1:015 Internal Audit
|Austin Peay State University
||March 9, 2018
||Chief Audit Officer
||Office of Internal Audit
It is the policy of Austin Peay State University that the internal audit function
contributes to the improvement of the university’s operations by providing objectives
and relevant assurance regarding risk management, control, and governance processes
to management and the Board. Management is responsible for evaluating the university’s
risks and establishing and maintaining adequate controls and processes. To provide
relevant information, the internal audit function will consider the goals of the university,
management’s risk assessments and other input from management in determining its risk-based
The purpose of the policy is to address staffing, responsibilities of the internal
audit function, audit planning and reporting on internal audit activities.
-Internal Audit Standards
-Internal Audit Personnel
-Internal Audit Role and Scope
-Audit Plans and Activity Reports
-Communicating Audit Results
Internal Audit Standards
- The internal audit function shall adhere to The Institute of Internal Auditors’ (IIA)
International Standards for the Professional Practice of Internal Auditing and Code
of Ethics (T.C.A. § 4-3-304(9)). The Institute of Internal Auditors, International
Professional Practices Framework (IPPF), incorporates the mandatory guidance of the
definition of internal auditing, the International Standards for the Professional Practice of Internal Auditing (Standards), Core Principles for the Professional Practice of Internal Auditing and Code of Ethics
into one document. It includes the following definition of internal auditing:
- Internal Auditing is an independent, objective assurance and consulting activity designed
to add value and improve an organization’s operations. It helps an organization accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and improve
the effectiveness of risk management, control, and governance processes (IPPF 2013).
- To assure compliance with the IIA Standards, the internal audit function must implement
and maintain a quality assurance and improvement program that incorporates both internal
and external review activities.
- Internal reviews include both ongoing and periodic review activities.
- External reviews must be performed at least every five years by a qualified, independent
- Results of quality assurance reviews will be communicated to the Board of Trustees
Audit Committee and management.
Internal Audit Personnel
- APSU shall employ at least two individuals with full-time responsibility as internal
auditors. Additional internal audit staff shall depend upon the size and structure
of the university.
- Titles of internal audit staff shall be consistent within the overall university structure.
- Internal Audit Staff
- Internal audit staff must possess the professional credentials, knowledge, skills,
and other competencies to perform their individual responsibilities and collectively
must possess or obtain knowledge, skills, and other competencies needed to perform
- The Chief Audit Officer must be licensed as a Certified Public Accountant or a Certified
Internal Auditor, maintain an active license and annually complete sufficient, relevant
continuing professional education to satisfy the requirements for the professional
- Audit staff should annually complete sufficient, relevant continuing professional
education to satisfy the requirements for their related professional certifications
or, at a minimum, eighty hours of relevant continuing professional education every
- The Chief Audit Officer should communicate concerns to management and the Board regarding
the lack of sufficient resources to complete the objectives of an engagement or the
- Such resources may include the need for additional personnel or personnel with specialized
knowledge, such as those with knowledge of fraud, information technology or other
- The appointment of the Chief Audit Officer as recommended by the President is subject
to approval by the Audit Committee of the Board of Trustees.
- Compensation of the internal auditors is subject to approval by the Audit Committee
of the Board.
- Termination or Change of Status
- The termination or change of status of Chief Audit Officer requires the prior approval
of the President and the Audit Committee of the Board of Trustees.
Internal Audit Role
- Reporting Structure
- The Chief Audit Officer reports functionally to the Audit Committee of the Board and
reports to the President for administrative purposes. This reporting structure assures
the independence of the internal audit function.
- The internal audit function will maintain a manual to guide the internal audit activity
in a consistent and professional manner.
- The internal auditors’ responsibilities include:
- Working with management to assess university’s risks and developing an audit plan
that considers the results of the risk assessment.
- Evaluating university controls to determine their effectiveness and efficiency.
- Coordinating work with external auditors, program reviewers, and consultants.
- Determining the level of compliance with internal policies and procedures, state and
federal laws, and government regulations.
- Testing the timeliness, reliability, and usefulness of institutional records and reports.
- Recommending improvements to controls, operations, and risk mitigation resolutions.
- Assisting the university with its strategic planning process to include a complete
cycle of review of goals and values.
- Evaluating program performance.
