University of Illinois System

Internal Audit Charter

Purpose

The internal audit function aims to strengthen the University of Illinois System’s and its related organizations’ (U of I System) ability to create, protect, and sustain value. It provides the Board of Trustees through its Audit, Budget, Finance and Facilities Committee (ABFFC) and management with independent, risk-based, and objective assurance, advice, insight and foresight.

The internal audit function enhances the U of I System’s:

  • Successful achievement of its objectives.
  • Governance, risk management, and control processes.
  • Decision-making and oversight.
  • Reputation and credibility with its stakeholders.
  • Ability to serve the public interest.

The U of I System’s internal audit function is most effective when:

  • Internal auditing is performed by competent professionals in conformance with The Institute of Internal Auditors’ (IIA) Global Internal Audit Standards™, which are set in the public interest.
  • The internal audit function is independently positioned with direct accountability to the Board of Trustees through its ABFFC.
  • Internal auditors are free from undue influence and committed to making objective assessments.

Mandate

The Fiscal Control and Internal Auditing Act (30 ILCS 10/Articles 1, 2, and 3) (FCIAA) is the state legislation which provides mandates for internal audit activities of state agencies. It is the policy of the State of Illinois that the chief executive officer of every State agency is responsible for effectively and efficiently managing the agency and establishing and maintaining an effective system of internal control. The U of I System, defined as a designated agency within and for the purposes of this Act, is required to maintain a full-time program of internal auditing. The President, as the chief executive officer of the U of I System, is responsible for the development and implementation of the program of internal auditing. The President has delegated the chief audit executive (positioned within the Office of University Audits), jointly with the Board of Trustees through its ABFFC, to establish guidelines which give direction to the overall internal audit function of the U of I System. This Charter constitutes these guidelines, and as developed and amended, will be transmitted to the President for concurrence and to the ABFFC for approval.

In accordance with FCIAA Article 2, the State of Illinois Internal Audit Advisory Board has adopted the mandatory elements of The Institute of Internal Auditors’ International Professional Practices Framework, which are the Global Internal Audit Standards and Topical Requirements, as the standard of performance to which all State internal auditors must adhere. The chief audit executive will report annually to the ABFFC and senior management regarding the internal audit function’s conformance with the Standards, which will be assessed through a quality assurance and improvement program.

Authority

The internal audit function’s authority is created by its direct functional reporting to the President of the U of I System and the Board of Trustees through its ABFFC. Such authority allows for unrestricted access to the Board of Trustees and/or the ABFFC.

The President and the Board of Trustees through its ABFFC authorize the internal audit function to:

  • Have full and unrestricted access to all functions, data, records, information, physical property, and personnel pertinent to carrying out internal audit responsibilities. Internal auditors are accountable for confidentiality and safeguarding records and information.
  • Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques, and issue communications to accomplish the function’s objectives.
  • Obtain assistance and/or other specialized services from within or outside the U of I System to complete internal audit services, as deemed necessary.

Independence, Organizational Position, and Reporting Relationships

The chief audit executive is positioned at a level in the organization that enables internal audit services and responsibilities to be performed without interference from management, thereby establishing the independence of the internal audit function. The chief audit executive reports functionally to the President and the Board of Trustees through its ABFFC, and administratively to the Comptroller of the Board of Trustees, who is also the Vice President and Chief Financial Officer. This positioning provides the organizational authority and status to bring matters directly to senior management and escalate matters to the ABFFC, when necessary, without interference and supports the internal auditors’ ability to maintain objectivity.

The chief audit executive will confirm to the ABFFC, at least annually, the organizational independence of the internal audit function. If the governance structure does not support organizational independence, the chief audit executive will document the characteristics of the governance structure limiting independence and any safeguard employed to achieve the principle of independence. The chief audit executive will disclose to the ABFFC any interference internal auditors encounter related to the scope, performance, or communication of internal audit work and results. The disclosure will include communicating the implications of such interference on the internal audit function’s effectiveness and ability to fulfill its mandate.

