The scope of work of the Internal Audit Department shall encompass, but not be limited to, the examination and evaluation of the adequacy and effectiveness of the University’s governance, risk management, and internal controls. This includes:
- evaluating risk exposure relating to achievement of the University’s strategic objectives;
- evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information;
- evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the University;
- evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets;
- evaluating the effectiveness and efficiency with which resources are employed;
- evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned;
- monitoring and evaluating governance processes;
- monitoring and evaluating the effectiveness of the University's risk management processes;
- evaluating the quality of performance of external auditors and the degree of coordination with internal audit;
- performing consulting and advisory services related to governance, risk management and control as appropriate for the University;
- reporting periodically on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan;
- reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the Board; and
- evaluating specific operations at the request of the Board or Senior University administration personnel, as appropriate.
Regulatory requirements for internal audit plans of Illinois State Agencies:
FCIAA (30 ILCS 10/2003(a)(2)):
Audits of major systems of internal accounting and administrative control … so that all major systems are reviewed at least once every 2 years. … [The audit plan] must include:
- the obligation, expenditure, receipt and use of public funds and funds held in trust
- the design of major new [/ modifications of] electronic data processing systems
- special audits of operations, procedures, programs, electronic data processing systems, and activities as directed by the [President of the University] or [Board of Trustees].
The State Internal Audit Advisory Board (SIAAB) added specificity to the FCIAA requirement of auditing “all major systems,” by requiring the following areas to be considered for inclusion in the internal audit plan:
- Agency Organization and Management;
- Administrative Support Services;
- Budgeting, Accounting and Reporting;
- Purchasing, Contracting and Leasing;
- Expenditure Control;
- Personnel and Payroll;
- Property, Equipment, and Inventories;
- Revenues and Receivables;
- Petty Cash and Local Funds;
- Grant Administration; and,
- Electronic Data Processing.
In a Nutshell
The Chief Internal Auditor develops and implements a flexible annual two-year rolling internal audit plan that complies with FCIAA and SIAAB requirements and also includes areas based on a risk assessment derived from analysis and input from the President, Board of Trustees, and senior University administration.
The rolling two-year internal audit plan is approved annually by the President. The internal audit plan can be changed at any time based on emerging and previously unknown risks, with significant changes also requiring Presidential approval.