Home » About Us » IAD Vision, Mission and Charter

IAD Vision, Mission and Charter

PURPOSE

This charter sets forth the authority and responsibility of the Emory Internal Audit Division (IAD), serving Emory University and Emory Healthcare.

DEFINITION OF INTERNAL AUDITING

IAD provides independent, objective assurance and consulting services designed to add value and improve Emory’s operations. IAD enhances and protects organizational value by providing risk-based and objective assurance, advice, and insight. IAD helps Emory accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.

VISION STATEMENT

To be a trusted and essential advisor for Emory’s Board of Trustees and executive leadership and provide valuable business insights that help protect and enhance Emory’s reputation.

MISSION STATEMENT

IAD delivers world-class assurance and advisory services by:

  • Aligning and prioritizing our work efforts to focus on the enterprise’s strategic goals and risk management objectives.
  • Attracting, retaining, and leveraging a talented team by cultivating a culture that empowers employees to be innovative and guides them towards success.
  • Building mutually respectful and trusted relationships with colleagues across our schools, business units and healthcare facilities.
  • Serving as thought leaders and catalysts for continuous improvement by sharing best practices and standards across the enterprise.

STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING

To provide for the independence of the IAD, the Vice President, Chief Audit and Risk Officer reports functionally to the Audit and Compliance Committee of the Emory Board of Trustees, and administratively to the Executive Vice President for Business and Administration and Chief Financial Officer, and to the Senior Vice President and General Counsel. To establish, maintain, and assure that IAD has sufficient authority to fulfill its duties, the Audit and Compliance Committee will:

  • Approve IAD’s charter
  • Approve the risk-based internal audit plan
  • Approve IAD’s budget and resource plan
  • Receive communications from the Vice President, Chief Audit and Risk Officer on IAD’s performance relative to its plan and other matters
  • Review and concur in the appointment, replacement or dismissal of the Vice President, Chief Audit and Risk Officer
  • Make appropriate inquiries of management and the Vice President, Chief Audit and Risk Officer to determine whether there are inappropriate scope or resource limitations.

The Audit and Compliance Committee authorizes IAD to:

  • Have full, free and unrestricted access to all computer data and files, records, physical properties, and personnel pertinent to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information.
  • Make specific reports directly to the President of Emory University and key Emory University and Emory Healthcare Executive Vice Presidents.
  • Have free and unrestricted access to, and communicate and interact directly with, the Audit and Compliance Committee, including private meetings without management present.
  • Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques required to accomplish audit objectives, and issue reports.
  • Obtain assistance from the necessary personnel of Emory, as well as other specialized services from within or outside Emory, in order to complete engagements.

 

INDEPENDENCE AND OBJECTIVITY

The Vice President, Chief Audit and Risk Officer will ensure that IAD remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and report content. If the Vice President, Chief Audit and Risk Officer determines that independence or objectivity may be impaired in fact or appearance, the details of the impairment (i.e., any interference and related implications in determining the scope of internal auditing, performing work, and/or communicating results) will be disclosed to the Audit and Compliance Committee.

IAD personnel will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.

Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, internal auditors will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgment, including:

  • Assessing specific operations for which they had responsibility within the previous year.
  • Performing any operational duties for Emory or its affiliates.
  • Initiating or approving transactions external to IAD.
  • Directing the activities of any Emory employee not employed by IAD, except to the extent that such employees have been appropriately assigned to auditing teams or to otherwise assist internal auditors.

Internal auditors will:

  • Disclose any impairment of independence or objectivity, in fact or appearance, to appropriate parties.
  • Exhibit professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.
  • Make balanced assessments of all available and relevant facts and circumstances.
  • Take necessary precautions to avoid being unduly influenced by their own interests, or by others, in forming judgments.

The Vice President, Chief Audit and Risk Officer will confirm to the Audit and Compliance Committee, at least annually, the organizational independence of IAD.

Where the Vice President, Chief Audit and Risk Officer has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards will be established to limit impairments to independence or objectivity.

