Governance

The State Board of Regents provides governance and oversight to the university, but they have delegated their authority of developing policies and maintaining the control environment to the President. In turn, the President has delegated the authority of implementing policies and managing the control environment to the colleges and departments. The Office of Internal Audit does not have the authority or responsibility for writing policies or maintaining the control environment, but rather is responsible for monitoring the effectiveness of the university's processes and control environment.

The Office of Internal Audit reports administratively through the Office of the President. All employees (other than the Chief Audit Executive) are Iowa State University employees. As a result, the Office of Internal Audit reports functionally to the President. In order to ensure its independence, the Internal Audit Director administratively reports to the Executive Director of the Board Office and the Chair of the Audit and Compliance Committee.

The State Board of Regents has approved the Internal Audit Charter which clearly defines Internal Audit's role and authority within the institution.

Board of Regents Logo

INTERNAL AUDIT CHARTER

Approved by State Board of Regents - September 27, 2023

MISSION AND SCOPE OF WORK

The mission of the Office of Internal Audit is to provide independent, objective assurance and consulting services designed to add value to and strengthen the management of the Board of Regents and its institutions. The Office of Internal Audit helps the organization achieve its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.

 

The scope of work for the Office of Internal Audit encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the organization’s risk management, internal controls, and governance processes, as designed and represented by management in a manner to ensure:

  • Risks are appropriately identified and managed.
  • Interaction with the various governance groups occurs as needed.
  • Significant financial, managerial, and operating information is accurate, reliable, and timely.
  • Operations are in compliance with policies, standards, procedures, and applicable laws and regulations.
  • Resources are acquired economically, used efficiently, and are adequately protected.
  • Programs, plans, and objectives are achieved.
  • Quality and continuous improvement are fostered in the organizations’ control process.
  • Significant legislative or regulatory issues impacting the organizations are recognized and addressed properly.

 

INDEPENDENCE

The Chief Audit Executive is appointed by the Board of Regents (BOR) and reports functionally to the Audit and Compliance Committee and administratively to the Executive Director of the BOR Office. All audit staff report directly to the CAE and as of July 1, 2021, are employees of the BOR Office. Audit activities and reports are communicated to the university presidents and the BOR. This reporting relationship promotes independence and provides adequate consideration of audit issues, recommendations, and management action plans.

 

The internal audit activity will remain free from interference by any element in the organization, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of the necessary independence as required by the International Standards for the Professional Practice of Internal Auditing. Any interference or scope limitation must be reported to the BOR for discussion and resolution.

 

The Chief Audit Executive and staff should have an impartial, unbiased attitude and avoid conflicts of interest, as well as be independent in fact and appearance.

 

ACCOUNTABILITY

The Chief Audit Executive shall be accountable to the Audit and Compliance Committee:

  • Report significant issues related to the processes for controlling the activities of the organizations and its affiliates, including potential improvements to those processes, and provide information concerning such issues through resolution.
  • Provide information periodically on the status and results of the annual audit plan and the sufficiency of internal audit resources.

 

RESPONSIBILITY

The Chief Audit Executive and staff  have the responsibility to:

  • Develop a flexible annual audit plan using appropriate risk-based methodology, including any risks or control concerns identified by management, and submit that plan to the BOR for review and approval.
  • Implement the annual audit plan, as approved, including, and as appropriate, any special tasks or projects requested by management and the BOR.
  • Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this Charter.
  • Establish a quality assurance program by which the Chief Audit Executive assures the operation of internal auditing activities.
  • Evaluate and assess new or changing services, processes, operations, and controls concurrent with their development, implementation, and/or expansion.
  • Perform consulting services, beyond internal auditing's assurance services, to assist management in meeting its objectives. Examples may include facilitation, process design, training, and advisory services.
  • Issue periodic reports to the BOR and management summarizing results of audit activities.
  • Inform the BOR of emerging trends and successful practices in internal auditing.
  • Provide a list of significant measurement goals and results to the BOR.
  • Assist in the investigation of significant suspected fraudulent activities within the organization and notify management and the BOR of the results.
  • Consider the scope of work of the external auditors and regulators, as appropriate, for the purpose of providing optimal audit coverage to the organization.

 

AUTHORITY

The Chief Audit Executive and staff are authorized to:

  • Have unrestricted access to all functions, records, property, and personnel.
  • Have full and free access to the BOR.
  • Allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish audit objectives.
  • Obtain the necessary assistance of personnel in units of the organization where they perform audits, as well as other specialized services from within or outside the organizations.

 

The Chief Audit Executive and staff are not authorized to:

  • Perform any operational duties for the organization or its affiliates.
  • Initiate or approve financial transactions external to Internal Audit.
  • Direct the activities of any organization employee not employed by Internal Audit, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the internal auditors.

 

LIMITATION OF AUTHORITY AND RESPONSIBILITY

In performing their functions, the Chief Audit Executive and staff have no direct authority over, or responsibility for, any of the activities reviewed. Internal auditors will not develop and implement procedures, prepare records, make management decisions, or engage in any other activity which could be reasonably construed to compromise their independence. Therefore, review and appraisal by the Office of Internal Audit does not in any way substitute for or relieve other persons in the Regent institutions of the responsibilities assigned to them.

 

STANDARDS OF AUDIT PRACTICE

Audit activities will be performed in accordance with the International Standards for the Professional Practice of Internal Auditing and the Code of Ethics of The Institute of Internal Auditors.