UNIVERSITY OF TEXAS PERMIAN BASIN
OFFICE OF INTERNAL AUDITS
AUDIT MANUAL
Revised March 16, 2009

TABLE OF CONTENTS

A. SCOPE, AUTHORITY, ORGANIZATION AND MISSION
A-1 Scope and Authority
A-2 Audit Charter
A-3 Audit Committee Charter
A-4 Organizational Charts
A-4.1 The University of Texas – Permian Basin
A-4.2 Office of Internal Audits
A-5 Mission Statement and Goals

B. AUDITING STANDARDS (Institute of Internal Auditors & GAGAS “Yellow Book”)
B-1 IIA Code of Ethics
B-2 IIA Professional Practice Framework (PPF)
B-3 IIA Standards
B-3.1 Attribute Standards
B-3.2 Performance Standards
B-4 GAGAS Yellow Book Standards

C. AUDIT PROCEDURES
C-1 Overview of Audit Procedures Section
C-2 Independence Procedure and Statement
C-3 Types of Audits and Summary of Audit Process
C-4 Internal Control
C-5 Risk Assessment
C-6 TeamMate Work papers Guide
C-7 Flowcharts
C-8 Audit Findings
C-10 Follow-ups and Significant Findings
C-11 Quality Assurance Reviews

D. OFFICE PROCEDURES
D-1 Weekly Time and Status Reports
D-2 Leave Request Policy
D-3 Travel Policy
D-4 State Property Policy
D-5 Administrative Procedures

E. RULES AND REGULATIONS
E-1 Texas Internal Auditing Act (Government Code Section 2102)
E-2 Board of Regents Rules and Regulations
E-3 UT System Business Procedures Memoranda
E-3.1 Business Procedures Memorandum 18-02-04
E-3.2 Business Procedures Memorandum 50-01-02
E-4 UTPB Handbook of Operating Procedures (H.O.P.)
E-5 State Auditor’s Office

Section A
SCOPE, AUTHORITY, ORGANIZATION AND MISSION

SCOPE AND AUTHORITY

The
University’s Office of Internal Audits, under the purview of the UT System Audit Office, has been given the authority to conduct internal audits as established by the Texas Internal Auditing Act. The First Texas Legislature passed the Texas Internal Auditing Act (Article 6252-5d, Vernon’s Texas Civil Statutes) effective September 1, 1989, which established guidelines for a program of internal auditing to assist agency administrators by furnishing independent analysis, appraisals, and recommendations concerning the adequacy and effectiveness of an agency’s systems of internal control policies and procedures, and the quality of performance in carrying out assigned responsibilities. See Section E-1.

The Internal Audit Charter, approved by the University President, states the purpose, authority, and responsibility for the Office of Internal Audits. The internal auditor is a vital part of the university and functions in accordance with the policies established by the President, The University of Texas System Administration and the Board of Regents.

To provide for the independence of the internal auditing activity, the Director of Internal Audits reports directly to the President and must be free of all operational and management responsibilities that would impair his or her ability to review independently all aspects of the institution (per the Texas Internal Auditing Act, Section 2101, Government Code). The Director of Internal Audits also has an indirect reporting relationship to The University of Texas System Director of Audits who has responsibility for oversight of the internal auditing activity for the U.T. System and has the reporting responsibility for all components to the Board of Regents. See Section A-2.

All internal audit activity is to be performed in a manner consistent with the International Standards for the Professional Practice of Internal Auditing and the Code of Ethics, as promulgated by the Institute of Internal Auditors, Inc. (IIA).
See Section B-1 for the IIA’s Code of Ethics. AUDIT CHARTER Introduction Internal auditing is an independent appraisal function established to examine and evaluate activities as a service to the Internal Audit Committee, the President, and senior management of U. T. Permian Basin. The auditors must have a high degree of independence and not be assigned duties or engage in any activities that they would normally be expected to review or appraise. Current editions of Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors, College and University Business Administration issued by the National Association of College and University Business Officers, and the Texas Internal Auditing Act shall serve as guidelines for the Office's activities. Internal Audit Office Mission Statement: Internal Audit provides independent, objective assurance and consulting services designed to add value and improve UTPB’s operations. It helps the university accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control mechanisms, and operational and governance processes. Organizational Status The Office of Internal Audit is a vital part of U.T. Permian Basin management and functions in accordance with the policies established by the President of The University of Texas of the Permian Basin, the Internal Audit Committee of The University of Texas of the Permian Basin, The University of Texas System, The Board of Regents of The University of Texas, and by the Legislature through the Texas Internal Auditing Act. The internal auditing services are reported directly to the President and to the Internal Audit Committee. 
The University of Texas of the Permian Basin Internal Audit Committee obtains, reviews and reports to the President on all institutional audit reports; approves the institutional internal audit plan; and transmits to the President such instructions as it deems necessary for the implementation of appropriate internal auditing practices. Purpose The Office of Internal Audit is responsible for providing the President and senior management with information about the adequacy and effectiveness of The University of Texas of the Permian Basin's system of internal administrative and accounting controls and the quality of operating performance when compared with established standards, and for recommending alternatives and modifications to existing systems and operations to improve overall efficiency and effectiveness. To accomplish these objectives the Office of Internal Audit is authorized to have full, free, and unrestricted access to all functions, property, personnel, and records (including medical and electronic). Although such access will be unlimited, the Office of Internal Audit shall ensure the safekeeping and confidentiality of all records and information. Internal Audit Committee Statement of Responsibility One of the most significant areas of organizational governance is the audit committee. These are the major assumptions and processes of that committee: The single most important finding and the key to audit committee effectiveness is background information and training. Management and internal auditors are identified as sources of this information. Special sessions on internal controls and the impact of their effectiveness on the committee's oversight responsibilities would acquaint committee members with the control environment. The internal auditor should report to the committee regularly regarding weaknesses noted in internal control. 
To enhance the effectiveness of the meeting, briefing materials should be supplied to the committee well in advance, and committee members should take adequate time to review them. State-of-the-art audit committees meet at least quarterly. The audit committee should review with management their assessment of the external and internal risks and whether or not the risk factors are being reasonably addressed. In addition, they should determine how internal auditing considers these risks when establishing the scope of their respective audits. The audit committee should advise the Director of Internal Audit that committee members expect to be advised of any areas requiring their special attention. The Director of Internal Audit should report the results of the department's auditing activities to the committee. Under normal circumstances, summary reporting should be made; however, specific findings and recommendations related to significant matters should be reported. The audit committee must be satisfied that internal auditing maintains its independence and objectivity. The committee should be satisfied that internal auditing is organizationally independent by ensuring the director reports to an appropriate executive level within the organization. The committee should be satisfied that the department's staffing and budget are adequate to enable the department to effectively perform its responsibilities. Quality Assurance The Office of Internal Audit shall establish and maintain a program of quality assurance designed to evaluate the operations of the department. The purpose of this program is to provide reasonable assurance that all work performed by the department conforms to the guidelines under which the department operates. This program should include training, supervision, and internal and external reviews. Internal reviews should be performed by members of the department on a routine basis to appraise the quality of work performed. 
External reviews of the department should be performed every three years, as required by the Texas Internal Auditing Act, by qualified persons who are independent of the Office of Internal Audit.

Purpose

This procedure shall be reviewed biennially by the Internal Auditor.

AUDIT COMMITTEE CHARTER

The committee is to ensure that:

- the activities of U. T. Permian Basin comply with the appropriate Business Procedures Memoranda, the Institute of Internal Auditors' Standards for the Professional Practice of Internal Auditing, and the Texas Internal Auditing Act;
- audit coverage for U. T. Permian Basin adequately encompasses all aspects of The University's operations and the coverage is not inhibited or limited by any individual or department;
- audit activities are responsive to The University's needs and objectives; and
- management is aware of internal audit activities, results of audits, and progress toward implementation of audit recommendations.

Authority

The University of Texas System Administration Policy Library 129, Internal Audit Activities, authorizes the establishment of an institutional audit committee. Appendix A, System-wide Internal Audit Charter, states “Each component institution will organize and maintain an institutional audit committee.”

Role

The University of Texas Permian Basin (UTPB) Audit Committee is an essential part of the risk management and internal control infrastructure of the institution and of the UT System. Its primary responsibilities are to assist the President in the:

- Oversight and direction of the internal auditing activity.
- Oversight of the process to manage business and financial risks.
- Reporting of risk management and audit activity to the UT System, including the Audit, Compliance, and Management Review (ACMR) Committee of the Board of Regents.
- Oversight of institutional engagements that may be performed by the external public accounting firm also conducting the UT System financial audit.
- Awareness of and responsibility for UTPB issues that may arise from the UT System financial audit.

Membership

The President shall appoint the members of the Audit Committee. Membership will be composed of the President, Executive Vice President, other members of management appointed by the President, and at least one member from outside the institution. The Chairman will be the President or his/her designee. Other non-voting members whose sole purpose is to assist the audit committee in carrying out their responsibilities include the Director of Audit Services (Chief Audit Executive), Director of Systems Audits or his/her designee, and a representative of the UT System Office.

Education

Audit Services, the System Audit Office and the System Controller’s Office are responsible for providing Audit Committee members with educational resources related to accounting principles and procedures, business and financial risk management, internal auditing standards and best practices and other information necessary to discharge their responsibilities.

Meetings

The Audit Committee meets four times a year (at least once quarterly), or as necessary at the request of the President. The meetings should provide for direct communication between members and the chief audit executive. Discussions and actions taken by the committee should be documented in the meeting minutes. A majority of members constitutes a quorum and attendance should be recorded in the minutes.

Responsibilities

The Audit Committee’s specific responsibilities in carrying out its oversight and reporting roles are delineated in the Audit Committee Responsibilities Checklist. The responsibilities checklist will be updated annually by the Audit Committee to reflect changes in regulatory requirements, authoritative guidance, UT System guidance, and best practices in business and financial risk management.
As the compendium of Audit Committee responsibilities, the most recently updated responsibilities checklist will be considered an addendum to this charter.

INSTITUTIONAL AUDIT COMMITTEE RESPONSIBILITIES CHECKLIST

GENERAL

1. The committee will perform functions as assigned by the Audit, Compliance, and Management Review Committee of The University of Texas Board of Regents.
2. The committee shall meet at least four times per year, or as necessary, at the request of the institution’s president.
3. The Chairman of the Institutional Audit Committee in consultation with the Chief Audit Executive will prepare the agenda for the committee meetings.
4. The Chief Audit Executive will be responsible for maintaining a record of the approved minutes of Institutional Audit Committee meetings.
5. Annually review the Institutional Audit Committee Charter and assess their performance of the responsibilities delineated in that charter.
6. Meet privately with the Chief Audit Executive, external public accounting firms, and the State Auditor’s Office at least annually, or as appropriate.
7. Other executive sessions may be appropriate to assess the performance of the internal audit function.

OVERSIGHT OF FINANCIAL STATEMENT PREPARATION PROCESS

1. Determine that institution management has assumed responsibility for identifying (risk assessment) and managing (internal controls) the business and financial risks.
2. Oversee the preparation of the institution’s financial statements through the review of
   a. the closing process used by the institution,
   b. the certifications by the President and Financial Reporting Officer,
   c. financial and internal controls information provided in internal audit documents,
   d. financial and internal control information provided by external public accounting firm audits,
   e. analytical information provided by institution management, internal audit, and/or external auditors,
   f. the methodology used to identify, assess, and manage possibilities for fraud in business and financial processes, and
   g. any off-balance sheet transactions/arrangements that have, or are reasonably likely to have, a current or future effect on the System’s or any of the institution’s financial condition, changes in financial condition, revenues or expenses, results of operations, liquidity, capital expenditures, or capital resources that is material to users of the financial statements reflecting the economics of such transactions/arrangements.

OVERSIGHT OF THE INTERNAL AUDITING FUNCTION

1. Approve an Internal Audit Charter that is consistent with the Texas Internal Auditing Act and the Standards of the Professional Practice of Internal Auditing.
2. Periodically review the Internal Audit Charter to ensure it encompasses any required revisions.
3. Review the risk assessment methodology used to develop the internal audit Annual Work Plan to ensure that all applicable business and financial risks have been identified.
4. Review the Annual Work Plan to ensure appropriate coverage for risks identified in the risk assessment, including coverage of significant financial and information systems.
5. Approve the Annual Work Plan and all changes thereto.
6. Review quarterly the status of completion of the Annual Work Plan.
7. Receive the results of all completed internal audit engagements.
8. Receive reports of Confidential Reporting Mechanism activity that relates to internal controls, financial management, internal auditing, or external auditing.
9. Review all significant recommendations and management action plans to address those recommendations.
10. Monitor the status of management action plans for significant recommendations.
11. Approve the utilization of Internal Audit resources outside the Annual Work Plan.
12. Review staffing and organization of the internal audit activity for appropriateness in relation to the institution and its identified risks and make recommendations to the president if necessary.
13. Request an annual self-assessment by the internal audit function and review the results.
14. Ensure that an External Peer Review is performed at least once every three years and review the results.
15. Provide input to the president on the annual evaluation of the Chief Audit Executive.
16. Provide input to the president on the hiring and dismissal of the Chief Audit Executive.

OVERSIGHT OF EXTERNAL PUBLIC ACCOUNTING FIRMS

1. Monitor the institution’s contracting with all external public accounting firms to ensure compliance with the requirements of UTS 03 “Annual Financial Report” and the operating rules of the Audit, Compliance, and Management Review Committee of The University of Texas Board of Regents.
2. Review the reports of all external public accounting firms contracted by the institution to perform audits of any institution functions, components, activities, or financial information.
3. Monitor all activity by the State Auditor’s Office.

REPORTING TO THE ACMR AND U.T. SYSTEM

The Institutional Audit Committee and the Chief Audit Executive are responsible for providing the following information to the System Audit Office for use by the Audit, Compliance, and Management Review Committee in discharging its oversight duties for the U.T. System:

1. Annual work plan and changes thereto.
2. Quarterly status of the Annual Work Plan and completed engagements.
3. Confidential Reporting Mechanism activity.
4. Significant recommendations.
5. Status of significant recommendations.
6. Contracts with external public accounting firms.
7. Other matters as requested by the ACMR through the System Audit Office.
ORGANIZATIONAL CHARTS

President’s Office Organizational Chart

Internal Audit Office Organizational Chart

[Organizational chart: University of Texas Permian Basin President, Dr. David Watts; UT System Audit Office; Audit Committee; Director of Internal Audits, Narita Holmes MBA, CPA, CIA; Auditor II, Aaron Munoz CIA, CGAP]

MISSION STATEMENT

Internal Audit provides independent, objective assurance and consulting services designed to add value and improve UTPB’s operations. It helps the university accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control mechanisms, and operational and governance processes.

GOALS

GOAL: Optimize institutional effectiveness and efficiency consistent with high quality organizational standards.

STRATEGIES

Develop an annual audit plan in accordance with the Texas Internal Audit Act and UT System guidelines that evaluate and improve the effectiveness of risk management, control, operational and governance processes.
Perform institutional risk assessment to identify high risk areas and include those areas in the annual plan.
Prepare annual audit plan in accordance with the Act and UT System guidelines and executive management needs.
Include evaluations of appropriate Presidential initiatives in annual audit plan.
Provide management with independent, objective assurance and consulting services designed to add value and improve University operation.
Request operating management input to audit planning process.
Provide recommendations based on audit activity and results.
Provide consulting and advisory services as requested and approved.
Provide risk assessment training to the university community.
Provide internal control and control self assessment training as identified or requested by management.
Office operation and audit engagements will be performed in accordance with professional audit standards.
Conduct quality assurance reviews in accordance with professional auditing standards.
Monitor office operations and staff engagement for conformance to IIA Standards.
Audit staff will prepare a plan that includes long/short term professional development and training needs to maintain sufficient knowledge, skills, experience, and professional certifications to meet the requirements of professional audit standards.

SECTION B (Auditing Standards)

CODE OF ETHICS

Note: Our Code of Ethics was closely modeled after that of the IIA as outlined in the Standard.

Internal auditors are expected to apply and uphold the following principles: Integrity, objectivity, confidentiality and competency.

1. Integrity
Auditors are required to perform their work with honesty, diligence and responsibility while observing the law. They should not knowingly be party to illegal activities or engage in acts discreditable to the profession of internal auditing, or the organization.

2. Objectivity
Internal auditors should be objective and shall not participate in activities or relationships that may impair or be presumed to impair their unbiased assessment. They shall not accept gifts or anything that may impair or be presumed to impair their professional judgment and shall disclose all material facts that, if not disclosed, could distort the reporting of activities under review.

3. Confidentiality
Any information gained during the discharge of their duties is confidential and shall not be disclosed to third parties or used for personal gain; therefore, internal auditors shall be prudent in the use and protection of information acquired in the course of their duties.

4. Competency
Internal auditors shall perform auditing services in accordance with the International Standards for the Professional Practice of Internal Auditing. They shall perform services for which they have the required knowledge, skills and experience.
Additionally, they shall continually improve their proficiency, effectiveness and quality of their services.

