ROLE & MISSION
The University Auditor, established by Article IX of the Bylaws of Cornell University (Bylaws), serves as the Chief Audit Executive and leads the University Audit Office (UAO). The UAO’s responsibilities are established and authorized by the Bylaws and the Audit, Risk, and Compliance Committee (ARCC) of the Board of Trustees as part of its oversight and governance role.
The UAO serves as the internal auditing function of Cornell University (the University). The UAO is an independent and objective assurance and consulting activity that is guided by a mission to enhance and protect organizational value and improve the University’s operations by providing risk-based and objective assurance, advice, and insight. The UAO assists the University in accomplishing its mission and objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the University’s governance, risk management, and internal control processes.
The UAO follows The Institute of Internal Auditors’ (IIA) International Professional Practices Framework (IPPF). The mandatory IPPF guidance consists of the Core Principles for the Professional Practice of Internal Auditing; the International Standards for the Professional Practice of Internal Auditing (Standards), which includes the Definition of Internal Auditing; and the IIA Code of Ethics. This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity’s performance.
In addition to this Charter, the UAO maintains a policy manual and related written procedures, audit management and documentation practices, audit knowledge bases, data analytics software and other tools, and a website to operationalize the IIA mandatory guidance.
All UAO staff will sign annually a UAO Standards of Conduct Agreement which includes the IIA’s Code of Ethics and information regarding confidentiality and potential conflicts of interest.
The UAO, with accountability for confidentiality and safeguarding records and information, is authorized unrestricted access as needed to any and all University functions, records, administrative data, computer-based logs, emails, systems, assets, physical properties (owned, controlled, or occupied), and personnel pertinent to carrying out its responsibilities. All University employees are expected to cooperate with the UAO in fulfilling its roles and responsibilities, as set forth herein. The UAO will also have direct access to the ARCC. The UAO is authorized to allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques required to accomplish audit objectives, and issue reports.
The University Auditor serves at the pleasure of the University President, reports directly to the ARCC Chair and administratively (i.e. day-to-day operations) to the Executive Vice President and Chief Financial Officer (EVP-CFO).
As part of its internal audit oversight responsibilities, the ARCC will:
- Approve the UAO Charter.
- Approve the risk-based annual internal audit plan.
- Approve the internal audit budget and resource plan.
- Receive routine updates from the University Auditor on the UAO’s performance relative to its plan and other matters.
- Approve decisions regarding the appointment and removal of the University Auditor.
- Participate in annual performance appraisal of the University Auditor.
- Make appropriate inquiries of management and the University Auditor to determine whether there are inappropriate scope or resource limitations to the internal audit activities.
The University Auditor will communicate and interact directly with the ARCC, including in executive sessions and between ARCC meetings with the Chair, as appropriate.
INDEPENDENCE AND OBJECTIVITY
The UAO will remain free from interference regarding matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude. The University Auditor will disclose any unresolved interference to senior leadership and the ARCC, as appropriate.
University auditors will not engage in any activity that could in appearance or fact compromise the independence or objectivity of their positions. UAO professional staff will have no direct operational responsibility or authority over any of the activities, systems, or processes audited/assessed. Accordingly, internal auditors will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgment or independence. University employees who join the UAO will not conduct audit or assurance for activities, systems, or processes over which they had responsibility or direct influence within the preceding year, without appropriate UAO management oversight and independence mitigations.
Internal auditors will exhibit the highest level of professionalism and objectivity in gathering, evaluating, and communicating information about the activity, system, or process being examined. Internal auditors will make reasonable and balanced assessments of all relevant and known facts and circumstances, and will take necessary precautions to avoid being unduly influenced by their own interests or by others in forming judgments.
Potential impairments to independence, including conflicts of interest, will be monitored and managed by the University Auditor or ARCC at the individual auditor, engagement, functional, and organizational levels. Annual attestations will be obtained from all UAO professionals including disclosures of potential conflicts of interest. All identified conflicts affecting UAO professionals will be managed by the University Auditor as deemed appropriate in the circumstances and consistent with University policy and this Charter.
Where the University Auditor has or is expected to have roles and/or responsibilities that fall outside of internal auditing, appropriate safeguards such as oversight and monitoring by ARCC will be implemented to limit impairments to independence or objectivity. When independence or objectivity is deemed to be impaired, alternative processes to obtain assurance will be undertaken, including having a third party outside the internal audit activity oversee any assurance engagements for functions over which the University Auditor has responsibility. The University Auditor, in addition to UAO responsibilities, also provides project management and assistance to senior leadership and the University Risk Management Council with the University’s Institutional Risk Management (IRM) Program, as approved and overseen by the EVP-CFO and Chair of ARCC.
