Charter INTRODUCTION Internal Auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of the N.C. Department of Public Safety (hereafter referred to as the Department). It assists the Department in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization's governance, risk management, and internal control. DEFINITIONS OF ASSURANCE AND CONSULTING SERVICESAssurance: An objective examination of evidence for providing an independent assessment on governance, risk management, and control processes for the organization. Examples include financial, operational, compliance, system security, and due diligence engagements. Consulting: Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training. MISSION/ROLE The internal audit activity is established within the Department to provide departmental management and staff with information and support necessary to effectively fulfill their responsibilities and to assist in promoting the department’s mission of prevention, protection and preparation. The mission of Internal Audit is to add value by providing independent, objective and risk-based assurance and consulting appraisals within the Department. Internal Audit will assist all levels of departmental management in the effective discharge of their responsibilities by furnishing them with analyses, recommendations, counsel, and information concerning the activities reviewed, and by promoting effective internal controls. The internal audit activity is established by General Statute Chapter 143, Article 79. The internal audit activity’s responsibilities are defined by these laws. The Council of Internal Auditing has authority to set policy related to the internal audit function. PROFESSIONALISM STANDARDS The internal audit activity will govern itself by adherence to The Institute of Internal Auditors’(IIA) Mandatory Guidance, which includes the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing. The IIA’s Mandatory Guidance constitutes the fundamental requirements for the professional practice of internal auditing and the principles against which to evaluate the effectiveness of the internal audit activity’s performance. The Institute of Internal Auditors' Practice Advisories, Practice Guides, and Position Papers will also be adhered to as applicable to guide operations. In addition, the internal audit activity will adhere to the Department’s relevant policies and procedures and the internal audit activity's standard operating procedures manual. The North Carolina Internal Audit Act, General Statute § 143-746(b) mandates all internal audit functions comply with the current standards for the professional practice of internal auditing. AUTHORITY DPS Internal Audit, with strict accountability for confidentiality and safeguarding records and information, is authorized full, free, and unrestricted access to any and all of the Department’s records, physical properties, and personnel pertinent to carrying out any engagement. This authority shall include all Type II transfers pursuant to NCGS 143A-6(b) such as the State Bureau of Investigation (SBI), ABC Commission, Boxing and Combat Sports Commission and the Criminal Justice Information Network (CJIN). All employees are requested to assist DPS Internal Audit in fulfilling its roles and responsibilities. DPS Internal Audit will also have free and unrestricted access to the Secretary of the N.C. Department of Public Safety (hereafter referred to as the Secretary). ORGANIZATION The DPS Internal Audit Director will serve as the Chief Audit Executive and will report functionally and administratively (i.e., day to day operations) to the Department of Public Safety’s Chief Deputy Secretary for Administration (hereafter referred to as the Chief Deputy Secretary). The Chief Deputy Secretary for Administration will Approve the internal audit charter. Approve the risk-based internal audit plan. Approve the internal audit budget and resource plan. Receive communications from the Internal Audit Director on the internal audit activity’s performance relative to its plan and other matters. Make appropriate inquiries of management and the Internal Audit Director to determine whether there is inappropriate scope or resource limitations. The Internal Audit Director will communicate and interact directly with the Chief Deputy Secretary, including in executive sessions and between meetings as appropriate. INDEPENDENCE AND OBJECTIVITY The internal audit activity will remain free from interference by any element in the organization, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude. Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair internal auditor’s judgment. Internal auditors will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors will make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments. The Internal Audit Director will confirm to Senior Management, at least annually, the organizational independence of DPS Internal Audit. RESPONSIBILITY The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the organization's governance, risk management, and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve the organization’s stated goals and objectives. This includes: Evaluating risk exposure relating to achievement of the organization’s strategic objectives. Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information. Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the organization. Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets. Evaluating the effectiveness and efficiency with which resources are employed. Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned. Monitoring and evaluating governance processes. Monitoring and evaluating the effectiveness of the organization's risk management processes. Performing consulting and advisory services related to governance, risk management and control as appropriate for the organization. Evaluating specific operations at the request of management, as appropriate. INTERNAL AUDIT PLAN At least annually, the Internal Audit Director will submit to senior management an internal audit plan for review and approval for the next fiscal/calendar year. The Internal Audit Director will communicate the impact of resource limitations and significant interim changes. The internal audit plan will be developed based on a prioritization of the audit universe using a risk-based methodology, including input of senior management. The Internal Audit Director will review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls. Any significant deviation from the approved internal audit plan will be communicated to senior management. REPORTING A written report will be prepared and issued by the Internal Audit Director or designee following the conclusion of each internal audit engagement and will be distributed as appropriate. All internal audit results will be distributed to the appropriate parties, to include Secretary and Chief Deputy Secretary. The internal audit report may include management’s response and corrective action taken or to be taken in regard to the specific findings and recommendations. Management's response, whether included within the original audit report or provided thereafter by management of the audited area should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented. The internal audit activity will be responsible for appropriate follow-up on engagement findings and recommendations. All significant findings will remain in an open issues file until cleared. The Internal Audit Director will periodically report to senior management on the internal audit activity’s purpose, authority, and responsibility, as well as performance relative to its plan. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management. QUALITY ASSURANCE AND IMPROVEMENT PROGRAM The internal audit activity will maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program will include an evaluation of the internal audit activity’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement. The Internal Audit Director will communicate to senior management on the internal audit activity’s quality assurance and improvement program, including results of ongoing internal assessments and external assessments conducted at least every five years.