Vision, Mission and Charter

Vision

The Office of Audit, Risk, and Compliance is a valued resource for financial, operational and control activities.

Mission

The Office of Audit, Risk, and Compliance is a business partner of, and independent adviser to, Ohio University's Administration and Board of Trustees. Internal Auditors provide professional reviews, reliable appraisals, and value-added recommendations for the effective and efficient achievement of financial and operating objectives across Ohio University.

Ohio University Audit Charter

I. Purpose

Internal audit, as defined by the Institute of Internal Auditors (IIA), is an independent, objective, assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve effectiveness of risk management, control, and governance processes.

The Ohio University Board of Trustees (Board) recognizes the benefit of an Internal Audit Office (Office) and has adopted the “Ohio University Internal Audit Charter.” The Charter addresses the Internal Audit Office’s mission, scope, authority, responsibility, and independence.

II. Charter

1. Mission and Scope of Work

The mission of the Office is to be a business partner of, and independent advisory to, Ohio University’s Administration and Board of Trustees. The Office enhances and protects organizational value by providing risk-based professional reviews, reliable appraisals, and value-added recommendations for the effective and efficient achievement of financial and operating objectives across the University.

The scope of work of the Office encompasses the examination and evaluation of the adequacy and effectiveness of the organization’s system of risk management and internal control and the quality of performance in carrying out assigned responsibilities. It includes, but is not limited to:

  • Reviewing the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information;
  • Reviewing the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations that could have a significant impact on operations and reports and whether the organization is in compliance;
  • Reviewing the means of safeguarding assets and, as appropriate, verifying the existence of such assets;
  • Reviewing and appraising the economy and efficiency with which resources are employed;
  • Reviewing operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned;
  • Recommending operating improvements;
  • Assisting in the deterrence of fraud by examining and evaluating the adequacy and effectiveness of control, commensurate with the extent of the potential exposure or risk in the various segments of the University’s operations;
  • Performing special reviews requested by University management or the Board of Trustees; and
  • Providing professional advice and internal control information across the University.

2. Authority

The Chief Audit Executive (CAE) is authorized to oversee a broad and comprehensive, risk-based program of internal auditing within Ohio University. The Board grants the Office authorization for full and complete access to any of Ohio University’s records, in any form, and its activities, physical properties, and personnel relevant to a review. The CAE is required to report any restriction placed upon such access, other than for established regulatory requirements, to the Audit Committee.

The Office of Audit, Risk, and Compliance will handle documents and information given to them during a periodic review in the same prudent manner as by those employees normally accountable for them. Further, Internal Auditors understand that certain University items are confidential in nature, and they will make special arrangements when examining and reporting upon such items.

The Office has no direct responsibility or any authority over any of the activities or operations it reviews. Internal Audit is a managerial control that functions by measuring and evaluating the effectiveness of other controls. Management is not relieved of any assigned responsibilities because Internal Auditors perform the evaluative reviews with which they have been charged.

3. Responsibility

The CAE and staff of the Office are responsible for, but not limited to:

  • Developing a flexible Annual Audit Plan using an appropriate risk-based methodology, including any risks or control concerns identified by management. The Plan shall be submitted to the President and submitted to, and approved by the Audit and Risk Management Committee, as well as periodic updates as to the status of and/or changes to the Plan.
  • Implementing the Annual Audit Plan, as approved, including any special tasks or projects requested by management or the Audit and Risk Management Committee. Time will be made available in the Plan for such unexpected requests.
  • Following up on engagement findings and corrective actions and reporting periodically to the President and Audit and Risk Management Committee any corrective actions not effectively implemented.
  • Maintaining a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this Charter.
  • Coordinating the Office audit efforts with those of the Ohio Auditor of State and other external1 auditors that have business with the University. This coordination of audit efforts should be in the planning and definition of the scope of proposed audits so the work of auditing groups is complementary and will provide a comprehensive, cost-effective audit effort. University administrators must ensure external auditors have met with the CAE before permitting any such external audit to commence.
  • Assisting the Board in the evaluation of the external auditors’ examination of the University.
  • Facilitating Enterprise Risk Management (ERM) efforts as requested and ensuring that results of the ERM program are reported to the President and the Audit and Risk Management Committee.
  • Managing the University’s Ethics Hotline and conducting investigations of allegations of financial or operational misconduct.
  • Reviewing any suspicions of a significant error or irregularity in an area under review or in any other area of the University. The CAE will consider the scope and implications of such an error or irregularity and discuss its disposition with the President. If the CAE believes that individual is involved, the CAE will disclose the potential significant errors or irregularities directly to the Board.
  • Disclosing any impairment of audit independence or objectivity, in fact or appearance, to appropriate parties.

4. Independence

To provide for the independence of the Office, the Ohio University Board of Trustees delegates directly to the Office the authorities necessary to perform the duties set forth in this Charter.

