Reconfirmed March 2014
Internal Auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of Rutgers, The State University of New Jersey. Internal auditors assist University management and the Board of Governors’ Committee on Audit accomplish their objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s risk management, control, and governance processes.
The Board of Governors’ Committee on Audit (hereafter referred to as the Committee) establishes the internal audit activity. The internal audit activity’s responsibilities are authorized by the Committee as part of its oversight role.
The internal audit activity guides its practices in accordance with The Institute of Internal Auditors’ Framework that includes the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity’s performance.
The Institute of Internal Auditors’ Practice Advisories, Practice Guides, and Position Papers will also be considered as applicable to guide internal audit’s activities. In addition, the internal audit activity will adhere to Rutgers’ relevant policies and procedures and the internal audit activity’s standard operating procedures manual.
The Internal Audit Department is authorized full, free, and unrestricted access to any and all of Rutgers’ records, physical properties, systems, and personnel necessary in achieving its goals. Department members are accountable for safeguarding records and information they use in performing their work. It is the responsibility of Rutgers management to communicate to employees the authority of the internal audit activity in fulfilling its roles and responsibilities. The internal auditors will also have free and unrestricted access to the Committee.
The Chief Audit Executive will report functionally to the Committee and administratively (i.e.. day-to-day operations) to the Chief Financial Officer.
The Committee will approve all decisions regarding the performance evaluation, appointment, or removal of the Chief Audit Executive as well as the Chief Audit Executive’s remuneration. The Chief Audit Executive will communicate and interact directly with the Committee, including in executive sessions and between Committee meetings as appropriate. The Chief Audit Executive will confirm to the Committee, at least annually, the organizational independence of the internal audit.
The internal audit activity will remain free from interference by any element in the organization, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude.
Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair internal auditor’s judgment.
Internal auditors must exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors must make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
The Internal Audit Department examines and evaluates the adequacy and effectiveness of the organization’s governance, risk management, and internal control processes as they relate to the University’s stated goals and objectives. The Chief Audit Executive will communicate to management and the Committee the internal auditors’ observations and recommendations regarding the processes reviewed.
In carrying out this responsibility, the internal audit scope of activities may include:
- Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
- Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the organization
- Evaluating the means of safeguarding assets and, as appropriate, verifying their existence.
- Evaluating the effectiveness and efficiency with which resources are employed.
- Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
- Monitoring and evaluating governance processes.
- Monitoring and evaluating the effectiveness of the organization’s risk management processes.
- Participating with the external audit firm in its annual examination of the University’s year-end financial statements. Evaluating the quality of performance of external auditors and the degree of coordination with internal audit.
- Performing consulting and advisory services related to governance, risk management and control as appropriate for the organization.
- Reporting periodically on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan.
- Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the Committee.
- Evaluating specific operations at the request of the Committee or management, as appropriate.
- Offering training workshops to managers and their units covering internal control concepts and applications, and techniques for assessing risks.
Internal Audit Plan
At least annually, the Chief Audit Executive will submit to senior management and the Committee an internal audit plan. The Committee will review, discuss, and endorse the plan subject to the Committee members’ concurrence. The internal audit plan will include a summary of engagements and other audit activities, as well as resource requirements for the next fiscal year. The Chief Audit Executive will communicate the impact of resource limitations and significant interim changes to senior management and the Committee.
The internal audit department will develop the Plan using a risk-based methodology that includes:
- Analysis and prioritization of the audit universe.
- Input of senior management and the Committee.
- First-hand knowledge of the university and its evolving operations.
- Results of prior audits.
- Understanding of risk in higher education, and biomedical and health care services.
- Quality of management.
- Emerging needs of campus clients.
- Support to external auditors.
The CAE will communicate significant deviations from the approved internal audit plan to senior management and the Committee.
Reporting and Monitoring
The CAE will communicate results of each engagement using the appropriate format, which may include, audit reports, client service letters, emails, verbal consultations, to management responsible for implementing control improvements. The CAE will also communicate significant audit results to the Committee, the University President, senior management, and the University’s external audit firm.
The IAD will require management’s response to the specific audit observations and recommendations. Management’s response, whether included within the original audit report or provided thereafter (i.e.. within thirty days) should specify a timetable for completion of corrective actions and identify assigned people to implement control recommendations. The IAD will require a full explanation as to acceptance of identified risks where management determines corrective action will not be implemented.
The internal audit activity will be responsible for appropriate follow-up to assess management’s actions on engagement observations and recommendations.
The Chief Audit Executive will periodically report to senior management and the Committee on the internal audit activity’s purpose, authority, and responsibility, as well as performance relative to its plan. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the Committee.
In addition, the Chief Audit Executive will communicate to senior management and the Committee on the internal audit activity’s quality assurance and improvement program, including results of ongoing internal assessments and external assessments conducted at least every five years.