Policy-Code-DIFA
Section D: Fiscal Management
Policy Title: Office of Internal Audit
Policy Code: DIFA
Print Version (In PDF)
Definition of Internal Audit
The Internal Audit function, as defined by the Institute of Internal Auditors (IIA) as: "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, internal controls, and governance processes."
Professionalism and Code of Ethics
The Office of Internal Audit (OIA) will adhere to District policies and regulations, applicable federal and state laws, governing regulations and guidelines, IIA's Code of Ethics, and International Standards for the professional practice of Internal Auditing (Standards).
The OIA is expected to uphold the following Code of Ethics and rules of professional conduct:
- Integrity – Establish trust, perform their work with honesty, diligence, and responsibility;
- Objectivity – Assess information, be open and maintain impartiality;
- Confidentiality – Protect information, never use for personal ends, disclose only with proper authorization;
- Competency – Apply appropriate knowledge, skills and experience, and continue professional development by improving proficiency and effectiveness of their services.
District Commitment to the Mission of the OIA
The Tucson Unified Governing Board is committed to a model of ongoing continuous improvement in meeting its goals; a fully independent OIA function is essential to this commitment.
Tucson Unified School District's (the District's) OIA is charged with evaluating and contributing to the improvement of the District's governance, risk-management and control processes by using an independent, objective, and systematic risk-based approach.
The OIA will assist the District by performing assurance and consulting audits, identifying potential risks, accessing internal controls, governance processes, and assisting in identifying operational and compliance issues.
The mission of the OIA is consistent with the IIA, and the Generally Accepted Governing Auditing Standards (GAGAS):
perform assurance and consulting audits that evaluate efficient use of resources, effectiveness of operations, compliance with internal controls, and adherence to District policies and procedures.
For the OIA to be effective it must build and maintain strong constructive relationships with the Superintendent or designee, and other stakeholders within the District. To operate at the highest level, it must have clearly defined and articulated guidance from the Governing Board and the Superintendent.
Maintaining the Independence of the OIA
For the OIA to achieve organizational independence, the department must have direct and unrestricted access to the Superintendent and individual members of the Governing Board, however routine contacts with the Governing Board may take place through the Governing Board's representative on the Audit Committee.
Accordingly, the OIA shall report administratively1 to the Superintendent and functionally to the Governing Board, thus maintaining the independence necessary to ensure the accountability and operational integrity of the OIA. The effectiveness of the OIA rests with its independence and support from the Superintendent and the Governing Board; they provide the authority and support to ensure the OIA has access to all areas of the District in order to perform the OIA duties.
The OIA will confirm their independence annually by signing the independent internal audit certificate and providing a copy to the Audit Committee, the Governing Board, and the Superintendent.
1 Administrative functions including day-to-day supervision, such as approving time off and scheduling requests, facilitating the Governing Board's evaluation of the Internal Auditor, addressing any employee-related concerns the OIA may have, and providing any administrative support or access needed.
Evaluation Process
The Governing Board hereby adopts the Internal Auditor's Evaluation Instrument as an Exhibit to this Policy (Exhibit DIFA-E Internal Auditor Evaluation Instrument).
The Governing Board delegates to the Superintendent the administrative responsibility for facilitating the formal evaluation process for the Internal Auditor as follows:
- Using Exhibit DIFA-E, the Superintendent gathers evidence related to those administrative portions of the evaluation that are related to day-to-day administrative operations with which the Governing Board has no direct knowledge or experience;
- The Superintendent presents the evidence related to the evaluation items to the Internal Auditor and provides an opportunity to supplement or provide a written response to the evidence.
- The Superintendent provides the evidence, along with any information the Internal Auditor wants to be considered, to the Governing Board in an Executive Session convened for that purpose.
- The Governing Board will consider the above evidence and additional information with which they have direct knowledge and experience regarding the performance of the Internal Auditor.
- The Governing Board completes the evaluation and formally adopts it in a public meeting
Scope of Work
The OIA will provide independent overview and analysis in the following areas:
- Evaluate the efficiency and effectiveness of departments and programs.
- Conduct follow up audits on Management's Response and Commitments to Internal Audit Findings.
- Test controls and make recommendations to help prevent fraud, waste and abuse,
- Ascertain the integrity of data developed and retained within the District.
- Assess the systems established to ensure compliance with policies, procedures, laws, and regulations which could have a significant impact on the District.
