Internal Auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of Central Michigan University. It assists Central Michigan University in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the university's governance, risk management, and internal control.
The function of internal audit is established at Central Michigan University to assist the Board of Trustees in fulfilling its responsibility for continuing oversight of the management of the university and to be of service to all levels of management of the university. The position of Director of Internal Audit is established and assigned responsibility for conduct of the university internal audit function. The Audit Committee Chair must concur in the appointment or removal of the Director of Internal Audit.
Internal audit shall be an independent appraisal function to examine and evaluate the activities of the university. The objective is to assist officers and employees of the university in the proper discharge of their responsibilities by providing analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed.
The Internal Audit Department will govern itself by adherence to The Institute of Internal Auditors' mandatory guidance including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the Internal Audit Department's performance.
The Institute of Internal Auditors' Practice Advisories, Practice Guides, and Position Papers will also be adhered to as applicable to guide operations. In addition, the Internal Audit Department will adhere to Central Michigan University's relevant policies and procedures and the Internal Audit Department's standard operating procedures manual.
It is the intention of the Board that the Director of Internal Audit shall have access to the Audit Committee at any time with regard to matters affecting conduct of the internal audit function; that the Director of Internal Audit shall provide a report on his/her activities directly to the Audit Committee or its Chair describing the current status of work toward the goals of the annual audit plan; that the Director of Internal Audit shall be present to advise the Audit Committee, as may be appropriate, when the external auditor presents its audit results to the committee; and that the Director of Internal Audit, with strict accountability for confidentiality and safeguarding records and information, shall have full access to all of the university records, properties, and personnel relevant to the subject under review.
The Director of Internal Audit, in the performance of his/her duties, shall report administratively to the President and functionally to the Board Chair through the Board's Audit Committee.
The Board will:
- Approve the internal audit charter.
- Make appropriate inquiries of management and, through the Audit Committee, the Director of Internal Audit to determine whether there are inappropriate scope or resource limitations.
The Director of Internal Audit will communicate and interact with the Board through the Audit Committee:
- In executive sessions and between Board meetings as appropriate.
- On the Internal Audit Department's performance relative to its plan and other matters affecting conduct of the internal audit functions.
Independence and Objectivity
The Internal Audit Department will remain free from interference by any element in the university, including matters regarding audit selection, scope, procedures, frequency, timing or report content to permit maintenance of a necessary independent and objective mental attitude.
No member of internal audit shall have authority or responsibility over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair the internal auditor's judgment.
Internal auditors will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors will make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
The Director of Internal Audit will confirm to the Board, at least annually, the organizational independence of the Internal Audit Department.
The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the university's governance, risk management, and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve the university's stated goals and objectives.
While the approved annual audit plan shall prescribe assignment priorities for the Director of Internal Audit, he/she shall be concerned with any phase of institutional activity where the internal audit function may provide a beneficial service to management. This management service involves going beyond the accounting and financial records to obtain a full understanding of the operations under review and will require the following activities:
- Examination of transactions for accuracy and compliance with institutional policies.
- Evaluation of financial and operational procedures for adequate and effective internal controls and safeguarding of assets.
- Testing of the timeliness, reliability, and usefulness of institutional records and reports.
- Evaluation of the economical and efficient use of resources.
- Monitoring the development and implementation of methods, systems, procedures, and major revisions to them, including those pertinent to computer applications.
- Evaluation and monitoring of the computer center's system of internal control to ensure adequate security and controls related to hardware, software, data, and operating personnel; and to ensure retrieval of necessary data for audit purposes.
- Determination of the level of compliance with required internal policies and procedures, state and federal laws, and government regulations; and appraisal of the effectiveness and appropriateness of internal policies and procedures under current conditions.
- Program performance evaluation.
- Liaison with external auditors.
The Director of Internal Audit may use external service providers to supplement existing in-house Internal Audit functions or provide expert knowledge to help execute certain areas of the audit plan. The Director of Internal Audit will retain oversight of all outsourced arrangements.
Internal Audit Plan
An audit plan shall be prepared by the Director of Internal Audit each year to establish the general scope of audit coverage and the cycle of the plan shall coincide with the fiscal year of the university. Further, the development of the audit plan should include a two-year plan for scheduling audits of university departments and activities. In addition to the audit plan, the Director of Internal Audit shall develop a five-year goal plan.
The internal audit plan will be developed based on a prioritization of the audit universe using a risk-based methodology, including input of senior management and the Board, and the external auditor. The audit plan shall be implemented by the Director of Internal Audit upon approval by the audit committee, which approval shall occur no later than July of each fiscal year. The Director of Internal Audit will review and adjust the plan, as necessary, in response to changes in the university's business, risks, operations, programs, systems, and controls. Midyear modifications to the plan are subject to the approval of the audit committee. A formal, written program shall be prepared for each audit included in the annual plan.
Reporting and Monitoring
A written report will be prepared and issued by the Director of Internal Audit or designee following the conclusion of each internal audit engagement and will be distributed as follows:
- Chair, Board of Trustees
- Board Audit Committee
- Vice President of the audit area
- Director/Dean of the audit area
- Manager/department head of the audit area
- Members of the Board of Trustees upon request
Internal audit reports containing items concerning internal control will also be distributed to the vice president for finance and administrative services.
The internal audit report may include management's response and corrective action taken or to be taken in regard to the specific findings and recommendations. Management's response, whether included within the original audit report or provided thereafter (i.e., within thirty days) by management of the audited area, should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented.
The Internal Audit Department will be responsible for appropriate follow-up on engagement findings and recommendations.
The Director of Internal Audit will periodically report to senior management and the Board on the Internal Audit Department's purpose, authority, and responsibility, as well as performance relative to its plan. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the Board.
Quality Assurance and Improvement Program
The Internal Audit Department will maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program will include an evaluation of the Internal Audit Department's conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the Internal Audit Department and identifies opportunities for improvement.
The Director of Internal Audit will communicate to senior management and the Board on the Internal Audit Department's quality assurance and improvement program, including results of ongoing internal assessments and external assessments conducted at least every five years.
This Charter was approved December 17, 2015.