Ad Hoc Committee for the Review of Internal Controls

1996 Action Plan to Enhance Internal Controls
THE UNIVERSITY OF TEXAS SYSTEM

APPROVED BY THE CHANCELLOR AND PRESENTED TO THE BUSINESS AFFAIRS AND AUDIT COMMITTEE OF THE BOARD OF REGENTS ON JANUARY 22, 1996.

INTRODUCTION

In 1994, the Chancellor of The University of Texas System (U.T. System) formed an Ad Hoc Committee for the Review of Internal Controls; this committee included Chief Business Officers and Directors of Internal Audit from academic and health component institutions along with representatives from U.T. System Administration. In July of 1994, the committee issued an “Action Plan to Enhance Internal Controls through Awareness, Accountability, and Audit Committees.” The Action Plan included the following action items:

Awareness:
- Develop a Statement of Philosophy about responsibility for public resources, employee accountability, and personal ethics.
- Teach an internal control training course to administrative officials (i.e., department chairs, directors, deans, vice-presidents, etc.).
- Issue a Management Responsibilities Handbook to administrative officials.
- Communicate information about internal control using campus newsletters, electronic mail, etc.
- Issue an annual Statement of Responsibility and Accountability for Internal Controls to administrative officials.

Accountability:
- Revise Regents’ Rules and Regulations to specify the Chief Administrative Officer’s overall responsibility for internal controls at the institution.
- Revise job descriptions of administrative positions to specify primary responsibility for internal controls at the department level.
- Include an evaluation of internal control performance in personnel evaluations.
- Take appropriate disciplinary action when an employee disregards his or her internal control responsibilities, including acts of commission and omission.
- Audit departments when a change in department management occurs.

Audit Committee:
- Require the Chief Administrative Officer, Chief Business Officer, and Director of Internal Audit to be members of the Audit Committee.
- Develop an Audit Committee Statement of Responsibilities.
- Hold at least quarterly Audit Committee meetings.
- Submit annual audit plans to the Audit Committee for its review and approval.

In October 1995, the Ad Hoc Committee for Review of Internal Controls reconvened to review System-wide implementation of the 1994 Action Plan; committee members concluded that tremendous progress had been made. For example, over 4,000 U.T. employees with administrative duties attended an internal control training course in 1995. Committee members also concluded, however, that a “1996 Action Plan to Enhance Internal Controls” was needed to advance continuous improvement of internal controls within the U.T. System. The 1996 Action Plan contains both carry-forward items from the 1994 Action Plan and some new items. New items in the 1996 Action Plan are as follows:

- An internal control orientation packet for new administrative officials which includes a new internal control videotape.
- Internal audits of all departments every three to five years.
- Annual audits of the institution’s key financial and operating information.
- Chief Academic Officer membership on the Audit Committee.
- An Audit Committee Member Handbook.
- Risk Assessment and Implementation Plan to be completed by every department.
- Annual self-assessment reports on internal control from departments to the applicable Vice Presidents by August 31, 1997.
- Control self-assessment workshops.
- A “How to Reconcile Your Departmental Accounts” training course.
- An annual communication to principal investigators which outlines their administrative responsibilities for research activities.

The following pages present the 1996 Action Plan items by “Responsible Party.” It is recognized that the designated Responsible Party may choose to delegate implementation of an item to another person. The Responsible Party, however, remains accountable for the implementation of the action item.

Several Action Plan items are to be implemented at the department level (e.g., departmental audits and Risk Assessment and Implementation Plans). For the most part, implementing Action Plan items at the department level makes sense because signature authority for purchase transactions has been delegated to department chairs and directors. On the other hand, if a department does not have signature authority and the department is small in terms of number of employees and scope of activities, then it may be advisable to implement certain Action Plan items at a higher level of the organizational structure (e.g., at the college level).

The Ad Hoc Committee for Review of Internal Controls would like to thank the System Audit Office for providing administrative support for the committee’s work. In addition, committee members would like to thank the thousands of U.T. employees who have worked very hard to make the 1994 Action Plan a successful endeavor. Thank you for your continued support of U.T. System efforts to enhance internal controls.

