I. Organization and Membership
The purpose of the Audit, Risk & Compliance Committee (the “Committee”) is to serve as the representative of the Board of Trustees (the “Board”) in meeting certain of the university’s statutory and fiduciary obligations.
- The Committee has principal oversight responsibility for management’s system of internal controls; controls over external financial reporting; internal and external audit processes; key compliance functions; institutional ethics and conflicts of interest and commitment processes; cybersecurity and privacy programs; and the institutional risk management program.
- The Committee shall consist of trustees, Weill Cornell Medicine fellows (non-voting) and emeritus trustees (non-voting) to be elected by the Board, none of whom may simultaneously be a member of the Investment Committee, together with the Chairperson of the Board as ex-officio member. A majority of the voting membership shall constitute a quorum.
- All members of the Committee shall be free from any relationship that, in the opinion of the Board or its designated Committee on Conflicts, would interfere with the exercise of his or her independent judgment as a member of the Committee.
- The Committee on Board Composition and Governance shall seek to include members on the Committee that possess experience in financial management and not-for-profit organizations, including an understanding of generally accepted accounting principles and internal controls, information technology (IT) and cybersecurity and privacy, risk management, and compliance.
- The Committee may delegate authority to a Sub-Committee which shall act on behalf of the Committee in fulfilling its oversight responsibilities. The approval of the Sub-Committee’s charter shall be construed as a delegation of authority to the Sub-Committee with respect to the responsibilities defined in the charter.
- The Vice President and Chief Risk Officer staffs the Committee and shall have a functional reporting role to the Committee (reporting administratively to the Executive Vice President and Chief Financial Officer). This position serves as a key advisor responsible for compliance, enterprise risks, internal audit, privacy, and risk management functions of the University.
II. Meetings
- The Committee will meet at least four times per year. Optional meetings may be held at the request of the Chairperson or other members of the Committee.
- Regular participants of the Committee meetings include the University President, the University Provost, the Executive Vice President and Chief Financial Officer, Vice President and General Counsel, Deputy General Counsel and Secretary for Weill Cornell Medicine, the Vice President and Chief Risk Officer, the Dean and Provost for Weill Cornell Medicine, the Chief Financial Officer of Weill Cornell Medicine, the Chief Operating Officer of Weill Cornell Medicine, the University Auditor, the Chief Compliance and Privacy Officer – Ithaca, the Chief Compliance and Privacy Officer – Weill Cornell Medicine, the University Controller, and the independent external auditors. Other individuals may attend and participate in the meetings as invited guests of the Committee or university management.
- Minutes of the Committee shall be prepared and distributed to Committee members for approval at the next regular Committee meeting. Meetings and meeting materials shall be private to Committee members and regular participants.
- At each regular meeting, the Committee shall meet separately in Executive Session with University management (President and Chief Financial Officer), Vice President and General Counsel, independent external auditors, Vice President and Chief Risk Officer, University Auditor and others as may be requested or invited by the Committee.
III. Authorities and Responsibilities
- As stipulated in the university’s bylaws, the Committee shall assist the Board in its oversight of the:
  - Approval of the audited consolidated financial statements.
  - Adequacy of the system of internal controls and financial reporting practices.
  - Appointment of the independent external auditors.
  - Internal audit function.
  - Institutional Risk Management program.
  - Compliance and Privacy programs.
  - Information Security and Cybersecurity program.
  - Risk Management and Insurance program; and
  - Policy on conflicts of interest and commitment.
- The Committee shall have the following authorities and responsibilities in its oversight function:
A. General
- To develop and maintain free and open means of communication among the Committee, the Board, the university’s independent external auditors, the Vice President and Chief Risk Officer, the University Auditor, the University and Weill Cornell Medicine Compliance Officers, responsible executives, and the financial and general management of the university.
- To engage independent counsel or other advisors, as necessary, at the expense of the university to undertake investigations within the scope of its duties.
- To perform any other activities as the Committee deems appropriate, or as requested by the Board, consistent with these Operating Principles and Practices and the university bylaws.
- To review and reassess the adequacy of these Operating Principles and Practices annually and recommend any proposed substantive changes to the Board for approval.
- To present to the Board an annual report of the Committee’s activities and a self-evaluation of the Committee’s performance. The Chair shall provide periodic reports to the Board as required.
- To review annually changes in legislation and regulation that may affect the requirements relating to financial statement presentation or controls.
B. Financial Statements and Internal Controls
- To review and approve the annual audited financial statements on behalf of the Board of Trustees. It is not the responsibility of the Committee to determine that the university’s financial statements and disclosures are complete and accurate or are in accordance with generally accepted accounting principles (GAAP) or applicable rules and regulations. These are the responsibilities of management and the independent external auditors. The responsibility of the Committee is oversight and governance.
