Board of Trustees Audit, Risk, and Compliance Committee Operating Principles and Practices

Organization and Membership

The purpose of the Audit, Risk, & Compliance Committee (the “Committee”) is to serve as the representative of the Board in meeting certain of the university’s statutory and fiduciary obligations. The Committee has principal oversight responsibility for management’s system of internal controls; controls over external financial reporting; internal and external audit processes; key compliance functions; institutional ethics and conflicts of interest and commitment processes; cybersecurity programs; and the institutional risk management program. The Committee provides an avenue of communication among the certified public accountants, risk area responsible executives, University Audit and Compliance Office, and the Board.

  1. The Committee shall consist of trustees, Weill Cornell Medicine fellows and emeritus trustees to be elected by the Board of Trustees (“the Board”), none of whom may simultaneously be a member of the Investment Committee, together with the Chairperson of the Board as an ex officio member. A majority of the voting membership shall constitute a quorum.
  2. All members of the Committee shall be free from any relationship that, in the opinion of the Board or its designated Committee on Conflicts, would interfere with the exercise of his or her independent judgment as a member of the Committee.
  3. The Committee on Board Composition and Governance shall seek to include members on the Committee that possess experience in financial management and not-for-profit organizations, including an understanding of generally accepted accounting principles and internal controls, information technology (IT) and cybersecurity, and compliance.

Meetings

  1. The Committee will meet at least four times per year. Optional meetings may be held at the request of the Chairperson or other members of the Committee. Regular participants of the Committee meetings include the University President, the University Provost, the Executive Vice President and Chief Financial Officer, General Counsel, the Vice President and Chief Risk Officer, the Dean and Provost for Weill Cornell Medicine, the University Auditor, the Chief Compliance Officer, the University Controller, and the certified public accountants. Other individuals may attend and participate in the meetings as invited guests of the Committee or university management. Minutes of the Committee shall be prepared by the Vice President and Chief Risk Officer or designee and distributed to Committee members for approval at the next regular Committee meeting.
  2. At each regular meeting, the Committee will meet separately in Executive Session with University management (President and Chief Financial Officer), General Counsel, certified public accountants, Chief Risk Officer, and others invited by the Committee.

Authorities and Responsibilities

The Committee shall oversee the adequacy of the University’s system of internal controls, financial reporting practices, institutional risk management program, key compliance programs, and administration of the University’s policy on conflicts of interest. The Committee shall additionally oversee the adequacy of the university’s systems for addressing cybersecurity through its Sub-Committee on Cybersecurity. The Committee appoints the certified public accountants as auditors to examine the accounts of the university, receives and studies the reports of such auditors, and makes its report and recommendations on the audited financial statements to the Board at the first regular meeting in the next following fiscal year.

