Charter

Charter:

1.      INTRODUCTION

Internal auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value by improving the Vanderbilt University Medical Center (VUMC) operations.  The Office of Internal Audit (“Office” or “Internal Audit”) assists VUMC in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of VUMC’s governance, risk management, and internal control environment.

 

2.      ROLE

Internal Audit’s activities are established by the Audit & Compliance Committee of the VUMC’s Board of Directors (“Audit & Compliance Committee”) and responsibilities are defined by the Audit & Compliance Committee as part of their oversight role.

 

3.      PROFESSIONALISM

The Office of Internal Audit will govern itself by striving to adhere to The Institute of Internal  Auditors (“IIA”) mandatory guidance, including the Definition of Internal Auditing (see Attachment A), the Code of Ethics (see Attachment B), and the International Standards for the Professional Practice of Internal Auditing (“Standards”) which can be viewed at: https://na.theiia.org/standards-guidance/Pages/Standards-and-Guidance-IPPF.aspx.  This guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of Internal Audit’s performance.

In addition, the Office will adhere to VUMC’s relevant policies and procedures and to the policies and procedures set forth in the Office of Internal Audit Manual.

 

4.      AUTHORITY

The Office of Internal Audit, with strict accountability for confidentiality and safeguarding records and protected health information, is authorized full, free, and unrestricted access to any and all VUMC’s records, physical properties, and personnel pertinent to carrying out any review.  All VUMC personnel are requested to assist Internal Audit in fulfilling its roles and responsibilities.  Internal Audit will have free and unrestricted access to the Audit & Compliance Committee of the Board of Directors.

The Office’s scope of work includes all VUMC legal entities and majority-owned joint ventures.

 

5.      ORGANIZATION

The Vice President of Internal Audit will report functionally to the Audit & Compliance Committee of the Board of Directors and to the President and Chief Executive Officer of VUMC.  The Vice President of Internal Audit will report administratively to the VUMC Chief Administrative Officer.

The Audit & Compliance Committee will: 

  • Approve the Internal Audit Charter.
  • Approve the risk-based Internal Audit Work Plan.
  • Receive communications from the Vice President of Internal Audit on Internal Audit’s performance relative to its work plan and other matters.
  • Approve decisions regarding the appointment and removal of the Vice President of Internal Audit.
  • Make appropriate inquiries of management and the Vice President of Internal Audit to determine whether inappropriate scope or resource limitations exist.

The Vice President of Internal Audit will communicate and interact directly with the Audit & Compliance Committee, including in executive sessions and between Audit & Compliance Committee meetings as appropriate.

 

6.      INDEPENDENCE AND OBJECTIVITY

Internal Audit will remain free from interference by any element in VUMC, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude.

Internal Audit team members will have no direct operational responsibility or authority over any of the activities audited.  Accordingly, they will not implement internal controls, develop policies or procedures, install systems, prepare records, or engage in any other activity that may impair Internal Audit team member judgment. 

The maintenance of its independence does not preclude the Office from performing consulting services designed to assist management in the execution of their duties.  In other words, Internal Audit may be invited by VUMC management to participate in initiatives or on teams whose objectives are to support the development and implementation of new systems or processes, to integrate new entities/practices, to review proposed polices and/or procedures, or to improve processes/performance.  Internal Audit’s participation in these initiatives will be limited to providing insight into risks and common policies/procedures/internal controls to mitigate risks for management’s consideration. 

Internal Audit team members will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.  Internal Audit team members will make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.

The Vice President of Internal Audit will confirm to the Audit & Compliance Committee, at least annually, the organizational independence of Internal Audit’s activity.

