Internal Audit Charter

(Charter Revised March 2026)

Purpose

The purpose of University of California (UC) Internal Audit (IA) is to strengthen UC’s ability to create, protect, and sustain value by providing the Board of Regents and management with independent, risk-based, and objective assurance, advice, insight, and foresight.

IA enhances UC’s:

  • Successful achievement of its objectives.
  • Governance, risk management, and control processes.
  • Decision-making and oversight.
  • Reputation and credibility with its stakeholders.
  • Ability to serve the public interest.
UC IA is most effective when:
  • Internal auditing is performed by competent professionals in conformance with The Institute of Internal Auditors’ (IIA) Global Internal Audit Standards, which are set in the public interest.
  • IA is independently positioned with direct accountability to the Board of Regents and President, with direct access to Regents as appropriate and consistent with Regents Bylaw 23.5(c).
  • Internal auditors are free from undue influence and committed to making objective assessments.

Back to top

Commitment to Adhering to the Global Internal Audit Standards

UC IA will adhere to the mandatory elements of the IIA's Global Internal Audit Standards (the Standards) published January 9, 2024. The Chief Compliance and Audit Officer (CCAO) will report annually to the Board of Regents and senior management regarding IA’s conformance with the Standards, which will be assessed through a quality assurance and improvement program.

Back to top

Vision

UC will be a universally recognized knowledgeable, collaborative and trusted resource on governance, risk management and control.

Back to top

Mission

The mission of UC IA is to provide the Regents, President, campus Chancellors and Laboratory Director with independent and objective assurance and consulting services designed to add value and improve operations. We do this through communication, monitoring and collaboration with management to assist the University community in the discharge of their oversight, management, and operating responsibilities. IA brings a systematic, risk-based and disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.

Back to top

Mandate

Policy Statement

It is the policy of UC to maintain an independent and objective internal audit function to provide the Regents, President, campus Chancellors and Laboratory Director with information and assurance on the governance, risk management and internal control processes of the University. Further, it is the policy of the University to provide the resources necessary to enable Internal Audit (IA) to achieve its mission and discharge its responsibilities under its charter. Internal Audit is established by the Regents, and its responsibilities are defined by the Regents Compliance and Audit Committee as part of their oversight function.

Back to top

Authority

IA functions under the policies established by the Regents of the University of California and by University management under delegated authority.

IA is authorized to have full, free and unrestricted access to information it deems necessary to perform audit, consulting/advisory services, investigation projects and ongoing risk assessment activities, including, but not limited to, records, computer files, information systems, databases, property, and personnel of the University in accordance with the authority granted by approval of this charter and federal and state statutes. Except where limited by law, the work of IA is unrestricted. IA is free to review and evaluate all policies, procedures, and practices for any university activity, program, or function on behalf of the Board of Regents.

In performing the audit function, IA has no direct responsibility for, nor authority over, any of the activities reviewed. The IA review process does not in any way relieve other persons in the organization of the responsibilities assigned to them.

Information requested by IA shall be provided without delay. Any attempt to interfere with or prevent IA’s access to information, including termination of access to information required to perform IA’s duties, shall be immediately escalated to the local Chancellor/Laboratory Director and to the President of the University for resolution. If the access issues are not timely resolved through this escalation, the CCAO shall escalate the issues to the Chair of the Regents Compliance and Audit Committee for resolution.

Back to top

Independence and Reporting Structure

To permit the rendering of impartial and unbiased judgment essential to the proper conduct of audits, internal auditors will be independent of the activities they audit. This independence is based primarily upon organizational status and objectivity and is required by the Standards.

The CCAO has a dual reporting relationship to the Regents and President per Regents Bylaw 23.5(c), with direct access to the Board of Regents and the Regents Compliance and Audit Committee as appropriate regarding all elements of meaningful compliance and audit programs, including providing annual reports on compliance with applicable laws, regulations, and University policies. With regard to audits and investigations of the Office of the President, the CCAO reports solely and exclusively to the Board. The CCAO shall also consult with and advise the President and the Chair and Vice Chair of the Regents Compliance and Audit Committee on compliance and audit activities. The CCAO has established an active channel of communication with the Chair of the Regents Compliance and Audit Committee, as well as with campus/laboratory executive management, on audit matters. The CCAO has direct access to the President and the Regents Compliance and Audit Committee. In addition, the CCAO serves as a participating member on all campus/laboratory compliance oversight/audit committees.

