
Policy 3-019: University of Utah Internal Audit Policy. 

Revision 5. Effective date: April 14, 2020

  1. Purpose and Scope

    1. Purpose: To establish the University's policy regarding internal audits and the role, authority and responsibilities of the Internal Audit Department.

    2. Scope: This policy applies to all University of Utah organizations and employees.

  2. Definitions

    1. Internal Auditing. An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. This is achieved by bringing a disciplined approach to the evaluation and improvement of University processes related to risk management, internal control, and governance.

  3. Policy

    1. Internal Audit Department Authority and Function.

      1. Authority and Structure.

        The Internal Audit Department is established in accordance with the Utah Internal Audit Act and policy R567 of the Utah Board of Higher Education (formerly Board of Regents). It derives its authority directly from the Board of Trustees and the president, and is authorized to conduct such reviews of University organizational units or functional activities as are necessary to accomplish its objectives. The Chief Audit Executive reports functionally to the President and to the Chair of the Board of Trustees Audit Committee, and will have unrestricted access to communicate and interact directly with the audit committee.

      2. Mission and Function.

        Internal Audit’s mission is to enhance and protect organizational value by providing risk-based and objective assurance and advice. It is intended to be a protective and constructive link between policy-making and operational levels. Assurance services involve an objective examination of evidence for the purpose of providing an independent assessment of various processes. Advisory services, the nature and scope of which are agreed with the client, are intended to add value and improve processes without the internal auditor assuming management responsibility.

      3. Access.

        Internal Audit is authorized access to all records, personnel, and physical properties pertinent to any audit engagement, subject to accountability for confidentiality and safeguarding of records and information.

      4. Adherence to Professional Standards.

        The Internal Audit Department shall adhere to mandatory elements of the Institute of Internal Auditors’ International Professional Practices Framework, including the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, and International Standards for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing. This includes adherence to standards regarding independence and objectivity.

    2. Responsibilities.

      Responsibilities of the Internal Audit Department include:

      1. Development of an orderly, risk-based program for the audit of selected University departments or functional activities. Unscheduled audits regarding particular transactions and issues may also be conducted, as circumstances warrant.

      2. Conduct of audits in accordance with standards established for the professional practice of internal auditing.

      3. Investigation, review, or referral to appropriate management of reports received through the University’s ethics and compliance hotline.

      4. Timely communication to appropriate officers of any serious deficiencies noted in any audit engagement.

      5. Preparation of a report of findings, conclusions, and recommendations upon completion of the audit.

      6. Review of the implementation of recommendations or of other actions taken as a result of the audit.

    3. General Procedures for the Conduct of Audits.

      1. Opening Conference.

        Internal Audit will ordinarily provide advance notice of the audit to the department head and other responsible administrators. An opening conference will be arranged where specific audit objectives, plans, and procedures will be discussed. Surprise audits may also be undertaken if appropriate in the circumstances.

      2. Conduct of Fieldwork.

        Audit fieldwork consists of interviews with responsible employees, observation of procedures, examination of documentation, and other audit or analytical procedures considered necessary in the circumstances. Audit observations and tentative findings and recommendations will normally be discussed with responsible employees of the audited department during the audit.

      3. Closing Conference.

        A closing conference will ordinarily be held in which a preliminary draft of the audit report will be reviewed, any differences of fact or interpretation discussed, and any appropriate corrections or revisions made.

      4. Response to Final Audit Report.

        Within a reasonable time following the audit, normally not to exceed two weeks, the head of the audited department shall deliver a written response to the Chief Audit Executive.

        The response should indicate with respect to each finding and recommendation:

        1. A statement of agreement or disagreement. If disagreement, specific provisions of the report to which exception is taken should be identified and

        2. A concise statement of actions undertaken or planned in response to the recommendation, as well as a timetable for implementation.

          Upon receipt of the response, Internal Audit shall forward the draft audit report and response to the cognizant vice president, together with explanatory comments. The vice president should respond in writing to the Chief Audit Executive that he/she has reviewed the audit report and response.
      5. Final Audit Report.

        After considering the responses of the audited department head and the cognizant vice president, and after making any changes which may be appropriate, the final audit report shall be submitted to the president, with copies to the Board of Trustees audit committee and line management through the cognizant vice president. A copy of the responses of the department head and the cognizant vice president will be included in the final report.

      6. Follow-up Review.

        Within a reasonable time following the release of the audit report, ordinarily six months, Internal Audit will conduct a review of actions taken in response to the audit report. At the completion of the review, a follow-up report will be distributed to those who received the original audit report.

        The follow-up report will state if appropriate steps have been initiated by the audited department, and will identify any items where further action is considered necessary.

        [Note: Parts IV-VII of this Regulation (and all other University Regulations) are Regulations Resource Information – the contents of which are not approved by the Academic Senate or Board of Trustees, and are to be updated from time to time as determined appropriate by the cognizant Policy Officer and the Institutional Policy Committee, as per Policy 1-001 and Rule 1-001.]


  4. Rules, Procedures, Guidelines, Forms and other Related Resources:


  5. References:

    Utah Code §63I-5, Utah Internal Audit Act

    Utah Board of Higher Education (formerly Board of Regents) Policy R567, Internal Audit Program

    Utah Board of Higher Education (formerly Board of Regents) Policy R565, Audit Committees

    Institute of Internal Auditors, International Standards for the Professional Practice of Internal Auditing

  6. Contacts:

    The designated contact officials for this Regulation are

    1. Policy Owner (primary contact person for questions and advice): Chief Audit Executive, 801-581-5988

    2. Policy Officer: VP for Administrative Services, 801-581-6940

      These officials are designated by the University President or delegee, with assistance of the Institutional Policy Committee, to have the following roles and authority, as provided in University Rule 1-001:

      “A ‘Policy Officer’ will be assigned by the President for each University Policy, and will typically be someone at the executive level of the University (i.e., the President and his/her Cabinet Officers). The assigned Policy Officer is authorized to allow exceptions to the Policy in appropriate cases…”

      “The Policy Officer will identify an ‘Owner’ for each Policy. The Policy Owner is an expert on the Policy topic who may respond to questions about, and provide interpretation of the policy; and will typically be someone reporting to an executive level position (as defined above), but may be any other person to whom the President or a Vice President has delegated such authority for a specified area of University operations. The Owner has primary responsibility for maintaining the relevant portions of the Regulations Library… [and] bears the responsibility for determining –requirements of particular Policies….”

      University Rule 1-001-III-B & E

  7. History:


    Renumbered as Policy 3-019 effective 9/15/2008, formerly known as PPM 3-23.

    Revision History:

    1. Current version: Revision 5, effective April 14, 2020

      Presented for the Information & Recommendations of the Academic Senate: March 30, 2020

      Approved by Board of Trustees: April 14, 2020

      Editorially revised May 18, 2021 to update the formerly named Utah Board of Regents to the new name of Utah Board of Higher Education.

               Legislative History of Revision 5.
    2. Earlier revisions:

      Revision 4: effective dates: April 3, 1985 to April 14, 2020

Policy: 3-019 Rev: 5
Date: April 14, 2020
Last Updated: 6/15/23