The objective of internal audit is to assist the Board of Trustees and all members of management in the effective discharge of their responsibilities by furnishing them with analyses, appraisals, recommendations, and pertinent comments concerning the activities reviewed. Internal auditors are concerned with any phase of business activity in which they may be of service. This involves going beyond the accounting and financial records to obtain a full understanding of the operations under review. The attainment of this overall objective involves, but is not limited to, such activities as:

• Reviewing and appraising the soundness, adequacy, and application of accounting, financial, and other operating controls and promoting effective control at reasonable cost.
• Ascertaining the extent of compliance with established policies, plans, procedures, and regulations.
• Ascertaining the extent to which University, Authority, and their affiliates’ and related parties’ assets are accounted for and safeguarded from losses of all kinds.
• Ascertaining the reliability of management data developed within all entities.
• Appraising the quality of performance in carrying out assigned responsibilities.
• Recommending operating improvements.

It is recognized that the Board of Trustees provides general direction as to the scope of work and the activities to be audited. The Board of Trustees desires that the MUSC Internal Audit Department provide services for all affiliate organizations and related parties of MUSC and MUHA.

The Director of Internal Audit is authorized by the Board of Trustees to direct a broad, comprehensive program of internal audit within the University, the Authority, and the affiliated organizations and related parties. Internal Audit examines and evaluates the adequacy and effectiveness of the systems of management control provided by the University, the Authority, and the affiliates and related parties to direct their activities toward the accomplishment of their missions and objectives in accordance with applicable policies and plans. In accomplishing his activities, the Director of Internal Audit and his representatives are authorized to have full, free, and unrestricted access to all University, Authority, and affiliated organization and related party functions, records, property, and personnel.

The Director of Internal Audit is responsible for:

• Establishing policies for the auditing activity and directing its technical and administrative functions.
• Developing and, after receiving approval by the Board of Trustees, executing a comprehensive audit program for the evaluation of the management controls provided over all entities’ activities.
• Examining the effectiveness of all levels of management in their stewardship of all entities’ resources and their compliance with established policies and procedures.
• Recommending improvement of management controls designed to safeguard resources, promote growth, and ensure compliance with government laws and regulations.
• Reviewing procedures and records for their adequacy to accomplish intended objectives, and appraising policies and plans relating to the activity or function under audit review.
• Authorizing publication of reports on the results of audit examinations, including recommendations for improvement.
• Appraising the adequacy of the action taken by operating management to correct reported deficient conditions; accepting adequate corrective action; continuing reviews with appropriate management personnel on action he considers inadequate until there has been a satisfactory resolution on the matter.
• Conducting special examinations at the request of management, subject to the approval of the Board of Trustees, including the reviews of representations made by persons outside the University.

Internal auditors have no direct responsibility for, nor any authority over, any activities or operations of the organizations they review. The Director of Internal Audit reports directly, and solely, to the Board of Trustees of the Medical University of South Carolina and the Medical University Hospital Authority. The auditors do not develop and install procedures, prepare records or engage in any other activity that would impair their objectivity. However, internal auditors’ objectivity is not adversely affected when they recommend standards of control for systems or when they review procedures before they are implemented. The internal audit review and appraisal does not in any way relieve other persons in the reviewed entities of the responsibilities assigned to them.

The internal auditor may not be regarded as an insurer (guarantor) against the existence of fraud in the reviewed entities. He does have responsibility for ensuring the existence of control systems designed to prevent or deter the forms of fraud generally known to exist. He is responsible for seeking to identify areas of risk where theft or manipulation may be likely to occur. His ventures into all the sectors of the University, the Authority, and affiliated entities and related parties may not excuse him from ensuring the adequacy and effectiveness of controls in financial, accounting, and other areas subject to theft, fraud, or embezzlement. The internal auditor is responsible in all these undertakings for ordinary prudence, for reasonable assurance that fraud does not exist, or that if it does exist he will attempt to detect it.

Internal auditors should report the results of their audit work.

• A signed, written report will be issued within 60 days after the audit examination is completed, if required. Interim reports may be written or oral and may be transmitted formally or informally. However, the final audit report should be written and transmitted formally to appropriate management.
• The internal auditor should discuss conclusions and recommendations at appropriate levels of management before issuing final written reports.
• Reports should be objective, clear, concise, and constructive.
• Reports should present the purpose, scope, and results of the audit; and, where appropriate, reports should contain an expression of the auditor’s opinion.
• Reports may include recommendations for potential improvements and acknowledge satisfactory performance and corrective action.
• The auditee’s views about audit conclusions or recommendations should be stated by the appropriate level of management in a written response sent to the internal auditors within thirty days after receipt of the final draft report. The internal auditors should include these views in their final audit report.
• The Director of Internal Audit or his designee should review the final report draft before issuance. Reports should be distributed to the Board of Trustees for information, management for acceptance and action, external auditors for coordination of audit efforts, and others deemed appropriate.
• The report will remain in draft format until presentation to and acceptance by the Board of Trustees.
• The Director of Internal Audit should submit activity reports to the Board of Trustees in August of each fiscal year. These reports should highlight findings and recommendations for the prior year and should inform the Board of Trustees of any significant deviations from approved audit work schedules and the reasons for them.
• The Director of Internal Audit should submit the Internal Audit Department’s budget to the Finance and Administration Committee, which will present it to the full Board of Trustees, for review and approval each fiscal year. The budget should include funding for all expected operations and salaries.

Internal auditors should determine that corrective action was taken and is achieving the desired results, or that management or the Board of Trustees has assumed the risk of not taking corrective action on reported findings. Ultimately, however, the burden is on management to either correct control deficiencies or accept responsibility for not doing so.