Purpose
The University Auditor, established by Article XI of the Bylaws of Cornell University (Bylaws), serves as the Chief Audit Executive and leads the University Audit Office (UAO). The UAO’s responsibilities are established and authorized by the Bylaws and the Audit, Risk, and Compliance Committee (ARCC) of the Board of Trustees as part of its oversight and governance.
The UAO serves as the internal auditing function of Cornell University (the University). The purpose of the UAO is to strengthen the University’s ability to create, protect, and sustain value by providing the ARCC and management with independent, risk-based, and objective internal audits, assurance, investigations, and advisory services. The UAO enhances the University’s:
- Successful achievement of its mission and objectives.
- Governance, risk management, and internal control processes.
- Decision-making and oversight.
- Reputation and credibility with its stakeholders.
- Ability to serve the public interest.
Commitment to Adhering to the Global Internal Audit Standards
The UAO adheres to the mandatory elements of The Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF), which are the Global Internal Audit Standards (the “Standards”) and Topical Requirements. The UAO will report annually to the ARCC and senior management regarding UAO’s conformance with the Standards, which will be assessed through a quality assurance and improvement program.
In addition to this Charter, the UAO maintains a policy manual and related written procedures, audit management and documentation practices, audit knowledge bases, data analytics software and other tools, and websites to operationalize UAO functional activities and IIA mandatory guidance.
Mandate
Authority
The ARCC grants the UAO the mandate to provide the ARCC and senior management with objective assurance, advice, insight, and foresight when conducting internal audits, assurance, investigations or advisory services (all collectively “internal audit services”). The UAO’s authority is created by its direct reporting relationship to the ARCC. Such authority allows for unrestricted access to the ARCC. The ARCC authorizes the UAO to:
- Have full and unrestricted access to all functions, data, records, information, physical property, and personnel pertinent to carrying out internal audit responsibilities. Internal auditors are accountable for confidentiality and safeguarding records and information.
- Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques, and issue communications to accomplish the function’s objectives.
- Obtain assistance from the necessary personnel of the University and other specialized services from within or outside the University to complete internal audit services.
Circumstances may justify a follow-up discussion between the University Auditor, ARCC, and senior management on the internal audit mandate or other aspects of the internal audit charter. Such circumstances include but are not limited to:
- A significant change in the Global Internal Audit Standards.
- A significant acquisition or reorganization within the organization.
- Significant changes in the UAO, ARCC, or senior management.
- Significant changes to the organization’s strategies, objectives, risk profile, or the environment in which the organization operates.
- New laws or regulations that may affect the nature and/or scope of internal audit services.
Independence, Organizational Position, and Reporting Relationships
The University Auditor is appointed and serves pursuant to the University Bylaws and consistent with the ARCC’s Operating Principles and Practices. The University Auditor reports functionally to the ARCC and administratively to the Vice President and Chief Risk Officer (VPCRO) and shall have the authority to make specific reports directly to senior leadership, the President, the ARCC, and/or Executive Committee. The University Auditor will communicate and interact directly with the ARCC, including in executive sessions and between ARCC meetings with the Chair, as appropriate. This positioning provides the organizational authority and status to perform internal audit services and responsibilities effectively and to bring matters directly to senior management and escalate matters to the ARCC, when necessary, without interference, thereby establishing the independence of the UAO and supporting internal auditors’ ability to maintain objectivity.
The University Auditor will confirm to the ARCC, at least annually, the organizational independence of the UAO along with any factors limiting UAO’s independence and any safeguards employed. The University Auditor will disclose to the ARCC any interference internal auditors encounter related to the scope, performance, or communication of internal audit work and results. The disclosure will include communicating the implications of such interference on UAO’s effectiveness and ability to fulfill its mandate.
Scope and Types of Internal Audit Services
The scope of internal audit services covers the entire breadth of the organization, including all of the University’s activities, assets, and personnel. Internal audit activities encompass but are not limited to objective examinations of evidence to provide independent internal audits, assurance, investigations or advisory services to the ARCC and/or management on the adequacy and effectiveness of governance, risk management, and internal control processes as well as the quality of performance in carrying out assigned responsibilities to achieve the University’s stated goals and objectives. This includes:
- Internal audits, assurance, investigations or advisory services related to governance, risk management, compliance, and internal control as appropriate for the University.
- Specific operations or matters at the request of the ARCC or senior management.
- Conducting and coordinating financial irregularity investigations.
- Administering the Cornell Hotline on behalf of the University.
As part of the services provided, the UAO may evaluate:
- Risk exposures relating to achievement of the University’s objectives and effectiveness of key operational areas.
