Internal Audit Department Charter
I. Role of Internal Audit
Internal Audit provides an independent and objective assurance service designed to add value and improve operations through improved controls. Internal Audit helps UMDNJ accomplish its objectives by applying a systematic, disciplined approach to evaluate and assess the effectiveness of risk management, control and governance processes.
Internal Audit reviews will determine the effectiveness of internal controls, adherence with
applicable laws and regulations, and reliability of financial reporting. In assessing the control environment, Internal Audit will consider:
- The condition of the system of internal control and quality of operations;
- The criticality and severity of audit findings;
- The criticality of area to the organization/business;
- Inherent business risks;
- Staffing levels and experience;
- The adequacy of management supervision and cognizance of controls;
- Resolution of previous audit recommendations; and,
- Compensating controls.
Independence is essential for an effective internal audit function. This independence is achieved primarily through organizational status and also the adherence by Internal Audit and its personnel to the professional standard of objectivity.
Organizational Status: Internal Audit reports functionally to the UMDNJ Board of Trustees Audit Committee and administratively to the President of UMDNJ.
These reporting relationships ensure the independence of the Internal Audit function and the adequate consideration of Internal Audit findings and recommendations. Every effort will be made to ensure that reporting relationships continue to maintain the independence of Internal Audit.
Objectivity: Internal Audit personnel will not be responsible for developing or implementing procedures, preparing records, or engaging in any activity, which they would normally review and appraise and which could reasonably be construed as compromising their independence. In this regard, Internal Audit personnel are not to be used as auxiliary line accounting, finance or information systems staff.
III. Authority and Responsibility
In carrying out their duties, Internal Audit is authorized to have full, free, and unrestricted access to all records, properties, systems, and personnel relevant to the subject areas reviewed. Internal Audit will have authority to review at periodic intervals any processes, functions, departments, business units or entities. These reviews will provide an assessment of the operational, financial, and compliance controls necessary to minimize the risk of material loss and meet the University’s functional objectives.
Internal Audit has access to review and appraise policies, procedures, plans and any other records necessary to effectively perform their audit responsibilities. Internal Audit is authorized to obtain the necessary assistance of personnel in units of UMDNJ where they perform audits, as well as specialized services from within or outside the organization.
The responsibilities of Internal Audit are as follows:
- Review with the Board of Trustees Audit Committee and UMDNJ President, the Internal Audit Charter, plans, activities, staffing and organizational structure of the internal audit function.
- Provide assessments for the entity under review on the adequacy and effectiveness of processes for controlling its activities and managing its risks to ensure controls are effective and functioning as intended.
- Provide the Audit Committee, Senior Management and auditees with an overall assessment of financial, operational, compliance and information technology controls necessary to minimize the risk of material loss and meet the University’s functional objectives
- Conduct follow-up reviews to ensure satisfactory actions are taken by management to resolve significant audit findings.
- Provide periodic updates to the Audit Committee on the status of engagements contained in the Annual Audit Plan, including any findings warranting the attention of the Audit Committee.
- Coordinate Internal Audit activities with other control and monitoring functions (Compliance & Ethics, Risk Management, Security, Legal, and external audit firm) to best achieve the objectives of the internal audit function, as well as the objectives of UMDNJ. This includes, where appropriate, coordination with and assistance to the independent public accounting firms.
- Lead or assist in the investigation of significant suspected fraudulent activities and notify executive management and the Audit Committee of the results.
- Maintain a professional audit staff with sufficient knowledge, skills, experience, training and professional certifications to meet the requirements of this charter. Periodically assess the overall effectiveness of department training program.
- Keep the Audit Committee informed of emerging trends and successful best practices in internal auditing.
IV. Scope and Objectives
The scope of the Internal Audit activity is to determine whether the organization’s activities of risk management, control, and governance processes, as designed and represented by management, are adequate and functioning in a manner to ensure:
- That risks are appropriately identified and managed by management through an effective internal controls environment at a reasonable cost.
- That significant financial, mission, managerial and operating information is accurate, reliable and timely.
- Employee’s actions are in compliance with established policies, procedures plans, governmental regulations and contractual obligations in support of the Compliance Program.
- That personnel and the organization are upholding the principles and standards included in the Code of Conduct.
- That resources are acquired economically, used efficiently, and adequately protected in accordance with UMDNJ policies and procedures.
- Programs, plans, and objectives are achieved.
- That quality and continuous improvement are fostered in control processes. Significant legislative or regulatory issues impacting each organization are recognized and addressed properly.
- That audit will be notified when areas are planning to make changes to applications and systems that affect or ultimately affect data that is used in financial reporting systems.
- Since all levels of management are relying on the accuracy of financial data, Internal Audit will be notified at least one month in writing when operational and technology areas are planning to make changes to applications and systems that affect or ultimately affect data that is used in financial reporting systems. Failure of senior management to comply with this responsibility presents an extremely high risk that inaccurate financial data is used to make business decisions.
- Participate in the planning, design, development, implementation, and operation of major information technology based systems to determine whether: (a) adequate controls are incorporated in the systems, (b) thorough systems’ testing is performed at appropriate stages, (c) system documentation is complete and accurate; and (d) the needs of the user organizations are met.
V. Management Support
Internal Audit has neither direct responsibility, nor authority over, the operations or activities that are reviewed. Thus, Internal Audit review and appraisal does not relieve management of their assigned responsibilities. Internal Audit does not make operating decisions, and does not have the authority to direct activities, including implementation of corrective actions. These activities and tasks remain the responsibility of appropriate operating management.
Risk management is a key responsibility of management. Also, operational areas are responsible for the identification, assessment, mitigation, and monitoring of significant risk exposures within their areas of responsibility. This process is facilitated by support functions including Finance, Legal Management, Risk & Claims Management, Internal Audit, and Compliance & Ethics.
UMDNJ management is responsible to ensure:
- Operations are reviewed at appropriate intervals to determine whether they are effectively carrying out their functions of planning, accounting, custody, and control in accordance with management instructions, policies and procedures, and in a manner that is consistent both with objectives and the high standards of administrative practice.
- Results of reviews performed by Internal Audit and the recommendations made are promptly reported to management personnel with responsibility for ensuring appropriate action is taken.
- Timely action is taken by management in response to Internal Audit findings and responses in the form of a management action plans are provided to Internal Audit within fifteen business days from the receipt of the draft audit report.
- Sufficient staffing and other resources are provided, including specialized technical staffing as needed, to support the Internal Audit function.