Internal Audit Charter

Internal Auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of Queen’s University (“university”).  The Office of Internal Audit (“Internal Audit”) assists the university in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s governance, risk management and controls.

The internal audit activity is established by the Audit and Risk Committee of the Board of Trustees (“Board”). The internal audit activity’s responsibilities are defined by the Audit and Risk Committee as part of their oversight role.

The internal audit activity will be guided by the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing (“Standards”), including the Definition of Internal Auditing and the Code of Ethics. This guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity’s performance.

The Institute of Internal Auditors’ Practice Advisories, Practice Guides and Position Papers will be utilized as applicable to guide operations. In addition, the internal audit activity will adhere to university policies and procedures and the internal audit activity’s standard operating procedures.

The internal audit activity, with strict accountability for confidentiality and safeguarding records and information, is authorized full, free, and unrestricted access to any and all of the university’s records, physical properties, and personnel pertinent to carrying out any engagement, including organizations under the control[1] of the university. All employees are requested to assist the internal audit activity in fulfilling its roles and responsibilities. The internal audit activity will also have free and unrestricted access to the Principal and the Board.


[1] As of April 30, 2020, the University controls PARTEQ Research and Development Innovations, the Bader International Study Centre, the U.S. Foundation for Queen’s University at Kingston, QCED Inc., and Queen’s University Pooled Trust Fund. Source: Note #1 to Consolidated Financial Statement for the Year ended April 30, 2020.

The Director, Internal Audit will report functionally to the Audit and Risk Committee through its Chair and administratively (i.e. day to day operations) to the Vice Principal (Finance & Administration).

The Audit and Risk Committee will:

  • Approve the internal audit activity charter.

  • Approve the risk based internal audit plan.

  • Review the internal audit budget and approve the resource plan.

  • Receive communications from the Director, Internal Audit on the internal audit activity’s performance relative to its plan and other matters.

  • Review and concur decisions regarding the appointment, reassignment and dismissal of the Director, Internal Audit.

  • Make appropriate inquiries of administration and the Director, Internal Audit to determine where there is inappropriate scope or resource limitations.

The Director, Internal Audit will communicate and interact directly with the Audit and Risk Committee and the Board, including in executive sessions and between Audit and Risk Committee and Board meetings as appropriate.

The internal audit activity will remain free from influence by any element in the University, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude.

Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not develop nor install systems or procedures, prepare records, or engage in any other activity that may impair an internal auditor’s judgment.

Internal auditors will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.  Internal auditors will make a balanced assessment of all relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.

The Director, Internal Audit will confirm to the Audit and Risk Committee, at least annually, the organizational independence of the internal audit activity.

The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the university's governance, risk management, and controls as well as the quality of performance in carrying out assigned responsibilities to achieve the university's stated goals and objectives. It includes:

  1. Evaluating risk exposure relating to the achievement of the university’s strategic objectives.

  2. Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.

  3. Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the organization.

  4. Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.

  5. Evaluating the effectiveness and efficiency with which resources are employed.

  6. Evaluating established systems of internal control to ascertain whether they are adequately designed and operating effectively.

  7. Evaluating operations or programs to ascertain whether results are consistent with established goals and objectives and whether the operations or programs are being carried out as planned.

  8. Monitoring and evaluating governance processes.

  9. Monitoring and evaluating the effectiveness of the university’s risk management processes.

  10. Performing consulting and advisory services related to governance, risk management and control as appropriate for the organization.

  11. Leading investigations of suspected frauds in accordance with the Fraud Policy, and the Fraud Investigation and Response Procedures
  12. Reporting incidents of fraud reports received, including the results of fraud investigations, to management, the Senior Leadership Team,
     and the Audit and Risk Committee as required under the Fraud Policy
  13. Reporting periodically on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan
  14. Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or 
    requested by the Audit and Risk Committee
  15. Evaluating specific operations at the request of the Audit and Risk Committee or the university’s administration, as appropriate

At least annually, the Director, Internal Audit will submit to senior management and the Audit and Risk Committee an internal audit plan for review and approval. The internal audit plan will consist of a work schedule as well as budget and resource requirements for the next fiscal year. The Director, Internal Audit will communicate the impact of resource limitations and significant interim changes to senior management and the Audit and Risk Committee.

The internal audit plan will be developed using a risk based methodology, including input of senior management, faculty administration, the Board of Trustees and the Audit and Risk Committee. The Director, Internal Audit will review and adjust the plan, as necessary, in response to changes in the University’s business, risks, operations, programs, systems and controls. Any significant deviation from the approved audit plan will be communicated to senior management and the Audit and Risk Committee through periodic activity reports.

A written report will be prepared and issued by the Director, Internal Audit following the conclusion of each internal audit engagement and will be distributed as appropriate.  Internal Audit results will also be communicated to the Audit and Risk Committee.

The internal audit report may include management's response and corrective action taken or to be taken in regard to the specific findings and recommendations. In cases where management action plans are not included within the audit report, management of the audited area should respond, in writing, to the Director, Internal Audit within thirty days of publication. Management's response, whether included within the original audit report or provided thereafter should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented. 

The internal audit activity will be responsible for appropriate follow-up on engagement findings and recommendations. All significant findings will remain in an open issues file until cleared.

The Director, Internal Audit will periodically report to senior management and the Audit and Risk Committee on the internal audit activity’s purpose, authority, and responsibility, as well as performance relative to its plan. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the Audit and Risk Committee.