Internal auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of Oregon Tech. It assists Oregon Tech in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of Oregon Tech's governance, risk, and internal control. Internal Audit shall provide the Oregon Tech administrators (Management) and the Oregon Tech Board of Trustees (Board) with an independent and objective examination of the effectiveness, efficiency, and application of the accounting, financial, and other internal controls necessary to accomplish Oregon Tech's objectives.
The authority and responsibilities of Internal Audit are defined in this charter, which is approved by the Board's audit committee. Internal Audit examines and evaluates Oregon Tech's activities and their systems of controls to assist Management and the Board in determining whether acceptable policies and procedures are followed, whether legislative requirements and established standards are met; whether resources are used efficiently and economically, whether planned missions are accomplished effectively, and whether the objectives of higher education are being achieved. Management and the Board are responsible for prioritizing the use of Internal Audit resources, assessing the recommendations made by Internal Audit, and implementing any recommendations made.
Internal Audit will have no direct operational responsibility or authority over the activities audited. Accordingly, Internal Audit will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair independent and objective judgment.
Internal Audit will exhibit professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors will make an unbiased and balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
Internal Audit will confirm to the Board, at least annually, the organizational independence of the internal audit activity.
Internal Audit will govern itself by adherence to The Institute of Internal Auditors' mandatory guidance including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the Internal Audit's performance.
Members of Internal Audit are responsible for maintaining the standards of conduct, independence, and character necessary to provide proper and meaningful internal auditing for Oregon Tech.
Internal Audit reports administratively to Management and functionally to the Board. Internal Audit, with strict accountability for confidentiality and safeguarding records and information, is authorized full, free, and unrestricted access to any and all of Oregon Tech's records (either manual or electronic), physical properties, and personnel relevant to carrying out an audit engagement. All employees are requested to assist the internal audit activity in fulfilling its roles and responsibilities. Internal Audit will also have free and unrestricted access to the Board. Management is responsible for the risk management and internal control structure over the areas audited. Internal Audit shall have the authority to require a written response to audit observations and recommendations contained in audits.
The scope of internal auditing encompasses, but it is not limited to, the examination and evaluation of the adequacy and effectiveness of Oregon Tech's governance, risk management, and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve the organization's stated goals and objectives. Responsibilities include, but are not limited to:
- Evaluating risk exposure relating to achievement of the organization's strategic objectives.
- Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
- Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have significant impact on the organization.
- Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
- Evaluating the effectiveness and efficiency with which resources are employed.
- Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
- Monitoring and evaluating governance processes.
- Monitoring and evaluating the effectiveness of the organization's risk management process.
- Performing consulting and advisory services related to governance, risk management, and control as appropriate for the organization.
- Reporting periodically on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan.
- Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the Board.
- Evaluating specific operations at the request of the Board, as appropriate.
- Evaluating allegations of fraud, waste, abuse, unethical business practices, and/or financial and operational misconduct.
- Evaluating plans and actions taken to correct reported conditions.
It is the responsibility of Management to identify, understand, and manage risks effectively, including taking appropriate and timely action in response to audit findings. It is also Management's responsibility to maintain a sound system of internal control. The existence of an internal audit function does not in any way relieve Management of this responsibility.
At least annually, Internal Audit will submit to the Board an internal audit plan for review and approval. The internal audit plan will be developed based on a prioritization of the audit universe using a risk-based methodology, including input of Oregon Tech management and the Board. The Board, in conjunction with Internal Audit's recommendations, will determine the best allocation of available audit resources for the current year. Internal Audit will adjust the plan, as necessary, in response to changes in the organization's business, risks, operations, programs, systems and controls. Any significant deviation from the approved internal audit plan will be communicated to Oregon Tech management and the Board. Internal Audit will present quarterly to the Board the results of audits completed or in-process.
A written report will be prepared and issued by Internal Audit following the conclusion of each internal audit engagement. Internal audit results will also be communicated to the Board. The internal audit report will identify the audit scope and objective, the audit steps performed, audit findings (including condition, criteria, cause, and effect), overall opinion, audit observations, and recommendations for change or improvement.
The report may include management's response and corrective action taken or to be taken in regard to specific findings and recommendations. Management's response should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented. Internal Audit is responsible for appropriate follow-up on engagement findings and recommendations. All significant findings will be tracked until the issues are resolved.