ROLE & MISSION:
The University Auditor, established by Article IX of the Bylaws of Cornell University, serves as the Chief Audit Executive and leads the University Audit Office (UAO). The UAO’s responsibilities are established and authorized by the Audit Committee of the Board of Trustees as part of its oversight and governance role.
The UAO serves as the internal auditing function of Cornell University (the University). The UAO is an independent and objective assurance and consulting activity that is guided by a mission to enhance and protect organizational value and improve and University’s operations by providing risk-based and objective assurance, advice, and insight. The UAO assists the University in accomplishing its mission and objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the University’s governance, risk management, and internal control.
The UAO governs itself by following The Institute of Internal Auditors’ (IIA) International Professional Practices Framework (IPPF), which comprises mandatory and recommended elements. The mandatory IPPF guidance consists of the Core Principles for the Professional Practice of Internal Auditing; the International Standards for the Professional Practice of Internal Auditing (Standards), which includes the Definition of Internal Auditing; and the IIA Code of Ethics. This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity’s performance.
In addition to this Charter, the UAO maintains a policy manual and related written procedures, audit management software, knowledge bases, tools, and a website to operationalize the IIA mandatory guidance.
All UAO staff will sign annually a Standards of Conduct Agreement which includes the IIA’s Code of Ethics and information regarding confidentiality and potential conflicts of interest.
The UAO, with accountability for confidentiality and safeguarding records and information, is authorized unrestricted access as needed to any and all University records, administrative data, computer-based logs, emails, systems, assets, physical properties (owned, controlled, or occupied), and personnel pertinent to carrying out its responsibilities. All University employees are expected to cooperate with the UAO in fulfilling its roles and responsibilities, as set forth herein. The UAO will also have direct access to the Audit Committee.
The Chief Audit Executive will report functionally to the Audit Committee Chair and administratively (i.e. day-to-day operations) to the Executive Vice President and Chief Financial Officer (EVP-CFO).
As part of its internal audit oversight responsibilities, the Audit Committee will:
- Approve the UAO charter.
- Approve the risk-based annual internal audit plan.
- Approve the internal audit budget and resource plan.
- Receive routine updates from the Chief Audit Executive on the UAO’s performance relative to its plan and other matters.
- Approve decisions regarding the appointment and removal of the Chief Audit Executive.
- Participate in annual performance appraisal of Chief Audit Executive.
- Make appropriate inquiries of management and the Chief Audit Executive to determine whether there are inappropriate scope or resource limitations.
The Chief Audit Executive will communicate and interact directly with the Audit Committee, including in executive sessions and between Audit Committee meetings as appropriate.
INDEPENDENCE AND OBJECTIVITY:
The UAO will remain free from interference regarding matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude. The Chief Audit Executive will disclose any such interference to senior leadership and the Audit Committee as appropriate.
University auditors will not engage in any activity that could in appearance or fact compromise the independence or objectivity of their positions. UAO professional staff will have no direct operational responsibility or authority over any of the activities, systems, or processes audited/assessed. University employees who join the UAO must not audit/assess activities, systems, or processes over which s/he had responsibility or direct influence within the preceding year.
Internal auditors will exhibit the highest level of professionalism and objectivity in gathering, evaluating, and communicating information about the activity, system, or process being examined. Internal auditors will make reasonable and balanced assessments of all relevant and known circumstances, and will not be unduly influenced by their own interests or by others in forming judgments.
Potential impairments to independence, including conflicts of interest, will be monitored and managed at the individual auditor, engagement, functional, and organizational levels. Annual attestations will be required from all UAO professionals including disclosures of potential conflicts of interest. All identified conflicts affecting UAO professionals will be managed by the Chief Audit Executive as deemed appropriate in the circumstances and consistent with University policy and this Charter.
Where the Chief Audit Executive has or is expected to have roles and/or responsibilities that fall outside of internal auditing, appropriate safeguards such as oversight and monitoring by the Audit Committee must be implemented to limit impairments to independence or objectivity. When independence or objectivity are deemed to be impaired, alternative processes to obtain assurance will be undertaken, including having a third party outside the internal audit activity oversee any assurance engagements for functions over which the Chief Audit Executive has responsibility.
The Chief Audit Executive will confirm to the Audit Committee, at least annually, the organizational independence of the UAO.
The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the University’s governance, risk management, and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve the University’s stated goals and objectives. This includes:
- Conducting internal audits of the University’s financial accounts and records.
- Conducting assurance, advisory, and consulting services related to governance, risk management, and internal control as appropriate for the University.
- Conducting fraud investigations and financial irregularity reviews.
- Monitoring and evaluating the overall effectiveness of risk management, governance, and internal control systems/processes.
- Evaluating risk exposures relating to achievement of the University’s strategic objectives and effectiveness of key operational areas.
- Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
- Evaluating the systems, processes, and internal controls established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the University.
- Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
- Evaluating the effectiveness and efficiency with which resources are employed.
- Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management or the Audit Committee.
- Evaluating and reporting on specific operations or matters at the request of the Audit Committee or senior management.
INTERNAL AUDIT PLAN:
The Chief Audit Executive will submit to senior management and the Audit Committee an annual internal audit plan for review and approval. The internal audit plan will consist of a work schedule as well as budget and resource requirements for the next fiscal year. The Chief Audit Executive will communicate the impact of resource limitations and significant interim changes to the plan to senior management and the Audit Committee.
The internal audit plan will be developed based on a prioritization of identified auditable risks using a risk-based methodology, including input of senior management and the Audit Committee. The Chief Audit Executive will review and adjust the plan, as necessary, in response to changes in the University’s business, operating or regulatory environment, risks, operations, programs, systems, and controls.
REPORTING AND MONITORING:
A written report, memorandum, or equivalent will be prepared by the Chief Audit Executive or designee following the conclusion of each formal UAO audit engagement and will be issued and distributed as deemed appropriate by the Chief Audit Executive. UAO reports will indicate whether the engagement was conducted in accordance with IIA Standards. Internal audit results and management’s planned corrective/mitigation actions along with the responsible parties and target completion dates will be communicated to the responsible senior leadership.
The Chief Audit Executive must communicate to senior management and the Audit Committee any management response to or acceptance of risk that, in the Chief Audit Executive’s judgment, may be unacceptable to the University.
The UAO will follow-up on planned management actions arising from UAO reports. All reported action plans will remain open and subject to ongoing UAO status monitoring and reporting until cleared by the UAO. A summary follow-up report will be provided to senior management and the Audit Committee on a semi-annual basis.
COMPETENCY AND PROFESSIONAL DEVELOPMENT:
UAO professionals and any third parties engaged outside by UAO to conduct assurance or consulting services will have the appropriate competency to conduct the requisite tasks and make appropriately informed judgments for assigned engagements. All UAO professional staff must obtain sufficient continuing professional education (CPE) or equivalent hours/credits to maintain professional certifications, designations, and necessary levels of professional competency and technical knowledge.
QUALITY ASSURANCE AND IMPROVEMENT PROGRAM:
The UAO will maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program includes ongoing quality activities and assessments as well as periodic evaluations of the internal audit activity’s general conformance with the IIA’s IPPF including the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the UAO and identifies opportunities for improvement.
The Chief Audit Executive will communicate to senior management and the Audit Committee on the UAO’s quality assurance and improvement program, including results of ongoing internal assessments and external assessments conducted at least every five years.
UNIVERSITY AUDIT OFFICE CHARTER
Approved this 26th day of January, 2017.