Purpose

The authority and responsibilities of the Oregon State University Office of Audit Services (OAS) are defined in this charter, which is approved by the president and the Executive & Audit Committee of the OSU Board of Trustees.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of the risk management, control, and governance processes.

The OAS shall uphold the principles of integrity, objectivity, confidentiality, and competency as defined in the Institute of Internal Auditors’ Code of Ethics and shall adhere to the International Standards for the Professional Practice of Internal Auditing (Standards). The OAS is to utilize the Committee of Sponsoring Organizations (COSO) as the model for evaluating the adequacy of internal controls within Oregon State University.

Authority

The chief audit executive of the OAS reports administratively to the president and functionally to the Executive & Audit Committee of the OSU Board of Trustees.

Authorization is granted for full and complete access to any of the organization’s records (either manual or electronic), physical properties, and personnel relevant to an audit engagement. Documents and information given to internal auditors during a periodic review will be handled in a confidential and prudent manner, as required by the Institute of Internal Auditors’ Code of Ethics.

University management is responsible for the risk management and internal control structure over the areas audited. Internal auditors have no direct responsibility or any authority over any of the activities or operations that they review. They should not develop and install procedures, prepare records, or engage in activities which would normally be reviewed by the OAS.

Responsibility

The OAS is responsible for developing and implementing an annual internal audit plan that outlines the engagements to be performed using an appropriate risk-based methodology. The annual plan is to include the consideration of any risks or control concerns identified by management, and is reviewed and approved by the president and the Executive & Audit Committee.

The OAS performs five types of engagements:

  1. Assurance Services: Assurance services are objective examinations of evidence for the purpose of providing an independent assessment. This includes assessing and reporting on the adequacy and effectiveness of the internal controls and the quality of performance in carrying out assigned responsibilities. The scope includes reviewing and evaluating:
    • internal controls established to ensure compliance with applicable policies, plans, procedures, laws, regulations, and contracts
    • the means with which assets are safeguarded
    • the reliability and integrity of financial and operating information
    • the economy, efficiency, and effectiveness with which resources are employed
    • IT systems to determine if they are appropriately managed, controlled, and protected
  2. Consulting Services: Advisory and related client service activities, the nature and scope of which are agreed upon with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.
  3. Investigative Engagements: Investigations evaluate allegations of unethical business practices and/or financial and operational misconduct to determine whether allegations are substantiated and to prevent future occurrences. The OAS maintains the OSU Accountability & Integrity Hotline and coordinates investigations with university management and the Oregon Secretary of State Audits Division.
  4. Follow-up Engagements: Follow-up engagements evaluate plans and actions taken to correct reported conditions.
  5. External Audit: The OAS coordinates with the external auditors to ensure efficient and economical utilization of audit resources, and is responsible for overseeing all external audits. The OAS meets with the external auditors to discuss audit plans, risks, and coordination. The OAS attends external audit entrance and exit conferences and may perform follow-up activity on external audit recommendations.

A written report will be prepared and issued by the chief audit executive following the conclusion of each engagement and will be distributed appropriately. University management shall respond in a timely manner. This response will indicate what actions were taken or are planned, and an anticipated completion date in regard to the specific recommendations. Copies of final reports will be distributed to the president as well as appropriate university personnel.

The chief audit executive will provide quarterly progress reports to the Executive & Audit Committee at each regular meeting, summarizing the results of engagement activities and reports. In addition, the chief audit executive will keep the president, campus executives, and the Executive & Audit Committee apprised of high-risk engagement issues.

Approved by the Executive & Audit Committee, OSU Board of Trustees, January 19, 2017