Changes to the Mandate and Charter

Circumstances may justify a follow-up discussion between the chief audit executive, the ABFFC, and senior management on the internal audit mandate or other aspects of the internal audit charter. Such circumstances may include but are not limited to:

  • A significant change in the Global Internal Audit Standards.
  • A significant reorganization within the organization.
  • Significant changes in the chief audit executive, composition of the ABFFC, and/or senior management.
  • Significant changes to the U of I System’s strategies, objectives, risk profile, or the environment in which the U of I System operates.
  • New laws or regulations that may affect the nature and/or scope of internal audit services.

ABFFC Oversight

The responsibilities of the ABFFC are outlined in the University of Illinois Audit, Budget, Finance and Facilities Committee Audit Function Charter.

Chief Audit Executive Roles and Responsibilities

Ethics and Professionalism

The chief audit executive will ensure that internal auditors:

  • Conform with the Global Internal Audit Standards, including the principles of Ethics and Professionalism: integrity, objectivity, competency, due professional care, and confidentiality.
  • Understand, respect, meet, and contribute to the legitimate and ethical expectations of the U of I System and be able to recognize conduct that is contrary to those expectations.
  • Encourage and promote an ethics-based culture in the organization.
  • Report organizational behavior that is inconsistent with the U of I System’s ethical expectations, as described in applicable policies and procedures.

Objectivity

The chief audit executive will ensure that the internal audit function remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of engagement selection, scope, procedures, frequency, timing, and communication. If the chief audit executive determines that objectivity may be impaired in fact or appearance, the details of the impairment will be disclosed to appropriate parties.

Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively such that they believe in their work product, do not compromise quality, and do not subordinate their judgment on audit matters to others, either in fact or appearance.

Internal auditors will have no direct operational responsibility or authority over any of the activities they review. Accordingly, internal auditors will not implement internal controls, develop procedures, install systems, or engage in other activities that may impair their judgment, including:

  • Assessing specific operations for which they had responsibility within the previous year.
  • Performing operational duties for the U of I System.
  • Initiating or approving transactions external to the internal audit function.
  • Directing the activities of any U of I System employee that is not employed by the internal audit function, except to the extent that such employees have been appropriately assigned to internal audit teams or to assist internal auditors.

Internal auditors will:

  • Disclose impairments of independence or objectivity, in fact or appearance, to the chief audit executive at least annually. The chief audit executive will consider whether impairments should be reported to others and will do so as deemed necessary, including the ABFFC or management.
  • Exhibit professional objectivity in gathering, evaluating, and communicating information.
  • Make balanced assessments of all available and relevant facts and circumstances.
  • Take necessary precautions to avoid conflicts of interest, bias, and undue influence.

Managing the Internal Audit Function

The chief audit executive has the responsibility to:

  • Annually develop a flexible two-year risk-based internal audit plan that considers the input of the ABFFC and management. Discuss the plan with senior management and submit the plan to the ABFFC for feedback and concurrence. In accordance with FCIAA, submit the audit plan to the President in order for the President to approve by June 30 of each year.
  • Report to the Board of Trustees and ABFFC by September 30 of each year the scope and results of audits and the adequacy of management’s corrective actions.
  • Communicate the impact of resource limitations on the internal audit plan to the ABFFC and senior management.
  • Review and adjust the audit plan, as necessary, in response to changes in the U of I System’s risks, operations, programs, systems, and controls.
  • Communicate with the ABFFC and senior management if there are significant interim changes to the internal audit plan.
  • Ensure internal audit engagements are performed, documented, and communicated in accordance with the Global Internal Audit Standards.
  • Follow up on engagement findings and confirm the implementation of recommendations or action plans and communicate the results of internal audit services to the ABFFC and senior management on a quarterly basis for each engagement as appropriate.
  • Ensure the internal audit function collectively possesses or obtains the knowledge, skills, and other competencies and qualifications to meet the requirements of the Global Internal Audit Standards and fulfill the internal audit mandate.
  • Identify and consider trends and emerging issues that could impact the U of I System and communicate to the ABFFC and senior management as appropriate.
  • Consider emerging trends and successful practices in internal auditing.
  • Establish and ensure adherence to methodologies designed to guide the internal audit function.
  • Ensure adherence to the U of I System’s relevant policies and procedures unless such policies and procedures conflict with the internal audit charter or the Global Internal Audit Standards. Any such conflicts will be resolved or documented and communicated to the ABFFC and senior management.
  • Coordinate activities and consider relying upon the work of other internal and external providers of assurance and advisory services. If the chief audit executive cannot achieve an appropriate level of coordination, the issue must be communicated to senior management and if necessary escalated to the ABFFC.

