delegate authority to university officials, including the authority to pre-approve permitted non-audit services performed by university’s External Auditor, provided that such decisions are presented to the full Committee at its next scheduled meeting.
• To the extent the External Auditor provides any non-audit services, determine that it has considered and documented consideration of how providing these non-audit services complies with the requirements that the External Auditor (1) does not provide services that involve performing management functions or making management decisions, and (2) does not audit their own work, as stipulated in Government Auditing Standards.
• Direct university officers to select, retain or terminate, and compensate legal, accounting, auditing, and other experts it deems necessary in the performance of its duties, including in connection with any investigation undertaken by the Committee, on such terms and conditions as the Committee shall determine and at the university’s expense.
• Seek any information it requires for carrying out its responsibilities from external parties or from employees, all of whom are directed to cooperate with the Committee's requests.
• Meet with university officers, external auditors, or legal counsel, as necessary and in accordance with the requirements of the Colorado Revised Statues 24-6-401 and 402.
• Forward to the Board for consideration or action recommendations to provide direction to the president regarding financial reporting, compliance, and institutional risks.
• In consultation with the Board, request an audit or investigation to be conducted by Internal Audit. Such requests shall be carried out by Internal Audit in accordance with the Global Internal Audit Standards.

The Committee composition shall follow Regent Policy 2.C.1 Committee Governing Principles. In making appointments, the chair of the Board should consider continuity of experience on the Committee.

Each Committee member will be both independent and literate in financial and risk matters of higher education institutions comparable to the university, or shall acquire such literacy within a reasonable period of time following appointment. “Independent” means having the freedom from conditions that threaten the ability of an individual to carry out their responsibilities as a Committee member in an unbiased matter. “Financially literate” is the possession of the set of skills and knowledge that allow an individual to make informed and effective decisions, including the ability to read and understand the university’s financial statements. “Risk literate” means an ability to understand and evaluate the risk environment (e.g., compliance, ethical conduct, data privacy, cybersecurity) in which the organization operates in order to facilitate skilled and informed decision making. In addition, the Committee shall, on a continuous basis, consider whether to secure the services of a financial expert or other independent expert necessary to provide advice in fulfillment of Committee duties. “Financial expert” means a person possessing accounting or financial management expertise or relevant experience in evaluating financial statements comparable to the university’s. Service on the Committee shall not preclude service on any other Regent committee.

The Committee will meet at least quarterly and may convene additional meetings, as circumstances require, as called by the Committee chair or upon request of two Committee members. All Committee members are expected to attend each meeting, in person, telephonically, or via videoconference. To the extent permitted by law, the Committee may conduct executive sessions. Meeting agendas will be prepared and provided in advance to members, along with appropriate briefing materials. In addition to scheduled meetings of the full Committee, the Committee chair will meet with the associate vice president of Internal Audit quarterly, or more frequently as needed.

The Committee shall carry out the below described responsibilities and duties with respect to its areas of oversight. While the Committee will review and assess the university’s financial statements, university management is responsible for planning, preparing, and certifying the university financial statements, and determining that such financial statements are complete and accurate in accordance with generally accepted accounting principles, and applicable laws and regulations. Management is responsible for maintaining appropriate accounting policies, practices, and estimates, financial reporting principles, internal control over financial reporting, disclosure controls and procedures, and procedures designated to assure compliance with accounting standards and applicable laws and regulations. The External Auditor, appointed by the Colorado Office of the State Auditor, is responsible for planning and performing audits and reviews of the university’s financial statements and shall report directly to the Colorado Office of the State Auditor, with regular communication with the Committee.

Each Committee member shall be entitled to rely, to the maximum extent permitted under applicable law, on (1) the integrity of persons and organizations within and outside the university from which the Committee receives information, opinions, reports or statements, (2) the information, opinions, reports or statements presented to the Committee by any such persons or organizations, and (3) the accuracy of the financial and other information provided to the Committee by such persons and organizations.