- Reliability and integrity of information and the means used to identify, measure, classify, and report such information.
- Systems, processes, and internal controls established to ensure compliance with those policies, plans, agreements, procedures, laws, and regulations which could have a significant impact on the University.
- The means of safeguarding assets, verifying the existence of such assets, and appropriate institutional data access, availability, integrity, security and privacy.
- The effectiveness and efficiency with which resources are employed.
Internal audit engagements may include evaluating whether:
- Risks relating to the achievement of the University’s strategic objectives are appropriately identified and managed.
- The actions of the University’s officers, directors, management, employees, and contractors comply with University policies and procedures, and applicable laws, regulations, and governance standards.
- Results of operations and programs are consistent with established goals and objectives.
- Operations and programs are being carried out effectively and efficiently.
- Established processes and systems enable compliance with the policies, procedures, laws, and regulations that could significantly impact the University.
- The integrity of information and the means used to identify, measure, analyze, classify, and report such information is reliable.
- Resources and assets are acquired economically, used efficiently and sustainably, and protected adequately.
The UAO may perform advisory and related client service activities, the nature and scope of which will be agreed with the client, provided the UAO does not assume management responsibility. Opportunities for improving the efficiency of governance, risk management, and internal controls may be identified during advisory engagements. These opportunities will be communicated to the appropriate level of management.
ARCC Oversight
To ensure that the University’s internal audit function has sufficient authority to fulfill its duties, the ARCC will provide oversight as delineated in its Operating Principles and Practices.
Chief Audit Executive Roles and Responsibilities
Ethics and Professionalism
The University Auditor will ensure that internal auditors:
- Conform with the Global Internal Audit Standards, including the principles of Ethics and Professionalism: integrity, objectivity, competency, due professional care, and confidentiality.
- Understand, respect, meet, and contribute to the legitimate and ethical expectations of the organization and be able to recognize conduct that is contrary to those expectations.
- Encourage and promote an ethics-based culture in the organization.
- Report organizational behavior that is inconsistent with the organization’s ethical expectations, as described in applicable policies and procedures.
All UAO staff will complete annually a Conduct, Confidentiality and Conflicts Attestation which includes the requirements in the Ethics and Professionalism domain of the Standards.
Objectivity
The University Auditor will ensure that UAO remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of engagement selection, scope, procedures, frequency, timing, and communication. If the University Auditor determines that objectivity may be impaired in fact or appearance, the details of the impairment will be disclosed to senior leadership and the ARCC as appropriate.
Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively such that they believe in their work product, do not compromise quality, and do not subordinate their judgment on audit matters to others, either in fact or appearance. Potential impairments to independence, including conflicts of interest, affecting UAO professionals will be monitored and managed by the University Auditor at the individual auditor, engagement, functional, and organizational levels, as deemed appropriate in the circumstances and consistent with University policies and this Charter.
UAO professional staff will have no direct operational responsibility or authority over any of the activities they review. Accordingly, internal auditors will not implement internal controls, develop procedures, install systems, or engage in other activities that may impair their judgment, including:
- Assessing specific operations for which they had responsibility within the previous year.
- Performing operational duties for the University or its affiliates.
- Initiating or approving transactions external to the UAO.
- Directing the activities of any University employee that is not employed by the UAO, except to the extent that such employees have been appropriately assigned to internal audit teams or to assist internal auditors.
Internal auditors will:
- Disclose impairments of independence or objectivity, in fact or appearance, to the University Auditor and others as appropriate.
- Exhibit professional objectivity in gathering, evaluating, and communicating information.
- Make balanced assessments of all available and relevant facts and circumstances.
- Take necessary precautions to avoid conflicts of interest, bias, and undue influence.
Where the University Auditor has or is expected to have roles and/or responsibilities that fall outside of internal auditing, appropriate safeguards such as oversight and monitoring by the ARCC will be implemented to limit impairments to independence or objectivity. When independence or objectivity are deemed to be impaired, alternative processes to obtain independence will be undertaken, including having a third party outside the internal audit activity oversee any internal audits, assurance, investigations or advisory engagements for functions over which the University Auditor has responsibility. Conflicts involving the University Auditor will be disclosed to and overseen by the VPCRO and ARCC.
Managing the UAO
The University Auditor has the responsibility to:
- At least annually, develop a risk-based internal audit plan that considers the input of the ARCC and senior management. Discuss the plan with the ARCC and senior management and submit the plan to the ARCC for review and approval. The internal audit plan will consist of work schedules as well as overall UAO budget and resource requirements for each fiscal year. The internal audit annual plan will be developed based on prioritization of identified auditable risks using a risk-based methodology, with input from senior management and the ARCC. Where circumstances warrant, certain internal audit activities may be conducted on a co-sourced basis with a third-party professional services firm, subject to approval of the ARCC.
