About Internal Audit
To provide quality service, valuable advice and practical guidance in support of the university’s mission, vision and core values.
Confidentiality & Independence
Internal Audit's charter provides free and unrestricted access to Western Kentucky University records and personnel. With this access comes a great responsibility to maintain confidentiality of information and records accessed during our audit projects. Internal Audit employees pledge to appropriately maintain the confidentiality of all information obtained, comply with the Code of Ethics of the Institute of Internal Auditors and notify appropriate parties of any known conflict of interest that may inhibit independence in an engagement.
Office of Internal Audit Charter
The WKU Finance & Budget Committee, of behalf of the WKU Board of Regents, hereby establishes the WKU Office of Internal Audit. This charter establishes the purpose, authority and responsibility conferred by the Finance & Budget Committee within which the WKU Office of Internal Audit will operate to make a positive contribution to the University by examining, evaluating and recommending improvements regarding the effectiveness and adequacy of business and administrative activities of the University.
The internal audit charter is required by the International Standards for the Professional Practice of Internal Auditing. The charter is a formal document that defines the Office of Internal Audit’s purpose, authority and responsibility; establishes the internal audit position within the University; authorizes access to records, personnel and physical properties relevant to the performance of audit work; and defines the scope of internal audit activities.
Internal auditing, as defined by the Institute of Internal Auditors (IIA) is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of the University. It assists the University in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the University's governance, risk management, and internal controls.
The internal audit function assists University Administration in assessing risks and evaluating both the design and operating effectiveness of controls that address those risks. Internal Audit provides Administration with analyses, recommendations, counsel and information concerning the specific University activities under review. The objective is to promote effective controls and improved processes at reasonable costs.
The internal audit activity will govern itself by adherence to The Institute of Internal Auditors' mandatory guidance including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity’s performance.
The Institute of Internal Auditors' Practice Advisories, Practice Guides, and Position Papers will also be adhered to as applicable to guide operations. In addition, the internal audit activity will adhere to University relevant policies and procedures and the internal audit activity's standard operating procedures manual.
The internal audit activity, with strict accountability for confidentiality and safeguarding records and information, is authorized full, free, and unrestricted access to any and all of University records, physical properties, and personnel pertinent to carrying out any engagement. All employees are requested to assist the internal audit activity in fulfilling its roles and responsibilities. The internal audit activity will also have free and unrestricted access to the Finance and Budget Committee.
The Chief Audit Executive will report functionally to the Finance and Budget Committee and administratively (i.e., day-to-day operations) to the President.
The Finance and Budget Committee will:
- Approve the internal audit charter.
- Approve the risk based internal audit plan.
- Approve the internal audit budget and resource plan.
- Receive communications from the Chief Audit Executive on the internal audit activity’s performance relative to its plan and other matters.
- Approve decisions regarding the appointment and removal of the Chief Audit Executive.
- Approve the remuneration of the Chief Audit Executive.
- Make appropriate inquiries of Administration and the Chief Audit Executive to determine whether there is inappropriate scope or resource limitations.
- The Chief Audit Executive will communicate and interact directly with the Finance and Budget Committee, including in executive sessions and between Committee meetings, as appropriate.
The internal audit activity will remain free from interference by any element in the University, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude.
Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair internal auditor’s judgment.
Internal auditors will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors will make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
The Chief Audit Executive will confirm to the Finance and Budget Committee, at least annually, the organizational independence of the internal audit activity.
The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the University's governance, risk management, and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve the University’s stated goals and objectives. This includes:
- Evaluating risk exposure relating to achievement of the University’s strategic objectives.
- Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
- Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the University.
- Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
- Evaluating the effectiveness and efficiency with which resources are employed.
- Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
- Monitoring and evaluating governance processes.
- Monitoring and evaluating the effectiveness of the University's risk management processes.
- Evaluating the quality of performance of external auditors and the degree of coordination with internal audit.
- Performing consulting and advisory services related to governance, risk management and control as appropriate for the University.
- Reporting periodically on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan.
- Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the Finance and Budget Committee.
- Evaluating specific operations at the request of the Finance and Budget Committee or Administration, as appropriate.
INTERNAL AUDIT PLAN
At least annually, the Chief Audit Executive will submit to the President’s Cabinet and the Finance and Budget Committee an internal audit plan for review and approval. The internal audit plan will consist of a work schedule as well as budget and resource requirements for the next fiscal year. The Chief Audit Executive will communicate the impact of resource limitations and significant interim changes to the President’s Cabinet and the Finance and Budget Committee.
The internal audit plan will be developed based on a prioritization of the audit universe using a risk-based methodology, including input of the President’s Cabinet and the Finance and Budget Committee. The Chief Audit Executive will review and adjust the plan, as necessary, in response to changes in the University’s business, risks, operations, programs, systems, and controls. Any significant deviation from the approved internal audit plan will be communicated to the President’s Cabinet and the Finance and Budget Committee through periodic activity reports.
A written audit report will be prepared and issued by the Chief Audit Executive or designee following the conclusion of each internal audit engagement and will be distributed as appropriate. Internal audit results will also be communicated to the Finance and Budget Committee.
The internal audit report may include Administration’s response and corrective action taken or to be taken in regard to the specific findings and recommendations. Administration's response, whether included within the original audit report or provided thereafter (i.e., within thirty days) by Administration of the audited area should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented.
Internal Audit will be responsible for conducting appropriate follow-up reviews on audit findings and recommendations. All significant findings will remain in an open issues file until cleared. The Chief Audit Executive will periodically report to the Finance and Budget Committee with a secondary, ancillary reporting to the President, on the follow-up reviews.
NATURE OF SERVICES
Assurance services involve the internal auditor’s objective assessment of evidence to provide an independent conclusion regarding an entity, operation, function, process, system or other subject matter. The nature and scope of the assurance engagement are determined by the internal auditor. There are three parties involved in assurance services: (1) the person or group directly involved with the entity, operation, function, process, system or other subject matter, (2) the internal auditor, and (3) the person or group using the assessment – the user.
Consulting services are advisory in nature, and are generally performed at the specific request of management. The nature and scope of the consulting engagement are subject to agreement with management. Consulting services generally involve two parties: (1) the internal auditor and (2) the person or group seeking and receiving the advice – management. When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility.
QUALITY ASSURANCE AND IMPROVEMENT PROGRAM
The internal audit activity will maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program will include an evaluation of the internal audit activity’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement.
The Chief Audit Executive will communicate to the Finance and Budget Committee with secondary, ancillary reporting to the President, on the internal audit activity’s quality assurance and improvement program, including results of ongoing internal assessments and external assessments conducted at least every five years.
Download a pdf of the Internal Audit Charter
Wetherby Administration Building - G21
Bowling Green, KY 42101