Background
The Idaho State Board of Education (Board) serves as the board of trustees for Boise State University, Idaho State University, and Lewis-Clark State College, and as the board of regents for the University of Idaho. The Audit, Risk and Compliance Committee (“Committee”) is a standing committee of the Board under Section I.F.4. of the Board’s Bylaws, created for the purpose of providing oversight to organizations under the governance of the Board for “financial statement integrity, financial practices, internal control systems, financial management, and standards of conduct.” The Office of the State Board of Education (OSBE) is an executive agency of the Board, created pursuant to Idaho Code, Section 33-102A.
Purpose
The Board of Education’s Internal Audit and Advisory Services unit (IAAS) is part of the Office of the State Board of Education (OSBE). IAAS exists to provide independent, objective, and value-added assurance and advisory services to the Committee, the Board and to Boise State University, Idaho State University, Lewis-Clark State College, and the University of Idaho (collectively referred to hereafter as “institutions”). IAAS strengthens the institutions’ ability to create, protect and sustain value by providing the Board and institution management with independent, risk-based, and objective assurance, advice, insight, and foresight. IAAS enhances successful achievement of objectives; governance, risk management and control processes; decision-making and oversight; reputation and credibility with stakeholders; and ability to serve the public interest.
The internal audit function is most effective when:
- Internal auditing is performed by competent professionals in conformance with Global Internal Audit Standards established by the Institute of Internal Auditors.
- The internal audit function is independently positioned with direct accountability to the Board of Education.
- Internal auditors are free from undue influence and committed to making objective assessments.
Professional Standards
IAAS will adhere to the mandatory elements of the Institute of Internal Auditors’ International Professional Practices Framework, which are the Global Internal Audit Standards and Topical Requirements. The IAAS Chief Audit Executive (CAE) will periodically report to the Committee regarding conformance to these standards, which will be assessed through a quality assurance and improvement program.
Mandate
Authority
Board Policy V.H. provides authorities of the Committee and IAAS. The Committee authorizes IAAS to:
- Have full and unrestricted access to all functions, data, systems, records, information, physical property, and personnel pertinent to fulfilling internal audit responsibilities. Internal auditors are accountable for confidentiality and safeguarding records and information.
- Assist institution general counsels in performing investigations and reports. Communications between IAAS auditors and attorneys of the Board or institution are confidential and subject to attorney-client privilege and work product doctrine.
- Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques, and issue communications to accomplish IAAS objectives.
- Obtain assistance from the necessary personnel of the institutions and OSBE and other specialized services from within or outside of the institutions and OSBE to complete internal audit services.
Independence, Organizational Position and Reporting Relationships
As specified in Board Policy V.H., the CAE reports functionally to the Committee of the Idaho State Board of Education and administratively to the OSBE Executive Director of the Idaho State Board of Education. This positioning enables internal audit services and responsibilities to be performed without interference from management, thereby establishing the independence of the internal audit function. This positioning also provides the organizational status and authority to bring matters directly to senior management and escalate matters to the Committee, when necessary, without interference and supports the internal auditors’ responsibility to maintain objectivity.
The CAE will confirm to the Committee, at least annually, the organizational independence of IAAS. If the governance structure does not support the organizational independence of IAAS, the CAE will document characteristics of the governance structure limiting independence and any safeguards employed to achieve independence. The CAE will disclose to the Committee any interference IAAS encounters related to scope, performance or communication of internal audit work and results. The disclosure will include communicating the implications of such interference on IAAS’s effectiveness and ability to fulfill its mandate.
Changes to the Mandate and Charter
Circumstances may justify a follow-up discussion between the CAE, the Committee and senior management on the internal audit mandate or other aspects of the internal audit charter. Such circumstances may include but are not limited to:
- A meaningful change in the Global Internal Audit Standards.
- A significant reorganization within Idaho higher education.
- Significant changes in the CAE, the Committee, and/or senior management.
