Internal Audit Reporting

UNIVERSITY OF TEXAS PERMIAN BASIN
OFFICE OF INTERNAL AUDITS
AUDIT MANUAL

Revised March 16, 2009

TABLE OF CONTENTS

A. SCOPE, AUTHORITY, ORGANIZATION AND MISSION
   A-1    Scope and Authority
   A-2    Audit Charter
   A-3    Audit Committee Charter
   A-4    Organizational Charts
   A-4.1  The University of Texas – Permian Basin
   A-4.2  Office of Internal Audits
   A-5    Mission Statement and Goals

B. AUDITING STANDARDS (Institute of Internal Auditors & GAGAS “Yellow Book”)
   B-1    IIA Code of Ethics
   B-2    IIA Professional Practice Framework (PPF)
   B-3    IIA Standards
   B-3.1  Attribute Standards
   B-3.2  Performance Standards
   B-4    GAGAS Yellow Book Standards

C. AUDIT PROCEDURES
   C-1    Overview of Audit Procedures Section
   C-2    Independence Procedure and Statement
   C-3    Types of Audits and Summary of Audit Process
   C-4    Internal Control
   C-5    Risk Assessment
   C-6    TeamMate Work papers Guide
   C-7    Flowcharts
   C-8    Audit Findings
   C-10   Follow-ups and Significant Findings
   C-11   Quality Assurance Reviews

D. OFFICE PROCEDURES
   D-1    Weekly Time and Status Reports
   D-2    Leave Request Policy
   D-3    Travel Policy
   D-4    State Property Policy
   D-5    Administrative Procedures

E. RULES AND REGULATIONS
   E-1    Texas Internal Auditing Act (Government Code Section 2102)
   E-2    Board of Regents Rules and Regulations
   E-3    UT System Business Procedures Memoranda
   E-3.1  Business Procedures Memorandum 18-02-04
   E-3.2  Business Procedures Memorandum 50-01-02
   E-4    UTPB Handbook of Operating Procedures (H.O.P.)
   E-5    State Auditor’s Office

University of Texas Permian Basin
Office of Internal Audits
Audit Manual Section A

SCOPE, AUTHORITY, ORGANIZATION AND MISSION

SCOPE AND AUTHORITY


The University’s Office of Internal Audits, under the purview of the UT System Audit Office, has been
given the authority to conduct internal audits as established by the Texas Internal Auditing Act.

The First Texas Legislature passed the Texas Internal Auditing Act (Article 6252-5d, Vernon’s Texas
Civil Statutes) effective September 1, 1989, which established guidelines for a program of internal
auditing to assist agency administrators by furnishing independent analysis, appraisals, and
recommendations concerning the adequacy and effectiveness of an agency’s systems of internal
control policies and procedures, and the quality of performance in carrying out assigned
responsibilities. See Section E-1.

The Internal Audit Charter, approved by the University President, states the purpose, authority, and
responsibility for the Office of Internal Audits. The internal auditor is a vital part of the university and
functions in accordance with the policies established by the President, The University of Texas System
Administration and the Board of Regents. To provide for the independence of the internal auditing
activity, the Director of Internal Audits reports directly to the President and must be free of all
operational and management responsibilities that would impair his or her ability to independently
review all aspects of the institution (per the Texas Internal Auditing Act, Section 2101,
Government Code). The Director of Internal Audits also has an indirect reporting relationship to The
University of Texas System Director of Audits, who has responsibility for oversight of the internal
auditing activity for the U.T. System and has the reporting responsibility for all components to the
Board of Regents. See Section A-2.

All internal audit activity is to be performed in a manner consistent with the International Standards for
the Professional Practice of Internal Auditing and the Code of Ethics, as promulgated by the Institute
of Internal Auditors, Inc. (IIA). See Section B-1 for the IIA’s Code of Ethics.

AUDIT CHARTER

Introduction

Internal auditing is an independent appraisal function established to examine and evaluate activities as
a service to the Internal Audit Committee, the President, and senior management of U. T. Permian
Basin. The auditors must have a high degree of independence and not be assigned duties or engage in
any activities that they would normally be expected to review or appraise. Current editions of
Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal
Auditors, College and University Business Administration issued by the National Association of
College and University Business Officers, and the Texas Internal Auditing Act shall serve as
guidelines for the Office's activities.

