Office of University Audit
“The Office of University Audit provides independent audit and advisory services to the University Community by assessing risks, analyzing controls, and ensuring that business practices are effective, efficient and compliant with University and regulatory Policies.”
URMC Compliance Office:
Department of Public Safety:
Office of Human Resources:
(585) 275 – 2815
University Ombud Office
Objective and scope
The objective of the Office of University Audit is to assist all members of the University in the effective discharge of their responsibilities by furnishing them with analyses, appraisals, recommendations and pertinent comments concerning the activities reviewed. This involves going beyond the accounting and financial records to obtain a full understanding of the operations under review. The attainment of this overall objective involves such activities as:
- Ascertaining that risks are appropriately identified and managed.
- Reviewing and appraising the soundness, adequacy, and application of accounting, financial, and other operating controls by promoting effective controls at a reasonable cost.
- Evaluating the level of compliance with established University policies, plans and procedures, with federal and state laws and government regulations.
- Ascertaining the stewardship of University assets.
- Ascertaining the reliability and security of management data developed within the University.
- Appraising the quality of performance in carrying out assigned responsibilities. (Does not include appraising the quality of teaching, research, nor patient care.)
- Evaluating the effectiveness, efficiency and economy with which resources are deployed.
- Recommending operating improvements.
- Performing Construction Audits and Post Completion Reviews.
Responsibility and authority
The responsibilities of the Office of University Audit are:
- To inform and advise management, and to discharge this responsibility in a manner that is consistent with the Code of Ethics of the Association of College and University Auditors and the Institute of Internal Auditors, and in accordance with the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards and the Definition of Internal Audit).
- To coordinate internal audit and co-sourced activities with external audit and assurance resources so as to best achieve the objectives of the department.
- To develop a flexible annual audit plan based on a prioritization determined by using relevant risk factors, including any risks or control concerns identified by management. Submit the plan to the Audit and Risk Assessment Committee of the board of Trustees, Medical Center Audit and Risk Assessment Committee and the respective Audit Committees of the affiliated entities for their review and approval.
- To communicate to senior management and the respective Audit and Risk Assessment Committees any significant interim changes to the internal audit plan and the impact of resource limitations on the internal audit plan.
- To review and adjust the internal audit plan, as necessary, in response to changes in University of Rochester’s business, risks, operations, programs, systems and controls.
- To perform audit engagements, according to the internal audit plan, and communicate the results in a written report.
- To meet with and report to the respective Audit and Risk Assessment Committees, at least on an
annual basis, on whether:
- Appropriate action has been taken on significant audit findings.
- Audit activities have been directed toward the highest exposures to risk and toward increasing effectiveness, efficiency, and economy of operations.
- There is any unwarranted restriction on the staffing and authority of the Office of University Audit or on access by internal auditors to all University activities, records, property, and personnel.
- The Office of University Audit resources are sufficient to achieve the submitted annual audit plan.
- To follow up on engagement findings and corrective actions, and report periodically to senior management and the respective Audit and Risk Assessment Committees of any corrective actions not effectively implemented.
- To investigate any allegations of unethical business practices and/or financial and operational misconduct to determine if allegations are substantiated and to prevent future occurrences and to work with the Office of Public Safety, when appropriate.
- To provide reasonable assurance that trends and emerging issues that could impact the University are considered and communicated to senior management and the respective Audit and Risk Assessment Committees, as appropriate.
The Office of University Audit is provided with authority for full access to all of the University's records, properties, and personnel relevant to the subject under review. The Office of University Audit is free to review and appraise policies, plans, procedures, and records.
In performing its functions, the Office of University Audit has no direct responsibility for, nor authority over any of the activities which are reviewed. Therefore, the internal audit review and appraisal does not in any way relieve other persons of the responsibilities assigned to them.
The Executive Director of the Office of University Audit reports functionally to the Audit and Risk Assessment Committee of the Board of Trustees, and administratively to the Senior Vice President for Administration and Finance and Chief Financial Officer. Further, the Executive Director of the Office of University Audit has direct access to the President, the Audit and Risk Assessment Committee of the Board of Trustees, the Medical Center Audit and Risk Assessment Committee and the Audit and Risk Assessment Committees of the Affiliated Entities.
In order to maintain objectivity, the Office of University Audit will not undertake to develop and install procedures, prepare records, or engage in any other activity which it would normally review and appraise, and which could reasonably be construed to compromise its independence. However, objectivity need not be adversely affected by University Audit's determination and recommendation of the standards of control to be applied in the development of systems and procedures under review.
Adopted By The Audit and Risk Assessment Committee,
Of The Board Of Trustees
Of The University Of Rochester,
October 3, 2019