12:01:04:00 Internal Audit Program

Purpose:

This policy addresses staffing, responsibilities of the internal audit function, audit planning and reporting on internal audit activities.
The internal audit function contributes to the improvement of the institution’s operations by providing objective and relevant assurance regarding risk management, control and governance processes to management and the Board.
In addition to this policy, the TBR Office of System-wide Internal Audit maintains an audit manual. The purpose of the audit manual is to provide a resource for institution auditors to assist them in achieving consistency, continuity, and standards of acceptable performance.

Scope:

The Internal Audit Charter, signed by the DSCC President, outlines the purpose of the DSCC internal audit function, the authority and scope, and the responsibility and role of the internal auditors. The Audit Charter is reviewed periodically by the TBR System-wide Chief Audit Executive.

Specifically, the scope is defined as follows in the Internal Audit Charter:

Internal Audit’s review of operations may include the examination and evaluation of the effectiveness of all aspects of institutional operations at DSCC. In the course of its work, Internal Audit has full and complete direct access to all DSCC books, electronic and manual records, physical properties, and personnel information relative to the performance of duties and responsibilities. All documents and information given to Internal Audit during their work will be handled in the same prudent manner that DSCC expects of the employees normally accountable for them.
Internal Audit has neither direct responsibility for, nor authority over, any of the activities, functions, or tasks it reviews nor shall their review relieve others of their responsibilities. The internal auditor must maintain a high degree of independence and not be assigned duties or engage in any operations or decision making in any activities that they would normally be expected to review or evaluate as part of the normal audit function.

Management is responsible for evaluating the institution’s risks and establishing and maintaining adequate controls and processes. To provide relevant information, the internal audit activity will consider the goals of the institution, management’s risk assessments and other input from management in determining its risk-based audit activities.

Policy:

  1. Organizational Status/Reporting Structure
    In accordance with T.C.A. 49-14-102 and TBR Policy 4-01-05-00, Internal Audit, the System-wide Chief Audit Executive reports directly to the Audit Committee and the TBR. DSCC’s Director of Internal Audit reports to the President with audit reporting responsibility to the Audit Committee and the Board through the System-wide Chief Audit Executive.

    The internal auditing services provided by Internal Audit are reported directly to the President/Chancellor and the TBR Audit Committee. All audit work is summarized in timely written reports distributed to management to ensure that the results are given due consideration. In addition to management, reports or summaries are distributed to all members of the Audit Committee and to the State of Tennessee, Comptroller’s Office. Management is provided a discussion draft of the audit report prior to the report being issued. Internal Audit is responsible for following up timely on audit findings to ascertain the status of management’s corrective actions.
  2. Audit Standards and Ethics
    The Internal Audit function adheres to The Institute of Internal Auditors’ mandatory guidance including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity’s performance.

    Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

    To assure compliance with the IIA Standards, the internal audit office must implement and maintain a quality assurance and improvement program that incorporates both internal and external review activities. External reviews must be performed at least every five years by a qualified, independent reviewer. Results of quality assurance reviews will be communicated to the Audit Committee and management.
  3. Responsibility and Role
    TBR Policy 04:01:05:00, Internal Audit, states the role of Internal Audit is to assist members of the organization in the effective discharge of their responsibilities. Meaningful internal auditing requires cooperation among Internal Audit, DSCC’s administration, and the department under audit. In fulfilling their responsibilities, Internal Audit will:
    • Comply with auditing standards established by the Institute of Internal Auditors to ensure the effectiveness and quality of the internal audit effort.
    • Develop and implement audit plans and programs after consultation with the President that respond to both risk and cost effectiveness criteria.
    • Review the reliability and integrity of information, and the information technology processes that produce that information.
    • Verify compliance with applicable policies, guidelines, laws, and regulations.
    • Suggest policies and procedures or improvements to existing policies and procedures where appropriate.
    • Provide audit reports that identify internal control issues and make cost-effective recommendations to strengthen control.
    • Facilitate the resolution of audit issues with administrators who have the most direct involvement and accountability.
    • Review institutional operations (financial and other) on an advisory basis to inform and assist management in the successful execution of their duties.
    • Assist with audits or perform certain agreed upon procedures for external parties. External parties include but are not limited to audit offices of federal and state governments and related agencies.
    • Review management’s risk assessment process and advise management on the reasonableness and propriety of the assessment.
    • Promote and evaluate fraud prevention and identification programs and investigate allegations involving fraud, waste, and abuse.
    • Demonstrate and promote appropriate ethics and values within the organization.
    • Communicate activities and information among the board, internal auditors, external auditors and the administration.
    • Perform consulting services and special requests as directed by the Audit Committee, the Chancellor or the DSCC President.
  4. Internal Audit Staff
    a. Internal audit staff must possess the professional credentials, knowledge, skills, and other competencies needed to perform their individual responsibilities.
    b. The internal audit function collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.
    c. The campus Internal Audit Director and the System-wide Chief Audit Executive must be licensed as a Certified Public Accountant or a Certified Internal Auditor, maintain an active license and annually complete sufficient, relevant continuing professional education to satisfy the requirements for the professional certification held.
    d. Internal Audit Directors should communicate concerns to management and the System-wide Chief Audit Executive regarding the lack of sufficient resources to complete the objectives of an audit engagement or the audit plan. Such resources may include the need for additional personnel or personnel with specialized knowledge, such as those with knowledge of fraud, information technology or other technical areas.
    e. The appointment of campus Internal Audit Directors as recommended by the President is subject to approval by the Chancellor or designee (T.C.A. § 49-14-106).
    f. The termination or change of status of campus Internal Audit Directors requires the prior approval of the Chancellor and the Audit Committee of the Tennessee Board of Regents.
  5. Risk
    a. Risk is the possibility of an event occurring that will have an impact on the achievement of an institution’s goals and objectives.
      i. Risk is measured in terms of the impact an event may have and the likelihood that the event will occur.
      ii. To optimize the achievement of the institution’s goals and objectives, the Board and management act to minimize the related risks by implementing reasonable procedures to control and monitor the risks.

