Internal Audit & Advisory Services Charter

(As amended through September 25, 2025)

PURPOSE

The purpose of Internal Audit & Advisory Services (IA&AS) is to provide Senior Management and the Audit Committee of the Board of Trustees with independent, risk-based, and objective assurance, advice, insight and foresight. As an independent advisor, IA&AS helps strengthen the University’s ability to create, protect and sustain organizational value and to achieve its strategic objectives through a risk-based and data-driven approach. The internal audit program brings a systematic, disciplined approach to enhance the University’s:

  • Successful achievement of its objectives
  • Effectiveness and efficiency of risk management, control, and governance processes,
  • Decision-making and oversight.
  • Reputation and credibility with its stakeholders
  • Ability to service the public interest

IA&AS provides Senior Management with analyses, appraisals, and recommendations concerning the activities reviewed to assist them in maintaining and improving the overall control and process environment within the operations under their direction, and assists Senior Management in monitoring the overall effectiveness of the system of internal control in achieving the broad objectives of the University. Additionally, the internal audit function provides the Audit Committee with counsel and information regarding the activities reviewed to assist them in fulfilling their responsibilities. IA&AS will perform its work in conformance with The Institute of Internal Auditor’s (IIA) Global Internal Audit StandardsTM, which are set in the public interest.

COMMITMENT TO ADHERANCE TO THE GLOBAL INTERNAL AUDIT STANDARDS

IA&AS will adhere to the mandatory elements of IIA’s International Professional Practices Framework, which are the Global Internal Audit Standards and Topical Requirements. The chief audit executive will report annually to the board and senior management regarding the department’s conformance with the Standards, which will be assessed through a quality assurance and improvement program.

AUTHORITY

The Audit Committee of the Board of Trustees grants the Chief Audit Executive (CAE) of the University the authorization to direct a broad, comprehensive program of internal auditing and advisory services within the University and its related operations. In carrying out this program, the CAE and members of the audit and advisory staff are authorized to:

  • Have full, free, and unrestricted access to all University functions, records, properties, manual and automated systems, and personnel. Documents and information given to Internal Audit & Advisory Services will be handled in the same prudent manner as by those employees normally accountable for them.
  • Allocate resources, set frequencies, select reviews, determine scope of work, and apply the techniques required to accomplish objectives.
  • Obtain the appropriate assistance of University personnel where audits are performed as well as other specialized services from within or/outside the University.

Subject to the oversight of the Board of Trustees (to which it reports regularly), the Audit Committee has the authority and responsibility to act on behalf of the Board in monitoring the accounting and financial reporting practices of Boston University, and overseeing both internal and external audit functions. The CAE reports to the Audit Committee on all Internal Audit & Advisory Services activities and attends Committee meetings to report on significant findings and recommendations, the operations of the internal audit and advisory function, and such other information as is requested by the Committee. Additionally, the CAE will have full and free access to the Audit Committee.

The CAE will report functionally to the Audit Committee Chair. For purposes of administration, the CAE reports to an officer designated by the Committee. Currently, this officer is the Senior Vice President, Chief Financial Officer and Treasurer. The CAE may also communicate directly to Senior Leadership, the President, or the Chairman of the Audit Committee as needed, and will aim to hold, at least annually, a one-on-one with the University President.

INDEPENDENCE AND OBJECTIVITY

In executing the internal audit and advisory program, the CAE and audit staff have no direct authority over, or responsibility for, any system, procedure, or activity which Internal Audit & Advisory Services would be responsible to review. Therefore, Internal Audit & Advisory Services may not develop or institute procedures, prepare records, make management decisions, or engage in any other activity which could reasonably be construed to compromise its objectivity or independence. Such tasks are the complete responsibility of operating management. Objectivity is not adversely affected by the recommendation of the standards of control to be applied in the development of systems and procedures under review. The CAE will ensure that all work done in an advisory capacity does not adversely affect audit objectivity or independence and that issues identified during advisory work are resolved.

Internal auditors and advisors will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors and advisors will make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.

