Subject: Internal Audit
The internal audit function contributes to the improvement of the institution's operations by providing objective and relevant assurance regarding risk management, control and governance processes to management and the Board. Management is responsible for evaluating the institution's risks and establishing and maintaining adequate controls and processes. To provide relevant information, the internal audit activity will consider the goals of the institution, management's risk assessments and other input from management in determining its risk-based audit activities.
This policy addresses staffing, responsibilities of the internal audit function, audit planning and reporting on internal audit activities. In addition to this policy, the Office of System-wide Internal Audit maintains an audit manual. The purpose of the audit manual is to provide for consistency, continuity, and standards of acceptable performance.
Internal Audit Standards
Each internal audit function shall adhere to The Institute of Internal Auditors' (IIA) International Standards for the Professional Practice of Internal Auditing and Code of Ethics (T.C.A. § 4-3-304(9)). The Institute of Internal Auditors, International Professional Practices Framework (IPPF), incorporates the definition of internal auditing, the International Standards for the Professional Practice of Internal Auditing and Code of Ethics into one document. It includes the following definition of internal auditing:
Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Risk is the possibility of an event occurring that will have an impact on the achievement of an institution's goals and objectives. Risk is measured in terms of the impact an event may have and the likelihood that the event will occur. To optimize the achievement of the institution's goals and objectives, the Board and management acts to minimize the related risks by implementing reasonable procedures to control and monitor the risks.
Governance processes is the combination of processes and structures implemented by the Board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives. Examples of such processes include the organizational structure within an institution or a department; policies, guidelines and procedures instituted by the Board or management to direct and control a particular activity such as maintenance fees or hiring practices; and preparation and review procedures for preparing reports such as annual financial statements or federal grant or financial aid reports.
The IPPF includes attribute standards, which address the expected characteristics of organizations and individuals performing internal audit activities and performance standards, which describe the nature of internal audit activites and establish criteria to evaluate the performance of internal audit activities.
To assure compliance with the IIA Standards, internal audit offices must implement and maintain a quality assurance and improvement program that incorporates both internal and external review activities. Internal reviews include both ongoing and periodic review activities. External reviews must be performed at least every five years by a qualified, independent reviewer. Results of quality assurance reviews will be communicated to the Audit Committee and management.
Internal Audit Personnel
1. Each university shall employ at least two individuals with full-time responsibility as internal auditors. Additional internal audit staff shall depend upon institutional size and structure. Two-year institutions shall employ at least one full-time internal auditor or have an approved agreement with a university or other two-year institution to provide required audit services. Titles of internal audit staff shall be consistent within the overall institutional structure.
2. Internal audit staff must possess the professional credentials, knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit function collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities. The campus Internal Audit Director and the Director of System-wide Internal Audit must be licensed as a Certified Public Accountant or a Certified Internal Auditor, maintain an active license and annually complete sufficient, relevant continuing professional education to satisfy the requirements for the professional certification held. Other system auditors should annually complete sufficient, relevant continuing professional education to satisfy the requirements for their related professional certification or, at a minimum, forty hours of relevant continuing professional education. Internal Audit Directors should communicate concerns to management regarding the lack of sufficient resources to complete the objectives of an engagement or the audit plan. Such resources may include the need for additional personnel or personnel with specialized knowledge, such as those with knowledge of fraud, information technology or other technical areas.
3. The appointment of campus Internal Audit Directors as recommended by the President is subject to approval by the Chancellor or designee (T.C.A. §.49-14-106). The appointment of the Director of System-wide Internal Audit is subject to review and approval by the Audit Committee of the Board of Regents (T.C.A. §.49-14-102).
4. Compensation of the internal auditors is subject to review by the Audit Committee of the Board of Regents. Compensation of the Director of System-wide Internal Audit and the central office internal auditors is subject to review and approval by the Audit Committee of the Board of Regents.
5. The termination or change of status of campus Internal Auditor Directors (T.C.A. § 49-14-106) requires the prior approval of the Chancellor and the Audit Committee of the Board of Regents. The termination or change of status of the Director of System-wide Internal Audit (T.C.A. §.49-14-102) or central office internal auditors requires the prior approval of the Audit Committee of the Board of Regents.
Internal Audit Role and Scope
1. In accordance with T.C.A. § 49-14-102, the Director of System-wide Internal Audit reports directly to the Audit Committee and the Tennessee Board of Regents. Campus internal auditors report to the respective campus President with audit reporting responsibility to the Audit Committee and the Board through the Director of System-wide Internal Audit. This reporting structure assures the independence of the internal audit function.
2. The TBR, Office of System-wide Internal Audit, hosts periodic meetings and communicates with the audit directors on matters of mutual interests.
3. The Office of System-wide Internal Audit maintains an internal audit manual to guide the internal audit activity in a consistent and professional manner at each institution.