    Management is responsible for identifying, evaluating, and responding to potential risks that may impact the achievement of the institution’s objectives. Auditors continually evaluate the risk management, internal control, and governance processes. To facilitate these responsibilities, Internal Audit will receive notices or copies of external audit reviews, program reviews, fiscally related consulting reports, cash shortages, physical property losses, and employee misconduct.
  6. Audit Plans
    a. Internal Audit shall develop an annual audit plan using an approved risk assessment methodology.
    b. At the beginning of each fiscal year, after consultation with the President and other DSCC management, Internal Audit will prepare an annual audit plan. The audit plan must be flexible to respond to immediate issues and will be revised for such changes during the year.
    c. Audit plans and revisions will be reviewed by the System-wide Chief Audit Executive and approved by the Audit Committee.
    d. At the end of each fiscal year, Internal Audit will prepare an annual activity report of all significant audit services performed.
    e. Annual activity reports and approved audit plans will be provided to the Comptroller’s Office, Division of State Audit.
  7. Audit Engagements
    a. Audit engagements will be planned to provide relevant results to management and the Audit Committee regarding the effectiveness and efficiency of processes and controls over operations. To ensure management’s expectations are met, auditors will communicate with management regarding the objectives and scope of the engagement.
    b. In planning and during the engagement, auditors should consider and be alert to risks that affect the institution’s goals and objectives, operations and resources. Auditors should consider risks based on the operations under review, which include but are not limited to the risk of financial misstatements, noncompliance and fraud.
    c. An audit work program will be designed to achieve the objectives of the engagement and will include the steps necessary to identify, analyze, evaluate and document the information gathered and the conclusions reached during the engagement.
    d. Working papers that are created, obtained or compiled by internal audit staff are confidential and are not an open record (T.C.A. § 4-4-304(9)).
  8. Communicating Audit Results
    a. A written report that documents the objectives, scope, conclusions, and recommendations of the audit will be prepared for audit engagements providing assurance to the Board and management. Management will include corrective action for each reported finding.
    b. Internal Audit will perform audits to follow up on findings or recommendations included in internal audit reports, investigation reports and State Audit reports. A written report will be prepared and, for any findings that have not been corrected, management will be asked to include a revised corrective action plan. The Chancellor or institution’s President, along with the Audit Committee, will be notified at the conclusion of a follow-up audit if management has not corrected the reported finding or implemented the recommendation.
    c. A written report that documents the objectives, scope, conclusions and recommendations will be prepared for investigations resulting from allegations or identification of fraud, waste or abuse. As appropriate in the circumstances, management will include corrective action for each reported finding. In a case where allegations are not substantiated by the review and there are no other operational concerns to report to management regarding the review, the case may be closed by writing a memo to the working paper file documenting the reasons for closing the case.
    d. Reports on special studies, consulting services, and other non-routine items should be prepared as appropriate, given the nature of the assignment.
    e. All internal audit reports will be signed by the institution’s Internal Audit Director and transmitted directly to the Chancellor, President, or TCAT Director in a timely manner.
    f. The Internal Audit Director will transmit an electronic copy of the internal audit report to the System-wide Chief Audit Executive.
    g. The System-wide Chief Audit Executive will present significant results of internal audit reports to the Audit Committee quarterly.
    h. The System-wide Chief Audit Executive will provide a copy of each report to the Comptroller’s Office, Division of State Audit.

Compliance:

The DSCC Director of Internal Audit and related staff must adhere to this policy.

Definitions:

Definitions are detailed in the body of the policy. In addition, the following definitions are provided:
Internal Audit is an independent objective assurance and consulting activity designed to add value and improve Dyersburg State Community College management systems. Internal Audit helps DSCC accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Internal Audit assists DSCC’s management in the effective discharge of their duties and responsibilities by evaluating activities, recommending improvements and providing other information designed to promote effective controls.
Assurance services involve the internal auditor’s objective assessment of evidence to provide an independent opinion or conclusions regarding an entity, operation, function, process, system, or other subject matter. The nature and scope of the assurance engagement are determined by the internal auditor. There are generally three parties involved in assurance services: (1) the person or group directly involved with the entity, operation, function, process, system, or other subject matter — the process owner, (2) the person or group making the assessment — the internal auditor, and (3) the person or group using the assessment — the user.
Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice — the internal auditor, and (2) the person or group seeking and receiving the advice — the engagement client. When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility.

Revision History:

Policy written 11/16/16 by the Director of Internal Audit.
Policy approved by Administrative Council on November 30, 2016.
