R567-1. Purpose: To establish policies and standards for internal audit departments within the Utah System of Higher Education (USHE).
R567-2. References
2.1. Utah Code Title 53B, Chapter 6, Section 102 (Standardized Systems Prescribed by the Board)
2.2. Utah Code Title 53B, Chapter 7, Section 101 (Financial Affairs Under the General Supervision of the Board)
2.3. Utah Code Title 63I, Chapter 5 (Utah Internal Audit Act)
2.4. Board Policy R565, Audit Committees
2.5. Board Policy R120-3.3.2.7, Bylaws of the Board of Higher Education
2.6. Institute of Internal Auditors, International Standards for the Professional Practice of Internal Auditing (IIA Standards)
R567-3. Definitions
3.1. Audit Charter: “The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.” The audit charter should grant appropriate access to data, information, records, and personnel needed to fulfill the internal audit activity’s purpose and responsibilities.
3.2. Institution Audit Committee: Institution audit committees provide functional oversight of the internal audit activities, as described in the Internal Audit Act, and in accordance with IIA Standards. The Board of Higher Education shall appoint institution audit committee members in adherence to the Utah Internal Audit Act and R565, Audit Committees.
3.3. Internal Auditing: An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
3.4. Institution Internal Audit Activity: Any activity administered by the institution’s internal auditing organization. Each institution’s audit committee shall establish an audit charter, granting the internal audit unit authority to engage in audit activities.
3.5. Board of Higher Education Audit Director: The audit director reports functionally to the Higher Education Audit Committee and administratively to the Associate Commissioner for Finance, Facilities, and Research within the Office of the Commissioner. The audit director provides audit support to the Board of Higher Education and to institution audit activities.
R567-4. Policy
4.1. General Standards: Internal audit activities shall comply with IIA Standards. Other professional standards (such as “Generally Accepted Auditing Standards” disseminated by the American Institute of Certified Public Accountants, or Government Auditing Standards published by the Comptroller General of the United States) may also apply to particular audit assignments, as determined by the institution’s audit committee or the Board of Higher Education.
4.2. Internal Audit Activities Required at All Institutions: The State Board of Higher Education requires each USHE institution to maintain an internal audit activity plan.
4.3. Internal Audit Activity Independence and Objectivity: Internal audit activities shall remain independent and objective. Institutions and internal auditors may foster independence by adhering to applicable standards, including:
4.3.1. Organizational Independence: Each institution should maintain organizational independence by establishing functional and administrative reporting relationships consistent with IIA Standards 1110 and 1111.
4.3.2. Internal Audit Activity Objectivity: Internal auditors shall adhere to standards of independence and objectivity outlined in IIA Standards 1100 and 1120.
4.3.3. Independence Impairment Disclosure: Internal auditors shall properly disclose impairments to independence, as required in IIA Standard 1130.
4.3.4. Role in Institution Operations: System and institution internal auditors shall not participate in institution management or operational responsibilities that would impair independence.
4.4. Institution Audits: In addition to audits required by policy, institution internal auditors shall conduct risk-based audits for their institutions, as assigned by the institution audit committee. Institution presidents and executive cabinet may also request audit activities.
4.5. Required Audits: Institution internal auditors shall annually conduct the following audits:
4.5.1. Presidential Travel (in accordance with R212-1.2)
4.5.2. Institutional Investments (in accordance with R541-11)
4.5.3. Auxiliary Enterprises (in accordance with R550-7.3)
4.5.4. Information Systems Audits: Each degree granting institution shall conduct regular information systems audits to ensure adequate controls exist to promote the integrity of data security, access, and governance. The audit committee for each degree granting institution also shall prioritize regular information systems audits on auditable risks identified in their institution’s annual risk assessment.
4.6. Institution Risk Assessment: Internal auditors shall participate in institution risk assessments at least annually and report the results to the institution audit committee. Institution risks may include financial, operational, efficiency, fraud, compliance, internal control, information systems, data loss, reputation and political.
4.7. Institution Audit Communication: Upon completion of internal audit activities, institution auditors shall communicate the results to the institution audit committee.
4.8. Communication with Institution Management: The chief audit executive shall meet with the institution president at least annually to review completed audits, institution responses, and other pertinent issues.
4.9. Audit Committee Responsibilities: The audit committee shall adhere to responsibilities established in the Utah Internal Audit Act and R565, Audit Committees.
4.10. Coordination of System-Wide Audits: Under the direction of the Board of Higher Education Audit Subcommittee, the Commissioner of Higher Education and institution presidents shall coordinate assignments to conduct system-wide internal audits.
4.11. Special Audits Directed by the Commissioner: Under the direction of the Board of Higher Education Audit Subcommittee, the Commissioner may schedule and conduct an audit at an institution, separately or in cooperation with a resident chief audit executive. (See Board of Higher Education Bylaw R120-3.3.2.7.)
4.12. Audit Notification: The institution’s vice president of finance or chief audit executive shall promptly notify the Board of Higher Education audit director regarding apparent fraud or misconduct with any of the following attributes:
4.12.1. significant embezzlement, theft, or other fraud;
4.12.2. concerns that may damage an institution’s reputation;
4.12.3. apparent misuse of institutional resources of at least $25,000;
4.12.4. issues that may be covered by the media; or
4.12.5. any other issue that requires attention from the Board of Higher Education or the Commissioner.
Adopted April 24, 1973, amended May 29, 1973, June 26, 1973, November 27, 1973, January 28, 1975 and April 22, 1975; replaced January 17, 1992, amended April 17, 1992, March 18, 2005, March 31, 2017, November 16, 2018, and March 25, 2021.
IIA Standards, 1000: Purpose, Authority, and Responsibility.
See Utah Code 63I-5-301(3).
IIA Standard 1110.