The Institutional Compliance & Internal Audit Department (the Department) serves as an independent and objective internal resource that shall be used to examine and evaluate the University of Denver (University) activities as an assurance and consulting service to the Board of Trustees and management.
The Department assists the University with fulfilling its vision, values, mission and goals while embodying the commitment to improvement and betterment of the University.
The Department will use a systematic, disciplined approach to evaluate and improve enterprise-wide risk management, internal control processes, governance and operations.
Statement of Policy
The Department was established by a motion that was duly passed by the Board of Trustees at its April 20, 2002 meeting. The Department Charter was most recently approved by the Audit Committee of the Board of Trustees at its April 12, 2012 meeting.
The Director of Institutional Compliance & Internal Audit (the Director) will update and revise the charter as necessary and present it to the Audit Committee of the Board of Trustees (the Audit Committee) for approval.
The Department shall be free from conditions that threaten the ability of the Department to carry out internal audit and compliance responsibilities (e.g., scoping an audit, reporting audit or compliance monitoring results) in an unbiased manner. To ensure organizational independence, the Director shall report functionally to the Audit Committee and administratively to the Chancellor. Functional reporting includes: review and approval of the Department Charter, internal audit plan, compliance monitoring plan, and annual risk assessment; and approval of all decisions regarding performance evaluation, appointment or removal of the Director, annual compensation, and salary adjustments of the Director. Administrative reporting includes: budgeting and management accounting; human resource administration (e.g., execution of performance evaluations, compensation); internal communications and information flow; and administration of the Department's policies and procedures.
The Director shall have direct access to the Chancellor and the Audit Committee should matters of immediate significance arise that require their attention. At least annually, the Director shall report to the Chancellor and the Audit Committee on the organizational independence of the internal audit and compliance activity. If, at any time, independence is impaired in fact or appearance, the Director shall promptly disclose the details of the impairment to the Chancellor and the Audit Committee.
All employees of the Department shall perform their work with proficiency, due professional care and objectivity (an impartial, unbiased attitude and avoidance of conflicts of interest).
Department employees shall not provide assurance services for a process for which they had responsibility within the previous year. A party outside the Department must oversee audits over functions for which the Director previously had responsibility.
The Department has no direct authority over or responsibility for any system, procedure or activity reviewed. The Department shall take an advisory role in the formulation of policy and procedures and development of new systems and processes, but all final decisions and implementation are the responsibility of the appropriate manager or project sponsor.
If a conflict of interest arises that restricts the employee from fulfilling their duties impartially, the impairment shall be reported to the Director immediately.
The internal audit and compliance monitoring scope is enterprise-wide and no function, activity, department, or unit of the University is exempt from audit and review. Consistent with all applicable laws, the staff of the Department has full, free and unrestricted access to records (manual or automated), physical property and personnel of the University that are deemed pertinent to completing an audit or compliance review. The staff will prudently maintain sensitive information and documents as strictly confidential.
The Director is authorized to allocate Department resources and budget, establish frequencies, determine scopes of work, and apply appropriate techniques required to accomplish the Department’s objectives and internal audit plan, as approved by the Audit Committee. If staff and the Director lack the knowledge, skills, or other competencies needed to perform all or part of the audit, the Director shall present a recommendation to the Chairperson of the Audit Committee for approval before contracting with an outside party.
Responsibilities Related to Internal Audit
The Department shall conduct audits of the University based upon an annual audit plan, which the Director shall develop and present to the Chancellor and Audit Committee for approval. The scope of internal audit encompasses the examination and evaluation of the adequacy and effectiveness of the University’s governance, risk management process, system of internal control structure, operational efficiency and the quality of performance in carrying out assigned responsibilities to achieve the University’s stated goals and objectives. Specific Department responsibilities include the following:
- Evaluate risk exposures and the adequacy and effectiveness of controls in responding to risks within the University’s governance, operations, and information systems regarding the:
  - Reliability and integrity of financial and operational information;
  - Effectiveness and efficiency of operations;
  - Safeguarding of assets; and
  - Compliance with laws, regulations, and contracts.
