MUS Internal Audit Charter
Purpose and Mission
Internal audit’s purpose is to provide independent, objective assurance and advisory services to the Board of Regents (BOR) and Montana University System (MUS) executive management in order to add value and improve operations. Internal audit helps the MUS accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes. The mission of internal audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
Standards for the Professional Practice of Internal Auditing
Internal audit will govern itself by and comply with the mandatory elements of The Institute of Internal Auditors’ International Professional Practices Framework (IPPF), including the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing. The MUS Director of Assurance and Enterprise Risk will report periodically to executive management and the BOR’s Budget, Administration, and Audit Committee (BAAC) regarding internal audit’s conformance to the Code of Ethics and the Standards.
MUS and campus internal audit staff will provide audit services for the MUS. For campuses having an internal audit function, the campus Internal Audit Director will report functionally to the MUS Director of Assurance and Enterprise Risk and administratively (i.e. day-to-day operations) to the President or equivalent. The MUS Director of Assurance and Enterprise Risk shall report functionally to the Chair of the BAAC and administratively to the Commissioner of Higher Education or their designee. The MUS Director of Assurance and Enterprise Risk shall have the authority to direct campus internal audit functions to audit specific areas at their campuses as needed and approved by the BAAC.
To establish, maintain, and assure internal audit has sufficient authority to fulfill its duties, the BOR, as a whole, will:
- Review and approve the MUS internal audit charter, which carries through to individual campuses’ internal audit functions.
- Review and approve the MUS internal audit budget and resource plan as part of the annual approval of the MUS operating budgets.
The BAAC will:
- Review and approve the annual risk-based internal audit plan, which will include individual campuses’ internal audit plans and budgets.
- Receive communications from the MUS Director of Assurance and Enterprise Risk on internal audit’s performance relative to its plan and other matters.
- Make appropriate inquiries of management and the MUS Director of Assurance and Enterprise Risk to determine whether there are inappropriate scope or resource limitations.
- Assure that audit findings and recommendations will be afforded adequate consideration and that the effectiveness of action is communicated at the appropriate Board and public level.
The Commissioner of Higher Education will:
- In consultation with the BAAC chair, review and approve the MUS Director of Assurance and Enterprise Risk’s appointment, non-renewal of contract, or changes to salary outside of the normal Board-approved pay plan.
The MUS Director of Assurance and Enterprise Risk will:
- In consultation with the University President and Commissioner of Higher Education, review and approve decisions regarding a campus Internal Audit Director’s appointment, non-renewal of contract, or changes to salary outside of the normal University-approved pay plan.
The MUS Director of Assurance and Enterprise Risk will have unrestricted access to, and communicate and interact directly with, the BAAC, which may include private meetings without management present.
The BOR authorizes all staff of internal audit to have full, free, and unrestricted access to all MUS functions, records, physical properties, and personnel pertinent to carrying out any engagement, subject to the accountability for confidentiality and safeguarding of records and information. All employees are directed to assist internal audit staff in fulfilling their role and responsibilities. Additionally, the BOR authorizes internal audit to allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques required to accomplish audit objectives, and issue reports.
Independence and Objectivity
The MUS Director of Assurance and Enterprise Risk will ensure that internal audit remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and report content. If the MUS Director of Assurance and Enterprise Risk determines that independence or objectivity may be impaired in fact or appearance, the details of the impairment will be disclosed to appropriate parties.
Internal auditors will maintain an impartial, unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.
Internal audit staff shall not have direct operational responsibility or authority over any of the activities they review. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity which normally could be audited. This includes assessing specific operations for which they had responsibility within the previous year; performing any operational duties for the MUS; initiating or approving transactions external to internal audit; or directing the activities of any employee not employed by internal audit, except to the extent that such employees have been appropriately assigned to auditing teams or to otherwise assist internal auditors.
Where an internal audit director has or is expected to have roles or responsibilities that fall outside of internal auditing, safeguards will be established to limit impairments to independence or objectivity. Internal auditors will:
- Disclose any impairment of independence or objectivity, in fact or appearance, to the BAAC.
- Exhibit professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.
- Make balanced assessments of all available and relevant facts and circumstances.
- Take necessary precautions to avoid being unduly influenced by their own interests or by others in forming judgements.
The MUS Director of Assurance and Enterprise Risk will confirm to the BAAC, at least annually, the organizational independence of internal audit. The MUS Director of Assurance and Enterprise Risk will disclose to the BAAC any interference and related implications in determining the scope of internal auditing, performing work, or communicating results.