International Professional Practices Framework

The Institute of Internal Auditors Inc. Florida USA [IIA] is the only international body dedicated to the professional development of Internal Auditing. The IIA's International Board of Directors has approved the new International Professional Practices Framework (IPPF), under the oversight of The IIA's Professional Practices Council. This Framework was just released in January 2009. The IPPF 2009 is the only internationally accepted set of standards for the professional practice of internal auditing, followed globally by all organizations around the world.

The entire IPPF 2009 is excellently structured and is broadly divided into two parts:

1. Mandatory Guidance
Performance with the principles set forth in mandatory guidance is required and essential for the professional practices of internal auditing. Mandatory guidance is intended to be applicable to both entities and individuals that perform internal auditing. Mandatory guidance is developed following an established due diligence process, which includes a period of public exposure for stakeholder input. Mandatory guidance comprises:
   a. Definition of Internal Auditing
   b. Code of Ethics
   c. International Standards

2. Strongly Recommended Guidance
Strongly recommended guidance is endorsed by the IIA through a formal approval process. It describes practices for effective implementation of the IIA's definition of Internal Auditing, Code of Ethics and International Standards for the Professional Practice of Internal Auditing (Standards). Strongly recommended guidance comprises:
   a. Position Papers
   b. Practice Advisories
   c. Practice Guides

