A&AS Program Charter
Internal audit is the independent, objective, and systematic examination and evaluation of an institution’s operations, procedures, systems, and/or compliance with laws, regulations, guidelines, and policies.
2. Purpose –Audit and Advisory Services Program
At OHSU, the A&AS Program is implemented to assist and advise the Board of Directors, the President and Vice Presidents, and all levels of management.
a. Audit Focus Areas
The A&AS Program may examine and evaluate effectiveness in any of OHSU’s operations. There are certain Core Audit Areas that will be evaluated on a regular basis.
3. Audit and Advisory Services Roles and Responsibilities
a. Audit and Advisory Services Program
The A&AS Program will establish audit priorities and plans via the A&AS Committee. The Chief Integrity Officer and A&AS staff are responsible for addressing the priorities and plan by identifying and assessing risks; recommending systems and procedures that intend to manage, reduce, or eliminate those risks; identifying gaps in policies and procedures that are critical to OHSU’s missions; facilitating the economical, efficient, and responsible use of resources entrusted to OHSU; and recommending means for correcting or ameliorating problems or issues of non-compliance that are identified in the audit process.
b. Chief Integrity Officer
The Chief Integrity Officer is responsible for the budget, overall function, and implementation of the A&AS Program. This position makes periodic internal audit reports to the A&AS Committee, the Executive Leadership Team, the Finance & Audit Committee, and the Board of Directors. The Chief Integrity Officer will review and sign all audits and other projects prior to forwarding them to the Client for requested follow-up actions. It the Chief Integrity Officer has a conflict of interest related to a specific project or an area that is the subject of a project, the Director of the OHSU Integrity Office will provide oversight and sign the reports.
c. Director, OHSU Integrity Office
The Director of the OHSU Integrity Office is responsible for assisting the Chief Integrity Officer in guiding the development and function of the A&AS Program. In this capacity, the Director will meet with and advise the Audit Manager and other auditors, participate in reporting to various committees and groups, and review and sign audits and other projects when there may be a conflict of interest or the appearance of such on the part of the Chief Integrity Officer.
d. Audit Manager
The Audit Manager is responsible for the day-to-day operation and management of the A&AS Program and its staff, development and implementation of the audit plan, and staffing of the A&AS Committee.
e. Audit and Advisory Services Committee
The A&AS Committee advises the Chief Integrity Officer concerning the A&AS Program, including budget, audit priorities, and other matters related to A&AS that the Chief Integrity Officer might bring to the A&AS Committee. This committee will determine internal audit priorities on at least an annual basis and will approve the internal audit plan periodically.
f. Audit and Advisory Services Committee Process
The A&AS Committee will meet on a regular basis but no less than quarterly. The Committee may meet more often if it determines there are agenda items needing prompt attention. The A&AS Committee may also conduct business via electronic (i.e., e-mail) means. The group will generate audit priorities on a continuous basis (i.e., a prioritized list of audit areas will be confirmed, amended, or re-prioritized as appropriate). The Committee will receive reports of completed audits, advisory services projects, and investigations and provide advice regarding recommendations and follow-up.
i. Core, supplemental, and follow-up audits determined by the A&AS Committee: The VP responsible for the area being audited or reviewed.
ii. Audits/services performed at the direction of legal counsel: The General Counsel and the attorney directing the audit or service.
iii. Advisory services or investigations not done at the direction of legal counsel: The person requesting the service and the VP and school/unit director responsible for the area being reviewed.
4. Professional Standards
a. Published Standards
The A&AS Program functions in a manner consistent with professional standards established by the Institute of Internal Auditors (IIA). The three documents that define these standards are:
i. The IIA Code of Ethics;
ii. The IIA Standards for the Professional Practice of Internal Auditing; and
iii. The IIA Practice Advisories
The documents may be found on the Institute’s website ( http://www.theiia.org/) . Exhibit B contains these three documents.
All audit activities and auditors shall be free of any conflict of interest or the appearance of conflict of interest related to the area being audited. Auditors must have no direct operational responsibility or authority over the activities, procedures, or systems being audited. In addition, auditors will not be responsible for, nor have been responsible for the development or implementation of policies, procedures, systems, or management of the area being audited at anytime within the 24 months preceding the audit.
If a Client believes that a specific auditor may lack objectivity in performing a project, the concern will be brought to the Chief Integrity Officer and the Director of the OHSU Integrity Office, who will discuss the concerns with the Client and make a final decision regarding the assignment. When conducting internal audits, internal auditors shall be free from interference in determining the scope of projects, performing their work, and communicating results (IIA Standards 1110.A1).
5. Audit Activities, Planning, and Scope
a. Audit Activities
Internal auditors, at the direction of the Chief Integrity Officer, will use accepted internal audit methods and procedures to collect data for analysis. Data will be appropriately analyzed, tabulated (when necessary), and presented to the Chief Integrity Officer in written reports. Auditors will be expected to present suggestions for potential remediation of problems or issues that are identified. The Chief Integrity Officer will share the report with the appropriate Vice President or other executive member as detailed in section 7(a) of this Charter.
b. Audit Planning
The A&AS plan will be approved by the A&AS Committee, implemented by the Chief Integrity Officer, and updated and re-prioritized according to on-going analysis of risk-based information and service requests brought to the Chief Integrity Officer.
c. Audit Scope
Except for audits performed at the direction of counsel, the Chief Integrity Officer, in conjunction with A&AS staff, will determine the scope of each audit on a case-by-case basis. The scope of any services performed at the direction of legal counsel to assist counsel in providing legal advice to the institution, shall be determined by the OHSU attorney who is directing the service.
