Office of Internal Audit Services Charter
“Committed to excellence, committed to you and your goals”
Approved by the Corporation on September 30, 2010
Brown University’s Office of Internal Audit Services helps the Corporation protect University resources and enhance the achievement of enterprise-wide strategies by evaluating and monitoring risks, processes and policies significant to the University’s mission.
Internal auditing at Brown University is an independent, objective assurance and consultative activity designed to add value to the organization. The internal audit program is intended to assist the University in accomplishing its objectives by bringing a systematic, disciplined approach to increase the effectiveness and efficiency of risk management, control, and governance processes.
The Office of Internal Audit Services (Office) assists the Corporation and University management in the effective discharge of their:
- Risk management responsibilities by evaluating the leadership’s process for identifying, assessing, avoiding and, as necessary, mitigating and managing risks. Risks include any activities that may pose strategic, governance, financial, operational, technological, regulatory, or reputational risk to the University.
- Control responsibilities by assessing how the leadership plans, organizes, and directs the performance of key functions and activities to ensure that the University’s objectives and goals will be achieved. This may include reviewing the reasonableness of policies, procedures and practices; the adequacy of compliance with internal and external rules, laws and regulations; and the commitment to integrity and ethical values.
- Governance responsibilities by assessing the effectiveness of the structure and processes implemented by the leadership to inform, direct, manage, and monitor the activities of the University towards the achievement of its goals and objectives.
The Office is established by the Corporation and its responsibilities are defined by the Audit Committee of the Corporation as part of their oversight function.
This charter shall be reviewed and approved by the Audit Committee at least annually. The charter shall be updated as appropriate or necessary by the Chief University Auditor to reflect changes in the scope or objectives of the Office relative to the University’s mission.
Functionally, the Office is accountable to the Corporation through the Audit Committee of the Corporation (Committee). The Chief University Auditor reports to the Committee on the operations of internal audit activities, presents audit plans for review and approval, reports on significant audit issues and recommendations, attends Committee meetings, meets with the Committee in executive sessions, and responds to other matters as requested by the Committee. The internal audit activity will have free and unrestricted access to all members of the Corporation. Administratively, the Office reports to the Executive Vice President for Finance and Administration, and has access to the President of the University as necessary.
Members of the Office or their designee are authorized to have free, full, and unrestricted access as necessary to all and any University information, activities, records, property, manual and automated systems, and personnel for the purpose of carrying out their responsibilities. Employees are expected to cooperate with and assist the Office in fulfilling its roles and responsibilities.
In executing the internal audit program, members of the Office have no direct authority over, or responsibility for, any systems, procedures, or activity which the Office would be responsible to review. Therefore, the Office may not develop or institute procedures, prepare records, install systems, make management decisions, or engage in any activity which could reasonably be construed to compromise its objectivity or independence. Such tasks are the sole responsibility of operating management.
INDEPENDENCE AND OBJECTIVITY
Members of the Office must exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. They must make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming their judgments.
The internal audit activity will remain free from interference by any element in the University, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude. The Chief University Auditor will confirm to the Committee, at least annually, the organizational independence of the internal audit activity.
SCOPE OF WORK
All organizations directly or indirectly managed by Brown University will be subject to review by the Office. The specific scope of work will be developed when a scheduled audit is about to commence, when the need for an unscheduled audit is established, or when additional concerns develop during an audit. In general, the scope of work for audits will focus on assessing if the University’s policies, procedures, and other components of control are adequate and functioning in a manner to ensure one or more of the following objectives:
- Financial, managerial, and operating information is reasonably accurate, reliable, measurable, and timely, and related record-keeping and reporting are adequate and effective;
- Risks to information systems on which the integrity of information relies are adequately mitigated;
- University activities are organized within related legal restrictions, and employee actions comply with applicable laws and regulations, policies, procedures, and standards, including ethical business standards;
- Resources are acquired economically, used efficiently, and adequately protected/safeguarded;
- Compliance, quality, and continuous improvement are fostered in the University’s system of control; and
- Significant legislative, regulatory, or other risk exposure and control issues, including fraud risks, governance issues, and other matters impacting the organization are recognized, addressed, and reported to appropriate governance groups by management.
As appropriate, the Office may undertake Advisory or Consultative Services. Such projects may involve the analysis or evaluation of real-time/continuous/forward-looking data or value-based information that may or may not include financial information, for relevant and reliable management decision making.
Opportunities for improving the governance structure, risk management process, management controls, compliance, net revenue, and the University’s reputation/image may be identified during audits, consultations and advisory services. If so, the results of these activities will be communicated to management as deemed appropriate, through discussions, formal reports or advisories.
The Chief University Auditor has responsibility to:
- Develop a broad, comprehensive program of internal auditing that encompasses the University’s strategic objectives.
- Establish, manage and direct the technical and administrative functions of the Office.
- Recruit, train and maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certification to meet the objectives of the Office. To the extent that additional or expert/specialized skills are needed to supplement our work, such activities may be co-sourced or out-sourced as necessary.
- Develop, submit for Committee approval, and implement a flexible risk-based audit plan. Provide periodic reports to the Committee and senior management on the status of the audit plan including significant changes to the plan.
- Assess the adequacy of management’s corrective actions to audit issues through follow-up reviews.
- Coordinate audit activities with external auditors and other constituencies to maximize audit coverage and minimize duplication of efforts.
- Undertake special projects as requested by the Committee or management.
- Assist in the investigation of significant suspected fraudulent activities within the University and notify senior management and/or the Committee of the results.
- Consult with and participate in an advisory capacity to University constituents with defined significant risk management responsibilities.
- Inform senior management and the Committee of the results of significant issues reported through the Ethics And Compliance Reporting System (EARS).
- Communicate to senior management and the Committee, the results of external quality assurance and program improvement assessments of the internal audit activity to be conducted at least every five years.
- Ensure that the work of the Office is performed in accordance with the “Code of Ethics” and is consistent with the International Standards for the Professional Practice of Internal Auditing, as promulgated by the Institute for Internal Auditors.