7.2 Subject: INTERNAL AUDITING
Adopted: September 12, 1996
Amended: August 10, 2004
Amended: July 1, 2007
Amended: May 28, 2008
Applicability
This policy applies to the controls, risk management and organizational governance of the University, and to public access to University records.
Policy
The Board of Regents shall establish an Internal Audit Department to perform a comprehensive internal audit function for the University. The internal audit function is an assurance and consulting activity designed to add value and improve the University's operations. Internal Audit will conduct independent, objective assurance services (audits) and consultations to determine whether the University's systems of controls, risk management, and organizational governance, as designed and represented by management, are adequate and functioning properly. To ensure independence of the internal audit function, the Internal Audit Department shall report functionally to the Board of Regents and administratively to the President of the University. Internal Audit shall be free from interference in determining the scope of internal auditing, performing work, and/or communicating results.
Authority
The Internal Audit Department is authorized to:
1. Have unrestricted access to all functions, records, property, and personnel.
2. Obtain the necessary assistance of personnel in organizations where they perform audits.
3. Communicate with University management, faculty, staff, external auditors, governmental entities, and law enforcement agencies as needed.
4. Cooperate with any legitimate inquiry or investigation from an outside audit, law enforcement or investigative agency, if advised to do so by University Counsel.
The Internal Audit Department is not authorized to:
1. Perform any operational duties for the University or its affiliates.
2. Initiate or approve accounting transactions external to Internal Audit.
3. Direct the activities of any University employee not employed by Internal Audit.
4. Render legal opinions.
5. Have direct responsibility for or authority over any of the activities that it examines.
Responsibility and Accountability
The Director of Internal Audit shall:
1. Submit an annual budget and audit plan to the Board of Regents Audit Committee (Audit Committee) for review and approval.
2. Provide quarterly reports to the Audit Committee on the status and results of the audit plan, significant audit findings and recommendations, and sufficiency of
department resources.
3. Provide timely information to the President of the University and the Audit Committee concerning suspected fraudulent activities.
4. Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of the
policy.
Scope of Work
The scope of work of Internal Audit is to determine whether the University's systems of control, risk management, and organizational governance, as designed and represented by management, are adequate and functioning properly to ensure:
1. Risks are identified and managed.
2. Significant financial, managerial, and operating information is accurate, reliable, and timely.
3. Employees' actions are in compliance with policies, standards, procedures, and applicable laws and regulations.
4. Resources are acquired economically, used efficiently, and adequately protected.
5. Programs, plans, and objectives are achieved.
6. Quality and continuous improvements are fostered in the University's control process.
7. Significant legislative or regulatory issues impacting the organization are recognized and addressed appropriately.
8. Procedures used by the governing body provide oversight of risk and control processes administered by management.
Reports
Internal Audit will prepare written reports of the result of audit work performed. Management is required to respond to the report within ten days of receiving it. The response will include three elements: a statement as to whether management agrees with the audit finding, corrective action to be taken to meet the objectives of the audit finding, and the dates by which the actions will be implemented. If no action will be taken, the response will indicate the reasons. Internal Audit will forward its report and the management's response to the President who shall review them and either accept the response or request further development of the response. After the President has accepted the response, Internal Audit will forward the report and response to the Audit Committee for approval. Upon approval of an audit report by the Audit Committee, the full text of the report, as well as any drafts of the audit report and related audit materials will be made public in accordance with Regents' Policy 2.17, except for information that is specifically exempted from public inspection by the New Mexico Inspection of Public Records Act (IPRA). Any such information that is specifically exempted by IPRA will be redacted (blacked-out) when the reports are made public. Information redacted from reports will be made public if and when these considerations are no longer relevant. Public reports will be posted on Internal Audit's public Internet web site. The full text of reports may be released to non-public sources, such as external auditors, governmental entities, funding entities, and law enforcement agencies as needed. Internal Audit will perform follow-up reviews to ensure corrective actions indicated in the responses have been completed.
Investigation of Fraudulent Activity
The Internal Audit Department will coordinate investigation of suspected fraudulent activities within the University. If the investigation reveals possible fraudulent activity has occurred, Internal Audit will ask University Counsel to render an opinion as to whether the audit findings indicate that illegal activity may have occurred. If, in University Counsel's opinion, illegal activities may have occurred, Internal Audit will notify the President of the University, the cognizant vice president, UNM Risk Management, and the appropriate law enforcement agency. If the illegal activity involves an area of high public interest or an amount greater than $20,000, Internal Audit will notify the Audit Committee within forty-eight hours.
Internal Audit will notify the State Auditor's Office of illegal activity in accordance with NMAC 2.2.2.10 L. Internal Audit will assist the Office of the Vice President for Research Services or the Health Sciences Center Controller's Office in notifying funding agencies when contract and grant funds are involved in the loss.
Standards and Ethics
In the conduct of its audits, Internal Audit shall abide by applicable pronouncements made by professional bodies including the Institute of Internal Auditors (IIA) and the American Institute of Certified Public Accountants (AICPA). The generally accepted auditing standards published by these groups shall serve as guides in the performance of internal audits. In addition to maintaining the highest standards of practice in the performance of its duties, Internal Audit shall adhere strictly to the Code of Ethics as established by the IIA and adopted by the Association of College and University Auditors. Due regard should also be given to pronouncements concerning ethical behavior by the AICPA.
References
Audit Act, §12-6-3, NMSA 1978; NMAC 2.2.2.10 L; "Public Access to University Records" RPM 2.17; "Audit Committee" RPM 7.3 ; "Whistleblower Protection and Reporting Suspected Misconduct and Retaliation " UBPPM Policy 2200; "Dishonest or Fraudulent Activities" UBPPM Policy 7205; University Business Policies and Procedures Manual and publications from The Institute of Internal Auditors.
Comments should be sent to BRPM@UNM.edu
Go to:
Table of Contents
Table of Contents - Section 7
Regents' Policy Manual Homepage
![[UNM Home ]](http://www.unm.edu/graphics/unmhomebutton.gif){kind=small}
The University of New Mexico
Albuquerque, New Mexico