Internal Audit

Introduction

The purpose of the internal audit function is to strengthen University’s ability to create, protect, and sustain value by providing the Board of Governors and Executive Management with independent, risk-based, and objective assurance, advice, insight, and foresight.
The internal audit function enhances the University’s:

• Successful achievement of its objectives;
• Governance, risk management, and control processes;
• Decision-making and oversight;
• Reputation and credibility with its stakeholders; and
• Ability to serve the public interest.

Internal auditing is most effective when:

• It is performed by competent professionals in conformance with the Global Internal Audit Standards, which are set in the public interest;
• The internal audit function is independently positioned with direct accountability to the Board of Governors; and
• Internal auditors are free from undue influence and committed to making objective assessments.

Policy

• Internal audits will be done throughout the University, and no function, activity, faculty or department is exempt from internal auditing.  Administrators, faculty and staff members must cooperate with the internal auditor by providing access to all records (including financial accounts), employees, and students they request as a part of the internal audit engagement.
• The Internal Auditor will not have direct authority over or responsibility for any of the activities reviewed during the course of work.  The Internal Auditor will not develop and implement procedures, prepare records, make management decisions, or engage in any other activity that could be reasonably construed to compromise their independence. The Internal Auditor neither substitutes for nor relieves other University personnel from their assigned responsibilities.
• Officers and administrators are responsible for implementing recommendations that result from an audit or accepting the risk of non-implementation. 

Roles and Responsibilities

Board of Governors:

• delegates the oversight of internal audit to the Audit and Risk Management Committee.
• approves the office of internal audit charter, which includes the internal audit mandate and the scope and types of internal audit services, and revisions to itapproves the office of internal audit charter and revisions to it.
• approves the internal audit work plan.

Audit and Risk Management Committee:

• discusses with the Internal Auditor and Executive Management the appropriate authority, role, responsibilities, scope, and services (assurance and/or advisory) of the internal audit function.
• participates in discussions with the Internal Auditor and Executive Management about the “essential conditions” described in the Global Internal Audit Standards, which establish the foundation that enables an effective internal audit function.
• reviews the office of internal audit charter at least annually and recommends for approval to the Board, including changes, if needed.
• reviews the internal audit work plan and recommends for approval to the Board.
• receives an executive summary of each final internal audit report.
• ensures a quality assurance and improvement program has been established and reviews its results annually.
• ensures the Internal Auditor has unrestricted access to the Committee, including in camera sessions without management present.
• participates in the decisions regarding the appointment, removal, and performance review of the Internal Auditor and the related human and financial resources.
• collaborates with Executive Management to determine the qualifications and competencies of the Internal Auditor.
• receives communications from the Internal Auditor about the internal audit function, including its performance relative to its annual work plan.
• makes appropriate inquiries of the Executive Management and the Internal Auditor to determine whether scope or resource limitations are appropriate.

Executive Management:

• communicates to the Audit and Risk Management Committee and Internal Auditor the expectations for the internal audit function to be considered when establishing the internal audit mandate.
• provides input into the development of the office of internal audit charter.
• provides input into the development of the internal audit work plan.
• receives the internal audit reports.
• requests advisory services and investigations to be performed by the Internal Auditor, when needed.
• supports the office of internal audit through regular, direct communications.

Chief Governance Officer:

• provides input to the Audit and Risk Management Committee on the appointment and removal of the Internal Auditor.
• solicits input from the Audit and Risk Management Committee on the performance evaluation of the Internal Auditor.
• engages with the Audit and Risk Management Committee to provide the office of internal audit with sufficient resources to fulfill the internal audit mandate and achieve the internal audit plan.
• determines next steps that will be taken towards a resolution where the Internal Auditor encounters a situation that cannot be resolved  with the Administrator in the area being audited.  If the issue is still not resolved, the matter will be then escalated to the President and/or the Chair of the Audit and Risk Management Committee.

