Internal Auditing

The internal auditor works for the University Council and has the role of improving management practices at the University of Iceland by helping administrators to achieve set management targets, evaluate success, improve risk management, controls and administration. The main focus of the internal auditor is to determine whether internal controls work such that the University’s operations are conducted in a reasonable way.

The internal auditor is an independent unit who answers professionally to the University Council, but is under the administration of the rector.

The responsibilities of the internal auditor include assurance engagements, consulting services and auditing of international research grants. Assurance engagements involve the internal auditor’s objective evaluation of data in order to produce an unbiased verdict on a unit, management practice, activity, process or system. Engagements are announced in the internal audit plan, approved by the University Council.  The primary assurance engagements in accordance with the formal statement of duties are to evaluate whether:

• working processes, organisation and administration are effective,
• the information system operates in a secure manner which ensures the validity and integrity of data,
• staff comply with the law, regulations, official strategy, standards and rules of procedure,
• accounts and financial statements comply with the provisions of the law and regulation,
• risk is satisfactorily identified and managed,
• the University Council, rector and other University administrators receive the accurate information they require in order to fulfil their responsibilities.

Laws and regulations on internal auditing

Article 65 of the Act on Public Finances no. 123/2015 states that internal audits shall be conducted of state entities in Section A on the basis of regulations established by the minister in accordance with international standards published by the Institute of Internal Auditors.

Professional Practices Framework for internal auditing

The Institute of Internal Auditors (www.theiia.org) produces a Professional Practice Framework. Internal auditors are required to comply with the following:

• the definition of internal auditing
• core principles for the professional practice of internal auditing
• international standards for internal auditing
• the Code of Ethics.

Definition of internal auditing

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Core Principles for the Professional Practice of Internal Auditing

The Core Principles, taken as a whole, articulate internal audit effectiveness. For an internal audit function to be considered effective, all principles should be present and operating effectively. The Core Principles are that the internal auditor:

• Demonstrates integrity
• Demonstrates competence and due professional care
• Is objective and free from undue influence
• Aligns with the strategies, objectives and risks of the organisation
• Is appropriately positioned and adequately resourced
• Communicates effectively
• Provides risk-based assurance
• Is insightful, proactive, and future-focused
• Promotes organisational improvement

Code of Ethics for Internal Auditors

The Code of Ethics contains the main rules of the profession and internal auditing practices. The Code of Ethics applies equally to internal auditors and the people working under their authority. The main principles from the Code of Ethics for Internal Auditors are: integrity, objectivity, confidentiality and competency.

International Standards for the Professional Practice of Internal Auditing

The international standards are intended to provide a basic framework for the implementation of internal audits. The standards pertain to the organisation and implementation of internal audits, as well as the attributes of individuals working in internal auditing.

1. Role

The role of the internal auditor at the University of Iceland is to promote optimised use of funding and efficient management practices in the interests of the strategy and objectives of the University. The internal auditor shall assist the University Council, rector and other administrators in attaining set management targets, evaluating success, improving risk management and strengthening internal controls.

2. Tasks and responsibility

The primary tasks of the internal auditor are:

• To advise the rector, University Council and other administrators at the University of Iceland regarding matters pertaining to optimised use of funding, efficient management practices, risk management and internal controls over administration and finances.
• To determine whether internal controls, the information system, working processes, organisation and administration are effective and secure and align with the strategy and objectives of the University.
• To determine whether accounts and financial statements comply with the provisions of the law and regulation.
• To determine whether the University Council, rector and other administrators receive the accurate information they require in order to fulfil their responsibilities efficiently, and to promote such information flow.
• In consultation with or at the request of the University Council and rector, to review individual structural units and selected elements of administration and operations at the University. To propose reforms, amendments and innovations to improve management practices and financial administration, as appropriate.
• To stay abreast of the results of professional quality engagements and evaluate, as appropriate, their administrative and financial basis.
• To receive reasoned reports of waste and inefficiency in management practices, risks and possible fraud in the handling of finances and, as appropriate, alert the University Council and rector.

