University of Pittsburgh

Internal Audit Department Charter


The mission of the Internal Audit Department is to provide independent, objective assurance and consulting services designed to add value and improve the University’s operations. Internal Audit helps the University to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of internal controls, risk management, compliance, and governance processes. Internal Audit will assist University Management and the Audit Committee of the Board of Trustees in identifying, avoiding, and mitigating risks.

To accomplish its threefold mission of teaching, research and public service, the University must maintain the confidence of its Board of Trustees, faculty, staff, students, alumni, the public, elected officials and various other constituencies. Confidence in the institution is paramount if the University is going to achieve its stated objectives. The Internal Audit Department provides valuable support in maintaining the public’s confidence by performing independent and objective reviews, and reporting to the Audit Committee and responsible administrative and academic officers on their findings so that corrective actions or enhancements can be initiated.


The Internal Audit Department is established by the Board of Trustees. The Internal Audit Department’s responsibilities are defined by the Audit Committee as part of their oversight role.

The Director of Internal Audit, in the discharge of his/her duties, shall be accountable to the Chancellor and the Audit Committee of the Board of Trustees to:

  • Provide annually an assessment on the adequacy and effectiveness of the University’s processes for controlling its activities and managing its risks in the areas set forth under the Mission and Scope of Work.
  • Report significant issues related to the processes for controlling the activities of the University, including potential improvements to those processes, and provide information concerning such issues through resolution.
  • Periodically provide information on the status and results of the annual audit plan and the sufficiency of departmental resources.
  • Coordinate investigation of fraudulent activities with other control and monitoring functions (i.e. risk management, compliance, campus police, general counsel, environmental, and external audit).

Professionalism/Professional Standards

The Internal Audit Department is committed to the professional practice of internal auditing. The Internal Audit Department will govern itself by adherence to the Institute of Internal Auditors “Definition of Internal Auditing”; the “International Standards for the Professional Practice of Internal Auditing”; and the “Code of Ethics”. The Institute of Internal Auditors “Position Papers”; “Practice Advisories”; and “Practice Guides” will be used for guidance in the practice of internal auditing. In addition, Internal Audit will adhere to University policies and procedures and the Internal Audit Department audit manual. This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the Internal Audit Department’s performance.

Scope of Work

The scope of work of the Internal Audit Department must be appropriate so that it can determine whether the University’s network of risk management, control and governance processes, as designed and represented by management, are adequate and functioning in a manner to ensure:

  • Risks are appropriately identified and managed.
  • Interaction with the various governance groups occurs as needed.
  • Significant financial, managerial and operating information is accurate, reliable and timely.
  • Employees’ actions are in compliance with policies, standards, procedures and applicable laws and regulations.
  • Resources are acquired economically, used efficiently and adequately protected.
  • Programs, plans and objectives are achieved.
  • Quality and continuous improvements are fostered in the University’s control process.
  • Significant legislative or regulatory issues impacting the University are recognized and addressed appropriately.
  • Information Technology is adequate, reliable and secure.

The extent and frequency of internal audits will depend upon varying circumstances such as results of previous audits, relative risk associated with activities, materiality, the adequacy of the system of internal control and resources available to Internal Audit.


The Internal Audit Department is authorized to direct a broad, comprehensive program of internal auditing within the University. The Director and staff of the Internal Audit Department are authorized to:

  • Have unrestricted access to all functions, records, property and personnel. Documents and other information provided to Internal Audit will be handled in the same prudent and confidential manner as by the employees normally accountable for them.
  • Have full and free access to the Audit Committee.
  • Allocate resources, set frequencies, select subjects, determine scopes of work and apply the techniques required to accomplish audit objectives.
  • Obtain the necessary assistance of personnel in units of the University where audits are performed, as well as other specialized services from within or outside the University.


To properly perform these tasks, the Internal Audit Department must be independent in its actions. To provide for the independence of the Internal Audit Department, its personnel report to the Director of Internal Audit, who reports functionally to the Audit Committee of the Board of Trustees and administratively to the Chancellor, in a manner outlined in the above section on Role/Accountability. It will include as part of its reports to the Audit Committee a regular report on personnel in the Internal Audit Department and their independence.

This reporting structure allows Internal Audit to remain independent and report all items of significance to the Chancellor and the Audit Committee.

The Director and staff of the Internal Audit Department are not authorized to:

  • Perform any operational duties for the University or its affiliates.
  • Initiate or approve accounting transactions external to the Internal Audit Department.
  • Direct activities of any University employee, not employed by Internal Audit, except to the extent those employees have been appropriately assigned to auditing teams, or to otherwise assist the internal auditors.


The Director and staff of the Internal Audit Department have the responsibility to:

  • Develop a flexible annual audit plan using appropriate risk based methodology, including any risks or control concerns identified by management and submit that plan to the Audit Committee for review and approval, as well as periodic updates.
  • Implement the annual audit plan, as approved, including as appropriate any special tasks or projects requested by management and the Audit Committee.
  • Maintain a professional audit staff with sufficient knowledge, skills, experience and professional certifications to meet the requirements of this Charter.
  • Evaluate and assess significant merging/consolidating functions, new or changing services, processes, operations and control processes coincidental to their development, implementation and/or expansion.
  • Identify and measure new and major changes to information systems to ensure that adequate internal controls exist.
  • Issue periodic reports to management and the Audit Committee summarizing results of audit activities.
  • Keep the Audit Committee informed of emerging trends and successful practices in internal auditing.
  • Provide a list of significant measurement goals and results to the Audit Committee.
  • Assist in investigations of significant suspected fraudulent activities within the University and notify management and the Audit Committee of the results.
  • Evaluate the adequacy of actions taken by management to correct reported deficiencies.
  • Consider the scope of work of external auditors and regulators as appropriate, for the purpose of providing optimal audit coverage to the organization at a reasonable overall cost.
  • Perform consulting and advisory services related to internal controls, risk management, compliance, and governance processes as appropriate for the organization.

Internal Audit Plan

Annually the Director of Internal Audit will submit to senior management and the Audit Committee an internal audit plan for review and approval. The internal audit plan will contain a schedule of audits to be completed, prior year audit plan, department objectives, and financial and resource budgets for the fiscal year. The Director of Internal Audit will communicate the impact of resource limitations and significant interim changes to senior management and the Audit Committee.

The internal audit plan will be developed based on a prioritization of the audit universe using a risk-based methodology, including input of senior management and the Audit Committee. Any significant deviation from the approved internal audit plan will be communicated to senior management and the Audit Committee through periodic activity reports.


A written report will be prepared and issued by the Director of Internal Audit or designee following the conclusion of each internal audit engagement and will be distributed as appropriate. A copy of each audit report will be forwarded to the Chancellor and other appropriate parties.

Internal audit reports generally include management’s response and corrective action taken or to be taken in regard to the specific findings and recommendations. Management’s response should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented.

The Internal Audit Department will be responsible for appropriate follow-up on engagement findings and recommendations. All significant findings will remain in an open issues file until cleared.

Periodic Assessment/Quality Assurance

The Director should periodically assess whether the mission, scope of work, responsibility and authority, as defined in this charter, continue to be adequate to enable the Internal Audit Department to be able to accomplish its objectives. The result of this periodic assessment should be communicated to University Management and the Audit Committee of the Board of Trustees.

In addition, the Director will communicate to senior management and the Board on the Internal Audit Department’s quality assurance and improvement program, including results of on-going internal assessments and external assessments conducted at least every five years.

Cathedral Images