Internal Audit Office Mission Statement:

Internal Audit provides independent, objective assurance and consulting services designed to add value
and improve UTPB’s operations. It helps the university accomplish its objectives by bringing a
systematic, disciplined approach to evaluating and improving the effectiveness of risk management,
control mechanisms, and operational and governance processes.

Organizational Status

The Office of Internal Audit is a vital part of U.T. Permian Basin management and functions in
accordance with the policies established by the President of The University of Texas of the Permian
Basin, the Internal Audit Committee of The University of Texas of the Permian Basin, The University
of Texas System, The Board of Regents of The University of Texas, and by the Legislature through the
Texas Internal Auditing Act. The internal auditing services are reported directly to the President and to
the Internal Audit Committee. The University of Texas of the Permian Basin Internal Audit Committee
obtains, reviews and reports to the President on all institutional audit reports; approves the institutional
internal audit plan; and transmits to the President such instructions as it deems necessary for the
implementation of appropriate internal auditing practices.

Purpose

The Office of Internal Audit is responsible for providing the President and senior management with
information about the adequacy and effectiveness of The University of Texas of the Permian Basin's
system of internal administrative and accounting controls and the quality of operating performance
when compared with established standards, and for recommending alternatives and modifications to
existing systems and operations to improve overall efficiency and effectiveness. To accomplish these
objectives the Office of Internal Audit is authorized to have full, free, and unrestricted access to all
functions, property, personnel, and records (including medical and electronic). Although such access
will be unlimited, the Office of Internal Audit shall ensure the safekeeping and confidentiality of all
records and information.

Internal Audit Committee Statement of Responsibility

One of the most significant areas of organizational governance is the audit committee. These are the
major assumptions and processes of that committee:

The single most important finding and the key to audit committee effectiveness is background
information and training. Management and internal auditors are identified as sources of this
information. Special sessions on internal controls and the impact of their effectiveness on the
committee's oversight responsibilities would acquaint committee members with the control
environment. The internal auditor should report to the committee regularly regarding weaknesses noted
in internal control. To enhance the effectiveness of the meeting, briefing materials should be supplied
to the committee well in advance, and committee members should take adequate time to review them.
State-of-the-art audit committees meet at least quarterly. The audit committee should review with
management their assessment of the external and internal risks and whether or not the risk factors are
being reasonably addressed. In addition, they should determine how internal auditing considers these
risks when establishing the scope of their respective audits. The audit committee should advise the
Director of Internal Audit that committee members expect to be advised of any areas requiring their
special attention. The Director of Internal Audit should report the results of the department's auditing
activities to the committee. Under normal circumstances, summary reporting should be made;
however, specific findings and recommendations related to significant matters should be reported. The
audit committee must be satisfied that internal auditing maintains its independence and objectivity.
The committee should be satisfied that internal auditing is organizationally independent by ensuring
the director reports to an appropriate executive level within the organization. The committee should be
satisfied that the department's staffing and budget are adequate to enable the department to effectively
perform its responsibilities.

Quality Assurance

The Office of Internal Audit shall establish and maintain a program of quality assurance designed to
evaluate the operations of the department. The purpose of this program is to provide reasonable
assurance that all work performed by the department conforms to the guidelines under which the
department operates. This program should include training, supervision, and internal and external
reviews. Internal reviews should be performed by members of the department on a routine basis to
appraise the quality of work performed. External reviews of the department should be performed every
three years, as required by the Texas Internal Auditing Act, by qualified persons who are independent
of the Office of Internal Audit.

This procedure shall be reviewed biennially by the Internal Auditor.

AUDIT COMMITTEE CHARTER

Purpose

The committee is to ensure that: the activities of U. T. Permian Basin comply with the appropriate Business
Procedures Memoranda, the Institute of Internal Auditors' Standards for the Professional Practice of
Internal Auditing, and the Texas Internal Auditing Act; audit coverage for U. T. Permian Basin adequately
encompasses all aspects of The University's operations and the coverage is not inhibited or limited by any
individual or department; audit activities are responsive to The University's needs and objectives; and
management is aware of internal audit activities, results of audits, and progress toward implementation of
audit recommendations.



Authority

The University of Texas System Administration Policy Library 129, Internal Audit Activities,
authorizes the establishment of an institutional audit committee. Appendix A, System-wide Internal
Audit Charter, states “Each component institution will organize and maintain an institutional audit
committee.”


