What are the functions and responsibilities of the System Internal Audit Department?
The mission of the Texas A&M System Internal Audit Department is to assist The Texas A&M University System’s Board of Regents, Chancellor, and Chief Executive Officers by providing value-added auditing services using an independent, risk-based approach. The System Internal Audit Department responsibilities include determining the adequacy, efficiency and effectiveness of the System's internal control structure; reviewing the reliability and integrity of management, financial and operating information; reviewing the systems established to ensure compliance with policies, regulations, procedures and laws; reviewing the means of safeguarding the assets of the System; appraising the economy and efficiency with which resources are employed; reviewing operations or programs to determine whether results and outcomes consistent with established objectives and goals (performance measures) are being achieved; participating in the design of major information systems; and providing advisory and training services for System components as required or requested to ensure fiscal and administrative integrity of the System. In addition, the System Internal Audit Department is responsible for investigating fraud and other illegal activities. INFORMATION ON WEBSITE
Why and how was our department chosen for audit?
The Texas A&M System Internal Audit Department develops an annual audit plan based on risk and significance. Discussions are held with member universities and agencies during this planning process. An audit may be specifically selected because of the associated risk and included in the annual audit plan or at the request of a System member or the Board of Regents. The audit plan is presented to the Audit Committee and approved by the Board of Regents. The Board of Regents, as well as Texas A&M System member administration, can also recommend areas of interest to be reviewed. INFORMATION ON WEBSITE
What is an audit?
An audit is an independent review of the financial, operational or technical operations of an organization to determine the adequacy and effectiveness of internal control policies and procedures and the quality of performance in carrying out assigned responsibilities.
Audit results can assist management in improving an organization’s effectiveness of risk management, control and governance processes. An audit usually involves a planning phase (this provides the auditor an opportunity to identify higher risk areas in order to define the scope of audit testwork), a testwork phase (when specific testwork is performed), and a reporting phase (any findings are reported to the parties involved including recommendations). Audit reports are submitted to the Board of Regents quarterly.
Can an audit be requested?
Yes. Texas A&M System members can request audits for areas of interest or concern. The Board of Regents can also make requests for specific reviews.
What is the audit reporting process and timeline?
The reporting process is ongoing throughout the audit process. During the audit, the audit team will provide updates regarding findings and audit status. At the conclusion of the fieldwork, the auditor will discuss any findings noted during the audit process at the end of fieldwork meeting with responsible parties. This meeting is an opportunity for the client to discuss the findings and clarify any specific areas. The Exit Conference Draft, a draft presentation of the audit report, will then be provided to the director of the area reviewed usually within 30 days of the end of fieldwork meeting. The audit client will be given two weeks to provide feedback. The report is then revised and the draft is issued to the CEO requesting written responses. There is a 30-day time period for providing the responses. Client responses will be included in the final report. Once responses are received, the System Internal Audit Department will issue the final report. The final audit reports are distributed to appropriate management personnel, included in the quarterly reports presented to the Board of Regents, and made available to the public on the System Internal Audit website.
What are some common audit findings?
Some common issues have been identified within the Texas A&M System members in the areas of human resources, revenue management, and information technology. Human resources issues most prevalent include performance evaluations not performed timely, position descriptions not updated annually, leave not properly recorded, and discrimination and sexual harassment training not always completed in accordance with state law. Information technology issues include needed improvement in the level of IT representation and leadership within the organization structure to ensure IT perspective is present in strategic discussions of executive management, improvement in the analysis of institution-wide IT risks and related controls necessary to address the risks, the preparation and communication of IT security policies, and the preparation and testing of an institution-wide business continuity and disaster recovery plan. Revenue management is the largest most prevalent and ongoing area with findings and they include (for cash handling) lack of receipts, prenumbered receipts not tracked or monitored, checks not restrictively endorsed, funds not stored in secure locations, safe combinations not changed with personnel changes, keys not secured, access to funds not limited, transfer of funds not documented, deposits not made timely, lack of reconciliations, and segregation of duties.
How long will the audit take?
Audits vary in length depending on the area being reviewed, the detail being tested and the structure of the organization. Some follow-up audits may take only a few hours whereas some university-wide audits can take several months to complete. System Internal Audit makes every effort to inform clients of the timeline for their particular audit and provide updates to keep administrators aware of the audit status.
What is the audit client's responsibility once the audit report is issued?
Prior to issuance of the final report, audit clients are requested to provide a target date (this is a quarterly date) for implementation of audit recommendations Audit clients have a responsibility to address all audit recommendations, to take appropriate action to insure recommendations are implemented within their area, and to notify System Internal Audit of the progress.
What can the audit client do to prepare for an audit once they are aware they are on the schedule to be audited?
