The Director of Internal Audit is responsible for:
- Establishing policies for the auditing activity and directing its technical and administrative functions.
- Developing and, after receiving approval by the Board of Trustees, executing a comprehensive audit program for the evaluation of the management controls provided over all entities’ activities.
- Examining the effectiveness of all levels of management in their stewardship of all entities’ resources and their compliance with established policies and procedures.
- Recommending improvement of management controls designed to safeguard resources, promote growth, and ensure compliance with government laws and regulations.
- Reviewing procedures and records for their adequacy to accomplish intended objectives, and appraising policies and plans relating to the activity or function under audit review.
- Authorizing publication of reports on the results of audit examinations, including recommendations for improvement.
- Appraising the adequacy of the action taken by operating management to correct reported deficient conditions; accepting adequate corrective action; continuing reviews with appropriate management personnel on action he considers inadequate until there has been a satisfactory resolution on the matter.
- Conducting special examinations at the request of management, subject to the approval of the Board of Trustees, including the reviews of representations made by persons outside the University.
Internal auditors have no direct responsibility for, nor any authority over, any activities or operations of the organizations they review. The Director of Internal Audit reports directly, and solely, to the Board of Trustees of the Medical University of South Carolina and the Medical University Hospital Authority. The auditors do not develop and install procedures, prepare records or engage in any other activity that would impair their objectivity. However, internal auditors’ objectivity is not adversely affected when they recommend standards of control for systems or when they review procedures before they are implemented. The internal audit review and appraisal does not in any way relieve other persons in the reviewed entities of the responsibilities assigned to them.
The internal auditor may not be regarded as an insurer (guarantor) against the existence of fraud in the reviewed entities. He does have responsibility for ensuring the existence of control systems designed to prevent or deter the forms of fraud generally known to exist. He is responsible for seeking to identify areas of risk where theft or manipulation may be likely to occur. His ventures into all the sectors of the University, the Authority, and affiliated entities and related parties may not excuse him from ensuring the adequacy and effectiveness of controls in financial, accounting, and other areas subject to theft, fraud, or embezzlement. The internal auditor is responsible in all these undertakings for ordinary prudence, for reasonable assurance that fraud does not exist, or that if it does exist he will attempt to detect it.
COMMUNICATING AUDIT RESULTS
Internal auditors should report the results of their audit work.
- A signed, written report will be issued within 60 days after the audit examination is completed, if required. Interim reports may be written or oral and may be transmitted formally or informally. However, the final audit report should be written and transmitted formally to appropriate management.
- The internal auditor should discuss conclusions and recommendations at appropriate levels of management before issuing final written reports.
- Reports should be objective, clear, concise, and constructive.
- Reports should present the purpose, scope, and results of the audit; and, where appropriate, reports should contain an expression of the auditor’s opinion.
- Reports may include recommendations for potential improvements and acknowledge satisfactory performance and corrective action.
- The auditee’s views about audit conclusions or recommendations should be stated by the appropriate level of management in a written response sent to the internal auditors within thirty days after receipt of the final draft report. The internal auditors should include these views in their final audit report.
- The Director of Internal Audit or his designee should review the final report draft before issuance. Reports should be distributed to the Board of Trustees for information, management for acceptance and action, external auditors for coordination of audit efforts, and others deemed appropriate.
- The report will remain in draft format until presentation to and acceptance by the Board of Trustees.
- The Director of Internal Audit should submit activity reports to the Board of Trustees in August of each fiscal year. These reports should highlight findings and recommendations for the prior year and should inform the Board of Trustees of any significant deviations from approved audit work schedules and the reasons for them.
- The Director of Internal Audit should submit the Internal Audit Department’s budget to the Finance and Administration Committee, which will present it to the full Board of Trustees, for review and approval each fiscal year. The budget should include funding for all expected operations and salaries.
FOLLOWING UP AUDITS
Internal auditors should determine that corrective action was taken and is achieving the desired results, or that management or the Board of Trustees has assumed the risk of not taking corrective action on reported findings. Ultimately, however, the burden is on management to either correct control deficiencies or accept responsibility for not doing so.
Revised and approved by the Board of Trustees on October 10, 2003.