About

The mission of Indiana University Internal Audit (Internal Audit) is to provide independent and objective assurance and consulting services for Indiana University (IU or the University) including IU management (Management) and the Board of Trustees of Indiana University (the Board). Internal Audit assists the University in accomplishing its mission and priorities by bringing a systematic, disciplined, and value-added approach to evaluate and improve the effectiveness of the University’s governance structures, risk management processes, and internal controls by providing independent appraisals of the University’s financial, operational, information technology, and control activities.

The core values by which Internal Audit will seek to achieve its mission and support the University’s mission and principles of excellence include:

• Professional Service: Internal Audit will provide timely, high-quality, value-added service in a manner that fosters collaboration and treats clients and colleagues with respect.
• Compliance: Internal Audit will adhere to all applicable laws and regulations, comply with the Institute of Internal Auditors (IIA) standards and code of ethics, and comply with all IU policies.
• Integrity: Internal Audit will always strive to do the right thing for the right reason; communicate in an honest, direct, and transparent manner; be accountable, trustworthy, and engaged team members; and earn and maintain the trust of the university community.
• Excellence: Internal Audit will demonstrate a commitment to professional excellence, maintain high professional standards through continuing professional development, be a results-focused organization, and exercise initiative in providing solutions and generating insights for our clients.
• Intentionality: Internal Audit will be intentional about our work by planning, analyzing, evaluating, measuring, deliberating, adjusting, and then moving forward. Internal Audit will be intentional about our people by mentoring, training, developing, and encouraging personal and professional growth.

The internal audit activity is established by the Finance and Audit Committee of the Board. Internal Audit responsibilities are defined by the Board as part of their oversight role.

Internal Audit, with strict accountability for confidentiality and safeguarding records and information, is authorized full, free, and unrestricted access to any and all of the University’s information, records, systems, physical properties, and personnel pertinent to carrying out any engagement. All relevant University employees are required to assist Internal Audit in fulfilling its roles and responsibilities. Internal Audit will also have free and unrestricted access to senior management and the Board.

Internal Audit will govern itself by adherence to The Institute of Internal Auditors’ mandatory guidance, including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity’s performance. In addition, Internal Audit will adhere to the University’s relevant policies and procedures as well as Internal Audit’s standard operating procedures.

The Associate Vice President and Chief Audit Officer (CAO) will report functionally to the Board and administratively (i.e. day to day operations) to the Vice President & General Counsel. The Board will:

1. Approve the internal audit charter.
2. Review the risk-based internal audit plan and the internal audit budget and resource plan.
3. Receive communications from the CAO on IU Internal Audit’s performance relative to its plan and other matters.
4. Approve decisions regarding the appointment and removal of the CAO.
5. Make appropriate inquiries of management and the CAO to determine whether there are inappropriate scope or resource limitations.

The CAO will communicate and interact directly with the Board, including in executive sessions and between Board meetings as appropriate.

Internal Audit will remain free to conduct assurance and consulting services, including matters of audit selection, scope, procedures, frequency, timing, or report content, in a manner that maintains an independent and objective mental attitude.

Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, approve policies, develop procedures, install systems, prepare records, or engage in any other activity that may impair an internal auditor’s judgment.

Internal auditors will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors will make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.

The CAO will confirm to the Board, at least annually, the organizational independence of the internal audit activity.

The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the organization's governance, risk management, and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve the organization’s stated goals and objectives. This includes:

1. Evaluating risk exposure relating to achievement of the University’s strategic objectives.
2. Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
3. Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the University.
4. Evaluating the means of safeguarding University assets and, as appropriate, verifying the existence of such assets.
5. Evaluating the effectiveness and efficiency with which resources are employed.
6. Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals.
7. Evaluating governance processes.
8. Evaluating the effectiveness of the risk management processes.
9. Reporting periodically on Internal Audit’s purpose, authority, responsibility, and performance relative to its plan.
10. Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the Board.
11. Investigating reports of fiscal misconduct and fraud that are submitted through the University’s whistleblower hotline or other sources.

At least annually, the CAO will submit to the University President and the Board an internal audit plan for review and approval. The internal audit plan will consist of a work schedule as well as budget and resource requirements for the next fiscal year. The CAO will communicate the impact of resource limitations and significant interim changes to senior management and the Board.

The internal audit plan will be developed based on a prioritization of the audit universe using a risk-based methodology, including input of senior management and the Board. The CAO will review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, senior leadership, and controls. Any significant deviation from the approved internal audit plan will be communicated to senior management and the Board through periodic activity reports.

Assurance engagements involve the auditors' objective assessment of evidence to provide an independent opinion or conclusions regarding internal controls and compliance with a process, system, or other subject matter. Types of assurance engagements include Operations and Financial Audits, IT/Cybersecurity Audits, and Compliance Audits. These engagements are reported to the client/stakeholders, the President and the Board of Trustees.

Advisory Service engagements are usually requested by management. The scope and objectives of advisory engagements are typically identified by the client. Results of advisory engagements are generally shared with the client only. However, if a high-risk finding is identified during the engagement, the CAO must determine if the finding is material enough to report to other university stakeholders, the President, and/or the Board of Trustees.

A written report will be prepared and issued by the CAO or designee following the conclusion of each internal audit engagement and will be distributed as appropriate. Internal Audit results will also be communicated to the Board. The internal audit report will include client/management’s response and action plans taken or to be taken in regard to the specific findings and recommendations. Management's response should include a timetable for the anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented.

Internal Audit will be responsible for appropriate follow-up on engagement findings and recommendations. All significant findings will remain in an open status until cleared.

The CAO will periodically report to senior management and the Board on Internal Audit’s performance relative to its plan. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the Board. The CAO will also report on instances of fraud or fiscal misconduct that may have a material financial, compliance, or reputational impact on the University.

IU Internal Audit will maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program will include an evaluation of the internal audit activity's conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement.

The CAO will communicate to the Vice President & General Counsel and the Board on the quality assurance and improvement program, including results of ongoing internal assessments and external assessments conducted at least every five years.