University Policies

070 Internal Audit

Approved by Board of Trustees
Effective Date: June 17, 2025
Responsible Division: President
Responsible Office: Audit Services
Responsible Officer: Chief Audit Executive

I. Purpose

This policy addresses responsibilities of the internal audit function, staffing, audit planning, and reporting on internal audit activities at Middle Tennessee State University (MTSU or University).

II. Definitions

  1. Internal Auditing. An independent, objective assurance and advisory function designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
  2. Risk. The possibility of an event occurring that will have an impact on the achievement of University goals and objectives. Risk is measured in terms of the impact an event may have and the likelihood that the event will occur. To optimize the achievement of the University’s goals and objectives, the Board of Trustees (Board) and management act to minimize the related risks by implementing reasonable procedures to control and monitor the risks.
  3. Governance Processes. The combination of processes and structures implemented by the Board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives. Examples of such processes include the organizational structure within the University or a department; policies, standards, and procedures instituted by the Board or management to direct and control a particular activity; and preparation and review procedures for reports such as annual financial statements, federal grant reports, or financial aid reports.

III. General Statement

  1. The internal audit function at MTSU is the responsibility of the office of Audit Services, which contributes to the improvement of the University’s operations by providing objective and relevant assurance regarding risk management, control, and governance processes to management and the Board.
  2. Management is responsible for evaluating the University’s risks and establishing and maintaining adequate controls and processes.
  3. To provide relevant information, Audit Services will consider the goals of the University, management’s risk assessments, and other input from management in determining its risk-based audit activities.

IV. Internal Audit Standards

Audit Services adheres to the Institute of Internal Auditors’ (IIA) International Professional Practices Framework (IPPF), which includes the Global Internal Audit Standards (formerly known as the International Standards for the Professional Practice of Internal Auditing) as authorized by T.C.A. § 4-3-304(9).

  1. The IPPF includes Global Internal Audit Standards and Topical Requirements, both of which are mandatory, and Global Guidance, presented as supplemental. The IPPF addresses current internal audit practices while enabling practitioners and stakeholders globally to be flexible and responsive to the ongoing needs for high quality internal auditing in diverse environments and organizations of different purposes, sizes, and structures.
  2. To assure compliance with the IIA Standards, the Chief Audit Executive must implement and maintain a quality assurance and improvement program that includes:
    1. Internal assessments, which include both ongoing and periodic review activities.
    2. External assessments, which must be performed at least every five (5) years by a qualified, independent assessment team, one member of which is required to be a Certified Internal Auditor.
    3. Results of internal and external assessments will be communicated, when completed, to the University President and the Audit and Compliance Committee of the Board.

V. Internal Audit Personnel

  1. Internal audit staff must possess the professional credentials, knowledge, skills, and other competencies needed to perform their individual responsibilities.
  2. The internal audit function collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities. This may include engaging skilled assessors from outside of the organization.
  3. The Chief Audit Executive must be licensed as a Certified Public Accountant or a Certified Internal Auditor, maintain an active license, and annually complete sufficient, relevant continuing professional education to satisfy the requirements for the professional certification held.
  4. Other University auditors should annually complete sufficient, relevant continuing professional education to satisfy the requirements for their related professional certification or, at a minimum, forty (40) hours of relevant continuing professional education.
  5. Appointments
    1. The appointment of the Chief Audit Executive is recommended by the President and approved by the Board. T.C.A. § 49-14-102.
    2. The Chief Audit Executive reports directly to, and shall have unrestricted access to, the Audit and Compliance Committee of the Board. T.C.A. § 49-14-102.
  6. Compensation. Compensation of the employees of the MTSU internal audit function is subject to review by the Audit and Compliance Committee of the Board.
  7. Termination or Change of Status
    1. The termination or change of status of the Chief Audit Executive requires the approval of the President and the Audit and Compliance Committee of the Board.
    2. The Chief Audit Executive may be removed only for cause, which requires a majority vote of the Board. T.C.A. § 49-14-102.

