University Audit Office Charter

ROLE & MISSION:

The University Auditor, established by Article XI of the Bylaws of Cornell University, serves as the Chief Audit Executive and leads the University Audit Office (UAO). The UAO’s responsibilities are established and authorized by the Bylaws and the Audit, Risk, and Compliance Committee (ARCC) of the Board of Trustees as part of its oversight and governance role.

The UAO serves as the internal auditing function of Cornell University (the University). The UAO is an independent and objective assurance and consulting activity that is guided by a mission to enhance and protect organizational value and improve the University’s operations by providing risk-based and objective assurance, advice, and insight. The UAO assists the University in accomplishing its mission and objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the University’s governance, risk management, and internal control processes.

PROFESSIONALISM:

The UAO follows The Institute of Internal Auditors’ (IIA) International Professional Practices Framework (IPPF). The mandatory IPPF guidance consists of the Core Principles for the Professional Practice of Internal Auditing; the International Standards for the Professional Practice of Internal Auditing (Standards), which includes the Definition of Internal Auditing; and the IIA Code of Ethics. This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity’s performance.

In addition to this Charter, the UAO maintains a policy manual and related written procedures, audit management and documentation practices, audit knowledge bases, data analytics software and other tools, and a website to operationalize the IIA mandatory guidance.

All UAO staff will sign annually a Standards of Conduct Agreement which includes the IIA’s Code of Ethics and information regarding confidentiality and potential conflicts of interest.

AUTHORITY:

The UAO, with accountability for confidentiality and safeguarding records and information, is authorized unrestricted access as needed to any and all University functions, records, administrative data, computer-based logs, emails, systems, assets, physical properties (owned, controlled, or occupied), and personnel pertinent to carrying out its responsibilities. All University employees are expected to cooperate with the UAO in fulfilling its roles and responsibilities, as set forth herein. The UAO will also have direct access to the ARCC. The UAO is authorized to allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques required to accomplish audit objectives, and issue reports.

ORGANIZATION:

The University Auditor serves at the pleasure of the University President and reports to the Vice President and Chief Risk Officer (VPCRO), who reports functionally to the ARCC Chair. As part of its internal audit oversight responsibilities, the ARCC will:

  • Approve the UAO charter.
  • Approve the risk-based annual internal audit plan.
  • Approve the internal audit budget and resource plan.
  • Receive routine updates from the University Auditor on the UAO’s performance relative to its plan and other matters.
  • Approve decisions regarding the appointment and removal of the University Auditor.
  • Participate in annual performance appraisal of the University Auditor.
  • Make appropriate inquiries of management and the University Auditor to determine whether there are inappropriate scope or resource limitations to the internal audit activities.

The University Auditor will communicate and interact directly with the ARCC, including in executive sessions and between ARCC meetings with the Chair, as appropriate.

INDEPENDENCE AND OBJECTIVITY:

The UAO will remain free from interference regarding matters of audit selection, scope, procedures, frequency, timing, and report content to permit maintenance of a necessary independent and objective mental attitude. The University Auditor will disclose any unresolved interference to senior leadership and the ARCC as appropriate.

University internal auditors will not engage in any activity that could in appearance or fact compromise the independence or objectivity of their positions. UAO professional staff will have no direct operational responsibility or authority over any of the activities, systems, or processes audited/assessed. Accordingly, internal auditors will not develop or implement internal controls, policies or procedures, design or install systems, prepare records, or engage in any other activity that may impair their judgment or independence. University employees who join the UAO will not conduct audit or assurance for activities, systems, or processes over which they had responsibility or direct influence within the preceding year, without appropriate UAO management oversight and independence mitigations.

Internal auditors will exhibit the highest level of professionalism and objectivity in gathering, evaluating, and communicating information about the activity, system, or process being examined. Internal auditors will make reasonable and balanced assessments of all relevant and known facts and circumstances and will take necessary precautions to avoid being unduly influenced by their own interests or by others in forming judgments.

Potential impairments to independence, including conflicts of interest, will be monitored and managed by the University Auditor or ARCC at the individual auditor, engagement, functional, and organizational levels. Annual attestations will be obtained from all UAO professionals including disclosures of potential conflicts of interest. All identified conflicts affecting UAO professionals will be managed by the University Auditor as deemed appropriate in the circumstances and consistent with University policy and this Charter. Conflicts involving the University Auditor will be disclosed to and overseen by the Chief Risk Officer and ARCC.

