Southern Utah University's Centurium

Internal Audit Charters and Policy

The purpose of Southern Utah University’s (SUU) internal audit department is to provide an independent, objective assessment and consulting role designed to add value to and improve University operations. Internal Audit helps the organization accomplish its objectives by providing a systematic, disciplined approach to evaluate and recommend improvements to the effectiveness of risk management, control, and governance processes. The mission of SUU’s internal audit department is to protect and enhance organizational value by providing risk-based, objective assessment, advice, and insight.


Authority

The function of Internal Audit is authorized and required by, Utah Code Chapter 63I-5-201, Utah Internal Audit Act, Utah State Board of Higher Education policy R567, Internal Audit Program, and Southern Utah University Policy 7.1: Internal Audit Policy.


Standards

Internal Audit activities are conducted in accordance with the mandatory elements of the Institute of Internal Auditors’ (IIA) International Professional Practices Framework (IPPF), including the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, and the Definition of Internal Auditing.


Reporting

The Director of Internal Audit reports functionally to the SUU Trustee Audit Committee and administratively to the Vice President of Finance and Administration (CFO). The Director of Internal Audit regularly reports the following:

  • Results of audits and reviews to affected administrators, the Vice President of Finance and Administration, and the Audit Committee.

  • Results of the annual Institutional risk assessment to the Audit Committee including a prioritized list of the highest-risks needing to be monitored and addressed.

  • Regular updates to the Vice President of Finance and Administration and the Audit Committee regarding the department’s performance and progress of internal audit activity.

  • Confirmation to the Audit Committee of the organizational independence of the internal audit activity and conformance with the IIA’s Code of Ethics.

  • Reports of ethical, accounting, and internal control violations, fraud, or violations of other institutional policies and procedures reported in person, through email, or through EthicsPoint, SUU’s anonymous reporting hotline.


    Access

    The Audit Committee authorizes appropriate access to data, information, records, and personnel needed to fulfill Internal Audit’s activities purposes and responsibilities. The Audit Committee further authorizes Internal Audit to:

  • Receive full, unrestricted access to records, property, and personnel pertinent to carrying out approved engagements

  • Allocate resources and determine scope of engagements

  • Apply techniques required to accomplish audit objectives and issue audit reports

  • Obtain assistance from SUU personnel, as well as independent specialists, to complete engagements Internal Audit has unrestricted access to the University President and the Board of Trustees, Audit Committee.


    Independence and Objectivity


    Internal Audit is an independent function established within SUU to examine and evaluate activities. The Internal Auditor will:

  • Disclose any impairment of independence or objectivity, in fact or appearance, to appropriate parties

  • Exhibit professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined

  • Make balanced assessments of all available and relevant facts and circumstances


    Scope of Internal Audit Activities

    The scope of internal audit activities includes independent, objective examinations of evidence to provide assurance to the Audit Committee, University management, and others of the effectiveness and efficiency of governance, risk management, and operations. Assurances provided by internal audit include evaluating whether:

  • Risks facing the University are identified, mitigated, or accepted as appropriate

  • The actions of University officers, directors, employees, and outside parties associated with the school comply with applicable Federal and State laws, University policies, and standards

  • Organizational operations are consistent with University goals and carried out effectively and efficiently

  • Controls established to prevent, or detect and correct, errors are designed and operating effectively

  • University resources and assets are acquired economically, used efficiently, and safeguarded adequately

    Opportunities for improving the efficiency of governance, risk management, and control processes identified during engagements are communicated to the appropriate level of management.


    Responsibility

    The Director of Internal Audit has the responsibility to:

  • Submit, at least annually, to senior management and the Audit Committee a risk-based internal audit plan for review and approval

  • Review and adjust the internal audit plan, as necessary, in response to changes in SUU's business, risks, operations, programs, systems, and controls

  • Ensure each engagement of the internal audit plan is executed, including the establishment of objectives and scope, the assignment of appropriate and adequately supervised resources, the documentation of work programs and testing results, and the communication of engagement results with applicable conclusions and recommendations to appropriate parties

  • Follow up on engagement findings and corrective actions, and report periodically to senior management and the Audit Committee any corrective actions not effectively implemented

  • Ensure the IIA’s Code of Ethics principles of integrity, objectivity, confidentiality, and competency are applied and upheld

  • Ensure the internal audit department collectively possesses or obtains the knowledge, skills, and other competencies needed to meet the requirements of the internal audit charter

  • Ensure trends and emerging issues that could impact SUU are considered and communicated to senior management and the Audit Committee as appropriate

  • Ensure emerging trends and successful practices in internal auditing are considered

  • Establish and ensure adherence to policies and procedures designed to guide the internal audit department


Quality Assurance and Improvement Program

The Internal Audit department maintains a quality assurance and improvement program that covers all aspects of the its operations. The program includes an evaluation of the department's conformance with the IIA’s Standards and an evaluation of whether internal auditors apply The IIA's Code of Ethics. The program also assesses the efficiency and effectiveness of the department, identifying opportunities for improvement. The Director of Internal Audit communicates to senior management and the Audit Committee on the department's quality assurance and improvement program, including results of internal assessments (both ongoing and periodic) and external assessments conducted at least once every five years by a qualified, independent assessor or assessment team from outside SUU.