VI. Internal Audit Role and Scope

  1. Reporting Structure. The Chief Audit Executive reports directly to the Audit and Compliance Committee of the Board and administratively to the University President. T.C.A. § 49-14-102. This reporting structure assures the independence of the internal audit function.
  2. The internal auditors’ responsibilities include:
    1. Working with management to assess University risks and developing an audit plan that considers the results of the risk assessment.
    2. Evaluating University controls to determine their effectiveness and efficiency.
    3. Coordinating work with external auditors, program reviewers, and consultants.
    4. Determining the level of compliance with internal policies and procedures, state and federal laws, and government regulations.
    5. Testing the timeliness, reliability, and usefulness of University records and reports.
    6. Recommending improvements to controls, operations, and risk mitigation resolutions.
    7. Assisting the University with its strategic planning process to include a complete cycle of review of goals and values.
    8. Evaluating program performance.
    9. Performing advisory services and special requests as directed by the Audit and Compliance Committee or President.
  3. The scope of internal auditing extends to all aspects of University operations and beyond fiscal boundaries. The internal auditors shall have access to all records, personnel, and physical properties relative to the performance of duties and responsibilities.
  4. The scope of a particular internal audit activity may be as broad or as restricted as required to meet management needs.
  5. Objectivity is essential to the internal audit function. Therefore, internal audit personnel should not be involved in the development and installation of systems and procedures, preparation of records, or any other activities that the internal audit staff may review or appraise. However, internal audit personnel may be consulted on the adequacy of controls incorporated into new systems and procedures or on revisions to existing systems.
  6. Management is responsible for identifying, evaluating, and responding to potential risks that may impact the achievement of the University’s objectives. Auditors continually evaluate the risk management, internal control, and governance processes. To facilitate these responsibilities, Audit Services will receive notices or copies of external audit reviews, program reviews, fiscally related consulting reports, cash shortages, physical property losses, and employee misconduct.

VII. Audit Plans and Activity Reports

  1. Audit Services shall develop an annual audit plan using an approved risk assessment methodology.
  2. At the beginning of each fiscal year, after consultation with the Audit and Compliance Committee, the President, and other University management, Audit Services will prepare an annual audit plan. The audit plan must be flexible to respond to immediate issues and will be revised for such changes during the year.
  3. Audit plans and revisions will be reviewed by the President and approved by the Audit and Compliance Committee.
  4. At the end of each fiscal year, Audit Services will prepare an annual activity report of all significant audit services performed.
  5. Annual activity reports and approved audit plans will be provided to the Comptroller’s Office, Division of State Audit.

VIII. Audit Engagements

  1. Audit engagements will be planned to provide relevant results to management and the Audit and Compliance Committee regarding the effectiveness and efficiency of processes and controls over operations. To ensure management’s expectations are met, auditors will communicate with management regarding the objectives and scope of the engagement.
  2. In planning and during the engagement, auditors should consider and be alert to risks that affect the University’s goals, objectives, operations, and resources. Auditors should consider risks based on the operations under review, which include, but are not limited to, the risk of financial misstatements, noncompliance, and fraud.
  3. An audit work program will be designed to achieve the objectives of the engagement and will include the steps necessary to identify, analyze, evaluate, and document the information gathered, and the conclusions reached during the engagement.
  4. Working papers that are created, obtained, or compiled by internal audit staff are confidential and are not records subject to the Public Records Act. T.C.A. § 4-3-304(9).

IX. Communicating Audit Results

  1. The Chief Audit Executive must establish and implement methodologies to promote accurate, objective, clear, concise, constructive, complete, and timely internal audit communications. Management will include corrective action for each reported recommendation.
  2. Audit Services will monitor findings, recommendations, and action plans included in internal audit reports, investigation reports, and State Audit reports. A written report will be prepared, and for any findings that have not been corrected, management will be asked to include a revised corrective action plan. The President, along with the Audit and Compliance Committee, will be notified at the conclusion of a follow-up audit if management has not corrected the reported finding or implemented the corrective action.
  3. A written report that documents the objectives, scope, conclusions, and recommendations will be prepared for investigations resulting from allegations or identification of fraud, waste, or abuse. As appropriate in the circumstances, management will include corrective action for each reported recommendation. In a case where allegations are not substantiated by the review and there are no other operational concerns to report to management regarding the review, the case may be closed by a memo to the working paper file documenting the reasons for closing the case.
  4. Reports on special studies, advisory services, and other non-routine items should be prepared as appropriate, given the nature of the assignment.
  5. All internal audit reports will be signed by the Chief Audit Executive and transmitted directly to the President and appropriate levels of management in a timely manner.
  6. The Chief Audit Executive will present significant results of internal audit reports to the Audit and Compliance Committee quarterly or as appropriate.
  7. The Chief Audit Executive will provide a copy of each report to the Comptroller’s Office, Division of State Audit.

X. Exceptions

Any exceptions to the policy established herein shall be subject to the approval of the Audit and Compliance Committee.

Forms: none.

Revisions: none.

Last Reviewed: January 2023; June 2025.

References: T.C.A. §§ 4-3-304(9); 49-14-102.