Internal Audit Services Charter

Purpose

The purpose of the internal audit function is to strengthen Utah State University’s ability to create, protect, and sustain value by providing the Board of Trustees Audit, Risk and Compliance Committee and management with assurance, advice, insight and foresight that is independent, objective and risk-based.

The internal audit function enhances Utah State University's:

Successful achievement of its objectives.
Governance, risk management and control processes.
Decision-making and oversight.
Reputation and credibility with its stakeholders.
Ability to serve the public interest.

Utah State University’s internal audit function is most effective when:

Internal auditing is performed by competent professionals in conformance with the Institute of Internal Auditors’ Global Internal Audit Standards, which are established in the public interest.
The internal audit function is independently positioned with direct accountability to the Audit, Risk and Compliance Committee.
Internal auditors are free from undue influence an committed to making objective assessments.

Commitment to Adhering to the Global Internal Audit Standards

The Utah State University’s internal audit function will adhere to the mandatory elements of the Global Internal Audit Standards and its related Topical Requirements. The chief audit executive will report periodically to the Audit Risk and Compliance Committee and senior management regarding the internal audit function’s conformance with the Standards, which will be assessed through a quality assurance and improvement program.

Mandate

Internal Audit Services (IAS) exists as mandated by Utah Code 63I, Chapter 5 (Utah Internal Audit Act). Per 63I-5-201, part 2, section (3)(a), “Utah Tech University, the University of Utah, Utah State University, Salt Lake Community College, Southern Utah University, Utah Valley University, Weber State University, and Snow College shall establish an internal audit program under the direction of the Utah Board of Higher Education.”

The Utah Board of Higher Education (BHE) also requires internal audits. BHE’s Policy R567, Internal Audit Program, section 4.2 states, “Each USHE institution is required to maintain an internal audit activity plan.”

Authority

The internal audit function’s authority is created by its direct reporting relationship to the Chair of the Board of Trustees Audit, Risk and Compliance Committee. Such authority allows for unrestricted access to the Audit, Risk and Compliance Committee.

The Audit, Risk and Compliance Committee authorizes the internal audit function to:

Have full and unrestricted access to all functions, data, records, information, physical property and personnel pertinent to carrying out internal audit responsibilities. Internal auditors are accountable for confidentiality and safeguarding records and information.
Allocate resources, set frequencies, select subjects, determine scope of work, apply techniques and issue communications to accomplish the function’s objectives.
Obtain assistance from the necessary personnel of Utah State University and other specialized services from within or outside Utah State University to complete internal audit services.

Independence, Organizational Position and Reporting Relationships

The chief audit executive will be positioned at a level in the organization that enables internal audit services and responsibilities to be performed without interference from management, thereby establishing the independence of the internal audit function. The chief audit executive will report functionally to the Chair of the Trustees Audit, Risk and Compliance Committee and administratively to the President. This positioning provides the organizational authority and status to bring matters directly to senior management and escalate matters to the Audit, Risk and Compliance Committee, when necessary, without interference and supports the internal auditors’ ability to maintain objectivity.

The chief audit executive will confirm to the Audit, Risk and Compliance Committee, at least annually, the organizational independence of the internal audit function. If the governance structure does not support organizational independence, the chief audit executive will document the characteristics of the governance structure limiting independence and any safeguards employed to achieve the principle of independence. The chief audit executive will disclose to the Audit, Risk and Compliance Committee any interference internal auditors encounter related to the scope, performance or communication of internal audit work and results. The disclosure will include communicating the implications of such interference on the internal audit function’s effectiveness and ability to fulfill its mandate.

Changes to the Mandate and Charter

Circumstances may justify a follow-up discussion between the chief audit executive, Audit, Risk and Compliance Committee and senior management on the internal audit mandate or other aspects of the internal audit charter. Such circumstances may include but are not limited to:

A significant change in the Global Internal Audit Standards.
A significant reorganization within the university.
Significant changes in the chief audit executive, Audit, Risk and Compliance Committee and/or senior management.
Significant changes to the university’s strategies, objectives, risk profile or the environment in which the university operates.
New laws or regulations that may affect the nature and/or scope of internal audit services.