Role

The University of Texas Permian Basin (UTPB) Audit Committee is an essential part of the risk
management and internal control infrastructure of the institution and of the UT System. Its primary
responsibilities are to assist the President in the:


   • Oversight and direction of the internal auditing activity.
   • Oversight of the process to manage business and financial risks.
   • Reporting of risk management and audit activity to the UT System,
     including the Audit, Compliance, and Management Review (ACMR)
     Committee of the Board of Regents.
   • Oversight of institutional engagements that may be performed by the
     external public accounting firm also conducting the UT System financial
     audit.
   • Awareness of and responsibility for UTPB issues that may arise from the
     UT System financial audit.

Membership

The President shall appoint the members of the Audit Committee. Membership will be composed of
the President, Executive Vice President, other members of management appointed by the President,
and at least one member from outside the institution. The Chairman will be the President or his/her
designee.

Other non-voting members whose sole purpose is to assist the audit committee in carrying out their
responsibilities include the Director of Audit Services (Chief Audit Executive), Director of Systems
Audits or his/her designee, and a representative of the UT System Office.

Education
Audit Services, the System Audit Office and the System Controller’s Office are responsible for
providing Audit Committee members with educational resources related to accounting principles and
procedures, business and financial risk management, internal auditing standards and best practices and
other information necessary to discharge their responsibilities.


Meetings
The Audit Committee meets four times a year (at least once quarterly), or as necessary at the request
of the President. The meetings should provide for direct communication between members and the
chief audit executive. Discussions and actions taken by the committee should be documented in the
meeting minutes. A majority of members constitutes a quorum and attendance should be recorded in
the minutes.


Responsibilities
The Audit Committee’s specific responsibilities in carrying out its oversight and reporting roles are
delineated in the Audit Committee Responsibilities Checklist. The responsibilities checklist will be
updated annually by the Audit Committee to reflect changes in regulatory requirements, authoritative
guidance, UT System guidance, and best practices in business and financial risk management. As the
compendium of Audit Committee responsibilities, the most recently updated responsibilities checklist
will be considered an addendum to this charter.


INSTITUTIONAL AUDIT COMMITTEE RESPONSIBILITIES CHECKLIST

                                                     GENERAL

1      The committee will perform functions as assigned by the Audit, Compliance, and Management
       Review Committee of The University of Texas Board of Regents.

2      The committee shall meet at least four times per year, or as necessary, at the request of the
       institution’s president.

3      The Chairman of the Institutional Audit Committee in consultation with the Chief Audit
       Executive will prepare the agenda for the committee meetings.

4      The Chief Audit Executive will be responsible for maintaining a record of the approved minutes
       of Institutional Audit Committee meetings.

5      Annually review the Institutional Audit Committee Charter and assess their performance of the
       responsibilities delineated in that charter.

6      Meet privately with the Chief Audit Executive, external public accounting firms, and the State
       Auditor’s Office at least annually, or as appropriate.

7      Other executive sessions may be appropriate to assess the performance of the internal audit
       function.




               OVERSIGHT OF FINANCIAL STATEMENT PREPARATION PROCESS

1      Determine that institution management has assumed responsibility for identifying (risk
       assessment) and managing (internal controls) the business and financial risks.

2      Oversee the preparation of the institution’s financial statements through the review of

       a.  the closing process used by the institution,

       b.  the certifications by the President and Financial Reporting Officer,

       c.  financial and internal controls information provided in internal audit documents,

       d.  financial and internal control information provided by external public accounting firm
           audits,

       e.  analytical information provided by institution management, internal audit, and/or
           external auditors,

       f.  the methodology used to identify, assess, and manage possibilities for fraud in business
           and financial processes, and

       g.  any off-balance sheet transactions/arrangements that have, or are reasonably likely to
           have, a current or future effect on the System’s or any of the institution’s financial
           condition, changes in financial condition, revenues or expenses, results of operations,
           liquidity, capital expenditures, or capital resources that is material to users of the
           financial statements reflecting the economics of such transactions/arrangements.

                    OVERSIGHT OF THE INTERNAL AUDITING FUNCTION

1      Approve an Internal Audit Charter that is consistent with the Texas Internal Auditing Act and
       the Standards of the Professional Practice of Internal Auditing.

2      Periodically review the Internal Audit Charter to ensure it encompasses any required revisions.

3      Review the risk assessment methodology used to develop the internal audit Annual Work Plan
       to ensure that all applicable business and financial risks have been identified.

4      Review the Annual Work Plan to ensure appropriate coverage for risks identified in the risk
       assessment, including coverage of significant financial and information systems.

