Access & Authority of OIRCA

OFFICE OF INSTITUTIONAL RISK, COMPLIANCE, AND AUDIT

INTERNAL AUDIT CHARTER

Introduction

Internal auditing is an independent, objective assurance and consulting activity designed to safeguard the University’s assets by identifying opportunities to mitigate risk and improve the University’s operations. It assists the University to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of its institutional risk, compliance, and governance processes.

The mission of the Office of Institutional Risk, Compliance, and Audit (OIRCA) is to protect institutional value and integrity by providing independent, objective assurance through rigorous auditing and strategic advisory services. We support strong governance by coordinating and facilitating the execution of institutional risk and compliance programs, enabling the University to sustain excellence in education and research.

Role of The Office of Institutional Risk, Compliance, and Audit

OIRCA is responsible for conducting a comprehensive program of internal audits and advisory services, facilitating the institutional risk management process, and providing oversight for the compliance program. These activities are designed to assist the Board of Trustees and Management in the effective discharge of their responsibilities. The activities of OIRCA support the University in its assessment and improvement of the effectiveness of the internal control framework, risk management, and compliance processes.

Authority and Mandate

OIRCA reports operationally to the Audit Committee of the Board of Trustees and administratively to the President of the University, with guidance from the Executive Vice President (EVP). The Chief Audit Executive (CAE) shall meet with the Audit Committee without the presence of Management to discuss significant matters at least annually.

By virtue of this charter’s approval, the Audit Committee authorizes OIRCA to have full, free, and unrestricted access to all University functions, records, data, resources, properties, and personnel in order to conduct its reviews thoroughly and effectively. The Audit Committee requires that Management support and cooperate with OIRCA in the performance of its duties. All documents and information given to OIRCA staff as part of an engagement will be handled in the same prudent and confidential manner as by those employees normally accountable for them.

Independence and Objectivity

OIRCA has complete independence with respect to the units under review and, consequently, is not subject to restriction in the scope of its work by the operating unit. Management shall not place any restrictions on the scope of the audits.

In performing its audit functions, OIRCA shall have no management responsibility or authority over any of the activities reviewed. It shall not have direct responsibility to design and install procedures, initiate or approve accounting transactions, prepare records, or engage in any other activity that it would normally review and appraise and which could reasonably be construed to compromise its independence and objectivity. Therefore, internal audit reviews do not, in any way, substitute for or relieve other University personnel from their assigned responsibilities.

OIRCA’s objectivity is not adversely affected by recommending standards, controls, or procedures. In selected instances such as advisory engagements, OIRCA may recommend or help design improved procedures or processes; however, ownership of, and responsibility for, these procedures and processes remains with Management.

The CAE shall ensure that OIRCA remains free of conditions that threaten its ability to carry out its responsibilities in an unbiased manner, and shall confirm the independence of OIRCA to the Audit Committee on a periodic basis, including disclosing any incidents that may have impaired independence and how they were addressed. The CAE shall facilitate and coordinate the institutional risk and compliance processes in an oversight role, and shall not assume any direct management responsibility for any operational aspects of risk management or compliance. Moreover, any assurance engagements related to the University’s institutional risk and compliance programs will be performed by an objective, competent external assurance provider that reports independently to the Board.

Professional Conduct and Quality Assurance

The Audit Committee shall approve the CAE’s roles and responsibilities and identify the necessary qualifications, experience, and competencies to carry out those roles and responsibilities.  The CAE shall maintain a professional staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this charter. OIRCA staff members are responsible for conducting themselves in a professional manner and exercising due professional care. The internal audit function will conduct its activities in accordance with relevant professional frameworks and standards.

A quality assurance and improvement program will be established to evaluate OIRCA conformance with the relevant professional frameworks and standards. This will include periodic internal assessments performed by the CAE (or designee) and external assessments conducted by a qualified, independent assessor or team. The CAE will report to the Audit Committee and Executive Management regarding the results of the quality assurance and improvement program.

