
UNIVERSITY OF TEXAS PERMIAN BASIN

OFFICE OF INTERNAL AUDITS

AUDIT MANUAL

Revised March 16, 2009



TABLE OF CONTENTS

A. SCOPE, AUTHORITY, ORGANIZATION AND MISSION
Scope and Authority .......... A-1
Audit Charter .......... A-2
Audit Committee Charter .......... A-3
Organizational Charts .......... A-4
The University of Texas Permian Basin .......... A-4.1
Office of Internal Audits .......... A-4.2
Mission Statement and Goals .......... A-5

B. AUDITING STANDARDS (Institute of Internal Auditors & GAGAS Yellow Book)
IIA Code of Ethics .......... B-1
IIA Professional Practice Framework (PPF) .......... B-2
IIA Standards .......... B-3
Attribute Standards .......... B-3.1
Performance Standards .......... B-3.2
GAGAS Yellow Book Standards .......... B-4

C. AUDIT PROCEDURES
Overview of Audit Procedures Section .......... C-1
Independence Procedure and Statement .......... C-2
Types of Audits and Summary of Audit Process .......... C-3
Internal Control .......... C-4
Risk Assessment .......... C-5
TeamMate Work papers Guide .......... C-6
Flowcharts .......... C-7
Audit Findings .......... C-8
Follow-ups and Significant Findings .......... C-10
Quality Assurance Reviews .......... C-11

D. OFFICE PROCEDURES
Weekly Time and Status Reports .......... D-1
Leave Request Policy .......... D-2
Travel Policy .......... D-3
State Property Policy .......... D-4
Administrative Procedures .......... D-5

E. RULES AND REGULATIONS
Texas Internal Auditing Act (Government Code Section 2102) .......... E-1
Board of Regents Rules and Regulations .......... E-2
UT System Business Procedures Memoranda .......... E-3
Business Procedures Memorandum 18-0204 .......... E-3.1
Business Procedures Memorandum 50-0102 .......... E-3.2
UTPB Handbook of Operating Procedures (H.O.P.) .......... E-4
State Auditor's Office .......... E-5

University of Texas Permian Basin


Office of Internal Audits
Audit Manual Section A

SCOPE, AUTHORITY, ORGANIZATION AND MISSION

SCOPE AND AUTHORITY


The University's Office of Internal Audits, under the purview of the UT System
Audit Office, has been given the authority to conduct internal audits as
established by the Texas Internal Auditing Act.

The First Texas Legislature passed the Texas Internal Auditing Act (Article 62525d,
Vernon's Texas Civil Statutes) effective September 1, 1989, which established
guidelines for a program of internal auditing to assist agency administrators by
furnishing independent analysis, appraisals, and recommendations concerning
the adequacy and effectiveness of an agency's systems of internal control
policies and procedures, and the quality of performance in carrying out assigned
responsibilities. See Section E-1.

The Internal Audit Charter, approved by the University President, states the
purpose, authority, and responsibility for the Office of Internal Audits. The internal
auditor is a vital part of the university and functions in accordance with the
policies established by the President, The University of Texas System
Administration and the Board of Regents. To provide for the independence of the
internal auditing activity, the Director of Internal Audits reports directly to the
President and must be free of all operational and management responsibilities
that would impair his or her ability to independently review all aspects of the
institution (per the Texas Internal Auditing Act, Section 2101, Government Code).
The Director of Internal Audits also has an indirect reporting relationship to The
University of Texas System Director of Audits, who has responsibility for oversight
of the internal auditing activity for the U.T. System and has the reporting
responsibility for all components to the Board of Regents. See Section A-2.

All internal audit activity is to be performed in a manner consistent with the
International Standards for the Professional Practice of Internal Auditing and the
Code of Ethics, as promulgated by the Institute of Internal Auditors, Inc. (IIA).
See Section B-1 for the IIA's Code of Ethics.

AUDIT CHARTER
Introduction
Internal auditing is an independent appraisal function established to examine and
evaluate activities as a service to the Internal Audit Committee, the President,
and senior management of U. T. Permian Basin. The auditors must have a high
degree of independence and not be assigned duties or engage in any activities
that they would normally be expected to review or appraise. Current editions of
Standards for the Professional Practice of Internal Auditing issued by the Institute
of Internal Auditors, College and University Business Administration issued by the
National Association of College and University Business Officers, and the Texas
Internal Auditing Act shall serve as guidelines for the Office's activities.
Internal Audit Office Mission Statement:
Internal Audit provides independent, objective assurance and consulting services
designed to add value and improve UTPB's operations. It helps the university
accomplish its objectives by bringing a systematic, disciplined approach to
evaluating and improving the effectiveness of risk management, control
mechanisms, and operational and governance processes.
Organizational Status
The Office of Internal Audit is a vital part of U.T. Permian Basin management and
functions in accordance with the policies established by the President of The
University of Texas of the Permian Basin, the Internal Audit Committee of The
University of Texas of the Permian Basin, The University of Texas System, The
Board of Regents of The University of Texas, and by the Legislature through the
Texas Internal Auditing Act. The internal auditing services are reported directly to
the President and to the Internal Audit Committee. The University of Texas of the
Permian Basin Internal Audit Committee obtains, reviews and reports to the
President on all institutional audit reports; approves the institutional internal audit
plan; and transmits to the President such instructions as it deems necessary for
the implementation of appropriate internal auditing practices.
Purpose
The Office of Internal Audit is responsible for providing the President and senior
management with information about the adequacy and effectiveness of The
University of Texas of the Permian Basin's system of internal administrative and
accounting controls and the quality of operating performance when compared
with established standards, and for recommending alternatives and modifications
to existing systems and operations to improve overall efficiency and
effectiveness. To accomplish these objectives the Office of Internal Audit is
authorized to have full, free, and unrestricted access to all functions, property,
personnel, and records (including medical and electronic). Although such access
will be unlimited, the Office of Internal Audit shall ensure the safekeeping and
confidentiality of all records and information.
Internal Audit Committee Statement of Responsibility
One of the most significant areas of organizational governance is the audit
committee. These are the major assumptions and processes of that committee:
The single most important finding and the key to audit committee effectiveness is
background information and training. Management and internal auditors are
identified as sources of this information. Special sessions on internal controls and
the impact of their effectiveness on the committee's oversight responsibilities
would acquaint committee members with the control environment. The internal
auditor should report to the committee regularly regarding weaknesses noted in
internal control. To enhance the effectiveness of the meeting, briefing materials
should be supplied to the committee well in advance, and committee members
should take adequate time to review them. State-of-the-art audit committees
meet at least quarterly. The audit committee should review with management
their assessment of the external and internal risks and whether or not the risk
factors are being reasonably addressed. In addition, they should determine how
internal auditing considers these risks when establishing the scope of their
respective audits. The audit committee should advise the Director of Internal
Audit that committee members expect to be advised of any areas requiring their
special attention. The Director of Internal Audit should report the results of the
department's auditing activities to the committee. Under normal circumstances,
summary reporting should be made; however, specific findings and
recommendations related to significant matters should be reported. The audit
committee must be satisfied that internal auditing maintains its independence
and objectivity. The committee should be satisfied that internal auditing is
organizationally independent by ensuring the director reports to an appropriate
executive level within the organization. The committee should be satisfied that
the department's staffing and budget are adequate to enable the department to
effectively perform its responsibilities.
Quality Assurance
The Office of Internal Audit shall establish and maintain a program of quality
assurance designed to evaluate the operations of the department. The purpose of
this program is to provide reasonable assurance that all work performed by the
department conforms to the guidelines under which the department operates.
This program should include training, supervision, and internal and external
reviews. Internal reviews should be performed by members of the department on
a routine basis to appraise the quality of work performed. External reviews of the
department should be performed every three years, as required by the Texas
Internal Auditing Act, by qualified persons who are independent of the Office of
Internal Audit.
Purpose
This procedure shall be reviewed biennially by the Internal Auditor.

AUDIT COMMITTEE CHARTER


The committee is to ensure that: the activities of U. T. Permian Basin comply with the
appropriate Business Procedures Memoranda, the Institute of Internal Auditors'
Standards for the Professional Practice of Internal Auditing, and the Texas Internal
Auditing Act; audit coverage for U. T. Permian Basin adequately encompasses all
aspects of The University's operations and the coverage is not inhibited or limited by
any individual or department; audit activities are responsive to The University's
needs and objectives; and management is aware of internal audit activities, results of
audits, and progress toward implementation of audit recommendations.

Authority
The University of Texas System Administration Policy Library 129, Internal Audit
Activities, authorizes the establishment of an institutional audit committee.
Appendix A, System-wide Internal Audit Charter, states, "Each component
institution will organize and maintain an institutional audit committee."

Role
The University of Texas Permian Basin (UTPB) Audit Committee is an essential
part of the risk management and internal control infrastructure of the institution
and of the UT System. Its primary responsibilities are to assist the President in
the:

- Oversight and direction of the internal auditing activity.
- Oversight of the process to manage business and financial risks.
- Reporting of risk management and audit activity to the UT System, including
  the Audit, Compliance, and Management Review (ACMR) Committee of the Board
  of Regents.
- Oversight of institutional engagements that may be performed by the external
  public accounting firm also conducting the UT System financial audit.
- Awareness of and responsibility for UTPB issues that may arise from the UT
  System financial audit.

Membership
The President shall appoint the members of the Audit Committee. Membership
will be composed of the President, Executive Vice President, other members of
management appointed by the President, and at least one member from outside
the institution. The Chairman will be the President or his/her designee.
Other non-voting members whose sole purpose is to assist the audit committee in
carrying out their responsibilities include the Director of Audit Services (Chief
Audit Executive), Director of Systems Audits or his/her designee, and a
representative of the UT System Office.

Education
Audit Services, the System Audit Office and the System Controller's Office are
responsible for providing Audit Committee members with educational resources
related to accounting principles and procedures, business and financial risk
management, internal auditing standards and best practices and other
information necessary to discharge their responsibilities.

Meetings
The Audit Committee meets four times a year (at least once quarterly), or as
necessary at the request of the President. The meetings should provide for direct
communication between members and the chief audit executive. Discussions and
actions taken by the committee should be documented in the meeting minutes.
A majority of members constitutes a quorum and attendance should be recorded
in the minutes.

Responsibilities
The Audit Committee's specific responsibilities in carrying out its oversight and
reporting roles are delineated in the Audit Committee Responsibilities Checklist.
The responsibilities checklist will be updated annually by the Audit Committee to
reflect changes in regulatory requirements, authoritative guidance, UT System
guidance, and best practices in business and financial risk management. As the
compendium of Audit Committee responsibilities, the most recently updated
responsibilities checklist will be considered an addendum to this charter.

INSTITUTIONAL AUDIT COMMITTEE RESPONSIBILITIES CHECKLIST


GENERAL
1. The committee will perform functions as assigned by the Audit, Compliance, and Management
Review Committee of The University of Texas Board of Regents.

2. The committee shall meet at least four times per year, or as necessary, at the request of the
institution's president.

3. The Chairman of the Institutional Audit Committee in consultation with the Chief Audit
Executive will prepare the agenda for the committee meetings.

4. The Chief Audit Executive will be responsible for maintaining a record of the approved minutes
of Institutional Audit Committee meetings.

5. Annually review the Institutional Audit Committee Charter and assess their performance of the
responsibilities delineated in that charter.

6. Meet privately with the Chief Audit Executive, external public accounting firms, and the State
Auditor's Office at least annually, or as appropriate.

7. Other executive sessions may be appropriate to assess the performance of the internal audit
function.

OVERSIGHT OF FINANCIAL STATEMENT PREPARATION PROCESS


1. Determine that institution management has assumed responsibility for identifying (risk
assessment) and managing (internal controls) the business and financial risks.

2. Oversee the preparation of the institution's financial statements through the review of

a. the closing process used by the institution,

b. the certifications by the President and Financial Reporting Officer,

c. financial and internal controls information provided in internal audit documents,

d. financial and internal control information provided by external public accounting firm
audits,

e. analytical information provided by institution management, internal audit, and/or
external auditors,

f. the methodology used to identify, assess, and manage possibilities for fraud in business
and financial processes, and

g. any off-balance sheet transactions/arrangements that have, or are reasonably likely to
have, a current or future effect on the System's or any of the institution's financial condition, changes in
financial condition, revenues or expenses, results of operations, liquidity, capital expenditures, or capital
resources that is material to users of the financial statements reflecting the economics of such
transactions/arrangements.

OVERSIGHT OF THE INTERNAL AUDITING FUNCTION

1. Approve an Internal Audit Charter that is consistent with the Texas Internal Auditing Act and
the Standards of the Professional Practice of Internal Auditing.

2. Periodically review the Internal Audit Charter to ensure it encompasses any required revisions.

3. Review the risk assessment methodology used to develop the internal audit Annual Work Plan
to ensure that all applicable business and financial risks have been identified.

4. Review the Annual Work Plan to ensure appropriate coverage for risks identified in the risk
assessment, including coverage of significant financial and information systems.

5. Approve the Annual Work Plan and all changes thereto.

6. Review quarterly the status of completion of the Annual Work Plan.

7. Receive the results of all completed internal audit engagements.

8. Receive reports of Confidential Reporting Mechanism activity that relates to internal controls,
financial management, internal auditing, or external auditing.

9. Review all significant recommendations and management action plans to address those
recommendations.

10. Monitor the status of management action plans for significant recommendations.

11. Approve the utilization of Internal Audit resources outside the Annual Work Plan.

12. Review staffing and organization of the internal audit activity for appropriateness in relation to
the institution and its identified risks and make recommendations to the president if necessary.

13. Request an annual self-assessment by the internal audit function and review the results.

14. Ensure that an External Peer Review is performed at least once every three years and review the
results.

15. Provide input to the president on the annual evaluation of the Chief Audit Executive.

16. Provide input to the president on the hiring and dismissal of the Chief Audit Executive.

OVERSIGHT OF EXTERNAL PUBLIC ACCOUNTING FIRMS

1. Monitor the institution's contracting with all external public accounting firms to ensure
compliance with the requirements of UTS 03 Annual Financial Report and the operating rules
of the Audit, Compliance, and Management Review Committee of The University of Texas
Board of Regents.

2. Review the reports of all external public accounting firms contracted by the institution to
perform audits of any institution functions, components, activities, or financial information.

3. Monitor all activity by the State Auditor's Office.


REPORTING TO THE ACMR AND U.T. SYSTEM

The Institutional Audit Committee and the Chief Audit Executive are responsible for providing the
following information to the System Audit Office for use by the Audit, Compliance, and Management
Review Committee in discharging its oversight duties for the U.T. System:

1. Annual Work Plan and changes thereto.

2. Quarterly status of the Annual Work Plan and completed engagements.

3. Confidential Reporting Mechanism activity.

4. Significant recommendations.

5. Status of significant recommendations.

6. Contracts with external public accounting firms.

7. Other matters as requested by the ACMR through the System Audit Office.


ORGANIZATIONAL CHARTS

President's Office Organizational Chart

Internal Audit Office Organizational Chart

University of Texas Permian Basin President, Dr. David Watts
UT System Audit Office
Audit Committee
Director of Internal Audits, Narita Holmes MBA, CPA, CIA
Auditor II, Aaron Munoz CIA, CGAP

MISSION STATEMENT
Internal Audit provides independent, objective assurance and consulting services
designed to add value and improve UTPB's operations. It helps the university
accomplish its objectives by bringing a systematic, disciplined approach to
evaluating and improving the effectiveness of risk management, control
mechanisms, and operational and governance processes.

GOALS
GOAL: Optimize institutional effectiveness and efficiency consistent with high
quality organizational standards.

STRATEGIES
Develop an annual audit plan in accordance with the Texas Internal Audit Act and
UT System guidelines that evaluates and improves the effectiveness of risk
management, control, operational and governance processes.
  - Perform institutional risk assessment to identify high risk areas and
    include those areas in the annual plan.
  - Prepare annual audit plan in accordance with the Act and UT System
    guidelines and executive management needs.
  - Include evaluations of appropriate Presidential initiatives in annual
    audit plan.

Provide management with independent, objective assurance and consulting
services designed to add value and improve University operation.
  - Request operating management input to audit planning process.
  - Provide recommendations based on audit activity and results.
  - Provide consulting and advisory services as requested and approved.
  - Provide risk assessment training to the university community.
  - Provide internal control and control self assessment training as
    identified or requested by management.

Office operation and audit engagements will be performed in accordance with
professional audit standards.
  - Conduct quality assurance reviews in accordance with professional
    auditing standards.
  - Monitor office operations and staff engagement for conformance to
    IIA Standards.
  - Audit staff will prepare a plan that includes long/short term
    professional development and training needs to maintain sufficient
    knowledge, skills, experience, and professional certifications to meet
    the requirements of professional audit standards.

University of Texas Permian Basin
Internal Audit Manual

SECTION B
(Auditing Standards)

CODE OF ETHICS
Note: Our Code of Ethics was closely modeled after that of the IIA as outlined in the Standard.

Internal auditors are expected to apply and uphold the following principles:
Integrity, objectivity, confidentiality and competency.
1. Integrity
Auditors are required to perform their work with honesty, diligence and
responsibility while observing the law. They should not, knowingly, be party to
illegal activities or engage in acts discreditable to the profession of internal
auditing, or the organization.
2. Objectivity
Internal auditors should be objective and shall not participate in activities or
relationships that may impair or be presumed to impair their unbiased
assessment. They shall not accept gifts or anything that may impair or be
presumed to impair their professional judgment and shall disclose all material
facts that if not disclosed, could distort the reporting of activities under review.
3. Confidentiality
Any information gained during the discharge of their duties is confidential and
shall not be disclosed to third parties or used for personal gain; therefore, internal
auditors shall be prudent in the use and protection of information acquired in the
course of their duties.
4. Competency
Internal auditors shall perform auditing services in accordance with the
International Standards for the Professional Practice of Internal Auditing. They
shall perform services for which they have the required knowledge, skills and
experience. Additionally, they shall continually improve their proficiency,
effectiveness and quality of their services.

