Internal Audit Charter

The mission of the Internal Audit Unit of McGill University (“IA”) is to provide independent, objective assurance and consulting activity designed to add value and improve McGill University’s operations. It assists McGill University in accomplishing its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

IA is responsible for:

• Ensuring that the University has implemented an effective system of internal control to manage the risks facing the institution
• Providing cost-effective and independent assurance that internal controls are effective
• Supporting members of the University in the effective discharge of their responsibilities through the provision of reports, recommendations, advice and information concerning activities reviewed

More particularly, the scope of IA activities includes (but is not limited to) the following:

• Evaluating, consulting, and educating on financial and operational processes, controls, related risks, and exposures
• Providing advice and guidance on control and risk aspects of new policies, systems, processes, and procedures
• Verifying the existence of university assets and determining whether proper safeguards are maintained to protect them from loss
• Determining the level of compliance with university policies and procedures
• Determining the level of compliance with the policies and procedures of agencies and other regulatory bodies that have oversight of University activities
• Determining the level of compliance with provincial and federal laws and regulations
• Evaluating the accuracy, effectiveness, and efficiency of the university's electronic information and processing systems
• Determining the effectiveness and efficiency of units in accomplishing their mission and identifying operational opportunities for cost savings and revenue enhancements
• Coordinating audit efforts with, and provide assistance to, the external auditors
• Investigating fraud and other types of fiscal misconduct

IA will remain free from interference by any element in the institution, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude.

Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair internal auditor’s judgment.

Internal auditors will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.

There shall be an Executive Director of IA who shall be appointed by the Vice-President, Administration and Finance following consultation with the Chair of the Audit Committee of the Board of Governors (“Audit Committee”).

The terms and conditions of employment of the Executive Director shall be determined by the Vice-President, Administration and Finance following consultation with the Chair of the Audit Committee, and shall respect the standards and norms for the employment of senior members of the executive team.

To allow IA to fulfill its mandate, IA will have full and unrestricted access to the Audit Committee (through its chair) and has the authority to audit any and all of the University’s operations and to this end shall have unrestricted access to the following:

• All records of the University
• All University information systems
• All University units and its personnel
• All University property and assets

Note: IA shall, where necessary, require members of the University to actively cooperate with it and respond promptly to its request for information or access to facilities, records, and information systems.

The Audit Committee, in conjunction with the senior administrative officers of the University, shall ensure that IA and its Executive Director have the independence, resources and institutional support to perform its functions in an appropriate and effective manner.

The Executive Director in conjunction with the Audit Committee, and after consultation with the University’s senior administration, shall establish each year the activities for IA through the elaboration of an internal audit plan.

The internal audit plan will be developed using a risk based methodology and shall identify:

• All projected audit activities for the year
• The rationale for each audit activity
• The high-level objectives of each audit activity
• Those activities which may require the use of external resources

The plan shall make reasonable allowance for IA to respond to unforeseen matters that may arise during the course of the year. Any significant deviation from the approved internal audit plan will be communicated to the Audit Committee and the University’s senior administration through periodic status reports.

To the Audit Committee
The Executive Director shall report to the Audit Committee (through its chair). More particularly, the Executive Director shall report in writing to the Audit Committee:

• Periodically on the progress and results of IA activities of the current fiscal year and annually on the activities for the preceding fiscal year
• Whenever there is evidence of a defalcation or evidence of other inappropriate activity
• Whenever a unit or person fails to initiate appropriate corrective action after being notified by IA of matters that require attention

Where warranted the Executive Director shall report only to the Audit Committee.

To the Vice-President, Administration and Finance
The Executive Director shall report to the Vice-President, Administration and Finance on the day to day administration, activities and operation of IA.

To Units and Individuals
The Executive Director shall ensure that:

• Each unit or person whose records or activities are audited receives a written report on the conclusion of the audit
• Others with a legitimate interest in the audit of that unit or person also receive a copy of the report

In the event that the report discloses matters that require attention by the person or unit, the report shall:

• Include a response by the person or unit which identifies the corrective actions that have been or shall be taken to address the matter
• Stipulate the delay within which the person or unit shall implement the corrective action
• Identify the “best practices” of peer institutions for dealing with the matter (if applicable)

IA shall retain responsibility for ensuring that the corrective action taken is adequate to remedy significant risks identified.

The Executive Director of IA will periodically report to the Audit Committee and senior management on IA’s purpose, authority, and responsibility, as well as performance relative to its plan. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior administration or the Audit Committee.

In addition, the Executive Director of IA will communicate to the Audit Committee and senior administration on IA’s quality assurance and improvement program, including results of ongoing internal assessments and external assessments.

The Executive Director and all members of IA shall conduct themselves in conformity with the University’s policies governing conflict of interest and conflict of commitment and shall conform to the Code of Ethics of the Institute of Internal Auditors, which requires that they:

• Perform their work with honesty, diligence, and responsibility
• Observe the law and make disclosures expected by the law and the profession
• Not knowingly be a party to any inappropriate activity or engage in acts that are discreditable to the profession or to the University
• Respect and contribute to the legitimate and ethical objectives of the University
• Not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment
• Not accept anything that may impair or be presumed to impair their professional judgment
• Disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review
• Be prudent in the use and protection of all information acquired in the course of their duties
• Not use any information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the University