Internal Audit performs five types of engagements:

Assurance Services - Assurance services are objective examinations of evidence to provide an independent assessment. This includes assessing and reporting on the adequacy and effectiveness of internal controls, the quality of performance in carrying out assigned responsibilities and evaluating risk exposures relating to the University’s governance, operations, and information systems. The scope includes reviewing and evaluating:

  1. achievement of the University’s strategic objectives;

  2. internal controls established to ensure compliance with applicable policies, plans, procedures, laws, regulations and contracts;

  3. the means with which assets are safeguarded;

  4. the reliability and integrity of financial and operational information;

  5. the efficiency and effectiveness with which resources are employed; and

  6. information technology systems to determine if they are appropriately managed, controlled, and protected.

Areas selected for internal audit are identified as a part of robust annual planning process.  The goal of the annual planning process is to identify what units can most benefit from assurance services.  The annual planning process seeks to apply available resources to highest risks identified, but also serves to provide periodic resources to all units. 

For planning purposes, Internal Audit has organized the University into eight major functions:

  1. governance and leadership;

  2.  instruction and academic support including student affairs and the library;

  3.  research and development;

  4.  human resources management;

  5.  fiscal management including the service center;

  6.  facilities management and planning including plant operations and campus public safety;

  7.  athletics, auxiliary enterprises, and other self-support enterprises such as student centers and activities, Jefferson Public Radio, housing, food, student health services, parking and the bookstore;

  8.  information technology and others as identified and necessary.

The assurance services selection process entails a macro-level risk assessment of the major functional areas using industry trends, past internal audit experience, financial analysis, and University constituent input.  Some factors considered in selecting auditable units for assurance services include: 

  1. the critical nature of the auditable unit in meeting University objectives.

  2. the length of time since and results of prior assurance services.

  3. the size and complexity of the operation.

  4. changes in regulations, personnel, operations, programs, systems, contracts, or internal controls.

  5. regulatory requirements of the operation.

  6. the degree of manual and automated processing.

  7. the sensitivity of the unit's operations to the University’s image and reputation. 

  8. the amount of financial activity and resources.

  9. the likelihood, frequency, vulnerability and impact of an event.

  10. management concern.

Consulting Services - Advisory and related client service activities, the nature and scope of which are agreed upon with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the Internal Auditor assuming management responsibility. Examples include counsel, advice, facilitation and training.

Investigative Services - Investigations evaluate and substantiate allegations of unethical business practices and/or financial and operational misconduct for management to act upon and to detect, deter and prevent future occurrences.

Follow-up Engagements - Follow-up engagements evaluate plans and actions taken to correct reported conditions.

External Audit – Internal Audit meets with external auditors to discuss audit plans, risk assessment, effectiveness of internal controls and coordination of effort; specifically including the results of assurance, consulting and investigation activities.  Internal Audit may perform follow-up activity based on external audit recommendations, but Internal Audit does not perform auditing services for the external auditors.

Annual Assessment of Management Responsibilities

It is the objective of Internal Audit to determine whether the University’s network of governance, risk management and control processes, as designed and represented by management, is adequate and functioning in a manner to confirm that:

  1. Risks are appropriately identified and managed; specifically including management compliance with laws and regulations.

  2. Governance interaction occurs as needed.

  3. Significant financial, managerial, and operating information is accurate, reliable and timely.

  4. Employee’s actions are in compliance with policies, standards, procedures, professional ethics and applicable laws and regulations; specifically including privacy and security.

  5. Resources are acquired economically, used efficiently and adequately protected; specifically including review of management processes and internal controls and the prevention and detection of fraud.

  6. Accountability systems are in place to ensure organizational and program missions, goals, plans, and objectives are achieved.

  7. Quality and continuous improvement are fostered in the University’s control process.

  8. Significant legislative or regulatory issues impacting the University are recognized and properly addressed.

This assessment, and confirmation of reasonable assurance, on the adequacy and effectiveness of the University’s processes for controlling its activities, managing its risks, governance, and the performance of management responsibilities is included in each year’s Internal Audit Plan.

Annual Confirmation of the Organizational Independence of Internal Audit

Another key responsibility set forth in the Internal Audit Charter is to confirm annually the organizational independence of Internal Audit.  This is included in each year’s Internal Audit Plan.  The Board will be advised of any responsibilities or conditions believed to be inappropriate, as well as any inappropriate limitations to scope or insufficient resources.