- Performing consulting services and special requests as directed by the Board of Trustees
Audit Committee or the President.
- The scope of internal auditing extends to all aspects of university operations and
beyond fiscal boundaries. The internal audit staff shall have access to all records,
personnel, and physical properties relative to the performance of duties and responsibilities.
- The scope of a particular internal audit activity may be as broad or as restricted
as required to meet management needs.
- Objectivity is essential to the internal audit function. Therefore, internal audit
personnel should not be involved in the development and installation of systems and
procedures, preparation of records, or any other activities that the internal audit
staff may review or appraise. However, internal audit personnel may be consulted on
the adequacy of controls incorporated into new systems and procedures or on revisions
to existing systems.
- Management is responsible for identifying, evaluating, and responding to potential
risks that may impact the achievement of the university’s objectives. Auditors continually
evaluate the risk management, internal control, and governance processes. To facilitate
these responsibilities, Internal Audit will receive notices or copies of external
audit reviews, program reviews, fiscally related consulting reports, cash shortages,
physical property losses, and employee misconduct.
Audit Plans and Activity Reports
- Internal Audit shall develop an annual audit plan using an approved risk assessment
- At the beginning of each fiscal year, after consultation with the President, the Board
of Trustees Audit Committee, and other university management, Internal Audit will
prepare an annual audit plan. The audit plan must be flexible to respond to immediate
issues and will be revised for such changes during the year.
- Audit plans and any significant revisions will be approved by the Board of Trustees
- At the end of each fiscal year, Internal Audit will prepare an annual activity report
of all significant audit services performed.
- Annual activity reports and approved audit plans will be provided to the Comptroller's
Office, Division of State Audit.
- Audit engagements will be planned to provide relevant results to management and the
Board of Trustees Audit Committee regarding the effectiveness and efficiency of processes
and controls over operations. To ensure management's expectations are met, auditors
will communicate with management regarding the objectives and scope of the engagement.
- In planning and during the engagement, auditors should consider and be alert to risks
that affect the university's goals and objectives, operations and resources. Auditors
should consider risks based on the operations under review, which include but are
not limited to the risk of financial misstatements, noncompliance, and fraud.
- An audit work program will be designed to achieve the objectives of the engagement
and will include the steps necessary to identify, analyze, evaluate, and document
the information gathered and the conclusions reached during the engagement.
- Working papers that are created, obtained, or compiled by an internal audit staff
are confidential and are not an open record (T.C.A. § 4-3-304(9)).
- A written report that documents the objectives, scope, conclusions, and recommendations
of the audit will be prepared for audit engagements providing assurance to the Board
and management. Management will include corrective action for each reported finding.
- Internal Audit will perform audits to follow-up on findings or recommendations included
in internal audit reports, investigation reports, and State Audit reports. A written
report will be prepared and for any findings that have not been corrected, management
will be asked to include a revised corrective action plan. The President, along with
the Board of Trustees Audit Committee, will be notified at the conclusion of a follow-up
audit if management has not corrected the reported finding or implemented the recommendation.
- A written report that documents the objectives, scope, conclusions, and recommendations
will be prepared for investigations resulting from allegations or identification of
fraud, waste or abuse. As appropriate in the circumstances, management will include
corrective action for each reported finding. In a case where allegations are not substantiated
by the review and there are no other operational concerns to report to management
regarding the review, the case may be closed by writing a memo to the working paper
file documenting the reasons for closing the case.
- Reports on special studies, consulting services, and other non-routine items should
be prepared as appropriate, given the nature of the assignment.
- All internal audit reports will be signed by the Chief Audit Officer and transmitted
directly to the President in a timely manner.
- The Chief Audit Officer will present significant results of internal audit reports
to the Board of Trustees Audit Committee quarterly.
- The Chief Audit Officer will provide a copy of each report to the Comptroller's Office,
Division of State Audit.
APSU Policy 1:015 - Rev.: March 9, 2018
APSU Policy 1:015 (previously 4:001) – Rev.: May 19, 2017
APSU Policy 1:015 – Rev.: March 28, 2017
APSU Policy 1:015 – Rev.: September 14, 2015
APSU Policy 1:015 – Rev.: October 21, 2011
APSU Policy 1:015 – Issued: October 7, 2002
President: signature on file