The Committee shall carry out the following oversight responsibilities:

Financial Statements

• Inquire of the president and the chief financial officer regarding the fiscal health of the university, as well as the completeness and accuracy of financial reporting.
• Review significant accounting and reporting issues and understand their impact on the financial statements.
• Review legal matters and matters of compliance with federal, state, and local laws and regulations that may have a material impact on the financial statements or the reputation of the university.
• Review with management and the External Auditor the university’s annual financial report, related audit reports, and other audit-related matters.

​Internal Control and Compliance

• Oversee processes and procedures (1) whereby employees may confidentially and anonymously report concerns or complaints regarding fiscal misconduct, legal or policy violations, or ethical matters without fear of retaliation, and (2) for the receipt, retention, and handling of concerns or complaints received by the university regarding fiscal misconduct or ethical matters. The Committee shall review periodically, with management and Internal Audit as appropriate, these procedures and any significant concerns or complaints received.
• Inquire of management, the associate vice president of Internal Audit, and the External Auditor about significant risks or exposures facing the university and advise the Board of such risks or exposures.
• Review with management the effectiveness of the university’s internal controls, including those related to risk assessment, risk management, compliance, and financial reporting.

Internal Audit

• Establish and periodically review the Internal Audit mandate documented in the Internal Audit charter that specifies the authority, role, responsibilities, and the scope and types of internal audit services. Champion the university’s Internal Audit to enable it to fulfill its purpose and pursue its strategy and objectives.
• Review and notify the Board of Regents of the plans, activities, results, staffing, organizational structure, and budget of the Internal Audit function, and evaluate its effectiveness and compliance with the mandatory elements of the Global Internal Audit Standards.
• Ensure there are no unjustified restrictions or limitations on the Internal Audit function, including direct access of the associate vice president of Internal Audit to the Committee. Work with university’s management to enable Internal Audit’s unrestricted access to the data, records, information, personnel, and physical properties necessary to fulfill the Internal Audit mandate.
• Review and make recommendations to the Board on the appointment, replacement, reassignment or dismissal, and compensation of the university’s associate vice president of Internal Audit.
• Support the associate vice president of Internal Audit in carrying out the Internal Audit mandate and responsibilities described in the Internal Audit charter through regular, direct communications. Oversee and evaluate the performance of the associate vice president of Internal Audit.
• Review and approve of the Internal Audit charter annually, or more frequently as needed.
• Review with the associate vice president of Internal Audit the function’s strategic plan, annual internal audit plan, deviations from the original plan, results of completed audits, status of outstanding audit recommendations and any restrictions on the scope of work or access to required information.

External Audit

• Review and notify the Board of the External Auditor’s proposed audit scope, approach and findings.
• Review the qualifications, independence and performance of the External Auditor, and provide feedback to the Colorado Office of the State Auditor on their performance, including recommendations on the hiring or termination of the external auditors.
• Meet separately with External Auditor to discuss any matters that the Committee or auditors believe should be discussed privately, as permitted by law.

Reporting

• Regularly report to the Board about Committee activities and issues that arise with respect to the university’s financial statements, compliance, risk assessment and risk management processes, and audit functions.
• Review any other reports the university issues that relate to Committee responsibilities.

Other

• Perform other activities related to this charter as requested by the Board.
• Confirm annually that all responsibilities described in this charter and related implementing guidance have been carried out.
• Annually review and assess the adequacy of this charter. Submit any recommended revisions of the charter to the Board for approval.
• Annually review and assess the adequacy of the Committee Work Plan. Carry out the responsibilities as outlined in the Work Plan.

The purpose of the University of Colorado (CU or university) Department of Internal Audit (Internal Audit or department) is to strengthen the university’s ability to create, protect, and sustain value by providing the Board of Regents (Board) and university management with independent, risk-based, and objective assurance, advice, insight, and foresight. Internal Audit will carry out its mandate by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of governance, risk management, and control processes across the university system.

Through its body of work, Internal Audit will strive to enhance CU’s:

• successful achievement of objectives;
• governance, risk management, and control processes;
• decision-making and oversight;
• reputation and credibility with its stakeholders; and
• ability to serve the public interest.

