Internal Audit: Difference between revisions

Line 27: Line 27:
Policy No.: '''8016'''<br />
Policy No.: '''8016'''<br />
Effective Date: '''09/08/15'''<br />
Effective Date: '''09/08/15'''<br />
Revised Date: <br />
Revised Date: '''DRAFT 03/16/18'''<br />
Reviewed Date: <br /><br />
Reviewed Date: <br /><br />
<big>'''Internal Audit Policy'''</big>
<big>'''Internal Audit Policy'''</big>
==Basis for Policy==
==Basis for Policy==
The University of Nebraska Medical Center (UNMC) shall comply with all applicable federal, state and local laws and regulations and University of Nebraska and UNMC Policies and Procedures.  
The University of Nebraska Medical Center (UNMC) shall comply with all applicable federal, state and local laws, regulations and University of Nebraska and UNMC Policies and Procedures. The [https://nebraska.edu/administration/internal-audit-and-advisory-services/charter.html University of Nebraska Internal Audit Charter] is approved by the Board of Regents and gives authority to the Chief Audit Executive and personnel of the internal audit activity to assess, evaluate and improve the University’s effectiveness of risk management, control, and governance processes by providing independent, objective assurance and consulting services.
==Internal Audit Structure==
== Mission/Scope of Work==
The mission of the internal audit activity is to provide independent, objective assurance and consulting services designed to add value and improve the UNMC’s operations. It helps UNMC accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.  
The mission of the internal audit activity is to provide independent, objective assurance and consulting services designed to add value and improve the University’s operations. It helps the University accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. <br />
 
<br />
The scope of work of the internal audit activity is to determine whether UNMC’s network of risk management, control and governance processes, as designed and represented by management, is adequate and functioning in a manner to ensure:
The scope of work of the internal audit activity is to determine whether the University’s network of risk management, control and governance processes, as designed and represented by management, is adequate and functioning in a manner to ensure:
*Risks are appropriately identified and managed.
*Risks are appropriately identified and managed.
*Interaction with the various governance groups occurs as needed.
*Interaction with the various governance groups occurs as needed.
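Review bot: In the Mission/Scope of Work paragraphs, "UNMC’s" becomes "the University’s", but the Basis for Policy sentence still opens with "The University of Nebraska Medical Center (UNMC)" and also names the "University of Nebraska", so "the University" is never defined and can be read as either institution. State once in Basis for Policy which entity "the University" refers to, or keep "UNMC" wherever the campus is meant. The Revised Date field also reads "DRAFT 03/16/18"; remove the DRAFT marker before this revision is treated as the effective policy.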
Line 42: Line 42:
*Resources are acquired economically, used efficiently and adequately protected.
*Resources are acquired economically, used efficiently and adequately protected.
*Programs, plans, and objectives are achieved.
*Programs, plans, and objectives are achieved.
*Quality and continuous improvement are fostered in UNMC’s control process.
*Quality and continuous improvement are fostered in the University’s control process.
*Significant legislative or regulatory issues impacting UNMC are recognized and addressed appropriately.
*Significant legislative or regulatory issues impacting the University are recognized and addressed appropriately.
*Opportunities for improving management control, profitability, and UNMC’s image may be identified during audits. They will be communicated to the appropriate level of management.  
Opportunities for improving management control, profitability, and the University’s image may be identified during audits. They will be communicated to the appropriate level of management.  
==Accountability==
==Accountability==
The Internal Audit Director, shall be accountable to the Chancellor and provide information, on request for the chief audit executive, to be presented at the Audit, Risk and Compliance Committee including:
The Assistant Vice President and Director of Internal Audit and Advisory Services (Director), in the discharge of his/her duties, shall be accountable to management, the President and the audit committee to:
*Provide annually an assessment on the adequacy and effectiveness of the campus processes for controlling its activities and managing its risks in the areas set forth under the mission and scope of work.
*Provide annually an assessment on the adequacy and effectiveness of the University’s processes for controlling its activities and managing its risks in the areas set forth under the mission and scope of work.
*Report significant issues related to the processes for controlling the activities of the campus and its affiliates, including potential improvements to those processes, and provide information concerning such issues through resolution.
*Report significant issues related to the processes for controlling the activities of the University and its affiliates, including potential improvements to those processes, and provide information concerning such issues through resolution.
*Periodically provide information on the status and results of the annual audit plan and the sufficiency of activity resources.
*Periodically provide information on the status and results of the annual audit plan and the sufficiency of activity resources.
*Coordinate with other control and monitoring functions (risk management, compliance, security, legal, ethics, environmental, external audit) to conduct risk assessments and develop or recommend monitoring activities to evaluate the adequacy and effectiveness of internal controls.
*Coordinate with other control and monitoring functions (risk management, compliance, security, legal, ethics, environmental, external audit) to conduct risk assessments and develop or recommend monitoring activities to evaluate the adequacy and effectiveness of internal controls.
==Responsibility==
==Independence ==
*Develop a flexible annual audit plan using an appropriate risk-based methodology, including any risks or control concerns identified by management, and submit that plan to the Chancellor for review and approval as well as periodic updates. The Plan shall be presented to the Audit, Risk and Compliance Committee annually.
To provide for the independence of the internal auditing activity, all internal audit personnel report to the Director, who reports functionally to the audit committee and administratively to the President in a manner outlined in the above section on Accountability. The Director will include as part of the annual report to the audit committee a section on internal audit personnel. <br />
*Implement the annual audit plan, as approved, including as appropriate, any special tasks or projects requested by management and the Audit, Risk and Compliance Committee.
<br />
The campus directors will be the primary point of contact for their campus chancellor.
==Responsibility ==
The director has the responsibility to:
*Develop a flexible annual audit plan using an appropriate risk-based methodology, including any risks or control concerns identified by management, and submit that plan to the audit committee for review and approval as well as periodic updates.
*Implement the annual audit plan, as approved, including as appropriate, any special tasks or projects requested by management and the audit committee.
*Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this Charter.  
*Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this Charter.  
*Evaluate and assess significant merging/consolidating functions and new or changing services, processes, operations, and control processes coincident with their development, implementation, and/or expansion.
*Evaluate and assess significant merging/consolidating functions and new or changing services, processes, operations, and control processes coincident with their development, implementation, and/or expansion.
*Issue periodic reports to the chief audit executive and management summarizing results of audit activities.
*Issue reports to the audit committee and management summarizing results of audit activities.
*Keep the audit committee informed of emerging trends and successful practices in internal auditing.
*Provide a list of significant measurement goals and results to the audit committee.
*Assist in the investigation of significant suspected fraudulent activities within the University and notify management and the audit committee of the results.
*Consider the scope of work of the external auditors and regulators, as appropriate, for the purpose of providing optimal audit coverage to the University at a reasonable overall cost.
Each campus director has a responsibility to:
*Meet with their chancellor on a quarterly basis.
*Keep the chief audit executive informed of emerging trends and significant issues, as it relates to their campus.
*Keep the chief audit executive informed of emerging trends and significant issues, as it relates to their campus.
*Provide a list of significant measurement goals and results to the chief audit executive.
*Be the point of contact for their campus chancellor, including incidents of fraud, assisting the chancellor in performing the campus risk assessment, if requested to, and management requests for audits or consulting work, as authorized by the director.
*Assist in the investigation of significant suspected fraudulent activities within their campus and notify management and the chief audit executive of the results.
==Authority==
*Consider the scope of work of UNMC-selected external auditors for the purpose of providing optimal audit coverage to UNMC at a reasonable overall cost.
The chief audit executive and personnel of the internal audit activity are authorized to:
==Independence ==
*Have unrestricted access to all functions, records, property and personnel (the University Technology Development Corporation and its entities and NSRI Classified Task Orders and related activity are not in the scope/audit universe).
To provide for the independence of the internal auditing activity, administration’s personnel report to the chief audit executive, who reports functionally to the Audit, Risk and Compliance Committee and administratively to the President in a manner outlined in the above section on Accountability. The chief audit executive will include as part of the annual report to the Audit, Risk and Compliance Committee a section on internal audit personnel.  
*Have full and free access to the audit committee.
 
*Allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish audit objectives.
The campus directors will report to their campus Chancellor and provide information to the chief audit executive as outlined in the above section on Accountability.
*Obtain the necessary assistance of personnel in units of the University where they perform audits, as well as other specialized services from within or outside the University.
Members of the internal audit activity are not authorized to:
*Perform any operational duties for the University or its affiliates.
*Initiate or approve accounting transactions external to the internal auditing activity.
*Direct the activities of any University employee not employed by the internal auditing activity, except to the extent such employees have been appropriately assigned to auditing teams or otherwise assist the internal auditors.
==Standards of Audit Practice ==
==Standards of Audit Practice ==
The internal audit activity will meet or exceed the [https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx International Standards for the Professional Practice of Internal Auditing] and [https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx Code of Ethics] of The [https://na.theiia.org/Pages/IIAHome.aspx Institute of Internal Auditors].
The internal audit activity will meet or exceed the [https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx International Standards for the Professional Practice of Internal Auditing], mandatory guidance including the Definition of Internal Auditing and [https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx Code of Ethics] of The Institute of Internal Auditors.
==Management's Responsibilities==
Management is responsible for ensuring that systems of internal control are in place, good business practices are implemented and followed in all areas, compliance is maintained, fraud risks are identified and mitigated, and effective governance is established. This provides assurance that financial information and other management information are reliable, that University resources are used efficiently and effectively and that the potential for fraud is minimized. <br />
<br />
Management shall provide a written response to report recommendations issued within time frames requested by internal audit. Management is responsible to address issues identified by implementing recommendations or agreed-upon corrective action plans.
==Access to the Audit Committee==
All internal audit personnel will have access to the Audit Committee by requesting they be added to the next Audit Committee agenda.  
==Additional Information==
==Additional Information==
*Contact the [mailto:mjustus@nebraska.edu Asst. Vice President and Director, Internal Audit], 402-472-7109
*Contact the [mailto:barb.brey@unmc.edu Director, Internal Audit], 402-559-5824  
*Contact the [mailto:barb.brey@unmc.edu Director, Internal Audit], 402-559-5824  
*UNMC Policy No. 8000, [[Compliance Program]]
*UNMC Policy No. 8000, [[Compliance Program]]
*[https://nebraska.edu/administration/internal-audit-and-advisory-services/charter.html University of Nebraska Internal Audit Charter]
*[https://na.theiia.org/Pages/IIAHome.aspx Institute of Internal Auditors]
*[https://na.theiia.org/Pages/IIAHome.aspx Institute of Internal Auditors]
:*[https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx International Standards for the Professional Practice of Internal Auditing]  
:*[https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx International Standards for the Professional Practice of Internal Auditing]  
:*[https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx Code of Ethics]
:*[https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx Code of Ethics] of The Institute of Internal Auditors




This page maintained by [mailto:dpanowic@unmc.edu dkp].
This page maintained by [mailto:dpanowic@unmc.edu dkp].
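Review bot: The Authority section opens with "The chief audit executive and personnel of the internal audit activity" and a campus-director bullet says "Keep the chief audit executive informed", while Accountability defines "(Director)" and the Independence and Responsibility text uses "the Director" and "The director"; the text never says whether these are the same role. Use one title throughout, or add a sentence relating the two, and settle the capitalization of "audit committee" against "Audit Committee" in the Access to the Audit Committee section. The Responsibility bullet ending "meet the requirements of this Charter" should say "this Policy" or cite the linked University of Nebraska Internal Audit Charter by name, since this page is headed Internal Audit Policy.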