Internal Audit Charter

Purpose of Internal Audit

The purpose of the Office of Internal Audit and Advisory Services is to provide independent and objective assurance and advisory services to Georgia College & State University (Institution) to add value and improve operations while promoting accountability and transparency to maintain public trust. The Office of Internal Audit and Advisory Services (Internal Audit) assists the institution in achieving its objectives by taking a systematic, disciplined approach to evaluating and improving the effectiveness of governance, risk management, compliance, and internal control processes.

Internal Audit Mandate

Internal Audit offers services to the institution as outlined by the Board of Regents (BOR) Policy Manual § 7.9.2—Internal Audits. The University System of Georgia (USG) Business Procedures Manual details the scope of these services in § 16.1 – Internal Audit Functions Across the USG, § 16.3 – Types of Internal Audit, Ethics and Compliance Engagements, and § 16.4 – Internal Audit/Engagement Process.

Role of the Internal Audit Function

Internal Audit reports directly to the institution’s President (President), and the USG’s Chief Audit Officer (BOR CAO), as required by BOR Policy Manual § 7.9.2 – Internal Audits. The senior staff member of Internal Audit will serve as the Institutional Chief Auditor (ICA) for system-wide meetings and communications. Internal Audit does not report to any other division or unit of the Institution.

Responsibilities

1. The ICA is responsible for developing an institution-wide rolling audit plan using appropriate risk-based methodology, including input from senior management and the BOR CAO. The President will review and approve the audit plan before it is submitted to the BOR CAO for approval by the BOR Committee on Internal Audit, Risk, and Compliance. Any modifications to the audit plan will be communicated to the BOR CAO for approval.
2. The ICA is responsible for performing and/or providing functional coordination and guidance for the following institution-wide audit activities:
   1. Implement the annual audit plan, as approved, including, as appropriate, any special tasks or projects requested by the appropriate management levels and approved by the President and BOR CAO.
   2. As applicable, recruit, train, and maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the objectives of this charter. To the extent that additional or expert/specialized skills are needed to supplement the work, such activities may be co-sourced or outsourced, as necessary.
   3. Evaluate and assess significant new or changing services, processes, operations, and control processes coincident with their development, implementation, and/or expansion.
   4. Analyze operational issues impacting enterprise-wide processes and organizational areas.
   5. Conduct follow-up reviews on previously reported recommendations.
   6. Issue periodic reports to the President and BOR CAO summarizing the results of audit activities.
   7. According to USG Business Procedures Manual §16.6.5, report all issues of malfeasance to the BOR CAO.
   8. Inform the President of emerging trends regarding risk management, internal controls, and successful practices in internal auditing.
   9. Investigate reported fraud, waste, and abuse and recommend controls to prevent and detect them.
   10. Coordinate enterprise risk management (ERM) activities while expressly avoiding making management decisions, including setting the risk appetite, implementing risk responses, taking accountability for risk management, etc.

Authorization

To the extent permitted by law and as needed to complete the annual audit plan, the Office of Internal Audit and Advisory Services has full access to all activities, records, properties, and personnel within the institution, including cooperative organizations created to serve the institutions. Internal Audit is authorized to review and appraise all operations, policies, plans, and procedures. Documents and other materials provided to the Internal Audit will be handled as prudently as those employees who are normally accountable for them.

Independence and Objectivity

The ICA will ensure that the internal audit function remains free from any conditions that threaten the internal auditors’ ability to perform their responsibilities without bias. This includes issues related to engagement selection, scope, procedures, frequency, timing, and communication. If the ICA determines that objectivity may be impaired, either in fact or appearance, the details of the impairment will be disclosed to the President and the BOR CAO.

Internal Audit staff will have no direct operational responsibility or authority over any audited activities. Therefore, they will not implement internal controls, develop procedures, prepare records, or engage in any other activities that could impair their judgment.

Internal Audit staff must disclose any impairment of independence or objectivity, whether in fact or appearance, to the ICA and the BOR CAO. They will maintain the highest level of professional objectivity in gathering, evaluating, and communicating information regarding the activity or process being examined and will not be unduly influenced by their own interests or those of others when making judgments.

Definition of Audit Engagement Scope

The Office of Internal Audit and Advisory Services is responsible for examining and evaluating the adequacy and effectiveness of the Institution’s systems of governance, risk management, compliance, internal control, and performance quality in fulfilling assigned responsibilities. The scope may vary by area and could include:

1. Review the effectiveness of governance processes to include the following:
   1. Promotion of ethical behavior within the Institution.
   2. Efficiency of organizational performance management and accountability.
   3. Communication of risk and control information to appropriate areas of the organization.
   4. Coordinate activities and information among external and internal auditors and management.
2. Review the effectiveness of risk management processes to include the following:
   1. Alignment of organizational objectives in support of the USG and institutional missions.
   2. Identification and assessment of significant risks.
   3. Alignment of risk responses with the Institution’s risk appetite.
   4. Capturing and communicating relevant risk information across the Institution to enable staff and management to carry out their responsibilities.
3. Review the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information.
4. Review the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations that could significantly impact operations and reports and determine whether the Institution is compliant.
5. Review the means of safeguarding assets and, as appropriate, verify the existence of such assets.
6. Review and appraise the economy and efficiency with which resources are employed.
7. Review operations or programs to determine whether results are consistent with established objectives and goals and whether they are being implemented as planned.
8. Review the status of Information Technology policies and procedures, verifying that required hardware, software, and process controls have been implemented and that the controls function properly.
9. Conduct special audits at the request of the BOR CAO or President.
10. Analyze and review public private ventures associated with the Institution and its cooperative organizations.
11. Provide advisory services at the request of institutional management and with the BOR CAO’s approval, consistent with the Institute of Internal Auditors Global Internal Audit Standards (Standards) governing advisory engagements. Advisory engagements undertaken should potentially improve governance, risk management, compliance, and/or internal controls within the institution.

The internal audit function shall issue reports on the results of completed reviews, discuss these reports with appropriate levels of management, and share them with the BOR CAO before distributing them as final reports to the BOR CAO, President, and other levels of management as deemed appropriate.

Required Actions by Management

The institutional areas receiving an internal audit report from the Office of Internal Audit and Advisory Services will respond within 30 days. This response will indicate agreement or disagreement, proposed actions, and the dates for completion for each specific finding and recommendation. If a recommendation is not accepted, the reason should be given. Internal Audit will prepare and issue a final written report.

Quality Assurance and Improvement Program

The Office of Internal Audit and Advisory Services will participate in a quality assurance and improvement program (QAIP) created by the BOR CAO that covers all aspects of the internal audit process. The program evaluates the internal audit function’s conformance with the Purpose of Internal Auditing, the IIA’s standards of ethics and professionalism, and the Standards. It also assesses the function's efficiency and effectiveness and identifies opportunities for improvement.

Internal Audit will participate in quality assurance external assessments with the USG Office of Internal Audit, Ethics & Compliance conducted at least every five years as required by the Standards. The ICA will report to the President on the results of the review.
 

The Charter was last updated in February 2025.