Internal Auditor:

• reports functionally to the Audit and Risk Management Committee of the Board of Governors. 
• reports administratively to the Chief Governance Officer, and is a member of the University Secretariat (to ensure that internal audit has no operational accountability).
• provides the Audit and Risk Management Committee with the information necessary to establish and recommend to the Board for approval the internal audit mandate, charter, and annual internal audit plan, and to update these as required.
• develops and maintains an internal audit charter that specifies, at a minimum, the internal audit function’s purpose, commitment to adhering to the Global Internal Audit Standards, mandate, organizational position, and reporting relationships.
• develops a risk-based internal audit plan that considers the input of the Audit and Risk Management Committee and Executive Management at least annually.
• reviews and adjusts the internal audit plan, as necessary, in response to changes in University’s business, risks, operations, programs, systems, and controls.
• communicates the impact of resource limitations, if any, on the internal audit plan to the Audit and Risk Management Committee and Executive Management.
• meets with the Audit and Risk Management Committee in an in camera session at every meeting or more frequently at the request of the Internal Auditor or the Chair, Audit and Risk Management Committee.
• plans, conducts, and reports on the internal audit engagements.
• follows up on internal audit engagement findings, confirming the implementation of recommendations or action plans, and communicating the results of internal audit services to the Audit and Risk Management Committee and Executive Management annually and for each internal audit engagement as appropriate.
• ensures the office of internal audit collectively possesses or obtains the knowledge, skills, and other competencies and qualifications needed to meet the requirements of the Global Internal Audit Standards and fulfill the internal audit mandate.
• considers emerging trends and successful practices in internal auditing.
• establishes and ensures adherence to methodologies designed to guide the internal audit function.
• reviews the University’s established internal control system, administrative controls and processes to ensure that these are functioning, adequate, effective and efficient.
• reviews the reliability and integrity of the accounting, financial and reporting systems and procedures.
• assesses compliance of processes and procedures with University policies, provincial and federal laws and regulations, contractual obligations and best business practices that have a significant impact on University’s operations and reporting.
• reviews the extent to which University resources are employed and determines if these resources are employed efficiently and economically.
• assesses the means in which assets are safeguarded as appropriate, verifying the existence and appropriate use of these assets.
• evaluates operational procedures to determine whether results are consistent with established objectives and goals, and whether the procedures are carried out as planned.
• evaluates the effectiveness of the University’s operational risk management processes.
• acts as a central point of contact for receiving disclosures of alleged wrongdoing that are submitted in accordance with the policy Safe Disclosure.
• coordinates investigations of allegations of wrongdoing and prepares reports to Audit and Risk Management Committee and Executive Management on allegations received, investigations performed, results of investigations, and actions pursuant to the investigations.
• engages external contractors to increase the scope of the internal audit, when necessary, or to perform specialized projects.
• provides advice when policies and procedures, financial and administrative systems, organizational structures and other related administrative activities are being reviewed.
• provides advice on the design of new processing systems and/or major modifications to existing systems prior to installation to ensure the new system has adequate, effective and efficient controls.
• identifies and considers trends and emerging issues that could impact the University and communicates to the Audit and Risk Management Committee and Executive Management as appropriate.
• develops and presents the budget for special projects and initiatives of the office of internal audit to the Audit and Risk Management Committee and Chief Governance Officer in accordance with the annual internal audit plan.
• meets with the office of the Provincial Auditor on a regular basis to ensure that each other’s activities are coordinated in order to minimize duplication of areas to be audited and/or reviewed.
• coordinates activities with other internal and external providers of assurance and advisory services, where appropriate.
• sends, upon request, internal audit reports and plans to the Provincial Auditor. If other auditors are engaged, the sharing of internal audit reports and plans will be done with the permission of the Chair, Audit and Risk Management Committee, as required.

Consequences for Noncompliance

Recommendations made by the Internal Auditor will be provided to the Administrator responsible for the Faculty/Department to implement and will be required to report progress to address recommendations to Executive Management and the Audit and Risk Management Committee, or reasons for acceptance of risk of non-compliance.  Recommendations that are not implemented or responded to with reasonable resolutions will be provided to the Executive Management and as part of the report to the Audit and Risk Management Committee for possible disciplinary action.

Processes

Internal Audit Process

1. Identify the Faculty/Department for review based on priorities identified in the Board approved work plan.
2. Meet with the Faculty/Department Administrator to explain the process.
3. Request information from Faculty/Department faculty and staff required for the internal audit engagement. 
4. Review information provided to draw a conclusion about compliance with the University’s policies and with government legislation, effectiveness of the internal controls, or other subject matter which is under review.
5. Present recommendations from the internal audit engagement to the Faculty/Department Head for implementation.
6. Provide a report on the recommendations to the Executive Management.
7. Provide a report to the Audit and Risk Management Committee.

Related Information

• Office of Internal Audit Charter
• Audit and Risk Management Committee Terms of Reference
• GOV-022-020 - Safe Disclosure
• Global Internal Audit Standards