Ad Hoc Committee for Review of Internal Controls
January 1996

1996 ACTION PLAN

Action Item | Carry-Forward Item | New Item | Responsible Party | Due Date

1. Communicate annually to all employees a Statement of Philosophy about responsibility for public resources, employee accountability, and personal ethics.

Implementation Guidance: The Statement of Philosophy is most effectively communicated as an e-mail message or written memo from the Chief Administrative Officer to all employees. The Statement of Philosophy should emphasize the responsibility of all employees to be good stewards of public resources. In addition, the Statement of Philosophy should include or reference the U.T. System Code of Ethics. The Chief Administrative Officer may choose to attach or reference other materials which provide practical guidance on ethical issues. The purpose of the Statement of Philosophy is to communicate an appropriate “tone at the top” thereby enhancing the control-consciousness of the institution.

Responsible Party: Chief Administrative Officers
Due Date: 2/29/96

2. Communicate annually a Statement of Responsibility and Accountability for Internal Controls to all administrative officials (i.e., department chairs, directors, deans, vice presidents, etc.).

Implementation Guidance: The purpose of the Statement of Responsibility and Accountability for Internal Controls is to advise administrative officials that they are primarily responsible and will be held accountable for the design and effectiveness of internal controls in their department(s). The Chief Administrative Officer should communicate this message in writing to all administrative officials.

Responsible Party: Chief Administrative Officers
Due Date: 2/29/96


3. Take appropriate disciplinary action, up to and including termination, against employees who disregard their internal control responsibilities, including acts of commission and omission.

Implementation Guidance: It has been clearly communicated to administrative officials that they are primarily responsible for internal controls in their departments. When internal controls in a department are found to be weak, appropriate disciplinary action should be taken against the administrative official over the department regardless of whether a fraud has been committed. Appropriate disciplinary action must also be taken against the employee in a department who commits fraud or fails to perform assigned control activities. Disciplinary actions against administrative officials and other employees who disregard internal control responsibilities must be consistently applied regardless of position, stature, or tenure.

Responsible Party: Chief Administrative Officers
Due Date: Immediately

4. Require the Chief Administrative Officer, Chief Academic Officer (or equivalent), Chief Business Officer, and Director of Internal Audit to be members of the Audit Committee.

Implementation Guidance: The 1994 Action Plan required the Chief Administrative Officer, the Chief Business Officer, and the Director of Internal Audit to be members of the Audit Committee. The 1996 Action Plan adds the Chief Academic Officer to the list of required members. Some institutions include external business leaders on their Audit Committees; these members have made very positive contributions.

Responsible Party: Chief Administrative Officers
Due Date: 2/29/96

5. Require the Audit Committee to meet at least quarterly.

Implementation Guidance: Effective audit committees meet at least quarterly for one to two hours; some meet bi-monthly.

Responsible Party: Chief Administrative Officers
Due Date: 2/29/96


6. Offer the internal control training course, “Effectively Controlling Risks: A Balancing Act,” at least semiannually for new administrative officials (i.e., department chairs, directors, deans, vice presidents, etc.). When a new administrative official assumes his or her responsibilities, provide him or her an internal control orientation packet which includes a Statement of Responsibility and Accountability for Internal Controls, a Management Responsibilities Handbook, and an internal control videotape which highlights internal control issues on campus.

Implementation Guidance: The Chief Business Officer is responsible for making sure that the internal control training course is offered at least semiannually. The applicable Vice Presidents are responsible for making sure that new administrative officials in their areas of responsibility attend the internal control training course. The Chief Business Officer is responsible for making sure that an internal control orientation packet is distributed to new administrative officials when they assume their responsibilities. The System Audit Office will coordinate the production of an internal control videotape with the Business Management Council.

Responsible Party: Chief Business Officers (or applicable Vice President)
Due Date: 6/30/96

7. Maintain a current edition of the Management Responsibilities Handbook and distribute it to all administrative officials (i.e., department chairs, directors, deans, vice presidents, etc.).