Where the University Auditor has or is expected to have roles and/or responsibilities that fall outside of internal auditing, appropriate safeguards such as oversight and monitoring by ARCC will be implemented to limit impairments to independence or objectivity. When independence or objectivity are deemed to be impaired, alternative processes to obtain assurance will be undertaken, including having a third party outside the internal audit activity oversee any assurance engagements for functions over which the University Auditor has responsibility.

The University Auditor will confirm to ARCC, at least annually, the organizational independence of the UAO.

RESPONSIBILITY:

The scope of internal auditing encompasses, but is not limited to, objective examinations of evidence for the purpose of providing independent assessments to senior leadership and the ARCC and certain outside parties of the adequacy and effectiveness of the University’s governance, risk management, and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve the University’s stated goals and objectives. This includes:

  • Conducting internal audits of the University’s financial accounts and records.
  • Conducting assurance, advisory, and consulting services related to governance, risk management, information technologies (IT), and internal control as appropriate for the University.
  • Conducting and coordinating fraud investigations and financial irregularity reviews and administering the Cornell Hotline on behalf of the University.
  • Monitoring and evaluating the overall effectiveness of risk management, governance, and internal control systems/processes.
  • Evaluating risk exposures relating to achievement of the University’s strategic objectives and effectiveness of key operational areas.
  • Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
  • Evaluating the systems, processes, and internal controls established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the University.
  • Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
  • Evaluating the effectiveness and efficiency with which resources are employed.
  • Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management or the ARCC.
  • Evaluating and reporting on specific operations or matters at the request of the ARCC or senior management.

The University Auditor also coordinates activities, where possible, and considers relying upon the work of other internal and external audit and assurance resources, and consulting service providers as needed. The UAO may perform advisory and related client service activities, the nature and scope of which will be agreed with the client, provided the UAO does not assume management responsibility.

INTERNAL AUDIT PLAN:

Annually, the University Auditor will submit to senior management and the ARCC the fiscal year risk-based internal audit work plan for review and approval. The internal audit plans will consist of work schedules as well as overall UAO budget and resource requirements for each fiscal year. The internal audit annual plan will be developed based on a prioritization of identified auditable risks using a risk-based methodology, with input from senior management and the ARCC. The University Auditor will communicate the impact of resource limitations to senior management and the ARCC.

The University Auditor will review and adjust the plans, as necessary, in response to changes in the University’s business, operating or regulatory environment, risks, operations, programs, systems, or controls. The University Auditor will communicate significant changes to the plans and rationale for new priorities to senior management and the ARCC.

REPORTING AND MONITORING:

A written report, memorandum, or equivalent will be prepared by the University Auditor or designee following the conclusion of each formal UAO audit engagement. UAO reports will communicate internal audit results and corresponding recommendations and indicate whether the engagement was conducted in accordance with IIA Standards. For each issued report, UAO will obtain management’s planned corrective/mitigation actions with responsible parties and target completion dates.

The University Auditor will communicate any management response to findings or acceptance of risk that, in the University Auditor’s judgment, may be an unacceptable level of residual risk to the University.

The UAO will follow up on planned management actions arising from UAO reports. Action plans will remain open and subject to ongoing UAO status monitoring and reporting until closed by the UAO.

At each Committee meeting, the University Auditor will provide summaries of issued UAO reports and status of follow-up on planned management actions to senior management and the ARCC.

COMPETENCY AND PROFESSIONAL DEVELOPMENT:

UAO professionals and any third parties engaged by UAO to conduct assurance or consulting services will have the appropriate competency to conduct the requisite tasks and make appropriately informed judgments for assigned engagements. UAO professional staff will obtain sufficient continuing professional education or equivalent hours/credits to maintain professional licenses/certifications, designations, and necessary levels of professional competency and technical knowledge.

QUALITY ASSURANCE AND IMPROVEMENT PROGRAM:

The UAO will maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program includes ongoing quality activities and assessments as well as annual internal evaluations and external assessments conducted at least every five years of the internal audit activity’s general conformance with the IIA’s IPPF including the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the UAO and identifies opportunities for improvement.

The University Auditor will communicate to senior management and the ARCC on the UAO’s quality assurance and improvement program, including results of both internal and external assessment activities.

Revised December 2022