In order to ensure compliance with the IIA’s International Standards for the Professional Practice of Internal Auditing, our audits are conducted in a manner consistent with Mandatory and Strongly Recommended Guidance standards described above.
Additionally, due to the nature of our work and the organizational status of the Internal Audit Department, auditors hold positions that are highly visible within the University; therefore, we, the Internal Audit Department, as a whole, and as individuals are required to conduct ourselves with respect while upholding a high level of Ethics, Values and Integrity as we provide high quality services to our customers. Institute of Internal Auditors Standards The following is a brief overview of the mandatory standards to be followed by individuals performing audit services. INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) Attribute Standards 1000 – Purpose, Authority, and Responsibility The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval. Interpretation: The internal audit charter is a formal document that defines the internal audit activity's purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity's position within the organization; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board. 1000.A1 – The nature of assurance services provided to the organization must be defined in the internal audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances must also be defined in the internal audit charter. 1000.C1 – The nature of consulting services must be defined in the internal audit charter. 
1010 – Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter The mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the Standards must be recognized in the internal audit charter. The chief audit executive should discuss the Definition of Internal Auditing, the Code of Ethics, and the Standards with senior management and the board. 1100 – Independence and Objectivity The internal audit activity must be independent, and internal auditors must be objective in performing their work. Interpretation: Independence is the freedom from conditions that threaten the ability of the internal audit activity or the chief audit executive to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels. Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels. 1110 – Organizational Independence The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity. 
1110.A1 – The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results. 1111 – Direct Interaction with the Board The chief audit executive must communicate and interact directly with the board. 1120 – Individual Objectivity Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest. Interpretation: Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a competing professional or personal interest. Such competing interests can make it difficult to fulfill his or her duties impartially. A conflict of interest exists even if no unethical or improper act results. A conflict of interest can create an appearance of impropriety that can undermine confidence in the internal auditor, the internal audit activity, and the profession. A conflict of interest could impair an individual's ability to perform his or her duties and responsibilities objectively. 1130 – Impairment to Independence or Objectivity If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment. Interpretation: Impairment to organizational independence and individual objectivity may include, but is not limited to, personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations, such as funding. The determination of appropriate parties to which the details of an impairment to independence or objectivity must be disclosed is dependent upon the expectations of the internal audit activity’s and the chief audit executive’s responsibilities to senior management and the board as described in the internal audit charter, as well as the nature of the impairment. 
1130.A1 – Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.
1130.A2 – Assurance engagements for functions over which the chief audit executive has responsibility must be overseen by a party outside the internal audit activity.
1130.C1 – Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.
1130.C2 – If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.
1200 – Proficiency and Due Professional Care
Engagements must be performed with proficiency and due professional care.
1210 – Proficiency
Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.
Interpretation: Knowledge, skills, and other competencies is a collective term that refers to the professional proficiency required of internal auditors to effectively carry out their professional responsibilities. Internal auditors are encouraged to demonstrate their proficiency by obtaining appropriate professional certifications and qualifications, such as the Certified Internal Auditor designation and other designations offered by The Institute of Internal Auditors and other appropriate professional organizations.
1210.A1 – The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.
1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
1210.A3 – Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.
1210.C1 – The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.
1220 – Due Professional Care
Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.
1220.A1 – Internal auditors must exercise due professional care by considering the: Extent of work needed to achieve the engagement’s objectives; Relative complexity, materiality, or significance of matters to which assurance procedures are applied; Adequacy and effectiveness of governance, risk management, and control processes; Probability of significant errors, fraud, or noncompliance; and Cost of assurance in relation to potential benefits.
1220.A2 – In exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques.
1220.A3 – Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.
1220.C1 – Internal auditors must exercise due professional care during a consulting engagement by considering the: Needs and expectations of clients, including the nature, timing, and communication of engagement results; Relative complexity and extent of work needed to achieve the engagement’s objectives; and Cost of the consulting engagement in relation to potential benefits.
1230 – Continuing Professional Development
Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development.
1300 – Quality Assurance and Improvement Program
The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.
Interpretation: A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement.
1310 – Requirements of the Quality Assurance and Improvement Program
The quality assurance and improvement program must include both internal and external assessments.
1311 – Internal Assessments
Internal assessments must include: Ongoing monitoring of the performance of the internal audit activity; and Periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices.
Interpretation: Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity.
Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity and uses processes, tools, and information considered necessary to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards. Periodic reviews are assessments conducted to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards. Sufficient knowledge of internal audit practices requires at least an understanding of all elements of the International Professional Practices Framework.
1312 – External Assessments
External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The chief audit executive must discuss with the board: The need for more frequent external assessments; and The qualifications and independence of the external reviewer or review team, including any potential conflict of interest.
Interpretation: A qualified reviewer or review team consists of individuals who are competent in the professional practice of internal auditing and the external assessment process. The evaluation of the competency of the reviewer and review team is a judgment that considers the professional internal audit experience and professional credentials of the individuals selected to perform the review. The evaluation of qualifications also considers the size and complexity of the organizations that the reviewers have been associated with in relation to the organization for which the internal audit activity is being assessed, as well as the need for particular sector, industry, or technical knowledge. An independent reviewer or review team means not having either a real or an apparent conflict of interest and not being a part of, or under the control of, the organization to which the internal audit activity belongs.
1320 – Reporting on the Quality Assurance and Improvement Program
The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.
Interpretation: The form, content, and frequency of communicating the results of the quality assurance and improvement program is established through discussions with senior management and the board and considers the responsibilities of the internal audit activity and chief audit executive as contained in the internal audit charter. To demonstrate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the reviewer’s or review team’s assessment with respect to the degree of conformance.
1321 – Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”
The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement.
1322 – Disclosure of Nonconformance
When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board.
Performance Standards
2000 – Managing the Internal Audit Activity
The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization.
Interpretation: The internal audit activity is effectively managed when: The results of the internal audit activity’s work achieve the purpose and responsibility included in the internal audit charter; The internal audit activity conforms with the Definition of Internal Auditing and the Standards; and The individuals who are part of the internal audit activity demonstrate conformance with the Code of Ethics and the Standards.
2010 – Planning
The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.
Interpretation: The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consultation with senior management and the board.
2010.A1 – The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.
2010.C1 – The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.
2020 – Communication and Approval
The chief audit executive must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations.
2030 – Resource Management
The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.
Interpretation: Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the plan. Sufficient refers to the quantity of resources needed to accomplish the plan. Resources are effectively deployed when they are used in a way that optimizes the achievement of the approved plan.
2040 – Policies and Procedures
The chief audit executive must establish policies and procedures to guide the internal audit activity.
Interpretation: The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work.
2050 – Coordination
The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.
2060 – Reporting to Senior Management and the Board
The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board.
Interpretation: The frequency and content of reporting are determined in discussion with senior management and the board and depend on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management or the board.
2100 – Nature of Work
The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.
2110 – Governance
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives: Promoting appropriate ethics and values within the organization; Ensuring effective organizational performance management and accountability; Communicating risk and control information to appropriate areas of the organization; and Coordinating the activities of and communicating information among the board, external and internal auditors, and management.
2110.A1 – The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.
2110.A2 – The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.
2110.C1 – Consulting engagement objectives must be consistent with the overall values and goals of the organization.
2120 – Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
Interpretation: Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that: Organizational objectives support and align with the organization’s mission; Significant risks are identified and assessed; Appropriate risk responses are selected that align risks with the organization’s risk appetite; and Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities. Risk management processes are monitored through ongoing management activities, separate evaluations, or both.
2120.A1 – The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the: Reliability and integrity of financial and operational information; Effectiveness and efficiency of operations; Safeguarding of assets; and Compliance with laws, regulations, and contracts.
2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
2120.C1 – During consulting engagements, internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.
2120.C2 – Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s risk management processes.
2120.C3 – When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.
2130 – Control
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the: Reliability and integrity of financial and operational information; Effectiveness and efficiency of operations; Safeguarding of assets; and Compliance with laws, regulations, and contracts.
2130.A2 – Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.
2130.A3 – Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.
2130.C1 – During consulting engagements, internal auditors must address controls consistent with the engagement’s objectives and be alert to significant control issues.
2130.C2 – Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization’s control processes.
2200 – Engagement Planning
Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations.
2201 – Planning Considerations
In planning the engagement, internal auditors must consider: The objectives of the activity being reviewed and the means by which the activity controls its performance; The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level; The adequacy and effectiveness of the activity’s risk management and control processes compared to a relevant control framework or model; and The opportunities for making significant improvements to the activity’s risk management and control processes.
2201.A1 – When planning an engagement for parties outside the organization, internal auditors must establish a written understanding with them about objectives, scope, respective responsibilities, and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records.
2201.C1 – Internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented.
2210 – Engagement Objectives
Objectives must be established for each engagement.
2210.A1 – Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.
2210.A2 – Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.
2210.A3 – Adequate criteria are needed to evaluate controls. Internal auditors must ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management to develop appropriate evaluation criteria.
2210.C1 – Consulting engagement objectives must address governance, risk management, and control processes to the extent agreed upon with the client.
2220 – Engagement Scope
The established scope must be sufficient to satisfy the objectives of the engagement.
2220.A1 – The scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.
2220.A2 – If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities, and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.
2220.C1 – In performing consulting engagements, internal auditors must ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations must be discussed with the client to determine whether to continue with the engagement.
2230 – Engagement Resource Allocation
Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.
2240 – Engagement Work Program
Internal auditors must develop and document work programs that achieve the engagement objectives.
2240.A1 – Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement. The work program must be approved prior to its implementation, and any adjustments approved promptly.
2240.C1 – Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement.
2300 – Performing the Engagement
Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives.
2310 – Identifying Information
Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement’s objectives.
Interpretation: Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Reliable information is the best attainable information through the use of appropriate engagement techniques. Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement. Useful information helps the organization meet its goals.
2320 – Analysis and Evaluation
Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.
2330 – Documenting Information
Internal auditors must document relevant information to support the conclusions and engagement results.
2330.A1 – The chief audit executive must control access to engagement records.
The chief audit executive must obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.
2330.A2 – The chief audit executive must develop retention requirements for engagement records, regardless of the medium in which each record is stored. These retention requirements must be consistent with the organization’s guidelines and any pertinent regulatory or other requirements.
2330.C1 – The chief audit executive must develop policies governing the custody and retention of consulting engagement records, as well as their release to internal and external parties. These policies must be consistent with the organization’s guidelines and any pertinent regulatory or other requirements.
2340 – Engagement Supervision
Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.
Interpretation: The extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the engagement. The chief audit executive has overall responsibility for supervising the engagement, whether performed by or for the internal audit activity, but may designate appropriately experienced members of the internal audit activity to perform the review. Appropriate evidence of supervision is documented and retained.
2400 – Communicating Results
Internal auditors must communicate the engagement results.
2410 – Criteria for Communicating
Communications must include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans.
2410.A1 – Final communication of engagement results must, where appropriate, contain internal auditors’ overall opinion and/or conclusions.
2410.A2 – Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications.
2410.A3 – When releasing engagement results to parties outside the organization, the communication must include limitations on distribution and use of the results.
2410.C1 – Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client.
2420 – Quality of Communications
Communications must be accurate, objective, clear, concise, constructive, complete, and timely.
Interpretation: Accurate communications are free from errors and distortions and are faithful to the underlying facts. Objective communications are fair, impartial, and unbiased and are the result of a fair-minded and balanced assessment of all relevant facts and circumstances. Clear communications are easily understood and logical, avoiding unnecessary technical language and providing all significant and relevant information. Concise communications are to the point and avoid unnecessary elaboration, superfluous detail, redundancy, and wordiness. Constructive communications are helpful to the engagement client and the organization and lead to improvements where needed. Complete communications lack nothing that is essential to the target audience and include all significant and relevant information and observations to support recommendations and conclusions. Timely communications are opportune and expedient, depending on the significance of the issue, allowing management to take appropriate corrective action.
2421 – Errors and Omissions
If a final communication contains a significant error or omission, the chief audit executive must communicate corrected information to all parties who received the original communication.
2430 – Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”
Internal auditors may report that their engagements are “conducted in conformance with the International Standards for the Professional Practice of Internal Auditing”, only if the results of the quality assurance and improvement program support the statement.
2431 – Engagement Disclosure of Nonconformance
When nonconformance with the Definition of Internal Auditing, the Code of Ethics or the Standards impacts a specific engagement, communication of the results must disclose the: Principle or rule of conduct of the Code of Ethics or Standard(s) with which full conformance was not achieved; Reason(s) for nonconformance; and Impact of nonconformance on the engagement and the communicated engagement results.
2440 – Disseminating Results
The chief audit executive must communicate results to the appropriate parties.
Interpretation: The chief audit executive or designee reviews and approves the final engagement communication before issuance and decides to whom and how it will be disseminated.
2440.A1 – The chief audit executive is responsible for communicating the final results to parties who can ensure that the results are given due consideration.
2440.A2 – If not otherwise mandated by legal, statutory, or regulatory requirements, prior to releasing results to parties outside the organization the chief audit executive must: Assess the potential risk to the organization; Consult with senior management and/or legal counsel as appropriate; and Control dissemination by restricting the use of the results.
2440.C1 – The chief audit executive is responsible for communicating the final results of consulting engagements to clients.
2440.C2 – During consulting engagements, governance, risk management, and control issues may be identified. Whenever these issues are significant to the organization, they must be communicated to senior management and the board.
2500 – Monitoring Progress
The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.
2500.A1 – The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.
2500.C1 – The internal audit activity must monitor the disposition of results of consulting engagements to the extent agreed upon with the client.
2600 – Resolution of Senior Management’s Acceptance of Risks
When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the board for resolution.
GOVERNMENT ACCOUNTABILITY OFFICE “YELLOW BOOK” STANDARDS SUMMARY
The general standards contained in Generally Accepted Government Auditing Standards ("GAGAS") set forth requirements for auditor independence, using professional judgment, ensuring competent team members, and conducting peer reviews. Specific standards set forth requirements for fieldwork and reporting in the areas of financial, attestation, and performance assurance activities. In general, GAGAS standards are stricter than IIA standards in the types of non-audit services that auditors may provide, the amount of training auditors must undergo, the frequency of peer reviews, and the level of documentation contained in audits and the wording in those reports.
The following are recommendations that the UT System Audit Office has provided to all audit departments in order to ensure full compliance with GAGAS. Those recommendations are summarized below along with the corresponding reference in GAGAS.
In order to be completely versed in the standards, it is critical that all auditors obtain and read them. GAGAS may be found at the Government Accountability Office's website: http://www.gao.gov/govaud/yb2003.pdf.
GENERAL STANDARDS
Independence
1) When using specialists for projects (e.g., co-sourced audits), obtain independence certifications and statements of knowledge of GAGAS independence requirements. Document qualifications of the specialist (they do not have to perform work under GAGAS, just acknowledge that they are independent under those standards).
2) Inventory non-audit activities performed and determine whether activities are allowable or unallowable based on criteria in 3.14 - 3.18. (Common non-audit activities to consider include management of participation in the institutional compliance program, participation in peer reviews, performance of consulting engagements, interviewing of candidates for management positions, oversight of management, both functionally and administratively, and development of organizational policies).
3) For allowable activities, document reasons for being allowable and how safeguards are met based on criteria in 3.17.
4) Ensure peer review team examines a selection of non-audit activities to test for compliance with 3.17.
5) Develop policies and procedures for identifying personal impairments, communicating them to all auditors in the organization, ensuring understanding of policies through training, obtaining acknowledgement of policies, monitoring compliance with policies, establishing a disciplinary mechanism for violating policies, and stressing the importance of independence.
6) Identify, report, and resolve impairments to independence timely.
7) Identify factors causing external impairments in 3.19 and ensure policies are in place to identify them.
8) Identify factors causing organizational impairments and ensure policies are in place to identify them.
9) Ensure peer review teams assess whether policies and procedures are in place for identifying, resolving and reporting impairments and ensure that impairments identified are acted upon timely. Professional Judgment 10) Review working papers and audit programs to ensure evidence of the use of professional judgment in applying the right standards to an engagement, defining the scope of work, selecting the methodology, determining the types of evidence to be relied upon, and choosing tests and procedures, and evaluating results. Competence 11) Ensure a process is in place for recruitment, hiring, continuous development, and evaluation of staff to ensure adequate competence. 12) Ensure that staff members collectively possess the technical knowledge, skills, and experience necessary to be competent for the type of work being performed BEFORE beginning fieldwork. 13) When performing external financial statement work, ensure auditors on the engagement have knowledge of GAAP and external auditing standards. 14) Document compliance with CPE requirements of 80 hours every two years (minimum of 20 per year), with at least 24 hours in industry-specific courses. Peer Reviews 15) Ensure policies and procedures are in place to ensure the audit organization complies with GAGAS. Retain documentation evidencing compliance with policies and procedures. Procedures should include ongoing monitoring of policies and procedures to ensure they are effective. 16) Perform peer reviews every three years (with the review occurring no later than three years and 90 days after the start of fieldwork of the last review per footnote 38 of GAGAS). 17) Perform remedial action on results of peer review. 18) Ensure team members have knowledge of GAGAS, are independent, and do not participate in a reciprocal review. 19) Ensure peer review reports reference all standards under which they were performed. 
SPECIFIC PROJECT STANDARDS Fieldwork and Reporting Requirements (Open to determine whether GAGAS should be cited in reports) 20) If GAGAS is cited in the audit report, auditors are required to follow the standards outlined in chapters 4 - 8, depending on the type of audit (financial, attestation, or performance). 21) Auditors should ensure that if GAGAS is cited in the audit report, the audit file and report should evidence compliance with the fieldwork and reporting standards, respectively, in chapters 7 and 8. University of Texas Permian Basin SECTION C (Audit Procedures) OVERVIEW OF AUDIT PROCEDURES The following audit procedures are intended to provide a guideline and maintain uniformity within the Audit Department. Included in this section is a TeamMate guide that will assist you with documenting your work within this electronic work paper software and attribute templates for expenditure testing. In order to ensure consistency among audit staff in carrying out their duties and responsibilities, guidelines detailing minimal requirements pertaining to audit work-paper preparation and documentation, including standard audit report formats, will be addressed. Keep in mind that audit reports are official documents distributed to management within the university. In addition, our reports are subject to exposure and review by external parties. For this reason, we must implement standards in creating reports that demonstrate professionalism and consistency. All audit reports issued by this office should exhibit the same format and be free of spelling and grammatical errors. A sample report has been included for your benefit. INDEPENDENCE PROCEDURE Individual Objectivity Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest. To maintain this Standard, the Office has adopted an Annual Independence/Conflict of Interest Statement. This form will be signed annually, at the beginning of the calendar year, by all audit staff members. 
New audit staff members will sign when hired. In addition, the QAR Form has been modified in order to report any potential independence or conflict of interest with each audit engagement. Impairments to Independence or Objectivity If independence or objectivity is impaired in fact or appearance, the details of the impairment should be disclosed immediately to the Director of Internal Audits. If an accidental impairment to independence or objectivity occurs, the Director shall inform the University Ethics Office of the situation for his/her consideration. If necessary, the auditor will be removed from the engagement. If warranted, the impairment will be included in the Report and the Audit Committee will be notified. Disciplinary action for willful neglect to disclose impairment to independence or objectivity may result in a Letter of Reprimand by the Director of Internal Audits. All University employees are required to complete a conflict of interest statement upon employment at the University and this statement is submitted on an annual basis. The Director of Internal Audits also performs teaching duties for the University and as part of her teaching plan she involves her students in actual Departmental audits of the University. All audit work is reviewed by the Audit Department before it is submitted to the Audit Committee. All students are required to fill out a non-disclosure form seen below: The University of Texas of the Permian Basin STATEMENT OF NON-DISCLOSURE FOR CONFIDENTIAL AND SENSITIVE DATA I understand by virtue of my affiliation with the University of Texas of the Permian Basin through the audit project in Accounting 4306, I may have access to records on various media which contain individually identifiable or confidential information, the disclosure of which is prohibited by either state or federal law, or university-designated as confidential or sensitive. 
I acknowledge that I fully understand that the intentional disclosure by me of this information to any individual not authorized by the owner of the data could subject me to criminal and civil penalties imposed by law. I further acknowledge that such willful or unauthorized disclosure also violates The University of Texas of the Permian Basin’s procedure and could constitute just cause for disciplinary action regardless of whether criminal or civil penalties are imposed. I also acknowledge that failure to sign this statement could result in denial or revocation of my access to all audit information and other sensitive data at The University of Texas of the Permian Basin. Accounting 4306 Name Printed Course Signature Date If there is any question or uncertainty, contact Narita K. Holmes, Internal Auditor for clarification as to what data are confidential or sensitive, who are data owners, and what constitutes authorized access. TYPES OF AUDITS 1. Change in Management/Departmental These types of audits determine whether the department is conducting its financial and business processes under an adequate system of internal control, as required by University policy and guidelines and good business practice. These audits are normally performed when an administrator at the level of Dean or above leaves office. 2. Compliance Audits Compliance audits are performed to determine if a system is adequately designed to ensure compliance with University policies and procedures as well as external requirements. External requirements include compliance with federal and state laws and regulations, the National Collegiate Athletic Association (NCAA) legislation, etc. 3. Financial Audits This type of audit verifies that controls over acquisition and use of resources are adequate. It also verifies that sufficient controls exist over assets, liabilities, revenues, and expenditures. 
They address the accounting for and reporting of financial transactions, including commitments, authorizations, and receipt and disbursement of funds. 4. Operational Audits This type of audit examines the use of resources to evaluate whether those resources are being used in the most efficient and effective way to fulfill the operations mission and objectives. An operational audit can include elements of compliance, financial and IT audits. 5. Investigative Audits Investigative audits focus on alleged civil or criminal violations of state or federal laws or university policies and procedures that may result in prosecution or disciplinary action. Examples are allegations of theft, misuse of university assets, white-collar crime and conflicts of interest. 6. Information Technology (IT) Audits IT audits address the internal control environment of automated information processing systems. Although IT audit projects focus primarily on systems in the development stages, they typically evaluate system input, output, processing controls, backup and recovery plans, system security as well as computer facilities. SUMMARY OF AUDIT PROCESS Engagement Memo - With few exceptions, audit clients are notified in writing when their area is selected for review. These letters are sent to the vice president of the area being audited as well as to the appropriate dean, chairperson, or director. The engagement memo states the date, time, and place of the opening conference and the objectives to be accomplished in the audit. Due to the nature of some audit work, we may give little or no advance notice. Planning - During the planning process, the auditor gains an understanding of the area to be audited. This includes interviewing key personnel, reviewing relevant policies and procedures and, if available, reviewing prior audit work papers. A risk assessment is created documenting key activities, the risks associated with those activities, and the probability and impact of the risk. 
Entrance Conference - An entrance conference is scheduled with the head of the department to discuss the purpose and scope of the audit. We encourage audit clients to discuss any concerns or questions they may have about the audit. Audit clients may also request that a review of those areas of most concern to them be included as part of the audit activity. Fieldwork - During the audit fieldwork phase, the auditor will test the adequacy and effectiveness of the internal control environment for the specific audited area. The nature of the work includes interviews, sample selection, sample testing against the criteria and documentation of the results. Written policies and procedures may be requested to aid the auditor in understanding departmental operations; however, it is often necessary for auditors to reside in the department office(s) to conduct interviews and review departmental records. In order to minimize disruption of daily operations, we try to schedule meetings in advance to avoid potential scheduling conflicts. The duration of audits varies depending upon scope. Hence, limited scope audits require less time than audits with broader scopes, which could lengthen the audit time period. Additionally, the level of cooperation from auditees and access to personnel and records have a direct bearing on the duration of audits. Progress Meetings - During the audit, progress meetings are held to keep the customer apprised of any potential observations and the status of our review. Draft Audit Report - A draft report is prepared and distributed to management to verify factual content after the draft has been reviewed by the Director of Internal Audits. Exit Conference - At the conclusion of fieldwork, an exit conference is held to discuss the audit observations and recommendations. 
Attendees include the auditors, members of management responsible for oversight and operation of the area under review, as well as those individuals who will have a direct or indirect involvement in resolving audit concerns identified. The exit conference provides an opportunity to clear and resolve questions or concerns pertaining to findings, or other issues, before the final audit report is released. Communicating Results - Audit results are presented to audit clients via verbal or written communication and usually include recommendations intended to benefit the area under review and the University. Audit clients have an opportunity to discuss concerns identified within the audit and to concur or disagree with conclusions and recommendations. In any event, audit clients are required to provide, in writing, proposed resolutions including reasonably expected implementation dates. Final Audit Report - The final audit report includes findings and recommendations along with management's responses. Copies of the report are distributed to the president, appropriate vice presidents, the audited unit's manager, and the System Audit Office. Audit findings are also included in a summary of all UT component reports provided to the chancellor and the Audit Committee of the Board of Regents. Customer Survey - After the engagement is complete, our office will send a survey through our survey monkey tool, requesting the audit client to provide feedback on the performance of the auditor. Follow-up Reviews - Our professional standards require that we follow up and report on previously reported findings to determine if corrective action was taken and audit concerns were resolved. INTERNAL CONTROL What is internal control? 
Internal control is a process, affected by The University of Texas System ("UT System") Board of Regents, management and other personnel, designed to provide reasonable assurance regarding achievement of objectives in the following categories: Operations -- relating to effective and efficient use of UT System's resources, Financial reporting -- relating to preparation of reliable published financial statements, and Compliance -- relating to UT System's compliance with applicable laws and regulations. Internal control consists of five interrelated components as follows: Control environment -- Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the Board of Regents. Risk assessment -- A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of objectives then forming a basis for determining how the risks should be managed. Control activities -- Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties. Information and communication -- Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to carry out their responsibilities. Information systems produce reports, containing operational, financial, and compliance-related information that make it possible to run and control the business. 
They deal not only with internally generated data, but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting. Monitoring -- Internal control systems need to be monitored--a process that assesses the quality of the system's performance over time. It includes regular management and supervisory activities, and other actions personnel take when performing their duties. All components are relevant to each objectives category. When looking at any one category, all five components must be present and functioning effectively to conclude that internal control over operations is effective. What are the key concepts for internal controls? Internal control is a process. It is a means to an end, not an end in itself. Internal control is affected by people. It is not merely procedure manuals and forms, but people at every level of an organization. Internal control can be expected to provide only reasonable assurance, not absolute assurance, to management and Board of Regents. Internal control is geared to the achievement of objectives in one or more separate but overlapping categories. When is internal control effective? Internal control can be judged effective in each of the three categories, respectively, if the Board of Regents and management have reasonable assurance that they understand the extent to which: The entity's operational objectives are being achieved, Published financial statements are being prepared reliably, and Applicable laws and regulations are being complied with. What are factors limiting internal controls? Judgment – Managers in a well-controlled organization can make bad decisions. Breakdowns – People with control responsibilities may not carry them out effectively. Management Override – Managers may intentionally go outside established practices for illegitimate purposes. Cost vs. Benefit – Resources are limited. 
Managers properly accept a degree of risk when the cost of controlling the risk exceeds the benefit. Note: The above definition of internal control and related concepts are taken directly from Internal Control -- Integrated Framework by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). See COSO MODEL BELOW RISK ASSESSMENT The Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing Performance Standard 2201 – Planning Considerations requires “internal auditors to consider the significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level”. Other planning considerations can be obtained from The Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing. TEAMMATE WORK PAPERS GUIDE (AUDIT PROJECT) Note: You will need the Audit Assignment Sheet to create the new audit project within TeamMate. Creating a New Audit Project To create a new TeamMate Audit Project, follow these steps: Open TeamMate (if not already running) by double clicking the TeamMate Suite icon. Click on TeamMate – EWP (Electronic Working Papers) Note: The TeamMate Explorer is the first screen displayed when TeamMate is launched. If not displayed, then Open TeamMate Explorer, using the File | Open menu option. Click on the Master Tab and projects files should appear. If not, then the Master Tab must be mapped to the shared drive. To map to the shared drive, follow these steps: With the cursor on the Master Tab, right click and go to modify location tab and browse to the Shared Drive V: TeamMate Backup Audit Files Folder>Audits>FY 20XX and click Open and then click OK TeamMate Explorer TeamMate Explorer performs several important roles within TeamMate. Its primary function is to create, open, restore, and delete Project files – including installing Replicas. 
It is also used to maintain storage locations, allowing the user to create, edit, and delete Locations (tabs). Click on the New button in the TeamMate Explorer to run the New Project Wizard and follow these steps (steps for creating a departmental audit using a template are also found below): New Project Wizard (Step 1 of 3) The New Project Wizard is a three step process used to create all new projects within TeamMate. Step 1 of the New Project Wizard will be to create a new project from scratch. Creating a New Project The first Dialogue box is used to gather the basic information about the project file being setup. Specifically, auditors must enter:
Project No. XX-FIN-ZZ where XX=Audit Number, ZZ=Fiscal Year, the center letters deal with the project group – see below (i.e., 06-FIN-09)
Project Group:
Financial - FIN
Departmental – Change in Management - DEP or CIM
Institutional Compliance - COM
Risk Based Project - RBP
Information Technology - IT
Management Services - MAS
Project Name/Title
Project Assigned Date
Location (Master Tab)
Note: TeamMate requires all the fields for this step to be completed before proceeding to Step 2. Once completed click the next button to move to Step 2. Step 2 of the New Project Wizard requires the selection of a TeamMate Library File. Files with a .TML extension are TeamMate Library files. A TeamMate Library contains a number of properties used to define any newly created projects. These files are created by TeamMate Coordinators and are usually distributed with the TeamMate installation disks. These files should not be moved, edited, or deleted. The TeamMate Library file will determine the type of project created. You must select a valid .TML file before continuing to Step 3 of the New Project Wizard.
Departmental or Change in Management Program Set Up
1. For Departmental or Change in Management Audits hit the browse button found on this page
2. The Departmental and Change in Management audit template can be found in the V Drive
3. Within the V Drive go into the TeamMate Audit Back Up Files folder
4. Within this folder there is an Audit Program Templates folder – Enter Here
5. Select the latest Departmental Audit program (Departmental and Change in Management Audit have the same program) – the programs are dated as to when they were created
6. Proceed to the next section below indicated with a - **
Select Base Library (With PA).tml or browse to the Shared Drive V: TeamMate Audit Backup Files Folder and proceed to Step 3 by clicking the next button. **For Step 3 of the New Project Wizard, you are required to set up a project team member. Any project file created in TeamMate must contain at least one Administrator. The team member created in the New Project Wizard will (by default) become the Project Administrator. This role MUST be reassigned to the Director. The Last Name, First Name, Initials, Password and Verify fields are required, while the Title field is optional. Once the Finish button has been clicked and the project successfully created, the Browser will be displayed, and you can begin to setup and work on the project. ***For Change in Management Audits, the audit program has been created, reviewed, and approved. Note: The New Project Wizard will (by default) create the project in the Master Location tab selected in TeamMate Explorer, when the New Project Wizard was activated. Setup and Work on the Audit Project Once you are within your newly created audit project, the Snapshot dialogue box will automatically be displayed along with the “Roaming Toolbar”. The “Roaming Toolbar” may be rolled up or down by double clicking the top of the toolbar. Snapshot The Snapshot provides a (point in time) statistical analysis of the status of the entire project. 
The Snapshot can be used as a review tool, showing the progress of the project at any point in time. The Snapshot is constantly and automatically updated and can easily be displayed by either selecting the Project | Snapshot menu option or by clicking on the Snapshot button in the Standard toolbar. The Browser The Browser acts as a hierarchical index or table of contents to all work documented within a TeamMate project. It is the first window displayed (after Snapshot) when a TeamMate project is opened. The Browser is divided into two re-sizeable panes similar to Windows Explorer. 1. The Left Browser pane acts as an index to the file and is used for navigation to the appropriate section. Only the following default folders and subfolders are displayed in the left pane. PA: Planning and Administration PA1: Planning PA2: Administration AS: Audit Summary AS1: Current Exceptions AS2: Reports CG: Component Groups Note: Each auditor will rename the component groups to “Fieldwork” so that it will look as follows CG: Fieldwork. To do this, right click on component groups and click rename. The auditor will now add to the Fieldwork folder. Adding Fieldwork Folders Adding a Fieldwork Folder to the Browser is completed by using the Add Folder button on the toolbar or by selecting the Edit | New Folder menu option, when the CG: Fieldwork folder is selected/highlighted in the Browser. The New Fieldwork / Area dialogue contains the following: Audit Reference Code (ARC) also known as folder or work paper references. Note: The auditor should be careful when adding folders or importing and/or adding work papers to TeamMate. The ARC is automatic and sequential and CANNOT be edited. Component Group Title The Component Group Title: field is used to specify the title of the folder being added to the Browser. This will be the major section of your audit program. For each component group folder created, they will be lettered. (i.e., A, B, C, D, etc.). 
First Component Title The First Component Title: field is used to specify the title of the parent folder being added to the Browser. This will be the same as the component group title unless you have a minor section within a major. When completed click OK. Two subfolders will automatically be created within each component group folder. A Supplementary Information and a major section subfolder (i.e., A: SI Supplementary Information and A.1). Disregard the Supplementary Information subfolder. This folder will not be used at this time. By double clicking the A.1 subfolder, the procedures summary will appear in the right browser pane as A.1.PS. 2. The Right Browser pane displays a detailed view of the contents of each folder in the file. As you move through the folders in the left pane, the right pane will adjust to display the contents of each selected folder. The first item in each newly created folder will be the Procedures Summary. This area will contain the audit steps, results of work done and the overall conclusion. Creating Procedures Procedures can be automatically added to the Browser by importing planning from a TeamStore, or manually added to Procedure Summaries of the required Procedure. Procedures are added by adding rows to the Procedure Summary. To manually add Procedures: Navigate to the CG: Field work folder to which the Procedure belongs. Navigate to the Procedure to which the new Procedures are to be added. Open the Procedure Summary for the required Procedure. (right browser pane) Click on the Add Row (or Insert Row) button in the TeamMate toolbar or use the Edit | Add Row menu option. Once the new Procedure has been added to the Procedure Summary, complete the required fields on the Procedure Summary and allocate the Procedure to a Team Member and a Visit. To save the added Procedures, close the Procedure Summary Schedule, saving the changes made. When Procedures are added to the Procedure Summary, they are given the Title “New Row”. 
This Procedure Title can be renamed, by either double clicking on the Procedure Title, or selecting the Procedure Title and pressing <F2>. Note: You must assign the Director with Administrator privileges and the Asst. Director with Preparer/Reviewer privileges. To do this, click on Profile located on the navigation toolbar and select the Team tab. Click on Add and fill in the information requested. A password must be created at this time. The temporary password will be audit and should be changed when the person logs on. Adding Work papers As mentioned before, care must be taken when adding work papers to the Procedures Summary because of the automatic referencing. To add work papers, you MUST be in the Procedures Summary screen. You may perform either one of the following options: Right click and select add work paper or Drop the “Floating Toolbar” and select add work paper. Audit Work papers The following is a list of the work papers to be included under each folder: PA: Planning and Administration PA1: Planning A. Planning Memo B. Internal Control Questionnaire (ICQ) C. Background Information D. Organization Chart E. Goals, Objectives, ODP Map F. Risk Assessment G. Interviews H. Flow Charts I. Prior Audits J. Audit Program PA2: Administration A. Assignment Sheet B. Entrance Conference Memorandum C. Entrance Conference Narrative D. Exit Conference Memo/Narrative E. Quality Assurance Review (QAR) AS: Audit Summary AS1: Current Exceptions AS2: Reports CG: Field work** A. Background a. Policies and Procedures Manual b. Risk Assessment & Implementation Plan c. Employee Performance Evaluations B. Reliability and Integrity of Key financial Information a. Expenditures b. Account Reconciliations c. Revenue and Cash Receipts d. Time Reporting f. Segregation of Duties C. Safe guarding of Assets a. Inventory Test D. Information Technology a. Computer Access **NOTE: Change in Management Audits are being demonstrated in this example. 
Field work folders may appear different for other types of audits. Cross Referencing Work papers Cross referencing may be performed by creating hyperlinks within the work papers and can be a one-way or two-way hyperlink. For the most part, we will be creating two-way hyperlinks. Creating a Hyperlink Creating a Hyperlink is done by clicking on the Hyperlink button on the Application toolbar. If creating a two-way Hyperlink: Go to the location within the schedule where you want to place one end of the cross reference. Click on the Hyperlink button in the Application toolbar. Select the "Copy As Target" button. Once this has been done, you can complete (display) the link by going to the location where the other end of the cross reference is to be placed and clicking on the Hyperlink button. Select the "Paste Link" tab. If you wish the link to be two-way (visible from both linked schedules), select the "Create as 2way Link" checkbox. Click on OK and the Hyperlink is created. If creating a one-way Hyperlink to a designated schedule: Position the text cursor or select the spreadsheet cell on the schedule where the Hyperlink is to be positioned. Click on the Hyperlink button in the Application Toolbar. To create a Hyperlink to a particular schedule, select the "Link to ARC" tab. Select the schedule to be linked to from the mini-Browser displayed. After making your selections, click on the Insert button to place the link. The Audit Programs, for non Change in Management audits, should be placed in the Planning folder for approval by the Audit Director. These audit programs must be cross-referenced/linked to the work papers. As work papers are completed, preparers should sign off as follows: Signing Off Schedules Schedules can be signed off using the Sign Off button in the Application Toolbar. To sign off a schedule: Open the Sign off and Edit History dialogue box by clicking on the Sign Off button. 
To sign the Schedule off as Prepared, click on the Green Sign Off button. To sign off a Schedule as Reviewed, click on the Blue Sign Off button. When the appropriate Sign Off button has the Team Member's initials and date stamped beside it, clicking on OK will save the sign off record. Note: Coaching Notes and Procedures also require sign off, but this is achieved via the sign off buttons displayed on the Coaching Notes dialogue box (Done By & Cleared By), and on the right pane of the Procedure Summary, respectively. TeamMate Reports TeamMate provides the ability to automatically produce Reports from a number of TeamMate type schedules. These Reports are generated in Microsoft Word, using a process similar to a mail merge. When the report type is selected, TeamMate will launch Word, extract the information from TeamMate and create a report based on information in the project. Once the Report has been created, the data displayed is no longer linked to TeamMate. It should be treated as a standard Word work paper. Subsequent changes to any of the TeamMate type schedules after the report has been generated will not be reflected in the report file. For this reason, reports are usually created towards the end of the project when the information is fairly static. There are two ways in which a report can be generated from within TeamMate. To generate a report based on the entire contents on the project file, use the Browser menu option Tools | Generate Report. For more specific (filtered and sorted) information, you can generate a report based on the information displayed in any TeamMate type schedule or summary viewer. TeamMate provides the ability to produce reports based on Exceptions, Procedures, Coaching Notes, and Schedules Status. The reports can be produced in either a narrative or table format. In addition, TeamMate has the capability to create Customize TeamMate Report based on one of the above. 
There is some limitation with respect to combining fields from the report types listed above. The exception to this is the Profile fields. All but the large text fields (typically Planning, Background and Objective) are available in any of the report types listed below.