- To review and approve the annual Financial Statements Audit Plan, including general scope, risk assessment methodology, engagement letter and fees.
- To review the results of financial audits or examinations conducted by governmental agencies, external auditors or consultants engaged for specific purposes, and other outside authorities.
- To review disclosures of all material off-balance sheet arrangements.
- To review and approve the federal 990 tax return.
- To review and approve the annual Uniform Guidance audit report.
- To review an annual report on the processes in place for determining the adequacy of internal controls over financial reporting and other financial systems. The review shall include an examination of any material changes or deficiencies in such controls.
C. Independent External Auditors
- To recommend the appointment, compensation, extension and termination of the university’s independent external auditors. The independent external auditors shall report directly to the Committee.
- To meet with the independent external auditors without others present in Executive Session at every Committee meeting to discuss any items the external auditors or the Committee requests.
- To meet annually with the independent external auditors before commencing annual audits to review the general scope, risk assessment methodology and procedures of the financial statements audit, to discuss areas where the Committee may desire special emphasis, and to evaluate the approach for testing the internal control structure.
- To review at least annually:
  - Critical accounting policies and practices used in the audit.
  - Alternative treatments of financial information within GAAP that have been discussed with university management, ramifications of the use of such alternative disclosure and treatments, and the treatment preferred by the independent external auditors; and
  - Other material written communication between the independent external auditors and university management, such as any management letter and schedule of unadjusted differences.
- To review annually the performance of the independent external auditors, and to discuss annually the independence of the independent external auditors by reviewing a written communication issued by the auditors and discussing any disclosed relationships that may impact the auditor’s objectivity and independence, in accordance with applicable laws, rules and regulations.
- To review with the independent external auditors and university management any problems or difficulties encountered in the course of their audit work.
- To address any unresolved disputes between university management and the independent external auditors.
- To ensure the appropriate appointment and rotation of the lead (signing) partner.
- To approve, prior to action of the Executive Committee, all hiring of employees or former employees of the university’s independent external auditors into senior financial officer positions within one year of their employment with the independent external auditors. The Committee shall be notified by the Executive Committee of all such appointments if the period is greater than one year.
- To review and approve the Audit, Risk & Compliance Committee Pre-Approval Policy for Audit and Non-Audit Services Provided by Independent External Auditors.
- To ensure that independent external auditors are prohibited from performing the following non-audit services, as established in the Audit, Risk & Compliance Committee Pre-Approval Policy for Audit and Non-Audit Services Provided by Independent External Auditors:
  - Bookkeeping or other services related to the accounting records or financial statements of the university.
  - Financial information systems design and implementation.
  - Appraisal or valuation services, fairness opinions, or contribution-in-kind reports.
  - Actuarial services.
  - Internal audit outsourcing services.
  - Management functions or human resources.
  - Broker or dealer, investment adviser, or investment banking services.
  - Legal services and expert services unrelated to the audit; and
  - Any service that the Committee has not approved.
D. Internal Audit Function
- To advise the President on the appointment, evaluation and compensation of the University Auditor. The Committee shall collaborate with senior management to determine the qualifications and competencies the organization expects in a University Auditor and collaborate with the Vice President and Chief Risk Officer to review the University Auditor’s performance annually. In recognition of the University Auditor’s responsibilities and relationship to the Committee, the President will seek concurrence of the Committee if the judgment is to terminate the appointment of the Auditor. In the event the President and the Committee disagree, the matter will be referred to the Executive Committee for review and determination.
- To annually review and approve the Internal Audit Charter including authority, mandate, and the scope and types of internal audit services.
- To review the activities, organizational structure, staffing, and qualifications of the internal audit function, its conformance with the Global Internal Audit Standards, and its ongoing quality assurance and improvement program results annually.
- To review and approve the risk-based annual internal audit plan and review the internal audit risk assessment used to develop the annual plan, to receive communications about performance relative to the internal audit annual plan, and to review any significant interim changes to the annual plan throughout the year.
- To review reports with respect to review of the operations of the university and the systems of internal controls and management’s responses thereto.
- To ensure the organizational independence of the internal audit function at least annually, review and approve the annual operating budget and resource plan of the internal audit function and monitor roles of the University Auditor outside of internal auditing to ensure independence and objectivity, implementing alternative processes such as third-party oversight if impairments are identified.
- To ensure the University Auditor has unrestricted access to and communicates and interacts directly with the Committee, to discuss cooperation provided during internal audits, limitations as to scope-restricted access to information, adequacy of audit resources, and any other matters important in maintaining the independence and functional capabilities of the Internal Audit function.