3. Appointment, position in organisational chart and objectivity

• The internal auditor is appointed by the head of the institution (rector) but works under the authority of the board (University Council).
• The internal auditor must be university educated and possess extensive knowledge of public administration and internal auditing. Ideally, he or she shall be an accredited auditor.
• The internal auditor is professionally autonomous and works independently.
• The internal auditor must ensure objectivity and work independently of those operating units being audited or reviewed.
• The internal auditor shall have ready access to all data required to perform his or her job effectively.
• Staff at the University of Iceland shall assist the internal auditor with gathering information and ensure that information and files are accessible. Care must be taken to ensure that information gathered in this way is not accessible to others and is used only in accordance with the objectives of the internal audit. Confidential information must be handled as such. The internal auditor must comply with the provisions of the law and regulation concerning confidentiality and communication with employees in their place of work.
• The internal auditor is not involved with the day-to-day management of the University, but shall work closely with its administrators.
• The internal auditor must report to the University Council and rector any circumstances or incidents that could indicate incompetence, conflicts of interest or partiality. An auditor who has worked on or been responsible for certain projects shall not audit them until a reasonable amount of time has passed.

4. Annual audit plan, annual audit report and budget

Every year the internal auditor shall submit an audit plan and audit report to the University Council, based on a risk evaluation of the institution’s operations. The report shall evaluate the efficiency of internal monitoring in University administration and, as appropriate, propose amendments to management practices and indicate opportunities for optimisation.

Along with the audit plan, the internal auditor shall submit a budget for each year.

5. Audit and engagement reports

Upon completing an audit or engagement, the internal auditor shall submit a written report to the University Council explaining the purpose of the audit/engagement, analysis, conclusions and proposed amendments. Before finalising the report, care must be taken to ensure that the subjects receive a draft copy and the opportunity to comment and correct factual errors.

Where appropriate, the audit report submitted to the University Council shall be accompanied by a statement from the University’s governing bodies and their proposed measures and follow-up. The University Council shall determine which proposals to approve and when they will be implemented. The Council may also determine whether and when the University’s governing bodies shall produce a report on the measures taken.

A copy of the internal auditor’s audit report shall be sent to the National Audit Office.

6. Criteria

The internal auditor shall work with reference to the following criteria and regulations:

• Legislation and regulation concerning the operations of the University of Iceland.
• Legislation and regulation on financial statements, accounts and state finances.
• Legislation on data protection and the handling of personal information.
• National Audit Office guidelines on internal auditing, internal supervision and the operational security of the information system.
• Internationally recognised guidelines, regulations and standards on the professional practices of internal auditing, e.g. from the International Organisation of Supreme Audit Institutions (INTOSAI), Institute of Internal Auditors and Information Systems Audit and Control Association.
• The University of Iceland Code of Ethics and the Code of Ethics from the Institute of Internal Auditors.

7. Communication with the National Audit Office

The internal auditor shall consult with the National Audit Office in order to coordinate working methods, avoid redundant work and ensure that auditing at the University of Iceland is, on the whole, in good shape.

The National Audit Office shall have access to the internal auditor’s audit plan, working data and reports.

Approval and review of formal statement of duties

This formal statement of duties for internal auditing was approved by the University Council on 7 February 2013 and enters into effect immediately. It will be reviewed within two years to include more detailed provisions on points considered unclear on the basis of experience. The formal statement of duties shall then be reviewed at regular intervals.

The formal statement of duties for the internal auditor at the University of Iceland states that one of the internal auditor’s responsibilities is to receive reasoned reports of waste and inefficiency in management practices and possible fraud in the handling of finances.

Waste and inefficiency

Staff, students and other members of the University community may report waste and inefficiency in management practices to the internal auditor. On receiving a report, the internal auditor shall determine whether the approved audit plan should be amended and an engagement carried out as soon as possible. If the internal auditor does not believe the report warrants such action, it will become part of the data for the next review of the internal auditor’s risk assessment.

All reports to the internal audit are disclosed in the internal auditor’s annual report.

Fraud

In accordance with the formal statement of duties, the internal auditor shall tackle any possible financial fraud. According to the definition from the National Audit Office, financial fraud is illegal conduct involving the acquisition of money or other valuables belonging to another party.  This covers, for example, theft, embezzlement, falsifying reports, bribery and unlawful collusion.

Staff, students and other parties should report any suspicion of financial fraud to the internal auditor immediately. Reports must be made in writing and supported with reasoned arguments. They must identify the person suspected of fraud by name and, if appropriate, provide relevant supporting data. The internal auditor is responsible for examining reports and shall determine whether there is cause to alert the University Council and rector.

Reports and supporting data can be sent to the internal auditor by email at: ingunno@hi.is.  The name of the informant shall remain confidential unless the individual in question gives permission to reveal his or her personal details. Those who do not feel comfortable making a report under their own name can send information by post or place it in the internal auditor’s pigeonhole in the Main Building.