Internal Audit Charter
The Department's charter, as approved by the Stanford University Board of Trustees, follows:
The mission of Internal Audit (IA) is to provide risk-based independent and objective audit, assessment, advisory and investigative services designed to add value and improve the operations of Stanford University, Stanford Health Care, Lucile Packard Children’s Hospital, SLAC, Stanford Management Company, and related organizations. IA helps these organizations accomplish their objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
The scope of work of IA is to determine whether the organization’s network of risk management, control, and governance processes, as designed and represented by management, is adequate and functioning effectively to ensure:
- Risks are appropriately identified and managed.
- Significant financial, managerial, and operating information is accurate, reliable, and timely.
- Employees’ actions are in compliance with applicable laws, regulations, contract/grant provisions, donor restrictions, and internal policies, plans, and procedures.
- Resources are acquired economically, used efficiently, accounted for accurately, and protected adequately.
- Compliance, integrity, quality and continuous improvement are fostered in the organization’s culture and control process.
- Significant legislative or regulatory issues impacting the organization are recognized and addressed properly.
The Senior Associate Vice President and Chief Risk Officer for IA shall be accountable to senior leadership and the Audit, Compliance and Risk Committee of the University Board of Trustees and the Audit and Compliance Committees of the Hospitals’ Boards of Directors to:
- Provide annually an assessment on the adequacy and effectiveness of the organization’s processes for controlling its activities and managing its risks in the areas set forth under the mission and scope of work.
- Report significant issues related to the processes for controlling the activities of the organization and its affiliates, including potential improvements to those processes, and provide information concerning such issues through resolution.
- Periodically provide information on the status and results of the annual audit and compliance and ethics plans, enterprise risk management activities and the sufficiency of department resources.
- Coordinate with, and provide oversight of, other compliance, control, and monitoring functions.
To provide for the independence of Internal Audit and Compliance and Ethics efforts, the Senior Associate Vice President and Chief Risk Officer reports administratively to the University Vice President of Business Affairs and Chief Financial Officer (CFO), and functionally to the Audit, Compliance and Risk Committee of the University Board of Trustees and the Audit and Compliance Committees of the Hospitals’ Boards of Directors in the manner described in the Accountability section above.
IA personnel will exhibit the highest level of professional objectivity and integrity in gathering, evaluating, and communicating information about the activity or process being examined. IA’s assessments will consider all relevant facts and circumstances, and will not be unduly influenced by their own interests or by others’ interests in forming judgments.
The internal audit activity will govern itself by adherence to The Institute of Internal Auditors’ mandatory guidance including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing. These Standards require a Charter approved by the Board. Internal Audit also conforms to other applicable standards.
IA is authorized to:
- Have unrestricted access to all functions, records, properties, and personnel.
- Make specific reports directly to the University President and Provost.
- Have direct access to the relevant Board Committees.
- Allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish IA objectives.
- Obtain the necessary assistance of personnel in units of the organization where they perform audits, reviews, assessments, investigations and advisory engagements as well as other specialized services from within or outside the organization.
IA is not authorized to:
- Perform any operational duties for the organization or its affiliates.
- Initiate or approve accounting transactions external to IA.
- Direct the activities of any organization employee not employed by IA, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist IA.
IA has responsibility to:
- Maintain a professional staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this charter.
- Establish a quality assurance and improvement program that covers all aspects of Internal Audit and Compliance and Ethics activities.
Internal Audit (IA), under the direction of the Chief Audit Executive, conducts financial, operational, and information technology audits in accordance with approved plans and its established policies and procedures.
Internal Audit services include, but are not limited to, the following:
- Developing and implementing a flexible annual audit plan using appropriate risk-based methodology, including risks or control concerns identified by management. These plans are submitted to the Audit, Compliance and Risk Committee of the University Board of Trustees and the Audit and Compliance Committees of the Hospitals’ Boards of Directors for review and approval.
- Examining and evaluating the adequacy and effectiveness of the systems of internal controls.
- Evaluating and assessing significant new or changing services, processes, operations, technologies, and controls coincident with their development and implementation.
- Identifying opportunities for reducing costs, improving processes, strengthening controls and enhancing the organization’s reputation.
- Reviewing the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information.
- In conjunction with the Office of General Counsel, assessing compliance with laws, regulations, contract/grant provisions, and internal policies, plans, and procedures.
- Verifying that resources are acquired economically, used efficiently, accounted for accurately, and protected adequately.
- Reviewing operations or programs to ascertain whether results are consistent with established objectives.
- Conducting investigations of suspected fraudulent activities in conjunction with Compliance and Ethics and other University resources and notifying management and the Audit, Compliance and Risk Committee of the University Board of Trustees and the Audit and Compliance Committees of the Hospitals’ Boards of Directors of the results.
- Performing advisory services, beyond IA’s auditing services, to assist management in meeting its objectives.
- Facilitating and coordinating external audits.
- Evaluating emerging audit trends and implementing best practices.
IA provides optimal audit coverage to the University, Hospitals, SLAC and SMC at a reasonable overall cost. In addition, the work performed by external auditors and regulators, as appropriate, is considered.
Compliance and Ethics (C&E) at Stanford University is the responsibility of all employees and is conducted by a number of different organizations with oversight residing under the Chief Ethics and Compliance Officer. C&E works closely with the Office of the General Counsel, seeking advice and counsel on matters that involve legal issues. Compliance and Ethics is organized in a matrix operational framework. This framework helps connect and coordinate the different compliance organizations ensuring that compliance is an integral part of the University’s culture. This framework also ensures that the institutional perspective is always present as we continue to fulfill our legal and ethical obligations to each other and to persons outside Stanford with whom we interact.
Compliance services include, but are not limited to, the following:
- Developing and implementing a flexible annual compliance and ethics plan as per the seven elements of the Federal Sentencing Guidelines and submitting it to the Audit, Compliance and Risk Committee of the University Board of Trustees for review and approval.
- Coordinating the University’s compliance activities, including chairing the Compliance, Ethics and ERM (CEE) Steering Committee and the Compliance Risk Administrators Network (CRAN).
- Serving as a resource in developing or improving compliance-related processes.
- Assisting in the development of University policies or practices to help ensure compliance with Federal, State, and Local laws and regulations, and contract/grant provisions.
- Assisting in the development and delivery of compliance-related training.
- Promoting compliance awareness.
- Providing compliance advisory services to management, faculty, and staff.
- Monitoring compliance and assessing the adequacy of compliance activities in compliance areas throughout the University.
- Evaluating emerging compliance trends in higher education and government and implementing best practices.
- Administering a Compliance and Ethics Helpline (with the assistance and guidance of the Office of the General Counsel and Human Resources) that provides the University community with a mechanism to: pose questions and obtain advice regarding compliance issues; report concerns related to possible noncompliance with government or external agency regulations; and report concerns related to University policies and procedures or errors or irregularities in Stanford’s financial accounting practices or policies.
On February 13, 2017, signed by:
Chair, Board of Trustees, Committee on Audit, Compliance and Risk,
Stanford University President,
Stanford Vice President Business Affairs and Chief Financial Officer, and Senior Associate Vice President and Chief Risk Officer
Note: Administrative update to functional unit name - January 29, 2024