 

7.      RESPONSIBILITY

The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of VUMC’s governance, risk management, and internal controls.  The scope also includes an evaluation of the quality of performance in carrying out assigned responsibilities to achieve the organization’s stated goals and objectives.  This includes: 

  • Identifying and evaluating risk exposure relating to achievement of VUMC’s strategic objectives.
  • Assessing the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
  • Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the organization.
  • Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
  • Evaluating the effectiveness and efficiency with which resources are employed.
  • Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as designed.
  • Monitoring and evaluating governance processes.
  • Assisting management with establishing VUMC’s risk management processes and monitoring and evaluating the effectiveness of VUMC’s risk management processes in the future.
  • Considering VUMC’s external audit firm’s scope of work and the work of regulators and the degree of coordination with Internal Audit’s work plan.
  • Performing consulting services related to governance, risk management and control as appropriate for VUMC.  Examples include facilitation, process design, review of policies and procedures, and training.
  • Reporting periodically on Internal Audit’s purpose, authority, responsibility, and performance relative to its plan.
  • Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the Audit & Compliance Committee.
  • Evaluating specific operations at the request of the Audit & Compliance Committee or management, as appropriate.
  • Evaluating and assessing significant joint venture/acquisition activities and new or changing services, information systems, processes, operations coincident with their development, implementation or expansion.
  • Assisting in the investigation of significant suspected fraudulent activities or wrong-doing within VUMC or its joint ventures.
  • Performing follow up inquires and testing, as applicable, on management Action Plans included in audit reports.

 

8.      INTERNAL AUDIT WORK PLAN

At least annually, the Vice President of Internal Audit will submit the Internal Audit Work Plan to senior management for review and to the Audit & Compliance Committee for review and approval.  The Internal Audit Work Plan will consist of a work schedule as well as budget and resource requirements for the next fiscal year.  The Vice President of Internal Audit will communicate the impact of resource limitations and significant interim changes to senior management and the Audit & Compliance Committee.

The Internal Audit Plan will be developed utilizing a risk-based methodology, including input of senior management and the Audit & Compliance Committee.  The Vice President of Internal Audit will review and adjust the work plan, as necessary, in response to changes in VUMC’s business, risks, operations, programs, systems, and controls.  Any significant deviation from the approved Internal Audit Work Plan will be communicated to senior management and the Audit & Compliance Committee through periodic activity reports.

 

9.      REPORTING AND MONITORING

A written report will be prepared and issued by Internal Audit following the conclusion of each internal audit assurance engagement and will be distributed as appropriate.  A summary of internal audit results will be communicated to the Audit & Compliance Committee highlighting key observations and resulting action plans.

The internal audit report will include management’s action plans taken or to be taken in regard to the specific observations.  Management's action plans will include a timetable for anticipated completion of action to be taken and the names of the individuals responsible for the completion of the action plans.

Internal Audit will lead efforts for appropriate follow-up on Action Plans detailed in audit reports.  All Action Plans will remain as open issues until Internal Audit is in agreement they are effectively closed.  Internal Audit will provide a summary of Action Plan statuses to management and the Audit & Compliance Committee.

Internal Audit will generally prepare a written memo summarizing significant consulting activities or investigations involving fraud or wrong-doing.  A summary of results from consulting activities/investigations will generally be communicated to the Audit & Compliance Committee.

The Vice President of Internal Audit will periodically report to senior management and the Audit & Compliance Committee on Internal Audit’s purpose, authority, and responsibility, as well as performance relative to its plan.  Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the Audit & Compliance Committee.

 

10.  QUALITY ASSURANCE AND IMPROVEMENT PROGRAM:

Internal Audit will strive to maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.  The program will include an evaluation of Internal Audit’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal team members apply the Code of Ethics. The program will assess the efficiency and effectiveness of the Internal Audit function and will identify opportunities for improvement.

The Vice President of Internal Audit will communicate to senior management and the Audit & Compliance Committee on Internal Audit’s quality assurance and improvement program, including results of ongoing internal assessments and will strive to conduct external assessments every five years.

 

APPROVED:            06/13/2018 Audit & Compliance Committee of the Board of  Directors Meeting