SCOPE OF INTERNAL AUDIT ACTIVITIES

The scope of internal audit activities encompasses, but is not limited to, objective examinations of evidence for the purpose of providing independent assessments to management and the Audit and Compliance Committee on the adequacy and effectiveness of governance, risk management, and control processes for Emory. Internal audit assessments include evaluating whether:

  • Risks relating to the achievement of Emory’s strategic objectives are appropriately identified and managed.
  • The actions of Emory’s officers, directors, employees, and contractors are in compliance with Emory’s policies, procedures, and applicable laws, regulations, and governance standards.
  • The results of operations or programs are consistent with established goals and objectives.
  • Operations or programs are being carried out effectively and efficiently.
  • Established processes and systems enable compliance with the policies, procedures, laws, and regulations that could significantly impact Emory.
  • Information and the means used to identify, measure, analyze, classify, and report such information are reliable and have integrity.
  • Resources and assets are acquired economically, used efficiently, and protected adequately.

The Vice President, Chief Audit and Risk Officer will report periodically to senior management and the Audit and Compliance Committee regarding:

  • IAD’s purpose, authority, and responsibility.
  • IAD’s plan and performance relative to its plan.
  • IAD’s conformance with The IIA’s Code of Ethics and Standards, and action plans to address any significant conformance issues.
  • Significant risk exposures and control issues, including fraud risks, governance issues, and other matters requiring theattention of, or requested by, the Audit and Compliance Committee.
  • Results of audit engagements or other activities.
  • Resource requirements.
  • Any management response to risk that may be unacceptable to Emory.

COORDINATION WITH OTHER DEPARTMENTS

The Vice President, Chief Audit and Risk Officer also coordinates activities, where possible, and considers relying upon the work of other internal and external consulting service providers as needed. Specifically, IAD coordinates effort and collaborates with the Emory University Office of Ethics and Compliance, the Emory Healthcare Office of Compliance Programs, and the Emory University Office of the General Counsel. IAD also coordinates efforts and collaborates with the external auditor.

IAD may perform advisory and related client service activities, the nature and scope of which will be agreed with the client, provided IAD does not assume management responsibility.

RESPONSIBILITY

The Vice President, Chief Audit and Risk Officer has the responsibility to:

  • Submit, at least annually, to senior management and the Audit and Compliance Committee a risk-based internal audit plan for review and approval.
  • Communicate to senior management and the Audit and Compliance Committee the impact of resource limitations on the internal audit plan.
  • Review and adjust the internal audit plan, as necessary, in response to changes in Emory’s business, risks, operations, programs, systems, and controls.
  • Communicate to senior management and the Audit and Compliance Committee any significant interim changes to the internal audit plan.
  • Ensure each engagement of the internal audit plan is executed, including the establishment of objectives and scope, the assignment of appropriate and adequately supervised resources, the documentation of work programs and testing results, and the communication of engagement results with applicable conclusions and recommendations to appropriate parties.
  • Periodically provide information on the status and results of the enterprise risk management activities.
  • Follow up on engagement findings and corrective actions, and report periodically to senior management and the Audit and Compliance Committee any corrective actions not effectively implemented.
  • Ensure the principles of integrity, objectivity, confidentiality, and competency are applied and upheld.
  • Ensure IAD collectively possesses or obtains the knowledge, skills, and other competencies needed to meet the requirements of the internal audit charter.
  • Ensure trends and emerging issues that could impact Emory are considered and communicated to senior management and the Audit and Compliance Committee as appropriate.
  • Ensure emerging trends and successful practices in internal auditing are considered.
  • Establish and ensure adherence to policies and procedures designed to guide IAD.
  • Ensure adherence to Emory’s relevant policies and procedures, unless such policies and procedures conflict with the internal audit charter. Any such conflicts will be resolved or otherwise communicated to senior management and the Audit and Compliance Committee.

QUALITY ASSURANCE AND IMPROVEMENT PROGRAM

IAD will maintain a quality assurance and improvement program that covers all aspects of IAD. The program will include an evaluation of IAD’s conformance with the Standards and an evaluation of whether internal auditors apply The IIA’s Code of Ethics. The program will also assess the efficiency and effectiveness of IAD and identify opportunities for improvement. The Vice President, Chief Audit and Risk Officer will communicate to senior management and the Audit and Compliance Committee on IAD’s quality assurance and improvement program, including results of internal assessments (both ongoing and periodic) and external assessments conducted at least once every five years by a qualified, independent assessor or assessment team from outside Emory.

REVISION HISTORY

  • Approved March 24, 2016
  • Amended October 10, 2019
  • Amended June 4, 2020
  • Amended September 14, 2023