Employees’ Retirement System of the State of Hawaii

BOARD OF TRUSTEES INTERNAL AUDIT CHARTER

Internal auditing is an independent, objective assurance and consulting activity1 designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The Internal Audit function of the Employees’ Retirement System (“ERS”) is established by the ERS Board of Trustees (“Board”) and its responsibilities are defined in this charter which is approved by the Board. The Chief Audit Executive (“CAE”), which may be an individual employee or a firm contracted to outsource or co-source the internal audit function, reports functionally to the ERS Administrative & Audit Committee (“Committee”) and administratively to the ERS Executive Director (“ED”) or designee. Approval from the Board is required for the hiring, compensation, removal, or replacement of the CAE.

The objectives of Internal Audit are to assist management and employees of the ERS in the effective discharge of their responsibilities by providing them with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed and to promote effective internal controls at a reasonable cost.

The CAE and the Internal Audit staff are authorized to:

A. Review all areas of the ERS;

B. Have full, free, and unrestricted access to all of the ERS’s activities, records, physical property, and personnel necessary to complete their work;

C. Have full, free, and unrestricted access to the Board, Committee, ED, Deputy ED, Chief Investment Officer, Branch Chiefs, and all members of management;

D. Allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish audit objectives; and

E. Obtain the necessary assistance of personnel in units of the ERS where they perform audits, as well as other specialized services from within or outside the ERS.

The CAE and the Internal Audit staff are not authorized to:

A. Perform any operational duties for the ERS;

B. Initiate or approve accounting transactions external to the internal audit function; nor

C. Direct the activities of any ERS employee not employed by the internal audit function, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the internal auditors.

Internal auditors have no direct responsibility or any authority over any of the activities or operations that they review. They should not develop and install procedures, prepare records, or engage in activities that would normally be reviewed by internal auditors.

Internal Audit’s objectivity is not adversely affected, however, by recommending standards of controls to be applied in developing systems and procedures, or by evaluating existing or planned financial and operating systems and related procedures, and making recommendations for modification and improvements thereto in order to improve controls and/or enhance operational effectiveness.

The scope of work of the Internal Audit function is to determine whether the ERS’s network of risk management, control, and governance processes, as designed and represented by management, is adequate and functioning in a manner to ensure:

• Risks are appropriately identified and managed.

• Interaction with the various governance groups occurs as needed.

• Significant financial, managerial, and operating information is accurate, reliable, and timely.

• Employee actions are in compliance with policies, standards, procedures, and applicable laws and regulations.

• Resources are acquired economically, used efficiently, and adequately protected.

• Programs, plans, and objectives are achieved.

• Quality and continuous improvement are fostered in the ERS’s control process.

• Significant legislative or regulatory issues impacting the ERS are recognized and addressed properly.

Opportunities for improving management control, process efficiency, and the ERS’s image may be identified during audits. They will be communicated to the appropriate level of management.

Internal Audit is responsible for the following activities:

Standards

A. The CAE is responsible for ensuring that all activities of the internal audit function are carried out in compliance with the Institute of Internal Auditors’ (“IIA”) mandatory guidance including the “Definition of Internal Auditing,” the “Code of Ethics,” and applicable standards found in the “International Standards for the Professional Practice of Internal Auditing.”

B. Conduct a periodic risk assessment for the ERS and present the results to the Committee.

C. Develop a flexible annual Internal Audit Plan using an appropriate risk-based methodology, which considers risks or control concerns identified by management, and submit the plan to the Committee and the Board for review and approval.

D. Implement the annual Internal Audit Plan, as approved, including, and as appropriate, any special tasks or projects requested by management, the Committee, and the Board.

Ethics

E. Review the adequacy of the ERS’s adopted code of conduct activities, including the process to receive, retain, and treat complaints received on accounting and auditing matters.

F. Monitor management’s process for ensuring compliance with Hawaii Revised Statutes – Chapter 84, Standards of Conduct (“State Ethics Code”).

Monitoring & Follow-Up

G. Evaluate any plans to correct reported conditions for satisfactory improvement of the business process.

H. Provide adequate follow-up to ensure corrective action is taken and evaluate its effectiveness before recommending closure of an issue.

I. Monitor and evaluate the effectiveness of the organization’s risk management processes.

Reporting

J. Prepare and issue a written report following the conclusion of each audit and follow-up audit. This report shall include significant findings, recommendations to management, and management’s action plan. A copy of the report will be forwarded to the Committee, ED, Deputy ED, and appropriate members of management.

K. Inform and advise management and the Committee as to significant deficiencies or other substantive issues noted in the course of its activities.

L. Provide periodic reports on Internal Audit’s progress on implementing the annual Internal Audit Plan, including management’s progress on addressing previously reported matters, the impact of resource limitations, and significant interim changes.

M. On a regular basis, the CAE will meet separately with the Committee to discuss any matters that is deemed necessary by the Committee or Internal Audit.

Other

N. Conduct special examinations at the request of management or the Committee.

O. Perform consulting services, beyond internal auditing assurance services, to assist management in meeting its objectives. Examples may include facilitation, consultation on internal control improvement initiatives, training, and advisory services.

P. Assist in the investigation of significant suspected fraudulent activities within the organization and notify management and the Committee of the results.

Q. Coordinate audit efforts with those of the ERS’s external auditors and other regulatory agencies.

R. Evaluate and assess significant merging/consolidating functions and new or changing services, processes, operations, and control processes coincident with their development, implementation, and/or expansion.

S. Keep the Committee informed of emerging trends and successful practices in internal auditing.

T. Review this Internal Audit Charter on a periodic basis to ensure the purpose, authority, and responsibilities of Internal Audit continue to be adequate in accomplishing its objectives. Modify as appropriate, and submit to the Committee and ED for review and approval.

Last Revised & Adopted by the Board: May 2020