International Professional Practices Framework


The Institute of Internal Auditors Inc. Florida USA [IIA] is the only international
body dedicated to the professional development of Internal Auditing. The IIA's
International Board of Directors has approved the new International Professional
Practices Framework (IPPF), under the oversight of The IIA's Professional Practices
Council. This Framework was just released in January 2009.

The IPPF 2009 is the only internationally accepted set of standards for the
professional practice of internal auditing, followed globally by all organizations
around the world.

The entire IPPF 2009 is excellently structured and is broadly divided into two
parts:

1. Mandatory Guidance. Performance with the principles set forth in mandatory
guidance is required and essential for the professional practices of internal
auditing. Mandatory guidance is intended to be applicable to both entities and
individuals that perform internal auditing. Mandatory guidance is developed
following an established due diligence process, which includes a period of
public exposure for stakeholder input. Mandatory Guidance comprises:
a. Definition of Internal Auditing
b. Code of Ethics
c. International Standards

2. Strongly Recommended Guidance. Strongly recommended guidance is endorsed by
the IIA through a formal approval process. It describes practices for effective
implementation of the IIA's definition of Internal Auditing, Code of Ethics and
International Standards for the Professional Practice of Internal Auditing
(Standards). Strongly Recommended Guidance comprises:
a. Position Papers
b. Practice Advisories
c. Practice Guides

In order to ensure compliance with the IIA's International Standards for the
Professional Practice of Internal Auditing, our audits are conducted in a manner
consistent with Mandatory and Strongly Recommended Guidance standards
described above.

Additionally, due to the nature of our work and the organizational status of the
Internal Audit Department, auditors hold positions that are highly visible within
the University; therefore, we, the Internal Audit Department, as a whole and as
individuals, are required to conduct ourselves with respect while upholding a high
level of Ethics, Values and Integrity as we provide high quality services to our
customers.

Institute of Internal Auditors Standards
The following is a brief overview of the mandatory standards to be followed by
individuals performing audit services.

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE
OF INTERNAL AUDITING (STANDARDS)
Attribute Standards
1000 Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal
audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief
audit executive must periodically review the internal audit charter and present it to senior management and the
board for approval.
Interpretation:
The internal audit charter is a formal document that defines the internal audit activity's purpose, authority, and
responsibility. The internal audit charter establishes the internal audit activity's position within the organization;
authorizes access to records, personnel, and physical properties relevant to the performance of engagements;
and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the
board.
1000.A1 The nature of assurance services provided to the organization must be defined in the internal audit
charter. If assurances are to be provided to parties outside the organization, the nature of these assurances must
also be defined in the internal audit charter.
1000.C1 The nature of consulting services must be defined in the internal audit charter.
1010 Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the
Internal Audit Charter
The mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the Standards must be
recognized in the internal audit charter. The chief audit executive should discuss the Definition of Internal
Auditing, the Code of Ethics, and the Standards with senior management and the board.
1100 Independence and Objectivity
The internal audit activity must be independent, and internal auditors must be objective in performing their work.
Interpretation:
Independence is the freedom from conditions that threaten the ability of the internal audit activity or the chief
audit executive to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of
independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit
executive has direct and unrestricted access to senior management and the board. This can be achieved through
a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement,
functional, and organizational levels.
Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a
manner that they believe in their work product and that no quality compromises are made. Objectivity requires
that internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be
managed at the individual auditor, engagement, functional, and organizational levels.
1110 Organizational Independence
The chief audit executive must report to a level within the organization that allows the internal audit activity to
fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the
organizational independence of the internal audit activity.
1110.A1 The internal audit activity must be free from interference in determining the scope of internal auditing,
performing work, and communicating results.
1111 Direct Interaction with the Board
The chief audit executive must communicate and interact directly with the board.
1120 Individual Objectivity
Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.
Interpretation:
Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a competing
professional or personal interest. Such competing interests can make it difficult to fulfill his or her duties
impartially. A conflict of interest exists even if no unethical or improper act results. A conflict of interest can
create an appearance of impropriety that can undermine confidence in the internal auditor, the internal audit
activity, and the profession. A conflict of interest could impair an individual's ability to perform his or her duties
and responsibilities objectively.
1130 Impairment to Independence or Objectivity
If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed
to appropriate parties. The nature of the disclosure will depend upon the impairment.
Interpretation:
Impairment to organizational independence and individual objectivity may include, but is not limited to, personal
conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource
limitations, such as funding.
The determination of appropriate parties to which the details of an impairment to independence or objectivity
must be disclosed is dependent upon the expectations of the internal audit activity's and the chief audit
executive's responsibilities to senior management and the board as described in the internal audit charter, as
well as the nature of the impairment.
1130.A1 Internal auditors must refrain from assessing specific operations for which they were previously
responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an
activity for which the internal auditor had responsibility within the previous year.
1130.A2 Assurance engagements for functions over which the chief audit executive has responsibility must be
overseen by a party outside the internal audit activity.
1130.C1 Internal auditors may provide consulting services relating to operations for which they had previous
responsibilities.
1130.C2 If internal auditors have potential impairments to independence or objectivity relating to proposed
consulting services, disclosure must be made to the engagement client prior to accepting the engagement.
1200 Proficiency and Due Professional Care
Engagements must be performed with proficiency and due professional care.
1210 Proficiency
Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual
responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other
competencies needed to perform its responsibilities.
Interpretation:
Knowledge, skills, and other competencies is a collective term that refers to the professional proficiency required
of internal auditors to effectively carry out their professional responsibilities. Internal auditors are encouraged
to demonstrate their proficiency by obtaining appropriate professional certifications and qualifications, such as
the Certified Internal Auditor designation and other designations offered by The Institute of Internal Auditors
and other appropriate professional organizations.
1210.A1 The chief audit executive must obtain competent advice and assistance if the internal auditors lack the
knowledge, skills, or other competencies needed to perform all or part of the engagement.

1210.A2 Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in
which it is managed by the organization, but are not expected to have the expertise of a person whose primary
responsibility is detecting and investigating fraud.
1210.A3 Internal auditors must have sufficient knowledge of key information technology risks and controls and
available technology-based audit techniques to perform their assigned work. However, not all internal auditors
are expected to have the expertise of an internal auditor whose primary responsibility is information technology
auditing.
1210.C1 The chief audit executive must decline the consulting engagement or obtain competent advice and
assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part
of the engagement.
1220 Due Professional Care
Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor.
Due professional care does not imply infallibility.
1220.A1 Internal auditors must exercise due professional care by considering the:
Extent of work needed to achieve the engagement's objectives;
Relative complexity, materiality, or significance of matters to which assurance procedures are applied;
Adequacy and effectiveness of governance, risk management, and control processes;
Probability of significant errors, fraud, or noncompliance; and
Cost of assurance in relation to potential benefits.
1220.A2 In exercising due professional care internal auditors must consider the use of technology-based audit
and other data analysis techniques.
1220.A3 Internal auditors must be alert to the significant risks that might affect objectives, operations, or
resources. However, assurance procedures alone, even when performed with due professional care, do not
guarantee that all significant risks will be identified.
1220.C1 Internal auditors must exercise due professional care during a consulting engagement by considering
the:
Needs and expectations of clients, including the nature, timing, and communication of engagement results;
Relative complexity and extent of work needed to achieve the engagement's objectives; and
Cost of the consulting engagement in relation to potential benefits.
1230 Continuing Professional Development
Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional
development.
1300 Quality Assurance and Improvement Program
The chief audit executive must develop and maintain a quality assurance and improvement program that covers
all aspects of the internal audit activity.
Interpretation:
A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity's
conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal
auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal
audit activity and identifies opportunities for improvement.
1310 Requirements of the Quality Assurance and Improvement Program
The quality assurance and improvement program must include both internal and external assessments.
1311 Internal Assessments
Internal assessments must include:
Ongoing monitoring of the performance of the internal audit activity; and
Periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices.
Interpretation:
Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal
audit activity. Ongoing monitoring is incorporated into the routine policies and practices used to manage the
internal audit activity and uses processes, tools, and information considered necessary to evaluate conformance
with the Definition of Internal Auditing, the Code of Ethics, and the Standards.
Periodic reviews are assessments conducted to evaluate conformance with the Definition of Internal Auditing,
the Code of Ethics, and the Standards.
Sufficient knowledge of internal audit practices requires at least an understanding of all elements of the
International Professional Practices Framework.
1312 External Assessments
External assessments must be conducted at least once every five years by a qualified, independent reviewer or
review team from outside the organization. The chief audit executive must discuss with the board:
The need for more frequent external assessments; and
The qualifications and independence of the external reviewer or review team, including any potential conflict of interest.
Interpretation:
A qualified reviewer or review team consists of individuals who are competent in the professional practice of
internal auditing and the external assessment process. The evaluation of the competency of the reviewer and
review team is a judgment that considers the professional internal audit experience and professional credentials
of the individuals selected to perform the review. The evaluation of qualifications also considers the size and
complexity of the organizations that the reviewers have been associated with in relation to the organization for
which the internal audit activity is being assessed, as well as the need for particular sector, industry, or technical
knowledge.
An independent reviewer or review team means not having either a real or an apparent conflict of interest and
not being a part of, or under the control of, the organization to which the internal audit activity belongs.
1320 Reporting on the Quality Assurance and Improvement Program
The chief audit executive must communicate the results of the quality assurance and improvement program to
senior management and the board.
Interpretation:
The form, content, and frequency of communicating the results of the quality assurance and improvement
program is established through discussions with senior management and the board and considers the
responsibilities of the internal audit activity and chief audit executive as contained in the internal audit charter.
To demonstrate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, the
results of external and periodic internal assessments are communicated upon completion of such assessments
and the results of ongoing monitoring are communicated at least annually. The results include the reviewer's or
review team's assessment with respect to the degree of conformance.
1321 Use of "Conforms with the International Standards for the Professional Practice of Internal
Auditing"
The chief audit executive may state that the internal audit activity conforms with the International Standards for
the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement
program support this statement.
1322 Disclosure of Nonconformance
When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the
overall scope or operation of the internal audit activity, the chief audit executive must disclose the
nonconformance and the impact to senior management and the board.

Performance Standards
2000 Managing the Internal Audit Activity
The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the
organization.
Interpretation:
The internal audit activity is effectively managed when:
The results of the internal audit activity's work achieve the purpose and responsibility included in the internal audit charter;
The internal audit activity conforms with the Definition of Internal Auditing and the Standards; and
The individuals who are part of the internal audit activity demonstrate conformance with the Code of Ethics and the Standards.
2010 Planning
The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity,
consistent with the organization's goals.
Interpretation:
The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into
account the organization's risk management framework, including using risk appetite levels set by management
for the different activities or parts of the organization. If a framework does not exist, the chief audit executive
uses his/her own judgment of risks after consultation with senior management and the board.

2010.A1 The internal audit activity's plan of engagements must be based on a documented risk assessment,
undertaken at least annually. The input of senior management and the board must be considered in this process.
2010.C1 The chief audit executive should consider accepting proposed consulting engagements based on the
engagement's potential to improve management of risks, add value, and improve the organization's operations.
Accepted engagements must be included in the plan.
2020 Communication and Approval
The chief audit executive must communicate the internal audit activity's plans and resource requirements,
including significant interim changes, to senior management and the board for review and approval. The chief
audit executive must also communicate the impact of resource limitations.
2030 Resource Management
The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively
deployed to achieve the approved plan.
Interpretation:
Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the plan. Sufficient
refers to the quantity of resources needed to accomplish the plan. Resources are effectively deployed when they
are used in a way that optimizes the achievement of the approved plan.
2040 Policies and Procedures
The chief audit executive must establish policies and procedures to guide the internal audit activity.
Interpretation:
The form and content of policies and procedures are dependent upon the size and structure of the internal audit
activity and the complexity of its work.
2050 Coordination
The chief audit executive should share information and coordinate activities with other internal and external
providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.
2060 Reporting to Senior Management and the Board
The chief audit executive must report periodically to senior management and the board on the internal audit
activity's purpose, authority, responsibility, and performance relative to its plan. Reporting must also include
significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed
or requested by senior management and the board.
Interpretation:
The frequency and content of reporting are determined in discussion with senior management and the board and
depend on the importance of the information to be communicated and the urgency of the related actions to be
taken by senior management or the board.
2100 Nature of Work
The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and
control processes using a systematic and disciplined approach.
2110 Governance
The internal audit activity must assess and make appropriate recommendations for improving the governance
process in its accomplishment of the following objectives:
Promoting appropriate ethics and values within the organization;
Ensuring effective organizational performance management and accountability;
Communicating risk and control information to appropriate areas of the organization; and
Coordinating the activities of and communicating information among the board, external and internal auditors, and management.
2110.A1 The internal audit activity must evaluate the design, implementation, and effectiveness of the
organization's ethics-related objectives, programs, and activities.
2110.A2 The internal audit activity must assess whether the information technology governance of the
organization sustains and supports the organization's strategies and objectives.
2110.C1 Consulting engagement objectives must be consistent with the overall values and goals of the
organization.
2120 Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management
processes.
Interpretation:
Determining whether risk management processes are effective is a judgment resulting from the internal auditor's
assessment that:
Organizational objectives support and align with the organization's mission;
Significant risks are identified and assessed;
Appropriate risk responses are selected that align risks with the organization's risk appetite; and
Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.
Risk management processes are monitored through ongoing management activities, separate evaluations, or
both.
2120.A1 The internal audit activity must evaluate risk exposures relating to the organization's governance,
operations, and information systems regarding the:
Reliability and integrity of financial and operational information.
Effectiveness and efficiency of operations.
Safeguarding of assets; and
Compliance with laws, regulations, and contracts.
2120.A2 The internal audit activity must evaluate the potential for the occurrence of fraud and how the
organization manages fraud risk.
2120.C1 During consulting engagements, internal auditors must address risk consistent with the engagement's
objectives and be alert to the existence of other significant risks.
2120.C2 Internal auditors must incorporate knowledge of risks gained from consulting engagements into their
evaluation of the organization's risk management processes.
2120.C3 When assisting management in establishing or improving risk management processes, internal
auditors must refrain from assuming any management responsibility by actually managing risks.
2130 Control
The internal audit activity must assist the organization in maintaining effective controls by evaluating their
effectiveness and efficiency and by promoting continuous improvement.
2130.A1 The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to
risks within the organization's governance, operations, and information systems regarding the:
Reliability and integrity of financial and operational information;
Effectiveness and efficiency of operations;
Safeguarding of assets; and
Compliance with laws, regulations, and contracts.
2130.A2 Internal auditors should ascertain the extent to which operating and program goals and objectives have
been established and conform to those of the organization.
2130.A3 Internal auditors should review operations and programs to ascertain the extent to which results are
consistent with established goals and objectives to determine whether operations and programs are being
implemented or performed as intended.
2130.C1 During consulting engagements, internal auditors must address controls consistent with the
engagement's objectives and be alert to significant control issues.
2130.C2 Internal auditors must incorporate knowledge of controls gained from consulting engagements into
evaluation of the organization's control processes.
2200 Engagement Planning
Internal auditors must develop and document a plan for each engagement, including the engagement's objectives,
scope, timing, and resource allocations.
2201 Planning Considerations
In planning the engagement, internal auditors must consider:
The objectives of the activity being reviewed and the means by which the activity controls its performance;
The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level;
The adequacy and effectiveness of the activity's risk management and control processes compared to a relevant control framework or model; and
The opportunities for making significant improvements to the activity's risk management and control processes.

2201.A1 When planning an engagement for parties outside the organization, internal auditors must establish a
written understanding with them about objectives, scope, respective responsibilities, and other expectations,
including restrictions on distribution of the results of the engagement and access to engagement records.
2201.C1 Internal auditors must establish an understanding with consulting engagement clients about objectives,
scope, respective responsibilities, and other client expectations. For significant engagements, this understanding
must be documented.
2210 Engagement Objectives
Objectives must be established for each engagement.
2210.A1 Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under
review. Engagement objectives must reflect the results of this assessment.
2210.A2 Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other
exposures when developing the engagement objectives.
2210.A3 Adequate criteria are needed to evaluate controls. Internal auditors must ascertain the extent to which
management has established adequate criteria to determine whether objectives and goals have been
accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal
auditors must work with management to develop appropriate evaluation criteria.
2210.C1 Consulting engagement objectives must address governance, risk management, and control processes
to the extent agreed upon with the client.
2220 Engagement Scope
The established scope must be sufficient to satisfy the objectives of the engagement.
2220.A1 The scope of the engagement must include consideration of relevant systems, records, personnel, and
physical properties, including those under the control of third parties.
2220.A2 If significant consulting opportunities arise during an assurance engagement, a specific written
understanding as to the objectives, scope, respective responsibilities, and other expectations should be reached
and the results of the consulting engagement communicated in accordance with consulting standards.
2220.C1 In performing consulting engagements, internal auditors must ensure that the scope of the engagement
is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope
during the engagement, these reservations must be discussed with the client to determine whether to continue
with the engagement.
2230 Engagement Resource Allocation
Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on
an evaluation of the nature and complexity of each engagement, time constraints, and available resources.

