University Audit serves as the university's internal auditor, providing internal audits and reviews, management consulting and advisory services, investigations of fraud and abuse, follow-up of audit recommendations, evaluation of the processes of risk management and governance, and coordination with external auditors. University Audit will escalate and report the results of this work to appropriate internal and external parties including the president and board of trustees.
The mission of the office is to serve the university by recommending actions to assist them in achieving its strategic and operational objectives. This assistance includes providing recommendations to management of activities designed and implemented by management to strengthen internal controls, reduce risk to and waste of resources, and improve operations to enhance the performance and reputation of the university. In addition, University Audit assists the Audit and Compliance Committee of the Board of Trustees in accomplishing its oversight responsibilities in accordance with UCF Board of Trustee and Florida Board of Governors guidelines and regulations.
UCF Internal Audit Charter
According to the Institute of Internal Auditors:
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."
Under the IIA "Three Lines of Defense" model, Internal Audit serves as "the third line of defense" as noted below: The first line of defense is provided by front line staff and operational management. The systems, internal controls, the control environment and culture developed and implemented by these business units is crucial in anticipating and managing operational risks. The second line of defense is provided by the risk management and compliance functions. These functions provide the oversight and the tools, systems and advice necessary to support the first line in identifying, managing, and monitoring risks. The third line of defense is provided by the internal audit function. This function provides a level of independent assurance that the risk management and internal control framework is working as designed.
University Audit reports administratively to the president and executive chief of staff, and functionally to the Audit and Compliance Committee of the Board of Trustees. This reporting structure promotes independence and full consideration of audit recommendations and management action plans.
All internal audit activities shall remain free of influence by any element in the organization, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of an independent and objective mental attitude necessary in rendering reports.
To maintain independence in accordance with serving as the "third line of defense" University Audit is not authorized to:
University Audit has the authority to audit or investigate all areas of the university, including its direct support organizations, auxiliary facilities and services, faculty practice plan corporations, and other component units. Audits, reviews, and investigations shall not be restricted or limited by management, the president, or the board of trustees.
University Audit has unrestricted and timely access to records, data, personnel, and physical property relevant to performing audits, reviews, investigations, and consulting services. Documents and information given to internal auditors will be handled in the same prudent and confidential manner as by those employees normally accountable for those records. As required by law, University Audit will comply with the Florida Sunshine Law and public record requests. University Audit will notify the chair of the board of trustee's Audit and Compliance Committee or the president as appropriate, of any unresolved restriction, barrier or limitation to obtaining necessary information to perform their duties. If the university is not able to remedy such limitations, the chief audit executive shall timely notify the Board of Governors (through the OIGC) of any such restrictions, barrier, or limitation.
University Audit performs three types of projects:
In addition, as noted in Florida Board of Governors Regulation 4.002 State University Chief Audit Executives, University Audit is responsible to review statutory whistle-blower information and coordinate all activities of the university as required by the Florida Whistle-blower's Act. When performing any of these activities, University Audit will focus on:
Audits will be scheduled and performed according to the risk-based annual plan, which is submitted to the president, the Audit and Compliance Committee and the Florida Board of Governors. The plan will be updated as necessary to reflect changes in the university's strategic plan, program initiatives, and external environmental factors along with accommodating requests from the Board of Trustees and university management. Consulting services and investigations will be scheduled and performed on a case-by-case basis.
Follow-up on open audit issues will be performed on a regular basis to evaluate management's progress in implementing internal audit recommendations generated by all audit department projects as defined above
In addition, University Audit will work with third parties such as the State University System of Florida Board of Governors, the Florida Auditor General, external auditors (public accounting firms), and relevant federal, state and local government agencies to discuss internal controlrelated activities and provide requested information.
To help ensure University Audit has the capabilities to perform these functions, the department will:
University Audit adheres to the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing adopted by The Institute of Internal Auditors. In addition, this charter will be reviewed and approved at least every three (3) years for consistency with applicable Florida Board of Governors and university regulations, professional standards, and industry best practices.