The Office shall report directly to the President for the purpose of the day-to-day direction needed by the office in the mediation of audit scope and scheduling, plus budgetary and personnel concerns.

The Office shall report directly to the Chair of the Board’s Audit and Risk Management Committee for the purpose of the direction needed by the Office in the implementation and championing of its operational plans, plus authority and ethics concerns. The CAE shall have direct access to the Board’s Trustees in any instance where the CAE believes that such access is needed to fulfill the stated objectives of the department.

Independence is an essential element of objectivity. The independence of the Office may be compromised if Internal Auditors participated directly in the development, installation, preparation or reconstruction of accounting systems, data, or records, or by engaging in activities that would normally be reviewed by Internal Auditors. Thus, Internal Auditors will serve only in an advisory capacity in performing their engagements.

It is imperative that Internal Auditors maintain independence in appearance as well as in fact. Internal Auditors will formally disclose business and personal interests in companies doing business with the University, annually, in accordance with the State of Ohio Ethics Bill.

5. Reporting

At the conclusion of each audit, the Office will hold an exit conference with the individual in charge of the department or activity under review, during which all findings, conclusions and recommendations will be discussed and any differences of opinion will be settled or so noted.

The CAE will prepare and issue a draft audit report before the exit conference is held. The department or activity audited will be provided an opportunity to respond in writing to the findings, conclusions and recommendations of the Internal Auditors; and such response will be made part of the Office of Audit, Risk, and Compliance's final audit report. The Internal Auditors will discuss the report with the Senior Administrator of the area under review prior to its issuance.

The CAE will distribute all final audit reports to relevant administrators of the area audited, the President, the Audit and Risk Management Committee, senior administrators, deans, the external auditors, and others as deemed appropriate. Reports will also be made available to the full Board. The Office will conduct follow-up activities on audit recommendations, in the manner deemed necessary or as directed by the President or Board. It is important to note, however, that the Office of Audit, Risk, and Compliance serves in an advisory capacity only, and, while the Office will report the status of issues, it has no authority over University administrators in the discharge of their duties and responsibilities over those issues.

The Office will provide consulting services to University administrators utilizing a process similar to that used in audit engagements, which may include a formal report. The CAE may conduct a formal audit following a consulting engagement, as deemed necessary.

6. Accountability

Consistent with Ohio Law and the Open Meetings Act, the CAE shall, at a minimum, meet in executive session with the Board, and outside the presence of University officials, at least annually, and shall meet with the President on a regularly scheduled basis to:

  • Periodically provide information on the status and results of the Annual Audit Plan and the sufficiency of department resources
  • Report significant issues relating to the processes for controlling University activities including potential improvements to those processes
  • Coordinate efforts with other control and monitoring functions (e.g., Legal Affairs, external auditors, etc.)
  • Discuss limitations placed by University administrators on the scope of Office engagements.

7. Detection, Investigation, and Reporting of Fraud

The Office shall be notified in all cases where the discovery of circumstances suggests a reasonable possibility that assets have, or are thought to have, been lost through defalcation or other security breaches in the financial and operating systems. Each University employee is responsible for notifying the CAE of such circumstances. Further, University management is responsible for communicating such notification requirement to related and unrelated parties with whom the University does business, and for encouraging those parties to communicate those circumstances of which they have knowledge to the CAE.

The CAE will ensure that the proper authorities within the department are notified of the potential loss and that departmental authorities promptly notify other state departments as required by the Ohio Revised Code (ORC).

The Office will perform sufficient tests to identify the weaknesses in financial and operating procedures, both automated and manual, which permitted the loss and evaluate the impact the weaknesses have with respect to other activities of the institution. In addition, the Office will recommend improvements to correct the weaknesses and incorporate appropriate tests in future audits to disclose the existence of similar weaknesses in other areas of the institution.

8. Periodic Assessment

The CAE will communicate to the Board and senior administrators the results of the Office’s Quality Assurance and Improvement Program, including external assessments to be conducted at least every five years and ongoing internal assessments.

9. Administration

The CAE is responsible for the administration of this charter and for functionally directing internal audit activities throughout the University.

10. Standards of Audit Practice

The Office of Audit, Risk, and Compliance governance is based on adherence to University policies and procedures and the IIA’s mandatory guidance including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing. This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the Office of Audit, Risk, and Compliance activity’s performance.

1 The term “external” shall refer to representatives of or the activities of the Auditor of State for the State of Ohio, individual certified public accountants (the “CPA”) and auditors from organizations, governmental or commercial, outside the University.

Resolution 1999-1681 adopting the Internal Audit charter was approved by the Ohio University Board of Trustees on December 3, 1999.

This Charter was revised by the Ohio University Board of Trustees in February of 2005.

This Charter was revised by the Ohio University Board of Trustees in February of 2011 via Resolution 2011-3028.

Revised Charter was reviewed and approved April 8, 2022 (Resolution 2022-3989)