

The purpose of Internal Audit is to provide independent, objective assurance and consulting services that add value and improve the operations of The University of Arizona (Arizona). Internal Audit reviews help Arizona accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of business, risk management, control and governance processes. 

Internal Audit evaluates risk exposures relating to Arizona governance, operations and information systems for:

  • Achievement of the organization’s strategic objectives.
  • Effectiveness and efficiency of operations and programs.
  • Reliability and integrity of financial and operational information.
  • Safeguarding of assets.
  • Compliance with laws, regulations, policies, procedures and contracts.


In order to accomplish its objectives, Internal Audit has full, free and unrestricted access to all functions, records, reports, activities, property and personnel, as needed to fulfill its assigned responsibilities. Internal Audit staff will exercise discretion in the review of records to assure the necessary confidentiality of matters that come to their attention, as required by the Institute of Internal Auditors’ Code of Ethics.

University management is responsible for the risk management and internal control structure over the areas audited. Internal auditors have no direct responsibility or any authority over any of the activities or operations that they review.

Independence and Objectivity

Internal Audit must be independent, and the internal auditors must be objective in performing their work. Internal Audit’s authority comes from the Arizona Board of Regents Audit and Risk Management Committee. The Audit and Risk Management Committee is responsible for auditor independence and objectivity, but delegates responsibility for ongoing oversight of the university internal audit function to the Internal Audit Review Board. 

The Chief Auditor of the Internal Audit Department reports functionally to the Internal Audit Review Board and administratively to the Senior Vice President for Business Affairs and Chief Financial Officer. This authority cannot be delegated. The Chief Auditor is not a member of the Internal Audit Review Board.

The reporting line for the internal audit activity is the ultimate source of its independence and authority. Examples of functional reporting involve:

  1. Approving the internal audit charter.
  2. Approving a risk-based internal audit plan.
  3. Approving the internal audit budget and resource plan.
  4. Receiving communications from the Chief Auditor on the internal audit activity’s performance relative to its plan and other matters.
  5. Approving decisions regarding the appointment and removal of the Chief Auditor.
  6. Approving the remuneration of the Chief Auditor.
  7. Making appropriate inquiries of management and the Chief Auditor to determine whether there are inappropriate scope or resource limitations.

Administrative reporting is a relationship within the organization’s management structure that facilitates day-to-day operations of the internal audit activity and provides appropriate interface and support for effectiveness. Examples of administrative reporting involve:

  1. Budgeting and management accounting.
  2. Human resource administration.
  3. Internal communications and information flows.
  4. Administration of the organization’s internal policies and procedures (expense approvals, leave approvals, floor space, etc.).

The Chief Auditor confers with the Arizona Board of Regents Audit and Risk Management Committee at least annually, outside the presence of university officials, on any subject related to Internal Audit's area of responsibility. The Chief Auditor may communicate directly with the Chair of the Audit and Risk Management Committee at any time. 

Internal auditors must exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined and shall have an impartial, unbiased attitude and avoid conflicts of interest.


The responsibility of the internal audit function is to serve Arizona in a manner that adheres to the Institute of Internal Auditors’ Mandatory Guidance. 

Internal Audit responsibilities include, but are not limited to:

  1. Developing and implementing a risk-based annual audit plan and additional multi-year audit schedule that recognizes the scope of work performed by other university compliance functions and other auditors. Unless otherwise directed by the Audit and Risk Management Committee, the audit plan will include components of IT Security.
  2. Submitting the aforementioned plan to the Internal Audit Review Board for review and approval. The Chief Auditor will submit the plan to the Audit and Risk Management Committee for approval.
  3. Implementing the annual audit plan, as approved.
  4. Examining and evaluating the adequacy and effectiveness of the systems of internal control, including information systems security and control.
  5. Identifying opportunities for reducing costs, improving processes and enhancing the university’s reputation.
  6. Appropriately documenting the results of all audit work performed.
  7. Promptly and properly reporting any frauds, abuses, internal control weaknesses, other concerns and opportunities for improvement to university management and the Audit and Risk Management Committee, if appropriate.
  8. Following up on previously completed audits to ensure management is implementing actions to address identified operational, compliance and internal control issues satisfactorily.
  9. Distributing audit reports to university management and the Audit and Risk Management Committee.
  10. Maintaining a professional audit staff with sufficient knowledge, skills, professional certifications and competencies to meet the requirements of this charter.
  11. Performing advising and consulting services, as requested, to assist management in meeting its objectives.
  12. Responding to requests and special audit projects requested by the Audit and Risk Management Committee. 
  13. Establishing a quality assurance program by which the Chief Auditor assures that internal auditing activities are conducted in accordance with professional standards.

Reports to the Audit and Risk Management Committee

During each Audit and Risk Management Committee regularly scheduled meeting, the Chief Auditor will report:

  1. Significant obstacles experienced in performing individual audits/projects.
  2. Status or progress against the approved audit plan and any concerns regarding the ability to complete the annual audit plan.
  3. Current internal audit staffing levels, including certifications.
  4. Changes in significant risks since prior meeting.
  5. Significant audit findings in audit reports issued since the prior Audit and Risk Management Committee meeting, irrespective of remediation. The Chief Auditor is to determine which findings to report.
  6. Status of major corrective actions pending. The Chief Auditor is to determine which findings to include. 

Annually, the Chief Auditor will present for Audit and Risk Management Committee approval:

  1. University risk assessment, including a description of the heat map development.
  2. Annual Internal Audit Plan for the next fiscal year, with a description of how the plan was developed and how the risk assessment influenced the plan.
  3. Multi-year audit schedule.
  4. Updated Internal Audit Charter for Audit and Risk Management Committee approval, highlighting any changes proposed since last approval, if any.

Periodically, when appropriate, the Chief Auditor will present Internal Audit’s completion of a Quality Assessment Review (peer review


Update Effective July 1, 2023