Audit Charter - Introduction
The Internal Audit Department’s primary role is to serve Northeastern University’s Board of Trustees and management in the identification, evaluation, and mitigation of risk. To serve this role, Internal Audit assists management in identifying risks and controls in financial, operational and information technology area; develops internal audit plans and conducts control testing in specific areas of risk; and identifies process improvement opportunities. Internal Audit is an independent, objective assurance and consulting activity designed to add value and improve the University’s operations. Internal Audit helps the University to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, internal controls, and governance processes.
Internal Audit supports the University’s strategic objectives by ensuring that resources are used effectively and efficiently and comply with established policies and procedures. The extent of Internal Audit Department’s efforts is to examine, evaluate, and, recommend improvements to the internal control system established throughout the University. Internal controls encompass the policies, procedures, people, activities, and information systems through which colleges, schools, centers and departments ensure:
- accuracy, authorization, completeness and timeliness of information;
- security and privacy of data;
- integrity of data;
- safeguarding of assets;
- compliance with federal and state laws and regulations; and
- adherence to University policies and procedures.
To promote an ethical culture in the profession of internal auditing, Northeastern University’s Internal Audit department follows the Institute of Internal Audit’s Code of Ethics. The Code of Ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about risk management, control, and governance. By upholding high ethical standards and promoting good business conduct, Internal Audit is a valuable resource to management by ensuring that financial, operational, and system controls are adequate and effective.
Scope of Work
To assess the University’s control environment, Internal Audit performs:
financial reviews to provide an assessment of internal controls over financial reporting including controls over revenue and expenditure processes;
compliance reviews to ensure University departments and operations adhere to applicable regulations, and to determine that University policies exist to support compliance with regulations;
operational reviews to provide an assessment of processes, systems, operations and strategies to ensure adherence with internal controls, and to determine that adequate policies and procedures exist to support operations;
information technology reviews to provide an assessment of the University’s information technology organization including controls over program development, change control, applications, system security, databases, logical security, and physical security as they relate to the University’s business activities; and
consulting engagements, beyond Internal Audit’s assurance services, to assist management in meeting its objectives. Examples may include facilitation, process design, training, and advisory services.
The Director of Internal Audit shall be accountable to management and the audit committee to:
- Provide a continuous assessment of the adequacy and effectiveness of processes for controlling activities and managing risks in the areas set forth under the charter and scope of work.
- Report issues related to internal control weaknesses identified in organizational processes, including potential improvements to those processes, and provide information concerning such issues through resolution.
- Provide information periodically on the status and results of the annual audit plan and the sufficiency of department resources.
The scope of audit coverage is enterprise-wide and no function, activity, or unit of the University is exempt from audit and review. To provide for the independence of the internal auditing department, the Internal Audit department has a dual reporting relationship. The Director of Internal Audit reports administratively to a member of the Senior Leadership Team and reports to the Chair of the Audit Committee.
The Internal Audit department is authorized to:
- Have unrestricted access to all activities, documents, records, systems, facilities, and personnel as necessary to fulfill its objectives. Information will be maintained with appropriate confidentiality.
- Have full and free access to the audit committee.
- Allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish audit objectives.
- Obtain the necessary assistance of personnel in units of the organization where they perform audits, as well as other specialized services from within or outside the organization.
From time to time, Internal Audit is asked to participate in management committees or project teams. Internal Audit is not a management decision-making function. Decisions to adopt or implement recommendations made as a result of an internal audit advisory service should be made by management. Therefore, internal audit objectivity should not be impaired by the decisions made by management.
Internal Audit may also be requested to facilitate consulting engagements as requested by the board or management. Consulting engagements may produce a formal report for management. The formal report may include analytical details, and recommendations to management and/or the board. Management is not required to implement Internal Audit’s recommendations. If control risks are identified during a consulting engagement, then Internal Audit is responsible to report the issues to management and the board.