The UNC Policy Manual

1300.7.1 [R]

            Adopted 08/13/24

 

Regulation Regarding Internal Audit Reporting Relationships at Constituent Institutions

I.               Purpose. 

In accordance with the Board of Governors Policy on Selection Criteria and Operating Instructions for Special Responsibility Constituent Institutions (UNC Policy Manual, Section 600.3.1), G.S. 116-30.1, and G.S. 116-40.7, the president may establish regulations and guidelines for implementing operating instructions for special responsibility constituent institutions. As required by G.S. Chapter 143 Article 79, each State agency “shall establish a program of internal auditing.” The President hereby requires all special responsibility constituent institutions to establish appropriate reporting lines for their respective internal audit functions. Appropriate reporting lines for internal auditors are critical to achieve the requisite independence, objectivity, and organizational stature needed to effectively assess internal controls, risk management, and governance. This regulation is intended to comply with the Institute of Internal Audit standards.

II.              Definitions. For purposes of this regulation:

a.     “Internal Audit Charter” means the charters of each constituent institution’s internal audit office.

b.     “Audit Committee” means the committee of a constituent institution that is composed of Board of Trustees members and oversees audit matters for that constituent institution.

c.      “CAE” means the chief audit executive or similarly titled director of the internal audit office at a constituent institution.

d.     “Senior Executive” means the Chancellor or other administrative and executive leader of a constituent institution.

e.     “Administrative reporting” means the relationship within a constituent institution’s management structure that facilitates day-to-day operations of internal audit activity and provides appropriate interface and support effectiveness. Examples of administrative reporting may involve:

                                               i.     Budgeting and management accounting

                                              ii.     Human resources administration

                                             iii.     Internal communications and information flows

                                             iv.     Administration of the organization’s internal policies and procedures (expense approvals, leave approvals, etc.)

f.      “Functional reporting” means an indirect reporting relationship lacking managerial authority. Examples of functional reporting may involve:

                                               i.     Reviewing and approving the internal audit charter

                                              ii.     Reviewing and approving the risk-based internal audit plan

                                             iii.     Reviewing and approving the internal audit and resource plan

                                             iv.     Receiving communications from the CAE on the internal audit activity’s performance relative to its plan and other matters

                                              v.     Approving decisions regarding the appointment, removal, and remuneration of the CAE

                                             vi.     Determining whether there are scope or budgetary limitations that impede the ability of the internal audit activity to execute its responsibilities

                                           vii.     Reviewing the results from the internal audit’s quality assurance and improvement program, including the direct review of the results of external quality assessment.

III.             Reporting Relationship.

Each constituent institution’s internal audit charter shall describe the reporting relationship of the CAE to functionally report to the audit committee and administratively report to a senior executive at the constituent institution. Beyond approving the internal audit and resource plans, the senior executive, the audit committee, the chair of such committee, Board of Trustee members, or senior administrative leaders may not direct or dictate the day-to-day auditing work of the CAE. Any reporting relationship that impedes independence and effective operations of the office of internal audit should be viewed as a serious scope limitation and should be brought to the attention of the NC Council of Internal Auditing, the Board of Governors Committee on Audit, Risk Management and Compliance, the audit committee, the Board of Trustees, the Chancellor, or other senior executive of the constituent institution, as appropriate.

IV.            Reporting to the System Office and Other Entities.

Each audit committee shall ensure that the institution’s internal audit function complies with all reporting requirements of the NC Council of Internal Auditing and the UNC System Office’s Compliance and Audit Services, including any reporting requests outlined by the Chief Audit Officer at the UNC System Office.