Skip to content

Policy 3-019: University of Utah Internal Audit Policy. 

Revision 6. Effective date: November 12, 2024

View PDF

  1. Purpose and Scope
  2. Definitions
  3. Policy
    1. Internal Audit Department Authority and Function
    2. Responsibilities
    3. General Procedures for Assurance Engagements (Audits)
    4. General Procedures for Advisory Engagements
  4. Policies/ Rules, Procedures, Guidelines, Forms and other Related Resources
  5. References
  6. Contacts
  7. History

  1. Purpose and Scope‌

    1. Purpose.

      To establish the university's policy regarding internal audits and the role, authority, and responsibilities of the Department of Internal Audit.

    2. Scope.

      This policy applies to all University of Utah organizations and employees.

  2. ‌Definitions‌

    The following definitions apply for the limited purposes of this policy and any associated regulations.

    1. Internal Auditing -- An independent, objective assurance and advisory service designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.

  3. ‌Policy‌

    1. ‌Internal Audit Department Authority and Function.‌

      1. Authority and Structure: The Department of Internal Audit is established in accordance with Utah Code Title 63I, Chapter 5, Utah Internal Audit Act and Utah Board of Higher Education Policy R567. It derives its authority directly from the Board of Trustees and the university president and is authorized to conduct such reviews of university organizational units or functional activities as are necessary to accomplish the university’s objectives. The Chief Audit Executive reports functionally to the president and to the Board of Trustees’ Audit Committee and has unrestricted access to communicate and interact directly with the audit committee.

      2. Mission and Function: Internal Audit’s mission is to enhance and protect organizational value by providing risk-based and objective assurance and advisory services. It is intended to be a protective and constructive link between policy-making and operational levels.

        1. Assurance services involve an objective examination of evidence for the purpose of providing an independent assessment of various processes. Internal Audit may provide limited or reasonable assurance, depending on the nature, timing, and extent of procedures performed.

        2. Advisory services, the nature and scope of which are agreed to by the relevant stakeholders, are services through which internal auditors provide advice and are intended to add value and improve processes. Internal Audit does not assume management responsibility or provide assurance when performing advisory or consulting services.

      3. Access: Internal Audit is authorized access to all records, personnel, and physical properties pertinent to any engagement, subject to accountability for confidentiality and safeguarding of records and information.

      4. Adherence to Professional Standards: The Internal Audit Department shall adhere to the Global Internal Audit Standards, as promulgated by the Institute of Internal Auditors.

    2. ‌Responsibilities‌

      Responsibilities of the Department of Internal Audit include:

      1. The development of an orderly, risk-based program for the audit of university departments or functional activities. Unscheduled audits regarding particular transactions and issues may also be conducted, as circumstances warrant.

      2. The conducting of assurance and advisory services in accordance with standards established for the professional practice of internal auditing.

      3. The investigation, review, or referral to appropriate management of reports received through the university’s ethics and compliance hotline.

      4. Timely communication to appropriate officers of any serious deficiencies noted in any audit engagement.

      5. Preparation of a report of findings, conclusions, and recommendations upon completion of an audit.

      6. Review of the implementation of recommendations or of other actions taken as a result of the audit.

    3. ‌General Procedures for Assurance Engagements (Audits).‌

      1. Opening Conference: Internal Audit will ordinarily provide advance notice of the audit to the department head and other responsible administrators. An opening conference will be arranged where specific audit objectives and plans will be discussed. Internal Audit may undertake surprise audits when appropriate.

      2. Conduct of Fieldwork: Fieldwork consists of interviews with responsible employees, observation of procedures, examination of documentation, and other audit or analytical procedures considered necessary in the circumstances. Observations and tentative findings and recommendations will normally be discussed with responsible employees of the department or functional activity throughout the audit.

      3. Closing Conference: A closing conference will ordinarily be held in which a preliminary draft of the audit report will be reviewed, any differences of fact or interpretation discussed, and any appropriate corrections or revisions made.