Audit, Risk and Compliance Committee Oversight

To establish, maintain, and ensure that Utah State University’s internal audit function has sufficient authority to fulfill its duties, the Audit, Risk and Compliance Committee will:

Discuss with the chief audit executive and senior management the appropriate authority, role and responsibilities of the internal audit function.
Ensure the chief audit executive has unrestricted access to, communicates and interacts directly with the Audit, Risk and Compliance Committee including in private meetings without senior management present (including General Counsel).
Discuss with the chief audit executive and senior management other topics that should be included in the internal audit charter.
Participate in discussions with the chief audit executive and senior management about the “essential conditions,” described in the Global Internal Audit Standards, which establish the foundation that enables an effective internal audit function.
Approve the internal audit function’s charter, which includes the internal audit mandate and the scope and types of internal audit services.
Review the internal audit charter periodically with the chief audit executive to consider updates to address changes affecting the university, such as the appointment of a new chief audit executive or changes in the type, severity and interdependencies of risks to the university; and approve any updates to the internal audit charter.
Approve the risk-based internal audit plan.
Review with the chief audit executive the adequacy of the internal audit staff and resources.
As per the Internal Audit Act, “appoint, evaluate, and, if necessary, remove the agency internal audit director.”
Receive communications from the chief audit executive about the internal audit function, including its performance relative to its plan.
Ensure a quality assurance and improvement program has been established and review the results annually.
Make appropriate inquiries of senior management and the chief audit executive to determine whether any identified scope or resource limitations are inappropriate.

Chief Audit Executive Roles and Responsibilities

Ethics and Professionalism

The chief audit executive will ensure that internal auditors:

Conform with the Global Internal Audit Standards, including the principles of Ethics and Professionalism: integrity, objectivity, competency, due professional care and confidentiality.
Understand, respect, meet and contribute to the legitimate and ethical expectations of the university and be able to recognize conduct that is contrary to those expectations.
Encourage and promote an ethics-based culture in the university.
Report organizational behavior that is inconsistent with the university’s ethical expectations, as described in applicable policies and procedures.

Objectivity

The chief audit executive will ensure that the internal audit function remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of engagement selection, scope, procedures, frequency, timing and communication. If the chief audit executive determines that objectivity may be impaired in fact or appearance, the details of the impairment will be disclosed to the Chair of the Audit, Risk and Compliance Committee and the Commissioner of Higher Education.

Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively such that they believe in their work product, do not compromise quality, and do not subordinate their judgment on audit matters to others, either in fact or appearance.

Internal auditors will have no direct operational responsibility or authority over any of the activities they review. Accordingly, internal auditors will not implement internal controls, develop procedures, install systems or engage in other activities that may impair their judgment, including:

Assessing specific operations for which they had responsibility within the previous year.
Performing operational duties for Utah State University or its affiliates.
Initiating or approving transactions external to the internal audit function.
Directing the activities of any Utah State University employee that is not employed by the internal audit function, except to the extent that such employees have been appropriately assigned to internal audit teams or to assist internal auditors.

Internal auditors will:

At least annually, disclose impairments of independence or objectivity, in fact or appearance, to appropriate parties, such as the chief audit executive, Audit, Risk and Compliance Committee, the Commissioner of Higher Education, management or others, as necessary.
Exhibit professional objectivity in gathering, evaluating, and communicating information.
Make balanced assessments of all available and relevant facts and circumstances.
Take necessary precautions to avoid conflicts of interest, bias, and undue influence.

Managing the Internal Audit Function

The chief audit executive has the responsibility to:

Develop a risk-based audit plan that considers the input of the Audit, Risk and Compliance Committee and senior management. Discuss and submit the annual audit plan for approval to the Audit, Risk and Compliance Committee.
Communicate the impact of resource limitations on the audit plan to the Audit, Risk and Compliance Committee and senior management.
Review and adjust the audit plan, as necessary, in response to changes in Utah State University’s business, risks, operations, programs, systems and controls.
Request approval to deviate from the audit plan from the Audit, Risk and Compliance Committee Chair and President to conduct engagements initiated by valid hotline concerns or an increase in identified risks.
Ensure internal audit engagements are performed, documented, and communicated in accordance with the Global Internal Audit Standards, Utah Code 63I Chapter 5 (Utah Internal Audit Act), BHE’s Policy 567, Internal Audit Program and other applicable laws and/or regulations.
Follow up on engagement findings and confirm the implementation of recommendations or action plans and communicate the results to the Audit, Risk and Compliance Committee and senior management.
Ensure the internal audit function collectively possesses or obtains the knowledge, skills, and other competencies and qualifications needed to meet the requirements of the Global Internal Audit Standards and fulfill the internal audit mandate.
Identify and consider trends and emerging issues that could impact Utah State University and communicate to the Audit, Risk and Compliance Committee and senior management as appropriate.
Consider emerging trends and successful practices in internal auditing.
Establish and ensure adherence to methodologies designed to guide the internal audit function.
Ensure adherence to Utah State University’s relevant policies and procedures unless such policies and procedures conflict with the Internal Audit Charter, the Global Internal Audit Standards, federal law or state law. Any such conflicts will be resolved or documented and communicated to the Audit, Risk and Compliance Committee and senior management.
Coordinate activities and consider relying upon the work of other internal and external providers of assurance and advisory services. If the chief audit executive cannot achieve an appropriate level of coordination, the issue must be communicated to senior management and if necessary escalated to the Audit, Risk and Compliance Committee.

Communication with the Audit, Risk and Compliance Committee and Senior Management

The chief audit executive will report to the Audit, Risk and Compliance Committee and senior management regarding:

The internal audit function’s mandate.
The internal audit plan and performance relative to its plan.
Significant deviations to the internal audit plan and budget.
Potential impairments to independence, including relevant disclosures as applicable.
Results from the quality assurance and improvement program, which include the internal audit function’s conformance with the Global Internal Audit Standards and action plans to address the internal audit function’s deficiencies and opportunities for improvement.
Significant risk exposures and control issues, including fraud risks, governance issues and other areas of focus for the Audit, Risk and Compliance Committee that could interfere with the achievement of Utah State University’s strategic objectives.
Results of assurance and advisory services.
Management’s responses to risk that the internal audit function determines may be unacceptable or acceptance of a risk that is beyond Utah State University’s risk appetite.

Quality Assurance and Improvement Program

The chief audit executive will develop, implement, and maintain a quality assurance and improvement program that covers all aspects of the internal audit function. The program will include external and internal assessments of the internal audit function’s conformance with the Global Internal Audit Standards, as well as performance measurement to assess the internal audit function’s progress toward the achievement of its objectives and promotion of continuous improvement. The program also will assess, if applicable, compliance with laws and/or regulations relevant to internal auditing. Also, if applicable, the assessment will include plans to address the internal audit function’s deficiencies and opportunities for improvement.

The chief audit executive will communicate with the Audit, Risk and Compliance Committee and senior management about the internal audit function’s quality assurance and improvement program, including the results of internal assessments (ongoing monitoring and periodic self-assessments) and external assessments. External assessments will be conducted at least once every five years by a qualified, independent assessor or assessment team from outside Utah State University.

Scope and Types of Internal Audit Services

The scope of internal audit services covers the entire breadth of the organization, including all of Utah State University’s activities, assets, and personnel. The scope of internal audit activities also encompasses but is not limited to objective examinations of evidence to provide independent assurance and advisory services to the Audit, Risk and Compliance Committee and management on the adequacy and effectiveness of governance, risk management, and control processes for Utah State University.

The nature and scope of advisory services may be agreed with the party requesting the service, provided the internal audit function does not assume management responsibility. Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during advisory engagements. These opportunities will be communicated to the appropriate level of management.

Internal audit engagements may include evaluating whether:

Risks relating to the achievement of Utah State University’s strategic objectives are appropriately identified and managed.
The actions of Utah State University’s officers, directors, management, employees, and contractors or other relevant parties comply with Utah State University’s policies, procedures, and applicable laws, regulations and governance standards.
The results of operations and programs are consistent with established goals and objectives.
Operations and programs are being carried out effectively, efficiently, ethically and equitably.
Established processes and systems enable compliance with the policies, procedures, laws, and regulations that could significantly impact Utah State University.
The integrity of information and the means used to identify, measure, analyze, classify and report such information is reliable.
Resources and assets are acquired economically, used efficiently and sustainably and protected adequately.

Approved by the Audit, Risk and Compliance Committee on February 20, 2025.