2240 Engagement Work Program
Internal auditors must develop and document work programs that achieve the engagement objectives.
2240.A1 Work programs must include the procedures for identifying, analyzing, evaluating, and documenting
information during the engagement. The work program must be approved prior to its implementation, and any
adjustments approved promptly.
2240.C1 Work programs for consulting engagements may vary in form and content depending upon the nature
of the engagement.
2300 Performing the Engagement
Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the
engagement's objectives.
2310 Identifying Information
Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement's
objectives.
Interpretation:
Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the
same conclusions as the auditor. Reliable information is the best attainable information through the use of
appropriate engagement techniques. Relevant information supports engagement observations and
recommendations and is consistent with the objectives for the engagement. Useful information helps the
organization meet its goals.
2320 Analysis and Evaluation
Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.
2330 Documenting Information
Internal auditors must document relevant information to support the conclusions and engagement results.
2330.A1 The chief audit executive must control access to engagement records. The chief audit executive must
obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties,
as appropriate.
2330.A2 The chief audit executive must develop retention requirements for engagement records, regardless of
the medium in which each record is stored. These retention requirements must be consistent with the
organization's guidelines and any pertinent regulatory or other requirements.
2330.C1 The chief audit executive must develop policies governing the custody and retention of consulting
engagement records, as well as their release to internal and external parties. These policies must be consistent
with the organization's guidelines and any pertinent regulatory or other requirements.

2340 Engagement Supervision
Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is
developed.
Interpretation:
The extent of supervision required will depend on the proficiency and experience of internal auditors and the
complexity of the engagement. The chief audit executive has overall responsibility for supervising the
engagement, whether performed by or for the internal audit activity, but may designate appropriately
experienced members of the internal audit activity to perform the review. Appropriate evidence of supervision is
documented and retained.
2400 Communicating Results
Internal auditors must communicate the engagement results.
2410 Criteria for Communicating
Communications must include the engagement's objectives and scope as well as applicable conclusions,
recommendations, and action plans.
2410.A1 Final communication of engagement results must, where appropriate, contain internal auditors' overall
opinion and/or conclusions.
2410.A2 Internal auditors are encouraged to acknowledge satisfactory performance in engagement
communications.
2410.A3 When releasing engagement results to parties outside the organization, the communication must
include limitations on distribution and use of the results.
2410.C1 Communication of the progress and results of consulting engagements will vary in form and content
depending upon the nature of the engagement and the needs of the client.
2420 Quality of Communications
Communications must be accurate, objective, clear, concise, constructive, complete, and timely.
Interpretation:
Accurate communications are free from errors and distortions and are faithful to the underlying facts. Objective
communications are fair, impartial, and unbiased and are the result of a fair-minded and balanced assessment of
all relevant facts and circumstances. Clear communications are easily understood and logical, avoiding
unnecessary technical language and providing all significant and relevant information. Concise communications
are to the point and avoid unnecessary elaboration, superfluous detail, redundancy, and wordiness. Constructive
communications are helpful to the engagement client and the organization and lead to improvements where
needed. Complete communications lack nothing that is essential to the target audience and include all significant
and relevant information and observations to support recommendations and conclusions. Timely communications
are opportune and expedient, depending on the significance of the issue, allowing management to take
appropriate corrective action.

2421 Errors and Omissions
If a final communication contains a significant error or omission, the chief audit executive must communicate
corrected information to all parties who received the original communication.
2430 Use of "Conducted in Conformance with the International Standards for the Professional Practice of
Internal Auditing"
Internal auditors may report that their engagements are conducted in conformance with the International
Standards for the Professional Practice of Internal Auditing, only if the results of the quality assurance and
improvement program support the statement.
2431 Engagement Disclosure of Nonconformance
When nonconformance with the Definition of Internal Auditing, the Code of Ethics or the Standards impacts a
specific engagement, communication of the results must disclose the:
Principle or rule of conduct of the Code of Ethics or Standard(s) with which full conformance was not achieved;
Reason(s) for nonconformance; and
Impact of nonconformance on the engagement and the communicated engagement results.
2440 Disseminating Results
The chief audit executive must communicate results to the appropriate parties.
Interpretation:
The chief audit executive or designee reviews and approves the final engagement communication before issuance
and decides to whom and how it will be disseminated.
2440.A1 The chief audit executive is responsible for communicating the final results to parties who can ensure
that the results are given due consideration.
2440.A2 If not otherwise mandated by legal, statutory, or regulatory requirements, prior to releasing results to
parties outside the organization the chief audit executive must:
Assess the potential risk to the organization;
Consult with senior management and/or legal counsel as appropriate; and
Control dissemination by restricting the use of the results.
2440.C1 The chief audit executive is responsible for communicating the final results of consulting
engagements to clients.
2440.C2 During consulting engagements, governance, risk management, and control issues may be identified.
Whenever these issues are significant to the organization, they must be communicated to senior management and
the board.
2500 Monitoring Progress
The chief audit executive must establish and maintain a system to monitor the disposition of results
communicated to management.
2500.A1 The chief audit executive must establish a follow-up process to monitor and ensure that management
actions have been effectively implemented or that senior management has accepted the risk of not taking action.

2500.C1 The internal audit activity must monitor the disposition of results of consulting engagements to the
extent agreed upon with the client.
2600 Resolution of Senior Management's Acceptance of Risks
When the chief audit executive believes that senior management has accepted a level of residual risk that may be
unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If
the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the board
for resolution.

GOVERNMENT ACCOUNTABILITY OFFICE YELLOW BOOK STANDARDS
SUMMARY
The general standards contained in Generally Accepted Government Auditing
Standards ("GAGAS") set forth requirements for auditor independence, using
professional judgment, ensuring competent team members, and conducting peer
reviews. Specific standards set forth requirements for fieldwork and reporting in
the areas of financial, attestation, and performance assurance activities. In
general, GAGAS standards are stricter than IIA standards in the types of non-audit
services that auditors may provide, the amount of training auditors must
undergo, the frequency of peer reviews, and the level of documentation
contained in audits and the wording in those reports. The following are
recommendations that the UT System Audit Office has provided to all audit
departments in order to ensure full compliance with GAGAS. Those recommendations
are summarized below along with the corresponding reference in GAGAS. In
order to be completely versed in the standards, it is critical that all
auditors obtain and read them. GAGAS may be found at the Government
Accountability Office's website:
http://www.gao.gov/govaud/yb2003.pdf.
GENERAL STANDARDS
Independence
1) When using specialists for projects (e.g., co-sourced audits), obtain independence
certifications and statements of knowledge of GAGAS independence
requirements. Document qualifications of the specialist (they do not have to
perform work under GAGAS, just acknowledge that they are independent under
those standards).
2) Inventory non-audit activities performed and determine whether activities are
allowable or unallowable based on criteria in 3.14 - 3.18. (Common non-audit
activities to consider include management of participation in the institutional
compliance program, participation in peer reviews, performance of consulting
engagements, interviewing of candidates for management positions, oversight of
management, both functionally and administratively, and development of
organizational policies).
3) For allowable activities, document reasons for being allowable and how safeguards
are met based on criteria in 3.17.
4) Ensure peer review team examines a selection of non-audit activities to test
for compliance with 3.17.


5) Develop policies and procedures for identifying personal impairments,
communicating them to all auditors in the organization, ensuring understanding of
policies through training, obtaining acknowledgement of policies, monitoring
compliance with policies, establishing a disciplinary mechanism for violating
policies, and stressing the importance of independence.
6) Identify, report, and resolve impairments to independence timely.
7) Identify factors causing external impairments in 3.19 and ensure policies are
in place to identify them.
8) Identify factors causing organizational impairments and ensure policies are in
place to identify them.
9) Ensure peer review teams assess whether policies and procedures are in place for
identifying, resolving and reporting impairments and ensure that impairments
identified are acted upon timely.
Professional Judgment
10) Review working papers and audit programs to ensure evidence of the use of
professional judgment in applying the right standards to an engagement, defining
the scope of work, selecting the methodology, determining the types of evidence
to be relied upon, and choosing tests and procedures, and evaluating results.
Competence
11) Ensure a process is in place for recruitment, hiring, continuous development, and
evaluation of staff to ensure adequate competence.
12) Ensure that staff members collectively possess the technical knowledge, skills,
and experience necessary to be competent for the type of work being performed
BEFORE beginning fieldwork.
13) When performing external financial statement work, ensure auditors on the
engagement have knowledge of GAAP and external auditing standards.
14) Document compliance with CPE requirements of 80 hours every two years
(minimum of 20 per year), with at least 24 hours in industry-specific courses.
Peer Reviews
15) Ensure policies and procedures are in place to ensure the audit organization
complies with GAGAS. Retain documentation evidencing compliance with policies
and procedures. Procedures should include ongoing monitoring of policies and
procedures to ensure they are effective.
16) Perform peer reviews every three years (with the review occurring no later than
three years and 90 days after the start of fieldwork of the last review per footnote
38 of GAGAS).
17) Perform remedial action on results of peer review.
18) Ensure team members have knowledge of GAGAS, are independent, and do not
participate in a reciprocal review.
19) Ensure peer review reports reference all standards under which they were
performed.

SPECIFIC PROJECT STANDARDS


Fieldwork and Reporting Requirements (Open to determine whether
GAGAS should be cited in reports)
20) If GAGAS is cited in the audit report, auditors are required to follow the standards
outlined in chapters 4 - 8, depending on the type of audit (financial, attestation,
or performance).
21) Auditors should ensure that if GAGAS is cited in the audit report, the audit file
and report should evidence compliance with the fieldwork and reporting
standards, respectively, in chapters 7 and 8.

University of Texas Permian Basin

SECTION C
(Audit Procedures)

OVERVIEW OF AUDIT PROCEDURES


The following audit procedures are intended to provide a guideline and maintain
uniformity within the Audit Department. Included in this section is a TeamMate
guide that will assist you with documenting your work within this electronic work
paper software and attribute templates for expenditure testing.
In order to ensure consistency among audit staff in carrying out their duties and
responsibilities, guidelines detailing minimal requirements pertaining to audit
work-paper preparation and documentation including standard audit report
formats will be addressed.
Keep in mind that audit reports are official documents distributed to management
within the university. In addition, our reports are subject to exposure and review
by external parties. For this reason, we must implement standards in creating
reports that demonstrate professionalism and consistency. All audit reports
issued by this office should exhibit the same format and be free of spelling
and grammatical errors. A sample report has been included for your benefit.

INDEPENDENCE PROCEDURE
Individual Objectivity
Internal auditors should have an impartial, unbiased attitude and avoid conflicts
of interest. To maintain this Standard, the Office has adopted an Annual
Independence/Conflict of Interest Statement. This form will be signed annually, at
the beginning of the calendar year, by all audit staff members. New audit staff
members will sign when hired.
In addition, the QAR Form has been modified in order to report any potential
independence or conflict of interest with each audit engagement.


Impairments to Independence or Objectivity
If independence or objectivity is impaired in fact or appearance, the details of the
impairment should be disclosed immediately to the Director of Internal Audits.
If an accidental impairment to independence or objectivity occurs, the Director
shall inform the University Ethics Office of the situation for his/her consideration.
If necessary, the auditor will be removed from the engagement. If warranted, the
impairment will be included in the Report and the Audit Committee will be
notified.
Disciplinary action for willful neglect to disclose impairment to independence or
objectivity may result in a Letter of Reprimand by the Director of Internal Audits.
All University employees are required to complete a conflict of interest statement upon
employment at the University and this statement is submitted on an annual basis.
The Director of Internal Audits also performs teaching duties for the University and as part
of her teaching plan she involves her students in actual Departmental audits of the
University. All audit work is reviewed by the Audit Department before it is submitted to the
Audit Committee. All students are required to fill out a non-disclosure form seen below:

The University of Texas of the Permian Basin


STATEMENT OF NON-DISCLOSURE FOR CONFIDENTIAL AND
SENSITIVE DATA
I understand by virtue of my affiliation with the University of Texas of the Permian Basin
through the audit project in Accounting 4306, I may have access to records on various media
which contain individually identifiable or confidential information, the disclosure of which is
prohibited by either state or federal law, or university-designated as confidential or
sensitive. I acknowledge that I fully understand that the intentional disclosure by me of this
information to any individual not authorized by the owner of the data could subject me to
criminal and civil penalties imposed by law. I further acknowledge that such willful or
unauthorized disclosure also violates The University of Texas of the Permian Basin's
procedure and could constitute just cause for disciplinary action regardless of whether
criminal or civil penalties are imposed.
I also acknowledge that failure to sign this statement could result in denial or revocation of
my access to all audit information and other sensitive data at The University of Texas of the
Permian Basin.
Accounting 4306
Name Printed

Signature

Course

Date

If there is any question or uncertainty, contact Narita K. Holmes, Internal Auditor, for
clarification as to what data are confidential or sensitive, who are data owners, and what
constitutes authorized access.

TYPES OF AUDITS
1. Change in Management / Departmental
These types of audits determine whether the department is conducting its
financial and business processes under an adequate system of internal control, as
required by University policy and guidelines and good business practice. These
audits are normally performed when an administrator at the level of Dean or
above leaves office.
2. Compliance Audits
Compliance audits are performed to determine if a system is adequately designed
to ensure compliance with University policies and procedures as well as external
requirements. External requirements include compliance with federal and state
laws and regulations, the National Collegiate Athletic Association (NCAA)
legislation, etc.
3. Financial Audits
This type of audit verifies that controls over acquisition and use of resources are
adequate. It also verifies that sufficient controls exist over assets, liabilities,
revenues, and expenditures. They address the accounting for and reporting of
financial transactions, including commitments, authorizations, and receipt and
disbursement of funds.
4. Operational Audits
This type of audit examines the use of resources to evaluate whether those
resources are being used in the most efficient and effective way to fulfill the
operation's mission and objectives. An operational audit can include elements of
compliance, financial and IT audits.
5. Investigative Audits
Investigative audits focus on alleged civil or criminal violations of state or federal
laws or university policies and procedures that may result in prosecution or
disciplinary action. Examples are allegations of theft, misuse of university assets,
white-collar crime and conflicts of interest.
6. Information Technology (IT) Audits
IT audits address the internal control environment of automated information
processing systems. Although IT audit projects focus primarily on systems in the
development stages, they typically evaluate system input, output, processing
controls, backup and recovery plans, system security as well as computer
facilities.

SUMMARY OF AUDIT PROCESS


Engagement Memo - With few exceptions, audit clients are notified in writing
when their area is selected for review. These letters are sent to the vice president
of the area being audited as well as to the appropriate dean, chairperson, or
director. The engagement memo states the date, time, and place of the opening
conference and the objectives to be accomplished in the audit. Due to the nature
of some audit work, we may give little or no advance notice.
Planning - During the planning process, the auditor gains an understanding of
the area to be audited. This includes interviewing key personnel, reviewing
relevant policies and procedures and, if available, reviewing prior audit work
papers. A risk assessment is created documenting key activities, the risks
associated with those activities, and the probability and impact of the risk.
Entrance Conference - An entrance conference is scheduled with the head of
the department to discuss the purpose and scope of the audit. We encourage
audit clients to discuss any concerns or questions they may have about the audit.
Audit clients may also request a review of those areas of most concern to them
be included as part of the audit activity.
Fieldwork - During the audit fieldwork phase, the auditor will test the adequacy
and effectiveness of the internal control environment for the specific audited
area. The nature of the work includes interviews, sample selection, sample
testing against the criteria and documentation of the results. Written policies and
procedures may be requested to aid the auditor in understanding departmental
operations; however, it is often necessary for auditors to reside in the department
office(s) to conduct interviews and review departmental records. In order to
minimize disruption of daily operations, we try to schedule meetings in advance
to avoid potential scheduling conflicts. The duration of audits varies depending upon
scope. Hence, limited scope audits require less time than audits with broader
scopes, which could lengthen the audit time period. Additionally, the level of
cooperation from auditees and access to personnel and records has a direct
bearing on the duration of audits.
Progress Meetings: During the audit, progress meetings are held to keep the
customer apprised of any potential observations and the status of our review.
Draft Audit Report: A draft report is prepared and distributed to management
to verify factual content after the draft has been reviewed by the Director of
Internal Audits.
Exit Conference - At the conclusion of fieldwork, an exit conference is held to
discuss the audit findings, observations and recommendations. Attendees include
the auditors, members of
management responsible for oversight and operation of the area under review, as
well as those individuals who will have a direct or indirect involvement in
resolving audit concerns identified. The exit conference provides an opportunity
to clear and resolve questions or concerns pertaining to findings, or other issues,
before the final audit report is released.
Communicating Results - Audit results are presented to audit clients via verbal
or written communication and usually include recommendations intended to
benefit the area under review and the University. Audit clients have an
opportunity to discuss concerns identified within the audit and to concur or
disagree with conclusions and recommendations. In any event, audit clients are
required to provide, in writing, proposed resolutions including reasonably
expected implementation dates.

Final Audit Report - The final audit report includes findings and
recommendations along with management's responses. Copies of the report are
distributed to the president, appropriate vice presidents, the audited unit's
manager, and the System Audit Office. Audit findings are also included in a
summary of all UT component reports provided to the chancellor and the Audit
Committee of the Board of Regents.
Customer Survey - After the engagement is complete, our office will send a
survey through our SurveyMonkey tool, requesting the audit client to provide
feedback on the performance of the auditor.
Follow-up Reviews - Our professional standards require that we follow up and
report on previously reported findings to determine if corrective action was taken
and audit concerns were resolved.