5      Approve the Annual Work Plan and all changes thereto.

6      Review quarterly the status of completion of the Annual Work Plan.

7      Receive the results of all completed internal audit engagements.

8      Receive reports of Confidential Reporting Mechanism activity that relates to internal controls,
       financial management, internal auditing, or external auditing.

9      Review all significant recommendations and management action plans to address those
       recommendations.

10     Monitor the status of management action plans for significant recommendations.

11     Approve the utilization of Internal Audit resources outside the Annual Work Plan.

12     Review staffing and organization of the internal audit activity for appropriateness in relation to
       the institution and its identified risks and make recommendations to the president if necessary.

13     Request an annual self-assessment by the internal audit function and review the results.

14     Ensure that an External Peer Review is performed at least once every three years and review the
       results.

15     Provide input to the president on the annual evaluation of the Chief Audit Executive.

16     Provide input to the president on the hiring and dismissal of the Chief Audit Executive.

                OVERSIGHT OF EXTERNAL PUBLIC ACCOUNTING FIRMS

1      Monitor the institution’s contracting with all external public accounting firms to ensure
       compliance with the requirements of UTS 03 “Annual Financial Report” and the operating rules
       of the Audit, Compliance, and Management Review Committee of The University of Texas
       Board of Regents.

2      Review the reports of all external public accounting firms contracted by the institution to
       perform audits of any institution functions, components, activities, or financial information.

3      Monitor all activity by the State Auditor’s Office.

                       REPORTING TO THE ACMR AND U.T. SYSTEM

The Institutional Audit Committee and the Chief Audit Executive are responsible for providing the
following information to the System Audit Office for use by the Audit, Compliance, and Management
Review Committee in discharging its oversight duties for the U.T. System:

1      Annual work plan and changes thereto.

2      Quarterly status of the Annual Work Plan and completed engagements.

3      Confidential Reporting Mechanism activity.

4      Significant recommendations.

5      Status of significant recommendations.

6      Contracts with external public accounting firms.

7      Other matters as requested by the ACMR through the System Audit Office.

University of Texas Permian Basin
Internal Audit Manual

ORGANIZATIONAL CHARTS

[Figure: President’s Office Organizational Chart]

[Figure: Internal Audit Office Organizational Chart. Boxes shown: University of Texas Permian Basin President, Dr. David Watts; UT System Audit Office; Audit Committee; Director of Internal Audits, Narita Holmes MBA, CPA, CIA; Auditor II, Aaron Munoz CIA, CGAP]

MISSION STATEMENT

Internal Audit provides independent, objective assurance and consulting services designed to add value
and improve UTPB’s operations. It helps the university accomplish its objectives by bringing a
systematic, disciplined approach to evaluating and improving the effectiveness of risk management,
control mechanisms, and operational and governance processes.

                                              GOALS

GOAL: Optimize institutional effectiveness and efficiency consistent with high quality organizational
standards.

STRATEGIES

Develop an annual audit plan in accordance with the Texas Internal Audit Act and UT System
guidelines that evaluate and improve the effectiveness of risk management, control, operational and
governance processes.
   • Perform institutional risk assessment to identify high risk areas and include those areas
     in the annual plan.
   • Prepare annual audit plan in accordance with the Act and UT System guidelines and
     executive management needs.
   • Include evaluations of appropriate Presidential initiatives in annual audit plan.

Provide management with independent, objective assurance and consulting services designed to
add value and improve University operation.
   • Request operating management input to audit planning process.
   • Provide recommendations based on audit activity and results.
   • Provide consulting and advisory services as requested and approved.
   • Provide risk assessment training to the university community.
   • Provide internal control and control self assessment training as identified or requested
     by management.

Office operation and audit engagements will be performed in accordance with professional audit
standards.
   • Conduct quality assurance reviews in accordance with professional auditing standards.
   • Monitor office operations and staff engagement for conformance to IIA Standards.
   • Audit staff will prepare a plan that includes long/short term professional development
     and training needs to maintain sufficient knowledge, skills, experience, and professional
     certifications to meet the requirements of professional audit standards.

University of Texas Permian Basin
Internal Audit Manual

SECTION B
(Auditing Standards)

CODE OF ETHICS

Note: Our Code of Ethics was closely modeled after the IIA’s, as outlined in the Standard.

Internal auditors are expected to apply and uphold the following principles: integrity, objectivity,
confidentiality and competency.


