Charter

Vanderbilt University Medical Center
Office of Internal Audit
Department Charter (approved 04/09/2024)


1. INTRODUCTION
Internal auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value by improving the Vanderbilt University Medical Center (VUMC) operations. The Office of Internal Audit (“Office” or “Internal Audit”) assists VUMC in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of VUMC’s governance, risk management, and internal control environment.


2. ROLE
Internal Audit’s activities are established by the Audit & Compliance Committee of the VUMC’s Board of Directors (“Audit & Compliance Committee”) and responsibilities are defined by the Audit & Compliance Committee as part of their oversight role.


3. PROFESSIONALISM
The Office of Internal Audit will govern itself by striving to adhere to The Institute of Internal Auditors (“IIA”) mandatory guidance, including the Definition of Internal Auditing (see Attachment A), the Code of Ethics (see Attachment B), and the International Standards for the Professional Practice of Internal Auditing (“Standards”) which can be viewed at: https://na.theiia.org/standards-guidance/Pages/Standards-and-Guidance-I…. This guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of Internal Audit’s performance.
In addition, the Office will adhere to VUMC’s relevant policies and procedures and to the policies and procedures set forth in the Office of Internal Audit Manual.


4. AUTHORITY
The Office of Internal Audit, with strict accountability for confidentiality and safeguarding records and protected health information, is authorized full, free, and unrestricted access to any and all of VUMC’s records, physical properties, and personnel pertinent to carrying out any review. All VUMC personnel are requested to assist Internal Audit in fulfilling its roles and responsibilities. Internal Audit will have free and unrestricted access to the Audit & Compliance Committee of the Board of Directors.
The Office’s scope of work includes all VUMC legal entities and majority-owned joint ventures.


5. ORGANIZATION
The Vice President (VP) of Internal Audit will report functionally to the Audit & Compliance Committee of the Board of Directors and to the President and Chief Executive Officer of VUMC (CEO). The VP of Internal Audit will report administratively to the VUMC Chief Operating Officer (COO). The VP will also work directly with members of Senior Management in addition to the CEO and COO (General Counsel and Secretary, Chief Financial Officer, and Deputy CEO & Chief Clinical Officer) on matters concerning their areas of oversight.
The Audit & Compliance Committee will:
• Approve the Internal Audit Charter.
• Approve the risk-based Internal Audit Work Plan.
• Receive communications from the VP of Internal Audit on Internal Audit’s performance relative to its work plan and other matters.
• In coordination with the CEO and COO, review the appointment, reassignment, or dismissal of the VP of Internal Audit and review the performance of the VP and concur with annual compensation, bonuses, and salary adjustments.
• Make appropriate inquiries of management and the VP of Internal Audit to determine whether inappropriate scope or resource limitations exist.
The VP of Internal Audit will communicate and interact directly with the Audit & Compliance Committee, including in executive sessions and between Audit & Compliance Committee meetings as appropriate.


6. INDEPENDENCE AND OBJECTIVITY
Internal Audit will remain free from interference by any element in VUMC, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude.
Internal Audit team members will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop policies or procedures, install systems, prepare records, or engage in any other activity that may impair Internal Audit team member judgment.


The maintenance of its independence does not preclude the Office from performing consulting services designed to assist management in the execution of their duties. In other words, Internal Audit may be invited by VUMC management to participate in initiatives or on teams whose objectives are to support the development and implementation of new systems or processes, to integrate new entities/practices, to review proposed policies and/or procedures, or to improve processes/performance. Internal Audit’s participation in these initiatives will be limited to providing insight into risks and common policies/procedures/internal controls to mitigate risks for management’s consideration.


