7-1940: Internal Audit Charter

Purpose

The purpose of the internal audit function is to strengthen Sacramento County (County)’s ability to create, protect, and sustain value by providing the County Audit Committee (Committee), County Board of Supervisors (Board), and executive management with objective, risk-based, and objective assurance, advice, insight, and foresight.

The internal audit function enhances the County’s:

• Successful achievement of its objectives
• Governance, risk management, and control processes
• Decision-making and oversight
• Reputation and credibility among stakeholders
• Ability to serve the public interest

The County’s internal audit function is effective when:

• Internal auditing is performed by competent professionals in conformance with The Institute of Internal Auditors (IIA)’s Global Internal Audit Standards, which are established in public interest.
• The internal audit function is positioned with access and accountability to the Sacramento County Audit Committee.
• Internal auditors are free from undue influence and committed to making objective assessments.

Authority

The County’s internal audit function mandate is found in:

• Sacramento County Charter Sections 27 and 44 – As it relates to the Director of Finance performing the duties of County Auditor as required by constitution, general law, county charter, and county ordinances.
• Government Code 1236-1238
• Government Code 26881 Government Code 26883
• Government Code 26909
• Sacramento County Code Section 2.61.013
• Resolution 2026-0186 

The internal audit function’s authority is created by the laws and provisions identified above that empower the Director of Finance in the capacity as County Auditor to operate an internal audit function, subject to laws, regulations, and the policy direction of the Board of Supervisors.

To effectively implement the internal audit function, the County of Sacramento adopted Policy #1950, Audit Oversight Policy, which established an Audit Committee to oversee the internal audit function. The Committee’s responsibilities include approving and reviewing the audit charter and risk assessment, approving and overseeing the annual audit plan, and reviewing status and result of audits, among other duties.

The internal audit function has a functional reporting relationship to the Committee. This relationship allows for unrestricted access to the Committee.  

The authorities listed above and the Committee authorize the internal audit function to:

• Have full and unrestricted access to all functions, data, records, information, physical property, and personnel pertinent to carrying out internal audit responsibilities. Internal auditors are accountable for confidentiality and safeguarding records and information.
• Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques, and issue communications to accomplish the function’s objectives.
• Obtain assistance from necessary County personnel and other specialized services to complete internal audit services.

Policy

The County’s internal audit function, per Government Code 1237, must select either standards issued by the Government Accountability Office (Yellow Book) or standards issued by the Institute of Internal Auditors (Red Book).

The Internal Audit function has elected to follow the Institute of Internal Auditors (IIA) standards effective July 1, 2026. The internal audit function will adhere to the mandatory elements of the IIA International Professional Practices Framework, which include the Global Internal Audit Standards and Topical Requirements. In some areas, the internal audit function will need to document how it conforms to IIA standards while adhering to the legal and  regulatory framework that the Internal Audit function operates within as a governmental agency.

The Chief Audit Executive (CAE) will report annually to the Committee regarding the internal audit function’s conformance with the Standards, which will be assessed through a quality assurance and improvement program.  

Independence, Organizational Position, and Reporting Relationships

As required by various statutes within the California Government Code and the County Charter, the Director of Finance (as County Auditor-Controller) is mandated to perform certain accounting, auditing, and financial reporting functions. In addition, the Director of Finance performs additional banking, investing and collection responsibilities as the County Treasurer, Tax Collector, Licensing Official, and Director of Revenue Recovery. Due to the structure, these activities, in themselves, could impair the Internal Audit Unit’s independence and objectivity.

While statutorily the Director of Finance is the County Auditor, the Director may delegate responsibilities as needed to conduct the internal audit duties of the office. This includes responsibilities of the Chief Audit Executive (CAE) under IIA Standards. The individual, if authority is delegated by the Director of Finance, to serve as the CAE will be positioned at a level in the organization that enables internal audit services and responsibilities to be performed without interference, thereby establishing the independence and objectivity of the internal audit function. The CAE will report functionally to the Committee and administratively for day-to-day operations to the Assistant Auditor-Controller and/or Director of Finance. This provides the organizational authority and status to bring matters directly to executive management and escalate matters to the Committee, when necessary, without interference and supports the internal auditors’ ability to maintain objectivity.

The CAE will confirm to the Committee, at least annually, the organizational independence of the internal audit function, while recognizing the legal and regulatory structure. If the governance structure does not support organizational independence, the CAE will document the characteristics of the  governance structure that limit independence and outline any safeguards employed to achieve the principle of independence.

Per the Global Internal Audit Standards, “Independence” is defined as: “The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.”