- Communicate the impact of resource limitations on the internal audit plan or other UAO functional activities to the ARCC and senior management. Engage third-party professional services firms to provide internal audit resource augmentation as may be required to fulfill the internal audit mandate and complete necessary internal audit functional activities, including the approved annual internal audit plan and investigations.
- Review and adjust the internal audit plan, as necessary, in response to changes in the University’s business, risks, operations, programs, systems, and controls.
- Communicate with the ARCC and senior management if there are significant interim changes to the internal audit plan and rationale for new priorities.
- Ensure internal audit engagements are performed, documented, and communicated in accordance with the Global Internal Audit Standards.
- Follow up on engagement findings and confirm the implementation of recommendations or action plans and communicate the results of internal audit services to the ARCC and senior management.
- Ensure UAO collectively possesses or obtains the knowledge, skills, and other competencies needed to meet the requirements of the Standards and fulfill the internal audit mandate.
- Identify and consider trends and emerging issues that could impact the University and communicate to the ARCC and senior management as appropriate.
- Consider emerging trends and successful practices in internal auditing.
- Establish and ensure adherence to methodologies designed to guide UAO functional activities.
- Ensure adherence to the University’s relevant policies and procedures unless such policies and procedures conflict with the internal audit charter or the Standards. Any such conflicts will be resolved or documented and communicated to the ARCC and senior management.
- Coordinate activities and, where possible, consider relying upon the work of other internal and external providers of audit, assurance and advisory services. If the University Auditor cannot achieve an appropriate level of coordination, the issue must be communicated to senior management and, if necessary, escalated to the ARCC.
The UAO assists management and governance in the oversight and assessment of external auditors. The UAO is not responsible for the fair presentation of the university’s financial statements, which are the responsibility of management and the independent external auditors (third-party CPA firms) engaged by the university for such purposes. As part of the UAO’s functional activities and pursuant to university policy, the University Auditor has the authority to engage third-party financial statement auditors, which shall be done in consultation with management and, for the university’s independent external auditors, with the express approval of the ARCC, as per the ARCC Operating Principles and Practices.
Communication with the ARCC and Senior Management
A written report, memorandum, or equivalent will be prepared by the University Auditor or designee following the conclusion of each formal UAO audit engagement. UAO reports will indicate whether the engagement was conducted in accordance with Global Internal Audit Standards. Internal audit results and recommended mitigation actions will be communicated to the responsible unit and senior leadership.
The University Auditor will communicate to the ARCC, President, and senior management any management response to findings or acceptance of risk that, in the University Auditor’s judgment, may be an unacceptable level of residual risk that is beyond the risk appetite of the University.
The UAO will follow up on management action plans arising from UAO reports with responsible parties. Action plans will remain open and subject to reporting until closed by the UAO.
At each Committee meeting, the University Auditor will provide to senior management and the ARCC summaries of issued UAO reports and status of management action plans, focusing on high-risk observations.
The University Auditor will report periodically to the ARCC and senior management regarding significant risk exposures and control issues, including fraud risks, governance issues, and other areas of focus for the board.
Quality Assurance and Improvement Program
The University Auditor will develop, implement, and maintain a quality assurance and improvement program that covers all aspects of the UAO. The program will include internal and external assessments of UAO’s conformance with the Global Internal Audit Standards, including plans to address any identified deficiencies and opportunities for improvement, as well as assessment of UAO’s achievement of its objectives and promotion of continuous improvement. The program also will assess compliance with applicable laws and/or regulations relevant to internal auditing.
Annually, the University Auditor will communicate with the ARCC and senior management about UAO’s quality assurance and improvement program, including the results of internal assessments (ongoing monitoring and periodic self-assessments) and external assessments. External assessments will be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the University, consistent with the Standards.
Competency and Professional Development
UAO professionals and any third parties engaged by UAO to conduct internal audits, assurance, investigations or advisory services will have the appropriate competency to conduct the requisite tasks and make appropriately informed judgments for assigned engagements. UAO professional staff will obtain sufficient continuing professional education or equivalent hours/credits to maintain professional licenses/certifications, designations, and necessary levels of professional competency and technical knowledge.
* * * * *
Approved by the ARCC at its meeting on March 20, 2025.
Mark Perry
University Auditor and Chief Audit Executive
Robert Selander
Chair of the Audit, Risk and Compliance Committee
Aditya Misra
Vice President and Chief Risk Officer