- To receive notification of:
  - All financial irregularities greater than $50,000.
  - Any irregularity deemed of interest to the Committee; and
  - Any irregularity involving a member of the Board of Trustees, Board of Fellows, an officer or an individual with significant influence over internal controls.
- To oversee and evaluate the effectiveness of the established university procedures for the confidential or anonymous submission, receipt, retention, treatment and investigation of reported concerns of potential violations of university policies or the law received via the Cornell Hotline and other channels, excluding Silent Witness Program reports pertaining to potentially criminal matters that are handled directly by the Cornell University Police Department. Such oversight shall include:
  - Reviewing the status of reported concerns and other substantive investigations on a quarterly basis.
  - Reviewing reports of retaliation or intimidation for good faith participation.
E. Institutional Risk Management Program
- To review on an annual basis the Institutional Risk Management Program related to the identification, assessment, mitigation, and monitoring of risks to achieve the University’s mission and goals.
- To ensure risks identified as high or significant risks are regularly reviewed and discussed at the Institutional Risk Council (comprising senior leaders of the University) and the Committee to drive critical risk-mitigation strategies that effectively balance risks and the University’s mission.
F. Compliance and Privacy Program
- The Committee assists the Board in fulfilling its fiduciary responsibilities relating to compliance with applicable laws, regulatory requirements and policies.
- To obtain reasonable assurances from management that the university is in compliance with pertinent laws and regulations and is maintaining effective controls pertaining to employee and Board member conflict of interest and fraud.
- To review and approve the annual Compliance and Privacy program/plan.
- To review and approve the annual Clinical Compliance Program related to Weill Cornell Medicine. The program shall include the Professional Billing Compliance Program.
- To periodically receive reports about performance relative to the annual compliance and privacy program/plans, and to review any significant interim changes to the annual plan throughout the year.
- To receive updates on the design, implementation, and results of any internal or external audits as well as any compliance and privacy program reviews.
- To review annually the organizational structure and the adequacy of staffing and qualifications of the Compliance and Privacy functions.
G. Information Security and Data Privacy Program
- To review practices, procedures, and controls that management uses to identify, assess, and manage its Information Security and Data Privacy Programs.
- To receive regular reports on any issues that arise with respect to the performance, quality, or integrity of the institution’s Information Security or Data Privacy Programs, compliance with legal or regulatory requirements, or any other matter.
- To review periodic reports on the state of the university’s overall information security risk posture; information security and data protection risk assessments; incident response plans; and changes to related policies.
- To review and assess the impact of new and emerging regulations and cyber threats on information technology assets and infrastructure, university policies, and security practices.
- To review periodically the IT recovery and contingency capabilities in response to potential university-wide emergencies, distributed cyber-attacks, or unforeseen disruptions in core technology-dependent services.
- To receive reports relating to cybersecurity and data protection priorities based, in part, on assessing risk associated with various perceived threats and vulnerabilities and compliance requirements.
- To review annually the appropriateness and adequacy of the university’s cyber-insurance coverage.
H. Risk Management and Insurance Program
- To review the insurance portfolio to align with the organization’s overall risk management strategy with the aim of reducing potential losses through risk mitigation, risk transfer, and risk financing strategies.
- To review and approve the annual insurance policy coverage and premiums to ensure they are appropriate and aligned with the risk profile.
- To review reports on claims management to ensure claims are handled effectively and efficiently.
I. Conflict of Interest and Commitment
- To review periodically and determine the adequacy of, and to approve all proposed revisions and amendments to:
  - University Policy 4.6 Standards of Ethical Conduct.
  - University Policy 4.14 Conflicts of Interest and Commitment; and
  - University Policy 1.7 Financial Conflict of Interest Related to Research.
- To review periodically the University’s procedures related to disclosure and management of Conflicts of Interest and Commitment.
Other Matters
- To review the results of all financial, compliance, statutory or other audits or examinations conducted by governmental agencies, external auditors or consultants engaged for specific purposes, and other outside authorities, including any reported findings along with management’s planned corrective actions, which shall be reported to the Committee at least annually until closed.
- To review periodically the Audit, Risk & Compliance Committee Pre-Approval Policy for Audit and Non-Audit Services Provided by Independent External Auditors.
- To include in each meeting’s Executive Session an opportunity for Committee members to discuss new relationships or other matters that could affect their ability to serve as a committee member.
- The Committee shall be advised of any loan or extension of credit (including housing assistance) made by the University to a senior officer and approved by the Executive Committee.
Revised December 2024