R567, Internal Audit Program

R567-1. Purpose: To establish policies and standards for internal audit departments within the Utah System of Higher Education (USHE).

R567-2. References

2.1. Utah Code §53B-6-102 (Standardized Systems Prescribed by the Board)

2.2. Utah Code §53B-7-101 (Financial Affairs Under the General Supervision of the Board)

2.3. Policy and Procedures R565, Audit Review Subcommittee

2.4. Policy and Procedure R120-3.3.2.7, Bylaws of the Board of Regents, Auditing Records

2.5. Utah Code §63I-5 (Utah Internal Audit Act)

2.6. Institute of Internal Auditors, International Standards for the Professional Practice of Internal Auditing (IIA Standards)

R567-3. Definitions

3.1. Audit Charter. “The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.”[2] The audit charter should grant appropriate access to data, information, records, and personnel needed to fulfill the internal audit activity’s purpose and responsibilities.

3.2. Institution Audit Committee: Institution audit committees provide functional oversight of the internal audit activities, as described in the Internal Audit Act[3], and in accordance with IIA Standards.[4] Boards of trustees shall establish audit committees in adherence to the Utah Internal Audit Act and R565, Audit Committees.

3.3. Internal Auditing: An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

3.2. Institution Internal Audit Activity: Any activity administered by the institution’s internal auditing organization. Each institution’s audit committee shall establish an audit charter, granting the internal audit unit authority to engage in audit activities.

3.3. Board of Regents Audit Director: The  audit director reports functionally to the Regent Audit Subcommittee and administratively to the Associate Commissioner for Finance, Facilities, and Research within the Office of the Commissioner. The audit director provides audit support to the Board of Regents and to institution audit activities.

R567-4. Policy

4.1. General Standards:  Internal audit activities shall comply with IIA Standards. Other professional standards (such as “Generally Accepted Auditing Standards” disseminated by the American Institute of Certified Public Accountants, or Government Auditing Standards published by the Comptroller General of the United States) may also apply to particular audit assignments, as determined by the institution’s audit committee or the Board of Regents.

4.2. Internal Audit Activities Required at All Institutions: The State Board of Regents requires each USHE institution to maintain an internal audit activity plan.

4.3. Internal Audit Activity Independence and Objectivity: Internal audit activities shall remain independent and objective. Institutions and internal auditors may foster independence by adhering to applicable standards, including:

4.3.1. Organizational Independence: Each institution should maintain organizational independence by establishing functional and administrative reporting relationships consistent with IIA Standards 1110 and 1111.

4.3.2. Internal Audit Activity Objectivity: Internal auditors shall adhere to standards of independence and objectivity outlined in IIA Standards 1100 and 1120.

4.3.3. Independence Impairment Disclosure: Internal auditors shall properly disclose impairments to independence, as required in IIA Standard 1130.

4.3.4. Role in Institution Operations: System and institution internal auditors shall not participate in institution management or operational responsibilities that would impair independence.

4.4. Institution Audits: In addition to audits required by policy, institution internal auditors shall conduct risk-based audits for their institutions, as assigned by the institution audit committee. Institution presidents and executive cabinet may also request audit activities.

4.5. Required Audits: Institution internal auditors shall annually conduct the following audits:

4.5.1. Presidential Travel (in accordance with R212-1.2)

4.5.2. Institutional Investments (in accordance with R541-11)

4.5.3. Auxiliary Enterprises (in accordance with R550-7.3)

4.6. Institution Risk Assessment: Internal auditors shall participate in institution risk assessments at least annually and report the results to the institution audit committee. Institution risks may include financial, operational, efficiency, fraud, compliance, internal control, information systems, data loss, reputation and political.

4.7. Institution Audit Communication: Upon completion of internal audit activities, institution auditors shall communicate the results to the institution audit committee.

4.8. Communication with Institution Management: The chief audit executive shall meet with the institution president at least annually to review completed audits, institution responses, and other pertinent issues.

4.9. Audit Committee Responsibilities: The audit committee shall adhere to responsibilities established in the Utah Internal Audit Act and R565, Audit Committees.

4.10. Coordination of System-Wide Audits: Under the direction of the Regent Audit Subcommittee, the Commissioner of Higher Education and institution presidents shall coordinate assignments to conduct system-wide internal audits.

4.11. Special Audits Directed by the Commissioner: Under the direction of the Regent Audit Subcommittee, the Commissioner may schedule and conduct an audit at an institution, separately or in cooperation with a resident chief audit executive. (See State Board of Regents Bylaw R120-3.3.2.7.)

4.12. Audit Notification: The institution’s vice president of finance or chief audit executive shall promptly notify the Board of Regents audit director regarding apparent fraud or misconduct with any of the following attributes:

4.12.1. significant embezzlement, theft, or other fraud;

4.12.2. concerns that may damage an institution’s reputation;

4.12.3. apparent misuse of institutional resources of at least $25,000;

4.12.4. issues that may be covered by the media; or

4.12.5. any other issue that requires attention from the Board of Regents or the Commissioner.

Adopted April 24, 1973, amended May 29, 1973, June 26, 1973, November 27, 1973, January 28, 1975 and April 22, 1975; replaced January 17, 1992, amended April 17, 1992, March 18, 2005, March 31, 2017, and November 16, 2018.

[2] IIA Standards, 1000: Purpose, Authority, and Responsibility.

[3] See Utah Code 63I-5-301(3).

[4] IIA Standard 1110.