INTERNAL CONTROL
What is internal control?
Internal control is a process, effected by The University of Texas System ("UT
System") Board of Regents, management and other personnel, designed to
provide reasonable assurance regarding achievement of objectives in the
following categories:
Operations -- relating to effective and efficient use of UT System's resources,
Financial reporting -- relating to preparation of reliable published financial
statements, and
Compliance -- relating to UT System's compliance with applicable laws and
regulations.
Internal control consists of five interrelated components as follows:
Control environment -- Control environment factors include the integrity,
ethical values and competence of the entity's people; management's philosophy
and operating style; the way management assigns authority and responsibility,
and organizes and develops its people; and the attention and direction provided
by the Board of Regents.
Risk assessment -- A precondition to risk assessment is establishment of
objectives, linked at different levels and internally consistent. Risk assessment is
the identification and analysis of relevant risks to achievement of objectives then
forming a basis for determining how the risks should be managed.
Control activities -- Control activities are the policies and procedures that help
ensure management directives are carried out. They help ensure that necessary
actions are taken to address risks to achievement of the entity's objectives. They
include a range of activities as diverse as approvals, authorizations, verifications,
reconciliations, reviews of operating performance, security of assets, and
segregation of duties.
Information and communication -- Pertinent information must be identified,
captured, and communicated in a form and time frame that enables people to
carry out their responsibilities. Information systems produce reports, containing
operational, financial, and compliance-related information that make it possible to
run and control the business. They deal not only with internally generated data,
but also with information about external events, activities, and conditions
necessary for informed business decision-making and external reporting.
Monitoring -- Internal control systems need to be monitored--a process that
assesses the quality of the system's performance over time. It includes regular
management and supervisory activities, and other actions personnel take when
performing their duties.
All components are relevant to each objectives category. When looking at any
one category, all five components must be present and functioning effectively to
conclude that internal control over operations is effective.
What are the key concepts for internal controls?
Internal control is a process. It is a means to an end, not an end in itself. Internal
control is effected by people. It is not merely procedure manuals and forms, but
people at every level of an organization. Internal control can be expected to
provide only reasonable assurance, not absolute assurance, to management and
Board of Regents. Internal control is geared to the achievement of objectives in
one or more separate but overlapping categories.
When is internal control effective?
Internal control can be judged effective in each of the three categories,
respectively, if the Board of Regents and management have reasonable assurance
that they understand the extent to which:
The entity's operational objectives are being achieved,
Published financial statements are being prepared reliably, and
Applicable laws and regulations are being complied with.
What are factors limiting internal controls?
Judgment -- Managers in a well-controlled organization can make bad decisions.
Breakdowns -- People with control responsibilities may not carry them out
effectively.
Management Override -- Managers may intentionally go outside established
practices for illegitimate purposes.
Cost vs. Benefit -- Resources are limited. Managers properly accept a degree of
risk when the cost of controlling the risk exceeds the benefit.
Note: The above definition of internal control and related concepts are taken
directly from Internal Control -- Integrated Framework by the Committee of
Sponsoring Organizations of the Treadway Commission (COSO). See COSO
MODEL BELOW

RISK ASSESSMENT
The Institute of Internal Auditors (IIA) International Standards for the Professional
Practice of Internal Auditing Performance Standard 2201 Planning
Considerations require internal auditors to consider the significant risks to the
activity, its objectives, resources, and operations and the means by which the
potential impact of risk is kept to an acceptable level.
Other planning considerations can be obtained from The Institute of Internal
Auditors International Standards for the Professional Practice of Internal Auditing.

TEAMMATE WORK PAPERS GUIDE (AUDIT PROJECT)


Note: You will need the Audit Assignment Sheet to create the new audit
project within TeamMate.
Creating a New Audit Project
To create a new TeamMate Audit Project, follow these steps:
Open TeamMate (if not already running) by double clicking the TeamMate Suite
icon.
Click on TeamMate EWP (Electronic Working Papers)

Note: The TeamMate Explorer is the first screen displayed when TeamMate is
launched. If not displayed, then Open TeamMate Explorer, using the File | Open
menu option.
Click on the Master Tab and project files should appear. If not, then the Master
Tab must be mapped to the shared drive. To map to the shared drive, follow
these steps:
With the cursor on the Master Tab, right click and go to modify location tab and
browse to the Shared Drive V: TeamMate Backup Audit Files
Folder>Audits>FY 20XX and click Open and then click OK.
TeamMate Explorer
TeamMate Explorer performs several important roles within TeamMate. Its primary
function is to create, open, restore, and delete Project files including installing
Replicas. It is also used to maintain storage locations, allowing the user to create,
edit, and delete Locations (tabs).
Click on the New button in the TeamMate Explorer to run the New Project
Wizard and follow these steps (steps for creating a departmental audit using a
template are also found below):
New Project Wizard (Step 1 of 3)
The New Project Wizard is a three step process used to create all new projects
within TeamMate.
Step 1 of the New Project Wizard will be to create a new project from scratch.
Creating a New Project
The first Dialogue box is used to gather the basic information about the project
file being setup. Specifically, auditors must enter:
Project No.: XX-FIN-ZZ, where XX = Audit Number and ZZ = Fiscal Year; the center
letters identify the project group, listed below (e.g., 06-FIN-09)
Project Group:
Financial - FIN
Departmental Change in Management - DEP or CIM
Institutional Compliance - COM
Risk Based Project - RBP
Information Technology - IT
Management Services - MAS
Project Name/Title
Project Assigned Date
Location (Master Tab)

Note: TeamMate requires all the fields for this step to be completed before
proceeding to Step 2.
Once completed, click the next button to move to Step 2.
Step 2 of the New Project Wizard requires the selection of a TeamMate Library
File. Files with a .TML extension are TeamMate Library files. A TeamMate Library
contains a number of properties used to define any newly created projects. These
files are created by TeamMate Coordinators and are usually distributed with the
TeamMate installation disks. These files should not be moved, edited, or deleted.
The TeamMate Library file will determine the type of project created. You must
select a valid .TML file before continuing to Step 3 of the New Project Wizard.
Departmental or Change in Management Program Set Up
1. For Departmental or Change in Management Audits hit the browse button
found on this page
2. The Departmental and Change in Management audit template can be found in
the V Drive
3. Within the V Drive go into the TeamMate Audit Back Up Files folder
4. Within this folder there is an Audit Program Templates folder. Enter here.
5. Select the latest Departmental Audit program (Departmental and Change in
Management Audit have the same program). The programs are dated as to
when they were created.
6. Proceed to the next section below, indicated with **

Select Base Library (With PA).tml or browse to the Shared Drive V:
TeamMate Audit Backup Files Folder and proceed to Step 3 by clicking the
next button.

**For Step 3 of the New Project Wizard, you are required to set up a project team
member. Any project file created in TeamMate must contain at least one
Administrator. The team member created in the New Project Wizard will (by
default) become the Project Administrator. This role MUST be reassigned to the
Director.
The Last Name, First Name, Initials, Password and Verify fields are required, while
the Title field is optional. Once the Finish button has been clicked and the project
successfully created, the Browser will be displayed, and you can begin to setup
and work on the project.

***For Change in Management Audits, the audit program has been
created, reviewed, and approved.

Note: The New Project Wizard will (by default) create the project in the Master
Location tab selected in TeamMate Explorer, when the New Project Wizard was
activated.

Setup and Work on the Audit Project


Once you are within your newly created audit project, the Snapshot dialogue box
will automatically be displayed along with the Roaming Toolbar. The Roaming
Toolbar may be rolled up or down by double clicking the top of the toolbar.
Snapshot
The Snapshot provides a (point in time) statistical analysis of the status of the
entire project. The Snapshot can be used as a review tool, showing the progress
of the project at any point in time. The Snapshot is constantly and automatically
updated and can easily be displayed by either selecting the Project | Snapshot
menu option or by clicking on the Snapshot button in the Standard toolbar.
The Browser
The Browser acts as a hierarchical index or table of contents to all work
documented within a TeamMate project. It is the first window displayed (after
Snapshot) when a TeamMate project is opened.
The Browser is divided into two re-sizeable panes similar to Windows Explorer.
1. The Left Browser pane acts as an index to the file and is used for navigation to
the appropriate section. Only the following default folders and subfolders are
displayed in the left pane.
PA: Planning and Administration
PA1: Planning
PA2: Administration
AS: Audit Summary
AS1: Current Exceptions
AS2: Reports
CG: Component Groups
Note: Each auditor will rename the component groups to Fieldwork so that it
will look as follows: CG: Fieldwork. To do this, right click on component groups and
click rename. The auditor will now add to the Fieldwork folder.
Adding Fieldwork Folders
Adding a Fieldwork Folder to the Browser is completed by using the Add Folder
button on the toolbar or by selecting the Edit | New Folder menu option, when the
CG: Fieldwork folder is selected/highlighted in the Browser.
The New Fieldwork / Area dialogue contains the following:
Audit Reference Code (ARC) also known as folder or work paper references.
Note: The auditor should be careful when adding folders or importing and/or
adding work papers to TeamMate. The ARC is automatic and sequential and
CANNOT be edited.
Component Group Title -- The Component Group Title: field is used to specify the
title of the folder being added to the Browser. This will be the major section of
your audit program. Each component group folder created will be
lettered (i.e., A, B, C, D, etc.).
First Component Title -- The First Component Title: field is used to specify the title of
the parent folder being added to the Browser. This will be the same as the
component group title unless you have a minor section within a major.
When completed, click OK. Two subfolders will automatically be created within
each component group folder: a Supplementary Information subfolder and a major
section subfolder (i.e., A: SI Supplementary Information and A.1). Disregard the
Supplementary Information subfolder. This folder will not be used at this time.
By double clicking the A.1 subfolder, the procedures summary will appear in the
right browser pane as A.1.PS.
2. The Right Browser pane displays a detailed view of the contents of each folder
in the file. As you move through the folders in the left pane, the right pane will
adjust to display the contents of each selected folder. The first item in each
newly created folder will be the Procedures Summary. This area will contain the
audit steps, results of work done and the overall conclusion.
Creating Procedures
Procedures can be automatically added to the Browser by importing planning
from a TeamStore, or manually added to Procedure Summaries of the required
Procedure. Procedures are added by adding rows to the Procedure Summary.
To manually add Procedures:

Navigate to the CG: Field work folder to which the Procedure belongs.
Navigate to the Procedure to which the new Procedures are to be added.
Open the Procedure Summary for the required Procedure (right browser pane).
Click on the Add Row (or Insert Row) button in the TeamMate toolbar or use
the Edit | Add Row menu option.
Once the new Procedure has been added to the Procedure Summary,
complete the required fields on the Procedure Summary and allocate the
Procedure to a Team Member and a Visit.
To save the added Procedures, close the Procedure Summary Schedule,
saving the changes made.

When Procedures are added to the Procedure Summary, they are given the Title
New Row. This Procedure Title can be renamed, by either double clicking on the
Procedure Title, or selecting the Procedure Title and pressing <F2>.
Note: You must assign the Director with Administrator privileges and the Asst.
Director with Preparer/Reviewer privileges. To do this, click on Profile located on
the navigation toolbar and select the Team tab. Click on Add and fill in the
information requested. A password must be created at this time. The temporary
password will be "audit" and should be changed when the person logs on.
Adding Work papers
As mentioned before, care must be taken when adding work papers to the
Procedures Summary because of the automatic referencing. To add work papers,
you MUST be in the Procedures Summary screen. You may perform either one of
the following options:

Right click and select add work paper or


Drop the Floating Toolbar and select add work paper.

Audit Work papers


The following is a list of the work papers to be included under each folder:
PA: Planning and Administration
  PA1: Planning
    A. Planning Memo
    B. Internal Control Questionnaire (ICQ)
    C. Background Information
    D. Organization Chart
    E. Goals, Objectives, ODP Map
    F. Risk Assessment
    G. Interviews
    H. Flow Charts
    I. Prior Audits
    J. Audit Program
  PA2: Administration
    A. Assignment Sheet
    B. Entrance Conference Memorandum
    C. Entrance Conference Narrative
    D. Exit Conference Memo/Narrative
    E. Quality Assurance Review (QAR)
AS: Audit Summary
  AS1: Current Exceptions
  AS2: Reports
CG: Field work**
  A. Background
    a. Policies and Procedures Manual
    b. Risk Assessment & Implementation Plan
    c. Employee Performance Evaluations
  B. Reliability and Integrity of Key Financial Information
    a. Expenditures
    b. Account Reconciliations
    c. Revenue and Cash Receipts
    d. Time Reporting
    f. Segregation of Duties
  C. Safeguarding of Assets
    a. Inventory Test
  D. Information Technology
    a. Computer Access
**NOTE: Change in Management Audits are being demonstrated in this
example. Field work folders may appear different for other types of
audits.
Cross Referencing Work papers
Cross referencing may be performed by creating hyperlinks within the work
papers and can be a one-way or two-way hyperlink. For the most part, we will be
creating two-way hyperlinks.
Creating a Hyperlink
Creating a Hyperlink is done by clicking on the Hyperlink button on the
Application toolbar.
If creating a two-way Hyperlink:

Go to the location within the schedule where you want to place one end of
the cross reference.
Click on the Hyperlink button in the Application toolbar.
Select the "Copy As Target" button.
Once this has been done, you can complete (display) the link by going to
the location where the other end of the cross reference is to be placed and
clicking on Hyperlink button.
Select the "Paste Link" tab.
If you wish the link to be two way (visible from both linked schedules),
select the "Create as 2-way Link" checkbox.
Click on OK and the Hyperlink is created.

If creating a one-way Hyperlink to a designated schedule:

Position the text cursor or select the spreadsheet cell on the schedule
where the Hyperlink is to be positioned.
Click on the Hyperlink button in the Application Toolbar.
To create a Hyperlink to a particular schedule,
select the "Link to ARC" tab.
Select the schedule to be linked to from the mini-Browser displayed.
After making your selections, click on the Insert button to place the link.

The Audit Programs, for non Change in Management audits, should be placed in
the Planning folder for approval by the Audit Director. These audit programs must
be cross-referenced/linked to the work papers. As work papers are completed,
preparers should sign off as follows:
Signing Off Schedules
Schedules can be signed off using the Sign Off button in the Application Toolbar.
To sign off a schedule:
Open the Sign off and Edit History dialogue box by clicking on the Sign Off button.

To sign the Schedule off as Prepared, click on the Green Sign Off button.
To sign off a Schedule as Reviewed, click on the Blue Sign Off button.
When the appropriate Sign Off button has the Team Member's initials and
date stamped beside it, clicking on OK will save the sign off record.

Note: Coaching Notes and Procedures also require sign off, but this is achieved
via the sign off buttons displayed on the Coaching Notes dialogue box (Done By &
Cleared By), and on the right pane of the Procedure Summary, respectively.
TeamMate Reports
TeamMate provides the ability to automatically produce Reports from a number of
TeamMate type schedules. These Reports are generated in Microsoft Word, using
a process similar to a mail merge. When the report type is selected, TeamMate
will launch Word, extract the information from TeamMate and create a report
based on information in the project.
Once the Report has been created, the data displayed is no longer linked to
TeamMate. It should be treated as a standard Word work paper. Subsequent
changes to any of the TeamMate type schedules after the report has been
generated will not be reflected in the report file. For this reason, reports are
usually created towards the end of the project when the information is fairly
static.
There are two ways in which a report can be generated from within TeamMate. To
generate a report based on the entire contents on the project file, use the
Browser menu option Tools | Generate Report. For more specific (filtered and
sorted) information, you can generate a report based on the information
displayed in any TeamMate type schedule or summary viewer.
TeamMate provides the ability to produce reports based on Exceptions,
Procedures, Coaching Notes, and Schedules Status. The reports can be produced
in either a narrative or table format. In addition, TeamMate has the capability to
create a customized TeamMate Report based on one of the above.
There are some limitations with respect to combining fields from the report types
listed above. The exception to this is the Profile fields. All but the large text fields
(typically Planning, Background and Objective) are available in any of the report
types listed below.
To generate a TeamMate Report, the Report Wizard goes through the following
steps:
1. Report Wizard - (Report) Selection
2. Report Wizard - Scope (Filter & Sort) Selection
   Coaching Note Reports
   Exception Reports
   Procedure Reports
   Procedure Summary Report
   Schedule Status Report
   Profile Report
3. Report Wizard - Data Preview
4. Report Wizard - (Choose) Destination

After completing these Steps, TeamMate will generate a Report based on your
selections.
Exception Reports
The auditor will generate an Exceptions report via the Report Wizard and save
the exceptions report to the V/shared drive under the EXCEPTION
REPORTS folder.
SEE EXHIBIT A
Audit Reports
Note: All Audit Reports will contain the following sections and in this order:
Executive Summary, Background, Audit Objective, Audit Scope and Methodology,
Audit Results, Conclusion
There will be two draft reports and one final uploaded to TeamMate in the
REPORTS section and all findings and recommendations on the drafts will be
cross-referenced to the work papers. SEE EXHIBIT B

First draft to auditee
Second draft with auditee responses
Final report will be uploaded in PDF format after it is approved by the Audit
Committee

Quality Assurance Review
At the completion of the audit, the auditor will complete a Quality Assurance
Review (QAR) form and upload it to the Administrative section. This form may be
found on the shared drive under the Change in Management folder. SEE AUDIT
MANUAL SECTION H
At the conclusion of the audit project, the auditor assigned to the project is
responsible for ensuring that all work papers and coaching notes have been
reviewed and signed-off in preparation for the finalization process. The auditor
should inform the Director that the project file is ready to be closed. The
Director is the only person authorized to close projects. The following
steps provide an overview of the finalization process.

Finalization
Finalization is the process which moves a project from the Field Work or Post
Field Work stage to Finalized. Projects should only be finalized when the work
has been completed and no more changes are necessary, as once the project has
been finalized it will be marked as Read-Only.
To finalize a project:

Select the Browser menu option File | Administration | Stages
Click on the Complete / Finalize button
This will start the Finalization Wizard.

