Mission/Scope of Work
The mission of Internal Audit and Advisory Services (IAAS) is to enhance and protect the University of Nebraska’s (University) value by providing risk-based and objective assurance, advice, and insight. The purpose of IAAS is to provide independent, objective assurance and consulting services designed to add value and improve the University’s operations. IAAS helps the University accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of the University’s risk management, control, and governance processes.
IAAS’s scope of work is to determine whether the University’s network of risk management, control, and governance processes, as designed and represented by management, is adequate and functioning in a manner to ensure that:
Risks are appropriately identified and managed;
Interaction with the various governance groups occurs as needed;
Significant financial, managerial, and operating information is accurate, reliable, and timely;
Employee actions are in compliance with policies, standards, procedures, and applicable laws and regulations;
Resources are acquired economically, used efficiently, and protected adequately;
Programs, plans, and objectives are achieved;
Quality and continuous improvement are fostered in the University’s control process; and
Significant legislative or regulatory issues impacting the University are recognized and addressed appropriately.
Opportunities for improving management control, profitability, and the University’s image may be identified during audits. They will be communicated to the appropriate level(s) of management.
The Director of Internal Audit and Advisory Services (Director), in the discharge of his/her duties, is accountable to management, the President, and the Audit, Risk and Compliance Committee (Audit Committee) to:
Provide an assessment annually on the adequacy and effectiveness of the University’s processes for controlling its activities and managing its risks in the areas set forth under the mission and scope of work;
Report significant issues related to the processes for controlling the activities of the University and its affiliates, including potential improvements to those processes, and provide information concerning such issues through resolution;
Provide information on the status and results of the annual audit plan and the sufficiency of IAAS resources periodically; and
Coordinate with other control and monitoring functions (such as risk management, compliance, security, legal, ethics, environmental health and safety, and external audit) to conduct risk assessments and develop or recommend monitoring activities to evaluate the adequacy and effectiveness of internal controls.
Report any internal audit projects completed, but for which no report was issued.
To maintain the independence of IAAS, all internal audit personnel report to the Director. The Director reports to the Audit Committee functionally and to the President administratively in a manner outlined in the above section on Accountability. The Director will confirm at least annually the independence of the internal audit activity to the Audit Committee and will include a section on the IAAS personnel’s credentials in the Annual Report to the Audit Committee.
IAAS staff will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.
The Campus Directors (or Assistant Directors) will be the primary point of contact for his/her Campus Chancellors. Where there is no campus director, the Director of IAAS will be the point of contact.
The Director has the responsibility to:
- Develop a flexible annual audit plan using an appropriate risk-based methodology, including any risks or control concerns identified by management, and submit that plan to the Audit Committee for review and approval;
- Implement the annual audit plan, as approved, including special tasks or projects requested by management and the Audit Committee;
- Update the Audit Committee on the status and results of the annual audit plan periodically;
- Maintain a professional staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this Charter;
- Evaluate and assess significant merging or consolidating functions and new or changing services, processes, operations, and control processes coincident with their development, implementation, and/or expansion;
- Issue reports to the Audit Committee and management summarizing the results of audit activities, including any instances of fraud;
- Keep the Audit Committee informed of emerging trends and successful practices in internal auditing;
- Provide a list of significant measurement goals and results to the Audit Committee;
- Assist in the investigation of significant suspected fraudulent activities within the University and notify management and the Audit Committee of the results; and
- Consider the scope of work of the external auditors and regulators, as appropriate, for the purpose of providing optimal audit coverage to the University at a reasonable overall cost.
The Director and IAAS personnel are authorized to:
Have unrestricted access to all University functions, records, property, and personnel (the University Technology Development Corporation and its entities, UNeHealth and NSRI Classified Task Orders and related activity are not in the scope/audit universe).
Have full and free access to the Audit Committee;
Allocate resources; set frequencies, select subjects, and determine scopes of work; and apply the techniques required to accomplish audit objectives; and
Obtain the necessary assistance of personnel in units of the University where they perform audits, as well as other specialized services from within or outside the University.
Members of IAAS are not authorized to:
Perform any operational duties for the University or its affiliates;
Initiate or approve accounting transactions external to IAAS;
Direct the activities of any University employee not employed by IAAS, except to the extent such employees have been assigned to auditing teams or to otherwise assist the internal auditors; or
Assess specific operations for which they had responsibility within the previous year.
Standards of Audit Practice
IAAS will govern itself by adherence to the mandatory elements of the IIA’s International Professional Practices Framework (IPPF) including its Standards, Core Principles for the Professional Practice of Internal Auditing , Definition of Internal Auditing and Code of Ethics (IIA Standards).
Quality Assurance and Improvement Program
IAAS will maintain a quality assurance and improvement program that covers all aspects of the internal audit activity including its evaluation of conformance to IIA Standards. The Director will report periodically the results of its quality assurance and improvement program to the Audit Committee and senior management and obtain an external assessment of the activity at least once every five years.
Management is responsible for ensuring that systems of internal control are in place; good business practices are implemented and followed in all areas; compliance with federal, State, and University policies, laws, and regulations is maintained; fraud risks are identified and mitigated; and effective governance is established. This provides assurance that financial information and other management information are reliable, that University resources are used efficiently and effectively, and that the potential for fraud is minimized.
Management shall provide a written response to report recommendations issued within time frames requested by IAAS. Management is responsible for addressing issues identified by implementing recommendations or agreed-upon corrective action plans, and by providing updates to the Committee using the Audit Recommendations Tracking Document.
Access to the Audit Committee
All IAAS personnel will have access to the Audit Committee by requesting they be added to the next Audit Committee agenda.
Working Papers and Reports
All internal audit personnel have the responsibility for maintaining records as follows:
All internal audit reports, once accepted by the Audit Committee, shall be maintained in accordance with University Records Retention policies. Working papers and other audit files maintained by IAAS are privileged and confidential and may be withheld in response to a public records request. The information contained in working papers and audit files prepared pursuant to a specific audit is not subject to disclosure except to a county attorney, the Nebraska Attorney General, or University General Counsel in connection with an investigation made or action taken in the course of the official duties of the county attorney, the Nebraska Auditor of Public Accounts, or the Legislative Performance Audit Committee. University units being audited, and the federal agencies that have awarded grants to such units, shall also have access to the relevant working papers and audit files. For purposes of this subsection, working papers means those documents containing evidence to support the IAAS’s findings, opinions, conclusions, and judgments and includes the collection of evidence prepared or obtained by the auditor during the audit. The University may make the working papers available for purposes of a quality assurance review as required by IPPF.
Approved by Audit Committee on October 27, 2011 and last amended December 3, 2020.