I.         BACKGROUND

 

The University of California Board of Regents has formally approved an Internal Audit Mission Statement and Charter. 

 

     II.         POLICY

 

It is the policy of UC San Diego to support the University of California Internal Audit Charter through the auspices of Audit & Management Advisory Services department.

 

    III.         AUTHORITY                                                                                             

 

Audit & Management Advisory Services has been designated the responsibility and authority to carry out its function by virtue of:

 

A.             The University of California Internal Audit Charter provides direction and guidance for local campus implementation of a campus audit program, defines the objectives of the program, the responsibilities of the audit group, the reporting channels, and certain personnel matters as endorsed by The Regents of the University of California. 

 

B.             The UC San Diego Audit & Management Advisory Services Charter (Attachment 1) establishes immediate authority, responsibility and accountability for executing internal audit functions as endorsed by the Chancellor and UC San Diego Compliance Audit Risk and Ethics (CARE) Committee. This document correlates closely with the UC Internal Audit Charter approved by the Regents.

 

Audit & Management Advisory Services is a management service function and as such, has no authority to direct anyone in operations to take action implementing any of its recommendations. These tasks are the responsibility of University management.

 

   IV.         REPORTING CHANNELS

 

A.             Organization and Structure

 

Organizationally, UC San Diego Audit & Management Advisory Services has a dual reporting relationship to the Chancellor (including his/ her delegate, the Chief Ethics and Compliance Officer), and the UC Senior Vice President and Chief Compliance and Audit Officer.  Additional reporting responsibilities are to the President and the Board of Regents as required.

 

To ensure sufficient organizational status and independence in meeting its auditing responsibilities, Audit & Management Advisory Services reports functionally to The Regents through the Office of the Chief Compliance and Audit Officer, and administratively to the UC San Diego Chief Ethics & Compliance Officer.

 

The UC San Diego CARE Committee has been established to provide ongoing oversight of compliance with established policies and procedures in a variety of areas; and to make recommendations to the Chancellor for improving compliance programs in a highly decentralized environment. The UC San Diego CARE Committee Charter (Attachment 2) establishes the authority, composition, roles and responsibilities, and protocols of its Committee.

  

     V.         RESPONSIBILITY

 

The internal audit function provides a management service comprised primarily of independent assurance and advisory activities. Responsibilities for management services provided include:

 

A.             Performing audits of campus and health system operations and activities in accordance with the annual plan approved by the CARE Committee and Chancellor and submitted to Office of the President.

 

B.             Conducting internal investigations in accordance with the University of California Policy on Reporting and Investigating Allegations of Suspected Improper Governmental Activities (Whistleblower Policy).

 

C.             Providing services in a consultation role as requested by management, business units, and academic administration when such requests are consistent with the professional expertise of the auditors and maintenance of an appropriate level of independence, and do not materially impact the accomplishment of the risk based campus annual internal audit plan.

 

D.             Reviewing campus compliance with University fiscal and administrative policies and procedures, conformance with governmental laws and regulations, and compliance with resource allocation and gift endowment restrictions.

 

E.              Participating and providing appropriate support to campus and health sciences committees, work groups, task forces involved in the development, review and/or re-engineering of policies, procedures, and systems. In these endeavors, auditors will be cognizant of their appropriate role versus the role of management and will actively

promote and advocate a sound system of internal controls in support of operational effectiveness and efficiency objectives.

 

F.              Serving as the external audit coordinator working with external agencies having an audit interest in the University by:

 

1.     Coordinating external audit and investigation activities for UC San Diego.

 

2.     Coordinating the University's response to a notice of external audit or investigation, and the provision of any materials to the external agency.

 

3.     Resolving questions and providing guidance for UC San Diego departments involved in reviews.

 

4.     Communicating external audit and investigation concerns to campus and health sciences personnel on a proactive basis so that appropriate corrective action can be taken.