Step 1 of the Finalization Wizard starts out by explaining to the Administrator
what processes will take place throughout the Finalization Wizard. No action is
required for this step, so simply click on the Next button to proceed to Step 2.
Note: The Finalization process can be cancelled at any time prior to Step 6.
Step 2 of the wizard checks the signoff status of each schedule within the project.
Click on the Click here to begin the scan button, and TeamMate will display all
schedules not signed off.
For Finalization, if the conditions set by the option buttons have not been met (i.e.
Halt status found), the Finalization Wizard will disable the Next button. However, if
performing the Post Field Work wizard or the Finalization where no Halt conditions
exist, click on the Next button to proceed to Step 3 of the process.
Step 3 of the wizard checks the status of each Procedure Summary Step within
the project. Click on the Click here to begin the scan button, and TeamMate will
display all steps not signed off.
If the conditions set by the option buttons have not been met (i.e. Halt status
found), the wizard will disable the Next button. However, if performing the Post
Field Work wizard or the Finalization where no Halt conditions exist, click on the
Next button to proceed to Step 4 of the Finalization process.
Step 4 of the wizard checks the status of all the Coaching Notes within the
project. This final check performed by the wizard will display any Coaching Notes
that have not been Cleared. Click on the Click here to begin the Scan button
and the Wizard will list the Coaching Notes not Cleared. It is important (but not
essential) that all Coaching Notes be Cleared before proceeding to Finalization
Step 5 or Post Field Work Step 5.
Coaching Notes and Edit History may be permanently deleted from the project
when the project is actually finalized, depending on the option selected in Step 6
of the Finalization wizard. To continue with the process, click on the Next button
to proceed to the next step.
Page 10 of 17 Section C6 Rev. 1/07
Note: The Coaching Notes and Edit History WILL NOT be deleted; therefore, it is
imperative that the defaults are changed to read the options in Step 6.
Step 5 of the Finalization Wizard is a precautionary measure. Before the
Finalization wizard finalizes the Project, the Administrator has the option to make
a Backup. Specify the location for the backup file and click on the Click here to
start backup button. Once the backup is complete, use the Next button to
proceed to the last step (Step 6) of the Finalization Wizard.
Note: A backup of the project prior to closing is required and should be saved
under Shared Drive F: TeamMate Folder>Backups (Prior to Close)
Step 6 of the Finalization Wizard is the decisive point of the process. First set the
two option buttons to retain Edit Histories and Coaching Notes, and then STOP
AND THINK! Has all work on the project been completed in accordance with the
applicable Standards? Proceeding with this step is irreversible.
Clicking on the Click here to start the finalization process button will perform
the Finalization process in accordance with the options chosen, and will then
make the audit READ ONLY.
Note: A backup of the project after finalization is required and you need to save
in Shared Drive V: TeamMate Backup Files Folder>XX Backups_Post
Closing, where XX = Fiscal Year.

FOR MORE DETAILED AND/OR TECHNICAL GUIDANCE ON USING
TEAMMATE, REFER TO THE HELP MENU

ADDENDUM
WORK PAPERS
Work papers are the means by which auditors document the work performed.
There are two types of work papers:
1. Manual work papers: they include hard copies of documents and files
(NO LONGER KEPT AS A RESULT OF TEAMMATE)
2. Electronic work papers: documents in electronic format (PDF files, spreadsheets,
and Word documents, etc.) which are normally stored and maintained in an
electronic medium such as a computer.
Work papers serve both as tools to aid the auditor in performing his work, and as
written evidence of the work done to support the auditor's report. Information
included in work papers should be sufficient, competent, relevant, and useful to
provide a sound basis for audit findings and recommendations. Section B-2 of
the Standards for the Professional Practice of Internal Auditing defines sufficient,
competent, relevant, and useful as follows:

Sufficient information is factual, adequate, and convincing so that a
prudent, informed person would reach the same conclusions as the
auditor.

Competent information is reliable and the best attainable through the
use of appropriate audit techniques.

Relevant information supports audit findings and recommendations and
is consistent with the objectives for the audit.

Useful information helps the organization meet its goals.

Qualities of Good Work Papers


1. Complete
Work papers must be able to stand alone. This means that all questions
must be answered, all points raised by the reviewer must be cleared, and a
logical, well-thought-out conclusion must be reached for each audit segment.
2. Concise
Work papers must be confined to those that serve a useful purpose.
3. Neat
Work papers should not be crowded. Allow for enough space on each schedule so
that all pertinent information can be included in a logical and orderly manner. At
the same time, keep work papers economical. Forms and procedures should be
included only when relevant to the audit or to an audit recommendation. Also, try
to avoid unnecessary listing and scheduling. All schedules should have a purpose
which relates to the audit procedures or recommendations.
Work Paper Techniques
1. Organization
Work papers should be organized in a manner which would allow efficient
retrieval of any needed information.
2. Tick marks
The auditor makes frequent use of a variety of symbols to indicate work that has
been done. These symbols are commonly referred to as tick marks. As these tick
marks have no special or uniform meaning in themselves, an explanation of each
tick mark should be made on the schedule on which it appears.
3. Cross-referencing
Cross-referencing within work papers should be complete and accurate.
Refer to the section on cross-referencing found on page 6. The audit program
should be cross-referenced to work papers related to each program step. Work
papers should be cross-referenced to each other, as appropriate, and to any
resulting Audit Exception. A copy of the final audit report should be
cross-referenced directly to supporting work papers.
4. Carry forward
The auditor should make full use of the work papers developed in the prior audit.
Flow charts, system descriptions, and other data may still be valid. Copies of
those papers which remain useful should be made a part of the current working
papers. They should be updated with current information, renumbered,
referenced, and initialed and dated by the current auditor.
Types of Work Papers

All work papers should be scanned (as necessary) and converted to electronic
format for inclusion in TEAMMATE.
1. Schedules and Analyses

Schedules and analyses are useful for identifying statistical trends, verifying the
accuracy of data, developing projections or estimations, and determining if tasks
or records have been properly completed.

2. Documents

Copies or actual samples of various documents can be used as examples, for
clarification, and as physical evidence to support a conclusion or prove the
existence of a problem. These documents can be memos, reports, computer
printouts, procedures, forms, invoices, flow charts, contracts, or any of numerous
other items. Any original documents or copies included in the work papers should
serve a useful audit purpose.
The following suggestions are offered for preparation of work papers using
documents rather than the auditor's notes:

Indicate both the person and/or file that the document came from.

Copy and insert only that portion of the report, memo, procedure, etc.,
which is needed for purposes of explanation or as documentation of a
potential finding. Do not include the entire document in the work papers
unless absolutely necessary.

Fully explain the terms and notations found on the document, as well as
its use. This is especially true when including maps, engineering
drawings or flow charts in the papers. These explanations may be made
on an attached preceding page or on the face of the document itself.

Each document should be cross-referenced either to the page or
separate analysis where it was discussed.

No document should be included in the work papers without an
explanation of why it was included.

Documents larger than 8 x 14 should be reduced when practicable.

3. Process Write-ups and Flow Charts

In many audits, it is necessary to describe systems or processes followed by the
auditee. Describe such procedures or processes through the use of write-ups or
flow charts, or a combination of the two. The choice of which method to use will
depend on the relative efficiency of the method in relation to the complexities of
the system being described.
Write-ups are often easier to use, and should be used if the system or process can
be described clearly and concisely. However, when write-ups would be lengthy
and description of related control points difficult to integrate in the narrative, flow
charting (or a combination of write-ups and flow charting) is an appropriate
alternative. Flow charts conveniently describe complex relationships because
they reduce narrative explanations to a picture of the system. They are concise
and may be easier to analyze than written descriptions. (Refer to section C-7,
Flow Charting).
4. Interviews

Certain information is best obtained through formal interviews conducted either
in person or by telephone. Formal interviews are most desirable because the
interviewers know they are providing input to the audit; however, impromptu
interviews, or even casual discussions, can often provide important information.
All pertinent information obtained in interviews/discussions should be
documented in the work papers. Interviews are useful in identifying problem
areas, obtaining general knowledge of the audit subject, collecting data not in a
document form, and documenting the auditee's opinions, assessments, or
rationale for actions. Interview notes should contain only the information provided
by the person interviewed, and not include any of the auditor's opinions.
5. Observations

What the auditor observes can serve the same purposes as interviews. If
observations can be used to support any conclusions, then they should be
documented. They are especially useful for physical verifications. Observations
used as supporting documentation should generally include the following items:

Time and date of the observation.

Where the observation was made.

Who accompanied the auditor during the observation?

What was observed. When testing is involved, the work papers should
include the sample selections and the basis of the sample.

6. Exceptions/Findings
All significant audit findings should be documented in the work papers (See C-8:
Audit Findings). All findings should be documented within the EXCEPTIONS
SECTION in TeamMate as soon as practical by the auditor discovering the
situation.

EXHIBIT A
Exception Report

EX.1 - Risk Assessment and Implementation Plan


Reference: A.1.PS
Finding:
1. The GEAR UP department had not developed a risk assessment and implementation plan.
2. The department had not developed a business continuity/disaster recovery plan.
Criteria/Standard:
1. As per UT System's 1996 Action Plan to Enhance Internal Controls, every department is
required to complete a Risk Assessment and Implementation Plan and to forward a copy of the
form to its Vice President and to the Director of Internal Audit.
2. As per UT System UTS 165, a backup and recovery plan, commensurate with the risk and
value of the computer system and data, must be in place (business continuity plan).
Business Implication:
1. Without assessing financial, compliance, operational or strategic risks and mitigating these
risks, the department may not achieve its goals or objectives.
2. The department will not be able to continue operations in the event of a disaster without a
business continuity plan in place.
Cause:
Lack of knowledge of required department plans
Recommendation:
1. The GEAR UP department should develop a risk assessment focusing on financial,
compliance, operational, and strategic risks. Once the risks are identified, then an implementation
plan should be developed to mitigate the risks.
2. Additionally, the department should identify all major components of its operations,
develop procedures in the event of a system failure or natural disaster to obtain business
continuity and basic services, and incorporate these into a business continuity/disaster recovery
plan and it should be communicated to all employees.


EX.2 - Inventory process breakdown


Reference: D.1.PS, D.1.1
Finding:
We identified one laptop missing (Tag #52720) that was originally identified on the Inventory
Certification List submitted to Assets Management as having been located in one of the GEAR UP
Offices during inventory certification. The laptop was not in working condition as stated by the
property custodian and was thought to have been sent to surplus. No documentation was
available to support the laptop being sent to surplus.
Although the inventory process was effective, the process was not documented and the individual
conducting the inventory was a new hire.
Criteria/Standard:
As stated in the Handbook of Operating Procedures Section 8.1.2, paragraph F - Responsibilities
of Accountable Officers
1. When the University's property is entrusted to a person other than the Accountable Officer,
the Accountable Officer shall require a written receipt for such property from the person receiving
custody.
2. Accountable Officers will take all reasonable precautions to assure that property is used
only for official business, and is safeguarded in such a manner as to ensure against loss or
damage. If, in spite of such precautions, property is stolen, missing, destroyed, or damaged, a
report to the Property Manager via Assets Management should be filed. Lost or Stolen Property to
the University Police Department.
3. Accountable Officers are responsible for completing physical inventories of property
assigned to their accounts.
Business Implication:
Negative publicity and loss of funding for future purchases
Cause:
Lack of knowledge of procedure caused by lack of department handbook
Recommendation:
The Account Manager should report this missing laptop to Assets Management and the University
Police Department in accordance with H.O.P Section 8.1.2. The process for conducting a physical
inventory of equipment should be documented in the department's manual. Those individuals
responsible for completing physical inventories and transferring obsolete or non working
equipment should refer to the department's manual.


EX.3 - Allocable Costs - Mileage Reimbursements


Reference:
Finding:
The GEAR UP department was improperly charging mileage to the original grant instead of
allocating the mileage between the original and the new grant based on the schools visited and
the activities conducted by the Academic Advisors as indicated in the supporting documentation.
Criteria/Standard:
In accordance with OMB Circular A-21 - Cost Principles for Educational Institutions, allocation
means the process of assigning a cost, or a group of costs, to one or more cost objective, in
reasonable and realistic proportion to the benefit provided or other equitable relationship. A cost
objective may be a major function of the institution, a particular service or project, a sponsored
agreement, or a F&A cost activity, as described in Section F of the circular. The process may
entail assigning a cost(s) directly to a final cost objective or through one or more intermediate
cost objectives. Any costs allocable to a particular sponsored agreement under the standards
provided in this Circular may not be shifted to other sponsored agreements in order to meet
deficiencies caused by overruns or other fund considerations, to avoid restrictions imposed by law
or by terms of the sponsored agreement, or for other reasons of convenience. Direct cost
allocation principles. If a cost benefits two or more projects or activities in proportions that can be
determined without undue effort or cost, the cost should be allocated to the projects based on the
proportional benefit. If a cost benefits two or more projects or activities in proportions that cannot
be determined because of the interrelationship of the work involved, then, notwithstanding
subsection b, the costs may be allocated or transferred to benefited projects on any reasonable
basis, consistent with subsections d. (1) and (2).
Business Implication:
Funding on original grant depleted and non compliance with OMB Circular A-21 Cost Principles
Cause:
Improper review of mileage reimbursements and new grant awarded resulting in allocation of
costs between two grants with similar activities.
Recommendation:
The GEAR UP department should properly account for the mileage reimbursements based on the
supporting documentation. GEAR UP should correct the mileage costs incorrectly charged to the
original grant and allocate those costs to the new grant prior to close-out of the original grant.

Executive Summary
The Student Financial Services Office (Office) currently consists of an Executive
Director (Director), 27 full-time employees, four direct wage employees and
numerous work study employees. The Director manages 205 accounts with a
total FY 06 operating budget of approximately $18,783,235. All of the funding for
the financial aid programs is received from federal, state and local agencies.
As required by the 1996 Action Plan to Enhance Internal Controls, a departmental
audit is performed when a department undergoes a change in management or a
significant change in reporting lines. The purpose of our audit was to evaluate the
adequacy and effectiveness of the system of internal controls with an emphasis
on administrative and financial controls within the Office. Our scope encompasses
activity for the 2006 calendar year. Our audit was conducted in accordance with
guidelines set forth in The University of Texas System's Policy UTS 129 and the
Institute of Internal Auditors' International Standards for the Professional Practice
of Internal Auditing.
Based on our audit, we determined that the Office had established adequate
internal controls. However, we identified a few areas where improvements to the
Office's internal controls could help to better achieve their goals and objectives.
Background
The Office is committed to the overall mission of the University and the Division
of Enrollment & Student Services. They are dedicated to helping students and
families in the pursuit of their educational goals by removing financial barriers
which would otherwise discourage or prohibit attendance by qualified students
who lack adequate resources; by providing high quality customer service in a
professional, caring, and equitable manner; by enhancing recruitment and
retention efforts to attract promising undergraduates and graduates to the
University; and by administering financial aid programs in compliance with
federal, state and institutional regulations and guidelines.
The Student Financial Services Director assumed her duties on March 20, 2006.
The Director is currently responsible for 27 full-time employees, four direct wage
employees and numerous work study employees. However, only the Office
Administrative Associate, Account Technician, Associate Director and Executive
Associate Director were under her direct responsibility (i.e. responsible for
approving time sheets, sick and vacation leave, performance appraisals). The
Director was also responsible for 205 University accounts with a total FY 06
operating budget of approximately $18,783,235.
One such program, established in 1999 and administered by the Texas Higher
Education Coordinating Board, is the Texas Grant Program. This program covers
tuition and required fees for well-prepared students attending Texas public
Universities, community colleges and technical schools who have successfully
completed a recommended high school graduation program and show financial
need. In FY06 the operating budget for the Texas Grant Program alone was
$17,113,777.

EXHIBIT B
Audit Objective
The purpose of our audit was to evaluate the adequacy and effectiveness of the
system of internal controls with an emphasis on administrative and financial
controls within the Student Financial Services-Director's Office.
Audit Scope and Methodology
We conducted a standard change in management audit over the Office. The audit
was conducted using the following procedures:

We requested that the Director complete an Internal Control
Questionnaire.
We reviewed the completed Questionnaire with the Director in order
to establish a better understanding of the Office's workflows.
We determined if the Director had established a control conscious
environment, whether goals and objectives for the Office had been
developed, and whether a risk assessment and implementation plan
had been developed.
We randomly selected 20 accounts under the Director for review to
determine whether procedures for account reconciliations had been
established.
We determined if the Office was keeping adequate documentation on
the preparation and review of their account reconciliations.
We determined whether the Office had established adequate
segregation of duties over account reconciliations and cash handling
procedures.
We examined their operating and financial information for reliability.
We tested a random sample of 35 expenditures and examined
supporting documentation for proper approval and authorization.
We reviewed personnel files, selected time sheets for those
employees directly under the supervision of the Director, and tested
timesheets for approval and authorization. A total of 10 timesheets
were tested.
We performed property inventory testing for the existence of selected
assets, and determined whether selected assets were properly
recorded on the University's asset management system.
We reviewed controls for personal computers to evaluate physical and
data security.
We verified the Office's compliance with University
policies and procedures.

Our audit was conducted in accordance with guidelines set forth in The University of Texas System's
Policy UTS 129 and the Institute of Internal Auditors' International Standards for the Professional
Practice of Internal Auditing. The scope of our engagement was from September 2007 to August of
2008; the audit was conducted during the months of December 2008 through February 2009.

