Office of Audit Services Mission (Purpose)
The Office of Audit Services is an independent and objective assurance and consulting activity within the University of Vermont (UVM) that provides the Board of Trustees and management with observations, recommendations and advice designed to add value and improve the effectiveness of the University's risk management, control, and governance processes.
Internal Audit Function
The chief internal auditor is specifically authorized and directed to:
- Provide a program of financial, operational, information systems, compliance, and investigative audits (i.e., stemming from fraud or dishonest conduct);
- Have unlimited and unrestricted access to all UVM entities, subsidiaries and related organizations and any associated data, files, records, property, and personnel;
- Allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish the audit objectives;
- Obtain the necessary assistance of personnel in units of UVM where they perform audits, as well as other specialized services from within or outside UVM;
- Coordinate all audit activity at UVM to assure an efficient audit coverage that remains responsive to the University's needs.
The chief internal auditor is not authorized to:
- Perform any operational duties for UVM:
- Initiate or approve any accounting transactions external to internal audit;
- Direct activities of any UVM employee not employed by internal audit, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the chief internal auditor.
Internal Audit Operations
The chief internal auditor is responsible for:
- Maintaining a professional audit staff with sufficient knowledge, skills, and experience, and professional certifications to meet the requirements of this charter;
- Developing an annual risk-based audit plan that incorporates collaboration and consultation with the Board of Trustees, UVM's independent auditors, and management;
- Proposing an annual audit budget that is adequate to perform the scope of his or her responsibilities and to accomplish the annual risk-based audit plan.
Audit Committee Function
The chief internal auditor reports to and is supervised by the Audit Committee of the Board of Trustees. The Audit Committee has full authority and oversight of the internal audit function including appointment decisions, performance evaluations, salary setting and employment termination of the chief internal auditor. The Audit Committee has delegated to the President administrative oversight regarding certain specific operational activities of the internal audit function.
The Office communicates to management or operating personnel in the form of written reports, consultation, or advice. Written reports include observations, recommendations for improvement, and management's action plans to manage identified risks and to ensure that objectives are achieved. The Office also monitors, evaluates, and verifies (if appropriate) management's responses to audit observations and recommendations. Audit Services reports regularly on the status and results of the annual audit plan and sufficiency of office resources to the Audit Committee.
Professional Standards and Ethics
The chief internal auditor and staff will meet or exceed the International Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors.
The University is committed to conducting its affairs in accordance with its principles of behavior outlined in its Code of Conduct and Ethical Standards and University policies. This protocol establishes an administrative process for dealing with allegations of misconduct reported under the Code of Conduct and Ethical Standards so that the integrity of business conducted at the University of Vermont may be preserved.
As outlined in the Code of Conduct and Ethical Standards reports of suspected misconduct are to be made to a responsible official or Office of Audit Services. Suspected fraudulent activity should be reported to the Office of Audit Services. Reporting channels outlined in specific University policy should be followed.
The Chief Internal Auditor shall keep the President, General Counsel and the Chair of the Audit Committee informed of any potentially serious or widespread compliance issues or defalcations.
Expectations of Employees
All employees are expected to cooperate and be truthful in the University's investigation of allegations.
When fraudulent activity is suspected, administrators:
- should not contact the person suspected to further investigate the matter or demand restitution,
- should not discuss the case with anyone other than the Audit Services Office, the Office of General Counsel, or a duly authorized law enforcement officer,
- should direct all inquiries from any attorney retained by the suspected individual to the Office of General Counsel, and
- should direct all inquiries from the media to the University Communications Office, or in the event that the Communications Office cannot be contacted, to the Office of General Counsel.
Persons assisting in the investigation shall be reminded of the University's whistleblower protections against retaliation in cases where the identity of the whistleblower may be compromised in furtherance of the investigation.
Individuals that are the subject of an allegation shall be notified as long as the investigative officer concludes it will not risk the integrity of the investigation and evidence of wrongdoing is found and reported on.
- The investigative auditor shall evaluate the issues raised and refer the matter to the appropriate University offices as may be required during the investigation and in accordance with University policy.
- Investigation Outcomes.
- When the fact finding produces no evidence of misconduct or defalcation, the Office of Audit Services shall report the outcome to the cognizant University administrator.
- Incidents of minor misconduct or noncompliance may be referred to departmental management or other appropriate University offices for resolution. In these instances the investigation shall be a fact finding function in order to determine whether internal control deficiencies exist.
- If the investigation determines that substantial misconduct or defalcation occurred or likely occurred, the Office of Audit Services shall report on the findings to the President, Cognizant Vice President or Provost, appropriate responsible official, and General Counsel. Potential criminal activity will also be reported to Police Services. Risk Management will be notified of any defalcation that may be covered under University insurance. In addition, the Audit Committee of the Board of Trustees shall be notified of any allegation involving senior management (Vice President or above) and any fraud with an aggregate value of $10,000 or greater.
- Note: The Chief Internal Auditor retains the authority to report any matter to University administration or the Board of Trustees as he/she deems appropriate.
- If wrongful conduct is determined to have occurred the appropriate University official will initiate disciplinary action in a manner consistent with applicable University policy and procedure.
- Police Services is responsible for referrals made to the Vermont State Attorney's Office for potential criminal prosecution.
- The Office of Audit Services shall maintain the records and supporting documents related to all investigations.
- All reasonable efforts shall be made to complete the investigative review within 90 days. Any inquiries anticipated to extend beyond 90 days will be reviewed and approved by the Chief Internal Auditor.
Effective Date: 7/17/09
When an audit begins, the department being audited is informed in advance. An entrance conference is held for the auditors and department members to meet each other and discuss the objectives of the audit. Issues or processes that members of the department would like included in Audit Service's scope of work may be defined at this time. During the initial planning phase, Audit Services may talk with managers, General Counsel, and other offices to get different perspectives on operations and where to focus resources during the audit.
Since each department is unique in its size, purpose, staffing and procedures. The audit procedures that are followed during the fieldwork phase depend on the nature of the audit and are designed to focus on operations or controls that have been identified as high risk or the most problematic for the department. Test work may be expanded, eliminated, or otherwise adjusted as the audit progresses
During a typical audit, Audit Services performs an evaluation of the internal controls and tests the compliance by tracing a sample of transactions through the operations' processes. Office policies and manuals are reviewed, processed and systems are tested, and documents maintained by the department are examined. Key personnel may also be interviewed. Compliance with University policies are reviewed, as is compliance with procedures that are important and specific to the department's mission.
Throughout the audit process, Audit Service staff will keep relevant staff members advised of findings and attempt to resolve any issues that arise during the audit. Occasionally, a serious or urgent problem is discovered that Audit Services will bring immediately to the attention of the appropriate senior officer(s) for corrective action. An audit of one department may produce findings and recommendations for another department within the University to address.
When the fieldwork is completed, Audit Services prepares a draft of the audit report which is provided to department management for discussion and review. The report is usually formatted with the background and scope of the audit, a brief summary of the positive findings and a list of observations that were identified in the audit. Observations which require a response from outside of the unit being audited are referred to the area's manager for response.
An exit conference is scheduled with Audit Services and relevant managers to discuss the substance and wording of the report and how management intends to respond to the observations. If there are significant changes to the draft, a second draft of the report may be issued.
The final version of the audit report incorporates management's responses to each recommendation. It is distributed to the senior officers and department managers responsible for the operations being reported upon. Some final internal audit reports are requested by external auditors.