 

5.     Maintaining complete and accurate files of external audit and investigation activity for campus reference.

 

G.             Supporting the Chief Ethics & Compliance Officer, in their role as the UC San Diego Locally Designated Official, and facilitating the adoption, implementation, and administration of local whistleblower procedures in support of the University policy.

 

H.             Participating in the development of standards, audit planning methodologies, common audit programs, peer review programs, and other initiatives undertaken for the benefit of the entire University of California internal audit community.

 

I.                Conducting audit, consultation and investigation activities in accordance with standards established for the entire University of California internal audit community.

 

J.              Consulting with the Chief Compliance and Audit Officer on any matter representing a conflict of interest, or the appearance of a conflict of interest on the part of the local internal audit department.

 

The scope of Audit & Management Advisory Services’ work is to determine whether UC San Diego’s network of risk management, control, and governance processes as designed and represented by management is adequate and functioning. 

 

   VI.         PROCEDURES

 

A.             Audit Planning

 

An annual audit plan will be prepared. The scope of the audit plan will include all activities at UC San Diego. In general terms this scope will encompass the campus, Scripps Institution of Oceanography, and UC San Diego Health Sciences (including the Professional Schools and UC San Diego Health). Audit & Management Advisory Services drafts the audit plan and presents it to the campus CARE Committee and subsequently to the Chancellor for approval. The approved audit plan will be forwarded to the Chief Compliance and Audit Officer for inclusion in the University of California Audit Plan presented to The Regents Committee on Audit.

 

In selecting the areas for the audit plan, a risk assessment will be conducted by Audit & Management Advisory Services with participation by key UC San Diego management representatives.  High risk areas will be identified and incorporated in the audit plan to the extent feasible considering resource constraints.

 

In addition to performing audits on the annual plan, Audit & Management Advisory Services will conduct supplemental audits, advisory services, consultations and investigations as determined appropriate to meet its objectives.

 

B.             Audit Review

 

Internal audit procedures are tailored for the type of engagement involved. The general review process for a traditional audit is comprised of the following components:

 

1.     Opening Conference

 

Audit & Management Advisory Services usually notifies the auditee by email that an audit or advisory services project has been scheduled. An opening conference is conducted between members of the audit team (Manager and Auditor in Charge) and departmental management. This meeting is for the purpose of discussing the audit process and clarifying the audit approach and scope. 

 

2.     Preliminary Survey

 

The auditor conducts a preliminary survey to become familiar with the department's activities and related systems of internal controls. This involves information gathering, which could include, but is not limited to, interviews with departmental personnel, flowcharting, review of the department objectives, and a walk-through of the department's operations. As a result of the preliminary survey, the auditor develops an audit program that focuses the review on key areas that may have insufficient or weak internal controls or other areas specified for inclusion in the scope.

 

3.     Fieldwork

 

During the fieldwork phase of the audit, the auditor accumulates, classifies and appraises information to measure and evaluate the effectiveness of specific control techniques within the department's control system. The auditor will discuss observations on areas where improvements may be appropriate with departmental management. This provides departmental management with the opportunity to take immediate action if needed and validates the accuracy of the auditor's problem assessment.

 

Note:  The above process does not necessarily apply for the conduct of an advisory service or investigation.

 

C.             Communicating Results

 

Upon completion of fieldwork, the auditor documents and communicates the results of the audit by preparing an audit report draft, which generally explains the audit objectives, scope, observations, recommendations, and conclusions.

 

1.     Review

 

Department management and the audit team meet to discuss the draft report. The purpose of the meeting is to review the auditor's recommendations and conclusions. Department management and the audit team works to resolve any open issues, misunderstandings regarding the accuracy and content of the report, and, if possible, come to agreement on management corrective actions to be taken to resolve open issues.

