Department of Internal Audit and Compliance

"Required Communications"

The International Standards for the Professional Practice of Internal Auditing requires that certain aspects of the delivery of our internal auditing services be communicated to management and the Board at least annually.  We deliver on this requirement in multiple ways:  through our Profile of an Audit Service brochure, through our quarterly status updates to executive leadership and the Board, and through our quarterly newsletter to the President's Advisory Council and the Board.  Evaluate financial and operational procedures for adequacy of internal controls and provide advice and guidance on control aspects of new policies, systems, processes and procedures.  We also share this same information on this web-page for your review.  On this web-page we state the relevant professional Standard, and how the University complies with that Standard.

Standard 1000 – Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of the internal audit activity is formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing. The Executive Director of Internal Audit and Chief Compliance Officer ("chief audit executive") periodically reviews the internal audit charter and presents it to senior management and the board for approval.
 
Standard 1010 – Recognizing Mandatory Guidance in the Internal Audit Charter
The mandatory nature of the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing is recognized in the internal audit charter. The chief audit executive discusses the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework with senior management and board.
 
Standard 1110 – Organizational Independence
The chief audit executive reports to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive confirms to the board, at least annually, the organizational independence of the internal audit activity.  The internal audit activity is free from interference in determining the scope of internal auditing, performing work, and communicating results. The chief audit executive discloses such interference to the board and discusses the implications.
 
Standard 1112 – Chief Audit Executive Roles Beyond Internal Auditing
Where the chief audit executive has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards are in place to limit impairments to independence or objectivity.  Safeguards are those oversight activities, often undertaken by the board, to address these potential impairments.  The implementation guidance states, “To address the risk of impairment, the chief audit executive should gain an understanding of any proposed role that falls outside of internal auditing and speak with senior management and the board about the reporting relationships, responsibilities, and expectations related to the role.”
 
Standard 1130 – Impairment to Independence or Objectivity
The determination of appropriate parties to which the details of an impairment to independence or objectivity is disclosed in dependent upon the expectations of the internal audit activity’s and the chief audit executive’s responsibilities to senior management and the board as described in the internal audit charter, as well as the nature of the impairment.  At the University of Toledo, Internal Audit and Institutional Compliance (as well as Student Disability Services) each report to the chief audit executive.  As a result, the chief audit executive recuses himself from internal audits of Institutional Compliance and Student Disability Services, and is not involved in the planning, fieldwork, or reporting processes for those engagements.  Instead, such engagements are led by the Assistant Director of Internal Audit.  Further, the Assistant Director is tasked with reviewing all project-based working papers prepared by the University's various Institutional Compliance Officers (i.e., this task is not performed by the chief audit and compliance executive, to promote effective separation of duties and to minimize any perceived conflicts of interest).
 
Standard 1320 – Reporting on the Quality Assurance and Improvement Program
The chief audit executive communicates the results of the quality assurance and improvement program to senior management and the board. Disclosure includes:
  • The scope and frequency of both the internal and external assessments.
  • The qualifications and independence of the assessor(s) or assessment team, including potential conflicts of interest.
  • Conclusions of assessors.
  • Corrective action plans.

Standard 1322 – Disclosure of Non-Conformance
When non-conformance with the Code of Ethics or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive discloses the non-conformance and the impact to senior management and the board.
 
Standard 2020 – Communication and Approval
The chief audit executive communicates the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The chief audit executive also communicates the impact of resource limitations.

Standard 2060 – Reporting to Senior Management and the Board
The chief audit executive reports periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan and on its conformance with the Code of Ethics and the Standards. Reporting also includes significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board.
 
Standard 2421 – Errors and Omissions
If a final communication contains a significant error or omission, the chief audit executive communicates corrected information to all parties who received the original communication.
 
Standard 2431 – Engagement Disclosure of Non-Conformance
When non-conformance with the Code of Ethics or the Standards impacts a significant engagement, communication of the results  disclose:
  • Principle(s) or rule(s) of conduct of the Code of Ethics or the Standard(s) with which full conformance was not achieved.
  • Reason(s) for non-conformance.
  • Impact of non-conformance on the engagement and the communicated engagement results.
 Standard 2440 – Disseminating Results
The chief audit executive communicates results to the appropriate parties.  During consulting engagements, governance, risk management, and control issues may be identified. Whenever these issues are significant to the organization, they are communicated to senior management and the board.
 
Standard 2500 – Monitoring Progress
The chief audit executive establishes and maintain a system to monitor the disposition of results communicated to management.  The chief audit executive establishes a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.
 
Standard 2600 – Communicating the Acceptance of Risks
When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive discusses the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive communicates the matter to the board.
Last Updated: 11/4/19