Regents' Policy Manual - Section 7.2: Internal Auditing and Compliance

Adopted Date: 09-12-1996
Amended: 08-10-2004
Amended: 07-01-2007
Amended: 05-28-2008
Amended: 09-12-2014

Applicability

This policy applies to the controls, risk management and organizational governance of the University, and to public access to University records.

Policy

The Internal Audit Department was established to perform a comprehensive internal audit function for the University. The Compliance Program was established to ensure that University activities are conducted in compliance with applicable federal and state laws and regulations and with the highest ethical standards. The Compliance Program consists of the Main Campus Compliance Program, which is addressed in this policy, and the Health Sciences Center Institutional Compliance Program, which is addressed separately in RPM 3.7 (“Health Sciences Center Institutional Compliance Program”).

These units add value and improve the University's operations. They conduct independent, objective assurance services and consultations to determine whether the University's systems of controls, risk management, and organizational governance, as designed and represented by management, are adequate, functioning properly and ethically, and in full compliance with all regulations. To ensure independence of the internal audit and compliance functions, the Director of Internal Audit and the Main Campus Chief Compliance Officer report functionally to the Board of Regents, and administratively to the University President. Internal Audit and the Main Campus Compliance Office shall be free from interference in determining the scope of internal auditing and compliance reviews, and shall be empowered to obtain the information they need to perform their work and communicate the results.

Authority

The Internal Audit Department is authorized to:

  1. Have unrestricted access to all functions, records, property, and personnel.

  2. Obtain the necessary assistance of personnel in organizations where they perform audits.

  3. Communicate with University management, faculty, staff, external auditors, governmental entities, and law enforcement agencies as needed.

  4. Cooperate with any legitimate inquiry or investigation from an outside audit, law enforcement or investigative agency.

The Internal Audit Department is not authorized to:

  1. Perform any operational duties for the University or its affiliates.

  2. Initiate or approve accounting transactions external to Internal Audit.

  3. Direct the activities of any University employee not employed by Internal Audit.

  4. Render legal opinions. 

  5. Have direct responsibility for or authority over any of the activities that it examines.

The Compliance Office is authorized to:

  1. Obtain the necessary assistance of personnel involved in compliance activities. To this end, the Chief Compliance Officer shall identify a network of compliance partners who have expertise in specific compliance areas.

  2. Require that compliance partners provide regular (e.g., quarterly) reports that are sufficient to determine compliance status.

  3. Communicate with University management, faculty, staff, and governmental entities, as needed.

  4. Cooperate with any legitimate inquiry or investigation from an outside law enforcement or investigative agency.

The Compliance Office is not authorized to:

  1. Direct the activities of any University employee not employed by the Compliance Office, except as authorized above.

  2. Render legal opinions.

  3. Have direct responsibility for or authority over any of the activities that it examines.

Responsibility and Accountability

The Director of Internal Audit shall:

  1. Submit an annual budget and audit plan to the Board of Regents Audit and Compliance Committee for review and approval.

  2. Provide quarterly reports to the Audit and Compliance Committee on the status and results of the audit plan, significant audit findings and recommendations, and sufficiency of department resources.

  3. Provide timely information to the University President and the Audit and Compliance Committee concerning suspected fraudulent activities.

  4. Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of the policy.

The Chief Compliance Officer shall:

  1. Submit an annual budget and compliance plan to the University President for review and approval and to the Audit and Compliance Committee for review.

  2. Provide quarterly reports to the University President and the Audit and Compliance Committee on the status and results of the compliance plan, significant compliance findings and recommendations, and sufficiency of department resources.

  3. Provide timely information to the University President and the Audit and Compliance Committee concerning significant compliance concerns.

  4. Obtain and maintain sufficient knowledge, skills, experience, and professional certifications to fulfill the requirements of the position.

Scope of Work

The scope of work of Internal Audit is to determine whether the University's systems of control, risk management, and organizational governance, as designed and represented by management, are adequate and functioning properly to ensure:

  1. Risks are identified and managed.

  2. Significant financial, managerial, and operating information is accurate, reliable, and timely.

  3. Employees' actions are in compliance with policies, standards, procedures, and applicable laws and regulations. 

  4. Resources are acquired economically, used efficiently, and adequately protected. 

  5. Programs, plans, and objectives are achieved.

  6. Quality and continuous improvements are fostered in the University's control process.

  7. Significant legislative or regulatory issues impacting the organization are recognized and addressed appropriately. 

  8. Procedures used by the governing body provide oversight of risk and control processes administered by management.

The scope of work of the Compliance Office is to identify compliance requirements, enhance compliance awareness, and support the achievement of compliance obligations. As part of this work, the Compliance Office will:

  1. Identify compliance partners for every unit of the University (excluding the Health Sciences Center) that has a compliance role. The compliance partners manage day-to-day compliance for a wide range of University activities, including without limitation, human subjects research, export control, animal research, conflicts of interest in research, research integrity, research administration, the Clery Act, Federal Educational Rights and Privacy Act, tax-exempt bonds, unrelated business activities, Americans with Disabilities Act, affirmative action, equal opportunity employment, donor gift restrictions, financial aid, global operations, human resources, immigration, land use, National Collegiate Athletic Association, procurement, property management, scientific misconduct, sexual harassment, intellectual property, technology licensing, and workers compensation.

