PURPOSE

The purpose of the University of Colorado (CU or university) Department of Internal Audit (Internal Audit or department) is to strengthen the university’s ability to create, protect, and sustain value by providing the Board of Regents (Board) and university management with independent, risk-based, and objective assurance, advice, insight, and foresight. Internal Audit will carry out its mandate by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of governance, risk management, and control processes across the university system.

Through its body of work, Internal Audit will strive to enhance CU’s:

  • successful achievement of objectives;
  • governance, risk management, and control processes;
  • decision-making and oversight;
  • reputation and credibility with its stakeholders; and
  • ability to serve the public interest.

STANDARDS OF PRACTICE

Internal Audit will govern itself and conduct its internal audit activities in accordance with the mandatory elements of the Institute of Internal Auditors' (IIA) International Professional Practices Framework (IPPF), including the Global Internal Audit Standards, Topical Requirements, and Global Guidance. Internal Audit will conduct its investigations in accordance with the leading practices established by the Association of Certified Fraud Examiners (ACFE). Additionally, Internal Audit will comply with the university’s policies and standards of conduct.

AUTHORITY

The associate vice president of Internal Audit shall serve as the chief audit executive (CAE) and report functionally to the Audit Committee of the Board and administratively to the vice president, university counsel and secretary of the Board. To establish, maintain, and assure Internal Audit has sufficient authority to fulfill its duties, the Audit Committee shall carry out the duties and responsibilities described in Regent Policy 2.C.5 Audit Committee and the Audit Committee Charter.

The CAE shall have unrestricted access to, and communicate and interact directly with, the Audit Committee, including in private meetings, as permitted by law.

Internal Audit coverage is university-wide, and all units and activities of the university are included in the department’s scope. No officer, administrator, faculty, or staff member may interfere with or prohibit internal auditors from examining any relevant, non-privileged university records or interviewing any employee, student, or other individual whom the auditors believe necessary to properly conduct an engagement.

The CAE and Internal Audit personnel shall, except when otherwise authorized by the Board or the Audit Committee:

  • Have full and unrestricted access to any of the university’s and, to the extent provided to the university, the university’s affiliates’ records, physical properties, functions, and personnel relevant to university’s activities.
  • Allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish engagement objectives.
  • Obtain assistance from the necessary university personnel, as well as other specialized services from within or outside of CU, in order to complete the engagements.

Internal Audit findings and recommendations are provided to assist management in establishing and maintaining effective internal controls and efficient processes. The responsibility to execute specific actions remains with management. Opportunities for improving university operations may be identified during engagements. These will be communicated to the appropriate level of management for consideration.

INDEPENDENCE AND OBJECTIVITY

The CAE shall ensure that Internal Audit personnel remains free from all conditions that threaten their ability to carry out their responsibilities in an unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and report content. If the CAE determines that independence or objectivity may be impaired in fact or appearance, the details of impairment shall be disclosed to appropriate parties.

Internal Audit personnel shall:

  • Maintain an unbiased mental attitude that allows them perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.
  • Exhibit professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.
  • Make balanced assessments of all available and relevant facts and circumstances.
  • Take necessary precautions to avoid being unduly influenced by their own interests or by others in forming judgments.

The CAE and Internal Audit personnel shall have no direct operational responsibility or authority over any of the activities audited, and specifically will not:

  • Perform any operational duties of the university or its affiliates.
  • Implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgment.
  • Initiate or approve accounting transactions external to the department.
  • Direct the activities of any university employee not employed by the department, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the internal auditors.
  • Make management decisions or engage in any other activity that could be reasonably perceived to compromise their independence or impair their objectivity.

To provide for its independence and objectivity, Internal Audit personnel report to the CAE, who reports functionally to the Audit Committee and administratively to the vice president, university counsel and secretary of the Board. The CAE is appointed by the Board.

The CAE shall confirm to the Audit Committee, at least annually, the organizational independence of Internal Audit, including reporting relationships and responsibilities, potential impairments to independence or objectivity presented by additional roles, and safeguards that mitigate the risk of impairment to acceptable levels. The CAE shall disclose to the Audit Committee any interference and related implications in determining the scope of engagements, performing work, or communicating results.