To generate a TeamMate Report, the Report Wizard goes through the following steps:
1. Report Wizard - (Report) Selection
2. Report Wizard - Scope (Filter & Sort) Selection
3. Report Wizard - Data Preview
4. Report Wizard - (Choose) Destination

Report types:
- Coaching Note Reports
- Exception Reports
- Procedure Reports
- Procedure Summary Report
- Schedule Status Report
- Profile Report

After completing these Steps, TeamMate will generate a Report based on your selections.

Exception Reports

The auditor will generate an Exceptions report via the Report Wizard and save the exceptions report to the V/shared drive under the EXCEPTION REPORTS folder.

SEE EXHIBIT A

Audit Reports

Note: All Audit Reports will contain the following sections and in this order:
- Executive Summary
- Background
- Audit Objective
- Audit Scope and Methodology
- Audit Results
- Conclusion

There will be two draft reports and one final uploaded to TeamMate in the REPORTS section and all findings and recommendations on the drafts will be cross-referenced to the work papers.

SEE EXHIBIT B

- First draft to auditee
- Second draft with auditee responses
- Final report will be uploaded in PDF format after approval by the Audit Committee

Quality Assurance Review

At the completion of the audit, the auditor will complete a Quality Assurance Review (QAR) form and upload it to the Administrative section. This form may be found on the shared drive under the Change in Management folder.

SEE AUDIT MANUAL SECTION H

At the conclusion of the audit project, the auditor assigned to the project is responsible for ensuring that all work papers and coaching notes have been reviewed and signed-off in preparation for the “finalization” process.
The auditor should inform the Director that the project file is ready to be closed. The Director is the only person authorized to close projects. The following steps provide an overview of the finalization process.

Finalization

Finalization is the process which moves a project from the “Field Work” or “Post Field Work” stage to “Finalized”. Projects should only be finalized when the work has been completed and no more changes are necessary, as once the project has been finalized it will be marked as Read-Only.

To finalize a project:
- Select the Browser menu option File | Administration | Stages
- Click on the “Complete / Finalize” button

This will start the Finalization Wizard.

Step 1 of the Finalization Wizard starts out by explaining to the Administrator what processes will take place throughout the Finalization Wizard. No action is required for this step, so simply click on the Next button to proceed to Step 2.

Note: The Finalization process can be cancelled at any time prior to Step 6.

Step 2 of the wizard checks the signoff status of each schedule within the project. Click on the “Click here to begin the scan” button, and TeamMate will display all schedules not signed off. For Finalization, if the conditions set by the option buttons have not been met (i.e. Halt status found), the Finalization Wizard will disable the Next button. However if performing the Post Field Work wizard or the Finalization where no Halt conditions exist, click on the Next button to proceed to Step 3 of the process.

Step 3 of the wizard checks the status of each Procedure Summary Step within the project. Click on the “Click here to begin the scan” button, and TeamMate will display all steps not signed off. If the conditions set by the option buttons have not been met (i.e. Halt status found), the wizard will disable the Next button.
However if performing the Post Field Work wizard or the Finalization where no Halt conditions exist, click on the Next button to proceed to Step 4 of the Finalization process.

Step 4 of the wizard checks the status of all the Coaching Notes within the project. This final check performed by the wizard will display any Coaching Notes that have not been Cleared. Click on the “Click here to begin the Scan” button and the Wizard will list the Coaching Notes not Cleared. It is important (but not essential) that all Coaching Notes be Cleared before proceeding to Finalization Step 5 or Post Field Work Step 5. Coaching Notes and Edit History may be permanently deleted from the project when the project is actually finalized, depending on the option selected in Step 6 of the Finalization wizard. To continue with the process, click on the Next button to proceed to the next step.

Page 10 of 17 Section C–6 Rev. 1/07

Note: The Coaching Notes and Edit History WILL NOT be deleted; therefore, it is imperative that the defaults are changed to read the options in Step 6.

Step 5 of the Finalization Wizard is a precautionary measure. Before the Finalization wizard finalizes the Project, the Administrator has the option to make a Backup. Specify the location for the backup file and click on the “Click here to start backup” button. Once the backup is complete, use the Next button to proceed to the last step (Step 6) of the Finalization Wizard.

Note: A backup of the project prior to closing is required and should be saved under Shared Drive F: TeamMate Folder>Backups (Prior to Close)

Step 6 of the Finalization Wizard is the decisive point of the process. First set the two option buttons to retain Edit Histories and Coaching Notes, and then STOP AND THINK! Has all work on the project been completed in accordance with the applicable Standards? Proceeding with this step is irreversible.
Clicking on the “Click here to start the finalization process” button will perform the Finalization process in accordance with the options chosen, and will then make the audit READ ONLY.

Note: A backup of the project after finalization is required and you need to save in Shared Drive V: TeamMate Backup Files Folder>XX Backups_Post Closing, where XX = Fiscal Year.

FOR MORE DETAILED AND/OR TECHNICAL GUIDANCE ON USING TEAMMATE, REFER TO THE HELP MENU

ADDENDUM WORK PAPERS

Work papers are the means by which auditors document the work performed. There are two types of work papers:
1. Manual work papers – they include hard copies of documents and files (NO LONGER KEPT AS A RESULT OF TEAMMATE)
2. Electronic work papers – documents in electronic format (PDF files, spreadsheets, and Word documents, etc.) which are normally stored and maintained in an electronic medium such as a computer.

Work papers serve both as tools to aid the auditor in performing his work, and as written evidence of the work done to support the auditor’s report. Information included in work papers should be sufficient, competent, relevant, and useful to provide a sound basis for audit findings and recommendations. Section B-2 of the Standards for the Professional Practice of Internal Auditing defines sufficient, competent, relevant, and useful as follows:
- Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor.
- Competent information is reliable and the best attainable through the use of appropriate audit techniques.
- Relevant information supports audit findings and recommendations and is consistent with the objectives for the audit.
- Useful information helps the organization meet its goals.

Qualities of Good Work Papers

1. Complete
Work papers must be able to “stand alone.” This means that all questions must be answered, all points raised by the reviewer must be cleared, and a logical, well-thought-out conclusion must be reached for each audit segment.

2. Concise
Work papers must be confined to those that serve a useful purpose.

3. Neat
Work papers should not be crowded. Allow for enough space on each schedule so that all pertinent information can be included in a logical and orderly manner. At the same time, keep work papers economical. Forms and procedures should be included only when relevant to the audit or to an audit recommendation. Also, try to avoid unnecessary listing and scheduling. All schedules should have a purpose which relates to the audit procedures or recommendations.

Work Paper Techniques

1. Organization
Work papers should be organized in a manner which would allow efficient retrieval of any needed information.

2. Tick marks
The auditor makes frequent use of a variety of symbols to indicate work that has been done. These symbols are commonly referred to as tick marks. As these tick marks have no special or uniform meaning in themselves, an explanation of each tick mark should be made on the schedule on which it appears.

3. Cross-referencing
Cross-referencing within work papers should be complete and accurate. Refer to the section on cross-referencing found on page 6. The audit program should be cross-referenced to work papers related to each program step. Work papers should be cross-referenced to each other, as appropriate, and to any resulting Audit Exception. A copy of the final audit report should be cross-referenced directly to supporting work papers.

4. Carry forward
The auditor should make full use of the work papers developed in the prior audit. Flow charts, system descriptions, and other data may still be valid. Copies of those papers which remain useful should be made a part of the current working papers.
They should be updated with current information, renumbered, referenced, and initialed and dated by the current auditor.

Types of Work Papers

All work papers should be scanned (as necessary) and converted to electronic format for inclusion in TEAMMATE.

1. Schedules and Analyses
Schedules and analyses are useful for identifying statistical trends, verifying the accuracy of data, developing projections or estimations, and determining if tasks or records have been properly completed.

2. Documents
Copies or actual samples of various documents can be used as examples, for clarification, and as physical evidence to support a conclusion or prove the existence of a problem. These documents can be memos, reports, computer printouts, procedures, forms, invoices, flow charts, contracts, or any of numerous other items. Any original documents or copies included in the work papers should serve a useful audit purpose. The following suggestions are offered for preparation of work papers using documents rather than the auditor’s notes:
- Indicate both the person and/or file that the document came from.
- Copy and insert only that portion of the report, memo, procedure, etc., which is needed for purposes of explanation or as documentation of a potential finding. Do not include the entire document in the work papers unless absolutely necessary.
- Fully explain the terms and notations found on the document, as well as its use. This is especially true when including maps, engineering drawings or flow charts in the papers. These explanations may be made on an attached preceding page or on the face of the document itself.
- Each document should be cross-referenced either to the page or separate analysis where it was discussed.
- No document should be included in the work papers without an explanation of why it was included.
- Documents larger than 8 ½ x 14 should be reduced when practicable.

3. Process Write-ups and Flow Charts
In many audits, it is necessary to describe systems or processes followed by the auditee. Describe such procedures or processes through the use of write-ups or flow charts, or a combination of the two. The choice of which method to use will depend on the relative efficiency of the method in relation to the complexities of the system being described. Write-ups are often easier to use, and should be used if the system or process can be described clearly and concisely. However, when write-ups would be lengthy and description of related control points difficult to integrate in the narrative, flow charting (or a combination of write-ups and flow charting) is an appropriate alternative. Flow charts conveniently describe complex relationships because they reduce narrative explanations to a picture of the system. They are concise and may be easier to analyze than written descriptions. (Refer to section C-7, Flow Charting).

4. Interviews
Certain information is best obtained through formal interviews conducted either in person or by telephone. Formal interviews are most desirable because the interviewers know they are providing input to the audit; however, impromptu interviews, or even casual discussions, can often provide important information. All pertinent information obtained in interviews/discussions should be documented in the work papers. Interviews are useful in identifying problem areas, obtaining general knowledge of the audit subject, collecting data not in a document form, and documenting the auditee’s opinions, assessments, or rationale for actions. Interview notes should contain only the information provided by the person interviewed, and not include any of the auditor’s opinions.

5. Observations
What the auditor observes can serve the same purposes as interviews. If observations can be used to support any conclusions, then they should be documented. They are especially useful for physical verifications.
Observations used as supporting documentation should generally include the following items:
- Time and date of the observation.
- Where the observation was made.
- Who accompanied the auditor during the observation?
- What was observed.

When testing is involved, the work papers should include the sample selections and the basis of the sample.

6. Exceptions/Findings
All significant audit findings should be documented in the work papers (See C-8: Audit Findings). All findings should be documented within the EXCEPTIONS SECTION in TeamMate as soon as practical by the auditor discovering the situation.

EXHIBIT A
Exception Report

EX.1 - Risk Assessment and Implementation Plan

Reference: A.1.PS

Finding:
1. The GEAR UP department had not developed a risk assessment and implementation plan.
2. The department had not developed a business continuity/disaster recovery plan.

