Internal Audit Policy May 29, 2006 To request an official copy of this policy, contact: Phone: 416-978-6576
Table of Contents Introduction
The University of Toronto supports Internal Auditing as an independent and objective assurance and consulting activity designed to add value and improve the University’s operations. It assists the University in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the University’s risk management, control and governance processes. The Internal Audit Department is established by Governing Council Policy and its responsibilities are defined by this Policy and the Audit Committee of the Business Board as part of their oversight function. The Director of Internal Audit is responsible for the development, review and modification of the Internal Audit Department’s policies and procedures. The objectives of internal auditing are to assist members of the University in the effective discharge of their responsibilities by furnishing them with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed and by promoting effective control and sound business practices. The scope of internal auditing encompasses the examination and evaluation of the adequacy and effectiveness of the organization’s system of internal control and the quality of performance in carrying out assigned responsibilities at the organizational, divisional, departmental, program or functional level. The Mandate includes:
To the extent that resources are available, the Internal Audit Department will provide advice and assistance to University administrators when requested, by:
Annually, the Director of Internal Audit shall submit to senior management and the Audit Committee a Plan summarizing the staffing plan, budget and areas identified for audit during the following fiscal year. The Plan is to be developed based on the prioritization of the audit universe using a risk-based methodology. The Plan will include the allocation of audit services to those areas identified as ‘high risk’ on the basis of a reasonable cyclical frequency. The Plan will also be informed by management’s and other requests as well as knowledge obtained in connection with the delivery of the Department’s services. An audit report will be prepared and issued by the Director of Internal Audit following the conclusion of each audit and will be distributed as appropriate. The senior administrator of the department or activity receiving the report will respond to the audit recommendations and the responses will be included in the final report. The response should include a timeframe for anticipated completion of the action to be taken and an explanation for any recommendations that will not be addressed. In the event that the Director has a serious concern about a matter which could not be resolved with the appropriate senior administrator of the department or activity under review, the Director will inform the one-level-up report including, if considered necessary by the Director, the relevant Vice-President, the President, the Chair of the Audit Committee, the Chair of the Business Board or the Chair of the Governing Council. The Director of Internal Audit shall report administratively to the President or the Secretary of the Governing Council as designate [1] and functionally to the Audit Committee of the Business Board. All internal audit activities shall remain free of influence by anyone in the University, including matters of audit selection, scope, procedures, frequency, timing or report content in order to maintain the independent and objective state of mind the Department requires when providing its services. The Director of Internal Audit will meet with the Audit Committee in private session at least once a year or on request of either the Director or the Committee. [1] In the mid 1990s the President delegated the ongoing administrative reporting responsibility of the Director to the Secretary of the Governing Council. This reporting relationship preserves the independence of the Director and ensures that internal audit matters receive sufficient and appropriate executive management attention. Internal Audit staff members are responsible for conducting themselves so that their integrity, objectivity, confidentiality, and competency are not open to question. Standards of professional behaviour are based upon the Code of Ethics adopted by the Institute of Internal Auditors (IIA) Board of Directors, June 17, 2000. Internal Auditors will:
Relationship with the External Auditor The Director will consult with the external auditor on a regular basis to coordinate the audit activities of the Department with those of the External Auditor in order to avoid duplication of effort. Copies of audit reports will be forwarded to the external auditor. Internal Audit has the authority to audit all parts of the University and shall have full and complete access to all information, records, facilities and personnel relevant to the performance of an audit. Documents and information given to internal auditors during a review will be handled consistent with University policy and in the same manner as the employees normally accountable for them. In the case where access to information is denied and in the professional opinion of the Director, the information is needed for the successful completion of the audit, the Director will inform the one-level-up report including, if considered necessary by the Director, the relevant Vice-President, the President, the Chair of the Audit Committee, the Chair of the Business Board or the Chair of the Governing Council. Divisional/Departmental Responsibilities The division/department or activity under review is to provide full co-operation to the Internal Audit Department. University administrators are responsible for developing action plans and implementing the recommendations contained in the audit report or alternatives that meet the objectives of the recommendations. In the event that the senior administrator of the department or activity under review and the Director of Internal Audit are unable to resolve or reach agreement on the implementation of one or more of the recommendations, a follow-up audit report will incorporate the operating management’s positions prior to sign-off by the appropriate one-level-up report including, if necessary, the relevant Vice-President, the President and/or Chair of the Audit Committee. May 29, 2006 |