16.46 Auditors, Internal – Audit Services

A. Purpose

This policy establishes and authorizes Audit Services as the administrative unit tasked with performing internal audit functions, and reporting to the various NMSU components, The Regents Audit and Risk Committee (RARC) of the Board of Regents, and the President and/or the Board of Regents.

B. Mission and Internal Audit Function

Audit Services provides university-wide, independent, objective assurance and consulting services designed to add value to, and improve university operations. It helps the university community accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Audit Services assists members of management in effectively carrying out their respective responsibilities by determining whether the organization’s network of risk management, control and governance processes are adequate to ensure that:

1. Risks are appropriately identified and managed;
2. University policies and procedures, and external laws and regulations are followed;
3. Resources are acquired economically, used efficiently, and are adequately protected;
4. Significant financial, managerial and operational information is accurate and reliable;
5. Program objectives are achieved and are consistent with university objectives.

C. Authority

The internal audit staff is authorized full, free and unrestricted access to all university records in any form; to all facilities and real estate; and to all personnel relevant to an audit. With approval from the NMSU affiliated organization, internal audit staff may review records of affiliated organizations in conjunction with a specific university audit. Internal audit staff is correspondingly responsible for handling documents and information obtained in a prudent and ethical manner.

D. Neutrality

Internal auditors will avoid participating in activities that might reasonably appear to compromise their independence or objectivity. They will have no direct responsibility or authority over any of the operating activities examined, and their review does not relieve operating personnel of their responsibilities.

E. Internal Audit Duties

The chief audit executive and staff of Audit Services have responsibility to:

1. Develop a flexible annual audit plan using appropriate risk-based methodology, including concerns identified by management, and submit the plan to the RARC for review and approval;
2. Operate in accordance with the International Standards for the Professional Practice of Internal Auditing and the Code of Ethics of the Institute of Internal Auditors;
3. Provide audit reports and memoranda that contain reasonable and cost-effective recommendations for control issues identified, and facilitate the resolution of audit issues with appropriate managers;
4. Suggest the need for policies and procedures where appropriate, or changes to existing policies and procedures;
5. Perform appropriate assurance, advising, and consulting services defined as services intended to add value and improve governance, risk management, and control processes, and to assist management in meeting its strategic objectives;
6. Assist in the investigation of significant suspected fraudulent activities within the university;

F. Reporting Structure

In order to maintain independence, the staff of Audit Services reports to the chief audit executive, who reports administratively to the President and functionally to the RARC and/or the Board of Regents. The chief audit executive shall meet with the RARC periodically, as outlined in the RARC Charter (See Appendix 1 – C) and will present an annual report on the activities and operations of the department. The RARC will provide oversight of the selection and periodic review of the Chief Audit Executive.

G. Scheduling Audit Projects and Reporting Results

With the exception of emergency audits and those requiring an element of surprise, audit clients will receive advance notice of planned audits and Audit Services staff will make reasonable efforts to accommodate client needs in terms of scheduling.

1. Audits involving suspected fraudulent activities are processed differently from other internal audits, so as not to compromise a police investigation or personnel action.
2. At the conclusion of an audit project, the chief audit executive will issue a formal report or audit memorandum to the audit client and appropriate members of senior management.
3. On an annual basis or as time permits, Audit Services staff will perform a follow-up on formal recommendations included in audit reports and memoranda. Follow-up reports will summarize the status of audit issues and any actions taken by management to resolve the issues. Any items not resolved at the conclusion of a second follow-up, will be referred to the President and to the RARC for resolution.

Results of audit work are shared with the RARC and with the Board of Regents on an annual basis, or more often if appropriate.