This Charter of the Lawrence Berkeley National Laboratory (Berkeley Lab or Laboratory) Internal Audit Services (IAS) Department is approved by the Laboratory Director and the University of California Senior Vice President/Chief Compliance and Audit Officer (SVP/CCAO).
Internal auditing is an objective, independent, risk based, assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of Berkeley Lab. It assists Laboratory management in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s risk management, control and governance processes.
The mission of IAS is to assess and monitor the Laboratory community in the discharge of their oversight, management, and operating responsibilities in relation to governance processes, systems of internal controls, and compliance with laws, Department of Energy (DOE) Contract DE-AC02-05CH11231 (Contract 31) requirements, and Laboratory and University of California (UC) policies and procedures. This is accomplished by providing relevant, timely, independent, and objective assurance, advisory and investigative services using a systematic, disciplined approach to evaluate risk and improve the effectiveness of control and governance processes.
Independence and Reporting Structure
The Internal Audit activity is a key element of the Laboratory’s Institutional Assurance Program and is specified under Contract 31 Clauses I.76 Management Controls and I.103 Accounts, Records and Inspection. To permit the rendering of impartial and unbiased judgment essential to the proper conduct of audits, internal auditors must be independent of the activities they audit. This independence is based primarily upon organizational status and objectivity required by external professional standards.
The Chief Audit Executive (CAE) reports administratively to the Laboratory Director or appropriate designee and functionally to the UC Regents Committee on Compliance and Audit through the SVP/CCAO, who has a direct, independent reporting relationship to the UC Regents. The SVP/CCAO communicates directly with the Board of Regents and the Regents’ Committee on Compliance and Audit regarding all elements of meaningful compliance and audit programs. Action to appoint a CAE requires the concurrence of the SVP/CCAO. Action to demote or dismiss a CAE requires the recommendation of the SVP/CCAO and concurrence of the UC President and the Chair of the Regents’ Compliance and Audit Committee.
The CAE has direct access to the SVP/CCAO, the UC President, and the Regents’ Committee on Compliance and Audit and may take directly to the Laboratory Director, the SVP/CCAO, the UC President, or the Regents, matters believed to be of sufficient magnitude and importance. Internal Auditors shall communicate directly to the University’s SVP/CCAO, any credible allegations of significant wrongdoing (including any wrongdoing for personal financial gain) by or about the Laboratory Director or a Laboratory executive, or any other credible allegations that, if true, could cause significant harm or damage to the reputation of the University, DOE or the Laboratory. Any such matters shall be reported to The Board of Regents or the Chair of the Regents’ Committee on Compliance & Audit at the discretion of the SVP/CCAO. Under separate charter, the Laboratory Director’s Audit Advisory Committee reviews and provides input to the risk assessment process, and advises the Laboratory Director regarding the annual Audit Plan, audit results, and areas of concern.
These reporting relationships and communication frameworks ensure departmental independence from audited activities, promote comprehensive and effective audit coverage, and ensure adequate consideration of audit recommendations.
To assure impartial, unbiased judgment essential to the proper conduct of audits, internal auditors will be independent of the activities they audit.
Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair the internal auditor’s objectivity or independence.
Internal auditors must exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors must make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
IAS shall comply with the International Standards for the Professional Practice of Internal Auditing(Standards) and the Code of Ethics promulgated by the Institute of Internal Auditors (IIA). IAS staff will serve the Laboratory in a manner consistent with University and Laboratory policies and guidelines, including procedures outlined in the UC Internal Audit Manual.
In accordance with IIA standards, a Quality Assessment Review (QAR) of the LBNL Internal Audit function will be performed at least once every five years. The DOE Contractors Internal Audit Directors (CIAD) group will administer these reviews. The results of these reviews will be shared with management and presented to the local Advisory Audit Committee.
IAS performs three types of assurance and consulting projects:
- Audits: Assurance services defined as examinations of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples include financial, performance, compliance, systems security and due diligence engagements.
- Advisory Services: The nature and scope of these are agreed with the client. These engagements are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include reviews, recommendations (advice), facilitation, and training.
- Investigations: Independent evaluations of allegations generally focused on improper governmental activities including misuse of resources, fraud, financial irregularities, significant control weaknesses and unethical behavior or actions.
Scope of Work
The scope of IAS work is to determine whether the Laboratory’s system of risk management, control, and governance processes, as designed and represented by management at all levels, is adequate and functioning in a manner to ensure:
- Programs, plans, and objectives are achieved.
- Risk management processes are effective and significant risks are appropriately identified and managed.
- Ethics and values are promoted within the organization.
- Financial and operational information is accurate, reliable, and timely.
- Employees’ actions comply with policies, standards, procedures, and applicable laws and regulations.
- Resources are acquired economically, used efficiently, and adequately protected.
- Quality and continuous improvement are fostered in the organization’s risk management and control processes.
- Significant legislative or regulatory compliance issues impacting the organization are recognized and addressed properly.
- Effective organizational performance management and accountability is fostered.
- Coordination of activities and communication of information among the various governance groups occur as needed.
- The potential occurrence of fraud is evaluated and fraud risk is managed.
- Information technology governance supports LBNL strategies, objectives, and privacy framework.
- Information technology security practices adequately protect information assets and are in compliance with applicable policies, rules and regulations.
Opportunities for improving management control, quality and effectiveness of services, and organizational image, as identified during audits, are communicated by IAS to the appropriate levels of management.
Click here to view a copy of the signed Audit Charter