Internal Audit team members will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal Audit team members will make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
The VP of Internal Audit will confirm to the Audit & Compliance Committee, at least annually, the organizational independence of Internal Audit’s activity.
Internal auditors should have an impartial, unbiased mental attitude and avoid actual or perceived conflicts of interest. Therefore:
• Team members are not to subordinate their judgment to others.
• Internal Audit team members must perform their work such that they honestly believe in the results of their work and no significant quality compromises have been made.
• Internal Audit team member assignments should be made to avoid potential and actual conflicts of interest and bias.
• Any conflict of interest or bias, which may develop during the year, should be reported to the VP & Director, so team member assignments may be reassigned, or appropriate disclosure made to parties involved.
• Team members must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an Internal Auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.
• If staff are transferred from operating departments to Internal Audit, the individual Internal Audit team member should not be assigned to audit/review those activities over which they had some control within the previous year, or until such time as objectivity no longer appears to be impaired. Assignments are ultimately at the discretion of the Director/VP.
• Engagements reviewing functions for which the VP of Internal Audit has responsibility should be overseen by a party outside the Internal Audit Department.
• If Internal Audit team members have potential impairments to independence or objectivity relating to proposed services, disclosure must be made to the engagement colleagues prior to accepting the engagement.
• Internal Audit team members may provide consulting activities relating to operations for which they had previous responsibilities.
• The results of the Internal Audit team member’s work are reviewed before release of the report. The purpose of this review is for accuracy, consistency, quality, and objectivity in compliance with the professional standards.
If independence or objectivity is impaired in fact or appearance, the details of the impairment will be disclosed to the Director and VP of Internal Audit. The nature of the disclosure will depend upon the impairment.


7. RESPONSIBILITY
The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of VUMC’s governance, risk management, and internal controls. The scope also includes an evaluation of the quality of performance in carrying out assigned responsibilities to achieve the organization’s stated goals and objectives. This includes:
• Identifying and evaluating risk exposure relating to achievement of VUMC’s strategic objectives.
• Assessing the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
• Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the organization.
• Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
• Evaluating the effectiveness and efficiency with which resources are employed.
• Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as designed.
• Monitoring and evaluating governance processes.
• Assisting management with establishing VUMC’s risk management processes and monitoring and evaluating the effectiveness of VUMC’s risk management processes in the future.
• Considering VUMC’s external audit firm’s scope of work and the work of regulators and the degree of coordination with Internal Audit’s work plan.
• Performing consulting services related to governance, risk management and control as appropriate for VUMC. Examples include facilitation, process design, review of policies and procedures, and training.
• Reporting periodically on Internal Audit’s purpose, authority, responsibility, and performance relative to its plan.
• Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the Audit & Compliance Committee.
• Evaluating specific operations at the request of the Audit & Compliance Committee or management, as appropriate.
• Evaluating and assessing significant joint venture/acquisition activities and new or changing services, information systems, processes, and operations, coincident with their development, implementation, or expansion.
• Assisting in the investigation of significant suspected fraudulent activities or wrong-doing within VUMC or its joint ventures.
• Performing follow-up inquiries and testing, as applicable, on management Action Plans included in audit reports.