 

2.     Distribution of Final Report

 

Audit & Management Advisory Services reports the results of the audit work in a signed, written report. The final report is normally distributed to:

 

a.     Chair or Director of the department or process reviewed,

 

b.     Cognizant Vice Chancellor/Director for the client department, and other senior management deemed appropriate by the Audit Director,

 

c.     UC San Diego Chief Ethics & Compliance Officer

 

d.     UC Chief Compliance and Audit Officer

 

3.     Response

 

In order to provide for a balanced presentation of issues, management corrective actions agreed upon during the course of the audit are generally noted in the final report. Department management is then requested to provide a written response to Audit & Management Advisory Services addressing any remaining recommendations which are included in the final report, and which have not yet been acted on. If disagreement with an observation or recommendations exists, management shall provide the rationale supporting the basis of the disagreement. These issues are then reviewed as needed with higher management for consideration of associated risk.

 

Note:  The above process does not necessarily apply for the conduct of an advisory service or investigation.

 

 

 

D.             FOLLOW-UP

 

Audit & Management Advisory Services periodically follows-up to ascertain whether corrective actions which have been agreed to have been implemented. The Chancellor and Chief Compliance and Audit Officer are informed of all significant open follow-up items. For those observations where no action has been taken, Audit & Management Advisory Services advises appropriate levels of management of the risk involved. When follow-up is complete, a letter closing the audit may be issued.

 

  VII.         REFERENCES

 

A.             University of California Internal Audit Charter, Office of the President - endorsed by the Regent’s Committee on Audit, Revised September 2020

 

B.             Policy on Reporting and Investigating Allegations of Suspected Improper Governmental Activities (Whistleblower Policy), Office of the President, January 1, 2012.

 

C.             UC San Diego Policy and Procedure Manual (PPM)

300-5	Audits by External Agencies
460-5	Misuse of University Resources

 

D.             University of California San Diego, Audit & Management Advisory Services Charter, Revised June 2023

 

E.              University of California San Diego, Compliance Audit Risk and Ethics (CARE) Committee Charter, Revised June 2023

VIII.         REVISION HISTORY

 

2012/07/12                   Policy made effective.

 

2018/04/20                   Policy revised and reissued.

 

2023/06/29                   Policy revised and reissued.

 

ATTACHMENT 1

 

UNIVERSITY OF CALIFORNIA SAN DIEGO

Audit & Management Advisory Services Charter

June 2023

 

Purpose/Mission

 

The mission of University of California, San Diego Audit & Management Advisory Services (AMAS) is to provide the University of California (UC) Regents, President, and UC San Diego Chancellor with independent and objective assurance and consulting services designed to add value and improve operations. We do this through communication, monitoring and collaboration with management to assist the campus community in the discharge of their oversight, management, and operating responsibilities. AMAS brings a systematic, risk-based, and disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.

 

Authority

 

AMAS functions under the policies established by the Regents of the University of California and by University management under delegated authority.

 

AMAS is authorized to have full, free and unrestricted access to information it deems necessary to perform audit, consulting/advisory services, and investigation projects and ongoing risk assessment activities, including but not limited to, records, computer files, information systems, databases, property, and personnel of the University in accordance with the authority granted by approval of this charter and applicable federal and state statues. Except where limited by law, the work of AMAS is unrestricted. AMAS is free to review and evaluate all policies, procedures, and practices for any University activity, program, or function on behalf of the Board of Regents.

 

In performing the audit function, AMAS has no direct responsibility for, nor authority over any of the activities reviewed. The internal audit review and approval process does not in any way relieve other persons in the organization of the responsibilities assigned to them.

 

Information requested by AMAS shall be provided without delay. Any attempt to interfere with or prevent AMAS’ access to information, including termination of access to information required to perform AMAS’ duties, shall be immediately escalated to the Chancellor and to the President of the University for resolution. If the access issues are not timely resolved through this escalation, the Chief Compliance and Audit Officer (CCAO) shall escalate the issues to the Chair of the Regents Compliance and Audit Committee for resolution.