Criteria/Standard:
1. As per UT System's 1996 Action Plan to Enhance Internal Controls, every department is required to complete a Risk Assessment and Implementation Plan and to forward a copy of the form to its Vice President and to the Director of Internal Audit.
2. As per UT System UTS 165 “a backup and recovery plan, commensurate with the risk and value of the computer system and data, must be in place (business continuity plan)”.

Business Implication:
1. Without assessing financial, compliance, operational or strategic risks and mitigating these risks, the department may not achieve its goals or objectives.
2. The department will not be able to continue operations in the event of a disaster without a business continuity plan in place.

Cause: Lack of knowledge of required department plans

Recommendation:
1. The GEAR UP department should develop a risk assessment focusing on financial, compliance, operational, and strategic risks. Once the risks are identified, then an implementation plan should be developed to mitigate the risks.
2. Additionally, the department should identify all major components of its operations, develop procedures in the event of a system failure or natural disaster to obtain business continuity and basic services, and incorporate these into a business continuity/disaster recovery plan and it should be communicated to all employees.

EXHIBIT A
Exception Report

EX.2 - Inventory process breakdown

Reference: D.1.PS, D.1.1

Finding: We identified one laptop missing (Tag #52720) that was originally identified on the Inventory Certification List submitted to Assets Management as having been located in one of the GEAR UP Offices during inventory certification. The laptop was not in working condition as stated by the property custodian and was thought to have been sent to surplus. No documentation was available to support the laptop being sent to surplus. Although the inventory process was effective, the process was not documented and the individual conducting the inventory was a new hire.

Criteria/Standard: As stated in the Handbook of Operating Procedures Section 8.1.2, paragraph F - Responsibilities of Accountable Officers
1. When the University’s property is entrusted to a person other than the Accountable Officer, the Accountable Officer shall require a written receipt for such property from the person receiving custody.
2. Accountable Officers will take all reasonable precautions to assure that property is used only for official business, and is safeguarded in such a manner as to ensure against loss or damage. If, in spite of such precautions, property is stolen, missing, destroyed, or damaged, a report to the Property Manager via Assets Management should be filed. Lost or Stolen Property to the University Police Department.
3. Accountable Officers are responsible for completing physical inventories of property assigned to their accounts.
Business Implication: Negative publicity and loss of funding for future purchases

Cause: Lack of knowledge of procedure caused by lack of department handbook

Recommendation: The Account Manager should report this missing laptop to Assets Management and the University Police Department in accordance with H.O.P Section 8.1.2. The process for conducting a physical inventory of equipment should be documented in the department's manual. Those individuals responsible for completing physical inventories and transferring obsolete or non working equipment should refer to the department's manual.

EXHIBIT A
Exception Report

EX.3 - Allocable Costs - Mileage Reimbursements

Reference:

Finding: The GEAR UP department was improperly charging mileage to the original grant instead of allocating the mileage between the original and the new grant based on the schools visited and the activities conducted by the Academic Advisors as indicated in the supporting documentation.

Criteria/Standard: In accordance with OMB Circular A-21 - Cost Principles for Educational Institutions, allocation means the process of assigning a cost, or a group of costs, to one or more cost objective, in reasonable and realistic proportion to the benefit provided or other equitable relationship. A cost objective may be a major function of the institution, a particular service or project, a sponsored agreement, or a F&A cost activity, as described in Section F of the circular. The process may entail assigning a cost(s) directly to a final cost objective or through one or more intermediate cost objectives.

Any costs allocable to a particular sponsored agreement under the standards provided in this Circular may not be shifted to other sponsored agreements in order to meet deficiencies caused by overruns or other fund considerations, to avoid restrictions imposed by law or by terms of the sponsored agreement, or for other reasons of convenience.

Direct cost allocation principles.
If a cost benefits two or more projects or activities in proportions that can be determined without undue effort or cost, the cost should be allocated to the projects based on the proportional benefit. If a cost benefits two or more projects or activities in proportions that cannot be determined because of the interrelationship of the work involved, then, notwithstanding subsection b, the costs may be allocated or transferred to benefited projects on any reasonable basis, consistent with subsections d. (1) and (2).

Business Implication: Funding on original grant depleted and non compliance with OMB Circular A-21 Cost Principles

Cause: Improper review of mileage reimbursements and new grant awarded resulting in allocation of costs between two grants with similar activities.

Recommendation: The GEAR UP department should properly account for the mileage reimbursements based on the supporting documentation. GEAR UP should correct the mileage costs incorrectly charged to the original grant and allocate those costs to the new grant prior to close-out of the original grant.

Executive Summary

The Student Financial Services Office (“Office”) currently consists of an Executive Director (“Director”), 27 full-time employees, four direct wage employees and numerous work study employees. The Director manages 205 accounts with a total FY 06 operating budget of approximately $18,783,235. All of the funding for the financial aid programs is received from federal, state and local agencies.

As required by the 1996 Action Plan to Enhance Internal Controls, a departmental audit is performed when a department undergoes a change in management or a significant change in reporting lines. The purpose of our audit was to evaluate the adequacy and effectiveness of the system of internal controls with an emphasis on administrative and financial controls within the Office. Our scope encompasses activity for the 2006 calendar year.
Our audit was conducted in accordance with guidelines set forth in The University of Texas System’s Policy UTS 129 and the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing.

Based on our audit, we determined that the Office had established adequate internal controls. However, we identified a few areas where improvements to the Office’s internal controls could help to better achieve their goals and objectives.

Background

The Office is committed to the overall mission of the University and the Division of Enrollment & Student Services. They are dedicated to helping students and families in the pursuit of their educational goals by removing financial barriers which would otherwise discourage or prohibit attendance by qualified students who lack adequate resources; by providing high quality customer service in a professional, caring, and equitable manner; by enhancing recruitment and retention efforts to attract promising undergraduates and graduates to the University; and by administering financial aid programs in compliance with federal, state and institutional regulations and guidelines.

The Student Financial Services Director assumed her duties on March 20, 2006. The Director is currently responsible for 27 full-time employees, four direct wage employees and numerous work study employees. However, only the Office Administrative Associate, Account Technician, Associate Director and Executive Associate Director were under her direct responsibility (i.e. responsible for approving time sheets, sick and vacation leave, performance appraisals). The Director was also responsible for 205 University accounts with a total FY 06 operating budget of approximately $18,783,235.

One such program, established in 1999 and administered by the Texas Higher Education Coordinating Board, is the Texas Grant Program.
This program covers tuition and required fees for well-prepared students attending Texas public Universities, community colleges and technical schools who have successfully completed a recommended high school graduation program and show financial need. In FY06 the operating budget for the Texas Grant Program alone was $17,113,777.

EXHIBIT B

Audit Objective

The purpose of our audit was to evaluate the adequacy and effectiveness of the system of internal controls with an emphasis on administrative and financial controls within the Student Financial Services-Director’s Office.

Audit Scope and Methodology

We conducted a standard change in management audit over the Office. The audit was conducted using the following procedures:
- We requested that the Director complete an Internal Control Questionnaire. We reviewed the completed Questionnaire with the Director in order to establish a better understanding of the Office’s workflows.
- We determined if the Director had established a control conscious environment, whether goals and objectives for the Office had been developed, and whether a risk assessment and implementation plan had been developed.
- We randomly selected 20 accounts under the Director for review to determine whether procedures for account reconciliations had been established. We determined if the Office was keeping adequate documentation on the preparation and review of their account reconciliations.
- We determined whether the Office had established adequate segregation of duties over account reconciliations and cash handling procedures.
- We examined their operating and financial information for reliability. We tested a random sample of 35 expenditures and examined supporting documentation for proper approval and authorization.
- We reviewed personnel files, selected time sheets for those employees directly under the supervision of the Director, and tested timesheets for approval and authorization.
A total of 10 timesheets were tested.
- We performed property inventory testing for the existence of selected assets, and determined whether selected assets were properly recorded on the University’s asset management system.
- We reviewed controls for personal computers to evaluate physical and data security.
- We verified the Office’s compliance with University policies and procedures.

Our audit was conducted in accordance with guidelines set forth in The University of Texas System’s Policy UTS 129 and the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing. The scope of our engagement was from September 2007 to August of 2008; the audit was conducted during the months of December 2008 through February 2009.

EXHIBIT B

Audit Results

Monitoring

Monitoring is the assessment of internal controls over time. We assessed the Office’s controls over their complaint procedures, personal use of Office property and account activity.

We randomly selected 20 accounts under the responsibility of the Director for review and selected the months of May and August from each account for testing (40 reconciliations in total for testing). Of these 40 account reconciliations, we were unable to retrieve documentation for seven of them. According to the University account reconciliation training documentation, reconciliations are done to “Provide the account manager with an accurate amount of the remaining budget balance.”

Six of the missing reconciliations were related to federal programs. We determined, through inquiries, that the six reconciliations related to the federal programs were not prepared due to the accounts’ inactivity. Additionally, these accounts had no activity for several years. Without the proper notification of the balances to the account manager, these accounts may stay open longer than necessary.
The final missing reconciliation was related to an account used by the Office for salary payments and various operating expenses. The Office’s account technician stated that this was one of several reconciliations that had been misplaced by the Office and that they were in the process of recreating them. Documentation should be adequately maintained and safeguarded for verification purposes.

We noted that the Office had established adequate controls over personal use of Office property and complaint procedures.

Recommendation
1. The Director should be aware of accounts with inactivity and/or zero balances and should evaluate the need for maintaining those accounts.
2. The Office should increase its controls over the safeguarding of documentation. The reconciliations should be stored on a network drive or backed up on removable storage devices.

Management Response

FLOWCHARTS

General Flowcharting Guidelines

A. Clarity and simplicity in presentation are essential. Excessive detail may tend to conceal rather than expose key points. Complex processes and exception controls may be better explained in narrative form. However, narrative explanations should be kept brief. The combination of the flowchart and a narrative description tends to be far superior to either format alone.

B. Only transactions/documents with control significance should be shown (i.e. control over authorization, recording, safeguarding, reconciliation and valuation). This can generally be accomplished by including only those activities where data is initiated, changed or transferred to other functional areas. For a process to be flowcharted, it must be broken down into its component parts, namely actions and decisions. The name(s) and/or position(s) of individuals processing/handling the transactions should be indicated for each action. The names of each document should also be included within the document symbols.

C. The auditor usually obtains information necessary for preparing or updating flowcharts by interviewing employees at each site about procedures followed, and by reviewing procedure manuals, existing flowcharts and other system documentation. Sample documents should be collected and individuals in each area involved should be questioned about their specific duties.

Specific Flowcharting Practices

A. To ensure completeness and consistency, the specific internal control objectives must be documented when flow charting a transaction processing system.
B. The flowchart should identify the specific internal controls, and these should be cross-referenced to the specific control objectives.
C. Flowcharting symbols should be limited to those shown in the Internal Audit Flow Chart Template (See Attached). The flowcharting software is available on the network to assist you in flowcharting.
D. Start the flowchart in the upper left-hand corner of the paper and work toward the lower right-hand corner.
E. The flowchart begins with the inception of the transaction and ends with its recording in financial records.
F. The individual and department responsible for each flowchart step should be indicated at the top of the appropriate symbol.
G. Use action verbs in the flowchart to save space.
H. Use oversized symbols if the information will not fit within the standard-sized symbols.
I. Use connector symbols rather than drawing lines around or over parts of the flow chart.

AUDIT FINDINGS

Elements of a Well-Developed Audit Finding

A. Statement of Condition (What is.)
B. Criteria (What should be.)
C. Cause (Why did it happen.)
D. Effect (What is the impact?)
E. Recommendation (What should be done.)

A. STATEMENT OF CONDITION
The condition identifies the nature and extent of the finding or unsatisfactory condition.
It often answers the question: “What was wrong?” Normally, a clear and accurate statement of condition evolves from the auditor’s comparison of results with appropriate evaluation criteria.

B. CRITERIA
This element establishes the legitimacy of the finding by identifying the evaluation criteria, and answers the question: “By what standards was it judged?” In financial and compliance audits, criteria could be accuracy, materiality, consistency, or compliance with applicable accounting principles and legal or regulatory requirements. In audits of efficiency, economy, and program results (effectiveness), criteria might be defined in mission, operation, or function statements; performance, production, and cost standards; contractual agreements; program objectives; policies, procedures, and other command media; or other external sources of authoritative criteria.

C. CAUSE
The third element identifies the underlying reasons for unsatisfactory conditions or findings, and answers the question: “Why did it happen?” If the condition has persisted for a long period of time or is intensifying, the contributing causes for these characteristics of the condition should also be described. Identification of the cause of an unsatisfactory condition or finding is a prerequisite to making meaningful recommendations for corrective action. The cause may be quite obvious or may be identified by deductive reasoning. The audit recommendation points out a specific and practical way to correct the condition. However, failure to identify the cause of a finding may also mean the cause was not determined because of limitation or defects in audit work, or was omitted to avoid direct confrontation with responsible officials.

D. EFFECT
This element identifies the real or potential impact of the condition and answers the question: “What effect did it have?” The significance of a condition is usually judged by its effect.
In performance audits, reduction in efficiency and economy, or not attaining program objectives (effectiveness), are appropriate measures of effect. These are frequently expressed in quantitative terms; e.g., dollars, number of personnel, units of production, quantities of material, number of transactions, or elapsed time. If the real effect cannot be determined, potential or intangible effects can sometimes be useful in showing the significance of the condition.

E. RECOMMENDATIONS

The final element identifies suggested remedial action and answers the question: “What should be done?” The relationship between the audit recommendation and the underlying cause of the condition should be clear and logical. If a relationship exists, the recommended action will most likely be feasible and appropriately directed. Recommendations in the audit report detail should state precisely what needs to be changed or fixed. How the change will be made is the auditee’s responsibility. More generalized recommendations (e.g., greater attention be given, controls be reemphasized, a study be made, or consideration be given) should only be used in the audit report detail when more specific recommendations are deemed too restrictive or otherwise inappropriate. However, such language may be appropriate in summarizing recommendations for top management. Unless benefits of taking the recommended action are obvious, they should be stated. The cost of implementing and maintaining recommendations should be compared to risk whenever practical. Recommendations should be directed to those capable of taking action.

SUMMARY

Well-written audit findings include: the nature of the findings; the criteria used to determine the existence of the condition; the cause of the condition; the significance of its impact; and what the auditors think should be done to correct the situation.
Fully developed findings containing each of these five elements are easily understood and convey impact and significance to appropriate management officials. Each finding should be documented in TeamMate through an Exceptions Report. The status and disposition of all findings recorded in an audit should be monitored and documented for follow-up. AUDIT FOLLOW-UP & SIGNIFICANT FINDINGS Audit follow-up will be performed to determine whether corrective action was taken and is achieving the desired results. All audit follow-up activity will be identified with the same project code (i.e., 07FOL-000). Time spent on audit follow-up should be reported accordingly and identified on the weekly Status Reports. A project file in TeamMate will be created at the beginning of every fiscal year and all follow-up work papers will be maintained in the TeamMate follow-up project file. Management responses are usually provided as part of the Audit Report and should provide management's estimated implementation date. These estimated implementation dates are used to establish the initial audit follow-up date. Audit follow-up activity is provided within the Quarterly Status Report and initiating audit follow-up effort is the responsibility of the assigned auditor. Due to the nature of audit follow-up, very little "audit planning" is required. However, it is advisable that the assigned auditor initiate informal contact (usually via telephone) with the auditee to prearrange the audit follow-up before the Audit Follow-up Memorandum is prepared and issued. If the timing of the follow-up is inappropriate or unusual circumstances exist, other follow-up plans may be made in consultation with the Director. The results of the audit follow-up should be discussed with the responsible manager(s) and, if necessary, a future follow-up date should be established. 
The audit follow-up memorandum should be addressed to the manager responsible for the corrective action(s), with copies to the President and appropriate Vice President(s). Work papers supporting the audit follow-up fieldwork should be prepared, summarized, adequately cross-referenced, and included in TeamMate. Audit follow-up activity, including follow-up memo and work papers within TeamMate, should be reviewed and approved by the Director. UT SYSTEM SIGNIFICANT FINDINGS (RED, YELLOW, GREEN) An audit finding may be deemed significant by the Audit Director, by the Audit Committee, or by the UT System Audit Office. If a finding was deemed “Significant”, the Auditor Assigned will contact the responsible party to obtain an understanding of the overall progress towards completion of the recommendation. The auditor will develop a work program within TeamMate follow-up project file that will document the work performed to assess whether progress on the recommendation is one of the following: Complete – as deemed by Audit Director in consultation with staff. These recommendations will receive a color coding of GREEN. This also requires that the auditor provide some substantive evidence that the recommendations have been implemented. Progress is Satisfactory – issues are in process of being addressed in a timely and appropriate fashion. These recommendations will receive a color coding of YELLOW. Progress is Unsatisfactory – issues are not being addressed in a timely and appropriate fashion. These recommendations will continue to receive a color-coding of RED. The Auditor Assigned will present a summary of corrective action to the Audit Director to determine the status of the significant finding(s). We will inform the appropriate VP and the VPBA of the status of the significant finding(s) based upon our follow-up work prior to submitting to UT System. The Audit Director will submit an updated Excel spreadsheet to the UT System Audit Office on a quarterly basis. 
QUALITY ASSURANCE REVIEWS GENERAL The establishment and implementation of a quality assurance program for the Office of Internal Audits is required by the Standards for the Professional Practice of Internal Auditing (Standards). In accordance with Attribute Standard 1310, Quality Program Assessments, “the internal audit activity should adopt a process to monitor and assess the overall effectiveness of the quality program. The process should include both internal and external assessments.” A quality assurance program should include the following elements: Supervision Internal reviews External reviews SUPERVISION Supervision is a continuing process. It focuses on individual audits. The assurance given should include: That staff auditors conformed to the Office's policy, Audit objectives were met, Working papers supported findings and conclusions, Work papers provide adequate information for a meaningful report, The work that was completed was in accordance with the Standards. Properly supervised audit projects are the first and, perhaps, the most important step in a program of quality assurance. INTERNAL REVIEWS Internal reviews can provide both quality assurances to the Director and training for the staff. The reviews are appraisals of how well auditors complied with the Standards and office policy. They encompass the work of both staff and Director and are an assessment of a sample of audit working papers and reports. The review should also provide recommendations for improvement. The result of this review should be beneficial in that the results are supplied to the Director regarding how well the audit work and the audit reports are documented. Also, the testing of audit projects in an external review can be reduced if the external evaluators see credible evidence of internal reviews of such or similar projects. 
Hence, the internal reviews should be carried out with the formality and discipline of any other audit examination/project through close and knowledgeable supervision and through periodic, unsparing self-assessments. As a result of this ongoing self-assessment, the Office of Internal Audits will be adequately prepared for a formal external/peer review. A Quality Assurance Review form was developed with these assurances and is located in Section H12.