The CAE will disclose to the Committee any interference that internal auditors encounter related to the scope, performance, or communication of internal audit work and results. The disclosure will include an explanation of the implications of such interference on the internal audit function’s effectiveness and ability to fulfill its mandate.

Changes to the Mandate and Charter

Circumstances may justify a follow-up discussion between the CAE, Director of Finance, the Committee regarding the internal audit mandate or other aspects of the internal audit charter. Such circumstances may include but are not limited to:

• A significant change to the Global Internal Audit Standards.
• A significant reorganization within the County. Significant changes in the CAE, Director of Finance, and the Committee. Significant changes to the County’s strategies, objectives, risk profile, or operating environment.
• New laws or regulations that may affect the nature and/or scope of internal audit services. 

Audit Committee Oversight

To establish, maintain, and ensure that the County’s internal audit function under policy 1950 has sufficient authority to fulfill its duties, the Committee will:

• Discuss with the CAE and executive management the appropriate authority, role, responsibilities, scope, and services (assurance and/or advisory) of the internal audit function.
• Ensure the CAE has unrestricted access to the Committee and communicates and interacts directly with it, including in private meetings, in accordance with laws and/or regulations applicable to public records.  
• Discuss with the CAE and executive management other topics that should be included in the internal audit charter.
• Participate in discussions with the CAE and executive management about the essential conditions, described in the Global Internal Audit Standards, which establish the foundation for an effective internal audit function.
• Approve the internal audit function’s charter, which includes the internal audit mandate and the scope and types of internal audit services.
• Review the internal audit charter with the CAE to consider changes affecting the organization, such as changes in the type, severity, and interdependencies of risks to the organization; and review the internal audit charter annually.
• Approve the risk-based internal audit plan.
• Receive communications from the CAE about the internal audit function, including its performance relative to its plan.
• Ensure a quality assurance and improvement program has been established and review the results annually. Make appropriate inquiries of executive management and the CAE to determine whether scope or resource limitations are appropriate. 

Administrative Oversight

• The Director of Finance and the Assistant Auditor-Controller are responsible for submitting the internal audit function’s budget and review, supporting internal audit personnel, and reviewing and approving the internal audit function’s expenses.
• Selecting, delegating authority, evaluating performance, and, if necessary, removing the CAE, ensuring adequate competencies and qualifications and conformance with the Global Internal Audit Standards.
• Supervising the CAE and the internal audit’s day-to-day operations.

CAE Roles and Responsibilities

Ethics and Professionalism
The CAE will ensure that internal auditors:

• Conform to the Global Internal Audit Standards, including the principles of Ethics and Professionalism: integrity, objectivity, competency, due professional care, and confidentiality.
• Understand, respect, meet, and contribute to the legitimate and ethical expectations of the organization, and recognize conduct that is contrary to those expectations.
• Encourage and promote a culture of ethics in the organization. 
• Report to the Assistant Auditor Controller and/or Director of Finance or through established County processes any organizational behavior that is inconsistent with the organization’s ethical expectations, as described in applicable policies and procedures. 

Objectivity

The CAE will ensure that the internal audit function remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of engagement selection, scope, procedures, frequency, timing, and communication. If the CAE determines that objectivity may be impaired, in fact or appearance, the details of the impairment will be disclosed to appropriate parties.

Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively such that they believe in their work product, do not compromise quality, and do not subordinate their judgment on audit matters to others, either in fact or appearance.

Internal auditors will have no direct operational responsibility or authority over any of the activities they review. Accordingly, internal auditors will not implement internal controls, develop procedures, install systems, or engage in other activities that may impair their judgment, including: 

• Assessing specific operations for which they had responsibility within the previous year.
• Performing operational duties for the County or related organizations. Initiating or approving transactions external to the internal audit function.
• Directing the activities of any County employee who is not employed by the internal audit function, except to the extent that such employees have been appropriately assigned to internal audit teams or to assist internal auditors.

Internal auditors will:

• Disclose impairments of independence or objectivity, in fact or appearance, to appropriate parties at least annually, including the CAE, Director of Finance, and the Committee.
• Exhibit professional objectivity in gathering, evaluating, and communicating information.
• Make balanced assessments of all available and relevant facts and circumstances.  
• Take necessary precautions to avoid conflicts of interest, bias, and undue influence.