8. INTERNAL AUDIT RISK ASSESSMENT & AGILE AUDIT PLAN DEVELOPMENT PROCESS
The VUMC Office of Internal Audit develops a risk-based audit plan that is designed to add value to the organization and its stakeholders by considering the organization’s strategies, objectives, and risks. The risk-based audit plan also establishes an objective method for the department to provide both assurance and advisory services.
To develop a risk-based audit plan, risk assessment discussion meetings are held throughout the year with Senior Management and other key stakeholders. Risk assessment meetings are held to obtain an understanding of the organization’s strategies, key business objectives, risks, and risk management processes. Meetings are facilitated by members of Internal Audit, including but not limited to the VP of Internal Audit, Director of Internal Audit, Director of Information Technology Audit, and the Supervising Senior Internal Auditors.
As part of developing the risk-based audit plan, the Internal Audit leadership team links critical risks to specific objectives and business processes to organize and prioritize engagements. The Internal Audit leadership team uses a risk-factor approach to consider risks both internal and external to VUMC. Relevant risk factors include, but are not limited to, the degree of change in risk since the area was last audited, quality of controls, pending regulatory or legal changes, turnover, changes in people, processes or technology, and political and economic factors. Finally, the Audit Plan considers requests made by the Audit & Compliance Committee and Senior Management.
As part of the risk assessment process, VUMC Office of Internal Audit also considers the four risk assessment principles that are part of the Committee of Sponsoring Organizations (COSO) Internal Control – Integrated Framework Principles:
• The internal audit activity specifies objectives with enough clarity to enable the identification and assessment of risks relating to organizational objectives.
• The internal audit activity identifies risks to the achievement of leadership’s objectives across the entity.
• The internal audit activity considers the potential for fraud in assessing risks to the achievement of the organization’s objectives.
• The internal audit activity identifies and assesses changes that could significantly affect the organization’s internal controls.
For Information Technology reviews, the VUMC Office of Internal Audit also considers the HITRUST framework, as VUMC IT has adopted HITRUST as their control framework.
As part of the audit risk assessment process, VUMC Office of Internal Audit considers the work of internal and external providers of assurance to the organization by conducting risk assessment meetings with leaders in each area that provides assurance to the organization. Stakeholders that provide assurance and are part of the risk assessment may include the following:
• VUMC Risk and Insurance Management
• VUMC Office of Legal Affairs
• VUMC Information and Privacy Office
• Vanderbilt Quality, Safety & Risk Prevention
• VUMC Enterprise Cybersecurity (VEC)
• VUMC Office of Compliance & Corporate Integrity
• Vanderbilt Environmental Health and Safety (VEHS)
• VUMC Finance, which deals directly with the external auditors and external consultants for Finance & Revenue Cycle
• Other external audit and consulting groups or firms
In considering the work of other organizations or groups during the risk assessment, VUMC Office of Internal Audit may consider the following criteria:
• The organization or group’s mission and vision statements.
• Competency and experience of the organization or group.
• Whether the organization or provider has, or may appear to have, any conflicts of interest.
• Objectivity and due professional care exercised by the organization or group.
• Historical interaction of the organization or group with VUMC.
• Scope and timing of the organization or group’s work.
• Findings or deliverables prepared and reported by the organization or group.
Ultimately, even when reliance is placed on the work of others, per the Standards, the VP of Internal Audit is still accountable and responsible for ensuring adequate support for conclusions and opinions reached by the VUMC Office of Internal Audit.
Finally, the VP of Internal Audit is actively engaged with the VP of Risk Management, who has direct responsibility for administering VUMC’s Enterprise Risk Management (ERM) Program. The VP meets with ERM leaders to advise and review deliverables prior to presentation to the leadership team and the Audit & Compliance Committee of the Board of Directors. Audit Plan engagements are mapped to ERM program risks, wherever applicable, to demonstrate an additional layer of coverage.


9. INTERNAL AUDIT PLAN
At least annually and utilizing the Risk Assessment methodology described above, the VP of Internal Audit will submit the Internal Audit Plan to Senior Management for review and to the Audit & Compliance Committee for review and approval. The Internal Audit Plan will consist of a work schedule as well as budget and resource requirements for the next fiscal year. The Internal Audit Competency Matrix assessment of staff’s skills and competencies will also be utilized to match resources to planned audits. The competency matrix is updated and reviewed annually. The VP of Internal Audit will communicate the impact of any resource or skill set limitations and significant interim changes to Senior Management and the Audit & Compliance Committee. Changes to the Internal Audit Plan will be made in “real-time” at the discretion of the VP of Internal Audit based upon the risk assessment considerations described above. The VP will present changes to the Audit Plan for review and approval at Audit & Compliance Committee meetings.
The Internal Audit Plan will be developed utilizing a risk-based methodology, including input of Senior Management and the Audit & Compliance Committee. The VP of Internal Audit will review and adjust the Audit Plan regularly, in response to changes in VUMC’s business, risks, operations, programs, systems, and controls. All changes to the Audit Plan will be summarized and communicated to Senior Management and the Audit & Compliance Committee through periodic activity reports.


