Internal Audit Charter
Purpose
The purpose of the internal audit function is to strengthen Penn State University’s ability to create, protect, and sustain value by providing the Committee on Audit and Risk of the Board of Trustees (Committee on Audit and Risk) and management with independent, risk-based, and objective assurance, advice, insight, and foresight.
The internal audit function enhances Penn State University’s:
- Successful achievement of its objectives.
- Governance, risk management, and control processes.
- Decision-making and oversight.
- Reputation and credibility with its stakeholders.
- Ability to serve the public interest.
Penn State University’s internal audit function is most effective when:
- Internal auditing is performed by competent professionals in conformance with The IIA’s Global Internal Audit Standards, which are set in the public interest.
- The internal audit function is independently positioned with direct accountability to the Committee on Audit and Risk.
- Internal auditors are free from undue influence and committed to making objective assessments.
Commitment to Adhering to the Global Internal Audit Standards
Penn State University’s internal audit function will adhere to the mandatory elements of The Institute of Internal Auditors' International Professional Practices Framework, which are the Global Internal Audit Standards and Topical Requirements. The Director will report annually to the Committee on Audit and Risk regarding the internal audit function’s conformance with the Standards, which is assessed through a quality assurance and improvement program.
Mandate
Authority
The internal audit function’s authority is created by its direct functional reporting relationship to the Chair of the Committee on Audit and Risk. Such authority allows for unrestricted access to the Committee on Audit and Risk.
The Committee on Audit and Risk authorizes the internal audit function to:
- Have full and unrestricted access to all functions, data, records, information, physical property, and personnel pertinent to carrying out internal audit responsibilities. Internal auditors are accountable for confidentiality and safeguarding records and information.
- Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques, and issue communications to accomplish the function’s objectives.
- Obtain assistance from the necessary personnel of Penn State University and other specialized services from within or outside Penn State University to complete internal audit services.
Independence, Organizational Position, and Reporting Relationships
The Director of Internal Audit (Director) will be positioned at a level in the organization that enables internal audit services and responsibilities to be performed without interference from management, thereby establishing the independence of the internal audit function. (See “Mandate” section.) The Director reports functionally to the Chair of the Committee on Audit and Risk and administratively (for example, day-to-day operations) to the Senior Vice President for Finance & Business/Treasurer. In addition, the Director has direct and full access to the President of the University as necessary. This positioning provides the organizational authority and status to bring matters directly to senior management and escalate matters to the Committee on Audit and Risk, when necessary, without interference and supports the internal auditors’ ability to maintain objectivity.
The Director will confirm to the Committee on Audit and Risk, at least annually, the organizational independence of the internal audit function. The Director will disclose to the Committee on Audit and Risk any interference internal auditors encounter related to the scope, performance, or communication of internal audit work and results.
Committee on Audit and Risk Oversight
To establish, maintain, and ensure that Penn State University’s internal audit function has sufficient authority to fulfill its duties, the Committee on Audit and Risk will:
- Discuss with the Director and senior management the appropriate authority, role, responsibilities, scope, and services (assurance and/or advisory) of the internal audit function.
- Ensure the Director has unrestricted access to and communicates and interacts directly with the Committee on Audit and Risk, including in private meetings without senior management present in accordance with laws and/or regulations set by the Commonwealth of Pennsylvania.
- Approve the internal audit function’s charter, which includes the internal audit mandate and the scope and types of internal audit services.
- Annually review the internal audit charter with the Director to consider changes affecting the organization, or changes in the type, severity, and interdependencies of risks to the organization; and approve the internal audit charter.
- Approve the risk-based internal audit plan.
- Receive input from the Director as to the adequacy and fulfillment of the internal audit function’s budget and staffing needs.
- Provide input to and receive feedback from senior management on the Director’s performance as requested.
- Receive communications from the Director about the internal audit function including its performance relative to its plan.
- Ensure a quality assurance and improvement program has been established and review the results annually.
- Make appropriate inquiries of senior management and the Director to determine whether scope or resource limitations are inappropriate.
Director Roles and Responsibilities
Ethics and Professionalism
The Director will ensure that internal auditors:
- Conform with the Global Internal Audit Standards, including the principles of Ethics and Professionalism: integrity, objectivity, competency, due professional care, and confidentiality.
- Understand, respect, meet, and contribute to the legitimate and ethical expectations of the organization and be able to recognize conduct that is contrary to those expectations.
- Encourage and promote an ethics-based culture in the organization.
- Report organizational behavior that is inconsistent with the organization’s ethical expectations, as described in applicable policies and procedures.