1. Integrity

Auditors are required to perform their work with honesty, diligence and responsibility while observing
the law. They should not, knowingly, be party to illegal activities or engage in acts discreditable to the
profession of internal auditing, or the organization.


2. Objectivity

Internal auditors should be objective and shall not participate in activities or relationships that may
impair or be presumed to impair their unbiased assessment. They shall not accept gifts or anything
that may impair or be presumed to impair their professional judgment, and shall disclose all material
facts that, if not disclosed, could distort the reporting of activities under review.


3. Confidentiality

Any information gained during the discharge of their duties is confidential and shall not be disclosed to
third parties or used for personal gain; therefore, internal auditors shall be prudent in the use and
protection of information acquired in the course of their duties.


4. Competency

Internal auditors shall perform auditing services in accordance with the International Standards for the
Professional Practice of Internal Auditing. They shall perform services for which they have the
required knowledge, skills and experience. Additionally, they shall continually improve their
proficiency, effectiveness and quality of their services.

International Professional Practices Framework

The Institute of Internal Auditors, Inc., Florida, USA (IIA) is the only international body dedicated to the
professional development of Internal Auditing. The IIA's International Board of Directors has
approved the new International Professional Practices Framework (IPPF), under the oversight of The
IIA's Professional Practices Council. This Framework was just released in January 2009.

The IPPF 2009 is the only internationally accepted set of standards for the professional practice of
internal auditing, followed globally by all organizations around the world.

The entire IPPF 2009 is excellently structured and is broadly divided into two parts:

           1. Mandatory Guidance: Performance with the principles set forth in
              mandatory guidance is required and essential for the professional practices of internal
              auditing. Mandatory guidance is intended to be applicable to both entities and
              individuals that perform internal auditing. Mandatory guidance is developed following
              an established due diligence process, which includes a period of public exposure for
              stakeholder input. Mandatory guidance comprises:

                   a. Definition of Internal Auditing

                   b. Code of Ethics

                   c. International Standards

           2. Strongly Recommended Guidance: Strongly recommended guidance
              is endorsed by the IIA through a formal approval process. It describes practices for
              effective implementation of the IIA’s definition of Internal Auditing, Code of Ethics and
              International Standards for the Professional Practice of Internal Auditing (Standards).
              Strongly recommended guidance comprises:

                   a. Position Papers

                   b. Practice Advisories

                   c. Practice Guides


In order to ensure compliance with the IIA’s International Standards for the Professional Practice of
Internal Auditing, our audits are conducted in a manner consistent with Mandatory and Strongly
Recommended Guidance standards described above.

Additionally, due to the nature of our work and the organizational status of the Internal Audit
Department, auditors hold positions that are highly visible within the University; therefore we, the
Internal Audit Department as a whole and as individuals, are required to conduct ourselves with
respect while upholding a high level of Ethics, Values and Integrity as we provide high quality
services to our customers.


Institute of Internal Auditors Standards

The following is a brief overview of the mandatory standards to be followed by individuals
performing audit services.

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

Attribute Standards

1000 – Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal
audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The
chief audit executive must periodically review the internal audit charter and present it to senior management and
the board for approval.

Interpretation:
The internal audit charter is a formal document that defines the internal audit activity's purpose, authority, and
responsibility. The internal audit charter establishes the internal audit activity's position within the organization;
authorizes access to records, personnel, and physical properties relevant to the performance of engagements;
and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the
board.

1000.A1 – The nature of assurance services provided to the organization must be defined in the internal audit
charter. If assurances are to be provided to parties outside the organization, the nature of these assurances must
also be defined in the internal audit charter.

1000.C1 – The nature of consulting services must be defined in the internal audit charter.

1010 – Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the
Internal Audit Charter
The mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the Standards must be
recognized in the internal audit charter. The chief audit executive should discuss the Definition of Internal
Auditing, the Code of Ethics, and the Standards with senior management and the board.

1100 – Independence and Objectivity
The internal audit activity must be independent, and internal auditors must be objective in performing their work.

Interpretation:
Independence is the freedom from conditions that threaten the ability of the internal audit activity or the chief
audit executive to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of
independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit
executive has direct and unrestricted access to senior management and the board. This can be achieved through
a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement,
functional, and organizational levels.

Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner
that they believe in their work product and that no quality compromises are made. Objectivity requires that
internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be
managed at the individual auditor, engagement, functional, and organizational levels.

