Internal auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of assessing the effectiveness of the institution's system of internal control to improve the controls and operations of the institution.

Internal Audit serves as proactive business partner with Stockton University (Stockton or the institution) to assist the institution in accomplishing its objectives by bringing a systematic and disciplined approach to evaluating and improving the effectiveness of the institution's risk management, control, and governance processes.

Internal Audit serves Stockton by upholding the highest professional standards; providing high quality, cost effective audit and management services; and communicating value-added outcomes to the Audit Committee of the Board of Trustees and senior management.

The internal audit activity is established by the Audit Committee of the Board of Trustees (hereafter referred to as the Audit Committee). The internal audit activity's responsibilities are defined by the Audit Committee as part of their oversight role.

The internal audit activity will govern itself by adherence to the Institute of lnternal Auditors' (IIA) mandatory guidance including the Definition of lnternal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity's performance.

The Institute of Internal Auditors' Practice Advisories, Practice Guides, and Position Papers will also be adhered to for operational guidance. In addition, the internal audit activity will adhere to Stockton's relevant policies and procedures and the internal audit activity's standard operating procedures manual.

The internal audit activity, with strict accountability for confidentiality and safeguarding of records and information, is authorized full, free, and unrestricted access to any and all of Stockton records, physical properties, and personnel pertinent to carrying out any engagement. All employees are requested to assist the internal audit activity in fulfilling its roles and responsibilities. The internal audit activity will also have free and unrestricted access to the Audit Committee.

Stockton will outsource the role of Chief Audit Executive to public accounting and advisory firm, Baker Tilly Virchow Krause, LLP (Baker Tilly), which will ensure the internal audit function remains objective and independent. The Chief Audit Executive, a CPA and partner with Baker Tilly, is not an employee of Stockton University; his or her only business relationship with Stockton will be through the internal audit outsourcing arrangement that Stockton enters into with Baker Tilly.

The Chief Audit Executive will receive staffing support on engagements from Baker Tilly auditors and from a Stockton internal auditor, who is an employee of the institution. The Stockton internal auditor will report functionally to the Chief Audit Executive, who will provide direction on all audit engagements, and will report administratively to the Executive Vice President and Chief of Staff of Stockton.

The Chief Audit Executive will report functionally to the Audit Committee and administratively (i.e., day-to-day operations) to the Executive Vice President and Chief of Staff. The Chief Audit Executive will communicate and interact directly with the Audit Committee, including in executive sessions and in between Audit Committee meetings as appropriate.

The Audit Committee will approve the internal audit charter and the risk-based internal audit plan at least annually. It will also approve all decisions regarding the performance evaluation, appointment, or removal of the Chief Audit Executive.

The internal audit activity will remain free from interference by any element in the institution, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude.

Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair the internal auditor's judgment.

Internal auditors must exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors must make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.

The Chief Audit Executive will confirm to the Audit Committee, at least annually, the organizational independence of the internal audit activity.

• Evaluating the reliability and integrity of information and the means used to identify,measure, classify, and report such
• Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the
• Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
• Evaluating the effectiveness and efficiency with which resources are
• Evaluating operations or programs to asce1iain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as
• Evaluating the compliance programs in place to determine operational effectiveness of those compliance procedures (including but not limited to Regulation Systems Compliance and Integrity).
• Monitoring and evaluating governance processes.
• Monitoring and evaluating the effectiveness of the institution's risk management.
• Evaluating the quality of performance of external auditors and the degree of coordination with internal audit.
• Performing consulting and advisory services related to governance, risk management and control as appropriate for the institution.
• Reporting periodically on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan.
• Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the Audit Committee.
• Performing follow-up review activity, at the direction and timeline of the Audit Committee, on all observations noted from internal audit activity and any other third-party reviews performed yielding observations warranting Management Action.
• Evaluating specific operations at the request of the Audit Committee or senior management, as appropriate.

At least annually, the Chief Audit Executive will submit to senior management and the Audit Committee an internal audit plan for review and approval. The internal audit plan will consist of a work schedule as well as budget and resource requirements for the next fiscal/calendar year. The Chief Audit Executive will communicate the impact of resource limitations and significant interim changes to senior management and the Audit Committee.

The internal audit plan will be developed based on a prioritization of the audit universe using a risk-based methodology, including input of senior management and the Audit Committee as well as Internal Audit's independent assessment of risks. Any significant deviation from the approved internal audit plan will be communicated to senior management and the Audit Committee through periodic activity reports.

A written report will be prepared and issued by the Chief Audit Executive or designee following the conclusion of each internal audit engagement and will be distributed as appropriate. Internal audit results will also be communicated to the Audit Committee.

The internal audit report may include management's response and corrective action taken or to be taken in regard to the specific findings and recommendations. Management's response, whether included within the original audit report or provided thereafter (i.e., within thirty days) by management of the audited area should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented.

The internal audit activity will be responsible for appropriate follow-up on engagement findings and recommendations. All significant findings will remain in an open issues file until cleared. On a monthly basis, Internal Audit will discuss open items with senior management to determine timeline for resolution as well as to determine if adverse trends in closure are developing.

The Chief Audit Executive will periodically report to senior management and the Audit Committee on the internal audit activity's purpose, authority, and responsibility, as well as performance relative to its plan. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the Audit Committee.

In addition, the Chief Audit Executive will communicate to senior management and the Audit Committee on the internal audit activity's quality assurance and improvement program.