Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Mission and Scope of Work
The mission of the Office of Internal Audit is to provide independent, objective assurance and consulting services, using a risk-based approach, to add value and improve the operations of the University of Florida and its affiliated organizations, including its direct support organizations and Faculty Practice Plan corporations. The OIA will serve as a central point for coordination of and oversight for activities that promote accountability, integrity, and efficiency in the operations of the university.
The scope of work of the OIA is to determine whether the university's network of risk management, control, and governance processes, as designed and represented by management, is adequate and functioning in a manner to ensure:
- Risks are appropriately identified and managed
- Interaction with the various governance groups occurs as needed
- Significant financial, managerial, and operating information is accurate, reliable, and timely
- Employees' actions are in compliance with policies, standards, procedures, and applicable laws and regulations
- Resources are acquired economically, used efficiently, and protected adequately
- Programs, plans, and objectives are achieved
- Quality and continuous improvement are fostered in the university’s controls process
- Significant legislative or regulatory issues impacting the university are recognized and addressed properly
Opportunities for improving management control may be identified during audits. They will be communicated to the appropriate level of management.
Organization, Independence, and Authority
This charter, which defines the duties and responsibilities of the Chief Audit Executive (CAE) and the OIA, derives its authority through adoption by the Committee on Audit and Operations Review. This charter shall be reviewed at least every three (3) years for consistency with applicable Board of Governors and university regulations, professional standards, and best practices.
To provide for the independence of the OIA, its staff report to the CAE, who is appointed by and operates under the general oversight of the university President. The CAE reports administratively to the university President and to the Senior Vice President and Chief Operating Officer, and reports functionally to the Board of Trustees through its Committee on Audit and Operations Review as to the process and content of its reports. This reporting relationship promotes independence and assures adequate consideration of audit findings and planned actions.
The CAE and staff of the OIA are authorized to:
- Have unrestricted access to all functions, records, property, and personnel.
- Have full and free access to the Committee on Audit and Operations Review.
- Allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish audit objectives.
- Obtain the necessary assistance of personnel in units of the university where they perform audits, as well as other specialized services from within or outside the university (other universities, federal, state or local government entities).
The CAE and staff of the OIA are not authorized to:
- Perform any operational duties for the university or its affiliated organizations.
- Initiate or approve accounting transactions external to the OIA.
- Direct the activities of any university employee not employed by the OIA, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the OIA staff.
The CAE, in the discharge of his/her duties, shall be accountable to management and the Committee on Audit and Operations Review to:
- Provide assessments on the adequacy and effectiveness of the university’s processes for controlling its activities and managing its risks in the areas set forth under the mission and scope of work
- Report significant issues related to the processes for controlling the activities of the university and its affiliated organizations, including potential improvements to those processes, and provide information concerning such issues through resolution.
- Provide information periodically on the status and results of the annual audit plan and the sufficiency of department resources. Inform the Committee on Audit and Operations Review when contracting for specific instances of audit or investigative assistance.
- Coordinate with other control and monitoring functions (e.g., risk management, compliance, security, information technology, legal, ethics, environmental, and external audit)
- Communicate the results of the quality assurance and improvement program and the external quality assessment review.
Duties and Responsibilities
- Develop a flexible three-year audit work plan using appropriate risk-based methodology, including any risks or control concerns identified by management, and submit that plan to the Board of Trustees for approval. The flexible audit work plan will be revised annually and approved by the Committee on Audit and Operations Review. Approved audit work plans will be provided to the Board of Governors.
- Implement the audit plan as approved, including, as appropriate, any special tasks or projects requested by management and the Committee on Audit and Operations Review.
- Conduct and coordinate audits, investigations, and management reviews which promote economy, efficiency, and effectiveness in the administration of programs and operations of the university and its affiliated organizations. A copy of final audit reports will be provided to the Board of Governors.
- Perform, or coordinate, other consulting services or activities carried out or financed by the university for the purpose of assisting management in meeting its objectives, promoting economy and efficiency in the administration of, or preventing and detecting fraud and abuse in its programs and operations. These may include facilitation, training and advisory services.
- Issue periodic reports to the Committee on Audit and Operations Review and management summarizing results of audit activities.
- Provide and maintain a mechanism (third-party hotline) whereby university staff, faculty, students and trustees, and the general public may anonymously report allegations of improprieties related to the university.
- Receive complaints and coordinate all activities of the university as required by the Whistle-blower's Act pursuant to Sections 112.3187-112.31895, Florida Statutes.
- In accordance with the university’s Policy on Fraudulent and Dishonest Acts, receive and consider complaints that do not meet the criteria for an investigation under the Whistle-blower's Act and conduct, supervise, or coordinate such inquiries, investigations, or reviews pursuant to the Standards for Complaint Handling and Investigations for the State University System of Florida.
- Keep the President, the Senior Vice President and Chief Operating Officer, management and the Committee on Audit and Operations Review informed concerning significant and credible allegations and known occurrences of waste, fraud, mismanagement, abuses, and internal control deficiencies relating to programs and operations; facilitate initiation of corrective actions; and report on the progress made in implementing corrective actions.
- Consider the scope of work and ensure effective coordination and cooperation between the Auditor General, federal auditors, and other governmental bodies and external auditors with a view toward avoiding duplication.
- Review, as appropriate, rules and procedures relating to the programs and operations of the university and make recommendations concerning their impact.
- Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this charter.
- Confirm to the Committee on Audit and Operations Review, at least annually, the organizational independence of the OIA.
- Develop and maintain a quality assurance and improvement program covering all aspects of the OIA and communicate the results of the quality assurance and improvement program to management and the Committee on Audit and Operations Review. This program shall include an external quality assessment review conducted at least once every five (5) years. The external quality assessment report and any related improvement plans shall be presented to the Committee on Audit and Operations Review, with a copy provided to the Board of Governors.
- Keep the Committee on Audit and Operations Review informed of emerging trends and successful practices in internal auditing.
- By September 30th of each year, prepare and provide an annual report summarizing the activities of the OIA for the preceding year. The report shall be provided to the President, the Committee on Audit and Operations Review, and the Board of Governors.
In the performance of these services, the Office of Internal Audit will ensure that an appropriate balance is maintained between audit, investigative, and other activities. Detailed operational procedures for the OIA will be established and maintained.
Standards of Audit Practice
The OIA will meet or exceed the Institute’s International Standards for the Professional Practice of Internal Auditing. As appropriate given the engagement, the OIA may also follow Government Auditing Standards (published by the United States Government Accountability Office) or the Information Systems Auditing Standards (ISACA, Information Systems Audit and Control Association).
The OIA staff members have a responsibility to the interest of those they serve and should refrain from entering into any activity that may create a conflict of interest. They have an obligation of self-discipline above and beyond the requirements of laws and regulations. They should uphold and demonstrate qualities of integrity, honesty, loyalty, morality, dignity, and confidentiality consistent with the Institute of Internal Auditors Code of Ethics.