RESPONSIBILITY

Ethics and Professionalism
The CAE and staff are responsible for:

  1. Ensuring that the work of the department is consistent with the Global Internal Audit Standards, including the Principles of Ethics and Professionalism: integrity, objectivity, competency, due professional care, and confidentiality.
  2. Promoting ethical practices and supporting governance processes that encourage ethical decision-making and behavior at all levels of the University.
  3. Advising management on the University’s Code of Ethical Conduct and the Conflict of Interest Policy, including participation in the University Compliance Committee and assisting with the review of reports filed through EthicsPoint.
  4. Maintaining an unbiased attitude that allows them to perform engagements objectively such that they believe their work product does not compromise quality and does not subordinate judgment on audit matters to others, either in fact or appearance.

Managing the Internal Audit Function
The CAE is responsible—directly or through delegation—for:

  1. Establishing policies for Internal Audit & Advisory Services activities and directing technical and administrative functions.
  2. Developing a flexible annual audit and advisory plan using a risk based methodology that incorporates findings from the Enterprise Risk Management process, the University’s strategic objectives, and input from the Office of Compliance Services. The plan will be presented to the Audit Committee of the Board of Trustees for review and approval.
  3. Reviewing the adequacy and effectiveness of management’s processes for risk management, internal control, safeguarding University assets, governance, and compliance with local, state, federal, and international laws and regulations.
  4. Reviewing and adjusting the internal audit plan, as necessary, in response to changes in BU’s business, risks, operations, programs, systems, and controls. These changes will be communicated to the Audit Committee.
  5. Issuing a written report for each audit and reporting periodically on audit findings and the status of corrective actions to the Audit Committee. Appraising the adequacy of action taken by management to correct reported deficiencies.
  6. Coordinating activities with the University’s independent public accountants to avoid duplication of efforts, maximizing the benefits of the University’s total investment in audit activities, and providing the University with adequate audit services.
  7. Conducting special examinations and/or consulting services requested by management and communicating results. These are services explicitly requested by University management and outside the scope of the agreed upon annual audit plan. Management is ultimately responsible for decision-making and implementation of any outcomes from these engagements.
  8. Supporting the University’s Enterprise Risk Management process by facilitating the identification, assessment, and reporting of key risks that may impair the achievement of the University’s strategic objectives. This includes trends and emerging risks that could impact BU.
  9. Collaborating with the Office of Compliance Services on the identification of gaps in compliance controls and validating the effectiveness of management compliance systems.
  10. Conducting an annual self-assessment of departmental objectives, procedures, performance, and metrics along with a periodic, external Quality Assessment Review as part of the Quality Assurance and Improvement Program in accordance with the Standards.

QUALITY ASSURANCE AND IMPROVEMENT PROGRAM

The chief audit executive will develop, implement, and maintain a quality assurance and improvement program (QAIP) that covers all aspects of the internal audit function. The program will include external and internal assessments of the internal audit function’s conformance with the Global Internal Audit Standards, as well as performance measurement to assess the internal audit function’s progress toward the achievement of its objectives and promotion of continuous improvement. Also, if applicable, the assessment will include plans to address the internal audit function’s deficiencies and opportunities for improvement.

Annually, the chief audit executive will communicate with the board and senior management about the internal audit function’s QAIP, including the results of internal assessments (ongoing monitoring and periodic self-assessments) and external assessments. External assessments will be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization.

COMMUNICATING WITH THE BOARD AND SENIOR MANAGEMENT

The chief audit executive will report annually to the Audit Committee and Senior Management on the following topics:

  • IA&AS Mandate through review of the Charter
  • IA&AS Annual Audit Plan and performance against the Plan
  • Use of IA&AS resources
  • IA&AS resource requirements
  • Significant revisions to the Plan
  • Potential impairments to objectivity or independence, including relevant disclosures as applicable
  • Results from the QAIP program
  • Results of assurance and advisory services – noting any significant risk exposures or control issues
  • Management’s responses to findings and/or risks that IA&AS deems unacceptable beyond BU’s risk appetite