Internal Audit will govern itself and conduct its internal audit activities in accordance with the mandatory elements of the Institute of Internal Auditors' (IIA) International Professional Practices Framework (IPPF), including the Global Internal Audit Standards, Topical Requirements, and Global Guidance. Internal Audit will conduct its investigations in accordance with the leading practices established by the Association of Certified Fraud Examiners (ACFE). Additionally, Internal Audit will comply with the university’s policies and standards of conduct.

The associate vice president of Internal Audit shall serve as the chief audit executive (CAE) and report functionally to the Audit Committee of the Board and administratively to the vice president, university counsel and secretary of the Board. To establish, maintain, and assure Internal Audit has sufficient authority to fulfill its duties, the Audit Committee shall carry out the duties and responsibilities described in Regent Policy 2.C.5 Audit Committee and the Audit Committee Charter.

The CAE shall have unrestricted access to, and communicate and interact directly with, the Audit Committee, including in private meetings, as permitted by law.

Internal Audit coverage is university-wide, and all units and activities of the university are included in the department’s scope. No officer, administrator, faculty, or staff member may interfere with or prohibit internal auditors from examining any relevant, non-privileged university records or interviewing any employee, student, or other individual whom the auditors believe necessary to properly conduct an engagement.

The CAE and Internal Audit personnel shall, except when otherwise authorized by the Board or the Audit Committee:

• Have full and unrestricted access to any of the university’s and, to the extent provided to the university, the university’s affiliates’ records, physical properties, functions, and personnel relevant to university’s activities.
• Allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish engagement objectives.
• Obtain assistance from the necessary university personnel, as well as other specialized services from within or outside of CU, in order to complete the engagements.

Internal Audit findings and recommendations are provided to assist management in establishing and maintaining effective internal controls and efficient processes. The responsibility to execute specific actions remains with management. Opportunities for improving university operations may be identified during engagements. These will be communicated to the appropriate level of management for consideration.

The CAE shall ensure that Internal Audit personnel remains free from all conditions that threaten their ability to carry out their responsibilities in an unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and report content. If the CAE determines that independence or objectivity may be impaired in fact or appearance, the details of impairment shall be disclosed to appropriate parties.

Internal Audit personnel shall:

• Maintain an unbiased mental attitude that allows them perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.
• Exhibit professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.
• Make balanced assessments of all available and relevant facts and circumstances.
• Take necessary precautions to avoid being unduly influenced by their own interests or by others in forming judgments.

The CAE and Internal Audit personnel shall have no direct operational responsibility or authority over any of the activities audited, and specifically will not:

• Perform any operational duties of the university or its affiliates.
• Implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgment.
• Initiate or approve accounting transactions external to the department.
• Direct the activities of any university employee not employed by the department, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the internal auditors.
• Make management decisions or engage in any other activity that could be reasonably perceived to compromise their independence or impair their objectivity.

To provide for its independence and objectivity, Internal Audit personnel report to the CAE, who reports functionally to the Audit Committee and administratively to the vice president, university counsel and secretary of the Board. The CAE is appointed by the Board.

The CAE shall confirm to the Audit Committee, at least annually, the organizational independence of Internal Audit, including reporting relationships and responsibilities, potential impairments to independence or objectivity presented by additional roles, and safeguards that mitigate the risk of impairment to acceptable levels. The CAE shall disclose to the Audit Committee any interference and related implications in determining the scope of engagements, performing work, or communicating results.

The scope of Internal Audit work encompasses, but is not limited to, objective examinations of evidence for the purpose of providing independent assessments to the Audit Committee, university management, and outside parties on the adequacy and effectiveness of governance, risk management, and control processes, as designed and represented by CU. Specifically, Internal Audit will determine whether university processes are adequate and functioning in a manner to help reasonably ensure:

• Risks relating to the achievement of university’s strategic objectives are appropriately identified and managed.
• Interaction with various university governance groups occurs as needed.
• Significant financial, managerial, and operating information is available, accurate, reliable, and timely.
• Employees’ actions and university operations comply with policies, standards, procedures, contractual obligations, and applicable laws and regulations.
• Resources are acquired and used in a reasonably economical and efficient manner and are adequately protected.
• Programs, plans, and objectives are achieved.
• Information and the means used to identify, measure, analyze, classify, and report such information are reliable and have integrity.
• Quality and continuous improvement are fostered in the university’s control processes.
• Significant legislative or regulatory issues impacting the university are timely recognized and addressed appropriately.

