Audit and Compliance Services Charter
Virginia Commonwealth University (university) and VCU Health System Authority (health system) maintain comprehensive and effective internal audit and compliance programs. The objective of Audit and Compliance Services (“department”) is to assist members of the Board of Visitors, Board of Directors, and management in the effective performance of their responsibilities. The department fulfills this objective by providing independent and impartial examinations, investigations, evaluations, counsel, and recommendations for the areas and activities reviewed.
Scope of Work
The scope of the department’s work is to determine whether the university’s and health system’s risk management, internal control, governance, and compliance processes, as designed and represented by management, are adequate and functioning in a manner to provide reasonable assurance that:
- Risks are appropriately identified and managed.
- Control processes are adequate and functioning as intended.
- Significant, financial, managerial, and operating information is accurate, reliable, and timely.
- An effective university compliance program is maintained to provide guidance and resources, in an oversight role, for all educational, research, and athletic compliance programs to optimize ethical and compliant behavior.
- An effective health system compliance program is implemented to further the health system’s mission, vision, and values by promoting a culture of compliance, and preventing, correcting, and investigating issues through education, monitoring, and enforcement.
- An effective program of information technology (IT) management and security is maintained by management to ensure health system and university IT and data assets are properly secured, integrity protected, available as needed and kept confidential as required by applicable policies laws and regulations.
- Employees’ actions are in compliance with the respective codes of conduct, policies, standards, procedures, and applicable laws and regulations.
- Resources are used efficiently and are adequately protected.
- Program plans and objectives are achieved.
- Significant legislative and regulatory issues impacting the university and health system are recognized and appropriately addressed.
Opportunities for improving management controls, accountability, fiscal performance and compliance processes, and for protecting organizational reputation will be addressed with the appropriate level of management when identified.
The Executive Director of Audit and Compliance Services shall be accountable to the Board of Visitors, through the Audit, Integrity, and Compliance Committee, and the Board of Directors, through the Audit and Compliance Committee, to maintain comprehensive and professional internal audit and compliance programs. In fulfilling those responsibilities, the Executive Director will:
- Establish annual goals and objectives for the department, and report periodically on the status of those efforts.
- Execute the annual work plans and initiatives.
- Coordinate efforts with other control and monitoring functions (risk management, financial officers, campus police, university counsel and health system general counsel, external auditors, government reviewers, etc.).
- Report significant issues related to the department’s scope of work, including potential improvements, and continue to provide information about those issues through resolution.
- Provide updates to the respective board committees, the university president, and the chief executive officer of the health system on the status of the work plans and initiatives, qualifications of staff, and sufficiency of department resources.
Independence and Objectivity
All work will be conducted in an objective and independent manner. Staff will maintain an impartial attitude in selecting and evaluating information and in reporting results. Independence in fact and appearance enables unbiased judgments that are essential to the proper conduct of the department’s scope of work.
To provide an appropriate reporting structure to support independence, the Executive Director shall report to the Audit, Integrity, and Compliance Committee of the Board of Visitors and to the Audit and Compliance Committee of the Board of Directors. The Executive Director shall report administratively to the university’s President.
The department will assist the Board of Visitors, Board of Directors, and management by:
- Maintaining a professional staff with sufficient knowledge, skills, and experience to fulfill the requirements of this charter.
- Developing and executing annual and long-range risk-based work plans and initiatives. The plans and initiatives will be submitted to management for review and comment and to the respective board committee for approval. The department recognizes that one of the primary benefits of these programs is the ability to respond to issues that arise during the normal course of business. Accordingly, the annual plans shall include time for management requests and special projects.
- Participating in an advisory capacity in the planning, development, implementation, or change of significant compliance and control processes or systems. The Executive Director shall ensure that the level of participation in these projects does not affect the department’s responsibility for future evaluation of evaluating these processes or systems nor compromise its independence.
- Conducting or assisting in the investigation of any suspected fraudulent activities, misconduct, or non-compliance issues, and notifying management and the respective board committees of the results.
- Issuing periodic reports to management and the respective board committees summarizing the results of the department’s activities.
- Considering the scope of work of the external auditors, as appropriate, to provide optimal audit coverage to the university and health system at a reasonable overall cost.
- Reporting at least annually to the Board of Visitors, Board of Directors, and senior management on the department’s purpose, authority, responsibility, and performance relative to its plans and initiatives, and on its conformance to standards and best practices. Reporting should also include significant risk exposures and control issues, corporate governance issues, serious misconduct or non-compliance, and other matters needed or requested by the Board and senior management.
The department and its staff are authorized to:
- Have unrestricted access to all activities, records, property, and personnel. Receive cooperation from all university and health system personnel and affiliates.
- Have full access to the respective board committee.
- Allocate departmental resources, set audit and review frequencies, determine scopes of work, and apply the techniques necessary to accomplish objectives.
- Obtain the necessary assistance of personnel in departments when performing work plans and initiatives, as well as that of other specialists.
The department and its staff are not authorized to:
- Perform operational duties in interim status, or otherwise, unless authorized in advance by the respective board committee.
- Initiate or approve accounting transactions external to the department.
Standards of Practice
The department will conduct its scope of work in accordance with requirements and best practices as established by relevant authoritative and objective sources from industry and government.
For internal audit functions, this includes both mandatory and recommended guidance from the Institute of Internal Auditors International Professional Practices Framework. The mandatory guidance requires our department to conform with the Core Principles for the Professional Practice of Internal Auditing, Definition of Internal Auditing, Code of Ethics, and International Standards for the Professional Practice of Internal Auditing (Standards). Internal auditing is an independent, objective assurance, and consulting activity designed to add value and improve an organization’s operations. Our department will help the university and health system accomplish its objectives by bringing a systematic, disciplined, and risk-based approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
For maintaining effective compliance programs, standards of practice are driven by the guidance provided in Chapter 8 of the Federal Sentencing Guidelines as promulgated by the US Sentencing Commission. The main focus of an effective program is to prevent and detect misconduct, remedy harm when identified, self-report where applicable, and maintain due diligence in promoting an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
For the health system compliance program, guidance by the Health Care Compliance Association is also included. This organization sets the standard for professional values and ethics in the health care compliance field.
Quality Assurance and Improvement Program
The department will maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. This program will be designed to:
- evaluate internal audit’s conformance with the Standards and application of the Code of Ethics;
- assess the efficiency and effectiveness of the department; and
- identify opportunities for improvement.
The quality program includes both internal and external assessments. Internal assessments will include ongoing monitoring and periodic assessments of internal audit activity. An external assessment will be performed at least once every five years by qualified individuals who are independent of the internal audit function.