Audit Results
Monitoring
Monitoring is the assessment of internal controls over time. We assessed the
Office's controls over their complaint procedures, personal use of Office property
and account activity.
We randomly selected 20 accounts under the responsibility of the Director for
review and selected the months of May and August from each account for testing
(40 reconciliations in total for testing). Of these 40 account reconciliations, we
were unable to retrieve documentation for seven of them. According to the
University account reconciliation training documentation, reconciliations are done
to "Provide the account manager with an accurate amount of the remaining
budget balance." Six of the missing reconciliations were related to federal
programs. We determined, through inquiries, that the six reconciliations related to
the federal programs were not prepared due to the accounts' inactivity.
Additionally, these accounts had no activity for several years. Without the proper
notification of the balances to the account manager, these accounts may stay
open longer than necessary.
The final missing reconciliation was related to an account used by the Office for
salary payments and various operating expenses. The Office's account technician
stated that this was one of several reconciliations that had been misplaced by the
Office and that they were in the process of recreating them. Documentation
should be adequately maintained and safeguarded for verification purposes.
We noted that the Office had established adequate controls over personal use of
Office property and complaint procedures.

Recommendation
1. The Director should be aware of accounts with inactivity and/or zero balances and
should evaluate the need for maintaining those accounts.
2. The Office should increase its controls over the safeguarding of documentation.
The reconciliations should be stored on a network drive or backed up on
removable storage devices.
Management Response

FLOWCHARTS
General Flowcharting Guidelines
A. Clarity and simplicity in presentation are essential. Excessive detail may tend
to conceal rather than expose key points. Complex processes and exception
controls may be better explained in narrative form. However, narrative
explanations should be kept brief. The combination of the flowchart and a
narrative description tends to be far superior to either format alone.
B. Only transactions/documents with control significance should be shown (i.e.
control over authorization, recording, safeguarding, reconciliation and valuation).
This can generally be accomplished by including only those activities where data
is initiated, changed or transferred to other functional areas. For a process to be
flowcharted, it must be broken down into its component parts, namely actions
and decisions. The name(s) and/or position(s) of individuals processing/handling
the transactions should be indicated for each action. The names of each
document should also be included within the document symbols.
C. The auditor usually obtains information necessary for preparing or updating
flowcharts by interviewing employees at each site about procedures followed, and
by reviewing procedure manuals, existing flowcharts and other system
documentation. Sample documents should be collected and individuals in each
area involved should be questioned about their specific duties.

Specific Flowcharting Practices


A. To ensure completeness and consistency, the specific internal control objectives
must be documented when flow charting a transaction processing system.
B. The flowchart should identify the specific internal control and these should be
cross-referenced to the specific control objectives.
C. Flowcharting symbols should be limited to those shown in the Internal Audit Flow
Chart Template (See Attached). The flowcharting software is available on the
network to assist you in flowcharting.
D. Start the flowchart in the upper left-hand corner of the paper and work toward the
lower right-hand corner.
E. The flowchart begins with the inception of the transaction and ends with its
recording in financial records.
F. The individual and department responsible for each flowchart step should be
indicated at the top of the appropriate symbol.
G. Use action verbs in the flowchart to save space.
H. Use oversized symbols if the information will not fit within the standard-sized
symbols.
I. Use connector symbols rather than drawing lines around or over parts of the flow
chart.

AUDIT FINDINGS
Elements of a Well-Developed Audit Finding
A. Statement of Condition (What is.)
B. Criteria (What should be.)
C. Cause (Why did it happen.)
D. Effect (What is the impact?)
E. Recommendation (What should be done.)
A. STATEMENT OF CONDITION
The condition identifies the nature and extent of the finding or unsatisfactory
condition. It often answers the question: What was wrong? Normally, a clear
and accurate statement of condition evolves from the auditor's comparison of
results with appropriate evaluation criteria.
B. CRITERIA
This element establishes the legitimacy of the finding by identifying the
evaluation criteria, and answers the question: By what standards was it judged?
In financial and compliance audits, criteria could be accuracy, materiality,
consistency, or compliance with applicable accounting principles and legal or
regulatory requirements. In audits of efficiency, economy, and program results
(effectiveness), criteria might be defined in mission, operation, or function
statements; performance, production, and cost standards; contractual
agreements; program objectives; policies, procedures, and other command
media; or other external sources of authoritative criteria.
C. CAUSE
The third element identifies the underlying reasons for unsatisfactory conditions
or findings, and answers the question: Why did it happen?
If the condition has persisted for a long period of time or is intensifying, the
contributing causes for these characteristics of the condition should also be
described.
Identification of the cause of an unsatisfactory condition or finding is a
prerequisite to making meaningful recommendations for corrective action. The
cause may be quite obvious or may be identified by deductive reasoning. The
audit recommendation points out a specific and practical way to correct the
condition. However, failure to identify the cause of a finding may also mean the
cause was not determined because of limitation or defects in audit work, or was
omitted to avoid direct confrontation with responsible officials.

D. EFFECT
This element identifies the real or potential impact of the condition and answers
the question: What effect did it have?
The significance of a condition is usually judged by its effect. In performance
audits, reduction in efficiency and economy, or not attaining program objectives
(effectiveness), are appropriate measures of effect. These are frequently
expressed in quantitative terms; e.g., dollars, number of personnel, units of
production, quantities of material, number of transactions, or elapsed time. If the
real effect cannot be determined, potential or intangible effects can sometimes
be useful in showing the significance of the condition.
E. RECOMMENDATIONS
The final element identifies suggested remedial action and answers the question:
What should be done?
The relationship between the audit recommendation and the underlying cause of
the condition should be clear and logical. If a relationship exists, the
recommended action will most likely be feasible and appropriately directed.
Recommendations in the audit report detail should state precisely what needs to
be changed or fixed. How the change will be made is the auditee's responsibility.
More generalized recommendations (e.g., greater attention be given, controls be
reemphasized, a study be made, or consideration be given) should only be used
in the audit report detail when more specific recommendations are deemed too
restrictive or otherwise inappropriate. However, such language may be
appropriate in summarizing recommendations for top management.
Unless benefits of taking the recommended action are obvious, they should be
stated. The cost of implementing and maintaining recommendations should be
compared to risk whenever practical.
Recommendations should be directed to those capable of taking action.
SUMMARY
Well-written audit findings include: the nature of the findings, the criteria used to
determine the existence of the condition; the cause of the condition; the
significance of its impact; and what the auditors think should be done to correct
the situation. Fully developed findings containing each of these five elements are
easily understood and convey impact and significance to appropriate management
officials.

Each finding should be documented in TeamMate through an Exceptions Report.


The status and disposition of all findings recorded in an audit should be monitored
and documented for follow-up.

AUDIT FOLLOW-UP & SIGNIFICANT FINDINGS


Audit follow-up will be performed to determine whether corrective action was
taken and is achieving the desired results. All audit follow-up activity will be
identified with the same project code (i.e., 07-FOL-000). Time spent on audit
follow-up should be reported accordingly and identified on the weekly Status
Reports. A project file in TeamMate will be created at the beginning of every fiscal
year and all follow-up work papers will be maintained in the TeamMate follow-up
project file.
Management responses are usually provided as part of the Audit Report and
should provide management's estimated implementation date. These estimated
implementation dates are used to establish the initial audit follow-up date. Audit
follow-up activity is provided within the Quarterly Status Report and initiating
audit follow-up effort is the responsibility of the assigned auditor.
Due to the nature of audit follow-up, very little "audit planning" is required.
However, it is advisable that the assigned auditor initiate informal contact
(usually via telephone) with the auditee to prearrange the audit follow-up before
the Audit Follow-up Memorandum is prepared and issued. If the timing of the
follow-up is inappropriate or unusual circumstances exist, other follow-up plans
may be made in consultation with the Director.
The results of the audit follow-up should be discussed with the responsible
manager(s) and, if necessary, a future follow-up date should be established. The
audit follow-up memorandum should be addressed to the manager responsible
for the corrective action(s), with copies to the President and appropriate Vice
President(s). Work papers supporting the audit follow-up fieldwork should be
prepared, summarized, adequately cross-referenced, and included in TeamMate.
Audit follow-up activity, including follow-up memo and work papers within
TeamMate, should be reviewed and approved by the Director.
UT SYSTEM SIGNIFICANT FINDINGS (RED, YELLOW, GREEN)

An audit finding may be deemed significant by the Audit Director, by the Audit
Committee, or by the UT System Audit Office. If a finding was deemed
Significant, the Auditor Assigned will contact the responsible party to obtain an
understanding of the overall progress towards completion of the
recommendation. The auditor will develop a work program within TeamMate
follow-up project file that will document the work performed to assess whether
progress on the recommendation is one of the following:

Complete: as deemed by Audit Director in consultation with staff. These
recommendations will receive a color coding of GREEN. This also requires
that the auditor provide some substantive evidence that the
recommendations have been implemented.
Progress is Satisfactory: issues are in process of being addressed in a
timely and appropriate fashion. These recommendations will receive a color
coding of YELLOW.
Progress is Unsatisfactory: issues are not being addressed in a timely and
appropriate fashion. These recommendations will continue to receive a
color-coding of RED.

The Auditor Assigned will present a summary of corrective action to the Audit
Director to determine the status of the significant finding(s). We will inform the
appropriate VP and the VPBA of the status of the significant finding(s) based upon
our follow-up work prior to submitting to UT System. The Audit Director will
submit an updated Excel spreadsheet to the UT System Audit Office on a
quarterly basis.

QUALITY ASSURANCE REVIEWS


GENERAL
The establishment and implementation of a quality assurance program for the
Office of Internal Audits is required by the Standards for the Professional Practice
of Internal Auditing (Standards). In accordance with Attribute Standard 1310,
Quality Program Assessments, the internal audit activity should adopt a process
to monitor and assess the overall effectiveness of the quality program. The
process should include both internal and external assessments.
A quality assurance program should include the following elements:
Supervision
Internal reviews
External reviews
SUPERVISION

Supervision is a continuing process. It focuses on individual audits. The assurance
given should include:
That staff auditors conformed to the Office's policy,
Audit objectives were met,
Working papers supported findings and conclusions,
Work papers provide adequate information for a meaningful report,
The work that was completed was in accordance with the Standards.
Properly supervised audit projects are the first and, perhaps, the most
important step in a program of quality assurance.
INTERNAL REVIEWS
Internal reviews can provide both quality assurances to the Director and training
for the staff. The reviews are appraisals of how well auditors complied with the
Standards and office policy. They encompass the work of both staff and Director
and are an assessment of a sample of audit working papers and reports. The
review should also provide recommendations for improvement. The result of this
review should be beneficial in that the results are supplied to the Director
regarding how well the audit work and the audit reports are documented. Also,
the testing of audit projects in an external review can be reduced if the external
evaluators see credible evidence of internal reviews of such or similar projects.
Hence, the internal reviews should be carried out with the formality and discipline
of any other audit examination/project through close and knowledgeable
supervision and through periodic, unsparing self-assessments. As a result of this
ongoing self-assessment, the Office of Internal Audits will be adequately prepared
for a formal external/peer review.
A Quality Assurance Review form was developed with these assurances and is
located in Section H-12.
EXTERNAL/PEER REVIEWS
The purpose of the external/peer review is to provide an independent assurance
of quality to those who may rely on the work of the Office. The external review
will be performed every three years to appraise the quality of the Internal Audit
Office operation. On completion, the Office will receive a formal, written report
expressing an opinion as to the Office's compliance with the Standards and, as
appropriate, will include recommendations for improvement.

University of Texas Permian Basin


Internal Audit Manual

SECTION D
(Office Procedures)

WEEKLY TIME AND STATUS REPORTS


The Office of Internal Audits staff auditors must complete a bi-monthly time and
status report. A time reporting system has been established to assist the audit
staff and management in reporting actual hours worked on projects and in
monitoring actual hours versus budgeted hours. The following is an example of
the Auditor Time and Status Report:

LEAVE REQUEST PROCEDURE


The Office of Internal Audits employees must request vacation or other leave in
advance to the Director of Internal Audits. Requests to use State Compensatory
Time must be in writing and approved in advance by the Director of Audits.
If the employee is unable to request time off in advance (e.g., illness, death in the
family, etc.), the employee is required to notify the Director as soon as possible
by calling the office main line (432) 552-2700. Employees should also contact the
office main line as soon as
possible when coming into the office late. If no one is available to answer, the
employee should always leave a voice message.
For further leave information such as jury duty; time off for voting; emergency
leave; family and medical leave act; employee leave of absence without pay; and
military leave, please refer to the policies issued by the Office of Human
Resources found online at http://ba.utpb.edu/human-resources/hr-policies-andprocedures/ or the Handbook of Operating Procedures found online at
http://www.utpb.edu/administration/operating-procedures/

TRAVEL PROCEDURE
Procedure: The Office of Internal Audits Travel Procedure supplements The
University of Texas-Permian Basin (UTPB) which all UTPB employees must
comply.

Travel
The Office of Internal Audits staff will travel occasionally to attend professional
development conferences or seminars. The mode of transportation will depend
on the location of the destination and on the rates.

STATE PROPERTY PROCEDURE


The Office of Internal Audits encourages employees to use information technology
to do our work in the most efficient, cost effective way. Employees are primarily
responsible for identifying opportunities to enhance their performance through
the use of information technology and for providing adequate stewardship of the
information technology entrusted to them. Laptop computers and other related
equipment are issued to all internal auditors. Each auditor is responsible for the
proper care and safety of the computer and related equipment.
This statement establishes policies and procedures for information technology
and telephone use at the Office of Internal Audits. For this policy, the term
information technology and telephone includes, but is not limited to, the following
items:

System units (including internal drives and removable cards)
Monitors and keyboards
Laptop battery packs
External disk drives
Modems and LAN adapters
Pointing devices (a mouse)
Printers
Graphics devices (projection units)
Imaging devices (scanners)
Software
CD ROM drives
Jump/Flash/USB drives (portable)
Telephone (Audix)
Fax machines
Email and Internet

Stewardship of Equipment
Auditors are not allowed to take their laptop computer off the premises unless a
Request to Remove State Property from Campus form has been completed and
approved with the required signatures. Upon signing the removal of equipment
from university premises, an employee assumes responsibility for the equipment,
following Texas Government Code Ann., Section 403.275, Liability for Property
Loss. This form should be completed as needed or annually and be maintained in
the employee files by the Secretary.
Personal Use of Computers
Incidental personal use of computers and/or software is allowed to the extent of
maintaining or improving proficiency or professional development. However, no
hardware, software, or data should be used for direct or indirect
personal business use.
Physical Security
Each employee is responsible for ensuring that his/her work area provides
reasonable physical security from unauthorized use, vandalism, or theft of
computer equipment during non-working hours or when unattended. The inner
office doors should be locked for each office and the main Office door should also
be locked at the end of the day. Physical security includes the safeguarding of
software applications and data. Employees should adequately store removable
storage devices to ensure access only by authorized persons.
Compliance with Licensing Agreements
It is the procedure of the Office of Internal Audits to comply with all contractual
obligations contained in license agreements to which it is a party.

Office of Internal Audits must register all purchased software, as applicable,
with the vendor and the Office of Information Technology.
Office of Internal Audits prohibits employees from duplicating, modifying,
selling, trading, or otherwise distributing licensed computer software and
accompanying documentation if contrary to the vendor's license agreements.
Employees will not purchase or accept copies of software from any source if
they know, or reasonably should have known, that the copies were made
contrary to legally enforceable provisions of a vendor's license agreement.
Software licensed to Office of Internal Audits should not be used on
equipment other than that assigned to Office of Internal Audits unless
specifically authorized by the Director of Audits.

Backup of Data
All Office of Internal Audits work should be maintained on the Office of Internal
Audits shared network drive. If performing work off-site, it is the responsibility of
the employee to make regular backup copies of all data maintained on the
internal hard disk drive of their system. Backup of hard disk drive data should be
made to removable disks or CDs. Backup provides a method to recover
destroyed, lost or stolen data. The frequency of backup will depend on several
factors, including the importance of data, frequency of data maintenance, and the
number of users reaching data. Upon returning to the Office of Internal Audits,
employees should immediately transfer work from their internal hard disk drives
onto the shared network.
Telephone, Fax, Email and Internet
Incidental personal use of University e-mail, a University telephone call to make a
local call, or the Internet, provided that the use complies with applicable
University policies, UT System policies, and Regents Rules and Regulations, and
does not result in additional cost to the University, is permissible.

ADMINISTRATIVE PROCEDURES
NEW AUDIT - PROJECT CODE
At the beginning of every audit a project code is issued. The project code
template is located on the shared drive in the V:\TeamMate Backup Files folder,
PROJECT CODE FOR FY 2009 (ex: 09-FIN-XXX). In this example, 09 is the fiscal
year and FIN denotes a financial audit. Each audit type has a different
abbreviation; these are located on ACCESS. The type of audit is determined from
the audit plan. Once we have a project code, the Secretary will input it into
ACCESS for time reporting purposes.
AUDIT REPORTS
After the audit is presented at the Audit Committee meeting, a final clean copy
(with the draft marking removed and any changes requested by the Audit
Committee made) needs to be distributed to all interested parties.