- Assist with maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
- Ascertain the extent to which operating and program goals and objectives have been established and conform to those of the University.
- Review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.
- Evaluate the potential for the occurrence of fraud and how the University manages fraud risk.
- Evaluate the design, implementation, and effectiveness of the University’s ethics-related objectives, programs, and activities.
- Assess whether the information technology governance, and the reliability, integrity, and security of information systems, sustain and support the University’s strategies and objectives.
- Review specific operations/processes, as requested by management or the Audit Committee, with the approval of the Chancellor and Chairperson of the Audit Committee.
- Assess whether University risk management processes are effective and relevant risk information is communicated timely across the University, enabling staff, management, and the Board of Trustees to carry out their responsibilities.
- Identify opportunities for cost savings and recommend improvements where applicable.
- Determine whether allocated funds are used efficiently in accordance with the intended purpose.
- Coordinate with the external auditor to ensure the internal and external audit plans do not contain overlap or gaps in the identification and mitigation of key risks.
- Establish a follow-up process to monitor and ensure that management actions have been effectively implemented for audit issues reported by the Department and by external auditors.
- Maintain complete and organized engagement workpapers and files in accordance with the University’s records retention policy.
Responsibilities Related to Institutional Compliance
Compliance at the University of Denver is impacted by the actions of all employees, and efforts to ensure compliance are conducted within different areas of the organization. Institutional Compliance shall be responsible for monitoring compliance with regulations and other requirements, including assessing functions and controls as well as reporting to management concerning their condition. The Department works closely with the Executive Risk and Compliance Committee, University Counsel, and other departments to fulfill its responsibilities. Specific Department responsibilities include the following:
- Review and assess the adequacy of compliance activities throughout the organization.
- Promote compliance awareness by disseminating information to appropriate constituencies across the organization, including communicating news and information on emerging compliance issues.
- Serve as a resource in developing or improving compliance-related processes, including providing information and guidance in the design of compliance programs.
- Provide compliance advisory services to management.
- Maintain awareness of high-risk compliance areas and associated programs.
- Liaise with Internal Audit to avoid duplication of effort in monitoring the effectiveness of internal controls.
- Conduct follow-up assessments to determine effectiveness of remedial actions implemented in response to identified deficiencies in compliance.
- Manage the employee hotline and investigate concerns from the hotline as appropriate.
- Complete an annual Conflict of Commitment and Interest assessment.
- Execute investigations, consulting services and compliance oversight based on standards outlined in the Code of Professional Ethics for Compliance and Ethics Professionals.
A written report shall be approved and issued by the Director at the conclusion of each audit and shall be distributed as appropriate. At each Audit Committee meeting, the Director will report to the Audit Committee on the Department's purpose, authority, responsibility, and performance relative to its plan, resource requirements, significant interim changes to its plan, significant risk exposures and control issues, audit results, status of open audit issues, and other matters needed or requested by senior management and the Audit Committee.
Quality Assurance Assessments
The Director shall perform on-going monitoring of the performance of the Department, and periodically perform an assessment of the Department's conformance with the Definition of Internal Auditing, the Code of Ethics, and the Institute of Internal Auditors' (IIA) International Standards for the Professional Practice of Internal Auditing (Standards). At least once every five years, the Audit Committee and Director may engage an independent reviewer from outside the University to evaluate the Department's conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The results of the assessments shall be communicated to the Chancellor and the Audit Committee.
Professional Standards and Ethics
The Department shall govern itself by adherence to the IIA Code of Ethics and the Code of Professional Ethics for Compliance and Ethics Professionals. The IIA Standards shall constitute the operating procedures for the Department. The IIA Practice Advisories shall be utilized as applicable. The Department will adhere to the University’s policies and procedures.