6. Audit and Advisory Services Program Authority and Access
a. Chief Integrity Officer
The Chief Integrity Officer and those auditors directed by him/her are granted authority to carry out their duties by the President and the Board of Directors. The Chief Integrity Officer and designated auditors are granted complete and unrestricted access to any and all of OHSU’s records, physical properties, employees, students, and other personnel as required for them to discharge their responsibilities. OHSU legal counsel may determine that an audit or other service must be done in order to assist counsel in providing legal advice. In such instances, counsel will advise the Chief Integrity Officer and the Audit Manager that the work will proceed at the advice of counsel and according to the rules of attorney-client privilege.
b. Audit & Advisory Services Committee
The A&AS Committee will be advised of audit results and of the Client’s response to the results. The Committee will determine whether or not a Client’s response to the recommendations of the auditor is complete and adequate. In instances where an auditor and the Client are not able to agree upon the status of recommendations or response, the matter will be referred to the A&AS Committee, which will provide direction for appropriate action.
c. OHSU President
In instances where the Client’s response to the recommendations of the auditor is determined by the A&AS Committee to be insufficient and the Client refuses to modify that response, the matter will be remanded to the OHSU President. The President may enforce the A&AS Committee’s decision as it stands or request that the Committee consider new facts/information that may modify the decision.
d. OHSU Board of Directors
The OHSU Board of Directors has ultimate authority to determine the completeness and adequacy of a Client’s response to the recommendations of the auditor. In instances where a controverted matter is related to legal or regulatory requirement or may result in inaccuracies on OHSU’s financial statements, and disagreement persists, the matter will be taken to the Board of Directors, by the Chief Integrity Officer and/or the Director of the OHSU Integrity Office for a final decision.
a. Operational Structure
The Chief Integrity Officer reports to the Vice President and General Counsel. For the purposes of reporting audit findings and proposing follow-up action, the Chief Integrity Officer will report to the President, Vice Presidents, Integrity Program Oversight Council, Board of Directors Finance and Audit Committee, and A&AS Committee as appropriate.
b. Audit & Advisory Services Committee Membership
The A&AS Committee will include the following members:
· OHSU Vice President and Chief Financial Officer;
· Executive Vice President;
· Associate Director of Finance for Hospitals & Clinics;
· Associate Dean for Finance, School of Medicine;
· Vice Provost – Main Campus;
· Vice Provost – West Campus;
· Representative – OHSU Foundation;
· Representative – OHSUMG;
· Chief Integrity Officer;
· Director of the OHSU Integrity Office;
· Director of Risk Management;
· Representative – OHSU Research Development & Administration;
· Manager, A&AS; and
· OHSU’s Vice President and General Counsel (attending as counsel to the A&AS Committee but not a member of the Committee).
In compliance with published professional standards and Section 4 of this Charter, no auditor or member of the A&AS Committee may be the sole determiner in selecting or rejecting an area for internal audit, determining the scope of the audit, or performing any part of the audit for a school, unit, department, division, function, or other area for which he/she has oversight or other operational responsibility. If any member of the A&AS Committee perceives impairment to independence or objectivity in making an internal audit decision or deliberating about internal audit priorities, he or she shall declare that impairment and recuse himself or herself from that part of the discussion.
During or prior to the conduct of an audit, a member of the A&AS Committee who oversees or has operational responsibility for an area that is the subject of an internal audit may share information about the internal audit with staff and others in that area only as directed by the Audit Manager conducting the audit or the Chief Integrity Officer. Members of the A&AS Committee will maintain a high degree of confidentiality related to areas selected for audit; audit findings, recommendations, and responses; and the deliberations of the Committee. As a general rule, this information may be shared on a need to know basis and as authorized by the Chief Integrity Officer or the Audit Manager. With respect to audits done at the direction of legal counsel, any/all disclosures relating to the audit shall be consistent with and only as directed by counsel.
Other than reports prepared at the direction of legal counsel, written reports produced for all internal audits will be forwarded to the Chief Integrity Officer. The Chief Integrity Officer will review the reports for completeness, responsiveness, independence, objectivity, due professional care, and other IIA performance standards. The reports will then be distributed to the Client. Per national internal auditing standards, the internal auditors will propose methods of corrective action and best practices related to matters within the scope of an audit for management’s consideration; they do not dictate to management. Through the process of conducting an exit conference with the client, agreement should be reached on the facts and a reasonable course of action. This agreement will then be reflected in the final report. The Chief Integrity Officer and/or Audit Manager will work with the Client to determine the types and extent of follow-up actions related to significant audit findings. Summary reports of audit findings, recommendations, and responses will be provided to the A&AS Committee.