4. The internal auditors’ responsibilities include:
a. Working with management to assess institutional risks and developing an audit plan that considers the results of the risk assessment.
b. Evaluating institutional controls to determine their effectiveness and efficiency.
c. Coordinating work with external auditors, program reviewers, and consultants.
d. Determining the level of compliance with internal policies and procedures, state and federal laws, and government regulations.
e. Testing the timeliness, reliability, and usefulness of institutional records and reports.
f. Recommending improvements to controls, operations, and risk mitigation resolutions.
g. Assisting the institution with its strategic planning process to include a complete cycle of review of goals and values.
h. Evaluating program performance.
i. Performing consulting services and special requests as directed by the Audit Committee, the Chancellor, or the institution’s President.
5. The scope of internal auditing extends to all aspects of institutional operations and beyond fiscal boundaries. The internal auditor shall have access to all records, personnel, and physical properties relative to the performance of duties and responsibilities.
6. The scope of a particular internal audit activity may be as broad or as restricted as required to meet management needs.
7. Objectivity is essential to the internal audit function. Therefore, internal audit personnel should not be involved in the development and installation of systems and procedures, preparation of records, or any other activities that the internal audit staff may review or appraise. However, internal audit personnel may be consulted on the adequacy of controls incorporated into new systems and procedures or on revisions to existing systems.
8. Management is responsible for identifying, evaluating, and responding to potential risks that may impact the achievement of the institution’s objectives. Auditors continually evaluate the risk management, internal control, and governance processes. To facilitate these responsibilities, Internal Audit will receive notices or copies of external audit reviews, program reviews, fiscally related consulting reports, cash shortages, physical property losses, and employee misconduct.
1. Internal Audit shall develop an annual audit plan using an approved risk assessment methodology.
2. At the beginning of each fiscal year, after consultation with the Chancellor or President and other institution management, the Internal Audit Director will prepare an annual plan listing proposed areas to be audited. The audit work plan must be flexible to respond to immediate requests. The institutional Internal Audit Director will submit an electronic copy of the audit plan for review by the Director of System-wide Internal Audit and the Audit Committee. The Director of System-wide Internal Audit will prepare an annual system-wide internal audit plan for approval by the Audit Committee. Once approved by the Audit Committee, audit plans for all institutions will be submitted to the Comptroller's Office, Division of State Audit.
3. The status of the past year's plan will also be prepared in an annual activity report that should include all significant audit services performed. The Internal Audit Director will submit an electronic copy of the annual activity report for review by the Director of System-wide Internal Audit and the Audit Committee. Once reviewed by the Audit Committee, annual audit activity reports for all institutions will be submitted to the Comptroller's Office, Division of State Audit.
1. Audit engagements will be planned to provide relevant results to management and the Audit Committee regarding the effectiveness and efficiency of processes and controls over operations. To ensure management's expectations are met, auditors will communicate with management regarding the objectives and scope of the engagement.
2. In planning and during the engagement, auditors should consider and be alert to risks that affect the institution's goals and objectives, operations and resources. Auditors should consider risks based on the operations under review, which include but are not limited to the risk of financial misstatements, noncompliance and fraud.
3. An audit work program will be disigned to achieve the objectives of the engagement and will include the steps necessary to identify, analyze, evaluate and document the information gathered and the conclusions reached during the engagement.
4. Working papers that are created, obtained or compiled by an internal audit staff are confidential and are not an open record (T.C.A. § 4-4-304(9)).
Communicating Audit Results
1. A written report that documents the objectives, scope, conclusions, and recommendations of the audit will be prepared for audit engagements providing assurance to the Board and management. Management will include corrective action for each reported finding.
2. Internal Audit will perform audits to follow-up on findings included in internal audit reports, investigation reports and State Audit reports. A written report will be prepared and for any findings that have not been corrected, management will be asked to include a revised corrective action plan. The Chancellor or institution’s President, along with the Audit Committee, will be notified at the conclusion of a follow-up audit if management has not corrected the reported finding.
3. A written report that documents the objectives, scope, conclusions and recommendations will be prepared for investigations resulting from allegations or identification of fraud, waste or abuse. As appropriate in the circumstances, management will include corrective action for each reported finding. In a case where allegations are not substantiated by the review and there are no other operational concerns to report to management regarding the review, the case may be closed by writing a memo to the working paper file documenting the reasons for closing the case.
4. Reports on special studies, consulting services, and other non-routine items should be prepared as appropriate, given the nature of the assignment.
5. All internal audit reports will be signed by the institution's Internal Audit Director and transmitted directly to the Chancellor, President, or TTC Director in a timely manner.
6. The Internal Audit Director will transmit an electronic copy of the internal audit report to the Director of System-wide Internal Audit.
7 .The Director of System-wide Internal Audit will present significant results of internal audit reports to the Audit Committee quarterly.
8. The Director of System-wide Internal Audit will provide a copy of each report to the Comptroller's Office, Division of State Audit.
Any exceptions to the policy established herein shall be subject to the approval of the Director of System-wide Internal Audit and the Audit Committee.
Source: June 3, 1981 TBR Presidents’ Meeting; July 1, 1984; May 20, 1986; February 14, 1989; November 14, 1989; August 13, 2002; February 10, 2004; November 18, 2004; Changed from Guideline B-050 at TBR Board Meeting, June 29, 2007; TBR Board Meeting, December 6, 2007; TBR Board Meeting, December 8, 2011.