Implementation Guidance: The purpose of the Management Responsibilities Handbook is to outline administrative responsibilities, to provide some brief practical guidance, and to highlight departments that can provide assistance. The Handbook, at a minimum, should address those administrative activities common to most departments (e.g., budgeting, purchasing, hiring, etc.).

Responsible Party: Chief Business Officers
Due Date: 8/31/96


8. Amend job descriptions of administrative positions (i.e., department chairs, directors, deans, vice presidents, etc.) to specify responsibility for internal controls in their department(s).

Implementation Guidance: Job descriptions of administrative positions should include wording similar to the following: “Responsible for the design, execution, and effectiveness of a system of internal controls which provides reasonable assurance that department operations are effective and efficient, department assets are safeguarded, department financial information is reliable, and the department complies with applicable laws, regulations, policies, and procedures.”

Responsible Party: Chief Business Officers (or applicable Vice President)
Due Date: 5/31/96

9. Amend the institution’s performance evaluation form to include a specific evaluation of internal control performance.

Implementation Guidance: The institution should amend its performance evaluation form to include a specific evaluation of an employee’s internal control performance. Wording on the form might be as follows: “INTERNAL CONTROL--Evaluate performance as it relates to the individual’s internal control responsibilities.”

Responsible Party: Chief Business Officers (or applicable Vice President)
Due Date: 5/31/96

10. Offer an optional internal control training course, “How to Reconcile Your Departmental Accounts.”

Implementation Guidance: The System Audit Office has developed a model “How to Reconcile Your Departmental Accounts” training course (including a participant’s manual). This one-hour course is designed for employees in departments who are responsible for reconciling departmental accounts. Institutions can tailor the model course or develop their own course. Some institutions already offer a similar course.

Responsible Party: Chief Business Officers
Due Date: 4/30/96


11. Use campus newsletters, electronic mail, or other means to highlight internal control issues. Communicate internal control information at least quarterly. Share internal control best practices on the Internet.

Implementation Guidance: The purpose of these “general awareness initiatives” is to foster ongoing risk identification and proactive risk management. An article in a campus newsletter and an electronic mail message are inexpensive ways to alert employees to risks and internal control best practices. The Internet can be used both to access and to share internal control information.

Responsible Party: Chief Business Officers
Due Date: 3/31/96

12. Require new administrative officials (i.e., department chairs, directors, deans, associate vice presidents, etc.) to attend the internal control training course, “Effectively Controlling Risks: A Balancing Act” within six months of assuming responsibilities.

Implementation Guidance: The Chief Business Officer is responsible for offering the internal control training course at least semi-annually for new administrative officials. It is the responsibility of the applicable Vice President to make sure that new administrative officials in his or her area of responsibility attend the internal control training course within six months of assuming their responsibilities. This one and one-half hour course provides an overview of internal control and focuses on financial and administrative duties.

Responsible Party: Applicable Vice Presidents
Due Date: 6/30/96

13. Require every department to complete a Risk Assessment and Implementation Plan and to forward a copy of the form to its Vice President and to the Director of Internal Audit.

Implementation Guidance: The internal control training course teaches participants how to prepare this form.

Responsible Party: Applicable Vice Presidents
Due Date: 6/30/96


14. Require every department to perform an annual control self-assessment and to issue a self-assessment report on internal control to its Vice President beginning in fiscal 1997; the department should forward a copy of the report to the Director of Internal Audit.

Implementation Guidance: A control self-assessment is a “self-audit” of a department’s internal controls resulting in a formal self-assessment report on internal control to senior management. The System Audit Office is preparing a Control Self-Assessment Manual which guides a department through the self-assessment process; the Manual includes a model self-assessment report on internal control. In addition, the System Audit Office is developing and piloting “Control Self-Assessment Workshops,” a new internal auditing service. During these optional workshops, internal auditors facilitate a department’s control self-assessment.

Responsible Party: Applicable Vice Presidents
Due Date: 8/31/97

15. Communicate annually a Statement of Administrative Responsibilities for Research Activities to principal investigators.