      4. Response to Final Audit Report

        1. Within a reasonable time following the audit, normally not to exceed two weeks, the head of the audited department shall deliver a written response to the chief audit executive. The response should indicate with respect to each finding and recommendation a statement of agreement or disagreement. If disagreement, specific provisions of the report to which exception is taken should be identified.

          i. The response should include a concise statement of actions undertaken or planned in response to the recommendation, the employee responsible, and a timetable for implementation.

        2. Upon receipt of the response, Internal Audit shall forward the draft audit report and response to the cognizant vice president, together with explanatory comments. The vice president should respond in writing to the Chief Audit Executive that they have reviewed the audit report and response.

      5. Final Audit Report: After considering the responses of the department head and the cognizant vice president, and after making any changes which may be appropriate, the final audit report shall be submitted to the president, with copies to the Board of Trustees’ Audit Committee and line management through the cognizant vice president. A copy of the responses of the department head and the cognizant vice president shall be included in the final report.

      6. Follow-up Review.

        1. Within a reasonable time following the release of the audit report, as determined appropriate by the audited department or functional activity and Internal Audit, Internal Audit will conduct a review of actions taken in response to the audit report. At the completion of the review, Internal Audit shall distribute a follow-up report to those who received the original audit report.

        2. The follow-up report shall state if appropriate steps have been initiated by the audited department and identify any items where further action is necessary.

    4. ‌General Procedures for Advisory Engagements.‌

      1. Opening Conference: Internal Audit shall provide advance notice of the advisory engagement to relevant stakeholders. An opening conference shall be arranged where specific objectives and plans will be discussed.

      2. Conduct of Fieldwork: Fieldwork consists of interviews with responsible employees, observation of procedures, examination of documentation, and other analytical procedures considered necessary in the circumstances. Observations and tentative findings and recommendations shall normally be discussed with responsible employees of the department or functional activity throughout the advisory engagement.

      3. Closing Conference: A closing conference shall ordinarily be held in which a preliminary draft of the report will be reviewed.

      4. Final Report.

        1. Internal Audit shall provide a written report to the relevant stakeholders within a reasonable time following the completion of its fieldwork.

        2. The report shall include a summary of Internal Audit’s scope of work and observations made during the engagement.


          Sections IV- VII are for user information and are not subject to the approval of the Academic Senate or the Board of Trustees. The Institutional Policy Committee, the Policy Owner, or the Policy Officer may update these sections at any time.


  4. ‌Policies/ Rules, Procedures, Guidelines, Forms, and other Related Resources‌

    1. Policies/ Rules. [reserved]

    2. Procedures, Guidelines, and Forms. [reserved]

    3. Other Related Resources. [reserved]

  5. ‌References‌

    1. Utah Code Title 63I, Chapter 5, Utah Internal Audit Act

    2. Utah Board of Higher Education Policy R567: Internal Audit Program

    3. Institute of Internal Auditors Global Internal Audit Standards

  6. ‌Contacts‌

    The designated contact officials for this regulation are

    1. Policy Owner(s) (primary contact person for questions and advice): Chief Audit Executive

    2. Policy Officer(s): Vice President for Administrative Services

      See Rule 1-001 for information about the roles and authority of policy owners and policy officers.

  7. ‌History‌

    1. Current version. Revision 6

      1. Presented for information of the Academic Senate on November 4, 2024, and approved by the Board of Trustees on November 12, 2024, with effective date of November 12, 2024.

      2. Legislative History

      3. Editorial Revisions [reserved]

    2. Previous Versions

      1. Revision 5. Effective date: April 14, 2020

        1. Legislative History for Revision 5
      2. Revision 4. Effective date: April 3, 1985

    3. Renumbering

      1. Renumbered from Policy and Procedures Manual 3-23.

Last Updated: 12/17/24