Policy & Regulation

Chapter 05.03 - Audit and Compliance Services

DOWNLOAD FILE

REGENTS’ POLICY
PART V – FINANCE AND BUSINESS MANAGEMENT
Chapter 05.03 - Audit and Compliance Services

P05.03.010. Purpose of P05.03.010 - 05.03-032

By adopting P05.03.010 - 05.03.032, the board establishes the general authority and responsibilities of the university's office of audit and compliance services.                                                                                                                                                                     

   (02-19-26)

P05.03.012. Mission.

The mission of the office of audit and compliance services is to assist the board and management in the effective discharge of their fiduciary, compliance oversight, and administrative responsibilities by providing analysis, appraisals, counsel, information and recommendations concerning activities reviewed and by promoting effective controls for the recording and reporting of operational activities and for the custody and safeguarding of assets, and for addressing significant federal and state laws, regulations, university policy and other requirements impacting the university.                                                                                                                                       

    (02-19-26)

P05.03.014. Role.

A. The office of audit and compliance services is established by the Board of Regents, and its responsibilities are defined by the Audit and Finance Committee of the Board of Regents as part of their oversight function.

B. Internal auditing is as an independent, objective assurance and consulting activity designed to add value and improve the university’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of internal control, institutional compliance, risk management, and governance processes. It is established within the university to examine and evaluate its activities to meet the needs of the board and executive management. Internal audits may include financial, performance, operational and compliance audits.

C. Chancellors have the primary responsibility for ensuring the compliance of their respective university to achieve the highest level of compliance with applicable ethical, legal, regulatory and system standards and requirements by faculty, staff and students in the system and promoting an organizational culture that encourages ethical conduct and a commitment to compliance with such standards and requirements.

D. The president, as chief executive officer of the University of Alaska, is responsible for ensuring the design, implementation, and enforcement of an effective compliance and ethics program for the University of Alaska system and will ensure system support, coordination and oversight among the universities in implementing this chapter. 

                                                                                                                                                                                                           (02-19-26)

P05.03.016. Professional Standards.

A. The office of audit and compliance services will take reasonable steps to adhere to the mandatory elements of the Institute of Internal Auditors’ (IIA) International Professional Practices Framework, which are the Global Internal Audit Standards and Topical Requirements. The chief audit executive will report periodically to the audit and finance committee and senior management regarding the internal audit function’s conformance with the Standards, which will be assessed through a quality assurance and improvement program.

B. The office of audit and compliance services will take reasonable steps to adhere to the Governmental Auditing Standards published by the Comptroller General of the United States, university policies and procedures, and the departmental procedures manual.

C. The information systems audit professionals will additionally take reasonable steps to adhere to the mandatory standards of the Information Technology Assurance Framework (ITAF) and the Code of Ethics of the Information Systems Audit and Control Association (ISACA).

D. The university’s institutional compliance program will strive to implement the best practices of effective compliance programs as guided by the Federal Requirements of an Effective Compliance and Ethics Program (§8B2.1.)

                                                                                                                                                                                                                 (02-19-26)

P05.03.018. Authority.

  1. The office of audit and compliance services’ authority was created and is maintained by its direct reporting relationship to the Audit and Finance Committee chair. Such authority allows for unrestricted access to the Audit and Finance Committee and chair of the board.
  2. The chief audit executive and staff of the office of audit and compliance services shall have full, free, and unrestricted access to all university operations, information, records, either manual or electronic, property, and personnel as may be required for the efficient conduct of their audit responsibilities. All employees are directed to assist the office of audit and compliance services staff in fulfilling their role and responsibilities.
  3. The institutional compliance program shall be headed by a senior compliance professional that will develop the infrastructure for the effective operation of the institutional compliance program. This role is a fundamental part of the management structure of the University of Alaska in developing and maintaining a compliance program to assist the universities in complying with federal, state and local rules and regulations.
  4. All documents and information provided to the audit and compliance staff shall be handled in the same prudent manner as expected of those who are normally accountable for them.
  5. The chief audit executive shall have free and unrestricted access to the chair of the Audit and Finance Committee and the chair of the board.                                                                                                                                                                                         

                                                                                                                                                                                                                 (02-19-26)

P05.03.020. Organization.