  2. Provide the tools, guidance, and oversight that the compliance partners need to ensure that their units’ internal compliance controls are adequate and functioning.

  3. Coordinate the University’s compliance activities, including chairing a Compliance Committee.

  4. Identify key risk areas and perform risk assessments on compliance readiness.

  5. Provide compliance advisory services to Internal Audit and to faculty and staff.

  6. Assist in the development of compliance-related policies or practices.

  7. Assist in the development and delivery of compliance-related training.

  8. Evaluate emerging compliance trends in higher education and government and recommend best practices.

  9. Report results of compliance program activities to senior management and the Audit and Compliance Committee.

  10. Collaborate with the Health Sciences Center’s Chief Compliance Officer on various compliance matters.

Audit Reports

Internal Audit will prepare a written report of the results of audit work performed. Management is required to respond to the report within ten days of receiving it. The response will include three elements: a statement as to whether management agrees with the audit finding, corrective action to be taken to meet the objectives of the audit finding, and the dates by which the actions will be implemented. If no action will be taken, the response will indicate the reasons. Internal Audit will forward its report and the management's response to the University President who shall review them and either accept the response or request further development of the response. After the University President has accepted the response, Internal Audit will forward the report and response to the Audit and Compliance Committee for approval. Upon approval of an audit report by the Audit and Compliance Committee, the full text of the report will be made public in accordance with RPM 2.17, except for information that is specifically exempted from public inspection by the New Mexico Inspection of Public Records Act (IPRA). Any such information that is specifically exempted by IPRA will be redacted (blacked-out) when the reports are made public. Information redacted from reports will be made public if and when these considerations are no longer relevant. Public reports will be posted on Internal Audit's public Internet web site. The full text of reports may be released to non-public sources, such as external auditors, governmental entities, funding entities, and law enforcement agencies as needed. Internal Audit will perform follow-up reviews to ensure corrective actions indicated in the responses have been completed.

Investigation of Fraudulent Activity

The Internal Audit Department will coordinate investigation of suspected fraudulent activities within the University. If an investigation reveals possible fraudulent activity has occurred, Internal Audit will ask University Counsel to render an opinion as to whether the audit findings indicate that illegal activity appears to have occurred. If, in University Counsel's opinion, illegal activity appears to have occurred, Internal Audit will notify the University President, the cognizant vice president, Safety and Risk Services, the Compliance Office, and the appropriate law enforcement agency. If the illegal activity involves an area of high public interest or an amount greater than $20,000, Internal Audit will notify the Audit and Compliance Committee within forty-eight hours.

Internal Audit will notify the State Auditor's Office of illegal activity in accordance with the State Audit Act, § 12-6-6 NMSA 1978, and the State Auditor's regulations, NMAC 2.2.2.10. Internal Audit will assist the Office of the Vice President for Research Services or the Health Sciences Center Controller's Office in notifying funding agencies when contract and grant funds are involved in the loss.

Standards and Ethics

Both Internal Audit and the Compliance Office are required to maintain the highest standards of ethical practice. In the conduct of its audits, Internal Audit shall abide by applicable pronouncements made by professional bodies including the Institute of Internal Auditors (IIA) and the American Institute of Certified Public Accountants (AICPA). The generally accepted auditing standards published by these groups shall serve as guides in the performance of internal audits. In addition to maintaining the highest standards of practice in the performance of its duties, Internal Audit shall adhere strictly to the Code of Ethics as established by the IIA and adopted by the Association of College and University Auditors. Due regard should also be given to pronouncements concerning ethical behavior by the AICPA.

References

Audit Act, §12-6-6, NMSA 1978; NMAC 2.2.2.10; RPM 2.17 ("Public Access to University Records"); RPM 7.3 ("Audit and Compliance Committee"); UAP 2200 ("Reporting Suspected Misconduct and Whistleblower Protection from Retaliation"); UAP 7205 ("Dishonest or Fraudulent Activities"); and publications from the Institute of Internal Auditors.