The authority and responsibilities of the Oregon State University Office of Audit, Risk, and Compliance (OARC) are defined in this charter, which is approved by the president and the Executive, Audit and Governance Committee (EAGC) of the OSU Board of Trustees.

The OARC will perform independent internal audits, plan and oversee the university enterprise risk management process, and oversee the institutional compliance program. The OARC’s mission is to enhance and protect organizational value by providing risk-based and objective assurance and advice as follows:

Audit: Provides independent, objective assurance and advisory activity designed to add value and improve university operations. Audit helps the university accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Risk Management: Facilitates the enterprise risk management (ERM) program by creating and maintaining the framework to effectively identify, assess, and manage enterprise risk. The role will not include supervision of the enterprise risk services department that administers the university insurance programs

Compliance: Coordinates the institutional compliance program and the distributed processes that support compliance across the university. Compliance serves in a consultative role, meaning the position does not have specific programmatic or operational duties, but does have authority to escalate matters as needed.

The OARC shall uphold the principles of integrity, objectivity, confidentiality, and competency as defined in the Institute of Internal Auditors’ Code of Ethics and shall adhere to the International Standards for the Professional Practice of Internal Auditing (Standards). The OARC is to utilize the Committee of Sponsoring Organizations (COSO) as the model for evaluating the adequacy of internal controls within Oregon State University.


The chief audit, risk, and compliance executive reports administratively to the president and functionally to the EAGC.

Authorization is granted for full and complete access to any of the organization’s records (either manual or electronic), physical properties, and personnel relevant to an audit engagement. Documents and information given to internal auditors during a periodic review will be handled in a confidential and prudent manner, as required by the Institute of Internal Auditors’ Code of Ethics.

University management is responsible for the risk management and internal control structure over the areas audited. Internal auditors have no direct responsibility or any authority over any of the activities or operations that they review. They do not develop and implement procedures, prepare records, or engage in activities which would normally be audited by OARC.


The OARC is responsible for developing and implementing an annual plan that outlines the engagements to be performed using an appropriate risk-based methodology. The annual plan is to include the consideration of any risks or control concerns identified by management and is reviewed and approved by the president and the EAGC. The OARC performs five types of engagements:

  • Assurance Services: Assurance services are objective examinations of evidence for the purpose of providing an independent assessment. This includes assessing and reporting on the adequacy and effectiveness of the internal controls and the quality of performance in carrying out assigned responsibilities. The scope includes reviewing and evaluating:
    • internal controls established to ensure compliance with applicable policies, plans, procedures, laws, regulations, and contracts;
    • the means with which assets are safeguarded;
    • the reliability and integrity of financial and operating information;
    • the economy, efficiency and effectiveness with which resources are employed; and,
    • IT systems to determine whether they are appropriately managed, controlled, and protected.
  • Consulting Services: Advisory and related client service activities, the nature and scope of which are agreed upon with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Activities include counsel, advice, facilitation, and training related to enterprise risk and compliance matters.
  • Investigative Engagements: Investigations evaluate allegations of non-compliant, unethical business practices and/or financial and operational misconduct to determine whether allegations are substantiated and to prevent future occurrences. The OAS maintains the OSU Accountability & Integrity Hotline and coordinates investigations with university management and the Oregon Secretary of State Audits Division.
  • Follow-up Engagements: Follow-up engagements evaluate plans and actions taken to correct reported conditions.
  • External Audit: The OARC coordinates with the external auditors to ensure efficient and economical utilization of audit resources and is responsible for overseeing all external audits. The OARC meets with the external auditors to discuss audit plans, risks, and coordination. The OARC attends external audit entrance and exit conferences and may perform follow-up activity on external audit recommendations.

A written report will be prepared and issued by the chief audit, risk, and compliance executive following the conclusion of each engagement and will be distributed appropriately. University management shall respond in a timely manner. This response will indicate what actions were taken or are planned and an anticipated completion date in regard to the specific recommendations. Copies of final reports will be distributed to the president as well as appropriate university personnel.

The chief audit, risk, and compliance executive will provide progress reports to the EAGC at each regular meeting, summarizing the results of engagement activities and reports. In addition, the chief audit, risk, and compliance executive will keep the president, campus executives, and the EAGC apprised of high-risk engagement issues.

Last updated: October 31, 2018