Internal Audit Charter

The purpose of Northern Arizona University Internal Audit is to provide independent, objective assurance and consulting services that add value and improve the operations of NAU. Internal Audit reviews help NAU accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of business, risk management, control and governance processes.

Internal Audit evaluates risk exposures relating to NAU’s governance, operations, and information systems for:

• Achievement of the organization’s strategic objectives.
• Effectiveness and efficiency of operations and programs.
• Reliability and integrity of financial and operational information.
• Safeguarding of assets.
• Compliance with laws, regulations, policies, procedures, and contracts.

In order to accomplish its objectives, Internal Audit has full, free, and unrestricted access to all functions, records, reports, activities, property, and personnel, as needed, to fulfill their assigned responsibilities. Internal Audit staff will exercise discretion in the review of records to assure the necessary confidentiality of matters that come to their attention, as required by the Institute of Internal Auditors’ Code of Ethics.

University Management is responsible for the risk management and internal control structure over the areas audited. Internal auditors have no direct responsibility or any authority over any of the activities or operations that they review.

Internal Audit must be independent, and the internal auditors must be objective in performing their work. Internal Audit’s authority comes from the Arizona Board of Regents Audit Committee. The Audit Committee is responsible for auditor independence and objectivity, but delegates responsibility for ongoing oversight of the University Internal Audit function to the NAU Internal Audit Review Board.

The Chief Audit Executive of NAU Internal Audit reports functionally to the Internal Audit Review Board and administratively to the Vice President for Finance, Institutional Planning and Analysis. This authority cannot be delegated. The University Chief Audit Executive is not a member of the Internal Audit Review Board.

The reporting line for the Internal Audit activity is the ultimate source of its independence and authority. Examples of functional reporting involve:

1. Approving the internal audit charter.
2. Approving a risk-based internal audit plan.
3. Approving the internal audit budget and resource plan.
4. Receiving communications from the Chief Audit Executive on the internal audit activity’s performance relative to its plan and other matters.
5. Approving decisions regarding the appointment and removal of the Chief Audit Executive.
6. Approving the remuneration of the Chief Audit Executive.
7. Making appropriate inquiries of Management and the Chief Audit Executive to determine whether there are inappropriate scope or resource limitations.

Administrative reporting is a relationship within the organization’s management structure that facilitates day-to-day operations of the internal audit activity and provides appropriate interface and support for effectiveness. Examples of administrative reporting involve:

1. Budgeting and management accounting.
2. Human resource administration.
3. Internal communications and information flows.
4. Administration of the organization’s internal policies and procedures (expense approvals, leave approvals, floor space, etc.).

The Chief Audit Executive confers with the Arizona Board of Regents Audit Committee at least annually, outside the presence of university officials, on any subject related to Internal Audit’s areas of responsibility. The Chief Audit Executive may communicate directly with the Chair of the Audit Committee at any time.

Internal auditors must exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined and shall have an impartial, unbiased attitude and avoid conflicts of interest.

The responsibility of the Internal Audit function is to serve NAU in a manner that meets or exceeds the Institute of Internal Auditors’ Mandatory Guidance.

Internal Audit responsibilities include, but are not limited to:

1. Developing and implementing a risk-based annual audit plan and additional multi-year audit schedule that recognizes the scope of work performed by other university compliance functions and other auditors. Unless otherwise directed by the Audit Committee, the audit plan will include components of IT security.
2. Submitting the aforementioned plan to the Internal Audit Review Board for review and approval.  The Chief Audit Executive will submit the plan to the Audit Committee for approval.
3. Implementing the annual audit plan, as approved.
4. Examining and evaluating the adequacy and effectiveness of the systems of internal controls, including information systems security and control.
5. Identifying opportunities for reducing costs, improving processes and enhancing the University’s reputation.
6. Appropriately documenting the results of all audit work performed.
7. Promptly and properly reporting any frauds, abuses, internal control weaknesses, other concerns and opportunities for improvement to University Management and the Audit Committee, if appropriate.
8. Following-up on previously completed audits to ensure Management is implementing actions to address identified operational, compliance and internal control issues satisfactorily.
9. Distributing audit reports to University Management and the Audit Committee.
10. Maintaining a professional audit staff with sufficient knowledge, skills, professional certifications and competencies to meet the requirements of this charter.
11. Performing advising and consulting services, as requested, to assist Management in meeting is objectives.
12. Responding to requests and special audit projects requested by the Audit Committee.
13. Establishing a quality assurance program by which the Chief Audit Executive assures the operation of internal auditing activities are conducted in accordance with professional standards.

During each Audit Committee regularly scheduled meeting, the Chief Audit Executive will report:

1. Significant obstacles experienced in performing individual audits / projects.
2. Status or progress to approved audit plan and any concerns regarding ability to complete the annual audit plan.
3. Current internal audit staffing levels, including certifications.
4. Changes in significant risks since prior meeting.
5. Significant audit findings in audit reports issued since the prior Audit Committee meeting, irrespective of remediation. The Chief Audit Executive is to determine which findings to report.
6. Status of major corrective action plans pending.  The Chief Audit Executive is to determine which findings to include.

Annually, the Chief Audit Executive will present for Audit Committee approval:

1. University risk assessment, including a description of the heat map development.
2. Annual Internal Audit Plan for the next fiscal year, with a description of how the plan was developed and how the risk assessment influenced the plan.
3. Multiyear audit schedule.
4. Updated Internal Audit Charter for Audit Committee approval, highlighting any changes proposed since last approval, if any.

Periodically, when appropriate, the Chief Audit Executive will present Internal Audit’s completion of a Quality Assessment Review (peer review).