Communication with the ABFFC and Senior Management

The chief audit executive will report periodically to the ABFFC and senior management regarding:

  • The internal audit function’s mandate.
  • The internal audit plan and performance relative to its plan.
  • Internal audit budget.
  • Significant revisions to the internal audit plan and budget.
  • Potential impairments to independence, including relevant disclosures as applicable.
  • Results from the quality assurance and improvement program, which include the internal audit function’s conformance with the Global Internal Audit Standards and action plans to address the internal audit function’s deficiencies and opportunities for improvement.
  • Significant risk exposures and control issues, including fraud risks, governance issues, and other areas of focus for the ABFFC that could interfere with the achievement of the U of I System’s strategic objectives.
  • Results of assurance and advisory services.
  • Resource requirements.

Quality Assurance and Improvement Program

The chief audit executive will develop, implement, and maintain a quality assurance and improvement program that covers all aspects of the internal audit function. The program will include external and internal assessments of the internal audit function’s conformance with the Global Internal Audit Standards, as well as performance measures to assess the internal audit function’s progress toward the achievement of its objectives and promotion of continuous improvement. The program also will assess, if applicable, compliance with laws and/or regulations relevant to internal auditing. Also, if applicable, the assessment will include plans to address the internal audit function’s deficiencies and opportunities for improvement.

Annually, the chief audit executive will communicate with the ABFFC and senior management about the internal audit function’s quality assurance and improvement program, including the results of internal assessments (ongoing monitoring and periodic self-assessments) and external assessments. Periodic internal and external assessments will be conducted under the guidelines provided by the State Internal Audit Advisory Board. External assessments will be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the U of I System. Qualifications must include at least one assessor holding an active Certified Internal Auditor® credential. Public sector competencies and knowledge as well as knowledge of the Global Internal Audit Standards should be considered when selecting external assessors.

Scope and Types of Internal Audit Services

The scope of internal audit services covers the entire breadth of the organization, including all the activities, assets, and personnel of the U of I System which includes its related organizations, and organizations required to submit financial statements to the U of I System. The scope of internal audit activities also encompasses but is not limited to objective examinations of evidence to provide independent assurance and advisory services to the Board of Trustees and management on the adequacy and effectiveness of governance, risk management, and control processes for the U of I System.

The nature and scope of advisory services may be agreed with the party requesting the service, provided the internal audit function does not assume management responsibility. Advisory services may also include those less formal in nature such as providing advice, facilitation, and training. Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during advisory engagements. These opportunities will be communicated to the appropriate level of management.

Internal audit engagements may include evaluating whether:

  • Risks relating to the achievement of the U of I System’s strategic objectives are appropriately identified and managed.
  • The actions of the U of I System’s officers, directors, management, employees, and contractors or other relevant parties comply with the U of I System’s policies, procedures, and applicable laws, regulations, and governance standards.
  • The results of operations and programs are consistent with established goals and objectives.
  • Operations and programs are being carried out effectively, efficiently, ethically, and equitably.
  • Established processes and systems enable compliance with policies, procedures, laws, and regulations that could significantly impact the U of I System.
  • The integrity of information and the means used to identify, measure, analyze, classify, and report such information is reliable.
  • Resources and assets are acquired economically, used efficiently and sustainably, and protected adequately.

Internal audit engagements also include conducting or assisting in the investigation of significant suspected fraudulent activities within or against the U of I System and notifying management and the ABFFC of the results, as well as law enforcement as appropriate. In collaboration with the University Ethics Officer, the internal audit function conducts reviews and/or investigations of financial fraud-related allegations received by the University Ethics Office.

Charter Approved by Audit, Budget, Finance, and Facilities Committee September 18, 2024