EXTERNAL/PEER REVIEWS

The purpose of the external/peer review is to provide an independent assurance of quality to those who may rely on the work of the Office. The external review will be performed every three years to appraise the quality of the Internal Audit Office operation. On completion, the Office will receive a formal, written report expressing an opinion as to the Office's compliance with the Standards and, as appropriate, will include recommendations for improvement.

University of Texas Permian Basin Internal Audit Manual

SECTION D (Office Procedures)

WEEKLY TIME AND STATUS REPORTS

The Office of Internal Audits staff auditors must complete a bi-monthly time and status report. A time reporting system has been established to assist the audit staff and management in reporting actual hours worked on projects and in monitoring actual hours versus budgeted hours. The following is an example of the Auditor Time and Status Report:

TASK TIME SPREADSHEET
Aaron Munoz
Internal Audit
For February 1-15, 2009
Date 2/2/2009 2/3/2009 2/4/2009 2/5/2009 2/6/2009 2/9/2009 2/10/2009 2/11/2009 2/12/2009 2/13/2009
Task Description VPSS VPSS VPSS CEED CEED
Time on Task 4 4 4 4 3.5
VPSS CEED 4 4
VPSS VPSS 4 4
Total time for September 35.5

LEAVE REQUEST PROCEDURE

The Office of Internal Audits employees must request vacation or other leave in advance from the Director of Internal Audits. Requests to use State Compensatory Time must be in writing and approved in advance by the Director of Audits.
If the employee is unable to request time off in advance (e.g., illness, death in the family, etc.), the employee is required to notify the Director as soon as possible by calling the office main line (432) 552-2700. Employees should also contact the office main line as soon as possible when coming into the office late. If no one is available to answer, the employee should always leave a voice message. For further leave information such as jury duty; time off for voting; emergency leave; family and medical leave act; employee leave of absence without pay; and military leave, please refer to the policies issued by the Office of Human Resources found online at http://ba.utpb.edu/humanresources/hr-policies-and-procedures/ or the Handbook of Operating Procedures found online at http://www.utpb.edu/administration/operating-procedures/

TRAVEL PROCEDURE

Procedure: The Office of Internal Audits Travel Procedure supplements The University of Texas-Permian Basin (“UTPB”) with which all UTPB employees must comply.

Travel

The Office of Internal Audits staff will travel occasionally to attend professional development conferences or seminars. The mode of transportation will depend on the location of the destination and on the rates.

STATE PROPERTY PROCEDURE

The Office of Internal Audits encourages employees to use information technology to do our work in the most efficient, cost effective way. Employees are primarily responsible for identifying opportunities to enhance their performance through the use of information technology and for providing adequate stewardship of the information technology entrusted to them. Laptop computers and other related equipment are issued to all internal auditors. Each auditor is responsible for the proper care and safety of the computer and related equipment. This statement establishes policies and procedures for information technology and telephone use at the Office of Internal Audits.
For this policy, the term information technology and telephone includes, but is not limited to, the following items:

System units (including internal drives and removable cards)
Monitors and keyboards
Laptop battery packs
External disk drives
Modems and LAN adapters
Pointing devices (a mouse)
Printers
Graphics devices (projection units)
Imaging devices (scanners)
Software
CD ROM drives
Jump/Flash/USB drives (portable)
Telephone (Audix)
Fax machines
Email and Internet

Stewardship of Equipment

Auditors are not allowed to take their laptop computer off the premises unless a “Request to Remove State Property from Campus” form has been completed and approved with the required signatures. Upon signing the removal of equipment from university premises, an employee assumes responsibility for the equipment, following Texas Government Code Ann., Section 403.275, Liability for Property Loss. This form should be completed as needed or annually and be maintained in the employee files by the Secretary.

Personal Use of Computers

Incidental personal use of computers and/or software is allowed to the extent of maintaining or improving proficiency or professional development. However, no hardware, software, or data should be used for direct or indirect personal business use.

Physical Security

Each employee is responsible for ensuring that his/her work area provides reasonable physical security from unauthorized use, vandalism, or theft of computer equipment during non-working hours or when unattended. The inner office doors should be locked for each office and the main Office door should also be locked at the end of the day. Physical security includes the safeguarding of software applications and data. Employees should adequately store removable storage devices to ensure access only by authorized persons.
Compliance with Licensing Agreements It is the procedure of the Office of Internal Audits to comply with all contractual obligations contained in license agreements to which it is a party. Office of Internal Audits must register all purchased software, as applicable, with the vendor and the Office of Information Technology. Office of Internal Audits prohibits employees from duplicating, modifying, selling, trading, or otherwise distributing licensed computer software and accompanying documentation if contrary to the vendor's license agreements. Employees will not purchase or accept copies of software from any source if they know, or reasonably should have known, that the copies were made contrary to legally enforceable provisions of a vendor's license agreement. Software licensed to Office of Internal Audits should not be used on equipment other than that assigned to Office of Internal Audits unless specifically authorized by the Director of Audits. Backup of Data All Office of Internal Audits work should be maintained on the Office of Internal Audits shared network drive. If performing work off-site, it is the responsibility of the employee to make regular backup copies of all data maintained on the internal hard disk drive of their system. Backup of hard disk drive data should be made to removable disks or CDs. Backup provides a method to recover destroyed, lost or stolen data. The frequency of backup will depend on several factors, including the importance of data, frequency of data maintenance, and the number of users reaching data. Upon returning to the Office of Internal Audits, employees should immediately transfer work from their internal hard disk drives onto the shared network. 
Telephone, Fax, Email and Internet

Incidental personal use of University e-mail, a University telephone to make a local call, or the Internet, provided that the use complies with applicable University policies, UT System policies, and Regents’ Rules and Regulations, and does not result in additional cost to the University, is permissible.

ADMINISTRATIVE PROCEDURES

NEW AUDIT - PROJECT CODE

At the beginning of every audit a project code is issued. The project code template is located on the shared drive in the V:\TeamMate Backup Files folder.

PROJECT CODE FOR FY 2009 (ex: 09-FIN-XXX): 09 is the fiscal year; FIN indicates a financial audit (each audit type has a different abbreviation; these are located on ACCESS). The type of audit is determined from the audit plan. Once we have a project code, the Secretary will input it into ACCESS for time reporting purposes.

AUDIT REPORTS

After the audit is presented at the Audit Committee meeting, a final clean copy (with the draft marking removed and any changes requested by the Audit Committee made) needs to be distributed to all interested parties.

University of Texas Permian Basin Internal Audit Manual

SECTION E (Rules and Regulations)

GOVERNMENT CODE
TITLE 10. GENERAL GOVERNMENT
SUBTITLE C. STATE ACCOUNTING, FISCAL MANAGEMENT, AND PRODUCTIVITY
CHAPTER 2102. INTERNAL AUDITING

Sec. 2102.001. SHORT TITLE. This chapter may be cited as the Texas Internal Auditing Act. Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993.

Sec. 2102.002. PURPOSE. The purpose of this chapter is to establish guidelines for a program of internal auditing to assist agency administrators and governing boards by furnishing independent analyses, appraisals, and recommendations about the adequacy and effectiveness of a state agency's systems of internal control policies and procedures and the quality of performance in carrying out assigned responsibilities.
Internal auditing is defined as an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts 2003, 78th Leg., ch. 380, Sec. 1, eff. Sept. 1, 2003. Sec. 2102.003. DEFINITIONS. In this chapter: (1) "Administrator" means the executive head of a state agency. (2) "Assurance services" means an examination of evidence for the purpose of providing an independent assessment of risk management, control, or governance processes for an organization. Assurance services include audits as defined in this section. (3) "Audit" means: (A) a financial audit described by Section 321.0131; (B) a compliance audit described by Section 321.0132; (C) an economy and efficiency audit described by Section 321.0133; (D) an effectiveness audit described by Section 321.0134; or (E) an investigation described by Section 321.0136. (4) "Consulting services" means advisory and related client service activities, the nature and scope of which are agreed upon with the client and are intended to add value and improve an organization's operations. Consulting services include counsel, advice, facilitation, and training. (5) "State agency" means a department, board, bureau, institution, commission, or other agency in the executive branch of state government. Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts 1997, 75th Leg., ch. 1122, Sec. 11, eff. Sept. 1, 1997; Acts 2003, 78th Leg., ch. 380, Sec. 2, eff. Sept. 1, 2003. Sec. 2102.004. APPLICABILITY. 
(a) Sections 2102.005-2102.012 apply only to a state agency that: (1) has an annual operating budget that exceeds $10 million; (2) has more than 100 full-time equivalent employees as authorized by the General Appropriations Act; or (3) receives and processes more than $10 million in cash in a fiscal year. (b) Sections 2102.013 and 2102.014 apply to each state agency that receives an appropriation and that is not described by Subsection (a). Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts 2001, 77th Leg., ch. 804, Sec. 1, eff. Sept. 1, 2001; Acts 2003, 78th Leg., ch. 291, Sec. 1, eff. June 18, 2003. Sec. 2102.005. INTERNAL AUDITING REQUIRED. A state agency shall conduct a program of internal auditing that includes: (1) an annual audit plan that is prepared using risk assessment techniques and that identifies the individual audits to be conducted during the year; and (2) periodic audits of the agency's major systems and controls, including: (A) accounting systems and controls; (B) administrative systems and controls; and (C) electronic data processing systems and controls. Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts 1997, 75th Leg., ch. 1122, Sec. 12, eff. Sept. 1, 1997. Sec. 2102.006. INTERNAL AUDITOR; STAFF. (a) The governing board of a state agency or the administrator of a state agency that does not have a governing board shall appoint an internal auditor. (b) An internal auditor must: (1) be a certified public accountant or a certified internal auditor; and (2) have at least three years of auditing experience. (c) The state agency shall employ additional professional and support staff the administrator determines necessary to implement an effective program of internal auditing. 
(d) The governing board of a state agency, or the administrator of a state agency if the state agency does not have a governing board, shall periodically review the resources dedicated to the internal audit program and determine if adequate resources exist to ensure that risks identified in the annual risk assessment are adequately covered within a reasonable time frame. Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts 2001, 77th Leg., ch. 804, Sec. 2, eff. Sept. 1, 2001; Acts 2003, 78th Leg., ch. 380, Sec. 3, eff. Sept. 1, 2003. Sec. 2102.007. DUTIES OF INTERNAL AUDITOR. (a) The internal auditor shall: (1) report directly to the state agency's governing board or the administrator of the state agency if the state agency does not have a governing board; (2) develop an annual audit plan; (3) conduct audits as specified in the audit plan and document deviations; (4) prepare audit reports; (5) conduct quality assurance reviews in accordance with professional standards as provided by Section 2102.011 and periodically take part in a comprehensive external peer review; and (6) conduct economy and efficiency audits and program results audits as directed by the state agency's governing board or the administrator of the state agency if the state agency does not have a governing board. (b) The program of internal auditing conducted by a state agency must provide for the auditor to: (1) have access to the administrator; and (2) be free of all operational and management responsibilities that would impair the auditor's ability to review independently all aspects of the state agency's operation. Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts 2001, 77th Leg., ch. 804, Sec. 3, eff. Sept. 1, 2001. Sec. 2102.008. APPROVAL OF AUDIT PLAN AND AUDIT REPORT. 
The annual audit plan developed by the internal auditor must be approved by the state agency's governing board or by the administrator of a state agency if the state agency does not have a governing board. Audit reports must be reviewed by the state agency's governing board and the administrator. Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts 2001, 77th Leg., ch. 804, Sec. 4, eff. Sept. 1, 2001. Sec. 2102.009. ANNUAL REPORT. The internal auditor shall prepare an annual report and submit the report before November 1 of each year to the governor, the Legislative Budget Board, the Sunset Advisory Commission, the state auditor, the state agency's governing board, and the administrator. The state auditor shall prescribe the form and content of the report, subject to the approval of the legislative audit committee. Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts 1997, 75th Leg., ch. 1122, Sec. 13, eff. Sept. 1, 1997. Sec. 2102.0091. REPORTS OF PERIODIC AUDITS. (a) A state agency shall file with the Sunset Advisory Commission, the budget division of the governor's office, the state auditor, and the Legislative Budget Board a copy of each report submitted to the state agency's governing board or the administrator of the state agency if the state agency does not have a governing board by the agency's internal auditor. (b) Each report shall be filed not later than the 30th day after the date the report is submitted to the state agency's governing board or the administrator of the state agency if the state agency does not have a governing board. 
(c) In addition to the requirements of Subsection (a), a state agency shall file with the budget division of the governor's office, the state auditor, and the Legislative Budget Board any action plan or other response issued by the state agency's governing board or the administrator of the state agency if the state agency does not have a governing board in response to the report of the state agency's internal auditor. Added by Acts 1999, 76th Leg., ch. 281, Sec. 7, eff. Sept. 1, 1999. Amended by Acts 2001, 77th Leg., ch. 804, Sec. 4, eff. Sept. 1, 2001. Sec. 2102.010. CONSULTATIONS. An internal auditor may consult the state agency's governing board or the administrator of the state agency if the state agency does not have a governing board, the governor's office, the state auditor, and legislative agencies or committees about matters affecting duties or responsibilities under this chapter. Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts 2001, 77th Leg., ch. 804, Sec. 4, eff. Sept. 1, 2001. Sec. 2102.011. INTERNAL AUDIT STANDARDS. The internal audit program shall conform to the Standards for the Professional Practice of Internal Auditing, the Code of Ethics contained in the Professional Practices Framework as promulgated by the Institute of Internal Auditors, and generally accepted government auditing standards. Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts 2003, 78th Leg., ch. 380, Sec. 4, eff. Sept. 1, 2003. Sec. 2102.012. PROFESSIONAL DEVELOPMENT. (a) Subject to approval by the legislative audit committee, the state auditor may make available and coordinate a program of training and technical assistance to ensure that state agency internal auditors have access to current information about internal audit techniques, policies, and procedures and to provide general technical and audit assistance to agency internal auditors on request. 
(b) The state auditor is entitled to reimbursement for costs associated with providing the services under the terms of interagency cooperation contracts negotiated between the state auditor and each agency. The costs may not exceed those allowed by the General Appropriations Act. Work performed under this section by the state auditor is subject to approval by the legislative audit committee for inclusion in the audit plan under Section 321.013(c). Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts 2003, 78th Leg., ch. 785, Sec. 33, eff. Sept. 1, 2003. Sec. 2102.013. ANNUAL RISK ASSESSMENT; REPORT. (a) A state agency described by Section 2102.004(b) shall conduct each year a formal risk assessment consisting of an executive management review of agency functions, activities, and processes. (b) The risk assessment must: (1) evaluate the probability of occurrence and the likely effect of financial, managerial, and compliance risks and of risks related to the use of information technology; and (2) rank risks according to the probability of occurrence and likely effect of the risks evaluated. (c) The state agency shall submit the written risk assessment to the state auditor in the form and at the time prescribed by the state auditor. Added by Acts 2003, 78th Leg., ch. 291, Sec. 2, eff. June 18, 2003. Sec. 2102.014. EVALUATION OF RISK ASSESSMENT REPORTS; AUDITS. (a) Based on risk assessment and subject to the legislative audit committee's approval of including the work described by this subsection in the audit plan under Section 321.013(c), the state auditor shall: (1) evaluate each report submitted under Section 2102.013; (2) identify agencies with significant financial, managerial, or compliance risk or significant risk related to the use of information technology; and (3) recommend to the governor that the identified agencies obtain an audit to address the significant risks identified by the state auditor. 
(b) The governor may order an agency identified under this section to: (1) obtain an audit under governmental auditing standards; (2) submit reports and corrective action plans as prescribed by Section 2102.0091; and (3) report to the state auditor the status of the agency's implementation of audit recommendations in the form and addressing issues as prescribed by the state auditor. (c) The governor may provide funds to agencies as necessary to pay the costs of audits ordered under this section from any funds appropriated to the governor for this purpose. Added by Acts 2003, 78th Leg., ch. 291, Sec. 2, eff. June 18, 2003. Regents' Rules & Regulations The Rules and Regulations of the Board of Regents of The University of Texas System for the Government of The University of Texas System were reissued on December 10, 2004. A Disposition Table is available to assist in locating rules as they existed in the Regents' Rules and Regulations prior to December 10, 2004. Also, a Summary of the Significant Changes to the Regents' Rules is available. The official copy of the Regents' Rules and Regulations is maintained by the Office of the Board of Regents. 
Rules and Regulations Table of Contents: Series 10000: Board Governance Series 20000: Administration Series 30000: Personnel Series 40000: Academic Issues Series 50000: Student Issues Series 60000: Development Series 70000: Investments Series 80000: Facilities Series 90000: Intellectual Property Series 10000: Board Governance Rule 10100 Rule on Rules and Regulations Rule 10101 Authority Rule 10102 Chairman and Vice Chairmen (last amended 11/9/07) Rule 10201 General Counsel to the Board of Regents (last amended 11/9/07) Rule 10401 Meetings of the Board and Standing Committees (last amended 8/10/06) Rule 10402 Committees and Other Appointments (last editorial amendment 3/17/08) Rule 10403 Procedure (last amended 8/11/05) Rule 10501 Delegation to Act on Behalf of the Board (last amended 11/13/08) Rule 10601 Guidelines for the Santa Rita Award Rule 10701 Policy Against Discrimination (last editorial amendment 8/25/08) Series 20000: Administration Rule 20101 Chancellor (last editorial amendment 3/17/08) Rule 20102 Appointment of Officers Rule 20201 Presidents (last amended 8/23/07) Rule 20202 Cash Compensation for Chief Administrative Officers (last amended 8/10/06) Rule 20203 Compensation for Key Executives (last amended 8/10/06) Rule 20204 Determining and Documenting the Reasonableness of Compensation (last editorial amendment 3/18/08) Rule 20205 Expenditures for Travel, Entertainment, and Housing by Chief Administrators (last editorial amendment 3/17/08) Rule 20301 Honorary Titles and Degrees Rule 20401 Audit and Compliance (last editorial amendment 3/17/08) Rule 20402 Provision of Audit and Non-Audit Services by External Firms Rule 20501 Accounting, Operating Budgets, and Legislative Appropriation Requests Rule 20601 Aircraft Use Rule 20701 Use of Historically Underutilized Businesses (last editorial amendment 3/18/08) Rule 20801 Travel Rule 20901 Procurement of Certain Goods and Services (last amended 2/8/07) Series 30000: Personnel Rule 30101 Classified Personnel
Pay Plan (last amended 2/10/05) Rule 30102 General Appointment Information Rule 30103 Standards of Conduct Rule 30104 Conflict of Interest (last editorial amendment 4/17/08) Rule 30105 Sexual Harassment and Misconduct Rule 30106 Nepotism Rule 30107 Veteran's Employment Preferences Rule 30112 Training and Education Rule 30201 Leave Policies (last editorial amendment 4/1/08) Rule 30202 Employee Benefits (last amended 11/13/08) Rule 30203 Sick Leave Pool Rule 30301 Employment of Retirees Rule 30401 Employee and Faculty Advisory Councils Rule 30501 Employee Evaluations Rule 30601 Discipline and Dismissal of Classified Employees (last amended 11/9/07) Rule 30602 Employee Grievance Rule 31001 Faculty Appointments and Titles (last editorial amendment 2/3/09) Rule 31002 Notice of Nonrenewal to Nontenured Faculty Members (last amended 8/23/07) Rule 31003 Abandonment of Academic Positions or Programs Rule 31004 Rights and Responsibilities of Faculty Members Rule 31005 Faculty or Staff Absence Rule 31006 Academic Workload Requirements Rule 31007 Tenure (last amended 8/23/07) Rule 31008 Termination of a Faculty Member (last amended 2/12/09) Rule 31101 Evaluation of Administrators (last amended 2/9/06) Rule 31102 Evaluation of Tenured Faculty Series 40000: Academic Issues Rule 40101 Faculty Role in Educational Policy Formulation Rule 40201 Registered Organizations Rule 40301 General Admission Policy Rule 40302 Provisional Admission Policy Rule 40303 Establishing Both Admission Policies and Criteria for Award of Scholarships and Fellowships (last editorial amendment 9/16/08) Rule 40304 Affirmative Action Plans (last editorial amendment 2/12/08) Rule 40305 Coordinated Admission Program Rule 40306 Summer Enrollment Plan Rule 40307 Academic Program Approval Standards (last amended 7/14/06) Rule 40308 Review of Excess Core Curricula Rule 40309 Administration of Courses Offered in Shortened Format Rule 40310 Accessibility of Teacher Certification Courses Rule 40311 Graduate Education
Rule 40401 Assessment, Collection, and Waiver of Tuition and Fees (last editorial amendment 9/17/08)
Rule 40402 Emergency Student Loan Program for Tuition and Fees
Rule 40403 Fees for Continuing Education Courses (last editorial amendment 9/17/08)
Rule 40404 Tuition Rates for Students Residing in Certain Counties and States and Attending Certain Institutions (last editorial amendment 9/17/08)
Rule 40405 Tuition Rates for Undergraduate Students with Excessive Semester Credit Hours (last editorial amendment 9/17/08)
Rule 40406 Administration of Scholarships
Rule 40407 Texas Public Education Grants/Loan Program
Rule 40501 Speech and Assembly
Rule 40502 Negotiations Related to Disruptive Activities Prohibited
Rule 40601 Institutions Comprising The University of Texas System (last amended 8/14/08)
Rule 40602 Organized Research Units
Rule 40701 Medical and Hospital Services
Rule 40703 Healthcare Risk Management
Rule 40801 Official Seal, Colors, Logo, and Mascot
Rule 40901 Charter Schools
Rule 40902 Guidelines for Cooperative Use of Courses and Facilities with Texas A&M University

