Introduction: The Office of Internal Audit (Internal Audit) performs independent and objective assurance and consulting activities that are guided by a philosophy of adding value to improve the operations of the Virginia Department of Health (VDH). Internal Audit assists VDH in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s governance, risk management, and internal control.
Role: Internal Audit assists the Board of Health, State Health Commissioner, and all levels of management in achieving the agency’s mission and objectives by providing independent analyses, appraisals, counsel, recommendations, and information concerning office and district operations. More specifically, Internal Audit’s role includes:
- Appraising the efficiency and effectiveness of operations.
- Evaluating sufficiency of and adherence to agency policies and procedures, and compliance with Federal and State laws and regulations.
- Assessing the adequacy, effectiveness, and application of administrative and financial internal controls for safeguarding agency assets and ensuring the reliability of information and data.
- Performing special investigations at the request of agency management, as well as investigations of Fraud, Waste, and Abuse hotline allegations referred to VDH by the Office of the State Inspector General (OSIG).
- Consulting with management and staff during the development or updating of policies, procedures, or systems including the VDH Information Security program.
- Coordinating activities with the Auditor of Public Accounts (APA) and other outside reviewers, and monitoring the status of agency corrective action plans to resolve findings noted by the APA and other outside reviewers.
- Coordinating activities with the Agency Risk Management and Internal Controls (ARMICS) review.
Internal Audit’s efforts are primarily preventive in nature, and our focus is to provide accurate, reliable, and cost-effective information and solutions to mitigate business risks. By impartially reviewing current operations and recommending actions to influence future results, potential problems can be identified and resolved before they occur or become a material weakness.
Professionalism: Internal Audit will govern itself by adherence to The Institute of Internal Auditors’ mandatory guidance including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the Internal Audit’s performance.
In addition, Internal Audit will adhere to relevant VDH policies and procedures, and the Internal Audit standard operating procedures manual.
Authority: Internal Audit, with strict accountability for confidentiality and safeguarding records and information, is granted full, free, and unrestricted access to any and all VDH records, physical properties, and personnel pertinent to carrying out any engagement. All VDH employees are requested to assist Internal Audit in fulfilling its roles and responsibilities.
Organization: The Internal Audit Director will report directly to the State Health Commissioner. The Commissioner has also established an Audit and Risk Steering Committee (Audit Committee) made up of several VDH Office Directors, Deputy Commissioners, and Performance Improvement staff to provide the Commissioner and the Internal Audit Director input regarding internal audit, external audit, agency risk management and internal controls, and the agency’s ethics program activities. The Audit Committee will generally meet on a quarterly basis.
Independence and Objectivity: All Internal Audit activities shall remain free of influence by any element in the organization, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude.
Internal Audit staff will have no direct operational responsibility or authority over any activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair an internal auditor’s judgment.
Internal Audit staff will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors will make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
The Internal Audit Director will confirm to the State Health Commissioner and Audit Committee, at least annually, the organizational independence of Internal Audit.
Responsibility: The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the organization’s governance, risk management, and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve the organization’s stated goals and objectives. This includes:
- Evaluating risk exposure relating to achievement of the organization’s strategic objectives.
- Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
- Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the organization.
- Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
- Evaluating the effectiveness and efficiency with which resources are employed.
- Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
- Monitoring and evaluating governance processes.
- Monitoring and evaluating the effectiveness of the organization’s risk management processes.
- Evaluating the quality of performance of external auditors and the degree of coordination with internal audit.
- Performing consulting and advisory services related to governance, risk management and control as appropriate for the organization.
- Reporting periodically on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan.
- Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the Commissioner.
- Evaluating specific operations at the request of the Commissioner or management, as appropriate.
Internal Audit Plan: At least annually, the Internal Audit Director will submit to the State Health Commissioner an internal audit plan for review and approval. The Internal Audit Director will communicate the Internal Audit annual audit plan and resource requirements, impact of resource limitations, and any significant interim changes to the State Health Commissioner and Audit Committee.
The internal audit plan will be developed based on a prioritization of the audit universe using a risk-based methodology, including input from agency office managers, Deputy Commissioners, and the State Health Commissioner. The Internal Audit Director will review and adjust the plan, as necessary, in response to changes in the agency’s business, risks, operations, programs, systems, and controls. Any significant deviations from the approved internal audit plan will be communicated to the State Health Commissioner and Audit Committee through periodic activity reports.
Reporting and Monitoring: A written report will be prepared and issued by the Internal Audit Director or designee following the conclusion of each internal audit engagement and will be distributed as appropriate.
The internal audit report will include management’s response and corrective action taken or to be taken in regard to the specific findings and recommendations. Management’s response should include a timetable for anticipated completion of action to be taken and the person responsible for completing the action, or an explanation for any corrective actions that will not be implemented.
Internal Audit will be responsible for appropriate follow-up on engagement findings and recommendations. All significant findings will remain open issues until cleared by the Internal Audit Director.
The Internal Audit Director will periodically report to the State Health Commissioner and Audit Committee on the Internal Audit’s purpose, authority, and responsibility, as well as performance relative to its annual audit plan. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the State Health Commissioner and Audit Committee.
Quality Assurance and Improvement Program: Internal Audit will maintain a quality assurance and improvement program. The program will include an evaluation of Internal Audit’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program will also assess the efficiency and effectiveness of Internal Audit and identify opportunities for improvement.
The Internal Audit Director will communicate to the State Health Commissioner and the Audit Committee the quality assurance and improvement program results for ongoing internal assessments and external assessments conducted at least every five years.
Approved by:
Dr Karen Shelton, MD, State Health Commissioner
Tasha M. Owens, MBA, CGAP, Director of Internal Audit
Approved and Reviewed by the Commissioner’s Audit and Risk Steering Committee on June 28, 2023