Implementation Guidance: The purpose of the Statement of Administrative Responsibilities for Research Activities is to acquaint principal investigators with institutional policies and procedures and applicable federal and state laws which pertain to research activities. The Vice President over research activities should communicate this information in writing to all principal investigators annually.

Responsible Party: Applicable Vice Presidents (or equivalent)
Due Date: 6/30/96

16. Require internal auditors to audit departments with new management.

Implementation Guidance: New management would include a new department chair, director, dean, etc. The scope of the audit should include financial and administrative controls.

Responsible Party: Audit Committees
Due Date: 2/29/96


17. Require internal audits of all departments every 3 to 5 years.

Implementation Guidance: The Audit Committee should review the internal auditing department’s annual audit plan and long-term audit plan to ensure itself that all departments will be audited every 3 to 5 years. The scope of these audits should include financial and administrative controls. The Audit Committee should review the results of departmental audits and the implementation status of the audit plan at each of its meetings.

Responsible Party: Audit Committees
Due Date: 9/1/96

18. Require annual audits of the institution’s key financial and operating information.

Implementation Guidance: The Texas Internal Auditing Act requires that internal auditing departments comply with “Standards for the Professional Practice of Internal Auditing.” Those Standards require that internal auditors perform audits of an entity’s key financial and operating information. In higher education, that normally means that the following financial information and systems be audited: tuition and fees, state appropriations, hospital revenue, MSRDP income, major federal grants, endowment income, significant auxiliary enterprises, payroll, benefits, major capital expenditures, student records, patient records, etc. These audits of key financial and operating information should be included in the annual audit plan as either stand-alone audits or within the scope of departmental audits.

Responsible Party: Audit Committees
Due Date: 9/1/96

19. Update the Audit Committee Statement of Responsibilities.

Implementation Guidance: The System Audit Office is developing an Audit Committee Member Handbook. Audit Committees should update their Audit Committee Statement of Responsibilities to be consistent with the Handbook.

Responsible Party: Audit Committees
Due Date: 3/31/96


20. Offer optional Control Self-Assessment Workshops.

Implementation Guidance: Beginning in fiscal 1997, every department will be required to perform an annual control self-assessment and issue a self-assessment report on internal control to its Vice President. A control self-assessment is a “self-audit” of a department’s internal controls resulting in a formal self-assessment report on internal control to senior management. The System Audit Office is preparing a Control Self-Assessment Manual which guides a department through the self-assessment process; the Manual includes a model self-assessment report on internal control. In addition, the System Audit Office is developing and piloting “Control Self-Assessment Workshops,” a new internal auditing service. During these optional workshops, internal auditors facilitate a department’s control self-assessment. The System Audit Office will provide Directors of Internal Audit a model Control Self-Assessment Workshops participant’s manual and presentation overheads. In addition, internal auditor facilitation skills for Control Self-Assessment Workshops will be taught at the U.T. System Internal Auditing Spring Conference. It is the responsibility of the Directors of Internal Audit to offer Control Self-Assessment Workshops no later than September 1, 1996.

Responsible Party: Directors - Internal Audit (or other qualified individuals designated by the Chief Administrative Officer)
Due Date: 9/1/96

21. Develop a model Audit Committee Member Handbook.

Responsible Party: System Audit Office
Due Date: 2/29/96

22. Develop a model “How to Reconcile Your Departmental Accounts” training course including participant’s manual.

Responsible Party: System Audit Office
Due Date: 3/31/96

23. Develop a model “Control Self-Assessment Workshops” participant’s manual and presentation slides.

Responsible Party: System Audit Office
Due Date: 4/30/96


24. Produce an internal control videotape for new administrative officials.

Responsible Party: System Audit Office
Due Date: 6/30/96

25. Develop a model Control Self-Assessment Manual for departments.

Responsible Party: System Audit Office
Due Date: 9/1/96

26. Review institutional implementation of the 1996 Action Plan to Enhance Internal Controls.

Responsible Party: System Audit Office
Due Date: 8/31/97