Series 50000: Student Issues
Rule 50101 Student Conduct and Discipline (last amended 8/14/08)
Rule 50201 Student Advisory Council
Rule 50202 Student Organizations
Rule 50203 Participation in Student Government
Rule 50301 Off-Campus Student Housing
Rule 50302 Student Participation in Selection and Monitoring of Food Service Contractors
Rule 50303 Debts of Students
Rule 50304 Student Debit Cards
Rule 50305 Employment of a Student's Attorney
Rule 50401 Immunization of Students Against Hepatitis B
Rule 50402 Health Insurance Requirements for Certain International Students (last editorial amendment 2/4/08)
Rule 50403 Student Health Insurance Requirement
Rule 50501 Liability Insurance for Students
Rule 50601 Student Travel
Rule 50701 Visiting U. T.
System Students Program

Series 60000: Development
Rule 60101 Acceptance and Administration of Gifts (last amended 11/13/08)
Rule 60102 Fees for Endowment Administration and Management (last amended 10/12/07)
Rule 60103 Guidelines for Acceptance of Gifts of Real Property
Rule 60201 Administration of Fellowships, Scholarships, and Loan Funds
Rule 60202 Endowed Academic Positions
Rule 60301 Development Board of an Institution (last amended 11/9/07)
Rule 60302 Advisory Councils of an Institution (last amended 8/10/06)
Rule 60304 Internal Nonprofit Corporations
Rule 60305 External Nonprofit Corporations
Rule 60306 Use of University Resources

Series 70000: Investments
Rule 70101 Authority to Accept and Manage Assets
Rule 70201 Investment Policies (last editorial amendment 4/23/08)
Rule 70202 Interest Rate Swap Policy (last amended 8/23/07)
Rule 70301 Matters Relating to Real Property (last editorial amendment 12/5/08)
Rule 70401 Oversight Responsibilities for UTIMCO

Series 80000: Facilities
Rule 80101 Category of Facilities and Authorized Users
Rule 80102 Alcoholic Beverages
Rule 80103 Solicitation (last amended 5/15/08)
Rule 80104 Use of Facilities
Rule 80105 Joint Sponsorship of the Use of Property or Buildings (last editorial amendment 6/4/08)
Rule 80106 Special Use Facilities (last editorial amendment 5/27/08)
Rule 80107 Filming Motion Pictures or Television Productions (last editorial amendment 5/5/08)
Rule 80108 Use of Facilities for Weddings
Rule 80109 Parking and Traffic Regulations (last editorial amendment 3/18/08)
Rule 80110 Protection of Artificial Bodies of Water and Other Property
Rule 80111 Smoke Free Facilities
Rule 80112 Residential Conference Centers
Rule 80201 Disposal of U. T.
System Property (last amended 8/11/05)
Rule 80301 Capital Improvement Program (last amendment 5/15/08, effective 7/1/08)
Rule 80302 Building Committees (last amended 11/9/07)
Rule 80303 Use of the Available University Fund (last amendment 8/14/08)
Rule 80305 Debt Policy
Rule 80307 Naming Policy (last amended 8/23/07)
Rule 80308 Inscriptions on Building Plaques
Rule 80401 Prevailing Wage Rates
Rule 80402 Major Construction and Repair and Rehabilitation Projects (last editorial amendment 12/5/08)
Rule 80403 Minor Construction and Repair and Rehabilitation Projects (last editorial amendment 12/5/08)
Rule 80404 Institutional Management of Major Construction and Repair and Rehabilitation Projects (last amendment 5/15/08, effective 7/1/08)
Rule 80501 Utility Easements
Rule 80601 Property and Casualty Insurance and Surety Bonds (last amended 2/10/05)
Rule 80702 Indirect Cost Recoveries
Rule 80801 Flags
Rule 80901 Constitutional and Legislative Restrictions on Capital Improvements

Series 90000: Intellectual Property
Rule 90101 Rules for Intellectual Property: Purpose, Scope, Authority (last amended 2/8/07)
Rule 90102 Intellectual Property Rights and Obligations (last amended 2/8/07)
Rule 90103 Equity Interests (last amended 2/8/07)
Rule 90104 Business Participation and Reporting (last amended 2/8/07)
Rule 90105 Execution of Legal Documents Related to Intellectual Property (last amended 2/8/07)
Rule 90106 Income from Intellectual Property

Regents' Rule and Regulation

1. Series: 20401 Title: Audit and Compliance

2. Rule and Regulation

Sec. 1 Audit. The Chancellor, as chief executive officer of the U. T. System, is responsible for ensuring the implementation of appropriate audit procedures for the U. T. System. Accordingly, the Chief Audit Executive prepares an executive summary of all internal audit activity by the U. T. System internal auditors and the institutional internal auditors for the Chancellor.

1.1 Chief Audit Executive. The U. T.
System Chief Audit Executive is responsible for coordinating the effective auditing of the U. T. System as set out in Section 1.1 (b) below. The Chief Audit Executive provides audit assistance to the Chancellor, the Executive Vice Chancellors, and the Vice Chancellors in the exercise of their responsibilities.

(a) The Chief Audit Executive shall be appointed by the Audit, Compliance, and Management Review Committee after nomination by the Chancellor. The Chief Audit Executive shall hold office without fixed term, subject to the pleasure of the Chancellor. The Chancellor's actions regarding the Chief Audit Executive are subject to review and approval by the Audit, Compliance, and Management Review Committee.

(b) The primary responsibilities of the Chief Audit Executive include developing a Systemwide internal audit plan based on a Systemwide risk assessment and coordinating the implementation of this plan with the institutional internal auditors. This Systemwide audit plan is submitted to the Audit, Compliance, and Management Review Committee for review and approval after the Chancellor's review and approval. Responsibilities of the Chief Audit Executive also include conducting audits of the System including the revenue produced from the Permanent University Fund lands and formulating policies for the internal audit activity at each institution.

1.2 The U. T. System internal auditors are the internal auditors for the U. T. System and augment the audit work of the institutional internal auditor and the State Auditors at the institutions of the U. T. System.

Sec. 2 Compliance. The Chancellor, as chief executive officer of the U. T. System, is responsible for ensuring the implementation of a compliance program for the U. T. System. Accordingly, the Systemwide Compliance Officer prepares an executive summary of all compliance activity of the institutions, UTIMCO, and System Administration.

2.1 Systemwide Compliance Officer.
The Systemwide Compliance Officer is responsible, and will be held accountable for, apprising the Chancellor and the Audit, Compliance, and Management Review Committee of the institutional compliance functions and activities at System Administration, UTIMCO, and at each of the institutions as set out in Section 2.1 (b) below. The Systemwide Compliance Officer provides institutional compliance assistance to the Chancellor, the Executive Vice Chancellors, the Vice Chancellors, and the Chief Compliance Officer of UTIMCO in the exercise of their responsibilities.

(a) The Systemwide Compliance Officer shall be appointed by the Chancellor. The Systemwide Compliance Officer is the senior compliance official of the U. T. System; provides assistance and advice covering all institution, UTIMCO, and System Administration compliance programs; and shall hold office without fixed term, subject to the pleasure of the Chancellor.

(b) The primary responsibilities of the Systemwide Compliance Officer include developing an infrastructure for the effective operation of the U. T. System Institutional Compliance Program; chairing the Systemwide Compliance Committee and the Compliance Officers Council; and prescribing the format for the annual risk based compliance plan and the quarterly compliance status reports to be submitted by each institution, UTIMCO, and System Administration.

3. Definitions
None

4. Relevant Federal and State Statutes
None

5. Relevant System Policies, Procedures, and Forms
None

6. Who Should Know
Administrators
Internal Audit

7. System Administration Office(s) Responsible for Rule
Audit Office

8. Dates Approved or Amended
Editorial amendments made March 17, 2008
December 10, 2004

9.
Contact Information
Questions or comments regarding this rule should be directed to: bor@utsystem.edu

University of Texas System Policy Library Home

The University of Texas System Policy Library is the official repository of all current system-wide and System Administration internal policies. In addition to a keyword search and full-text search, we have provided five other ways to browse our collection of policies: subject index, alphabetical index, policy number index, office index, and keyword index.

There are two categories of policy numbers. One group of policies affects the entire UT System and System Administration, and this group of policies is preceded by the letters UTS in front of the policy number. The other set of policies applies to UT System Administration internally, and this set of policies is preceded by the letters INT.

UT System Administration Policy Library – Policy UTS129 Internal Audit Activities
Responsible Officer: General Counsel to the Board of Regents
Sponsoring Office: System Audit Office
Effective Date: February 16, 2004
Last Reviewed: February 18, 2009
Next Scheduled Review: August 1, 2011

POLICY STATEMENT
The purpose of an internal auditing program is to assist the Board of Regents and institution administrators to accomplish System objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal auditing is recognized as a highly regarded professional management support and control activity by the Texas Internal Auditing Act (Chapter 2102, Government Code) and by the Board of Regents' Rules and Regulations, Rules 10402 and 20401.

RATIONALE
The guidelines contained in this UTS establish a System-wide program to furnish independent analyses, appraisals and recommendations about the adequacy and effectiveness of the System’s internal control policies and procedures and the quality of performance in carrying out assigned responsibilities.
SCOPE
All institutions and UT System Administration

WEBSITE ADDRESS FOR THIS POLICY
http://www.utsystem.edu/policy/policies/uts129.html

RELATED STATUTES, POLICIES, REQUIREMENTS OR STANDARDS
UT System Administration Policies & Standards
Other Statutes, Policies & Standards
UTS 129 Internal Audit Activities
Board of Regents’ Rules and Regulations, Rule 10201
Board of Regents’ Rules and Regulations, Rule 10402
Board of Regents’ Rules and Regulations, Rule 20402
Texas Government Code, Chapter 2102
Institute of Internal Auditors, Standards for the Professional Practice of Internal Auditing
Institute of Internal Auditors, Code of Ethics
Government Accountability Office, Generally Accepted Government Auditing Standards

RESPONSIBILITIES

Audit, Compliance and Management Review Committee of the Board of Regents
Performs duties outlined in the Board of Regents’ Rules and Regulations, Rule 10402, Section 1.6.
Appoints the System Chief Audit Executive.

General Counsel of the Board of Regents
Supervises the System Audit Office as described in the Board of Regents’ Rules and Regulations, Rule 10201, Section 3.

System Administration Internal Audit Committee
Approves, maintains, and adheres to the audit committee charter.
Approves, maintains, and oversees an internal audit charter of the System Audit Office modeled after the System-wide charter.

Chancellor
Nominates the System Chief Audit Executive.
Chairs the System Administration Audit Committee (or designates a chair) and ensures the audit committee adheres to the audit committee charter.
Selects outside members of the System Administration Audit Committee.