- Significant changes to organizational strategies, objectives, risk profile, or the environment in which the institutions operate.
- New laws or regulations that may affect the nature and/or scope of internal audit services.
Committee Oversight
To establish, maintain and ensure that IAAS has sufficient authority to fulfill its duties, the Committee will:
- Ensure the functional independence of IAAS.
- Discuss with the CAE and institution presidents the appropriate authority, role, responsibilities, scope, and services of IAAS.
- Ensure the CAE has unrestricted access to, communicates, and interacts directly with the Committee, including private meetings without senior management present (subject to applicable public meeting requirements).
- Discuss with the CAE and institution presidents other topics that should be included in the internal audit charter.
- Discuss with the CAE and institution presidents the “essential conditions,” described in the Global Internal Audit Standards, which establish the foundation that enables an effective internal audit function.
- Approve the IAAS charter, which includes the internal audit mandate and the scope and types of audit services.
- Ensure that IAAS works under an internal audit charter, reviewed annually by the Committee.
- Approve the risk-based internal audit plan.
- Review the internal audit function’s budget and resource plan and advise the Board about increases/decreases to IAAS resources.
- Receive communications from the Chief Audit Executive (CAE) on the internal audit function’s performance relative to its plan and other matters.
- Make appropriate inquiries of institution management and the CAE to determine if there are any inappropriate scope or resource limitations.
- Approve the hiring, termination and discipline of the CAE. Such decisions rest with the Board with advice from the Committee and the OSBE Executive Director.
- Consult with the executive director on compensation for the CAE (subject to Board policy and applicable law).
Chief Audit Executive Roles and Responsibilities
Ethics and Professionalism
The CAE will ensure that internal auditors:
- Conform with the Global Internal Audit Standards, including the principles of Ethics and Professionalism: integrity, objectivity, competency, due professional care, and confidentiality.
- Understand, respect, meet and contribute to the legitimate and ethical expectations of the State of Idaho and Idaho Higher Education and be able to recognize conduct that is contrary to those expectations.
- Encourage and promote an ethics-based culture.
- Report behavior that is inconsistent with ethical expectations, as described in applicable policies and procedures.
Independence and Objectivity
The CAE will ensure that IAAS remains free from all conditions that threaten the ability of internal auditors to fulfill their responsibilities in an unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and report content. If the CAE determines that independence or objectivity may be impaired in fact or appearance, the details of impairment will be disclosed to the Committee.
Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.
The CAE and internal audit staff are not authorized to:
- Perform any operational duties of OSBE, the institutions or institution affiliates.
- Initiate, modify, or approve transactions, policies, procedures, processes or systems external to IAAS.
- Eliminate, implement or modify internal controls.
- Direct activities of OSBE or institution employees not employed by IAAS, except to the extent they have been appropriately assigned to work for or assist IAAS.
Managing the Internal Audit Function
The CAE has the responsibility to:
- Develop a risk-based internal audit plan that considers the input of the Committee, the OSBE Executive Director and institutional senior management. Discuss the annual audit plan with the Committee and the institutional presidents and submit the plan for review and approval by the Committee.
- Communicate to the Committee, the OSBE Executive Director and the institutional presidents the impact of resource limitations on the internal audit plan and on internal audit coverage and service.
- Review and adjust the internal audit plan as necessary, in response to changes in business risk, operations, programs, systems, and controls.
- Communicate to the Committee and institutional presidents any significant interim changes to the internal audit plan.
- Ensure internal audit engagements are performed, documented, and communicated in accordance with Global Internal Audit Standards.
- Follow up on engagement findings and confirm implementation of recommendations or action plans and communicate results to the Committee.
- Ensure that IAAS collectively possesses or obtains the knowledge, skills and other competencies and qualifications needed to meet requirements of the Global Internal Audit Standards and fulfill the internal audit mandate.
- Identify and consider trends and emerging issues that could impact the institutions and communicate to the Committee and institution presidents as appropriate.
- Consider emerging trends and successful practices in internal auditing.
