University of Toronto Governing Council
Internal Audit Policy
May 29, 2006
To request an official copy of this policy, contact:
The Office of the Governing Council
Room 106, Simcoe Hall, 27 King’s College Circle, University of Toronto, Toronto, Ontario
The University of Toronto supports Internal Auditing as an independent and objective assurance and consulting activity designed to add value and improve the University’s operations. It assists the University in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the University’s risk management, control and governance processes. The Internal Audit Department is established by Governing Council Policy and its responsibilities are defined by this Policy and the Audit Committee of the Business Board as part of their oversight function.
The Director of Internal Audit is responsible for the development, review and modification of the Internal Audit Department’s policies and procedures.
The objectives of internal auditing are to assist members of the University in the effective discharge of their responsibilities by furnishing them with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed and by promoting effective control and sound business practices.
The scope of internal auditing encompasses the examination and evaluation of the adequacy and effectiveness of the organization’s system of internal control and the quality of performance in carrying out assigned responsibilities at the organizational, divisional, departmental, program or functional level. The Mandate includes:
- Reviewing the reliability and integrity of financial and operating information and the means used to identify and measure, classify and report such information;
- Assessing compliance with those policies, plans, procedures, laws and regulations which could have a significant impact on operations and reports;
- Reviewing the means of safeguarding assets and, as appropriate, verifying the existence of such assets;
- Reviewing and appraising the economy and efficiency with which resources are employed, as appropriate;
- Reviewing established systems of internal control to ascertain whether they are functioning as designed;
- Monitoring and evaluating the effectiveness of the University’s operational risk management processes;
- Examining and reporting on the adequacy of internal controls for all new or significantly modified central financial and administrative information systems as well as divisional/departmental systems interfacing with the central information systems;
- Investigating and reporting on alleged violations of policies and procedures, errors, fraud or misuse of University assets, and rules and regulations covering research and other grants, including liaison with law enforcement bodies when appropriate;
- Performing and reporting on follow-up reviews to determine the status of recommendations contained in reports;
- Reviewing specific operations, programs, functions or activities at the request of the Audit Committee or management, as appropriate.
To the extent that resources are available, the Internal Audit Department will provide advice and assistance to University administrators when requested, by:
- Serving as a consulting resource for the review of policies and procedures, financial and administrative systems, organizational structures, and other related administrative activities.
- Serving as a consulting resource for the development of control procedures for new or significantly modified divisional/departmental manual and computer-based financial and administrative systems.
Annually, the Director of Internal Audit shall submit to senior management and the Audit Committee a Plan summarizing the staffing plan, budget and areas identified for audit during the following fiscal year. The Plan is to be developed based on the prioritization of the audit universe using a risk-based methodology. The Plan will include the allocation of audit services to those areas identified as ‘high risk’ on the basis of a reasonable cyclical frequency. The Plan will also be informed by management’s and other requests as well as knowledge obtained in connection with the delivery of the Department’s services.
An audit report will be prepared and issued by the Director of Internal Audit following the conclusion of each audit and will be distributed as appropriate. The senior administrator of the department or activity receiving the report will respond to the audit recommendations and the responses will be included in the final report. The response should include a timeframe for anticipated completion of the action to be taken and an explanation for any recommendations that will not be addressed.
In the event that the Director has a serious concern about a matter which could not be resolved with the appropriate senior administrator of the department or activity under review, the Director will inform the one-level-up report including, if considered necessary by the Director, the relevant Vice-President, the President, the Chair of the Audit Committee, the Chair of the Business Board or the Chair of the Governing Council.
The Director of Internal Audit shall report administratively to the President or the Secretary of the Governing Council as designate [1] and functionally to the Audit Committee of the Business Board.
All internal audit activities shall remain free of influence by anyone in the University, including matters of audit selection, scope, procedures, frequency, timing or report content in order to maintain the independent and objective state of mind the Department requires when providing its services.
The Director of Internal Audit will meet with the Audit Committee in private session at least once a year or on request of either the Director or the Committee.
Code of Ethics
Internal Audit staff members are responsible for conducting themselves so that their integrity, objectivity, confidentiality, and competency are not open to question. Standards of professional behaviour are based upon the Code of Ethics adopted by the Institute of Internal Auditors (IIA) Board of Directors, June 17, 2000. Internal Auditors will:
- Possess the educational background, qualifications and competencies commensurate with their level of responsibility in providing assurance and consulting services to the University;
- Exercise honesty, objectivity, and diligence in the performance of their duties and responsibilities;
- Exhibit loyalty in all matters pertaining to the affairs of the University and not knowingly be a party to illegal or improper activity;
- Refrain from entering into any activity which may be in conflict with the interest of the University or which would prejudice their ability to objectively carry out their duties;
- Decline to accept anything that may impair or be presumed to impair their professional judgement;
- Be prudent in the use of information acquired in the course of their duties and not use confidential information for any personal gain or in a manner that knowingly would be detrimental to the welfare of the University;
- Use reasonable care to obtain sufficient, factual evidence to support the conclusions drawn and, in reporting, reveal such material facts known to them which, if not revealed, could distort the reported results of the audit;
- Engage only in those projects for which they have the necessary knowledge, skill, and experience;
- Continue to strive for improvement in the proficiency and effectiveness of their service.
[1] In the mid-1990s the President delegated the ongoing administrative reporting responsibility of the Director to the Secretary of the Governing Council. This reporting relationship preserves the independence of the Director and ensures that internal audit matters receive sufficient and appropriate executive management attention.
Relationship with the External Auditor
The Director will consult with the external auditor on a regular basis to coordinate the audit activities of the Department with those of the External Auditor in order to avoid duplication of effort. Copies of audit reports will be forwarded to the external auditor.
Access to Information
Internal Audit has the authority to audit all parts of the University and shall have full and complete access to all information, records, facilities and personnel relevant to the performance of an audit. Documents and information given to internal auditors during a review will be handled consistently with University policy and in the same manner as by the employees normally accountable for them.
In the case where access to information is denied and, in the professional opinion of the Director, the information is needed for the successful completion of the audit, the Director will inform the one-level-up report including, if considered necessary by the Director, the relevant Vice-President, the President, the Chair of the Audit Committee, the Chair of the Business Board or the Chair of the Governing Council.
The division/department or activity under review is to provide full co-operation to the Internal Audit Department.
University administrators are responsible for developing action plans and implementing the recommendations contained in the audit report or alternatives that meet the objectives of the recommendations.
In the event that the senior administrator of the department or activity under review and the Director of Internal Audit are unable to resolve or reach agreement on the implementation of one or more of the recommendations, a follow-up audit report will incorporate the operating management’s positions prior to sign-off by the appropriate one-level-up report including, if necessary, the relevant Vice-President, the President and/or Chair of the Audit Committee.