Campus/Laboratory Internal Audit Directors (IADs) report administratively to the Chancellor/Laboratory Director and directly to the Regents Committee on Compliance and Audit through the CCAO. IADs have direct access to the CCAO and to the President or the Regents Compliance and Audit Committee as circumstances warrant.

Campus/laboratory IADs will report periodically to location compliance oversight/audit committees on the adequacy and effectiveness of the organization’s processes for controlling its activities and managing its risks in the areas set forth under the mission and scope of work, the status of the annual audit plan, and the sufficiency of audit resources. Local audit functions will coordinate with other control and monitoring functions involved in governance, such as risk management, compliance, security, legal, ethics, environmental health and safety, external audit, etc.

IADs may take directly to the respective Chancellor or Laboratory Director, the CCAO, the President, or the Regents matters that they believe to be of sufficient magnitude and importance. IADs shall take directly to the CCAO, who shall report to the President and the Regents Committee on Compliance and Audit Chair, any credible allegations of significant wrongdoing (including any wrongdoing for personal financial gain) by or about a Chancellor, Executive Vice Chancellor or Vice President, or any other credible allegations that if true could cause significant harm or damage to the reputation of the University.

The Chancellors/Laboratory Director may delegate other IAD administrative oversight responsibilities such as time and expense approval and departmental budget oversight to a position no lower than the Vice Chancellor/Associate Laboratory Director or Chief Operating Officer level. To maintain organizational independence, this position should generally not have responsibility over key operating units routinely reviewed by internal audit. The Chancellor/Laboratory Director shall retain responsibility for approval of the campus/laboratory annual audit plan and approval of local compliance oversight/audit committee charter, and shall meet with the IAD regularly to review the state of the internal audit function and the state of internal controls locally. The Regents have the ultimate authority to approve and/or amend the systemwide audit plan, which is a consolidation of all campus and laboratory audit plans.

Back to top

Scope of Work

The scope of IA work is to determine whether UC’s network of risk management, control, and governance processes, as designed and represented by management at all levels, is adequate and functioning in a manner to ensure:

  • Risk management processes are effective and significant risks are appropriately identified and managed.
  • Ethics and values are promoted within the organization.
  • Financial and operational information is accurate, reliable, and timely.
  • Employee’s actions are in compliance with policies, standards, procedures, and applicable laws and regulations.
  • Resources are acquired economically, used efficiently, and adequately protected.
  • Programs, plans, and objectives are achieved.
  • Quality and continuous improvement are fostered in the organization’s risk management and control processes.
  • Significant legislative or regulatory compliance issues impacting the organization are recognized and addressed properly.
  • Effective organizational performance management and accountability are fostered.
  • Coordination of activities and communication of information among the various governance groups occur as needed.
  • The potential occurrence of fraud is evaluated and fraud risk is managed.
  • Information technology governance supports UC’s strategies, objectives, and privacy framework.
  • Information technology security practices adequately protect information assets and are in compliance with applicable policies, rules and regulations.
  • Opportunities for improving management control, quality and effectiveness of services, and the organization’s image identified during audits are communicated by IA to the appropriate levels of management.

Back to top

Nature of Assurance and Consulting Services

IA performs three types of projects: 
  • Audits are assurance services defined as examinations of evidence for the purpose of providing an independent assessment of governance, risk management, and control processes for the organization. Examples include financial, performance, compliance, systems security and due diligence engagements
  • Consulting/Advisory Services, the nature and scope of which are agreed upon with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include reviews, recommendations (advice), facilitation, and training.
  • Investigations are independent evaluations of allegations generally focused on improper governmental activities, including misuse of university resources, fraud, financial irregularities, significant control weaknesses and unethical behavior or actions.

Back to top

Certain Personnel Matters

Action to appoint, demote or dismiss the CCAO requires the approval of the Regents.

Action to appoint an IAD requires the concurrence of the CCAO. Action to demote or dismiss an IAD requires the concurrence of the President and the Chair of the Regents Compliance and Audit Committee, upon the recommendation of the CCAO.

The CCAO shall participate in the annual performance management process for each IAD, including setting performance objectives and evaluating performance results. Annual performance appraisal results for IADs require concurrence of the CCAO.

Back to top