- Establish and ensure adherence to procedures and methodologies to guide IAAS operations.
- Ensure adherence to relevant policies and procedures of the Board of Education and the State of Idaho unless such policies and procedures conflict with the internal audit charter or the Global Internal Audit Standards. Any such conflicts will be resolved or documented and communicated to the Committee, the OSBE Executive Director and the institutional presidents.
- Coordinate activities and consider relying upon the work of other internal and external providers of assurance and advisory services. If the CAE cannot achieve an appropriate level of coordination, the issue will be communicated to the Committee.
Communication to the Committee and Senior Management
The CAE will periodically report to the Committee and senior management regarding the following:
- The IAAS mandate and changes needed to the internal audit charter.
- The internal audit plan and performance relative to the plan.
- Internal audit resources and resource requirements.
- Significant revisions to the internal audit plan and budget.
- Potential impairments to independence, including relevant disclosures as applicable.
- Results of the quality assurance and improvement program, which include IAAS’s conformance to the Global Internal Audit Standards and action plans to address deficiencies and opportunities for improvement.
- Significant risk exposures and control issues, including fraud risks, governance issues and other areas of focus for the Committee.
- Results of assurance and advisory services.
- Management responses to risk that the internal audit function determines may be unacceptable or acceptance of risk that is beyond risk appetites established by the Board.
Quality Assurance and Improvement Program
IAAS will maintain a quality assurance and improvement program that covers all aspects of IAAS operations. The program will include an evaluation of IAAS’s conformance with the Global Internal Audit Standards.
The CAE will communicate to the Committee IAAS’s quality assurance and improvement program, including results of internal assessments (both ongoing and periodic) and external assessments conducted at least once every five years by a qualified, independent assessor or assessment team from outside Idaho higher education.
Scope and Types of Internal Audit Services
The scope of internal audit services covers the entire breadth of institutional operations, including all activities, assets, and personnel. The scope of internal audit activities encompasses, but is not limited to, objective examinations of audit evidence for the purpose of providing independent assessments to the Committee, the institution presidents and institution management, and outside parties on the adequacy and effectiveness of governance, risk management, and control processes for the institutions. Internal audit assessments include evaluating whether:
- Risks relating to the achievement of the strategic initiatives for the Board and institutions are appropriately identified, managed, and controlled.
- The results of operations or programs are consistent with established goals and objectives.
- Operations or programs are being carried out efficiently and effectively.
- Established processes and systems enable compliance with policies, procedures, laws, and regulations that impact the Board or institutions.
- Information and means used to identify, measure, analyze, classify, and report such information are reliable and have integrity.
- Resources and assets are acquired economically, used efficiently and adequately protected.
IAAS may perform advisory and related client service activities, the nature and scope of which will be agreed upon with the client, provided IAAS does not assume management responsibility. Opportunities for improving the efficiency of governance, risk management and control processes may be identified during engagements. These opportunities will be communicated to the appropriate level of management.
With approval of the OSBE Executive Director, IAAS is authorized to perform audit and advisory work within OSBE and other agencies under the Board’s direction, provided the activities audited impact operations of Boise State University, Idaho State University, Lewis-Clark State College or the University of Idaho.
IAAS is responsible for assessing controls over the prevention and detection of fiscal misconduct (fraud, waste, and abuse), and is responsible for monitoring institutional responses to allegations of fiscal misconduct. IAAS will work with institutions to coordinate fiscal misconduct investigations. However, IAAS is authorized to conduct independent investigations if determined necessary by the CAE. IAAS is not authorized to implement or direct corrective actions in response to fiscal misconduct.
IAAS is not responsible for coordinating or overseeing external audits. These include financial statement audits, legislative audits, regulatory audits, etc. However, the CAE is authorized to utilize the services of external auditors to supplement internal audit coverage.
Within the constraints of professional independence standards, provide advisory services related to the development and/or implementation of policies, procedures, processes, controls, or systems.