Approval Date: 2017-05-11
Effective Date: 2017-05-11
Review Date: 2021-05-11
The Board of Regents
- To define the roles and responsibilities relating to Audit Activity.
- To establish principles and guidelines that govern Internal Audit for the University.
- To outline the authority of the Office of Internal Audit as per the Internal Audit Charter.
- To differentiate the Audit Activities among the Office of Internal Audit and other Units conducting Audit Activity.
Any type of activity undertaken by Members of the University, including Separately Incorporated Entities that is directly related to or arises out of the operations of the University and utilizes University resources.
Audit Activity– an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. Audit Activity may be either External Audit or Internal Audit.
Control Environment– the set of standards, processes and structures that provide the basis for carrying out Internal Control activities across the University. The control environment is comprised of the following:
- Core Values including integrity and ethical values
- Parameters enabling the Board of Regents to carry out its governance oversight responsibilities
- Structure and assignment of authority and responsibility
- Process for attracting, developing and retaining competent individuals
- Establishing, implementing and assessing processes that drive accountability.
The control environment sets the tone of the University regarding the importance of Internal Control.
External Audit– Audit Activity performed by an auditor who is external to the University. Normally, External Audits are required by external regulators and/or legislation. Operations throughout the University may be subject to audit by agencies external to the University in the areas of finance, environmental health and safety, research, taxation, etc.
Fraudulent Activity– a deliberate or unlawful deception, misrepresentation or concealment of facts practiced to secure advantage, benefit or gain (including benefit to the University) and/or to cause loss to another. Examples may include but are not limited to: claims for expenses not incurred, claims for overtime not worked, misuse of funds, and accounting practices that do not follow professional accounting standards.
Internal Audit– Audit Activity administered by University employees through a systematic, disciplined approach to evaluate and improve effectiveness of risk management, strategic, operational, compliance and reporting activities.
Internal Control– activity designed to support the University in the achievement of its objectives relating to operations, compliance, and reporting. Control activities are designed to manage Risks and may be established through policies and procedures. They may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and monitoring process effectiveness.
Member of the University– an employee or other individual acting at the request of and on behalf of the University.
Risk– the effect of uncertainty on objectives, resulting in positive and/or negative impact on the University’s mission.
Risk Appetite - The amount and type of risk that the university is willing to take in order to meet its strategic objectives.
Unit– Academic or administrative unit as defined in the University Calendar.
Unit Head– Deans, Department Heads, Division Heads, Heads of Schools, Directors, Executive Directors, University Librarian, University Registrar or other senior administrators of a comparable level; Associate Vice-Presidents, Vice-Presidents, or the President and Vice- Chancellor.
University– Memorial University of Newfoundland
University Records– See Information Management policy.
1.1 This policy should be read in conjunction with the Board of Regent’s Internal Audit Charter and the Terms of Reference for the Board of Regents Audit and Risk Committee. The Internal Audit Charter establishes the purpose, authority and responsibility of the Office of Internal Audit.
1.2 In addition to the University’s Office of Internal Audit, other Units conduct Internal Audits.
1.3 This policy defines the roles and responsibilities of Members of the University with regard to Audit Activity. Audit Activity is conducted to determine whether the University’s risk management, control, and governance processes, as designed and represented by administration, are adequate and functioning in a manner to ensure:
- Risks are appropriately identified and managed in relation to goals and objectives, as per the Enterprise Risk Management policy.
- Controls designed to manage Risks are adequate and are working effectively.
- Interaction with Members of the University occurs, as needed.
- Financial, managerial, and operating data are accurate, reliable, and timely.
- Actions by Members of the University are in compliance with policies, contracts, standards, procedures, and applicable laws and regulations.
- Resources are acquired economically, used efficiently, and adequately protected.
- Quality and continuous improvement are fostered in control processes.
- Legislative or regulatory issues and changes are recognized and addressed properly.
1.4 Audit Activity is concerned with University operations and involves obtaining a comprehensive understanding of the activity(s) under review.
2.0 ROLES AND RESPONSIBILITIES
2.1 As per Section 33. General Powers of the Board of the Memorial University Act and the Board of Regents bylaws, the Board of Regents fulfills its statutory and stewardship roles by ensuring appropriate controls are in place to achieve the University's objectives. This responsibility is executed through the appointed Audit and Risk Committee, which provides assistance to the Board of Regents in relation to the oversight of strategic, operational, compliance and reporting Risk, including the work of the Office of Internal Audit as follows:
- Approval of the annual internal audit work plan.
- Receiving an executive summary of each final internal audit report.
- Monitoring / ensuring adequacy of assurance.
- Engaging external financial auditors and other audit specialists, as needed.
2.2 The President and Vice-Presidents are responsible for:
- Demonstrating commitment to a Control Environment where Risk is appropriately monitored and managed.
- Receiving and reviewing audit reports by the Office of Internal Audit, and other auditors, as applicable.
- Ensuring that audit findings arising from Audit Activity are addressed, as applicable.
2.3 Unit Heads are responsible for:
- Notifying appropriate Members of the University that an audit will be conducted and providing sufficient information regarding the type of audit and expectations of those Members.
- Ensuring cooperation is extended to the Office of Internal Audit by providing the Office with full, free and unrestricted access to functions, University records, property, systems, physical assets and Members of the University as requested by the Office of Internal Audit in the conduct of the audit.
- Ensuring that responses are submitted in a timely manner.
- Developing action plans for implementing the recommendations contained in the audit report or developing alternatives that meet the objectives of the recommendations, thereby ensuring that Risks are mitigated within the University’s Risk Appetite.
- Overseeing execution of the action plan(s).