University of Texas Permian Basin


Internal Audit Manual

SECTION E
(Rules and Regulations)

GOVERNMENT CODE
TITLE 10. GENERAL GOVERNMENT
SUBTITLE C. STATE ACCOUNTING, FISCAL MANAGEMENT, AND PRODUCTIVITY
CHAPTER 2102. INTERNAL AUDITING
Sec. 2102.001. SHORT TITLE. This chapter may be cited as the Texas Internal
Auditing Act.
Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993.
Sec. 2102.002. PURPOSE. The purpose of this chapter is to establish
guidelines for a program of internal auditing to assist agency administrators and
governing boards by furnishing independent analyses, appraisals, and recommendations
about the adequacy and effectiveness of a state agency's systems of internal control
policies and procedures and the quality of performance in carrying out assigned
responsibilities. Internal auditing is defined as an independent, objective assurance and
consulting activity designed to add value and improve an organization's operations. It
helps an organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control, and
governance processes.
Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
2003, 78th Leg., ch. 380, Sec. 1, eff. Sept. 1, 2003.
Sec. 2102.003. DEFINITIONS. In this chapter:
(1) "Administrator" means the executive head of a state agency.
(2) "Assurance services" means an examination of evidence for the
purpose of providing an independent assessment of risk management, control, or
governance processes for an organization. Assurance services include audits as defined
in this section.
(3) "Audit" means:
(A) a financial audit described by Section 321.0131;
(B) a compliance audit described by Section 321.0132;
(C) an economy and efficiency audit described by Section
321.0133;
(D) an effectiveness audit described by Section 321.0134; or
(E) an investigation described by Section 321.0136.
(4) "Consulting services" means advisory and related client service
activities, the nature and scope of which are agreed upon with the client and are intended
to add value and improve an organization's operations. Consulting services include
counsel, advice, facilitation, and training.
(5) "State agency" means a department, board, bureau, institution,
commission, or other agency in the executive branch of state government.
Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
1997, 75th Leg., ch. 1122, Sec. 11, eff. Sept. 1, 1997; Acts 2003, 78th Leg., ch. 380, Sec.
2, eff. Sept. 1, 2003.
Sec. 2102.004. APPLICABILITY. (a) Sections 2102.005-2102.012 apply only
to a state agency that:
(1) has an annual operating budget that exceeds $10 million;
(2) has more than 100 full-time equivalent employees as authorized by
the General Appropriations Act; or
(3) receives and processes more than $10 million in cash in a fiscal year.
(b) Sections 2102.013 and 2102.014 apply to each state agency that receives an
appropriation and that is not described by Subsection (a).

Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
2001, 77th Leg., ch. 804, Sec. 1, eff. Sept. 1, 2001; Acts 2003, 78th Leg., ch. 291, Sec. 1,
eff. June 18, 2003.

Sec. 2102.005. INTERNAL AUDITING REQUIRED. A state agency shall
conduct a program of internal auditing that includes:
(1) an annual audit plan that is prepared using risk assessment
techniques and that identifies the individual audits to be conducted during the year; and
(2) periodic audits of the agency's major systems and controls,
including:
(A) accounting systems and controls;
(B) administrative systems and controls; and
(C) electronic data processing systems and controls.
Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
1997, 75th Leg., ch. 1122, Sec. 12, eff. Sept. 1, 1997.
Sec. 2102.006. INTERNAL AUDITOR; STAFF. (a) The governing board of a
state agency or the administrator of a state agency that does not have a governing board
shall appoint an internal auditor.
(b) An internal auditor must:
(1) be a certified public accountant or a certified internal auditor; and
(2) have at least three years of auditing experience.
(c) The state agency shall employ additional professional and support staff the
administrator determines necessary to implement an effective program of internal
auditing.
(d) The governing board of a state agency, or the administrator of a state
agency if the state agency does not have a governing board, shall periodically review the
resources dedicated to the internal audit program and determine if adequate resources
exist to ensure that risks identified in the annual risk assessment are adequately covered
within a reasonable time frame.
Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
2001, 77th Leg., ch. 804, Sec. 2, eff. Sept. 1, 2001; Acts 2003, 78th Leg., ch. 380, Sec. 3,
eff. Sept. 1, 2003.
Sec. 2102.007. DUTIES OF INTERNAL AUDITOR. (a) The internal auditor
shall:
(1) report directly to the state agency's governing board or the
administrator of the state agency if the state agency does not have a governing board;
(2) develop an annual audit plan;
(3) conduct audits as specified in the audit plan and document
deviations;
(4) prepare audit reports;
(5) conduct quality assurance reviews in accordance with professional
standards as provided by Section 2102.011 and periodically take part in a comprehensive
external peer review; and
(6) conduct economy and efficiency audits and program results audits as
directed by the state agency's governing board or the administrator of the state agency if
the state agency does not have a governing board.
(b) The program of internal auditing conducted by a state agency must provide
for the auditor to:
(1) have access to the administrator; and
(2) be free of all operational and management responsibilities that
would impair the auditor's ability to review independently all aspects of the state
agency's operation.
Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
2001, 77th Leg., ch. 804, Sec. 3, eff. Sept. 1, 2001.
Sec. 2102.008. APPROVAL OF AUDIT PLAN AND AUDIT REPORT. The
annual audit plan developed by the internal auditor must be approved by the state
agency's governing board or by the administrator of a state agency if the state agency
does not have a governing board. Audit reports must be reviewed by the state agency's
governing board and the administrator.
Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
2001, 77th Leg., ch. 804, Sec. 4, eff. Sept. 1, 2001.
Sec. 2102.009. ANNUAL REPORT. The internal auditor shall prepare an
annual report and submit the report before November 1 of each year to the governor, the
Legislative Budget Board, the Sunset Advisory Commission, the state auditor, the state
agency's governing board, and the administrator. The state auditor shall prescribe the
form and content of the report, subject to the approval of the legislative audit committee.
Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
1997, 75th Leg., ch. 1122, Sec. 13, eff. Sept. 1, 1997.
Sec. 2102.0091. REPORTS OF PERIODIC AUDITS. (a) A state agency shall
file with the Sunset Advisory Commission, the budget division of the governor's office,
the state auditor, and the Legislative Budget Board a copy of each report submitted to the
state agency's governing board or the administrator of the state agency if the state agency
does not have a governing board by the agency's internal auditor.

(b) Each report shall be filed not later than the 30th day after the date the report
is submitted to the state agency's governing board or the administrator of the state
agency if the state agency does not have a governing board.
(c) In addition to the requirements of Subsection (a), a state agency shall file
with the budget division of the governor's office, the state auditor, and the Legislative
Budget Board any action plan or other response issued by the state agency's governing
board or the administrator of the state agency if the state agency does not have a
governing board in response to the report of the state agency's internal auditor.
Added by Acts 1999, 76th Leg., ch. 281, Sec. 7, eff. Sept. 1, 1999. Amended by Acts
2001, 77th Leg., ch. 804, Sec. 4, eff. Sept. 1, 2001.
Sec. 2102.010. CONSULTATIONS. An internal auditor may consult the state
agency's governing board or the administrator of the state agency if the state agency does
not have a governing board, the governor's office, the state auditor, and legislative
agencies or committees about matters affecting duties or responsibilities under this
chapter.
Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
2001, 77th Leg., ch. 804, Sec. 4, eff. Sept. 1, 2001.
Sec. 2102.011. INTERNAL AUDIT STANDARDS. The internal audit
program shall conform to the Standards for the Professional Practice of Internal
Auditing, the Code of Ethics contained in the Professional Practices Framework as
promulgated by the Institute of Internal Auditors, and generally accepted government
auditing standards.
Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
2003, 78th Leg., ch. 380, Sec. 4, eff. Sept. 1, 2003.
Sec. 2102.012. PROFESSIONAL DEVELOPMENT. (a) Subject to approval
by the legislative audit committee, the state auditor may make available and coordinate a
program of training and technical assistance to ensure that state agency internal auditors
have access to current information about internal audit techniques, policies, and
procedures and to provide general technical and audit assistance to agency internal
auditors on request.
(b) The state auditor is entitled to reimbursement for costs associated with
providing the services under the terms of interagency cooperation contracts negotiated
between the state auditor and each agency. The costs may not exceed those allowed by
the General Appropriations Act. Work performed under this section by the state auditor is
subject to approval by the legislative audit committee for inclusion in the audit plan
under Section 321.013(c).

Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
2003, 78th Leg., ch. 785, Sec. 33, eff. Sept. 1, 2003.
Sec. 2102.013. ANNUAL RISK ASSESSMENT; REPORT. (a) A state agency
described by Section 2102.004(b) shall conduct each year a formal risk assessment
consisting of an executive management review of agency functions, activities, and
processes.
(b) The risk assessment must:
(1) evaluate the probability of occurrence and the likely effect of
financial, managerial, and compliance risks and of risks related to the use of information
technology; and
(2) rank risks according to the probability of occurrence and likely
effect of the risks evaluated.
(c) The state agency shall submit the written risk assessment to the state auditor
in the form and at the time prescribed by the state auditor.
Added by Acts 2003, 78th Leg., ch. 291, Sec. 2, eff. June 18, 2003.
Sec. 2102.014. EVALUATION OF RISK ASSESSMENT REPORTS;
AUDITS. (a) Based on risk assessment and subject to the legislative audit committee's
approval of including the work described by this subsection in the audit plan under
Section 321.013(c), the state auditor shall:
(1) evaluate each report submitted under Section 2102.013;
(2) identify agencies with significant financial, managerial, or
compliance risk or significant risk related to the use of information technology; and
(3) recommend to the governor that the identified agencies obtain an
audit to address the significant risks identified by the state auditor.
(b) The governor may order an agency identified under this section to:
(1) obtain an audit under governmental auditing standards;
(2) submit reports and corrective action plans as prescribed by Section
2102.0091; and
(3) report to the state auditor the status of the agency's implementation
of audit recommendations in the form and addressing issues as prescribed by the state
auditor.

(c) The governor may provide funds to agencies as necessary to pay the costs of
audits ordered under this section from any funds appropriated to the governor for this
purpose.
Added by Acts 2003, 78th Leg., ch. 291, Sec. 2, eff. June 18, 2003.

Regents' Rules & Regulations

The Rules and Regulations of the Board of Regents of The University of Texas System
for the Government of The University of Texas System were reissued on December 10,
2004. A Disposition Table is available to assist in locating rules as they existed in the
Regents' Rules and Regulations prior to December 10, 2004. Also, a Summary of the
Significant Changes to the Regents' Rules is available.
The official copy of the Regents' Rules and Regulations is maintained by the Office of the
Board of Regents.
Rules and Regulations Table of Contents:
Series 10000: Board Governance
Series 20000: Administration
Series 30000: Personnel
Series 40000: Academic Issues
Series 50000: Student Issues
Series 60000: Development
Series 70000: Investments
Series 80000: Facilities
Series 90000: Intellectual Property

Series 10000: Board Governance

Rule 10100  Rule on Rules and Regulations
Rule 10101  Authority
Rule 10102  Chairman and Vice Chairmen (last amended 11/9/07)
Rule 10201  General Counsel to the Board of Regents (last amended 11/9/07)
Rule 10401  Meetings of the Board and Standing Committees (last amended 8/10/06)
Rule 10402  Committees and Other Appointments (last editorial

Regents' Rule and Regulation

Series: 20401

1. Title

Audit and Compliance

2. Rule and Regulation

Sec. 1 Audit.
The Chancellor, as chief executive officer of the U. T. System, is responsible for
ensuring the implementation of appropriate audit procedures for the U. T. System.
Accordingly, the Chief Audit Executive prepares an executive summary of all internal
audit activity by the U. T. System internal auditors and the institutional internal
auditors for the Chancellor.
1.1 Chief Audit Executive. The U. T. System Chief Audit Executive is responsible for
coordinating the effective auditing of the U. T. System as set out in Section 1.1 (b)
below. The Chief Audit Executive provides audit assistance to the Chancellor, the
Executive Vice Chancellors, and the Vice Chancellors in the exercise of their
responsibilities.
(a) The Chief Audit Executive shall be appointed by the Audit, Compliance, and
Management Review Committee after nomination by the Chancellor. The Chief Audit
Executive shall hold office without fixed term, subject to the pleasure of the
Chancellor. The Chancellor's actions regarding the Chief Audit Executive are subject
to review and approval by the Audit, Compliance, and Management Review
Committee.
(b) The primary responsibilities of the Chief Audit Executive include developing a
Systemwide internal audit plan based on a Systemwide risk assessment and
coordinating the implementation of this plan with the institutional internal auditors.
This Systemwide audit plan is submitted to the Audit, Compliance, and Management
Review Committee for review and approval after the Chancellor's review and
approval. Responsibilities of the Chief Audit Executive also include conducting audits
of the System including the revenue produced from the Permanent University Fund
lands and formulating policies for the internal audit activity at each institution.
1.2 The U. T. System internal auditors are the internal auditors for the U. T. System
and augment the audit work of the institutional internal auditor and the State Auditors
at the institutions of the U. T. System.

Sec. 2 Compliance. The Chancellor, as chief executive officer of the U. T. System, is
responsible for ensuring the implementation of a compliance program for the U. T.
System. Accordingly, the Systemwide Compliance Officer prepares an executive
summary of all compliance activity of the institutions, UTIMCO, and System
Administration.
2.1 Systemwide Compliance Officer. The Systemwide Compliance Officer is
responsible, and will be held accountable for, apprising the Chancellor and the Audit,
Compliance, and Management Review Committee of the institutional compliance
functions and activities at System Administration, UTIMCO, and at each of the
institutions as set out in Section 2.1 (b) below. The Systemwide Compliance Officer
provides institutional compliance assistance to the Chancellor, the Executive Vice
Chancellors, the Vice Chancellors, and the Chief Compliance Officer of UTIMCO in
the exercise of their responsibilities.
(a) The Systemwide Compliance Officer shall be appointed by the Chancellor. The
Systemwide Compliance Officer is the senior compliance official of the U. T. System;
provides assistance and advice covering all institution, UTIMCO, and System
Administration compliance programs; and shall hold office without fixed term, subject
to the pleasure of the Chancellor.
(b) The primary responsibilities of the Systemwide Compliance Officer include
developing an infrastructure for the effective operation of the U. T. System
Institutional Compliance Program; chairing the Systemwide Compliance Committee
and the Compliance Officers Council; and prescribing the format for the annual risk
based compliance plan and the quarterly compliance status reports to be submitted by
each institution, UTIMCO, and System Administration.
3. Definitions

None

4. Relevant Federal and State Statutes

None

5. Relevant System Policies, Procedures, and Forms

None

6. Who Should Know

Administrators
Internal Audit

7. System Administration Office(s) Responsible for Rule

Audit Office

8. Dates Approved or Amended

Editorial amendments made March 17, 2008
December 10, 2004

9. Contact Information

Questions or comments regarding this rule should be directed to:

bor@utsystem.edu

University of Texas System Policy Library Home


The University of Texas System Policy Library is the official repository of all current
system-wide and System Administration internal policies. In addition to a keyword search
and full-text search, we have provided five other ways to browse our collection of
policies: subject index, alphabetical index, policy number index, office index, and
keyword index.
There are two categories of policy numbers. One group of policies affects the entire UT
System and System Administration, and this group of policies is preceded by the letters
UTS in front of the policy number. The other set of policies applies to UT System
Administration internally, and this set of policies is preceded by the letters INT.

UT System Administration Policy Library Policy UTS129


Internal Audit Activities
Responsible Officer: General Counsel to the Board of Regents
Sponsoring Office: System Audit Office
Effective Date: February 16, 2004
Last Reviewed: February 18, 2009
Next Scheduled Review: August 1, 2011
POLICY STATEMENT
The purpose of an internal auditing program is to assist the Board of Regents and
institution administrators to accomplish System objectives by bringing a systematic and
disciplined approach to evaluate and improve the effectiveness of risk management,
control and governance processes. Internal auditing is recognized as a highly regarded
professional management support and control activity by the Texas Internal Auditing Act
(Chapter 2102, Government Code) and by the Board of Regents' Rules and Regulations,
Rules 10402 and 20401.
RATIONALE
The guidelines contained in this UTS establish a System-wide program to furnish
independent analyses, appraisals and recommendations about the adequacy and
effectiveness of the System's internal control policies and procedures and the quality of
performance in carrying out assigned responsibilities.

SCOPE
All institutions and UT System Administration
WEBSITE ADDRESS FOR THIS POLICY
http://www.utsystem.edu/policy/policies/uts129.html
RELATED STATUTES, POLICIES, REQUIREMENTS OR STANDARDS
UT System Administration Policies & Standards
Other Statutes, Policies & Standards
UTS 129 Internal Audit Activities
Board of Regents Rules and Regulations, Rule 10201
Board of Regents Rules and Regulations, Rule 10402
Board of Regents Rules and Regulations, Rule 20402
Texas Government Code, Chapter 2102
Institute of Internal Auditors, Standards for the Professional Practice of Internal Auditing
Institute of Internal Auditors, Code of Ethics
Government Accountability Office, Generally Accepted Government Auditing Standards
RESPONSIBILITIES
Audit, Compliance and Management Review Committee of the Board of Regents
Performs duties outlined in the Board of Regents Rules and Regulations, Rule 10402,
Section 1.6.
Appoints the System Chief Audit Executive.
General Counsel of the Board of Regents
Supervises the System Audit Office as described in the Board of Regents Rules and
Regulations, Rule 10201, Section 3.
System Administration Internal Audit Committee
Approves, maintains, and adheres to the audit committee charter.
Approves, maintains, and oversees an internal audit charter of the System Audit Office
modeled after the System-wide charter.
Chancellor
Nominates the System Chief Audit Executive.
Chairs the System Administration Audit Committee (or designates a chair) and ensures the
audit committee adheres to the audit committee charter.
Selects outside members of the System Administration Audit Committee.
System Audit Office
Directed by System Chief Audit Executive who reports functionally to the Audit,
Compliance, and Management Review Committee (ACMR) of the Board of Regents and
administratively to the General Counsel of the Board of Regents.
The System Chief Audit Executive provides ACMR and the System Administration
Internal Audit Committee with a written summary of System audit activity on a quarterly
basis.
Fulfills the audit function for System Administration, provides temporary staffing to
institutions when a shortage occurs, and provides oversight and coordination of the
System-wide internal audit function.
Oversees System-wide audits requested by the ACMR including establishing the audit
program, providing guidance and direction on executing the program, reviewing the work
performed, reporting results to ACMR, and evaluating the performance of the internal
auditors.
The System Audit Office will perform an audit of the institutional Presidents' offices on a
rotating five-year basis.
Institutional Internal Audit Committee
Approves, maintains, and adheres to an audit committee charter.

