Ethics, Compliance and Audit Services
Internal Audit Charter(Charter Revised September 2020)
- Policy Statement
- Independence and Reporting Structure
- Scope of Work
- Nature of Assurance and Consulting Services
- Mandatory Guidance
- Certain Personnel Matters
It is the policy of the University of California (UC) to maintain an independent and objective internal audit function to provide the Regents, President, campus Chancellors and Laboratory Director with information and assurance on the governance, risk management and internal control processes of the University. Further, it is the policy of the University to provide the resources necessary to enable Internal Audit (IA) to achieve its mission and discharge its responsibilities under its charter. Internal Audit is established by the Regents, and its responsibilities are defined by the Regents' Committee on Compliance and Audit as part of their oversight function.
UC Internal Audit will be a universally recognized knowledgeable, collaborative and trusted resource on governance, risk management and control.
The mission of UC IA is to provide the Regents, President, campus Chancellors and Laboratory Director with independent and objective assurance and consulting services designed to add value and improve operations. We do this through communication, monitoring and collaboration with management to assist the campus community in the discharge of their oversight, management, and operating responsibilities. IA brings a systematic, risk-based and disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.
IA functions under the policies established by the Regents of the University of California and by University management under delegated authority.
IA is authorized to have full, free and unrestricted access to information it deems necessary to perform audit, consulting/advisory services, and investigation projects and ongoing risk assessment activities, including, but not limited to, records, computer files, information systems, databases, property, and personnel of the University in accordance with the authority granted by approval of this charter and federal and state statutes. Except where limited by law, the work of IA is unrestricted. IA is free to review and evaluate all policies, procedures, and practices for any university activity, program, or function on behalf of the Board of Regents.
In performing the audit function, IA has no direct responsibility for, nor authority over, any of the activities reviewed. The IA review process does not in any way relieve other persons in the organization of the responsibilities assigned to them.
Information requested by IA shall be provided without delay. Any attempt to interfere with or prevent IA’s access to information, including termination of access to information required to perform IA’s duties, shall be immediately escalated to the local Chancellor/Laboratory Director and to the President of the University for resolution. If the access issues are not timely resolved through this escalation, the Chief Compliance and Audit Officer (CCAO) shall escalate the issues to the Chair of the Regents Compliance and Audit Committee for resolution.
Independence and Reporting Structure
To permit the rendering of impartial and unbiased judgment essential to the proper conduct of audits, internal auditors will be independent of the activities they audit. This independence is based primarily upon organizational status and objectivity and is required by external industry standards.
The CCAO has a direct, independent reporting relationship to the Regents, communicating directly with the Board of Regents and the Regents Committee on Compliance and Audit regarding all elements of meaningful compliance and audit programs, including providing annual reports on compliance with applicable laws, regulations, and University policies. The CCAO shall also consult with and advise the President and the Chair and Vice Chair of the Regents’ Committee on Compliance and Audit on compliance and audit activities. The CCAO has established an active channel of communication with the Chair of the Regents' Committee on Compliance and Audit, as well as with campus executive managements, on audit matters. The CCAO has direct access to the President and the Regents’ Committee on Compliance and Audit. In addition, the CCAO serves as a participating member on all campus compliance oversight/audit committees.
Campus/Laboratory Internal Audit Directors (IADs) report administratively to the Chancellor/Laboratory Director and directly to the Regents' Committee on Compliance and Audit through the CCAO. IADs have direct access to the CCAO and to the President or the Regents' Committee on Compliance and Audit as circumstances warrant.
Campus/Laboratory IADs will report periodically to campus compliance oversight/audit committees on the adequacy and effectiveness of the organization’s processes for controlling its activities and managing its risks in the areas set forth under the mission and scope of work, the status of the annual audit plan, and the sufficiency of audit resources. Local audit functions will coordinate with and provide oversight of other control and monitoring functions involved in governance, such as risk management, compliance, security, legal, ethics, environmental health and safety, external audit, etc.
IADs may take directly to the respective Chancellor or Laboratory Director, the CCAO, the President, or the Regents matters that they believe to be of sufficient magnitude and importance. IADs shall take directly to the CCAO, who shall report to the President and the Regents' Committee on Compliance and Audit Chair, any credible allegations of significant wrongdoing (including any wrongdoing for personal financial gain) by or about a Chancellor, Executive Vice Chancellor or Vice President, or any other credible allegations that if true could cause significant harm or damage to the reputation of the University.
The Chancellors/Laboratory Director may delegate other IAD administrative oversight responsibilities such as time and expense approval and departmental budget oversight to a position no lower than the Vice Chancellor/Associate Laboratory Director or Chief Operating Officer level. To maintain organizational independence, this position should generally not have responsibility over key operating units routinely reviewed by internal audit. The Chancellor/Laboratory Director shall retain responsibility for approval of the campus/laboratory annual audit plan and approval of local audit committee/work group charter, and shall meet with the IAD regularly to review the state of the internal audit function and the state of internal controls locally. The Regents have the ultimate authority to approve and/or amend the systemwide audit plan, which is a consolidation of all campus and laboratory audit plans.
Scope of WorkThe scope of IA work is to determine whether UC’s network of risk management, control, and governance processes, as designed and represented by management at all levels, is adequate and functioning in a manner to ensure:
- Risk management processes are effective and significant risks are appropriately identified and managed.
- Ethics and values are promoted within the organization.
- Financial and operational information is accurate, reliable, and timely.
- Employee’s actions are in compliance with policies, standards, procedures, and applicable laws and regulations.
- Resources are acquired economically, used efficiently, and adequately protected.
- Programs, plans, and objectives are achieved.
- Quality and continuous improvement are fostered in the organization’s risk management and control processes.
- Significant legislative or regulatory compliance issues impacting the organization are recognized and addressed properly.
- Effective organizational performance management and accountability are fostered.
- Coordination of activities and communication of information among the various governance groups occur as needed.
- The potential occurrence of fraud is evaluated and fraud risk is managed.
- Information technology governance supports UC’s strategies, objectives, and privacy framework.
- Information technology security practices adequately protect information assets and are in compliance with applicable policies, rules and regulations.
- Opportunities for improving management control, quality and effectiveness of services, and the organization’s image identified during audits are communicated by IA to the appropriate levels of management.
Nature of Assurance and Consulting ServicesIA performs three types of projects:
- Audits are assurance services defined as examinations of evidence for the purpose of providing an independent assessment of governance, risk management, and control processes for the organization. Examples include financial, performance, compliance, systems security and due diligence engagements.
- Consulting/Advisory Services, the nature and scope of which are agreed upon with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include reviews, recommendations (advice), facilitation, and training.
- Investigations are independent evaluations of allegations generally focused on improper governmental activities, including misuse of university resources, fraud, financial irregularities, significant control weaknesses and unethical behavior or actions.
IA serves the University in a manner that is consistent with the standards established by the CCAO and acts in accordance with University policies and the UC Standards for Ethical Conduct. At a minimum, it complies with relevant professional standards such as the Institute of Internal Auditors’ mandatory guidance, including the Definition of Internal Auditing, the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing. This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity’s performance.
Certain Personnel Matters
Action to appoint, demote or dismiss the CCAO requires the approval of the Regents. Action to appoint an IAD requires the concurrence of the CCAO. Action to demote or dismiss an IAD requires the concurrence of the President and the Chair of the Compliance and Audit Committee, upon the recommendation of the CCAO.