 

Independence and Reporting Structure

 

To permit the rendering of impartial and unbiased judgment essential to the proper conduct of audits, internal auditors will be independent of the activities they audit. This independence is based primarily upon organizational status and objectivity and is required by external industry standards. To provide for independence, AMAS reports administratively to the UC San Diego Chancellor through the Chief Ethics & Compliance Officer, and directly to the Regents' Committee on Compliance and Audit through the UC Senior Vice President and Chief Compliance and Audit Officer (CCAO). The AMAS Director has direct access to the CCAO and to the President or the Regents' Committee on Compliance and Audit as circumstances warrant

 

Communications, Accountability, and Coordination with Related Campus Entities

 

AMAS reports periodically to the campus Compliance, Audit, Risk and Ethics (CARE) Committee on the  adequacy and effectiveness of the organization's processes for controlling its activities and managing its risks in the areas set forth under the mission and scope of work; the status of the annual audit plan, and the sufficiency of audit resources. The audit function coordinates with and provides oversight of other control and monitoring functions involved in governance such as risk management, compliance, security, legal, ethics, environmental health & safety, and external audit. 

 

The AMAS Director may take directly to the Chancellor, the CCAO, the President, or the Regents matters that they believe to be of sufficient magnitude and importance.

 

The Chancellor shall retain responsibility for approval of the campus annual audit plan and approval of the CARE Committee charter, and shall meet with the AMAS Director regularly to review the state of the internal audit function and the state of internal controls locally. The Regents have the ultimate authority to approve and/or amend the systemwide audit plan, which is a consolidation of all campus and laboratory audit plans.

 

Scope of Work

 

The scope of AMAS work is to determine whether UC San Diego's network of risk management, control, and governance processes, as designed and represented by management at all levels is adequate and functioning in a manner to ensure:

 

·     Risks management processes are effective and significant risks are appropriately identified and managed.

·     Ethics and values are promoted within the organization.

·     Financial and operational information is accurate, reliable, and timely.

·     Employee's actions are in compliance with policies, standards, procedures, and applicable laws and regulations.

·     Resources are acquired economically, used efficiently, and adequately protected.

·     Programs, plans, and objectives are achieved.

·     Quality and continuous improvement are fostered in the organization's risk management and control processes.

·     Significant legislative or regulatory compliance issues impacting the organization are recognized and addressed properly.

·       Effective organizational performance management and accountability are fostered.

·       Coordination of activities and communication of information among the various governance groups occur as needed.

·       The potential occurrence of fraud is evaluated and fraud risk is managed.

·       Information technology governance supports UC’s strategies, objectives, and privacy framework.

·       Information technology security practices adequately protect information assets and are in compliance with applicable policies, rules and regulations.

·       Opportunities for improving management control, quality and effectiveness of services, and the organization’s image identified during audits are communicated by IA to the appropriate levels of management.

 

AMAS also acts as the official external audit liaison for the campus for external audit engagements other than the annual financial audit performed by the Regents' auditors.

 

Nature of Assurance and Consulting Services

 

AMAS performs three types of projects:

 

·       Audits are assurance services defined as examinations of evidence for the purpose of providing an independent assessment of governance, risk management, and control processes for the organization.

·       Consulting/Advisory Services, the nature and scope of which are agreed upon with the client, are intended to add value and improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility.

·       Investigations are independent evaluations of allegations generally focused on improper government activities including misuse of university resources, fraud, financial irregularities, significant control weaknesses and unethical behavior or actions.

 

Mandatory Guidance

 

AMAS serves the University in a manner that is consistent with the standards established by the CCAO and acts in accordance with University policies and the UC Standards for Ethical Conduct. At a minimum, it complies with relevant professional standards, and the Institute of Internal Auditors' mandatory guidance including the Definition of Internal Auditing, the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing. This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity's performance.