Approves, maintains, and oversees the internal audit charter of the Internal Auditor
modeled after the System-wide internal audit charter.

UT System President
Chairs the Institutional Internal Audit Committee (or designates a chair) and ensures that
the Institutional Internal Audit Committee adheres to the audit committee charter.
Selects and recommends outside members of the Institutional Internal Audit Committee
for approval by the appropriate Executive Vice Chancellor and System Chief Audit
Executive.
Internal Auditor
Reports functionally to the institution President and to the Institutional Internal Audit
Committee. May report administratively to another senior executive.
Provides an executive summary of the significant issues discussed at the Internal Audit
Committee meetings to their respective Executive Vice Chancellor (i.e. Academic Affairs
or Health Affairs).
Has an indirect reporting relationship to the System Chief Audit Executive who is
responsible for the oversight and coordination of the System-wide internal audit activity.
May have a direct reporting relationship to the System Chief Audit Executive for
System-wide audits requested by ACMR.
Addresses audit reports to the Institutional Internal Audit Committee by means of an
executive summary and/or full report.
Forwards audit report to the appropriate Executive Vice Chancellor, System Chief Audit
Executive, and appropriate state agencies.
Internal Audit Council
Facilitates communication and the sharing of ideas, audit plans, and programs among the
institutions' internal auditors.
PROCEDURES
A System-wide internal audit charter (Exhibit A) has been developed as recommended in
the Standards for the Professional Practice of Internal Auditing. Each institution and
System Administration should also have an audit charter modeled after the System-wide
charter and approved by the Institutional Internal Audit Committee or System
Administration Internal Audit Committee. The institutional internal audit charter should be
distributed in the same manner as all institutional-wide policies or procedures. In the
charter, the singular term "Internal Auditor" refers to the entire internal audit department
or staff.
Responsibilities and relationships of UT System management, the institutions, and
committees are described in The UT System Internal Audit Reporting Structure (Exhibit
D). The relationship with the institutional compliance function is described in Exhibit E.
The audit report format recommended by the System Audit Office is included as Exhibit
B. All audit reports should be addressed to the President and/or the Institutional Internal
Audit Committee by means of an executive summary. After the President and/or the
Institutional Internal Audit Committee have reviewed/approved the report, the executive
summary and the audit report should be forwarded to the appropriate Executive Vice
Chancellor, System Audit Office, and appropriate state agencies.
The System Audit Office will provide the ACMR and the System Administration Internal
Audit Committee with a written summary of all audit activity on a quarterly basis.
The guidance for the staffing level for internal auditors based upon total expenditures is
attached as Exhibit C. Section 2102.006(b) of the Texas Internal Auditing Act sets
qualifications for the Director of Internal Audit as one "who shall be either a certified
public accountant or a certified internal auditor and who shall have at least three years of
auditing experience."
The Standards for the Professional Practice of Internal Auditing, which must be followed
under the Texas Internal Auditing Act, require the appointment of a chief audit executive.
The Chancellor recommends and the ACMR appoints the System Chief Audit Executive.
The UT System Audit Office may, in consultation with the institutional President or
designee, temporarily provide direct audit assistance to an institution when one or more of
the following circumstances exist:
no institutional internal audit staff is available;
a temporary or ongoing institutional audit staff shortage exists in accordance with
commonly defined audit needs; or
occasional or unusual auditing is required beyond local institutional capacity.
Funding for such audit assistance is normally an institutional responsibility but payment
for such temporary assistance will be determined on a case-by-case basis dependent on the
budget or audit circumstances requiring the assistance.

When audit assistance is provided to an institution, the auditor(s) will report to the
institution President, unless audit circumstances dictate otherwise.
The Internal Audit Council facilitates communication and the sharing of ideas, audit plans,
and programs among the institutions' internal auditors. The System Chief Audit Executive
is chairman of this Council, and membership is composed of the internal auditor directors
from each of the institutions. The Council meets from time to time as circumstances
require, and all members are expected to attend. The members may invite their assistant
directors, managers, supervisors, and staff to attend from time to time.
FORMS AND TOOLS/ONLINE PROCESSES
(Exhibit A) System-wide Internal Audit Charter
(Exhibit B) Standard Audit Report Format
(Exhibit C) Internal Audit Staffing Level
(Exhibit D) Reporting Structure
(Exhibit E) Internal Audit's Relationship to the Institutional Compliance Function

UT System Administration Policy Library Policy UTS118


Statement of Operating Policy Pertaining to Dishonest or Fraudulent
Activities
Responsible Officer: Executive Vice Chancellor for Business Affairs
Sponsoring Office: System Audit Office
Effective Date: February 4, 2002
Last Reviewed: April 2, 2009
Next Scheduled Review: April 3, 2009
UTS 118 Statement of Operating Policy Pertaining to Dishonest or Fraudulent
Activities
POLICY STATEMENT
Each institution has established reporting structures and responsibilities within their
institution. The purpose of this statement is to establish System policy regarding
internal investigations of suspected defalcation, misappropriation and other fiscal
irregularities which is supplemental to the internal administrative policies established
at each institution.

RATIONALE
Good business practice dictates that every suspected defalcation, misappropriation and
other fiscal irregularity be promptly identified and investigated.
RESPONSIBILITIES
Management
Establishes and maintains a system of internal control that provides
reasonable assurance that improprieties are prevented and detected. Supports the
System's fiduciary responsibilities and cooperates with law enforcement agencies in
the detection, investigation, and reporting of criminal acts, including prosecution of
offenders.
Office of Internal Audit
Supervises all audits of allegations of defalcation,
misappropriation and other fiscal irregularities. Coordinates assistance provided to
state, federal, and local law enforcement agencies. Assists the University Police in
investigations of suspected defalcation, misappropriation and other fiscal irregularities
that require accounting and auditing knowledge of System records. Keeps its
workpapers secure and limits access to only those individuals designated by the
Director of Internal Audit. Receives relevant information on a confidential basis,
subject to the provisions of the Texas Public Information Act. Reviews each
investigation to determine if additional work needs to be done in order to provide the
Audit Committee and management with a basis for taking any corrective action
necessary.
Director of Internal Audit
When appropriate, notifies the Chief Administrative Officer
or his or her designee when an audit involves allegations or reveals suspected criminal
activity which may constitute a felony offense. Consults with the Office of General
Counsel or institution legal advisors about all requests for information and assistance
related to investigations conducted by auditors of federal and state agencies.
Chief Administrative Officer
Notifies the appropriate Executive Vice Chancellor of
criminal activity, as appropriate.
University Police
Makes the Director of Police aware of all felony fraud
investigations and keeps him or her up to date. Coordinates criminal investigation once
probable criminal activity has been detected.
Chief Business Officer
Notifies the Executive Vice Chancellor of Business Affairs as
soon as it is known that a loss has occurred for approval of all insurance and fidelity
bond claims.
Institution Legal Advisors
Coordinates assistance provided to state, federal, and local
law enforcement agencies.
Office of General Counsel
Coordinates assistance provided to state, federal, and local
law enforcement agencies.
Reporting Individual
Avoids incorrect accusations, avoids alerting suspected
individuals that an audit is underway, or avoids making statements that could provide a
basis for a suit for false accusation or other offenses.
PROCEDURES
1. General
1.1 The terms defalcation, misappropriation, and other fiscal irregularities include but
are not limited to any:
a) Dishonest, illegal, or fraudulent act involving System property;
b) Forgery or alteration of checks, drafts, promissory notes, and securities;
c) Forgery or alteration of employee benefit or salary related items such as time cards,
billings, claims, surrenders, assignments, or changes in beneficiary;
d) Forgery or alteration of medical related items such as reports, charts, prescriptions,
x-rays, billings, or claims;
e) Forgery or alteration by employees, of student related items such as grades,
transcripts, loans, or fee or tuition documents;
f) Misappropriation of funds, securities, supplies, or any other asset;
g) Illegal or fraudulent handling or reporting of money transactions;
h) Acceptance or solicitation of any gift, favor, or service that might reasonably tend to
influence the employee in the discharge of his or her official duties; or
i) Destruction or disappearance of records, furniture, fixtures, or equipment where theft
is suspected.
1.2 Allegations involving scientific misconduct will be handled in accordance with the
controlling institutional policies based upon the OGC Model Policy entitled
"Procedure for Dealing with Allegations of Misconduct in Science".
1.3 Management shall establish and maintain a system of internal control that provides
reasonable assurance that improprieties are prevented and detected. Each manager must be
familiar with the types of improprieties that might occur in his or her area and be alert
for any indication that such a defalcation, misappropriation or other fiscal irregularity
has occurred.
1.4 Management must support the System's fiduciary responsibilities and
must cooperate with law enforcement agencies in the detection, investigation, and
reporting of criminal acts, including prosecution of offenders. Every effort should be
made to recover System losses.
1.5 The Office of Internal Audit must supervise all audits of allegations of defalcation,
misappropriation, and other fiscal irregularities. When an audit reveals suspected
criminal activity, or an audit is initiated due to an allegation of criminal activity, the
University Police must be notified immediately.
1.6 When an audit involves allegations or reveals
suspected criminal activity which may constitute a felony offense, the Director of
Internal Audit shall, when appropriate, immediately notify the Chief Administrative
Officer, or his or her designee, and then notification must be given to the System
Director of Audits. The Director of Internal Audit shall consult with institution legal
advisors or the Office of General Counsel, and the Office of General Counsel must be
kept informed regarding the progress of the audit.
1.7 The Chief Administrative Officer
shall notify the appropriate Executive Vice Chancellor of criminal activity, as
appropriate.
1.8 The Director of Police must be made aware of all felony fraud
investigations, and must be kept current by University Police of the progress of
investigations conducted by institution police departments.
1.9 In accordance with the
Board of Regents' Rules and Regulations, Rule 80601, the appropriate Chief Business
Officer will notify the Executive Vice Chancellor of Business Affairs as soon as it is
known that a loss has occurred for approval of all insurance and fidelity bond claims.
1.10 The Office of Internal Audit, University Police, institution legal advisors, and the
Office of General Counsel must coordinate assistance provided to state, federal, and
local law enforcement agencies. All requests for information or assistance from such
agencies that are received by other areas shall be immediately forwarded to the
University Police for determination and handling. All reasonable assistance must be
given to law enforcement agencies when requested.
1.11 All requests for information
and assistance related to investigations conducted by auditors of federal and state
agencies that are concerned with potential dishonest or fraudulent activities within the
System, shall also be forwarded immediately to the Director of Internal Audit who
shall consult with the Office of General Counsel, or with institution legal advisors who
shall notify the Office of General Counsel.
1.12 In order to avoid the use of
investigatory techniques that might prevent evidence from being used in a criminal
prosecution, University Police must coordinate the criminal investigation once
probable criminal activity has been detected. The Office of Internal Audit shall assist
the University Police in investigations of suspected defalcation, misappropriation, and
other fiscal irregularities that require accounting and auditing knowledge of System
records.
1.13 The Office of Internal Audit must keep its workpapers secure and limit
access to only those individuals designated by the Director of Internal Audit.

1.14 The Office of Internal Audit must be available and receptive to receiving relevant
information on a confidential basis, subject to the provisions of the Texas Public
Information Act. Employees and students may directly contact the Director of Internal
Audit, the Compliance Officer, the University Police, or executive management
whenever an activity is suspected to be dishonest or fraudulent. The reporting
individual should not attempt to personally conduct investigations or
interviews/interrogations in order to determine whether or not a suspected activity is
improper.
1.15 In order to avoid damaging the reputations of innocent persons initially
suspected of wrongful conduct, and to protect the System from potential civil liability,
the results of audits or investigations may not be disclosed or discussed with anyone
other than authorized representatives of law enforcement or regulatory agencies and
only those persons associated with the System who have a legitimate need to know
such results in order to perform their duties and responsibilities, subject to the
provisions of the Texas Public Information Act.
2. Audits/Investigations
2.1 Audits
revealing violations of the Penal Code for which an audit report will be issued should
be reduced to final report form only after consultation by University Police with the
local prosecutor or the Office of General Counsel to ensure that appropriate
documentation of the facts has been achieved in order to permit appropriate personnel
action, protect innocent persons, support appropriate civil or criminal actions,
document claims made pursuant to applicable fidelity bonds, preserve the integrity of
the criminal investigation and prosecution, and avoid unnecessary litigation.
2.2 Great
care must be taken in the investigation of suspected improprieties or irregularities so as
to avoid incorrect accusations or alerting suspected individuals that an audit is
underway and also to avoid making statements which could provide a basis for a suit
for false accusation or other offenses. Accordingly, the reporting individual should not:
2.3 Contact the suspected individual to determine facts or demand restitution; or
2.4 Discuss any facts, suspicions, or allegations associated with the case with anyone,
unless specifically directed to do so by the Office of Internal Audit, Compliance
Office, University Police, institution legal advisors, or the Office of General Counsel.
2.5 All inquiries from the suspected individual or his or her representative or attorney
shall be directed to institution legal advisors or the Office of General Counsel. Proper
response to such an inquiry should be, "I'm not at liberty to discuss this matter." Under
no circumstances should there be any reference to "what you did," "the crime," "the
fraud," "the forgery," "the misappropriation," or similar references.
2.6 All reproduction of documents, evidence and reports shall be performed within the
secured work area of the Office of Internal Audit or University Police.
2.7 To the
extent permitted by the applicable provisions of the Texas Public Information Act,
confidentiality of those reporting dishonest or fraudulent activities will be maintained.
However, the confidentiality cannot be maintained if that individual is required to
serve as a witness in legal proceedings.
2.8 When an audit initiated due to an allegation
of criminal activity has failed to detect criminal activity or when advised by the Office
of General Counsel, the Director of Internal Audit has the discretion to stop the audit.
However, with regard to criminal investigations conducted by University Police, only
the Office of the District Attorney is authorized to review the progress of the criminal
investigation and make the legal determination regarding whether to pursue a criminal
prosecution.
3. Operational Audit Findings
3.1 Each investigation of possible dishonest or fraudulent activities has the potential to
provide a unique insight into specific activities conducted by the System and may
disclose control weaknesses and other areas that need additional auditing or
management's attention.
3.2 The Office of Internal Audit must review each investigation to determine if
additional work needs to be done in order to provide the Audit Committee and
management with a basis for taking any corrective action necessary.

The State Auditor's Office


The State Auditor's Office (SAO) is the independent auditor for Texas state government.
The SAO operates with oversight from the Legislative Audit Committee, a six-member
permanent standing committee of the Texas Legislature, jointly chaired by the Lieutenant
Governor and the Speaker of the House of Representatives.
The SAO is authorized, by Chapter 321, Texas Government Code, to perform audits,
reviews, and investigations of any entity receiving state funds, including state agencies
and higher education institutions. Audits are performed in accordance with generally
accepted government auditing standards, which include standards issued by the American
Institute of Certified Public Accountants.
Types of audits the SAO performs include financial statement opinion audits, financial
audits, compliance audits, economy and efficiency audits, effectiveness audits, and other
special audits. The SAO may also perform reviews, which are less rigorous than audits
and do not follow auditing standards, but provide a certain degree of assurance to
decision makers. Investigations are performed whenever there is evidence of fraud or
abuse of state resources.
Other SAO responsibilities include managing the State Classification Plan and providing
support to state agency and higher education human resource offices, which is performed
by the State Classification Team. In addition, the SAO coordinates and provides
continuing educational opportunities for audit and accounting professionals.

The work and activities performed by the SAO are included in an annual audit plan,
approved by the Legislative Audit Committee. This includes mandatory work, required
by state statute, or discretionary work which is determined through an ongoing risk
assessment process.

Legislative Audit Committee

State Auditor: John Keel, CPA
General Counsel and Risk Manager: Anita D'Souza
Assistant State Auditor: Michael C. Apperley, CPA
Assistant State Auditor: Lisa R. Collier, CPA
Assistant State Auditor: Sandra Vice, CIA, CGAP, CISA

Audits and Reviews

Audit Managers
Michael Apperley, Assistant State Auditor
Lisa R. Collier, Assistant State Auditor
Sandra Vice, Assistant State Auditor
Kelly Linder, Federal Funds Audit Manager
Babette Laibovitz, Audit Manager (RAT)
Ralph McClendon, Audit Manager (ISAT)
Worth Ferguson, Audit Manager (QCT)
Verma Elliott, Audit Manager
Nicole Guerrero, Audit Manager
Angelica Martinez, Audit Manager
John Young, Audit Manager

Audit Research and Legislative Coordination: Daniel Wattles, Manager
Information Systems Audit Team: Ralph McClendon, Audit Manager
Quality Control Team/Reporting Team: Worth Ferguson, Audit Manager
Risk Assessment Team and Internal Audit Coordination: Babette Laibovitz, Audit Manager
State Classification Team: Nicole Guerrero, Audit Manager
Special Investigations Unit: Pamela Munn, Audit Manager

Administration

Business Services: Michael Apperley
Human Resources: Barry Holcomb, Senior HR Specialist
Information Systems Support / User Network Services: Sandra Vice
Professional Development: Jo Dale Guzman, Manager
Project Manager: Cody Smith
Ombudsman: Courtney AmbresWade

University of Texas Permian Basin


Internal Audit Manual

SECTION G
(Coordination with State Auditor's Office)