Internal Audit Charter
(Charter Revised November 2015)
It is the policy of the University of California to maintain an independent and objective internal audit function to provide the Regents, President, and campus Chancellors with information and assurance on the governance, risk management and internal control processes of the University. Further, it is the policy of the University to provide the resources necessary to enable Internal Audit to achieve its mission and discharge its responsibilities under its charter. Internal Audit is established by the Regents, and its responsibilities are defined by the Regents' Committee on Compliance and Audit as part of their oversight function.
UC Internal Audit will be a universally recognized knowledgeable, collaborative and trusted resource on governance, risk management and control.
The mission of the University of California (UC) internal audit (IA) is to provide the Regents, President, campus Chancellors and Laboratory Director independent and objective assurance and consulting services designed to add value and to improve operations. We do this through communication, monitoring and collaboration with management to assist the campus community in the discharge of their oversight, management, and operating responsibilities. IA brings a systematic and disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.
IA functions under the policies established by the regents of the University of California and by university management under delegated authority.
IA is authorized to have full, free and unrestricted access to information including records, computer files, property, and personnel of the university in accordance with the authority granted by approval of this charter and federal and state statutes. Except where limited by law, the work of IA is unrestricted. IA is free to review and evaluate all policies, procedures, and practices for any university activity, program, or function.
In performing the audit function, IA has no direct responsibility for, nor authority over any of the activities reviewed. The internal audit review and approval process does not in any way relieve other persons in the organization of the responsibilities assigned to them.
Independence and Reporting Structure
To permit the rendering of impartial and unbiased judgment essential to the proper conduct of audits, internal auditors will be independent of the activities they audit. This independence is based primarily upon organizational status and objectivity and is required by external industry standards.
The Senior Vice President - Chief Compliance and Audit Officer (CCAO) has a direct, independent reporting relationship to the Regents, communicating directly with the Board of Regents and the Regents' Committee on Compliance and Audit regarding all elements of meaningful compliance and audit programs, including providing annual reports on compliance with applicable laws, regulations, and University policies. The CCAO shall also consult with and advise the President on compliance and audit activities. The CCAO has established an active channel of communication with the Chair of the Regents' Committee on Compliance and Audit, as well as with campus executive management, on audit matters. The CCAO has direct access to the president and the Regents’ Committee on Compliance and Audit. In addition, the CCAO serves as a participating member on all campus compliance oversight/audit committees.
Campus/Laboratory Internal Audit Directors (IADs) report administratively to the Chancellor/Laboratory Director and directly to the Regents' Committee on Compliance and Audit through the CCAO. IADs have direct access to the CCAO and to the president or the Regents' Committee on Compliance and Audit as circumstances warrant.
Campus IADs will report periodically to the campus compliance oversight/audit committees on the adequacy and effectiveness of the organization’s processes for controlling its activities and managing its risks in the areas set forth under the mission and scope of work; the status of the annual audit plan; and the sufficiency of audit resources. The local audit functions will coordinate with and provide oversight of other control and monitoring functions involved in governance such as risk management, compliance, security, legal, ethics, environmental health & safety, external audit, etc.
IADs may take directly to the respective chancellor or laboratory director, the CCAO, the president, or the regents matters that they believe to be of sufficient magnitude and importance. IADs shall take directly to the CCAO, who shall report to the president and the Regents' Committee on Compliance and Audit Chair, any credible allegations of significant wrongdoing (including any wrongdoing for personal financial gain) by or about a Chancellor, Executive Vice Chancellor or Vice President, or any other credible allegations that if true could cause significant harm or damage to the reputation of the University.
The Chancellors/Laboratory Director may delegate other IAD administrative oversight responsibilities such as time and expense approval and departmental budget oversight to a position no lower than the Vice Chancellor/Associate Laboratory Director or Chief Operating Officer level. To maintain organizational independence, this position should generally not have responsibility over key operating units routinely reviewed by internal audit. The Chancellor/Laboratory Director shall retain responsibility for: approval of the campus/laboratory annual audit plan; approval of local audit committee/work group charter; and shall meet with the IAD regularly to review the state of the internal audit function and the state of internal controls locally. The Regents have the ultimate authority to approve and/or amend the systemwide audit plan, which is a consolidation of all campus and laboratory audit plans.
Scope of Work
The scope of IA work is to determine whether UC’s network of risk management, control, and governance processes, as designed and represented by management at all levels, is adequate and functioning in a manner to ensure:
- Risk management processes are effective and significant risks are appropriately identified and managed.
- Ethics and values are promoted within the organization.
- Financial and operational information is accurate, reliable, and timely.
- Employees’ actions are in compliance with policies, standards, procedures, and applicable laws and regulations.
- Resources are acquired economically, used efficiently, and adequately protected.
- Programs, plans, and objectives are achieved.
- Quality and continuous improvement are fostered in the organization’s risk management and control processes.
- Significant legislative or regulatory compliance issues impacting the organization are recognized and addressed properly.
- Effective organizational performance management and accountability are fostered.
- Coordination of activities and communication of information among the various governance groups occur as needed.
- The potential occurrence of fraud is evaluated and fraud risk is managed.
- Information technology governance supports UC strategies, objectives, and the organization’s privacy framework.
- Information technology security practices adequately protect information assets and are in compliance with applicable policies, rules and regulations.
Opportunities for improving management control, quality and effectiveness of services, and the organization’s image identified during audits are communicated by IA to the appropriate levels of management.
Nature of Assurance and Consulting Services
IA performs three types of projects:
- Audits are assurance services defined as examinations of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples include financial, performance, compliance, systems security and due diligence engagements.
- Consulting services, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include reviews, recommendations (advice), facilitation, and training.
- Investigations are independent evaluations of allegations generally focused on improper governmental activities including misuse of university resources, fraud, financial irregularities, significant control weaknesses and unethical behavior or actions.
IA serves the university in a manner that is consistent with the standards established by the SVP/CCAO and acts in accordance with university policies and UC Standards for Ethical Conduct. At a minimum, it complies with relevant professional standards, and the Institute of Internal Auditors’ mandatory guidance including the Definition of Internal Auditing, the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing. This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity’s performance.
Certain Personnel Matters
Action to appoint, demote or dismiss the SVP/CCAO requires the approval of the Regents. Action to appoint an IAD requires the concurrence of the SVP/CCAO. Action to demote or dismiss an IAD requires the concurrence of the president and chair of the Compliance and Audit Committee, upon the recommendation of the SVP/CCAO.