System Audit Office
Directed by System Chief Audit Executive who reports functionally to the Audit, Compliance, and Management Review Committee (ACMR) of the Board of Regents and administratively to the General Counsel of the Board of Regents.
The System Chief Audit Executive provides ACMR and the System Administration Internal Audit Committee with a written summary of System audit activity on a quarterly basis.
Fulfills the audit function for System Administration, provides temporary staffing to institutions when a shortage occurs, and provides oversight and coordination of the System-wide internal audit function.
Oversees System-wide audits requested by the ACMR including establishing the audit program, providing guidance and direction on executing the program, reviewing the work performed, reporting results to ACMR, and evaluating the performance of the internal auditors.
The System Audit Office will perform an audit of the institutional Presidents’ offices on a rotating five year basis.

Institutional Internal Audit Committee
Approves, maintains, and adheres to an audit committee charter.
Approves, maintains, and oversees the internal audit charter of the Internal Auditor modeled after the System-wide internal audit charter.

UT System President
Chairs the Institutional Internal Audit Committee (or designates a chair) and ensures that the Institutional Internal Audit Committee adheres to the audit committee charter.
Selects and recommends outside members of the Institutional Internal Audit Committee for approval by the appropriate Executive Vice Chancellor and System Chief Audit Executive.

Internal Auditor
Reports functionally to the institution President and to the Institutional Internal Audit Committee. May report administratively to another senior executive.
Provides an executive summary of the significant issues discussed at the Internal Audit Committee meetings to their respective Executive Vice Chancellor (i.e. Academic Affairs or Health Affairs).
Has an indirect reporting relationship to the System Chief Audit Executive who is responsible for the oversight and coordination of the System-wide internal audit activity.
May have a direct reporting relationship to the System Chief Audit Executive for Systemwide audits requested by ACMR.
Addresses audit reports to the Institutional Internal Audit Committee by means of an executive summary and/or full report.
Forwards audit report to the appropriate Executive Vice Chancellor, System Chief Audit Executive, and appropriate state agencies.

Internal Audit Council
Facilitates communication and the sharing of ideas, audit plans, and programs among the institutions' internal auditors.

PROCEDURES

A System-wide internal audit charter (Exhibit A) has been developed as recommended in the Standards for the Professional Practice of Internal Auditing. Each institution and System Administration should also have an audit charter modeled after the System-wide charter and approved by the Institutional Internal Audit Committee or System Administration Internal Audit Committee. The institutional internal audit charter should be distributed in the same manner as all institutional-wide policies or procedures. In the charter, the singular term "Internal Auditor" refers to the entire internal audit department or staff.

Responsibilities and relationships of UT System management, the institutions, and committees are described in The UT System Internal Audit Reporting Structure (Exhibit D). The relationship with the institutional compliance function is described in Exhibit E.

The audit report format recommended by the System Audit Office is included as Exhibit B. All audit reports should be addressed to the President and/or the Institutional Internal Audit Committee by means of an executive summary. After the President and/or the Institutional Internal Audit Committee have reviewed/approved the report, the executive summary and the audit report should be forwarded to the appropriate Executive Vice Chancellor, System Audit Office, and appropriate state agencies.
The System Audit Office will provide the ACMR and the System Administration Internal Audit Committee with a written summary of all audit activity on a quarterly basis.

The guidance for the staffing level for internal auditors based upon total expenditures is attached as Exhibit C.

Section 2102.006(b) of the Texas Internal Auditing Act sets qualifications for the Director of Internal Audit as one "who shall be either a certified public accountant or a certified internal auditor and who shall have at least three years of auditing experience." The Standards for the Professional Practice of Internal Auditing, which must be followed under the Texas Internal Auditing Act, require the appointment of a chief audit executive. The Chancellor recommends and the ACMR appoints the System Chief Audit Executive.

The UT System Audit Office may, in consultation with the institutional President or designee, temporarily provide direct audit assistance to an institution when one or more of the following circumstances exist: no institutional internal audit staff is available; a temporary or ongoing institutional audit staff shortage exists in accordance with commonly defined audit needs; or occasional or unusual auditing is required beyond local institutional capacity. Funding for such audit assistance is normally an institutional responsibility but payment for such temporary assistance will be determined on a case-by-case basis dependent on the budget or audit circumstances requiring the assistance. When audit assistance is provided to an institution, the auditor(s) will report to the institution President, unless audit circumstances dictate otherwise.

The Internal Audit Council facilitates communication and the sharing of ideas, audit plans, and programs among the institutions' internal auditors. The System Chief Audit Executive is chairman of this Council, and membership is composed of the internal auditor directors from each of the institutions.
The Council meets from time to time as circumstances require, and all members are expected to attend. The members may invite their assistant directors, managers, supervisors, and staff to attend from time to time.

FORMS AND TOOLS/ONLINE PROCESSES
(Exhibit A) System-wide Internal Audit Charter
(Exhibit B) Standard Audit Report Format
(Exhibit C) Internal Audit Staffing Level
(Exhibit D) Reporting Structure
(Exhibit E) Internal Audit's Relationship to the Institutional Compliance Function

UT System Administration Policy Library – Policy UTS118 Statement of Operating Policy Pertaining to Dishonest or Fraudulent Activities
Responsible Officer: Executive Vice Chancellor for Business Affairs
Sponsoring Office: System Audit Office
Effective Date: February 4, 2002
Last Reviewed: April 2, 2009
Next Scheduled Review: April 3, 2009

POLICY STATEMENT
Each institution has established reporting structures and responsibilities within their institution. The purpose of this statement is to establish System policy regarding internal investigations of suspected defalcation, misappropriation and other fiscal irregularities which is supplemental to the internal administrative policies established at each institution.

RATIONALE
Good business practice dictates that every suspected defalcation, misappropriation and other fiscal irregularity be promptly identified and investigated.

RESPONSIBILITIES

Management
Establishes and maintains a system of internal control that provides reasonable assurance that improprieties are prevented and detected.
Supports the System's fiduciary responsibilities and cooperates with law enforcement agencies in the detection, investigation, and reporting of criminal acts, including prosecution of offenders.

Office of Internal Audit
Supervises all audits of allegations of defalcation, misappropriation and other fiscal irregularities.
Coordinates assistance provided to state, federal, and local law enforcement agencies.
Assists the University Police in investigations of suspected defalcation, misappropriation and other fiscal irregularities that require accounting and auditing knowledge of System records.
Keeps its workpapers secure and limits access to only those individuals designated by the Director of Internal Audit.
Receives relevant information on a confidential basis, subject to the provisions of the Texas Public Information Act.
Reviews each investigation to determine if additional work needs to be done in order to provide the Audit Committee and management with a basis for taking any corrective action necessary.

Director of Internal Audit
When appropriate, notifies the Chief Administrative Officer or his or her designee when an audit involves allegations or reveals suspected criminal activity which may constitute a felony offense.
Consults with the Office of General Counsel or institution legal advisors about all requests for information and assistance related to investigations conducted by auditors of federal and state agencies.

Chief Administrative Officer
Notifies the appropriate Executive Vice Chancellor of criminal activity, as appropriate.

University Police
Makes the Director of Police aware of all felony fraud investigations and keeps him or her up to date.
Coordinates criminal investigation once probable criminal activity has been detected.

Chief Business Officer
Notifies the Executive Vice Chancellor of Business Affairs as soon as it is known that a loss has occurred for approval of all insurance and fidelity bond claims.
Institution Legal Advisors
Coordinates assistance provided to state, federal, and local law enforcement agencies.

Office of General Counsel
Coordinates assistance provided to state, federal, and local law enforcement agencies.

Reporting Individual
Avoids incorrect accusations, avoids alerting suspected individuals that an audit is underway, or avoids making statements that could provide a basis for a suit for false accusation or other offenses.

PROCEDURES

1. General

1.1 The terms defalcation, misappropriation, and other fiscal irregularities include but are not limited to any:
a) Dishonest, illegal, or fraudulent act involving System property;
b) Forgery or alteration of checks, drafts, promissory notes, and securities;
c) Forgery or alteration of employee benefit or salary related items such as time cards, billings, claims, surrenders, assignments, or changes in beneficiary;
d) Forgery or alteration of medical related items such as reports, charts, prescriptions, x-rays, billings, or claims;
e) Forgery or alteration by employees, of student related items such as grades, transcripts, loans, or fee or tuition documents;
f) Misappropriation of funds, securities, supplies, or any other asset;
g) Illegal or fraudulent handling or reporting of money transactions;
h) Acceptance or solicitation of any gift, favor, or service that might reasonably tend to influence the employee in the discharge of his or her official duties; or
i) Destruction or disappearance of records, furniture, fixtures, or equipment where theft is suspected.

1.2 Allegations involving scientific misconduct will be handled in accordance with the controlling institutional policies based upon the OGC Model Policy entitled "Procedure for Dealing with Allegations of Misconduct in Science".

1.3 Management shall establish and maintain a system of internal control that provides reasonable assurance that improprieties are prevented and detected.
Each manager must be familiar with the types of improprieties that might occur in his or her area and be alert for any indication that such a defalcation, misappropriation or other fiscal irregularity has occurred.

1.4 Management must support the System's fiduciary responsibilities and must cooperate with law enforcement agencies in the detection, investigation, and reporting of criminal acts, including prosecution of offenders. Every effort should be made to recover System losses.

1.5 The Office of Internal Audit must supervise all audits of allegations of defalcation, misappropriation, and other fiscal irregularities. When an audit reveals suspected criminal activity, or an audit is initiated due to an allegation of criminal activity, the University Police must be notified immediately.

1.6 When an audit involves allegations or reveals suspected criminal activity which may constitute a felony offense, the Director of Internal Audit shall, when appropriate, immediately notify the Chief Administrative Officer, or his or her designee, and then notification must be given to the System Director of Audits. The Director of Internal Audit shall consult with institution legal advisors or the Office of General Counsel, and the Office of General Counsel must be kept informed regarding the progress of the audit.

1.7 The Chief Administrative Officer shall notify the appropriate Executive Vice Chancellor of criminal activity, as appropriate.

1.8 The Director of Police must be made aware of all felony fraud investigations, and must be kept current by University Police of the progress of investigations conducted by institution police departments.

1.9 In accordance with the Board of Regents' Rules and Regulations, Rule 80601, the appropriate Chief Business Officer will notify the Executive Vice Chancellor of Business Affairs as soon as it is known that a loss has occurred for approval of all insurance and fidelity bond claims.
1.10 The Office of Internal Audit, University Police, institution legal advisors, and the Office of General Counsel must coordinate assistance provided to state, federal, and local law enforcement agencies. All requests for information or assistance from such agencies that are received by other areas shall be immediately forwarded to the University Police for determination and handling. All reasonable assistance must be given to law enforcement agencies when requested.

1.11 All requests for information and assistance related to investigations conducted by auditors of federal and state agencies that are concerned with potential dishonest or fraudulent activities within the System, shall also be forwarded immediately to the Director of Internal Audit who shall consult with the Office of General Counsel, or with institution legal advisors who shall notify the Office of General Counsel.

1.12 In order to avoid the use of investigatory techniques that might prevent evidence from being used in a criminal prosecution, University Police must coordinate the criminal investigation once probable criminal activity has been detected. The Office of Internal Audit shall assist the University Police in investigations of suspected defalcation, misappropriation, and other fiscal irregularities that require accounting and auditing knowledge of System records.

1.13 The Office of Internal Audit must keep its workpapers secure and limit access to only those individuals designated by the Director of Internal Audit.

1.14 The Office of Internal Audit must be available and receptive to receiving relevant information on a confidential basis, subject to the provisions of the Texas Public Information Act. Employees and students may directly contact the Director of Internal Audit, the Compliance Officer, the University Police, or executive management whenever an activity is suspected to be dishonest or fraudulent.
The reporting individual should not attempt to personally conduct investigations or interviews/interrogations in order to determine whether or not a suspected activity is improper.

1.15 In order to avoid damaging the reputations of innocent persons initially suspected of wrongful conduct, and to protect the System from potential civil liability, the results of audits or investigations may not be disclosed or discussed with anyone other than authorized representatives of law enforcement or regulatory agencies and only those persons associated with the System who have a legitimate need to know such results in order to perform their duties and responsibilities, subject to the provisions of the Texas Public Information Act.

2. Audits/Investigations

2.1 Audits revealing violations of the Penal Code for which an audit report will be issued should be reduced to final report form only after consultation by University Police with the local prosecutor or the Office of General Counsel to ensure that appropriate documentation of the facts has been achieved in order to permit appropriate personnel action, protect innocent persons, support appropriate civil or criminal actions, document claims made pursuant to applicable fidelity bonds, preserve the integrity of the criminal investigation and prosecution, and avoid unnecessary litigation.

2.2 Great care must be taken in the investigation of suspected improprieties or irregularities so as to avoid incorrect accusations or alerting suspected individuals that an audit is underway and also to avoid making statements which could provide a basis for a suit for false accusation or other offenses.
Accordingly, the reporting individual should not:

2.3 Contact the suspected individual to determine facts or demand restitution; or

2.4 Discuss any facts, suspicions, or allegations associated with the case with anyone, unless specifically directed to do so by the Office of Internal Audit, Compliance Office, University Police, institution legal advisors, or the Office of General Counsel.

2.5 All inquiries from the suspected individual or his or her representative or attorney shall be directed to institution legal advisors or the Office of General Counsel. Proper response to such an inquiry should be, "I'm not at liberty to discuss this matter." Under no circumstances should there be any reference to "what you did," "the crime," "the fraud," "the forgery," "the misappropriation," or similar references.

2.6 All reproduction of documents, evidence and reports shall be performed within the secured work area of the Office of Internal Audit or University Police.

2.7 To the extent permitted by the applicable provisions of the Texas Public Information Act, confidentiality of those reporting dishonest or fraudulent activities will be maintained. However, the confidentiality cannot be maintained if that individual is required to serve as a witness in legal proceedings.

2.8 When an audit initiated due to an allegation of criminal activity has failed to detect criminal activity or when advised by the Office of General Counsel, the Director of Internal Audit has the discretion to stop the audit. However, with regard to criminal investigations conducted by University Police, only the Office of the District Attorney is authorized to review the progress of the criminal investigation and make the legal determination regarding whether to pursue a criminal prosecution.

3.
Operational Audit Findings

3.1 Each investigation of possible dishonest or fraudulent activities has the potential to provide a unique insight into specific activities conducted by the System and may disclose control weaknesses and other areas that need additional auditing or management's attention.

3.2 The Office of Internal Audit must review each investigation to determine if additional work needs to be done in order to provide the Audit Committee and management with a basis for taking any corrective action necessary.

The State Auditor's Office

The State Auditor's Office (SAO) is the independent auditor for Texas state government. The SAO operates with oversight from the Legislative Audit Committee, a six-member permanent standing committee of the Texas Legislature, jointly chaired by the Lieutenant Governor and the Speaker of the House of Representatives.

The SAO is authorized, by Chapter 321, Texas Government Code, to perform audits, reviews, and investigations of any entity receiving state funds, including state agencies and higher education institutions. Audits are performed in accordance with generally accepted government auditing standards, which include standards issued by the American Institute of Certified Public Accountants.

Types of audits the SAO performs include financial statement opinion audits, financial audits, compliance audits, economy and efficiency audits, effectiveness audits, and other special audits. The SAO may also perform reviews, which are less rigorous than audits and do not follow auditing standards, but provide a certain degree of assurance to decision makers. Investigations are performed whenever there is evidence of fraud or abuse of state resources.

Other SAO responsibilities include managing the State Classification Plan and providing support to state agency and higher education human resource offices, which is performed by the State Classification Team.
In addition, the SAO coordinates and provides continuing educational opportunities for audit and accounting professionals.

The work and activities performed by the SAO are included in an annual audit plan, approved by the Legislative Audit Committee. This includes mandatory work, required by state statute, or discretionary work which is determined through an ongoing risk assessment process.

Legislative Audit Committee
State Auditor John Keel, CPA
General Counsel and Risk Manager Anita D'Souza
Assistant State Auditor Michael C. Apperley, CPA Audits and Assistant State Auditor Lisa R. Collier, CPA Administration Reviews Audit Managers Michael Apperley, Assistant State Auditor Lisa R. Collier, Assistant State Auditor Sandra Vice, Assistant State Auditor Kelly Linder, Business Services Michael Apperley Human Resources Barry Holcomb, Senior HR Specialist Assistant State Auditor Sandra Vice, CIA, CGAP, CISA Federal Funds Audit Manager Babette Laibovitz, Audit Manager RAT Ralph McClendon, Audit Manager ISAT Worth Ferguson, Audit Manager QCT Verma Elliott, Audit Manager Nicole Guerrero, Audit Manager Angelica Martinez, Audit Manager John Young, Audit Manager
Audit Research and Legislative Coordination: Daniel Wattles, Manager
Information Systems Audit Team: Ralph McClendon, Audit Manager
Quality Control Team/Reporting Team: Worth Ferguson, Audit Manager
Information Systems Support / User Network Services: Sandra Vice
Professional Development: Jo Dale Guzman, Manager
Project Manager: Cody Smith
Ombudsman: Courtney Ambres-Wade
Risk Assessment Team and Internal Audit Coordination: Babette Laibovitz, Audit Manager
State Classification Team: Nicole Guerrero, Audit Manager
Special Investigations Unit: Pamela Munn, Audit Manager

University of Texas Permian Basin Internal Audit Manual SECTION G (Coordination with State Auditors Office)