Once an audit is scheduled, the audit client can assist the audit team by preparing some information pertinent to their organization in advance. Some standard information that is helpful in the audit process includes a current organization chart (with current staff names and positions); key staff phone numbers, email addresses and points of contact for areas being reviewed; chart of accounts; and pertinent written policies and procedures. The client can provide a risk assessment matrix if one is available. The auditor may also request other relevant information depending on the type audit being performed.
Can you explain the audit report scoring system?
The report scoring system provides a mechanism to rank audit reports according to severity of findings. First, there are three levels of audit findings: notable, which are minor to moderate violations of controls, policies and laws; significant, which require CEO, Dean, Director or Vice President involvement for resolution; and major which are items most serious and have the probability of legal, financial or reputational damage and require Chancellor and/or members of the Board involvement.
The scoring system consists of five codes: Code 1 - Indicates No Observations; Code 2 - Notable Observations (Minor violations of controls, policies and regulations and laws); Code 3 - Many notable and/or some significant observations; Code 4 - Many significant observations; and Code 5 - One or more major observations.
What is a follow-up audit?
The follow-up process is a review performed by the audit team to verify the status of prior audit report recommendations. Follow-up audits review only specific areas from the prior audit to ensure recommendations have been implemented and the controls are working. While a follow-up is mainly addressing prior audit issues, during the process some issues could arise outside the normal scope of the follow-up. Follow-up results are reported to the highest level of the university or agency being reviewed.
Are follow-up audits performed on all audits and if so, how soon after the audit is completed can the follow-up be expected?
Follow-up reviews will be performed on all audits. Follow-up audits will be completed when the client notifies (quarterly) the System Internal Audit Department of the implementation of the prior report's recommendation and as audit teams become available to perform a review.
Where can we find copies of current or previously issued reports?
Texas A&M System Internal Audit has provided access to audit reports through their website. INFORMATION ON WEBSITE
Who makes up the Audit Committee and what is their role?
The Audit Committee - Their role, as stated in the Bylaws of the Board of Regents, is to assure that the Board maintains direct access to both internal and external functions of each university, agency and of the System. The Audit Committee recommends to the Board guidelines for the operation of the Committee and the auditing functions throughout the System. The Chief Auditor is responsible to the Board through the Audit Committee. The Committee provides oversight of internal and external audits; makes recommendations for the selection of external auditors; reviews the scope of audits; provides guidance for the Chief Auditor in Board functions; and reviews the findings of all external auditors. Each year, the Audit Committee presents the annual audit plan to the Board for approval.
What are the types of audits performed?
INFORMATION ON WEBSITE
What are internal controls?
INFORMATION ON WEBSITE
Are the Internal Auditors responsible for maintaining the A&M Member's system of internal controls?
No. Texas A&M System university and agency member's management is responsible for maintaining an adequate system of internal controls. System Internal Audit auditors independently evaluate the adequacy of the existing internal control systems by analyzing and testing controls. The A&M System Internal Audit Department makes recommendations to management to improve controls based on system testing and control analysis.
Are auditors looking for fraud when performing audits?
According to Standard 1220 of the International Standards for the Professional Practice of Internal Auditing, internal auditors must exercise due professional care by considering the probability of significant errors, fraud, or noncompliance. As part of the assurance activities, auditors of System Internal Audit watch for potential fraud risks, assess the adequacy of related controls and make recommendations for improvement. However, it is management’s responsibility to identify potential areas of risk and to be aware of the possibility of fraudulent acts in these areas.
Where and how do I report allegations of fraud?
If you suspect fraud, waste or abuse, you may report the information to any of the following:
- Your immediate supervisor
- Anyone in your chain of command
- A law enforcement official of the A&M System
- The Chief Executive Officer of the applicable A&M System member
- The Chief Auditor of the A&M System
- The A&M System Risk and Misconduct Hotline
You may call the Risk & Misconduct Hotline at 888.501.3850 or file a report electronically at www.ethicspoint.com. Links to the hotline are also located in the footer section of every A&M System member’s home page. The Risk & Misconduct Hotline is managed by EthicsPoint, an independent third party. Upon the receipt of a report, EthicsPoint personnel route the report to designated A&M System member officials for review and follow up. See additional frequently asked questions regarding the Risk & Misconduct Hotline at "Frequently Asked Questions".
You can also report suspected fraud to the Texas State Auditor’s Office by calling 1-800-TX-AUDIT.
Can university and System personnel seek advice from the System Internal Audit Department?
Yes. Texas A&M System Internal Audit can provide assistance on internal control matters and provide guidance on control aspects of new systems and procedures. Questions and requests can be directed to (979) 458-7100.
Who audits the Texas A&M System Internal Audit Department?
Every three years, a Peer Review (Quality Assurance Review) is performed on the Texas A&M System Internal Audit Department by an independent peer review team which is generally a team of auditors from other institutions of higher education.
Where do I get more information on the policies, regulations, and rules?
The Texas A&M System website provides access to all Texas A&M System Policies and Regulations as well as links to each member university and agency rules. The System Internal Audit website also provides helpful links to information.