The CAE also coordinates activities, where possible, and considers relying upon the work of other internal and external assurance and consulting service providers as needed. Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during engagements and will be communicated to the appropriate level of management.

Internal Audit engagements are categorized as follows:

Assurance Services

Assurance services performed by internal auditors include objective assessments of evidence to provide opinions or conclusions regarding an entity, operation, function, process, system, or other subject matters. These engagements are also referred to as “audits” and follow the Global Internal Audit Standards. The nature and scope of an audit is determined by the internal auditors assigned to the engagement and approved by the CAE. A formal report is typically generated for assurance engagements and results and recommendations are disclosed to management and the Audit Committee. Assurance engagement conclusions must include the internal auditors’ judgment regarding the effectiveness of the governance, risk management, and control processes of the activity under review, including an acknowledgement of when processes are effective. The engagement conclusion must summarize the internal auditors’ professional judgment about the overall significance of the aggregated engagement findings.

Advisory Services

Advisory services performed by internal auditors are intended to offer advice to university stakeholders without providing assurance or taking on management responsibilities. The nature and scope of advisory services are subject to agreement with relevant stakeholders. These engagements follow the Global Internal Audit Standards. Results and recommendations are shared with management through an agreed-upon medium. If significant governance, risk, or control issues are identified, results and recommendations are also disclosed to the Audit Committee.

 Investigations

In accordance with Regent Policy 13.E Fiscal Misconduct and the Administrative Policy Statement 4012 Fiscal Misconduct Reporting, Internal Audit has the primary responsibility for coordinating the initial assessment, investigation, and internal reporting of known or suspected fiscal misconduct at the university. Investigations will follow the leading practices established by the ACFE. Internal Audit will notify management, the Audit Committee, the Board and other authorities, as appropriate, of its activities and outcomes of the investigations. Internal Audit may also serve as a resource for investigations conducted by authorities external to the university.

Other Engagements

Internal Audit may engage in both formal and informal opportunities to educate and inform the university community about various topics, such as risk management, internal controls, and emerging regulatory and compliance requirements. The work from such engagements may or may not generate a formal work product. Internal Audit may assist external auditors or investigatory bodies by performing agreed-upon procedures. This work may or may not produce a stand-alone written memo or audit report.

The CAE is accountable to the Audit Committee and management to:

• Provide the Audit Committee and management with the information necessary to establish the Internal Audit mandate. Periodically assess whether changes in circumstances justify a discussion with the Audit Committee and senior management about the Internal Audit mandate and assess whether the authority, role, and responsibilities outlined in the Charter continue to enable Internal Audit to achieve its strategy and accomplish its objectives.
• Maintain a work environment where internal auditors demonstrate integrity, objectivity, and competency in their work and behavior as defined and required by the Global Internal Audit Standards, and apply due professional care in planning and performing Internal Audit services.
• Ensure department staff is familiar with and follows the relevant policies, procedures, laws, and regulations when using information provided or obtained while performing Internal Audit services.
• Develop, implement, and periodically review a department strategy that supports the university’s strategic objectives and success and aligns with the expectations of the Board, university senior management, and other key stakeholders.
• Establish methodologies to guide Internal Audit in a systematic and disciplined manner to implement the strategy, develop the Internal Audit plan, and conform with the Global Internal Audit Standards.
• Evaluate the effectiveness of the methodologies and update them as necessary to improve the department’s performance and respond to significant changes that affect Internal Audit.
• Establish and implement methodologies to promote accurate, objective, clear, concise, constructive, complete, and timely communications.
• Provide internal auditors with training on the developed audit and communication methodologies.
• Keep the Audit Committee informed of the Internal Audit policies, procedures, and practices for conducting engagements, as well as emerging trends and successful practices in internal auditing.
• Recruit, develop, and retain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this Charter and provide information on the sufficiency of department human resources. Evaluate the competencies of individual internal auditors and encourage professional development. Collaborate with internal auditors to help them develop their individual competencies through training, supervisory feedback, and mentoring.
• Develop a flexible audit plan that supports the achievement of the CU objectives using an appropriate risk-based methodology, including any risks or control concerns identified by management, and submit that plan to the Audit Committee for review and approval at least annually. Review and revise the plan as necessary and communicate the changes timely.
• Effectively deploy resources in a way that optimizes the achievement of the approved Internal Audit strategy, plan, mandate, and any special tasks, projects, or engagements, as suggested by management or the Audit Committee and deemed appropriate by the CAE.
• Develop a budget that enables the successful implementation of the Internal Audit strategy and achievement of the plan. Include in the budget the resources necessary for the department’s operation, including training and acquisition of technology and tools. Manage the daily activities of the department effectively and efficiently, in alignment with the budget. Communicate promptly the impact of insufficient financial resources.
• Ensure that Internal Audit has technology to support department processes and services. Regularly evaluate the technology used and pursue opportunities to improve effectiveness and efficiency. When implementing new technology, provide appropriate training for the staff and collaborate with University Information Services to deploy the resources properly. Communicate the impact of technology limitations on the effectiveness or efficiency of Internal Audit processes.
• Coordinate with other assurance, control, and monitoring functions (e.g. risk management, compliance, police, legal, environmental, external audit).
• Develop an approach for Internal Audit to build relationships and trust with key stakeholders, including the Board, university management, regulators, internal and external assurance providers, and other consultants.
• Engage, and ensure appropriate supervision of university personnel or external subject matter experts to successfully complete the approved audit plan or provide technical expertise, where such expertise is not present on the Internal Audit team.
• Consider the scope of work of the external auditors and regulatory agency reviewers, as appropriate, for the purpose of providing optimal audit coverage to the university at a reasonable overall cost.
• Establish a list of significant departmental objectives, performance measurement methodology to assess progress toward achieving the objectives, assess Internal Audit performance, and report results to the Audit Committee.
• Communicate timely insights, advice, conclusions, and themes related to the university’s governance, risk management, and control processes.
• Report significant issues related to the processes for controlling the activities of and managing risks to the university and its affiliates, including potential improvements to those processes, and provide information concerning such issues through resolution.
• Establish and maintain a quality assurance and improvement program (QAIP) by which the CAE assures the effective operation of internal auditing activities. The program will include an evaluation of the Internal Audit’s conformance with the Global Internal Audit Standards and an evaluation of whether internal auditors apply The IIA Code of Ethics. The program will also assess the efficiency and effectiveness of Internal Audit and identify opportunities for improvement. The CAE shall promote the continuous improvement of the Internal Audit processes, and will communicate on the Internal Audit QAIP, including the results of internal assessments (both ongoing and periodic) and external assessments conducted at least once every five years by a qualified, independent assessor or assessment team from outside the university.
• Monitor the implementation of the agreed-upon management action plans and control improvements to ensure the improvements are adequate, effective, and timely, and report periodically to senior management and the Audit Committee any actions not effectively implemented.
• Promote formal and informal communication between Internal Audit and stakeholders, contributing to the mutual understanding of CU interests and concerns; approaches for identifying and managing risks and providing assurance; roles and responsibilities of relevant parties and opportunities for collaboration; relevant regulatory requirements; and significant organizational processes, including financial reporting.
• Manage the CU EthicsLine, established to receive and respond to ethics and compliance reports, and assess reports received for appropriate follow-up by designated Internal Audit, university system or campus personnel.
• Review the Internal Audit Charter annually for continued sufficiency, applicability, and relevance based on the mandatory elements of the IIA IPPF, the ACFE leading practices, and the Internal Audit mandate, purpose, authority, and responsibility. Advise the Audit Committee on updates that it should consider to the Internal Audit Charter.