The Board of Visitors has been authorized by the Commonwealth of Virginia to govern William & Mary and Richard Bland College. The Board of Visitors has appointed the Committee on Audit, Risk and Compliance with oversight responsibility of the Office of Internal Audit (Internal Audit). The Director of Internal Audit shall report directly to the Committee on Audit, Risk and Compliance.
PURPOSE AND MISSION:
Internal audit is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of William & Mary and Richard Bland College (“the Colleges”). The mission of internal audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. Internal audit assists the Colleges in accomplishing their objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the Colleges’ governance, risk management, and internal controls. Internal audit shall consider and make recommendations on policy matters pertaining to campus safety and security and risk management.
Internal audit will govern itself by adherence to The Institute of Internal Auditors' mandatory guidance including the International Professional Practices Framework, the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing.
Internal audit, with accountability for confidentiality and safeguarding records and information, is authorized full, free, and unrestricted access to any and all of the Colleges’ records, physical properties, and personnel pertinent to carrying out any engagement. Internal audit will also have free and unrestricted access to the Board of Visitors through the Committee on Audit, Risk and Compliance.
The Internal Audit Director will report directly to the Committee on Audit, Risk and Compliance.
The Committee on Audit, Risk and Compliance will:
- Review the internal audit charter and recommend to the full Board of Visitors for approval.
- Approve the risk-based internal audit plan and resources needed to achieve the plan.
- Receive communications from the Internal Audit Director on internal audit’s performance relative to its plan and other matters.
- Approve decisions regarding the appointment and removal of the Internal Audit Director.
- Annually evaluate the Internal Audit Director.
The Internal Audit Director will communicate and interact directly with the Committee on Audit, Risk and Compliance, including in executive sessions and between scheduled meetings, as appropriate.
INDEPENDENCE AND OBJECTIVITY:
The internal audit activity will remain free from interference regarding matters of audit selection, scope, procedures, frequency, timing, or report content in order to foster an independent and objective mental attitude.
- Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgment as internal auditors.
- Internal auditors will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.
- Internal auditors will make a balanced assessment of all the relevant circumstances and not be influenced by their own interests or by others in forming judgments.
The Director of Internal Audit will confirm to the Committee on Audit, Risk and Compliance, at least annually, the organizational independence of the internal audit activity.
INTERNAL AUDIT RESPONSIBILITY:
The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the Colleges’ governance, risk management, and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve stated goals and objectives. This includes:
- Evaluating risk exposure relating to achievement of strategic objectives.
- Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
- Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the Colleges.
- Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
- Evaluating the effectiveness and efficiency with which College resources are employed.
- Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
- Evaluating governance and risk management processes.
- Coordinating with external agencies, including the Auditor of Public Accounts and the Office of the Inspector General, to promote an efficient combined audit effort.
- Performing consulting and advisory services related to governance, risk management and controls as appropriate.
- Reporting periodically on the internal audit performance relative to its work plan.
- Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the Committee on Audit, Risk and Compliance.
- Evaluating specific operations at the request of the Committee on Audit, Risk and Compliance or management, as appropriate.
- Establishing and maintaining an internal audit quality review program to evaluate the operations of the department. An external assessment will be performed every five years and will be communicated to senior management and to the Committee on Audit, Risk and Compliance Chair.
INTERNAL AUDIT PLAN:
Annually, the Internal Audit Director will submit to the Committee on Audit, Risk and Compliance and senior management an internal audit plan for review and approval. The internal audit plan will represent a work plan for the next calendar year. The Director of Internal Audit will communicate the impact of resource limitations and significant interim changes to the Committee on Audit, Risk and Compliance and senior management, as appropriate. The internal audit plan will be developed based on a prioritization of the audit universe using a risk-based methodology, including input of the Committee on Audit, Risk and Compliance and senior management. The Director of Internal Audit will review and adjust the plan, as necessary, in response to changes in risks, operations, programs, systems, and controls. Any significant deviation from the approved internal audit plan will be communicated to the Committee on Audit, Risk and Compliance through periodic reports.
REPORTING AND MONITORING:
A written report will be prepared and issued by the internal audit department following the conclusion of each formal internal audit engagement and will be distributed as appropriate. Internal audit results will also be communicated to the Committee on Audit, Risk and Compliance. The internal audit report will include management’s response and corrective action taken or to be taken in regard to the specific findings and recommendations.
Internal audit will follow up on audit findings and recommendations. The status of follow-up activity will be regularly reported to the Committee on Audit, Risk and Compliance. The Internal Audit Director will periodically report to the Committee on Audit, Risk and Compliance on internal audit activity, as well as performance relative to the annual plan. Reporting will also include significant risk exposures and control issues, including fraud risks, emerging trends, governance issues, and other matters needed or requested by the Committee on Audit, Risk and Compliance or senior management.