University Auditing Charter

    Introduction

    This charter addresses the objectives, standards, authority, independence, objectivity, and scope of activities of the University Audit and Advisory function.

    The Yale Corporation Audit Committee (hereafter referred to as “the Committee”) and the Officers of Yale University (“Yale” or “the university”) both approve the “Yale University Audit and Advisory Charter,” which establishes the internal audit function and defines the requirements the internal audit function must fulfill.

    Purpose and Mission

    The purpose of Yale University’s internal audit activity is to provide independent, objective assurance and advisory services designed to add value and improve the university’s operations. The mission of the University Audit and Advisory Department is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. It includes helping the university accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, governance, and business processes.

    Objective

    Internal auditors and advisors assist university management and the Committee in assessing risks and evaluating both the design and operating effectiveness of controls that address those risks. An independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of the university, University Audit and Advisory (hereafter referred to as “UAA” or “the internal audit function”) provides management with analyses, recommendations, advice, and information concerning the specific university activities under review. The objective is to promote effective controls and improved processes in a cost-effective manner.

    Standards for the Professional Practice of Internal Auditing

    The internal audit function guides its practices in accordance with The Institute of Internal Auditors’ (The IIA) Framework including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit function’s performance.

    The Institute of Internal Auditors’ Practice Advisories, Practice Guides, and Position Papers will also be considered as applicable to guide internal audit’s activities. In addition, the internal audit function will adhere to Yale’s relevant policies and procedures, and UAA’s standard operating procedures manual (once developed).

    Authority

    UAA operates with the authority of the Corporation Audit Committee and has full, free, and unrestricted access to any and all university records, physical properties, systems, and personnel pertinent to carrying out any engagement. Department members are accountable for confidentiality and safeguarding records and information they obtain in performing their work. It is the responsibility of Yale management to communicate to employees the authority of the internal audit activity in fulfilling its roles and responsibilities. The Executive Director of Internal Audit will have free and unrestricted access to Corporation Audit Committee members and the Officers of the university.

    The Executive Director of Internal Audit (ED) reports functionally to the Chair of the Yale Corporation Audit Committee and administratively (i.e., day-to-day operations) to the Vice President for Finance and Chief Financial Officer.

    The ED is a regular participant in Corporation Audit Committee meetings and will communicate and interact directly with the Committee, including in executive sessions and during or between Committee meetings as appropriate.

    Independence and Objectivity

    The internal audit function will remain free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and report content. If the ED determines that independence or objectivity may be impaired in fact or appearance, the details of the impairment will be disclosed to the appropriate university officers or Corporation members.

    Internal auditors must exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being reviewed. Internal auditors must make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.

    Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgment.

    Annually, the ED will confirm to the Corporation Audit Committee the organizational independence of the internal audit function.

    Scope of Internal Audit Activities

    UAA examines and evaluates the adequacy and effectiveness of the university’s governance, risk management, and internal control processes as they relate to the university’s stated goals and objectives. The ED will communicate to management and the Committee the internal auditors’ observations and recommendations regarding the processes reviewed.

    In carrying out this responsibility, UAA’s scope of activities may include:

    • Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
    • Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the organization.
    • Evaluating the means of safeguarding assets and, as appropriate, verifying their existence.
    • Evaluating the effectiveness and efficiency with which resources are employed.
    • Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
    • Monitoring and evaluating governance processes.
    • Monitoring and evaluating the effectiveness of the organization’s risk management processes.
    • Performing consulting and advisory services to evaluate and improve the efficiency and effectiveness of risk management, internal controls, governance, and business processes as appropriate for the institution.
    • Offering training workshops to managers and their units covering internal control concepts and applications, and techniques for assessing risks.
    • Administering a Yale University Hotline (with the assistance and guidance of the Office of General Counsel and Human Resources) that provides the university community with a mechanism to report concerns or suspected violations of applicable laws and regulations, Yale’s Institutional Standards of Conduct, and other Yale policies.

    The ED will report periodically to senior management and the Committee regarding:

    • UAA’s purpose, authority, and responsibility.
    • UAA’s plan and performance relative to its plan.
    • UAA’s conformance with The IIA’s Code of Ethics and Standards, and action plans to address any significant conformance issues.
    • Significant risk exposures and control issues, including fraud risks, governance issues, and other matters requiring the attention of, or requested by, the Committee.
    • Results of audit engagements or other activities.
    • Resource requirements.
    • Any response to risk by management that may be unacceptable to Yale University.

    The ED also coordinates activities, where possible, and considers relying upon the work of other internal and external assurance and consulting service providers as needed. The internal audit function may perform advisory and related client service activities, the nature and scope of which will be agreed with the client, provided the internal audit function does not assume management responsibility.

    Annual Audit Plan

    The ED will submit to the Committee an annual audit plan no later than the last Committee meeting of the fiscal year that covers audit, advisory, and investigative activities to be performed the following fiscal year. The Committee will review, discuss, and approve the plan subject to the Committee members’ concurrence, in accordance with the Committee’s charter. The annual audit plan will include a summary and proposed timeline of engagements and other audit, advisory, and investigative activities. The ED will communicate the anticipated resource allocation to complete these activities as well as the impact of any resource limitations to the Committee. The ED will also ensure that the internal audit department collectively possesses or obtains the knowledge, skills, and other competencies needed to meet the requirements of the Yale University Audit and Advisory Charter.

    UAA will develop the annual audit plan using a risk-based methodology that includes the following considerations:

    • Input of senior management and the Committee
    • Institutional strategic objectives and key initiatives
    • Enterprise risk management considerations
    • Compliance concerns
    • Results of prior audits
    • Emerging needs of campus clients
    • Management requests
    • Hotline activity
    • Data incident response/ investigations
    • Higher education, research and health care services trends and best practices

    Throughout the year, the ED will communicate the status and progress of the approved audit and advisory plan and will present any significant updates to the approved plan to the Committee for approval.

    Reporting and Monitoring

    The ED will communicate results of each engagement to management responsible for implementing recommended improvements. These communications will use the appropriate format, which may include audit reports, memorandums, emails, or verbal consultations. The ED will also communicate audit reports, investigation memorandums, and other significant advisory results to the Committee, the President and senior management, and the university’s external audit firm.

    UAA will require management’s response to the specific audit observations and recommendations. Management’s response should specify a timetable for completion of corrective actions (i.e., target completion dates) and identify responsible parties to implement the recommendations put forward for management’s consideration. UAA will require a full explanation as to the acceptance of identified risks where management has decided not to proceed with a corrective action plan associated with an observation.

    UAA will follow-up with the responsible parties to determine the implementation status of all recommendations as target completion dates approach and will report their status to the Committee.

    Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, trends, emerging issues, and other matters needed or requested by senior management and the Committee.

    Quality Assurance and Improvement Program

    UAA will maintain a quality assurance and improvement program that covers all aspects of the internal audit function’s activities. The program will include an evaluation of the internal audit department’s conformance with the Standards and an evaluation of whether internal auditors follow the IIA’s Code of Ethics. The program will also assess the efficiency and effectiveness of the internal audit department and identify opportunities for improvement.

    The ED will communicate to senior management and the Committee on the internal audit department’s quality assurance and improvement program, including results of ongoing internal assessments and external assessments (also known as “QARs”) conducted at least every five years.