  1. The chief audit executive shall report administratively to the chief finance officer and functionally to the chair of the Audit and Finance Committee. This enables internal audit services and responsibilities to be performed without interference from management, thereby maintaining the necessary independence and objectivity. The chief finance officer shall appoint and may remove the chief audit executive with the advice and consent of the Audit and Finance Committee.
  2. The chief audit executive shall report any matters which in the chief audit executive’s sole opinion warrant direct attention or action by the board to the chair of the Audit and Finance Committee and to management any matters that warrant direct attention or action by management.
  3. The chief finance officer shall supervise the chief audit executive except for matters relating to the establishment of the scope of audit activities and the reporting of audit findings and recommendations.
  4. The senior compliance professional reports to the chief audit executive, and through that position, indirectly to the Audit and Finance Committee.
  5. Senior management may request special audits by the department to meet the its responsibilities. Special request audits will be discussed with the chair of the Audit and Finance Committee prior to acceptance by the chief audit executive.
  6. Senior management shall be responsible for and have the authority to require the implementation of recommendations or other resolution of audit findings.                                                                                                                                                         

                                                                                                                                                                                                                 (02-19-26)

P05.03.022. Independence.

  1. All activities conducted by the office of audit and compliance services shall remain free of influence by other elements of the university, including matters of audit selection, scope, procedures, frequency, timing, or report content, to permit maintenance of an independent and objective mental attitude necessary in rendering reports.
  2. All staff of the office of audit and compliance services have the independence necessary to be able to carry out duties effectively and without fear of retaliation.
  3. Internal auditors shall have no direct operational responsibility or authority over any of the activities they review. Accordingly, they shall not develop nor install systems or procedures, prepare records, or engage in any other activity which would normally be audited. 
  4. Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively such that they believe in their work product, do not compromise quality, and do not subordinate their judgment on audit matters to others, either in fact or appearance.
  5. The chief audit executive will confirm to the Audit and Finance Committee, at least annually:
    1. The organizational independence of audit and compliance services. If the governance structure does not support organizational independence, the chief audit executive will document the characteristics of the governance structure limiting independence and any safeguards aimed at achieving the principle of independence.

No limitations to scope, performance, or communication of audit work or results were encountered. If necessary, a disclosure of the limitations encountered will be provided, to include the implications of the interference on the internal audit function’s effectiveness and ability to fulfill its purpose.                                                                                                                                                                                                                                                                                                                                          (02-19-26)

P05.03.024. Audit and Compliance Scope.

  1. The scope of internal auditing covers the entire breadth of the university, including all assets, activities and personnel. The scope encompasses the examination and evaluation of the adequacy and effectiveness of the university’s governance, risk management process, system of internal controls, and the quality of performance in carrying out assigned responsibilities. This scope includes:
    1. Reviewing the reliability and integrity of financial and operational information and the adequacy of the means used to identify, measure, classify and report such information; 
    2. Monitoring compliance with the policies, plans, procedures, laws and regulations that have an impact on university operations; 
    3. Reviewing the means of safeguarding assets and verifying their existence when appropriate; 
    4. Appraising the economy and efficiency with which resources are employed; 
    5. Reviewing financial and operational activities and programs to determine if results are consistent with established goals, objectives and authorized plans; 
    6. Reviewing specific operations at the request of the Audit and Finance Committee or management, as appropriate;
    7. Monitoring and evaluating the effectiveness of the university’s risk management processes, including the identification and management of risks impacting the achievement of strategic objectives;
    8. Serving as liaison for coordination of all external audit activities. The chief finance officer and the administrative vice chancellors are responsible for notifying the chief audit executive of all external audit engagements scheduled or taking place at their respective university. The chief audit executive shall have the discretion to determine the authority of the external auditors to conduct the audit, advise the auditor and auditees on the conduct of the audit, facilitate the audit if the chief audit executive considers it appropriate, and report on the status of the audit to the Audit and Finance Committee;
    9. Assisting in fraud and theft assessment at the request of the Office of General Counsel and senior management. The chief audit executive shall provide support for such reviews under the direction of legal counsel; and 
    10. Providing staff guidance to university staff and managers on matters relating to audits, internal control functions, and risk identification; and
    11. Determining the allocation of resources, frequency of reviews, select subjects, apply techniques as required to accomplish audit objectives, and issue reports.

