Purpose and Scope
The Office of Audit, Compliance & Privacy (OACP) serves as an independent appraisal activity consisting of two interrelated disciplines – internal audit and institutional compliance – that collectively support Auburn University’s mission across all divisions, including Auburn Main Campus, AUM, AAES, and ACES.
Division of Internal Audit
The internal audit function enhances Auburn University’s capacity to create, protect, and sustain value by delivering independent, risk-based, and objective assurance, advisory services, and strategic insights to both management and the Auburn University Board of Trustees (the Board). Through systematic and evidence-based evaluations, internal audit assesses the effectiveness of governance, risk management, and internal controls. These activities are designed to promote accountability and continuous improvement across the institution.
Division of Institutional Compliance & Privacy
Institutional Compliance & Privacy provides independent oversight of Auburn University’s compliance programs. The function evaluates adherence to federal, state, and local laws and regulations, and to University policies. It works collaboratively with departments across the institution to identify, address, and mitigate regulatory risks. The compliance team also supports the University’s commitment to ethical conduct and privacy protection.
Scope
OACP’s scope encompasses all University activities, assets and personnel.
Mandate
Authority of the Office of Audit, Compliance & Privacy (OACP)
OACP derives its authority from the Board, which formally mandates OACP to provide independent, objective assurance, advisory services, and strategic insight to both the Board and senior leadership.
OACP’s authority is established through its direct reporting relationship to the Audit & Compliance Committee of the Board and its administrative reporting line to the University President.
Under this mandate, the Board authorizes OACP to:
- Access all University resources: OACP is granted full and unrestricted access to all functions, data, systems, records, information, physical property, and personnel necessary to fulfill its audit, compliance, and privacy responsibilities. OACP is accountable for confidentiality and security of all information obtained.
- Exercise professional discretion: OACP has the authority to allocate resources, determine audit and compliance priorities, set the frequency and scope of engagements, apply appropriate methodologies, and issue communications necessary to achieve its objectives.
- Engage internal and external expertise: The office may request assistance from University personnel and, when necessary, engage specialized services from external providers to support the execution of its responsibilities.
Independence, Organizational Position, and Reporting Relationships
OACP operates with organizational independence to ensure objectivity and integrity in its work. The Vice President, Institutional Compliance & Security holds a dual reporting structure – functionally to the Board and administratively to the University President. This positioning empowers the Vice President to escalate matters directly to senior leadership or to the Board without interference, reinforcing the office’s ability to act independently and impartially.
The Vice President, Institutional Compliance & Security will confirm to the Board, at least annually, the organizational independence of OACP. The chief audit executive (CAE) will disclose to the Board any instances of interference internal auditors encounter affecting the scope, execution, or communication of internal audit activities. Such disclosures will include an assessment of the impact on the function’s effectiveness and its ability to fulfill its mandate.
Responsibility
OACP shall maintain the University's anonymous reporting system, which enables stakeholders to confidentially report concerns related to fraud, ethics violations, and compliance issues. OACP shall review all reports received and determine their appropriate disposition.
The Division of Internal Audit shall have the responsibility to:
- Develop a dynamic annual audit plan using a risk-based methodology that incorporates input of the Board and senior management.
- Present the annual audit plan to the Chair of the Audit & Compliance Committee of the Board for input and consideration.
- Continuously review and revise the audit plan, as necessary, to reflect changes in business operations, risks, systems, and internal controls.
- Execute audits and reviews as outlined on the audit plan.
- Conduct special projects, investigations, and advisory services as requested by management and deemed high-risk by the Vice President and Chief Audit Executive.
- Recommend enhancements to risk management, internal controls, and governance processes.
- Report the results of audit work to senior management and the Chair of the Audit & Compliance Committee.
- Follow up on engagement recommendations to verify implementation and effectiveness of corrective actions.
- Provide an annual summary of audit activities to senior management and the Chair of the Audit & Compliance Committee.
- Coordinate with external auditors and regulatory agencies to minimize duplication of audit services.
- Maintain ongoing professional development to ensure the audit team possesses the competencies required to meet the Global Internal Audit Standards and fulfill its mandate.
- Monitor emerging risks and trends that may impact the University and communicate relevant insights to the Board and senior leadership.
- Strive for conformance with the Global Internal Audit Standards, including the principles of Ethics and Professionalism.
The Division of Institutional Compliance & Privacy shall have the responsibility to:
- Develop and execute a risk-based compliance work plan that prioritizes the University’s highest-risk areas.
- Periodically report compliance and privacy activities to the Chair of the Audit & Compliance Committee.
- Collaborate with distributed compliance partners and senior leadership to foster a culture of ethics and compliance across the institution.
- Promote and provide training on the institution’s Employee Code of Conduct & Ethics.
- Convene the Institutional Compliance Committee periodically to ensure broad oversight of University regulatory matters.
- Investigate and respond to allegations of non-compliance, including conducting reviews of reported issues in collaboration with Internal Audit as appropriate.
- Maintain ongoing professional development to ensure the staff has the necessary skills and competencies for effective compliance work.
- Strive to implement the best practices of effective compliance programs as outlined in the U.S. Federal Sentencing Guidelines.
- Uphold the Code of Ethics for Compliance and Ethics Professionals, as issued by the Society of Corporate Compliance and Ethics.
Approved by the Auburn University Board of Trustees
Original: November 18, 2016
Revised: November 21, 2025