University System of Maryland
Office of Internal Audit


The University System of Maryland maintains a central Internal Audit Office that independently appraises the System's activities to assist the Board of Regents and its Audit Committee in fulfilling the Board's fiduciary responsibilities. Internal Audit primarily functions to help managers discharge their responsibilities effectively, efficiently, and economically.

To that end, the Internal Audit staff reviews financial and operating activities, analyzes internal control structures and procedures, and recommends corrective measures to both administrators and operating managers. Internal Audit functions as a member of the System's management team, but responsibility for correcting deficiencies rests with the responsible administrators.


The function, which is part of the University of Maryland System, reports to and is responsible to the Board of Regents Audit Committee. The Audit Committee has authority for hiring and terminating the Director of Internal Audit; determining appropriate compensation; and performing annual performance reviews.  For administrative purposes, the Internal Audit Office reports to the Chancellor. Administratively, the Chancellor will work with the Director of Internal Audit to ensure that the Internal Audit Office maintains a professional level of independence, and that the internal audit function has adequate resources to accomplish its mission.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.  It helps an organization accomplish objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

In carrying out its mission, the Internal Audit Office will have full, free, and unrestricted access to all System activities, including records, reports, property, and personnel. In addition, the Director of Internal Audit will have direct access to the Audit Committee, including meeting privately at least annually.

The Office of Internal Audit is authorized, but not limited, to perform the following engagements:

  • Financial Audits
  • Operational Audits
  • Compliance Audits
  • Investigative Audits
  • Follow-up Audits
  • Information Systems Audits
  • Cyber Security Audits
  • Internal Control Reviews
  • Consulting Services

Internal Audit will be responsive and responsible to administrators and managers at all levels in the System. Similarly, each President and unit Director will ensure the cooperation of their administrators and managers throughout the internal audit process.

Each President is responsible for submitting a written response to each audit report. 

Code of Ethics

Principles - Internal auditors are expected to apply and uphold the following principles:

1.Integrity - The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.

2.Objectivity - Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments

3.Confidentiality - Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.

4.Competency - Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.  Internal auditors will have a BA or BS degree and will have a Certified Public Accountant, a Certified Internal Auditor, and/or a JD designation (or be a candidate for each designation).  Internal Auditors will complete continuing education to keep their certifications Active.


Rules of Conduct


Internal auditors:

1.1 Shall perform their work with honesty, diligence, and responsibility.

1.2 Shall observe the law and make disclosures expected by the law and the profession.

1.3 Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.

1.4 Shall respect and contribute to the legitimate and ethical objectives of the organization.


Internal auditors:

2.1 Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.

2.2 Shall not accept anything that may impair or be presumed to impair their professional judgment.

2.3 Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.


Internal auditors:

3.1 Shall be prudent in the use and protection of information acquired in the course of their duties.

3.2 Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.


Internal auditors:

4.1 Shall engage only in those services for which they have the necessary knowledge, skills, and experience.

4.2 Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing.

4.3 Shall continually improve their proficiency and the effectiveness and quality of their services.

4.4 Shall ensure timely reporting of audit results.

The Director of Internal Audit will Ensure that:

  • The audit staff is appropriately organized and competently supervised, and that professionalism is maintained through adherence to the applicable standards of the Institute of Internal Auditors (IIA), the Information System Audit and Control Association (ISACA),
  • Internal Auditors apply and uphold the IIA’s Code of Ethics.
  • Audits have been designed to detect significant operational and financial risks as well as to review the effectiveness, efficiency, and economy of operations.
  • The audit staff has sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
  • Operating managers, administrators, and chief executive officers are promptly and fully informed about the scope of each review, the findings, and the recommended measures for improvement.
  • An annual audit schedule is submitted for approval to the Board of Regents Audit Committee.

In addition, the Director of Internal Audit will periodically report audit activities to the Audit Committee, and will submit other reports as requested by the Audit Committee. Such written reports will include statements as to whether:

  • The Internal Audit Office has had the unrestricted access necessary to carry out its duties;
  • Appropriate action has been taken to correct findings described in audit reports; and
  • Internal and external audits have been coordinated to avoid duplicating effort.

The Director, with the Audit Committee's approval, is authorized to establish and revise procedures for carrying out this policy.


APPROVED BY THE BOARD OF REGENTS ON: 11/15/2007; REVISED: 12/21/2016; REVISED 06/22/18