Internal Audit

Introduction

Internal Audit assists the University in accomplishing its objectives and meeting its fiduciary and administrative responsibilities by providing independent, objective assurance and consulting activities that are guided by a philosophy of adding value to improve the University’s operations.  This is done by bringing a systematic, disciplined and risk-based approach to evaluate and improve the effectiveness of University governance, risk management, and the system of internal controls and administrative processes when related to:

• enhancing the efficiency and effectiveness of University functions;
• improving internal controls;
• ensuring compliance with University policies and procedures and other applicable acts and regulations;
• contributing to the assessment of institutional risk; and
• meeting the University’s fiduciary requirements.

Policy

• Internal audits will be done throughout the University, and no function, activity, faculty or department is exempt from an internal audit.  Administrators, faculty and staff members must cooperate with the internal auditor by providing access to all records (including financial accounts), employees, and students they request as a part of the audit.
• Internal Auditor will not have direct authority over or responsibility for any of the activities reviewed during the course of work.  Internal Auditor will not develop and implement procedures, prepare records, make management decisions, or engage in any other activity that could be reasonably construed to compromise their independence.  Internal Auditor neither substitutes for nor relieves other University personnel from their assigned responsibilities.
• Officers and administrators are responsible for implementing recommendations that result from an audit or accepting the risk of non-implementation. 

Roles and Responsibilities

Board of Governors:

• delegates the oversight of internal audit to the Audit and Risk Management Committee.
• approves the internal audit work plan.
• approves the office of internal audit charter and revisions to it.

Audit and Risk Management Committee:

• reviews the internal audit work plan and recommends for approval to the Board.
• receives an executive summary of each final internal audit report.
• reviews the office of internal audit charter at least annually and recommends changes for approval to the Board, if needed.
• reviews the results of the quality assurance and improvement program for the internal audit activity.
• determines the frequency of meetings with the Internal Auditor.
• participates in the decisions regarding the appointment, removal, and performance review of the Internal Auditor.

University Executive Team:

• provides input into the development of the internal audit work plan.
• receives the audit reports.
• requests consulting services and investigations to be performed by the Internal Auditor, when needed.

Executive Director, University Governance:

• determines next steps that will be taken towards a resolution where the Internal Auditor encounters a situation that cannot be resolved  with the Administrator in the area being audited.  If the issue is still not resolved, the matter will be then escalated to the President and/or the Chair of the Audit and Risk Management Committee.

The Internal Auditor:

• reports functionally through the President to the Audit and Risk Management Committee of the University of Regina Board of Governors. 
• reports administratively to the Executive Director, University Governance, and is a member of the University Secretariat (to ensure that internal audit has no operational accountability).
• will meet with the Audit and Risk Management Committee in an in camera session at every meeting or more frequently at the request of the Internal Auditor, or the Chair, Audit and Risk Management Committee. 
• reviews the University’s established internal control system, administrative controls and processes to ensure that these are functioning, adequate, effective and efficient;
• reviews the reliability and integrity of the accounting, financial and reporting systems and procedures;
• assesses compliance of University processes and procedures with University policies and procedures; provincial and federal laws and regulations, contractual obligations and best business practices that have a significant impact on University operations and reporting;
• reviews the extent to which University resources are employed and determining if these resources are employed efficiently and economically;
• assesses the means in which assets are safeguarded as appropriate, verifying the existence and appropriate use of these assets;
• evaluates operational procedures to determine whether results are consistent with established objectives and goals, and whether the procedures are carried out as planned;
• evaluates the effectiveness of the University’s operational risk management processes;
• investigates and/or supports investigations or alleged violations of policies, procedures, errors, fraud or misuse of University assets or resources, including the activities that relate to research and other grants.  This may require liaising with law enforcement authorities as appropriate;
• engages external contractors to increase the scope of the internal audit, when necessary, or to perform specialized projects. This requires approval of the Audit and Risk Management Committee;
• consults when policies and procedures, financial and administrative systems, organizational structures and other related administrative activities are being reviewed;
• consults on the design of new processing systems and/or major modifications to existing systems prior to installation to ensure the new system has adequate, effective and efficient controls;
• seeks input of the University Executive Team to develop the internal audit work plan for the upcoming year by prioritizing using a risk-based methodology to identify those areas as ‘high risk'
• presents the internal audit plan to the Audit and Risk Management Committee for review and further recommendation to the Board for approval;
• presents the internal audit activity charter to the Audit and Risk Management Committee for review at least annually and further recommendation to the Board for approval, if changes are needed;
• develops and presents the budget for special projects and initiatives of the office of internal audit to the Audit and Risk Management Committee and Executive Director, University Governance, in accordance with the annual internal audit plan;
• meets with the Provincial Auditor on a regular basis to ensure that each other’s activities are coordinated in order to minimize duplication of areas to be audited; and,
• sends, upon request, internal audit reports to the Provincial Auditor, providing no confidentiality issues exist.  If other auditors are engaged, the sharing of internal audit reports will be done with the permission of the Chair of the Audit and Risk Management Committee and the Provincial Auditor (or other auditors), as required. 

Consequences for Noncompliance

Recommendations made by the Internal Auditor will be provided to the Administrator responsible for the Faculty/Department to implement and will be required to report progress to address recommendations to the University Executive Team and Audit and Risk Management Committee, or reasons for acceptance of risk of non-compliance.  Recommendations that are not implemented or responded to with reasonable resolutions will be provided to the University Executive Team and as part of the report to the Audit and Risk Management Committee for possible disciplinary action.

Processes

Internal Audit Process

1. Identify the Faculty/Department for review based on priorities identified in the Board approved work plan.
2. Meet with the Faculty/Department Administrator to explain the review process.
3. Request information from Faculty/Department faculty and staff required for the audit. 
4. Review information provided to draw a conclusion about compliance with the University’s policies and with government legislation, effectiveness of the internal controls, or other subject matter which is under review.
5. Present recommendations from the audit to the Faculty/Department Head for implementation.
6. Provide a report on the recommendations to the University Executive Team.
7. Provide a report to the Audit and Risk Management Committee.

Related Information

GOV-022-020 - Safe Disclosure (Whistleblower Protection)

Professional Standards

• International Standards for the Professional Practice of Internal Auditing
• Definition of Internal Auditing
• Code of Ethics
• Core Principles

Other

• Audit and Risk Management Committee Terms of Reference
• Office of Internal Audit Charter (373 KB)