The Idaho State Board of Education (Board) serves as the board of trustees for Boise State University, Idaho State University, Lewis-Clark State College and serves as the board of regents for the University of Idaho. The Audit Committee (“Committee”) is a standing committee of the Board under Section I.F.4. of the Board’s Bylaws, created for the purpose of providing oversight to organizations under the governance of the Board for “financial statement integrity, financial practices, internal control systems, financial management, and standards of conduct.” The Office of the State Board of Education (OSBE), is an executive agency of the Board, created pursuant to Idaho Code, Section 33-102A.
PURPOSE AND OBJECTIVE
The Board’s of Education’s Internal Audit and Advisory Services unit (IAAS) is located within OSBE. IAAS exists to provide independent, objective and value-added assurance and advisory services to the Committee, the Board and to Boise State University, Idaho State University, Lewis-Clark State College, and the University of Idaho (collectively referred to hereafter as “institutions”). IAAS assists the Board and the institutions to achieve operating objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management and internal control processes.
STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING
IAAS will govern itself by adherence to the mandatory elements of the Institute of Internal Auditors International Professional Practices Framework, including the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing and the Definition of Internal Auditing. The IAAS Chief Audit Executive (CAE) will report periodically to the Board’s Audit Committee regarding internal audit conformance to the Code of Ethics and the Standards.
The CAE reports functionally to the Committee of the Idaho State Board of Education and administratively to the OSBE Executive Director of the Idaho State Board of Education. To establish, maintain and assure that the internal audit function has sufficient authority to fulfill its duties, Board Policy V.H. provides that the Committee has the authority to:
- Ensure that IAAS works under an internal audit charter, reviewed annually by the Committee
- Ensure functional independence of IAAS
- Review and provide feedback to the CAE on a risk-based internal audit plan
- Review the internal audit function’s budget and resource plan and advise the Board about increases/decreases to IAAS resources
- Receive communications from the Chief Audit Executive (CAE) on the internal audit function’s performance relative to its plan and other matters
- Make appropriate inquiries of institution management and the CAE to determine if there are any inappropriate scope or resource limitations
- Consult with the executive director on hiring, evaluating and terminating the CAE (subject to Board policy and applicable law)
- Consult with the executive director on compensation for the CAE (subject to Board policy and applicable law)
The CAE has unrestricted access to communicate and interact with the Committee, including private meetings without institution management present.
The CAE and internal audit staff are authorized to:
- Have full, free, direct and unrestricted access to functions, systems, records, property and personnel relevant to carrying out any engagement or audit assignment, subject to accountability for confidentiality and safeguarding of records and information. Communications between the IAAS auditors and the Board attorney and the university attorneys are confidential and subject to the attorney client privilege and work product doctrine.
- Allocate resources, set frequencies, select subjects, determine scopes of work, and apply techniques required to accomplish audit objectives and issue reports.
- Obtain assistance from OSBE or institution or personnel in order to complete audit engagements and assignments.
- Assist institution general counsel in performing investigations and reports, as requested
- Obtain specialized assistance from within or outside OSBE or the institutions in order to complete audit engagements.
- Within the constraints of professional independence standards, provide advisory services related to the development and/or implementation of policies, procedures, processes, controls or systems.
INDEPENDENCE & OBJECTIVITY
The CAE will ensure that IAAS remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of audit selection, scope, procedures, frequency, timing and report content. If the CAE determines that independence or objectivity may be impaired in fact or appearance, the details of impairment will be appropriately disclosed as required by Standards.
Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do no subordinate their judgment on audit matters to others.
The CAE and internal audit staff are not authorized to:
- Perform any operational duties of OSBE, the institutions or institution affiliates
- Initiate, modify, or approve transactions, policies, procedures processes or systems external to IAAS.
- Eliminate, implement or modify internal controls
- Direct activities of OSBE or institution employee not employed by IAAS, except to the extent they have been appropriately assigned to work for or assist IAAS.
At least annually, the CAE will confirm to Audit Committee the organizational independence of Internal Audit and Advisory Services.