- Evaluate operations to determine whether the District is on track to meet objectives and goals.
- Analyzes the governance process; this provides assurance to management and the Governing Board of existing controls, processes and procedures to determine their efficiency and effectiveness in preventing risk.
- Report significant risk exposure and control issues, including fraud risks, governance issues, and other matters needed or requested by the Superintendent or Governing Board.
- Evaluate specific operations at the request of the Governing Board or Superintendent, as appropriate.
- Conduct special examinations at the request of the Superintendent or Governing Board, including, but not limited to, the review of audits made by persons inside or outside the District.
- Create an annual OIA Work Plan, utilizing the Annual Risk Based Assessment Plan (ARBAP), to generate a list of internal audits with estimated timelines to be completed during the year.
OIA Work Product and Annual Deadlines
1. Annually, the OIA, in consultation with the Audit Committee, will create and submit to the Superintendent and Governing Board, copies of the following:b. Major findings and ongoing risks, recommendations, and corrective actions taken by the District (including Management Response and Commitments).
c. Significant findings that have not yet been fully addressed during the past year. See Regulation DIFA-R1.
d. An Annual Risk Based Assessment Plan (ARBAP) and OIA Work Plan for the coming year, based on an assessment of risks and best practice. See Regulation DIFA-R1.
3. Ongoing, as completed: Final audit reports, findings, and recommendations to the Governing Board, the Superintendent and the Audit Committee following the internal audit procedures described in DIFA-R1.
Public Records
Except for privileged attorney-client work product and communications, the Internal Auditor's work product is subject to public records disclosure (A.R.S.39-121 et seq.) at the point Final Draft Audits or other Quarterly or Annual Reports are provided to the Governing Board and the Audit Committee. (See DIFA-R1).
Internal Auditor Charter
The purpose, authority and responsibility of the internal audit function must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards) (Section 301.3).
The OIA must periodically review and update the internal audit charter.
Unrestricted Access
The OIA shall be provided unrestricted access to all functions, records (including data and databases), property, and personnel relevant to the subject being reviewed.
The OIA shall also have full, free, and unrestricted access to the Superintendent, the Governing Board through its representative on the Audit Committee, any member of the Audit Committee, the District's General Counsel, and to the District's External Auditor.
The OIA shall have the authority to conduct various audits, included but not limited to, financial, operational, and information systems audits or reviews of all departments, offices, activities, programs, and systems under the control of the Governing Board and of expenditures incurred by the District.
Copies of documents, databases, and information given to the OIA, during a periodic review, shall be handled in the same prudent and confidential manner as by those employees normally accountable for them.
Failure or refusal to cooperate fully with the OIA during the course of an Internal Audit is a violation of Policy and Regulation DIFA and may subject the employee to disciplinary action in accordance with Governing Board policy and applicable state laws and/or employee agreements.
The OIA shall be free of interference in determining the scope of internal audits, performing audit work, and communicating audit results. Any auditee impositions, limitations, objections, and or issues, that could potentially impair or jeopardize the internal audit independence or the timely completion of an audit, shall be reported to the Superintendent or designee and/or the Governing Board and Audit Committee.
Staffing of the OIA
Staffing of the OIA is based on the needs of the department; candidates for employment require Governing Board approval prior to being hired.2
2There are two functions in the OIA. Under the IIA guidelines, the OIA Department is managed by the Chief Audit Executive function (CAE). The Internal Auditor's activities are to focus exclusively on conducting internal audits. Ideally the two functions are staffed by different individuals.
Limitations
The OIA has no operational responsibilities; it shall not perform, initiate, approve, manage, or conduct any District operational activities external to its department.
The OIA shall have "read-only" access into all District operating systems, applications, and data under audit.
When conducting Cash audits, the OIA shall not handle monies; instead the OIA shall observe as authorized cash handling employees perform the cash handling activities.
Original documents may be viewed by the OIA but they may not be removed from the department's premises. Instead electronic or paper copies of the original documents may be provided to the OIA.
Regulatory Authority
The Superintendent shall establish Regulations governing OIA deadlines, processes and procedures. See Regulation DIFA-R1 Office of Internal Audit (OIA) and Regulation DIFA-R2 Internal Audit Procedures.
Adopted: November 17, 2020
CROSS REF
DIF - Audits/Financial Monitoring