Office Charter

Objective and Scope

The objective of Internal Auditing is to provide an independent, objective assurance and consulting service designed to add value and improve the operations of the University of Florida and its affiliated organizations, including its direct support organizations and the Faculty Practice Plan corporations (collectively, the University). The Office of Internal Audit (OIA) helps the University to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The State University System Florida Board of Governors (BOG) Regulation 4.002(1) requires that each university shall have an office of chief audit executive (CAE) as a point for activities that promote accountability, integrity, and efficiency in the operations of the university. The scope of work of internal audit encompasses the examination and evaluation of all activities of the University and includes determining whether the University’s risk management, internal controls, and governance processes, as designed and represented by management, are adequate and functioning effectively to provide a reasonable level of assurance that:

• Exposure to risk and fraud is managed in an effective and efficient manner.
• Significant financial, managerial, and operating information is accurate, reliable, and timely.
• Services are delivered efficiently and effectively to obtain best value for money.
• Resources are acquire economically, used efficiently, and accounted for accurately.
• Programs, plans and objectives are achieved.
• Employees’ actions are in compliance with applicable laws, regulations, contract provisions, and University policies and procedures.
• Accountability, quality and continuous improvement are fostered in the University’s control processes.
• Significant legislative or regulatory issues impacting the University are recognized and addressed.

Organization, Independence, and Authority

This charter, which defines the duties and responsibilities of the OIA, derives its authority through BOG Regulation 4.002 and adoption by the Audit and Compliance Committee of the University of Florida Board of Trustees. In accordance with BOG Regulation 4.002(3), this charter shall be reviewed every three (3) years, and as deemed necessary, for consistency with applicable BOG and University regulations, professional standards and best practices. A copy of the approved charter and any subsequent changes shall be provided to the BOG.

The CAE will report administratively to the University President and to the Vice President and General Counsel, and functionally to the Board of Trustees through the Audit and Compliance Committee to ensure independence of the OIA.

In order to fulfill its responsibilities, the CAE and staff of the OIA are authorized to:

• Have unrestricted access to all functions, records, property, and personnel.
• Have full and free access to the Audit and Compliance Committee and the University President, including notification of any restrictions in scope, resources, and access to information that may impair the satisfactory completion of internal audit activities.
• Allocate resources, select areas of focus, determine scopes of work, and apply the techniques required to accomplish audit objectives.
• Maintain a professional staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this charter.
• Obtain the necessary assistance of personnel in units of the University where they perform audits, as well as other specialized services from within or outside the University.
• Inform the UF Board of Trustees through the Audit and Compliance Committee when contracting for specific instances of audit or investigative assistance.

The CAE and staff of the OIA are not authorized to:

• Perform any operational duties for the University or its affiliated organizations.
• Initiate or approve accounting transactions external to the OIA.
• Direct the activities of any University employee not employed by the OIA, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the OIA staff.

Accountability

The CAE, in the discharge of his/her duties, shall be accountable to the Audit and Compliance Committee to:

• Provide assessments on the adequacy and effectiveness of the University’s processes for controlling its activities and managing its risks in the areas set forth under the mission and scope of work.
• Report significant issues related to the processes for controlling the activities of the University and its affiliated organizations, including potential improvements to internal controls and key business processes through internal audit report recommendations.
• Provide information to the University Presient and the Audit and Compliance Committee, at least annually, regarding the organizational independence of the OIA, the status and results of the annual audit plan and the sufficiency of department resources.
• Promote, in collaboration with other appropriate university officials, the effective coordination between the university and the Florida Auditor General, federal auditors, accrediting bodies, and other governmental or oversight bodies.
• Coordinate activities with other control and monitoring functions (e.g., risk management, compliance, and the external auditors) to promote proper coverage and minimize duplication of efforts.

Internal Audit Services

Internal Audit shall conduct financial, operational, compliance, and information technology audits in accordance with approved plans and its established policies and procedures, in conformance with the Institute of Internal Auditors’ Code of Ethics and the International Professional Practices Framework, as well as other professional auditing standards which may be applicable to the performance of work assignments. The OIA may also follow the Government Auditing Standards (published by the United States Government Accountability Office) and the Information Systems Auditing Standards (as promulgated by the Information Systems Audit and Control Association), as appropriate. The Institute of Internal Auditors’ Practice Guides and Position Papers will also be adhered to, as applicable.

Internal Audit services and activities include but are not limited to the following:

• Develop and implement a flexible audit plan using an appropriate risk-based methodology, including risks or control concerns identified by management. These plans, including any revisions, shall be submitted to the Audit and Compliance Committee for review and approval and a copy of the approved audit plan will be provided to the BOG.
• Examine and evaluate the adquacy and effectiveness of the systems of internal controls, including any significant new or changing services, processes, operations, and controls coincident with their development and implementation.
• Identify opportunities for reducing costs, improving processes, and enhancing the University’s reputation.
• Review the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information.
• Assess compliance with laws, regulations, contract/grant provisions, and internal policies, plans, and procedures.
• Verify that resources are acquired economically, used efficiently, accounted for accurately, and protected adequately.
• Review operations or programs to ascertain whether results are consistent with established objectives.
• Perform advisory services to assist management in managing risks, improving internal controls, and governance processes. Examples might include facilitation, process design, education and training.
• Assess steps taken by management to embed a risk and control culture that is committed to lawful and ethical behavior in the University.
• Provide training and outreach to promote accountability and address topics such as fraud awareness, risk management, controls, and other related subject matter, as appropriate.
• Have a mechanism (third-party hotline) whereby University staff, faculty, students, trustees, and the general public may anonymously report allegations of fraud or improprieties related to the University or allegations about questionable accounting, internal controls or auditing matters.
• Establish policies which articulate the steps for reporting and escalating matters of alleged misconduct, including criminal conduct.
• Receive statutory whistleblower information and coordinate all activities of the University as required by the Whistle-blower’s Act and in accordance with the University policy on Reporting and Investigating Fraudulent or Other Wrongful Acts and the University of Florida Investigation Protocols, as approved by the UF Board of Trustees.
• Conduct, supervise, or coordinate activities for the purpose of preventing and detecting fraud and abuse within the University.
• Keep the Audit and Compliance Committee, the President, and the Vice President and General Counsel informed concerning significant and credible allegations and known occurrences of waste, fraud, mismanagement, abuses, and internal control deficiencies relating to programs and operations.
• Facilitate initiation of corrective actions and report on the progress made in implementing corrective actions.
• Develop and maintain a quality assurance and improvement program covering all aspects of the OIA and communicate the results of the quality assurance and improvement program to University management and the Audit and Compliance Committee. This program shall include an external quality assessment conducted at least once every five (5) years. The external quality assessment report and any related improvement plans shall be presented to the Audit and Compliance Committee, with a copy provided to the BOG.
• Prepare and provide an annual report summarizing the activities of the OIA for the preceding year. The report shall be provided to the President, the Vice President and General Counsel, the Audit and Compliance Committee, and the BOG.

In the performance of these services, the Office of Internal Audit will ensure that an appropriate balance is maintained between audit, investigative and other activities outlined under this Charter.