The UNC Policy Manual
1300.7.1 [R]
Adopted 08/13/24
Regulation
Regarding Internal Audit Reporting Relationships at Constituent Institutions
I.
Purpose.
In accordance with the Board of Governors Policy on Selection
Criteria and Operating Instructions for Special Responsibility Constituent
Institutions (UNC Policy Manual, Section 600.3.1), G.S. 116-30.1, and G.S. 116-40.7,
the president may establish regulations and guidelines for implementing operating
instructions for special responsibility constituent institutions. As required
by G.S. Chapter 143 Article 79, each State agency “shall establish a program of
internal auditing.” The President hereby requires all special responsibility constituent
institutions to establish appropriate reporting lines for their respective
internal audit functions. Appropriate reporting lines for internal auditors are
critical to achieve the requisite independence, objectivity, and organizational
stature needed to effectively assess internal controls, risk management, and
governance. This regulation is intended to comply with the Institute of
Internal Audit standards.
II.
Definitions. For purposes of this regulation:
a.
“Internal Audit Charter” means the charters of
each constituent institution’s internal audit office.
b.
“Audit Committee” means the committee of a
constituent institution that is composed of Board of Trustees members and
oversees audit matters for that constituent institution.
c.
“CAE” means the chief audit executive or
similarly titled director of the internal audit office at a constituent
institution.
d.
“Senior Executive” means the Chancellor or other
administrative and executive leader of a constituent institution.
e.
“Administrative reporting” means the
relationship within a constituent institution’s management structure that
facilitates day-to-day operations of internal audit activity and provides
appropriate interface and support effectiveness. Examples of administrative
reporting may involve:
i. Budgeting
and management accounting
ii. Human
resources administration
iii. Internal
communications and information flows
iv. Administration
of the organization’s internal policies and procedures (expense approvals,
leave approvals, etc.)
f.
“Functional reporting” means an indirect
reporting relationship lacking managerial authority. Examples of functional
reporting may involve:
i. Reviewing
and approving the internal audit charter
ii. Reviewing
and approving the risk-based internal audit plan
iii. Reviewing
and approving the internal audit and resource plan
iv. Receiving
communications from the CAE on the internal audit activity’s performance
relative to its plan and other matters
v. Approving
decisions regarding the appointment, removal, and remuneration of the CAE
vi. Determining
whether there are scope or budgetary limitations that impede the ability of the
internal audit activity to execute its responsibilities
vii. Reviewing
the results from the internal audit’s quality assurance and improvement
program, including the direct review of the results of external quality
assessment.
III.
Reporting Relationship.
Each constituent institution’s internal audit
charter shall describe the reporting relationship of the CAE to functionally
report to the audit committee and administratively report to a senior executive
at the constituent institution. Beyond approving the internal audit and
resource plans, the senior executive, the audit committee, the chair of such
committee, Board of Trustee members, or senior administrative leaders may not direct
or dictate the day-to-day auditing work of the CAE. Any reporting relationship
that impedes independence and effective operations of the office of internal
audit should be viewed as a serious scope limitation and should be brought to
the attention of the NC Council of Internal Auditing, the Board of Governors
Committee on Audit, Risk Management and Compliance, the audit committee, the
Board of Trustees, the Chancellor, or other senior executive of the constituent
institution, as appropriate.
IV.
Reporting to the System Office and Other
Entities.
Each audit committee shall ensure that the
institution’s internal audit function complies with all reporting requirements
of the NC Council of Internal Auditing and the UNC System Office’s Compliance
and Audit Services, including any reporting requests outlined by the Chief
Audit Officer at the UNC System Office.