Internal auditing at Rochester Institute of Technology (the “university”) is an independent and objective assurance and consulting activity designed to add value and improve the university’s operations. Specifically, it helps the university accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The university’s internal auditing function is performed by the department of Institute Audit, Compliance & Advisement (“IACA”).
Institute Audit, Compliance & Advisement promotes a strong internal control environment by objectively and independently assessing risks and controls; evaluating business processes for efficiency, effectiveness, and compliance; providing management advisory services; and offering training to the University community. We focus on preserving the resources of the University for use by our students as they prepare for successful careers in a global society.
Role and Organization
IACA was established by the university to assist the Audit Committee of the Board of Trustees (the “Committee”) in the accomplishment of its objectives as described in the Audit Committee Charter. The Assistant Vice President of IACA leads the department and is the university’s Chief Audit Executive (the “CAE”). The CAE reports administratively to the Senior Vice President for Finance and Administration, and functionally to the Committee. IACA is required to report regularly to the Committee regarding the status of the annual audit plan and university risk management systems which include strategic, financial, regulatory, reputational, and operational risks. The Chief Audit Executive has a responsibility to communicate promptly and directly with the university’s President and the Committee if management efforts to identify and address critical risks are of concern.
Professional Standards and Quality Assurance
The IACA staff shall govern themselves by adherence to The Institute of Internal Auditors' (the “IIA”) “Code of Ethics.” The IIA’s “International Standards for the Professional Practice of Internal Auditing” (the “Standards”) shall constitute the operating procedures for IACA. The IIA’s “Practice Advisories” will be adhered to as applicable. In addition, IACA will adhere to the university’s policies, procedures and the IACA Department Manual. The IACA Department Manual shall include attribute, performance, and implementation standards to guide IACA.
IACA is committed to meeting the Standards, which includes employing highly competent auditors and maintaining a quality assessment review program. The Committee reviews professional credentials and achievement of annual training and quality goals.
Independence and Authority
All internal audit activities shall remain free of influence by any element in the university, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of an independent and objective mental attitude necessary in rendering reports. One exception to this statement is that the Senior Vice President for Finance and Administration can mandate that certain engagements be included in the internal audit work plan.
To maintain its independence, IACA and its professional staff may have no direct responsibility or control over any of the activities they audit and review. Accordingly, they shall not develop or install systems or procedures, prepare records, or engage in any other activity that would normally be audited. However, IACA staff may perform advisory services without impairing their independence, provided those services remain consultative and not operational in nature. In fulfilling its role, IACA has full and complete access to all university records (manual and electronic), physical properties, personnel, and information provided by third parties relevant to its activities. Documents and information given to IACA during an audit or review will be handled in the same prudent and confidential manner as by those employees normally accountable for them. All university employees are requested to assist IACA in fulfilling its staff function. IACA shall also have free and unrestricted access to the Committee.
Scope of Activities
The scope of IACA encompasses the examination and evaluation of the adequacy and effectiveness of the university’s governance, risk management process, and system of internal controls in carrying out assigned responsibilities to achieve the university’s stated goals, standards, and objectives. It includes:
- Reviewing the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information.
- Reviewing the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations that could have a significant impact on operations and reports, and whether the organization is in compliance.
- Reviewing the means of safeguarding assets and, as appropriate, verifying the existence and value of such assets.
- Reviewing and appraising the economy and efficiency with which resources are employed.
- Reviewing operations or programs to ascertain whether results are consistent with established standards, goals, and objectives and whether the operations or programs are being carried out as planned.
- Reviewing specific operations at the request of the Audit Committee or management, as appropriate.
- Monitoring and evaluating the effectiveness of the university’s risk management system.
- Reviewing the degree of coordination between external auditors and internal audit.
- Reviewing the internal control statement made by senior management and the related opinion by the attest auditor for audit planning.
- Suggesting new or modified policies and procedures where appropriate.
- Compiling information related to irregularities and investigations.
- Participating on committees and in meetings for significant university initiatives to advise on exposure prevention.
- Performing follow-up activities to encourage resolution of identified concerns.
- Monitoring an anonymous hotline (the RIT Ethics and Compliance Hotline) on behalf of the Audit Committee.
- Monitoring university compliance activities in collaboration with RIT’s Chief Compliance and Ethics Officer.
- Promoting a culture of ethics, responsibility, and accountability within the university community by providing various regularly scheduled trainings and communications.
Annually, the CAE shall submit to senior management and the Committee a summary of the audit work schedule, staffing plan, and hours budget for the following fiscal year. The audit work schedule is to be developed based on a prioritization of the audit universe using a risk-based methodology. The Committee is responsible for approving IACA’s annual audit plan. Any significant deviation from the formally approved work schedule shall be communicated to senior management and the Committee through periodic activity reports.
IACA performs audits, business process reviews, limited scope reviews, continuous auditing, advisory engagements, and fraud investigations.
Written communications will be prepared and issued by the CAE or designee following the conclusion of each engagement performed by IACA and distributed as appropriate. Additionally, a summary of results for all audits, business process reviews, limited scope reviews, continuous auditing engagements, and fraud investigations will be provided to all members of the Committee, the President, and the Senior Vice President for Finance and Administration.
The CAE or designee may include in IACA published reports Management’s response and corrective action taken, or to be taken, in regard to the specific findings. Management’s response should include a timetable for anticipated completion of the action to be taken or rationale for accepting a risk and not implementing a corrective action.
IACA shall be responsible for appropriate follow-up on all management corrective action plans. All findings requiring management action will remain open until cleared by the CAE.
IACA selects high quality professionals to staff its department. All professional staff must possess certifications in public accounting, internal auditing, or information systems auditing, or be able to obtain one of these certifications within a reasonable time frame. All IACA professional staff will participate in a continuing professional education program. IACA also engages external professional service providers, as necessary, to increase the breadth and depth of skills available and to increase its flexibility to respond to the challenges of the university’s changing business risks.
The CAE should periodically assess whether the purpose, authority, and responsibility, as defined in this charter, continue to be adequate to enable the internal auditing activity to accomplish its objectives. The result of this periodic assessment should be communicated to senior management and the Board of Trustees via the Committee.
This Charter was adopted on April 30, 2015 and approved by the following individuals:
Patrick M. Didas
Assistant Vice President
Institute Audit, Compliance & Advisement
James H. Watters
Senior Vice President
Finance & Administration
Audit Committee Chair