Objectivity
The Director will ensure that the internal audit function remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of engagement selection, scope, procedures, frequency, timing, and communication. If the Director determines that objectivity may be impaired in fact or appearance, the details of the impairment will be disclosed to appropriate parties.
Managing the Internal Audit Function
The Director has the responsibility to:
- At least annually, develop a risk-based internal audit plan that considers the input of the Committee on Audit and Risk and senior management. Discuss the plan with the Committee on Audit and Risk and senior management and submit the plan to the Committee on Audit and Risk for review and approval.
- Communicate the impact of resource limitations on the internal audit plan to the Committee on Audit and Risk and senior management.
- Review and adjust the internal audit plan, as necessary, in response to changes in Penn State University’s business, risks, operations, programs, systems, and controls.
- Communicate with the Committee on Audit and Risk and senior management if there are significant interim changes to the internal audit plan.
- Ensure internal audit engagements are performed, documented, and communicated in accordance with the Global Internal Audit Standards and applicable laws and/or regulations.
- Follow up on engagement findings and confirm the implementation of recommendations or action plans and communicate the results of internal audit services to the Committee on Audit and Risk and senior management during each meeting of the Committee.
- Ensure the internal audit function collectively possesses or obtains the knowledge, skills, and other competencies and qualifications needed to meet the requirements of the Global Internal Audit Standards and fulfill the internal audit mandate.
- Identify and consider trends and emerging issues that could impact Penn State University and communicate to the Committee on Audit and Risk and senior management as appropriate.
- Consider emerging trends and successful practices in internal auditing.
- Establish and ensure adherence to methodologies designed to guide the internal audit function.
- Ensure adherence to Penn State University’s relevant policies and procedures unless such policies and procedures conflict with the internal audit charter or the Global Internal Audit Standards. Any such conflicts will be resolved or documented and communicated to the Committee on Audit and Risk and senior management.
- Coordinate activities and consider relying upon the work of other internal and external providers of assurance and advisory services. If the Director cannot achieve an appropriate level of coordination, the issue must be communicated to senior management and, if necessary, escalated to the Committee on Audit and Risk.
Communication with the Committee on Audit and Risk and Senior Management
The Director will, annually, during the first meeting following the start of the academic calendar year, report to the Committee on Audit and Risk and senior management regarding:
- The internal audit function’s mandate.
- The internal audit plan and performance relative to its plan.
- Internal audit budget.
- Resource requirements.
- Potential impairments to independence, including relevant disclosures as applicable.
- Results from the quality assurance and improvement program, which include the internal audit function’s conformance with The IIA’s Global Internal Audit Standards and action plans to address the internal audit function’s deficiencies and opportunities for improvement.
During meetings throughout the year, the Director will provide regular status updates including, but not limited to:
- Significant risk exposures and control issues, including fraud risks, governance issues, and other areas of focus for the Committee on Audit and Risk that could interfere with the achievement of Penn State University’s strategic objectives.
- Results of assurance and advisory services.
- Management’s responses to risk that the internal audit function determines may be unacceptable or acceptance of a risk that is beyond Penn State University’s risk appetite.
Quality Assurance and Improvement Program
The Director will develop, implement, and maintain a quality assurance and improvement program that covers all aspects of the internal audit function. The program will include external and internal assessments of the internal audit function’s conformance with the Global Internal Audit Standards, as well as performance measurement to assess the internal audit function’s progress toward the achievement of its objectives and promotion of continuous improvement.
Scope and Types of Internal Audit Services
The scope of internal audit services covers the entire breadth of the organization, including all of Penn State University’s activities, assets, and personnel in both an assurance and advisory capacity. The nature and scope of advisory services may be agreed with the party requesting the service, provided the internal audit function does not assume management responsibility including both assurance and advisory services.
Internal audit engagements may include evaluating whether:
- Risks relating to the achievement of Penn State University’s strategic objectives are appropriately identified and managed.
- The actions of Penn State University’s officers, directors, management, employees, and contractors or other relevant parties comply with Penn State University’s policies, procedures, and applicable laws, regulations, and governance standards.
- The results of operations and programs are consistent with established goals and objectives.
- Operations and programs are being carried out effectively, efficiently and ethically.
- Established processes and systems enable compliance with the policies, procedures, laws, and regulations that could significantly impact Penn State University.
- The integrity of information and the means used to identify, measure, analyze, classify, and report such information are reliable.
- Resources and assets are acquired economically, used efficiently and sustainably, and protected adequately.
- Reports received from the University’s Ethics and Compliance Hotline or other investigations of allegations of financial and operational misconduct are substantiated, then determine and transmit the appropriate response.
- The design, development and/or implementation of new information systems or business processes have had the appropriate risks addressed and design of controls is adequate for implementation.