The University Auditor will confirm to ARCC, at least annually, the organizational independence of the UAO.
The scope of the internal audit function encompasses, but is not limited to, objective examinations of evidence for the purpose of providing independent assessments to senior leadership and the ARCC and outside parties of the adequacy and effectiveness of the University’s governance, risk management, and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve the University’s stated goals and objectives. This includes:
- Conducting internal audits of the University’s financial accounts and records.
- Conducting assurance, advisory, and consulting services related to governance, risk management, information technologies (IT), and internal control as appropriate for the University.
- Conducting and coordinating fraud investigations and financial irregularity reviews, and administering the Cornell Hotline on behalf of the University.
- Monitoring and evaluating the overall effectiveness of risk management, governance, and internal control systems/processes.
- Evaluating risk exposures relating to achievement of the University’s strategic objectives and effectiveness of key operational areas.
- Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
- Evaluating the systems, processes, and internal controls established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the University.
- Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
- Evaluating the effectiveness and efficiency with which resources are employed.
- Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters as needed or requested by senior management or the ARCC.
- Reporting certain financial irregularities to the ARCC, including any involving $50,000 or more and those involving senior leadership or members of the Board of Trustees or Weill Cornell Medicine Board of Overseers.
- Evaluating and reporting on specific operations or matters at the request of the ARCC Committee or senior management.
The University Auditor also coordinates activities, where possible, and considers relying upon the work of other internal and external audit and assurance resources, and consulting service providers as needed. The UAO may perform advisory and related client service activities, the nature and scope of which will be agreed with the client, provided the UAO does not assume management responsibility.
INTERNAL AUDIT PLAN
The University Auditor will submit to senior management and the ARCC an annual internal audit plan for review and approval. The internal audit plan will consist of a work schedule as well as budget and resource requirements for the next fiscal year. The internal audit plan will be developed based on a prioritization of identified auditable risks using a risk-based methodology, with input from senior management and the ARCC. The University Auditor will communicate the impact of resource limitations to senior management and the ARCC.
The University Auditor will review and adjust the plan, as necessary, in response to changes in the University’s business, operating or regulatory environment, risks, operations, programs, systems, and controls. The University Auditor will communicate significant interim changes to the plan to senior management and the ARCC.
REPORTING AND MONITORING
A written report, memorandum, or equivalent will be prepared, issued, and distributed as deemed appropriate by the University Auditor or designee following the conclusion of each formal UAO audit engagement. UAO reports will indicate whether the engagement was conducted in accordance with IIA Standards. Internal audit results and management’s planned corrective/mitigation actions with responsible parties and target completion dates will be communicated to the responsible senior leadership and the ARCC
The University Auditor will communicate any management response to findings or acceptance of risk that in the University Auditor’s judgment may be an unacceptable level of risk to the University.
The UAO will follow-up on planned management actions arising from UAO reports. All reported action plans will remain open and subject to ongoing UAO status monitoring and reporting until closed by the UAO. Semi-annual summary follow-up report will be provided to senior management and the ARCC on a semi-annual basis.
COMPETENCY AND PROFESSIONAL DEVELOPMENT
UAO professionals and any third parties engaged by UAO to conduct assurance or consulting services will have the appropriate competency to conduct the requisite tasks and make appropriately informed judgments for assigned engagements. UAO professional staff will obtain sufficient continuing professional education or equivalent hours/credits to maintain professional certifications, designations, and necessary levels of professional competency and technical knowledge.
QUALITY ASSURANCE AND IMPROVEMENT PROGRAM
The UAO will maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program includes ongoing quality activities and assessments as well as periodic evaluations of the internal audit activity’s general conformance with the IIA’s IPPF including the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the UAO and identifies opportunities for improvement.
The University Auditor will communicate to senior management and the ARCC on the UAO’s quality assurance and improvement program, including results of ongoing internal assessments and external assessments conducted at least every five years.
UNIVERSITY AUDIT OFFICE CHARTER
Approved this 14th day of June, 2018:
Chair of the Audit, Risk, and Compliance Committee
University Auditor, Chief Audit Executive