Managing the Internal Audit Function

The CAE has the responsibilities to:

• At least annually, develop a risk-based internal audit plan that considers the input of the Director of Finance, Committee, and executive management. Discuss the plan with the Director of Finance and Committee, and submit it to the Committee for review and approval.
• Communicate the impact of any resource limitations on the internal audit plan to the Committee .
• Review and adjust the internal audit plan, as necessary, in response to changes in the County’s business, risks, operations, programs, systems, and controls.
• Communicate with the Committee if there are significant interim changes to the internal audit plan.
• Ensure internal audit engagements are performed, documented, and communicated in accordance with the Global Internal Audit Standards and other laws, regulations, or standards.
• Follow up on engagement findings and confirm the implementation of recommendations or action plans and communicate the results of internal audit services to the Committee periodically and for each engagement as appropriate.
• Ensure the internal audit function collectively possesses or obtains the knowledge, skills, and other competencies and qualifications needed to meet the requirements of the Global Internal Audit Standards and fulfill the internal audit mandate.
• Identify and consider trends and emerging issues that could impact the County and communicate these to the Director of Finance, Committee and County Executive as appropriate. Consider emerging trends and successful practices in internal auditing.
• Establish and ensure adherence to methodologies designed to guide the internal audit function.
• Ensure adherence to the County’s relevant policies and procedures unless such policies and procedures conflict with the internal audit charter or the Global Internal Audit Standards. Any such conflicts will be resolved, documented, and communicated to the Committee.
• Coordinate activities and consider relying upon the work of other internal and external providers of assurance and advisory services. If the CAE cannot achieve an appropriate level of coordination, the issue must be communicated to the Director of Finance and, if necessary, escalated to the Committee. 

Communication with the Committee and County Executive

The CAE will report periodically to the Committee and County Executive regarding:

• The internal audit function’s mandate.
• The internal audit plan and its performance.
• The internal audit budget resources. Potential impairments to independence, including relevant disclosures as applicable.
• Results from the quality assurance and improvement program, which include the internal audit function’s conformance with The IIA’s Global Internal Audit Standards and action plans to address the internal audit function’s deficiencies and opportunities for improvement.
• Significant risk exposures and control issues, including fraud risks, governance issues, and other areas of focus for the Committee that could interfere with the achievement of the County’s strategic objectives.
• Results of assurance and advisory services.
• Management’s responses to risks that the internal audit function determines may be unacceptable or the acceptance of a risks beyond the County’s risk appetite.  

Quality Assurance and Improvement Program

The CAE will develop, implement, and maintain a quality assurance and improvement program that covers all aspects of the internal audit function. The program will include external and internal assessments of the internal audit function’s conformance with the Global Internal Audit Standards, as well as performance measurement to assess the internal audit function’s progress toward achieving its objectives and promoting continuous improvement. The program also will assess, if applicable, compliance with laws and/or regulations relevant to internal auditing. Also, if applicable, the assessment will include plans to address the internal audit function’s deficiencies and opportunities for improvement.

Annually, the CAE will communicate with the Committee about the internal audit function’s quality assurance and improvement program, including the results of internal assessments (ongoing monitoring and periodic self-assessments) and external assessments. External assessments will be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the County.

Scope and Types of Internal Audit Services

The scope of internal audit services covers the entire breadth of the organization, including all of the County’s activities, assets, and personnel. The scope of internal audit activities also encompasses, but is not limited to, objective examinations of evidence to provide independent assurance and advisory services to the Director of Finance and Committee on the adequacy and effectiveness of governance, risk management, and control processes for the County. The internal audit activities will include those that are required to be performed by state law, local regulations, agreements or policy. Where resources are available, additional audit services will be performed according the risk assessment and approved annual audit plan.

Advisory services may be agreed upon with the party requesting the service, provided the internal audit function does not assume management responsibility. Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during advisory engagements. These opportunities will be communicated to the appropriate level of management.

Internal audit engagements may include evaluating whether:

• Risks relating to the achievement of the County’s strategic objectives are appropriately identified and managed.
• The actions of the County’s officers, directors, management, employees, and contractors, or other relevant parties comply with the County’s policies, procedures, and applicable laws, regulations, and governance standards.
• The results of operations and programs are consistent with established goals and objectives. Operations and programs are being carried out effectively, efficiently, ethically, and equitably.
• Established processes and systems enable compliance with the policies, procedures, laws, and regulations that could significantly impact the County.
• The integrity of information and the means used to identify, measure, analyze, classify, and report such information are reliable.  

Resources and assets are acquired economically, used efficiently and sustainably, and protected adequately.

Review

Review the Committee’s charter annually, reassess the adequacy of the charter, and recommend any proposed changes. This review shall include any required changes that are necessary as a result of new laws, regulations, or accounting and auditing standards.