SCOPE OF INTERNAL AUDIT ACTIVITIES

The scope of Internal Audit work encompasses, but is not limited to, objective examinations of evidence for the purpose of providing independent assessments to the Audit Committee, university management, and outside parties on the adequacy and effectiveness of governance, risk management, and control processes, as designed and represented by CU. Specifically, Internal Audit will determine whether university processes are adequate and functioning in a manner to help reasonably ensure:

  • Risks relating to the achievement of university’s strategic objectives are appropriately identified and managed.
  • Interaction with various university governance groups occurs as needed.
  • Significant financial, managerial, and operating information is available, accurate, reliable, and timely.
  • Employees’ actions and university operations comply with policies, standards, procedures, contractual obligations, and applicable laws and regulations.
  • Resources are acquired and used in a reasonably economical and efficient manner and are adequately protected.
  • Programs, plans, and objectives are achieved.
  • Information and the means used to identify, measure, analyze, classify, and report such information are reliable and have integrity.
  • Quality and continuous improvement are fostered in the university’s control processes.
  • Significant legislative or regulatory issues impacting the university are timely recognized and addressed appropriately.

The CAE also coordinates activities, where possible, and considers relying upon the work of other internal and external assurance and consulting service providers as needed. Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during engagements and will be communicated to the appropriate level of management.

Internal Audit engagements are categorized as follows:

Assurance Services

Assurance services performed by internal auditors include objective assessments of evidence to provide opinions or conclusions regarding an entity, operation, function, process, system, or other subject matters. These engagements are also referred to as “audits” and follow the Global Internal Audit Standards. The nature and scope of an audit is determined by the internal auditors assigned to the engagement and approved by the CAE. A formal report is typically generated for assurance engagements and results and recommendations are disclosed to management and the Audit Committee. Assurance engagement conclusions must include the internal auditors’ judgment regarding the effectiveness of the governance, risk management, and control processes of the activity under review, including an acknowledgement of when processes are effective. The engagement conclusion must summarize the internal auditors’ professional judgment about the overall significance of the aggregated engagement findings.

Advisory Services

Advisory services performed by internal auditors are intended to offer advice to university stakeholders without providing assurance or taking on management responsibilities. The nature and scope of advisory services are subject to agreement with relevant stakeholders. These engagements follow the Global Internal Audit Standards. Results and recommendations are shared with management through an agreed-upon medium. If significant governance, risk, or control issues are identified, results and recommendations are also disclosed to the Audit Committee.

 Investigations

In accordance with Regent Policy 13.E Fiscal Misconduct and the Administrative Policy Statement 4012 Fiscal Misconduct Reporting, Internal Audit has the primary responsibility for coordinating the initial assessment, investigation, and internal reporting of known or suspected fiscal misconduct at the university. Investigations will follow the leading practices established by the ACFE. Internal Audit will notify management, the Audit Committee, the Board and other authorities, as appropriate, of its activities and outcomes of the investigations. Internal Audit may also serve as a resource for investigations conducted by authorities external to the university.

Other Engagements

Internal Audit may engage in both formal and informal opportunities to educate and inform the university community about various topics, such as risk management, internal controls, and emerging regulatory and compliance requirements. The work from such engagements may or may not generate a formal work product. Internal Audit may assist external auditors or investigatory bodies by performing agreed-upon procedures. This work may or may not produce a stand-alone written memo or audit report.

ACCOUNTABILITY AND RESPONSIBILITIES

The CAE is accountable to the Audit Committee and management to:

  • Provide the Audit Committee and management with the information necessary to establish the Internal Audit mandate. Periodically assess whether changes in circumstances justify a discussion with the Audit Committee and senior management about the Internal Audit mandate and assess whether the authority, role, and responsibilities outlined in the Charter continue to enable Internal Audit to achieve its strategy and accomplish its objectives.
  • Maintain a work environment where internal auditors demonstrate integrity, objectivity, and competency in their work and behavior as defined and required by the Global Internal Audit Standards, and apply due professional care in planning and performing Internal Audit services.
  • Ensure department staff is familiar with and follows the relevant policies, procedures, laws, and regulations when using information provided or obtained while performing Internal Audit services.
  • Develop, implement, and periodically review a department strategy that supports the university’s strategic objectives and success and aligns with the expectations of the Board, university senior management, and other key stakeholders.
  • Establish methodologies to guide Internal Audit in a systematic and disciplined manner to implement the strategy, develop the Internal Audit plan, and conform with the Global Internal Audit Standards.
  • Evaluate the effectiveness of the methodologies and update them as necessary to improve the department’s performance and respond to significant changes that affect Internal Audit.
  • Establish and implement methodologies to promote accurate, objective, clear, concise, constructive, complete, and timely communications.
  • Provide internal auditors with training on the developed audit and communication methodologies.
  • Keep the Audit Committee informed of the Internal Audit policies, procedures, and practices for conducting engagements, as well as emerging trends and successful practices in internal auditing.
  • Recruit, develop, and retain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this Charter and provide information on the sufficiency of department human resources. Evaluate the competencies of individual internal auditors and encourage professional development. Collaborate with internal auditors to help them develop their individual competencies through training, supervisory feedback, and mentoring.
  • Develop a flexible audit plan that supports the achievement of the CU objectives using an appropriate risk-based methodology, including any risks or control concerns identified by management, and submit that plan to the Audit Committee for review and approval at least annually. Review and revise the plan as necessary and communicate the changes timely.
  • Effectively deploy resources in a way that optimizes the achievement of the approved Internal Audit strategy, plan, mandate, and any special tasks, projects, or engagements, as suggested by management or the Audit Committee and deemed appropriate by the CAE.
  • Develop a budget that enables the successful implementation of the Internal Audit strategy and achievement of the plan. Include in the budget the resources necessary for the department’s operation, including training and acquisition of technology and tools. Manage the daily activities of the department effectively and efficiently, in alignment with the budget. Communicate promptly the impact of insufficient financial resources.
  • Ensure that Internal Audit has technology to support department processes and services. Regularly evaluate the technology used and pursue opportunities to improve effectiveness and efficiency. When implementing new technology, provide appropriate training for the staff and collaborate with University Information Services to deploy the resources properly. Communicate the impact of technology limitations on the effectiveness or efficiency of Internal Audit processes.
  • Coordinate with other assurance, control, and monitoring functions (e.g. risk management, compliance, police, legal, environmental, external audit).
  • Develop an approach for Internal Audit to build relationships and trust with key stakeholders, including the Board, university management, regulators, internal and external assurance providers, and other consultants.
  • Engage, and ensure appropriate supervision of university personnel or external subject matter experts to successfully complete the approved audit plan or provide technical expertise, where such expertise is not present on the Internal Audit team.
  • Consider the scope of work of the external auditors and regulatory agency reviewers, as appropriate, for the purpose of providing optimal audit coverage to the university at a reasonable overall cost.
  • Establish a list of significant departmental objectives, performance measurement methodology to assess progress toward achieving the objectives, assess Internal Audit performance, and report results to the Audit Committee.
  • Communicate timely insights, advice, conclusions, and themes related to the university’s governance, risk management, and control processes.
  • Report significant issues related to the processes for controlling the activities of and managing risks to the university and its affiliates, including potential improvements to those processes, and provide information concerning such issues through resolution.
  • Establish and maintain a quality assurance and improvement program (QAIP) by which the CAE assures the effective operation of internal auditing activities. The program will include an evaluation of the Internal Audit’s conformance with the Global Internal Audit Standards and an evaluation of whether internal auditors apply The IIA Code of Ethics. The program will also assess the efficiency and effectiveness of Internal Audit and identify opportunities for improvement. The CAE shall promote the continuous improvement of the Internal Audit processes, and will communicate on the Internal Audit QAIP, including the results of internal assessments (both ongoing and periodic) and external assessments conducted at least once every five years by a qualified, independent assessor or assessment team from outside the university.
  • Monitor the implementation of the agreed-upon management action plans and control improvements to ensure the improvements are adequate, effective, and timely, and report periodically to senior management and the Audit Committee any actions not effectively implemented.
  • Promote formal and informal communication between Internal Audit and stakeholders, contributing to the mutual understanding of CU interests and concerns; approaches for identifying and managing risks and providing assurance; roles and responsibilities of relevant parties and opportunities for collaboration; relevant regulatory requirements; and significant organizational processes, including financial reporting.
  • Manage the CU EthicsLine, established to receive and respond to ethics and compliance reports, and assess reports received for appropriate follow-up by designated Internal Audit, university system or campus personnel.
  • Review the Internal Audit Charter annually for continued sufficiency, applicability, and relevance based on the mandatory elements of the IIA IPPF, the ACFE leading practices, and the Internal Audit mandate, purpose, authority, and responsibility. Advise the Audit Committee on updates that it should consider to the Internal Audit Charter.

As adopted by the Board of Regents November 2, 2006; revised June 3, 2015; March 7, 2018; June 9, 2021; March 13, 2024.