1110 – Organizational Independence
The chief audit executive must report to a level within the organization that allows the internal audit activity to
fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the
organizational independence of the internal audit activity.

1110.A1 – The internal audit activity must be free from interference in determining the scope of internal auditing,
performing work, and communicating results.

1111 – Direct Interaction with the Board
The chief audit executive must communicate and interact directly with the board.

1120 – Individual Objectivity
Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

Interpretation:
Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a competing
professional or personal interest. Such competing interests can make it difficult to fulfill his or her duties
impartially. A conflict of interest exists even if no unethical or improper act results. A conflict of interest can
create an appearance of impropriety that can undermine confidence in the internal auditor, the internal audit
activity, and the profession. A conflict of interest could impair an individual's ability to perform his or her duties
and responsibilities objectively.

1130 – Impairment to Independence or Objectivity
If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed
to appropriate parties. The nature of the disclosure will depend upon the impairment.

Interpretation:
Impairment to organizational independence and individual objectivity may include, but is not limited to, personal
conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource
limitations, such as funding.

The determination of appropriate parties to which the details of an impairment to independence or objectivity
must be disclosed is dependent upon the expectations of the internal audit activity’s and the chief audit
executive’s responsibilities to senior management and the board as described in the internal audit charter, as
well as the nature of the impairment.

1130.A1 – Internal auditors must refrain from assessing specific operations for which they were previously
responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an
activity for which the internal auditor had responsibility within the previous year.

1130.A2 – Assurance engagements for functions over which the chief audit executive has responsibility must be
overseen by a party outside the internal audit activity.

    1130.C1 – Internal auditors may provide consulting services relating to operations for which they had previous
    responsibilities.

    1130.C2 – If internal auditors have potential impairments to independence or objectivity relating to proposed
    consulting services, disclosure must be made to the engagement client prior to accepting the engagement.

    1200 – Proficiency and Due Professional Care
    Engagements must be performed with proficiency and due professional care.

    1210 – Proficiency
    Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual
    responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other
    competencies needed to perform its responsibilities.

    Interpretation:
    Knowledge, skills, and other competencies is a collective term that refers to the professional proficiency required
    of internal auditors to effectively carry out their professional responsibilities. Internal auditors are encouraged
    to demonstrate their proficiency by obtaining appropriate professional certifications and qualifications, such as
    the Certified Internal Auditor designation and other designations offered by The Institute of Internal Auditors
    and other appropriate professional organizations.

    1210.A1 – The chief audit executive must obtain competent advice and assistance if the internal auditors lack the
    knowledge, skills, or other competencies needed to perform all or part of the engagement.

    1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in
    which it is managed by the organization, but are not expected to have the expertise of a person whose primary
    responsibility is detecting and investigating fraud.

    1210.A3 – Internal auditors must have sufficient knowledge of key information technology risks and controls and
    available technology-based audit techniques to perform their assigned work. However, not all internal auditors
    are expected to have the expertise of an internal auditor whose primary responsibility is information technology
    auditing.

    1210.C1 – The chief audit executive must decline the consulting engagement or obtain competent advice and
    assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part
    of the engagement.

    1220 – Due Professional Care
    Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor.
    Due professional care does not imply infallibility.

    1220.A1 – Internal auditors must exercise due professional care by considering the:

        Extent of work needed to achieve the engagement’s objectives;
        Relative complexity, materiality, or significance of matters to which assurance procedures are applied;
        Adequacy and effectiveness of governance, risk management, and control processes;
        Probability of significant errors, fraud, or noncompliance; and
        Cost of assurance in relation to potential benefits.

    1220.A2 – In exercising due professional care internal auditors must consider the use of technology-based audit
    and other data analysis techniques.

    1220.A3 – Internal auditors must be alert to the significant risks that might affect objectives, operations, or
    resources. However, assurance procedures alone, even when performed with due professional care, do not
    guarantee that all significant risks will be identified.

    1220.C1 – Internal auditors must exercise due professional care during a consulting engagement by considering
    the:

        Needs and expectations of clients, including the nature, timing, and communication of engagement results;
        Relative complexity and extent of work needed to achieve the engagement’s objectives; and
        Cost of the consulting engagement in relation to potential benefits.

    1230 – Continuing Professional Development
    Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional
    development.

    1300 – Quality Assurance and Improvement Program
    The chief audit executive must develop and maintain a quality assurance and improvement program that covers
    all aspects of the internal audit activity.

