Internal Audit will have no direct operational responsibility or authority over the activities audited. Accordingly, Internal Audit will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair independent and objective judgment.
Internal Audit will exhibit professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors will make an unbiased and balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
Internal Audit will confirm to the Board, at least annually, the organizational independence of the internal audit activity.
Internal Audit will govern itself by adherence to The Institute of Internal Auditors' mandatory guidance including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the Internal Audit's performance.
Members of Internal Audit are responsible for maintaining the standards of conduct, independence, and character necessary to provide proper and meaningful internal auditing for Oregon Tech.
The scope of internal auditing encompasses, but it is not limited to, the examination and evaluation of the adequacy and effectiveness of Oregon Tech's governance, risk management, and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve the organization's stated goals and objectives. Responsibilities include, but are not limited to:
- Evaluating risk exposure relating to achievement of the organization's strategic objectives.
- Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
- Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have significant impact on the organization.
- Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
- Evaluating the effectiveness and efficiency with which resources are employed.
- Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
- Monitoring and evaluating governance processes.
- Monitoring and evaluating the effectiveness of the organization's risk management process.
- Performing consulting and advisory services related to governance, risk management, and control as appropriate for the organization.
- Reporting periodically on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan.
- Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the Board.
- Evaluating specific operations at the request of the Board, as appropriate.
- Evaluating allegations of fraud, waste, abuse, unethical business practices, and/or financial and operational misconduct.
- Evaluating plans and actions taken to correct reported conditions.
It is the responsibility of Management to identify, understand, and manage risks effectively, including taking appropriate and timely action in response to audit findings. It is also Management's responsibility to maintain a sound system of internal control. The existence of an internal audit function does not in any way relieve Management of this responsibility.
A written report will be prepared and issued by Internal Audit following the conclusion of each internal audit engagement. Internal audit results will also be communicated to the Board. The internal audit report will identify the audit scope and objective, the audit steps performed, audit findings (including condition, criteria, cause, and effect), overall opinion, audit observations, and recommendations for change or improvement.
The report may include management's response and corrective action taken or to be taken in regard to specific findings and recommendations. Management's response should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented. Internal Audit is responsible for appropriate follow-up on engagement findings and recommendations. All significant findings will be tracked until the issues are resolved.