 

 

Approved:

 

 

 

__________________________

 

Chancellor Khosla

 

 

ATTACHMENT 2

 

UNIVERSITY OF CALIFORNIA SAN DIEGO

 

Compliance, Audit, Risk, and Ethics (CARE) Committee Charter

June 29, 2023

 

Purpose/Mission

 

The Compliance, Audit, Risk, and Ethics (CARE) Committee was established in 2011 in accordance with the UC Ethics and Compliance Program Plan which was approved in 2008 by the Regents of the University of California, and approved and re-affirmed in 2017. The CARE Committee functions in an advisory capacity to the UC San Diego Chancellor and the UC Office of Ethics, Compliance, and Audit Services, on matters pertaining to compliance with laws, regulations, and UC policies and procedures; the conduct of the external and internal audit programs; and the identification and assessment of enterprise risk.

 

Roles and Responsibilities

 

The CARE Committee's charge is to provide ongoing oversight of compliance with established policies and procedures in a variety of areas; and to make recommendations for improving compliance programs as needed in a highly decentralized environment. The Chief Ethics and Compliance Officer, who co-chairs the CARE Committee, has the independent authority and autonomy necessary to objectively provide a review and evaluation of compliance issues within all levels and in all subdivisions, subsidiaries and holdings of UC San Diego. 

D

As noted in the UC Ethics and Compliance Program Plan, the duties of the CARE Committee include:

 

•       Responsibility and support for the overall UC San Diego Compliance Program including implementation, performance metrics, and ongoing processes of the Program

           

•       Providing oversight of risk assessment tools for campus use in identifying and mitigating high risk compliance areas

           

•       Advising on the need for campus-specific guidance documents, education materials, and training courses

           

•        Providing oversight of compliance monitoring activities for high-risk areas as needed and recommending compliance policies and best practices

 

•       Reporting compliance risk areas of high priority and proposed risk mitigation activities to UC Ethics, Compliance and Audit Services on an ad hoc and annual basis as requested

 

The CARE Committee will consider whether the following elements are in place as determined necessary for reducing and/ or mitigating key risk areas of regulatory compliance:

           

•       Written policies and procedures

 

•       Conduct of effective training and education

 

•       Effective Lines of communication

 

•       Enforcement of standards through well-publicized disciplinary guidelines, undertaking corrective action, and reporting to the appropriate Federal agency

 

•       Well-defined roles and responsibilities and assignment of oversight responsibility and appropriate delegations of authority

 

Review and Approval

 

The CARE Committee is responsible for reviewing and approving the following on an annual basis:

 

• Institutional Risk Work Plan
• Health Risk and Compliance Work Plan
• Audit & Management Advisory Services Audit Plan

 

Governance Structure

 

UC San Diego has established a Compliance Governance Structure approved by the Chancellor which includes various Committees, Councils, or other groups (collectively referred to as Subcommittees) that will provide reports to the CARE Committee. These include:

 

• Clery Compliance Committee
• Athletics Compliance Committee
• Risk Steering Committee
• Information Security and Privacy Council
• Health Sciences Executive Compliance Committee (also reports to the Health System Executive Governing Board)
• Cybersecurity Governance Committee (also reports to the IT Executive Governance Committee (ITEGC))
• Youth Protection Oversight Committee

 

Subcommittees may be added or removed as needed by the CARE Committee.

 

Composition

 

Co-Chairs

 

The Chief Ethics & Compliance Officer and Executive Vice Chancellor shall co-chair the Committee.

 

Committee Members

 

Committee shall be composed Vice Chancellors from each area of the campus, subject matter experts, and selected ex-officio members, including the CEO of UC San Diego Health, the Health Sciences Compliance and Privacy Officer, the Director of Audit & Management Advisory Services, and Campus Counsel.

 

 

Meetings

 

The CARE Committee shall meet annually and more frequently as needed.

 

Approval and Revisions

 

• Approved by the Chancellor on January 8, 2011
• Revised March 1, 2018
• Revised June 29, 2023

 

Reference Section

 

• July 16, 2008, Resolution to Approve the University of California Ethics and Compliance Program
• March 15, 2017, Resolution to Reaffirm the University of California Ethics and Compliance Program

 

 

Attachments

 

• UC San Diego Compliance Governance Structure