B. The scope of institutional compliance is to enhance a culture within the university that promotes prevention, detection, and resolution of instances of noncompliance with federal and state laws, regulations, university policy and other requirements. This scope includes:

           1. Collaborate with distributed compliance partners and management to support the compliance and ethics culture;

           2. Educate and inform university staff and management of the importance of ethics and compliance processes and procedures;

           3. Serve as a source of compliance information for staff, management and the internal auditors;

           4. Maintain a process for disseminating information and guidance on applicable federal and state laws, regulations, the university
               policy and other requirements;

           5. Monitor the process utilized by departments and distributed compliance partners to document compliance with the policies, plans,
               procedures, laws and regulations that have an impact on university operations.

           6. Assess and respond to allegations of noncompliance by engaging with the Office of General Counsel or other university leadership
               to conduct reviews of reported issues, and

            7. Address significant federal and state laws, regulations, the university policy and other requirement issues.                   

                                                                                                   (02-19-26)

P05.03.026. Audit and Compliance Planning.

  1. The chief audit executive shall independently develop the annual audit plan using a risk-based prioritization of the audit universe. The plan will consider the input of senior management and the Audit and Finance Committee.
  2. The chief audit executive shall present the audit plan to the Audit and Finance Committee for review and approval. The impact of resource limitations on the internal audit plan will be communicated to senior management and the Audit and Finance Committee. 
  3. Significant deviations from the formally approved plan will be communicated to senior management and the Audit and Finance Committee through periodic status reports. Deviations will be considered in response to changes in the university’s business operations, risks, programs, systems and controls.
  4. The senior compliance professional shall develop and implement a risk-based work plan that addresses the highest priority compliance areas.                                                                                                                                                                                       

     (02-19-26)

P05.03.028. Reporting.

  1. The chief audit executive shall provide written reports on the status of all internal and external audit and institutional compliance activities to the Audit and Finance Committee, including performance relative to the plan.
  2. Formal audit reports shall be issued to the senior managers who will be responsible for the implementation of recommendations or other resolution of audit findings. Copies of all formal audit reports, including management's response, will be provided to the chief finance officer, general counsel, president, and the Audit and Finance Committee before the next scheduled committee meeting. 
  3. Recommendations for improvement or correction shall be reported to the appropriate individuals or management staff. 
  4. Management responses to risk that the chief audit executive determines may be unacceptable or the acceptance of a risk exceeds the university’s risk appetite will be communicated to senior management and the Audit and Finance Committee.
  5. The chief audit executive shall be responsible for appropriate follow-up on audit findings and recommendations. All significant findings will remain in an open status until cleared or waived by the chief audit executive. The chief audit executive will report to the Audit and Finance Committee on the status of open audit findings.
  6. Institutional compliance will periodically provide reports to the Audit and Finance Committee.                                                                   

 (02-19-26)

P05.03.030. Quality Assurance and Improvement Program

  1. The chief audit executive will maintain a comprehensive quality assurance and improvement program for internal audit. This program will include both external and internal assessments to ensure conformance with Global Internal Audit Standards, and performance measures for continuous improvement. It will also address any deficiencies and opportunities for improvement.
  2. Annually, the chief audit executive will report to the Board and senior management on the quality assurance and improvement program, including results from internal (ongoing monitoring and periodic self-assessments) and external assessments.
  3. External assessments will be conducted at least once every five years by a qualified, independent assessor or team, with at least one member holding an active Certified Internal Auditor credential.

                                                                                                                                                                                                 (02-19-26)

P05.03.032. Policy Updates

  1. This policy is intended to be consistent with the charter recommended by the Institute of Internal Auditors and shall periodically be assessed to determine if the purpose, authority, and responsibility, as defined in this policy, continue to be adequate to enable the office of audit and compliance services to accomplish its objectives. Circumstances may require follow-up discussion between the chief audit executive, senior management, and the Audit and Finance Committee on the roles and responsibilities of internal audit or elements of the internal audit policy. Such circumstances may include but are not limited to:
    1. A significant change in the Global Internal Audit Standards;
    2. A significant reorganization within the organization;
    3. Significant changes in the chief audit executive, senior management, or the Audit and Finance Committee;
    4. Significant changes to the organization’s strategies, objectives, risk profile, or the environment in which the organization operates; and
    5. New laws or regulations that may affect the nature and/or scope of internal audit services.
  2. The result of the periodic policy assessment shall be communicated to senior management and the board.

                                                                                                                                                                                                 (02-19-26)