Scope of Responsibilities

The scope of OIRCA encompasses internal audit assurance and advisory services, institutional risk management facilitation, and compliance oversight.

Internal Audit Assurance and Advisory Services

OIRCA is responsible for conducting a comprehensive, risk-based program of internal audits across all University operations, systems, and programs. The Internal Audit Plan is based on an assessment of the organization’s strategies, objectives, and risks, and is approved by the Audit Committee annually.

OIRCA performs both assurance and advisory services including, but not limited to:

  • Evaluating the reliability and integrity of financial and operational information.
  • Evaluating the effectiveness and efficiency of operations and University resources.
  • Reviewing compliance with laws, regulations, policies, and contracts.
  • Assessing the adequacy of controls for safeguarding assets.
  • Conducting special examinations and reviews, most notably, reported occurrences of fraud, embezzlement, or theft, working in collaboration with Management.
  • Performing consulting services such as process design facilitation and participation on committees to assist Management in meeting its objectives.
  • Coordinating assurance efforts with other internal and external providers to minimize duplication and highlight gaps in coverage.

A written report will customarily be prepared and issued by OIRCA following the conclusion of an engagement. A Management response to a finding or observation will be specifically indicated in the report. Normally, a time limit to respond to audit findings and recommendations will be specified. If the response to any audit finding is not considered adequate, OIRCA shall consult with the Management of the function under review and attempt to reach a mutually agreeable resolution.

Institutional Risk Management Facilitation

OIRCA is responsible for facilitation of the University’s institutional risk management program on behalf of the EVP and the Enterprise Risk Oversight Committee. Responsibilities include, but are not limited to:

  • Developing and maintaining the institutional risk management framework and methodology.
  • Coordinating the Institutional Risk Committee and participating on the Enterprise Risk Oversight Committee.
  • Facilitating the identification, assessment, and prioritization of key institutional risks that may affect objectives, operations, or resources.
  • Advising risk owners in their identification, monitoring, and mitigation activities.
  • Monitoring and reporting on the status of risk mitigation efforts and the effectiveness of risk responses.
  • Communicating any risk acceptance that exceeds the University’s risk appetite to the Enterprise Risk Oversight Committee.

Institutional Compliance Oversight

OIRCA is responsible for providing oversight and coordination of the institutional compliance program. Responsibilities include, but are not limited to:

  • Monitoring compliance activities by engaging with the subject matter experts and compliance leaders responsible for the distributed processes that support compliance across the University.
  • Advising Management on developing and assessing compliance controls, and collaborating with the Office of General Counsel to resolve any legal questions or issues associated with determining compliance control effectiveness.
  • Reporting on the status of compliance issues to the Enterprise Risk Oversight Committee.
  • Facilitating the University’s annual conflict of interest disclosure process for faculty, staff, and Trustees.
  • Monitoring and reporting on concerns submitted through the University’s ND Integrity Line hotline.

Reporting Responsibilities

The CAE will present an annual audit plan and provide status updates to the Audit Committee at least annually.  The status updates to the Audit Committee shall include, if applicable:

  • Significant risk exposures and control, governance, or compliance issues.
  • The results of OIRCA engagements and the status of agreed-upon corrective actions.
  • The impact of insufficient financial, technological, or human resources on OIRCA’s ability to fulfill its mandate.

*          *          *          *          *

This charter represents the framework for the conduct of the internal audit, institutional risk management facilitation, and institutional compliance oversight functions at the University. It is hereby approved by the President, the Chair of the Audit Committee, and the Chief Audit Executive.

Date:  _________________________________________

___________________________________________________________

President
Date:  _________________________________________

___________________________________________________________

Chairman of the Audit Committee of the Board of Trustees
Date:  _________________________________________ 

___________________________________________________________

Chief Audit Executive

Originally adopted: November 2004

Amended: October 2008

Amended: October 2011

Amended:  February 2026