Purpose
The purpose of the internal audit function is to strengthen VDH’s ability to create, protect and sustain value by providing the Audit and Risk Steering Committee (Audit Committee) and management with independent, risk-based, and objective assurance, advice, insight and foresight.
The internal audit function enhances VDH’s:
- Successful achievement of its objectives.
- Governance, risk management, and control processes.
- Decision-making and oversight.
- Reputation and credibility with its stakeholders.
- Ability to serve the public interest.
Commitment to Adhering to the Global Internal Audit Standards
The VDH’s internal audit function will adhere to the mandatory elements of The Institute of Internal Auditors’ International Professional Practices Framework, which are the Global Internal Audit Standards and Topical Requirements. The Internal Audit Director will report periodically to the Audit Committee and senior management regarding the internal audit function’s conformance with the Standards, which will be assessed through a quality assurance and improvement program.
Organization
The Internal Audit Director will report directly to the State Health Commissioner. The Commissioner has also established an Audit Committee made up of several VDH Office Directors, Deputy Commissioners, and Performance Improvement staff to provide the Commissioner and the Internal Audit Director input regarding internal audit, external audit, agency risk management and internal controls, and the agency’s ethics program activities. The Audit Committee will generally meet on a periodic basis.
Authority
The VDH’s Audit Committee grants the internal audit function the mandate to provide the Audit Committee and senior management with objective assurance, advice, insight, and foresight.
The internal audit function’s authority is created by its direct reporting relationship to the Audit Committee. Such authority allows for unrestricted access to the Audit Committee.
The Audit Committee authorizes the internal audit function to:
- Have full and unrestricted access to all functions, data, records, information, physical property, and personnel pertinent to carrying out internal audit responsibilities. Internal auditors are accountable for confidentiality and safeguarding records and information.
- Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques, and issue communications to accomplish the function’s objectives.
- Obtain assistance from necessary personnel of VDH and other specialized services from within or outside VDH to complete internal audit services.
Independence, Organizational Position, and Reporting Relationships
The Internal Audit Director will be positioned at a level in the organization that enables internal audit services and responsibilities to be performed without interference from management, thereby establishing the independence of the internal audit function. The Internal Audit Director will report functionally to the Audit Committee and administratively to the State Health Commissioner. This positioning provides the organizational authority and status to bring matters directly to senior management and escalate matters to the Audit Committee, when necessary, without interference and supports the internal auditors’ ability to maintain objectivity.
The Internal Audit Director will confirm to the Audit Committee, at least annually, the organizational independence of the internal audit function. If the governance structure does not support organizational independence, the Internal Audit Director will disclose to the Audit Committee any interference internal auditors encounter related to the scope, performance, or communication of internal audit work and results. The disclosure will include communicating the implications of such interference on the internal audit function’s effectiveness and ability to fulfill its mandate.
Ethics and Professionalism
The Internal Audit Director will ensure that internal auditors:
- Conform with the Global Internal Audit Standards, including the principles of Ethics and Professionalism: integrity, objectivity, competency, due professional care, and confidentiality.
- Understand, respect, meet, and contribute to the legitimate and ethical expectations of the organization and be able to recognize conduct that is contrary to those expectations.
- Encourage and promote an ethics-based culture in the organization.
- Report organizational behavior that is inconsistent with the organization’s ethical expectations, as described in applicable policies and procedures.
Objectivity
The Internal Audit Director will ensure that the internal audit function remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of engagement selection, scope, procedures, frequency, timing, and communication. If the Internal Audit Director determines that objectivity may be impaired in fact or appearance, the details of the impairment will be disclosed to appropriate parties.
Internal auditors will have no direct operational responsibility or authority over any of the activities they review. Accordingly, internal auditors will not implement internal controls, develop procedures, install systems, or engage in other activities that may impair their judgement, including:
- Assessing specific operations for which they had responsibility within the previous year.
- Performing operational duties for VDH or its affiliates.
- Initiating or approving transactions external to the internal audit function.
- Directing activities of any VDH employee who is not employed by the internal audit function, except to the extent that such employees have been appropriately assigned to internal audit teams or to assist internal auditors.
Internal Audit Plan
The internal audit plan will be developed based on prioritization of the audit universe using a risk-based methodology, including input from agency Office Directors, Deputy Commissioners, and the State Health Commissioner. The Internal Audit Director will review and adjust the plan, as necessary, in response to changes in the agency’s business, risks, operations, programs, systems, and controls. Any significant deviations from the approved internal audit plan will be communicated to the State Health Commissioner and Audit Committee through periodic activity reports.
Reporting and Monitoring
A written report will be prepared and issued by the Internal Audit Director or designee following the conclusion of each internal audit engagement and will be distributed as appropriate.
The internal audit report will include management’s response and corrective action taken or to be taken in regard to the specific findings and recommendations. Management’s response should include a timetable for anticipated completion of action to be taken and the position responsible for completing the action, or an explanation for any corrective actions that will not be implemented.
Internal Audit will be responsible for appropriate follow up on engagement findings and recommendations. All significant findings will remain open issues until cleared by the Internal Audit Director.
Scope and Types of Internal Audit Services
The scope of internal audit services covers the entire breadth of the organization, including all of VDH’s activities, assets, and personnel. The scope of internal audit activities also encompasses but is not limited to objective examinations of evidence to provide independent assurance and advisory services to the Audit Committee and management on the adequacy and effectiveness of governance, risk management, and control processes for VDH.
The nature and scope of advisory services may be agreed with the party requesting the service, provided the internal audit function does not assume management responsibility. Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during advisory engagements. The opportunities will be communicated to the appropriate level of management.
Internal audit engagements may include evaluating whether:
- Risks relating to the achievement of VDH’s strategic objectives are appropriately identified and managed.
- The actions of VDH’s officers, directors, management, employees, and contractors comply with VDH’s policies, procedures, and applicable laws, regulations, and governance standards.
- The results of operations and programs are consistent with established goals and objectives.
- Operations and programs are being carried out effectively and efficiently.
- Established processes and systems enable compliance with the policies, procedures, laws, and regulations that could significantly impact VDH.
- The integrity of information and the means used to identify, measure, analyze, classify, and report such information is reliable.
- Resources and assets are acquired economically, used efficiently and sustainably, and protected adequately.
Approved on June 4, 2025 by:
Dr Karen Shelton, MD, State Health Commissioner
Tasha M. Owens, MBA, CGAP, Director of Internal Audit