The scope of internal audits may include assurance or advisory services in order to add value and improve operations. Assurance services are objective examinations of evidence for the purpose of providing an independent assessment to the BOR, management, and outside parties on the adequacy and effectiveness of governance, risk management, and control processes for the MUS. The scope includes reviewing and evaluating:
- Risks relating to the achievement of the university system’s strategic objectives are appropriately identified and managed;
- The means with which assets are safeguarded;
- The actions and internal controls established by the officers, directors, employees, and contractors follow policies, procedures, applicable laws, regulations, contracts, and governance standards;
- The results of operations or programs are consistent with established goals and objectives;
- The reliability and integrity of financial and operating information;
- Operations or programs are being carried out effectively and efficiently;
- The economy, efficiency, and effectiveness with which resources are employed; and
- Information and the means used to identify, measure, analyze, classify, and report such information are reliable and have integrity. This includes whether IT systems are appropriately managed, controlled, and protected.
The MUS Director of Assurance and Enterprise Risk will report periodically to the BAAC regarding:
- The internal audit purpose, authority, and responsibility.
- The annual internal audit plan and performance relative to the plan, including any significant interim changes or requests for review and approval.
- Internal audit’s conformance with the Institute of Internal Auditors’ Code of Ethics and Standards, and action plans to address any significant conformance issues.
- Significant risk exposures and control issues, including fraud risks, governance issues, and other matters requiring the attention of, or requested by, the BAAC.
- Results of audit engagements or other activities.
- Resource requirements.
- Any response to risk by management that may be unacceptable to the MUS.
Internal audit may perform advisory services regarding risk management, control, and governance as agreed upon with management, provided internal audit does not assume management responsibility. Advisory services are intended to add value and improve an organization’s governance, risk management, and control processes. Examples include counsel, advice, facilitation, and training.
Internal audit may administer a compliance hotline and perform investigative engagements to evaluate allegations of unethical business practices or financial and operational misconduct.
To help ensure key business risks are being managed appropriately at the MUS level and that the system of internal controls is operating effectively, the MUS Director of Assurance and Enterprise Risk’s role has been expanded to include facilitation of the MUS enterprise risk management (ERM) process. The role includes championing the establishment of ERM; facilitating the process to identify, evaluate, manage, and monitor risks; advising, challenging, coaching, and supporting management’s decisions on risk, as opposed to making risk management decisions; coordinating ERM activities; consolidating the reporting on risks; and communicating with management and the BAAC when management has accepted a level of risk that may be unacceptable to the MUS. To maintain independence and objectivity, the MUS Director of Assurance and Enterprise Risk does not own risks, and management remains responsible for risk management and compliance.
To help ensure proper coverage and minimize duplication of efforts, internal auditors will coordinate activities, where possible, and consider relying upon the work of other internal and external assurance and consulting service providers as needed. Coordination should include control and monitoring functions (e.g., risk management, compliance, security, legal, ethics, environmental health and safety, and external audit).
Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during engagements. These opportunities will be communicated to the appropriate level of management.
Internal Audit Directors have the responsibility to:
- Submit an annual, flexible, risk-based internal audit plan to executive management and the BAAC for review and approval.
- Communicate to executive management and the BAAC the impact of resource limitations on the internal audit plan.
- Review and adjust the internal audit plan, as necessary, in response to changes in the risks, operations, programs, systems, and controls.
- Communicate to executive management and the BAAC any significant interim changes to the internal audit plan.
- Ensure each engagement of the internal audit plan is executed, including the establishment of objectives and scope, the assignment of appropriate and adequately supervised resources, the documentation of work programs and testing results, and the communication of engagement results with applicable conclusions and recommendations to appropriate parties.
- Follow up on engagement findings and corrective actions, and report periodically to executive management and the BAAC any corrective actions not effectively implemented.
- Ensure the principles of integrity, objectivity, confidentiality, and competency are applied and upheld.
- Ensure internal audit collectively possesses or obtains the knowledge, skills, and other competencies needed to meet the requirements of the internal audit charter.
- Ensure trends and emerging issues that could impact the MUS are considered and communicated to executive management and the BAAC as appropriate.
- Ensure emerging trends and successful practices in internal auditing are considered.
- Establish and ensure adherence to policies and procedures designed to guide the internal audit.
- Ensure adherence to relevant policies and procedures, unless such policies and procedures conflict with the internal audit charter. Any such conflicts will be resolved or otherwise communicated to executive management and the BAAC.
- Ensure compliance with the Standards and disclose any areas of noncompliance to executive management and the BAAC.
Quality Assurance and Improvement Program
Internal audit will maintain a quality assurance and improvement program that covers all aspects of internal audit. The program will include an evaluation of internal audit’s conformance with the Standards and an evaluation of whether internal auditors apply the Institute of Internal Auditors’ Code of Ethics. The program will also assess the efficiency and effectiveness of internal audit and identify opportunities for improvement. The MUS Director of Assurance and Enterprise Risk will communicate to executive management and the BAAC on internal audit’s quality assurance and improvement program, including results of internal assessments (both ongoing and periodic) and external assessments conducted at least once every five years by a qualified, independent assessor or assessment team from outside of the MUS.