- Providing the Office of Internal Audit with details of any completed corrective actions and/or status of the action plan(s).
- Reporting to the Office of Internal Audit any findings coming from an Internal Audit other than those conducted by the Officer of Internal Audit, or an External Audit that are deemed significant in accordance with the University’s Risk Appetite.
2.4 The role of Members of the University is to cooperate with the Office of Internal Audit and others conducting Audit Activity by providing access to all University Records and Members of the University as requested and in accordance with the mandate and the objectives of the audit.
2.5 The Office of Internal Audit, under the direction of the University Auditor, is responsible for Internal Audit, University-wide. The role of the Office of Internal Audit is to assist the Board of Regents and administration in the effective discharge of their fiduciary and administrative responsibilities. This is achieved by providing information, analysis, appraisals, counsel and recommendations concerning activities reviewed, and by promoting effective controls. See also the Internal Audit Charter.
2.6 Other Auditors within the University conduct reviews and provide advice on operations and activities in relation to a particular Unit and /or a particular activity. They have been assigned to use a systematic, disciplined approach to evaluate and improve effectiveness in the Unit or with the particular activity. They make a balanced assessment of the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments. These auditors conduct reviews through quality management systems, environmental health and safety audits, etc. These auditors prepare a written report of their audit work and provide it to the applicable Unit Head. These reports may include the objective of the audit, nature and scope of review, summary of findings, recommendations and any conclusions.
3.0 AUTHORITY OF THE OFFICE OF INTERNAL AUDIT
3.1 In accordance with the Internal Audit Charter, the Office of Internal Audit is authorized to:
- Have full, free and unrestricted access to all functions, University records, property, systems, physical assets and Members of the University including access to the Board of Regents through its Audit and Risk Committee, as well as to the President.
- Allocate Office of Internal Audit resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish audit objectives.
- Obtain the necessary assistance of Members of the University where audits are being performed.
- Engage specialized expertise, as needed.
- Determine the contents of Internal Audit reports or investigations summarizing the results of their work.
- Conduct investigations of possible Fraudulent Activity.
3.2 Normally, notice is provided to the Unit being audited, however, the Office of Internal Audit may conduct an Internal Audit or investigation without providing prior notice, in extenuating circumstances.
3.3 Unless authorized by the Board of Regent’s Audit and Risk Committee, the Office of Internal Audit is not authorized to:
- Perform any operational duties for the University.
- Initiate or approve accounting transactions external to the Office of Internal Audit.
- Direct the activities of Members of the University not employed by the Office of Internal Audit, unless those activities are necessary to the conduct of an audit or investigation by the Office of Internal Audit, or to the extent such Member of the University has been assigned to assist Internal Audit.
- Evaluate the content and quality of teaching and/or research.
4.0 INDEPENDENCE AND OBJECTIVITY OF THE OFFICE OF INTERNAL AUDIT
4.1 Independence, objectivity, and integrity are the foundation of an effective Internal Audit and assurance system.
4.2 The Office of Internal Audit shall:
- have an impartial, unbiased frame of mind, avoid conflicts of interest and be independent in fact and appearance. Internal auditors have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement Internal Controls, develop procedures, install systems, prepare records, or engage in any other activity which could reasonably be construed to compromise their independence and/or impair their judgement. The Internal Audit function’s work of reviewing, appraising, and reporting on established policies, plans, and procedures does not in any way relieve Unit Heads of responsibilities assigned to them.
- make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
- remain free of inappropriate influence, including matters of audit selection, scope, procedures, frequency, timing, report content and communication of results.
- confirm to the Board of Regent’s Audit and Risk Committee, at least annually, the organizational independence of Internal Audit activity, including disclosure of any impaired objectivity and how it was addressed.
5.0 POSSIBLE FRAUDULENT ACTIVITY
5.1. The Office of Internal Audit conducts its reviews with an attitude of professional skepticism and neutrality, recognizing that the application of internal auditing procedures may identify indicators of fraud risk. However, the Office of Internal Audit is not solely responsible for the detection and prevention of Fraudulent Activity. Members of the University share that responsibility in the execution of their duties.
5.3 Fraudulent Activity by any Member of the University is prohibited. Any Member of the University who observes Fraudulent Activity may report it in accordance with the Procedure for Reporting and Investigating Fraudulent Activity.
6.0 AUDIT REPORTS
When conducting reviews and audits, the Office of Internal Audit prepares a final written report. Each report states the objective(s) of the audit, nature and scope of review, summary of findings, recommendations and conclusions. See Procedure for Office of Internal Audit Reports.
To inform the University audit plan and where appropriate, the Office of Internal Audit shall coordinate with and provide assessments of other control and monitoring functions and other Audit Activity across the University, including: risk management, compliance in various units, security, legal, ethics, health and safety. This coordination role extends to sharing in training and development initiatives, sharing relevant information, and advising on a standard of quality and consistency of audit approach, execution and reporting.
8.0 RECORDS AND CONFIDENTIALITY
8.1 With strict accountability for confidentiality and safeguarding records and information, those who conduct Internal Audit activity are authorized full, free, and unrestricted access to any University records, property, systems, physical assets and Members of the University within the scope of the particular audit.
8.2 Information is handled in accordance with the Access to Information and Protection of Privacy Act, 2015, SNL 2015, C A-1.2 (ATIPPA), other legislation to which the University is subject, and University policies.
8.3 Those who conduct Internal Audit activity shall be the official custodian of records created as a result of that activity and investigations and shall manage those records in accordance with the University’s Information Management policy.
- Procedure for Office of Internal Audit Reports
- Procedure for Reporting and Investigating Fraudulent Activity