  1. As stipulated in the university’s bylaws, the Committee shall assist the Board in its oversight of the:
    1. Adequacy of the university’s system of internal controls and financial reporting practices;
    2. Appointment of the certified public accountants;
    3. Annual review and approval of the audited financial statements;
    4. Performance of the university’s internal audit function, and review of the scope of activities, findings and recommendations of internal audit;
    5. Institutional Risk Management Program;
    6. Key regulatory compliance programs; and
    7. Administration of the university’s policy on conflicts of interest and commitment.
  2. It is not the responsibility of the Committee to plan or conduct audits, or to determine that the university’s financial statements and disclosures are complete and accurate or are in accordance with generally accepted accounting principles or applicable rules and regulations. These are the responsibilities of management and the certified public accountants. The responsibility of the Committee is an oversight and governance function.
  3. The Committee shall have the following authorities and responsibilities:
    1. General
      1. To develop and maintain free and open means of communication among the Committee, the Board, the university’s certified public accountants, the university’s internal auditors, risk area responsible executives, and the financial and general management of the university.
      2. To engage independent counsel or other advisors, as necessary, at the expense of the university to undertake investigations within the scope of its duties.
      3. To perform any other activities as the Committee deems appropriate, or as are requested by the Board, consistent with these Operating Principles and Practices and the university’s bylaws.
      4. To review and reassess the adequacy of these Operating Principles and Practices annually and recommend any proposed substantive changes to the Board for approval.
      5. To present to the Board an annual report of the Committee’s activities and a self-evaluation of the Committee’s performance. The Chair shall provide periodic reports to the Board as required.
      6. To review annually changes in legislation that may affect the requirements relating to financial statement presentation or controls.
    2. Financial Statements and Internal Controls
      1. To review with university management and the certified public accountants the annual audited financial statements. To approve the annual financial statements and present them to the Board.
      2. The Committee reviews the results of financial audits or examinations conducted by governmental agencies, external auditors or consultants engaged for specific purposes, and other outside authorities.
      3. To review an annual report from the University Controller on the processes in place for determining the adequacy of controls over financial reporting and other financial systems. The review shall include an examination of any material changes or deficiencies in such controls.
      4. To review disclosures of all material off-balance sheet arrangements.
      5. To review the federal 990 tax return.
    3. Certified Public Accountants
      1. To recommend the appointment, compensation, and termination of the university’s certified public accountants. The accountants shall report directly to the Committee.
      2. To meet with the certified public accountants without university management or internal audit present at every Committee meeting to discuss any item the accountants or the Committee requests.
      3. To meet annually with the certified public accountants before commencing annual audits to review the general scope, risk assessment methodology and procedures of the financial statements audit, to discuss areas where the Committee may desire special emphasis, and to evaluate the approach for testing the internal control structure.
      4. To review at least annually:
        1. Critical accounting policies and practices used in the audit;
        2. Alternative treatments of financial information within GAAP that have been discussed with university management, ramifications of the use of such alternative disclosure and treatments, and the treatment preferred by the certified public accountants; and
        3. Other material written communication between the certified public accountants and university management, such as any management letter and schedule of unadjusted differences.
      5. To review annually the performance of the certified public accountants and discuss with the accountants all significant relationships the accountants have with the university in accordance with the Securities Act of 1934 and the Independent Standards Board.
      6. To approve, as articulated and delegated within the Audit Committee Pre-Approval Policy for Audit and Non-Audit Services Provided by Independent Auditors, all audit and non-audit services provided by the certified public accountants, including tax services.
      7. To review with the certified public accountants and university management any problems or difficulties encountered in the course of the audit work.
      8. To address any unresolved disputes between university management and the certified public accountants.
      9. To ensure the appropriate rotation of the lead partner.
      10. To approve all hiring of employees or former employees of the university’s certified public accountants into senior financial officer positions within one year of employment with the certified public accountants prior to action of the Executive Committee. The Committee shall be notified by the Executive Committee of all such appointments if the period is greater than one year.
      11. To ensure that the certified public accountants are prohibited from performing the following non-audit services:
        • Bookkeeping or other services related to the accounting records or financial statements of the university;
        • Financial information systems design and implementation;
        • Appraisal or valuation services, fairness opinions, or contribution-in-kind reports;
        • Actuarial services;
        • Internal audit outsourcing services;
        • Management or human resources;
        • Broker or dealer, investment adviser, or investment banking services;
        • Legal services and expert services unrelated to the audit; and
        • Any service that the Committee has not approved.
    4. Internal Audit Function
      1. To advise the President on the appointment, evaluation and compensation of the University Auditor. In recognition of the University Auditor’s responsibilities and relationship to the Committee, the President will seek concurrence of the Committee if the judgment is to terminate the appointment of the Auditor. In the event the President and the Committee disagree, the matter will be referred to the Executive Committee for the review and determination.
      2. To review and approve the University Audit Office Charter.
      3. To review the activities, organizational structure, staffing, and qualifications of the internal audit function and its ongoing Quality Assurance and Improvement Program (QAIP) results annually.
      4. To review with the Chief Risk Officer / University Auditor the internal audit risk assessment used to develop the audit plans including, but not limited to, the process applied, the methodology, the final results and the resulting annual internal audit plans.
      5. To review and approve the annual internal audit plan in consultation with the Chief Risk Officer, and to review any material changes to the plans throughout the year.
      6. To receive and review summaries of reports from the Chief Risk Officer / University Auditor with respect to its review of the operations of the university and the systems of internal controls and management’s responses thereto.
      7. To meet with the Chief Risk Officer without university management or certified public accountants present at every Committee meeting to discuss cooperation provided during internal audits, limitations as to scope, restricted access to information, adequacy of the internal audit department’s budget and staffing, and any other matters important in maintaining the independence of the internal auditors.
      8. To receive notification from the Chief Risk Officer / University Auditor of:
        1. All financial irregularities greater than $50,000;
        2. Any irregularity deemed of interest to the Committee; and
        3. Any irregularity involving a member of the Board of Trustees, Board of Overseers, an officer or an individual with significant influence over internal controls.
      9. To oversee and evaluate annually the effectiveness of the established university procedures for the:
        1. Confidential or anonymous submission and receipt, retention, and treatment of complaints, via telephone calls or the hotline website, of concerns regarding questionable accounting, compliance matters, risk management issues, internal controls, or auditing matters (i.e., Cornell Hotline Reports); and
        2. Reporting of Cornell Hotline statistics and substantive complaints to the Committee on a quarterly basis.
    5. Risk Management
      1. To review on an annual basis the Institutional Risk Management Program and discuss with responsible executives those university major risk exposures which the Board has assigned to the Committee for high level oversight including the following:
        1. To monitor the Weill Cornell Medicine Professional Billing Compliance Program.
        2. To monitor IT Security and Systems Recovery through periodic reports from the Cybersecurity Sub-Committee.
      2. To provide to the Board an annual report of the roles and responsibilities of Board Committees and management with regard to the Institutional Risk Management Program and its key activities (Institutional Risk Management Program Annual Report).
      3. To consult with the Institutional Risk Council on those high risk areas that are commanding the Council’s attention and are expected to be presented to the Board as part of the Council’s annual report.
    6. Compliance Oversight
      1. The Committee assists the Board in fulfilling its fiduciary responsibilities relating to university legal and financial compliance with applicable laws, regulatory requirements and policies. The Committee obtains reasonable assurances from management that the university is in compliance with pertinent laws and regulations and is maintaining effective controls pertaining to employee and Board member conflict of interest and fraud.
      2. To review the University Compliance Program Annual Report and Annual Plan, the structure of the key compliance programs, and the identified institutional compliance risks and their related mitigations.
      3. The Committee reviews the results of compliance audits or examinations conducted by governmental agencies, external auditors or consultants engaged for specific purposes, and other outside authorities.
    7. Other Matters
      1. To review periodically and determine the adequacy of:
        • University Policy 4.6 Standards of Ethical Conduct;
        • University Policy 4.14 Conflicts of Interest and Commitment; and
        • University Policy 1.7 Financial Conflict of Interest Related to Research;
        and to approve all proposed revisions and amendments.
      2. To review periodically the Audit, Risk, & Compliance Committee Pre-Approval Policy for Audit and Non-Audit Services Provided by Independent Auditors.
      3. To include in each meeting Executive Session an opportunity for Committee members to discuss new relationships that could affect their ability to serve as a Committee member.
      4. Loans to Officers. If any loan or indirect extension of credit (including housing assistance) is made by the University to a senior officer and approved by the Executive Committee, the Audit Committee shall be advised of any such transaction.