10. REPORTING AND MONITORING
A written report will be prepared and issued by Internal Audit following the conclusion of each internal audit assurance engagement and will be distributed as appropriate. The results of advisory engagements are documented in a written report/memo. Advisory engagements may not result in management action plans; however, the results of advisory engagements that require management action plans will be tracked and are accessible to Internal Audit Management Action Plan (MAP) Liaisons. The VP of Internal Audit will determine if MAPs will be obtained and/or tracked. A summary of Internal Audit Plan results will be communicated to the Audit & Compliance Committee highlighting key observations and resulting action plans.
The internal audit report will include management’s action plans taken or to be taken in regard to the specific observations. Management's action plans will include a timetable for anticipated completion of action to be taken and the names of the individuals responsible for the completion of the action plans. Internal Audit will provide a summary of MAP statuses to Senior Management and the Audit & Compliance Committee.

Internal Audit will lead efforts for appropriate follow-up on Action Plans detailed in advisory and assurance reports. All Action Plans will remain as open issues until Internal Audit agrees they are effectively closed. In the rare event the VP of Internal Audit concludes that Management has accepted a level of risk that may be unacceptable to the organization, the VP of Internal Audit will discuss the matter with Senior Management. If the VP of Internal Audit determines that the matter regarding the level of risk has not been resolved, the matter will be communicated in writing to the CEO, who will have 30 days to respond in writing to the concerns. If the VP of Internal Audit finds that the written response of the CEO does not appropriately address the matter regarding the level of risk, or that the subsequent actions of Senior Management are not consistent with the written response, the VP will inform the chair of the Audit & Compliance Committee of the Board of Directors (Chair) in writing, copied to the CEO. The Chair will inform the Audit & Compliance Committee of these matters no later than the next regularly scheduled committee meeting.
Internal Audit will generally prepare a written memo summarizing significant consulting activities or investigations involving fraud or wrong-doing or to the extent agreed upon with the VUMC stakeholder. A summary of results from consulting activities/investigations will be communicated to the General Counsel, the CEO, and the Audit & Compliance Committee.
The VP of Internal Audit will periodically report to Senior Management and the Audit & Compliance Committee on Internal Audit’s purpose, authority, and responsibility, as well as performance relative to its plan. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by Senior Management and the Audit & Compliance Committee.


11. QUALITY ASSURANCE AND IMPROVEMENT PROGRAM
Internal Audit will strive to maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program will include an evaluation of Internal Audit’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal team members apply the Code of Ethics. The program will assess the efficiency and effectiveness of the Internal Audit function and will identify opportunities for improvement.

The VP of Internal Audit will communicate to Senior Management and the Audit & Compliance Committee on Internal Audit’s quality assurance and improvement program, including results of ongoing internal assessments, and will strive to conduct external assessments every five years.

APPROVED: 04/09/2024 Audit & Compliance Committee of the Board of Directors Meeting

Attachment A – Institute of Internal Auditors (IIA) Definition of Internal Auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Attachment B – Institute of Internal Auditors (IIA) Code of Ethics
Principles
Internal auditors are expected to apply and uphold the following principles:
1. Integrity: The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
2. Objectivity: Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
3. Confidentiality: Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
4. Competency: Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.
Rules of Conduct
1. Integrity
Internal auditors:
1.1. Shall perform their work with honesty, diligence, and responsibility.
1.2. Shall observe the law and make disclosures expected by the law and the profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.
1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

2. Objectivity
Internal auditors:
2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.
2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.
2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.
3. Confidentiality
Internal auditors:
3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.
3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.
4. Competency
Internal auditors:
4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.
4.2. Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing (Standards).
4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.
