University Audit

Purpose and Mission

University Audit serves as the university's internal auditor, providing internal audits and reviews, management consulting and advisory services, investigations of fraud and abuse, follow-up of audit recommendations, evaluation of the processes of risk management and governance, and coordination with external auditors. University Audit will escalate and report the results of this work to appropriate internal and external parties including the president and board of trustees.

The mission of the office is to serve the university by recommending actions to assist them in achieving its strategic and operational objectives. This assistance includes providing recommendations to management of activities designed and implemented by management to strengthen internal controls, reduce risk to and waste of resources, and improve operations to enhance the performance and reputation of the university. In addition, University Audit assists the Audit and Compliance Committee of the Board of Trustees in accomplishing its oversight responsibilities in accordance with UCF Board of Trustee and Florida Board of Governors guidelines and regulations.
UCF Internal Audit Charter

Millican Hall

Definition and Role of Internal Auditing

According to the Institute of Internal Auditors:

"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."

Under the IIA "Three Lines of Defense" model, Internal Audit serves as "the third line of defense" as noted below: The first line of defense is provided by front line staff and operational management. The systems, internal controls, the control environment and culture developed and implemented by these business units is crucial in anticipating and managing operational risks. The second line of defense is provided by the risk management and compliance functions. These functions provide the oversight and the tools, systems and advice necessary to support the first line in identifying, managing, and monitoring risks. The third line of defense is provided by the internal audit function. This function provides a level of independent assurance that the risk management and internal control framework is working as designed.

Reporting Structure and Independence

University Audit reports administratively to the president and executive chief of staff, and functionally to the Audit and Compliance Committee of the Board of Trustees. This reporting structure promotes independence and full consideration of audit recommendations and management action plans.

All internal audit activities shall remain free of influence by any element in the organization, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of an independent and objective mental attitude necessary in rendering reports.

To maintain independence in accordance with serving as the "third line of defense" University Audit is not authorized to:

  • Perform any operational duties (such as implementing or performing internal controls, developing university-wide or department level procedures, installing systems or preparing records or tendering legal opinions) for the areas of the university or any affiliated organizations external to the department.
  • Initiate or approve accounting transactions or selection of third-party vendors external to the department.
  • Direct the activities of any university employee not employed by University Audit, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the internal audit staff during the course of audit work in providing requested documentation or clarification of university processes and practices.


University Audit has the authority to audit or investigate all areas of the university, including its direct support organizations, auxiliary facilities and services, faculty practice plan corporations, and other component units. Audits, reviews, and investigations shall not be restricted or limited by management, the president, or the board of trustees.

University Audit has unrestricted and timely access to records, data, personnel, and physical property relevant to performing audits, reviews, investigations, and consulting services. Documents and information given to internal auditors will be handled in the same prudent and confidential manner as by those employees normally accountable for those records. As required by law, University Audit will comply with the Florida Sunshine Law and public record requests. University Audit will notify the chair of the board of trustee's Audit and Compliance Committee or the president as appropriate, of any unresolved restriction, barrier or limitation to obtaining necessary information to perform their duties. If the university is not able to remedy such limitations, the chief audit executive shall timely notify the Board of Governors (through the OIGC) of any such restrictions, barrier, or limitation.

Duties and Responsibilities

University Audit performs three types of projects:

  • Perform audits and reviews according to the risk-based annual plan, which is submitted to the president and the Audit and Compliance Committee.
  • Audits are assurance services defined as examinations of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples include financial, operational performance, compliance, systems and data security and due diligence engagements relating to vendors and third-party relationships.
  • Consulting services, the nature and scope of which are agreed to with the client, are intended to add value and improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include reviews, recommendations (advice), facilitation of and providing guidance relating to management's control self-assessment initiatives, identification of leading practices, and providing training to the university community in areas such as fraud awareness, risk management, internal controls and other related subject matter.
  • Investigations are independent evaluations of allegations generally focused on improper activities including misuse of university resources, fraud, financial irregularities, and academic integrity concerns along with research misconduct. Management will also be informed of any identified significant control weaknesses such as management override of controls along with unethical behavior, lack of academic integrity, failure to provide adequate oversight, or similar types of actions. In conjunction with performance of or participation in investigations across the university community, University Audit is responsible for determining whether allegations associated with an investigation fall under the State of Florida Whistle-blower Act in accordance with sections 112.3187-112.31895, Florida Statutes.

In addition, as noted in Florida Board of Governors Regulation 4.002 State University Chief Audit Executives, University Audit is responsible to review statutory whistle-blower information and coordinate all activities of the university as required by the Florida Whistle-blower's Act. When performing any of these activities, University Audit will focus on:

  • a) Evaluating the economy, efficiency and effectiveness in the administration of university programs and operations
  • b) Recommending adjustments to existing internal controls to enhance the prevention and detection of fraud and abuse within university programs and operations
  • c) Examine the validity of significant and credible allegations relating to waste, fraud or financial mismanagement as provided in Board of Governors Regulation 4.001.

Audits will be scheduled and performed according to the risk-based annual plan, which is submitted to the president, the Audit and Compliance Committee and the Florida Board of Governors. The plan will be updated as necessary to reflect changes in the university's strategic plan, program initiatives, and external environmental factors along with accommodating requests from the Board of Trustees and university management. Consulting services and investigations will be scheduled and performed on a case-by-case basis.

Follow-up on open audit issues will be performed on a regular basis to evaluate management's progress in implementing internal audit recommendations generated by all audit department projects as defined above

In addition, University Audit will work with third parties such as the State University System of Florida Board of Governors, the Florida Auditor General, external auditors (public accounting firms), and relevant federal, state and local government agencies to discuss internal controlrelated activities and provide requested information.

To help ensure University Audit has the capabilities to perform these functions, the department will:

  • use existing or request additional funds to maintain a professional staff with sufficient size, knowledge, skills, experience, and professional certifications along with obtaining appropriate technology that increases the department’s capabilities, productivity and efficiency
  • use third-party resources (i.e. co-sourcing) as appropriate to supplement the department's efforts
  • establish a quality assurance improvement program of internal auditing for the office of chief audit executive and the department as a whole.
  • prepare an annual report summarizing the activities of the department for the preceding fiscal year, the office’s plans and resource requirements, including significant changes, and the impact of resource limitations for distribution to the president, board of trustees and Florida Board of Governors.
  • report on a routine basis (through written or verbal means) to the Audit and Compliance Committee and/or the full board of trustees on matters including significant risk exposures, control issues, fraud risks, governance issues and other matters as requests by the president and/or the board of trustees.

Professional Standards

University Audit adheres to the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing adopted by The Institute of Internal Auditors. In addition, this charter will be reviewed and approved at least every three (3) years for consistency with applicable Florida Board of Governors and university regulations, professional standards, and industry best practices.