There is created by Regent Policy R565-3.2 “…a standing Audit Committee to assist the full Board in fulfilling its oversight responsibilities for financial matters.”

The Trustee Audit Committee (Committee) is created to assist the University Board of Trustees in fulfilling its oversight responsibilities for financial reporting processes, the system of internal controls, audit processes, and processes for monitoring compliance with laws and regulations.


Composition

The Committee will include at least three (3) and no more than five (5) members, at least three (3) of whom shall be members of the institutional Board of Trustees and up to two (2) of whom may be appointed from the community. Committee members should have appropriate business expertise and must be independent and free from any relationship that might interfere with their exercise of judgment as a Committee member. The Chair of the Board of Trustees appoints Committee members and may select the Chair of the Committee or leave the Committee Chair selection to members of the Committee.


Terms

Members of the Committee appointed from the Board shall have terms that coincide with their term on the Board. Members appointed from the community shall be appointed to four-year terms. Initial terms may be staggered in such a way that no community members’ terms will expire in the same year. To the extent possible, terms should be staggered to provide Committee continuity. Members may be reappointed to subsequent terms.


Meetings

The Committee shall meet a minimum of three times per year, with the ability to convene additional meetings as necessary.


Responsibilities

With the assistance of SUU administrative staff, agendas will be prepared in advance of meetings along with supporting materials and minutes of previous meetings. Specific responsibilities are outlined in the Utah System of Higher Education Policy R565. Presently, those responsibilities include the following:

  • Schedule meetings and correspondence as necessary to maintain regular, independent communication and information flow between the trustee audit committee and external auditors.

  • Review the institution’s financial statements, including significant accounting and reporting issues. This includes reviewing the management discussion and analysis of the financial statements, along with any analyses prepared by institutional administration and/or external auditors setting forth significant financial reporting issues and judgments made in connection with the preparation of the financial statements.

  • Review with the administration and the external auditors the results of the annual financial statement audit, including audit scope and approach, any restrictions on the auditor’s activities or on access to requested information, and any significant disagreements with institutional representatives. 

  • Review information regarding the institution’s control environment, means of communicating standards of conduct, and practices with respect to risk assessment and risk management. 

  • Confer with external and internal auditors regarding the quality of institutional systems of internal control. 

  • Review information regarding the receipt, retention, and treatment of complaints, including anonymous complaints about accounting, auditing, internal control, and other related issues. 

  • Review with campus administrators and other institutional representatives the adequacy of the institution’s auditing personnel, staffing levels, and controls. 

  • Review information provided by the administration regarding systems for monitoring compliance with all applicable laws and regulations. 

  • Obtain regular updates from institutional administrators and/or legal counsel regarding instances of material noncompliance that might have implications for the institution. 

  • Review with the administration and the chief internal audit executive the charter, plans, activities, staffing and organizational structure of the internal audit function. 

  • Review any restrictions and limitations on internal auditing activities.

  • Consult with University Administration on the Appointment, evaluation, and if necessary, the dismissal of the institution’s chief internal audit executive. 

  • Receive and review internal audit reports and/or periodic summaries of internal audit activities prepared by the chief internal audit executive.

  • Schedule meetings and correspondence as necessary to maintain regular, independent communication and information flow between the committee and the institution’s chief internal audit executive.

  • Results of audits and reviews to affected administrators, the Vice President of Finance and Administration, and the Audit Committee.

  • Results of the annual Institutional risk assessment to the Audit Committee including a prioritized list of the highest-risks needing to be monitored and addressed.

  • Regular updates to the Vice President of Finance and Administration and the Audit Committee regarding the department’s performance and progress of internal audit activity.

  • Confirmation to the Audit Committee of the organizational independence of the internal audit activity and conformance with the IIA’s Code of Ethics.

  • Reports of ethical, accounting, and internal control violations, fraud, or violations of other institutional policies and procedures reported in person, through email, or through EthicsPoint, SUU’s anonymous reporting hotline.