The CAE will disclose to the Committee, any interference and related implications in determining the scope internal auditing, performing work and/or communicating results.
The scope of internal audit activities encompasses, but is not limited to, objective examinations of audit evidence for the purpose providing independent assessments to the Committee, the institution presidents and institution management, and outside parties on the adequacy and effectiveness of governance, risk management, and control processes for the institutions. Internal audit assessments include evaluating whether:
- Risks relating to the achievement of the strategic initiatives for the Board and institutions are appropriately identified and managed
- The results of operations or programs are consistent with established goals and objectives.
- Operations or programs are being carried out efficiently and effectively.
- Established processes and systems enable compliance with policies, procedures, laws and regulations that impact the Board or institutions
- Information and means used to identify, measure, analyze, classify and report such information are reliable and have integrity.
- Resources and assets are acquired economically, used efficiently and adequately protected.
The CAE will report periodically to the Committee regarding:
- IAAS’s purpose, authority and responsibility
- IAAS’s audit plan and performance relative to its plan
- IAAS’s compliance with the IIA’s Code of Ethics and Standards, and action plans to address any significant conformance issues.
- Significant risk exposures and control issues, including fraud risks, governance issues, and other matters requiring the attention of the Committee.
- Results of audit engagements or other activities
- Resource requirements
- Any response by management that may be unacceptable to the State Board of Education.
The CAE also coordinates activities, where possible and considers relying upon the work of their internal and external assurance consulting service providers as needed. IAAS may perform advisory and related client service activities, the nature and scope of which will be agreed upon with the client, provided IAAS does not assume management responsibility.
Opportunities for improving the efficiency of governance, risk management and control processes may be identified during engagements. These opportunities will be communicated to the appropriate level of management.
The CAE has the responsibility to:
- Submit, at least annually, to the Committee a risk-based internal audit plan for review.
- Communicate to the Committee the impact of resource limitations on the internal audit plan.
- Review and adjust the internal audit plan, as necessary, in response to changes in Board , OSBE or individual institution business, risks, operations, programs, systems and controls.
- Communicate to the Committee any significant interim changes to the internal audit plan.
- Direct audit staff at Boise State institution, Idaho State institution, the institution of Idaho and Lewis-Clark State College.
- Administer audit resources at Boise State University, Idaho State University, the University of Idaho and Lewis-Clark State College.
- Ensure each engagement of the internal audit plan is executed, including the establishment of objectives and scope, the assignment of appropriate and adequately supervised resources, the documentation of work programs and testing results, and the communication of engagement results with applicable conclusions and recommendations to appropriate parties.
- Follow up on engagement findings and corrective actions, and report periodically to institution management and the Committee any corrective actions not effectively implemented.
- Ensure principles of integrity, objectivity, confidentiality and competency are applied and upheld
- Ensure that IAAS collectively possesses or obtains the knowledge, skills and other competencies needed to meet the requirements of the internal audit charter
- Establish and ensure adherence to policies and procedures designed to guide IAAS.
- The Board’s Governing Policies and Procedures take precedence over any conflicts with this charter.
- Ensure conformance with the Standards, with the following qualifications:
- If IAAS is prohibited by law or regulation from conformance with certain parts of the Standards, the CAE will ensure appropriate disclosures and will ensure conformance with other parts of the
- If the Standards are used in conjunction with requirement issued by other professional authoritative bodies, the CAE will ensure that IAAS conforms with the Standards, even if IAAS conforms with more restrictive requirements of other authoritative bodies.
QUALITY ASSURANCE AND IMPROVEMENT PROGRAM
IAAS will maintain a quality assurance and improvement program that covers all aspects of IAAS operations. The program will include an evaluation of IAAS’s conformance with the Standards and an evaluation of whether internal auditors apply the IIA’s Code of Ethics. The program will also assess the efficiency and effectiveness of IAAS and identify opportunities for improvement.
The CAE will communicate to the Committee IAAS’s quality assurance and improvement program, including results of internal assessments (both ongoing and periodic) and external assessments conducted at least once every five years by a qualified, independent assessor or assessment from outside Idaho higher education.