    Interpretation:
    A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s
    conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal
    auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit
    activity and identifies opportunities for improvement.

    1310 – Requirements of the Quality Assurance and Improvement Program
    The quality assurance and improvement program must include both internal and external assessments.

    1311 – Internal Assessments
    Internal assessments must include:

        Ongoing monitoring of the performance of the internal audit activity; and
        Periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices.

    Interpretation:
    Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal
    audit activity. Ongoing monitoring is incorporated into the routine policies and practices used to manage the
    internal audit activity and uses processes, tools, and information considered necessary to evaluate conformance
    with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

    Periodic reviews are assessments conducted to evaluate conformance with the Definition of Internal Auditing,
    the Code of Ethics, and the Standards.

    Sufficient knowledge of internal audit practices requires at least an understanding of all elements of the
    International Professional Practices Framework.

    1312 – External Assessments
    External assessments must be conducted at least once every five years by a qualified, independent reviewer or
    review team from outside the organization. The chief audit executive must discuss with the board:

        The need for more frequent external assessments; and
        The qualifications and independence of the external reviewer or review team, including any potential conflict of interest.

    Interpretation:
    A qualified reviewer or review team consists of individuals who are competent in the professional practice of
    internal auditing and the external assessment process. The evaluation of the competency of the reviewer and
    review team is a judgment that considers the professional internal audit experience and professional credentials
    of the individuals selected to perform the review. The evaluation of qualifications also considers the size and
    complexity of the organizations that the reviewers have been associated with in relation to the organization for
    which the internal audit activity is being assessed, as well as the need for particular sector, industry, or technical
    knowledge.

    An independent reviewer or review team means not having either a real or an apparent conflict of interest and
    not being a part of, or under the control of, the organization to which the internal audit activity belongs.

    1320 – Reporting on the Quality Assurance and Improvement Program
    The chief audit executive must communicate the results of the quality assurance and improvement program to
    senior management and the board.

    Interpretation:
    The form, content, and frequency of communicating the results of the quality assurance and improvement
    program is established through discussions with senior management and the board and considers the
    responsibilities of the internal audit activity and chief audit executive as contained in the internal audit charter.
    To demonstrate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, the
    results of external and periodic internal assessments are communicated upon completion of such assessments
    and the results of ongoing monitoring are communicated at least annually. The results include the reviewer’s or
    review team’s assessment with respect to the degree of conformance.

    1321 – Use of “Conforms with the International Standards for the Professional Practice of Internal
    Auditing”
    The chief audit executive may state that the internal audit activity conforms with the International Standards for
    the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement
    program support this statement.

    1322 – Disclosure of Nonconformance
    When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the
    overall scope or operation of the internal audit activity, the chief audit executive must disclose the
    nonconformance and the impact to senior management and the board.

    Performance Standards

    2000 – Managing the Internal Audit Activity
    The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the
    organization.

    Interpretation:
    The internal audit activity is effectively managed when:

        The results of the internal audit activity’s work achieve the purpose and responsibility included in the internal audit charter;
        The internal audit activity conforms with the Definition of Internal Auditing and the Standards; and
        The individuals who are part of the internal audit activity demonstrate conformance with the Code of Ethics and the Standards.

    2010 – Planning
    The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity,
    consistent with the organization’s goals.

    Interpretation:
    The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into
    account the organization’s risk management framework, including using risk appetite levels set by management
    for the different activities or parts of the organization. If a framework does not exist, the chief audit executive
    uses his/her own judgment of risks after consultation with senior management and the board.

    2010.A1 – The internal audit activity’s plan of engagements must be based on a documented risk assessment,
    undertaken at least annually. The input of senior management and the board must be considered in this process.

    2010.C1 – The chief audit executive should consider accepting proposed consulting engagements based on the
    engagement’s potential to improve management of risks, add value, and improve the organization’s operations.
    Accepted engagements must be included in the plan.

    2020 – Communication and Approval
    The chief audit executive must communicate the internal audit activity’s plans and resource requirements,
    including significant interim changes, to senior management and the board for review and approval. The chief
    audit executive must also communicate the impact of resource limitations.

    2030 – Resource Management
    The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively
    deployed to achieve the approved plan.

    Interpretation:
    Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the plan. Sufficient
    refers to the quantity of resources needed to accomplish the plan. Resources are effectively deployed when they
    are used in a way that optimizes the achievement of the approved plan.

    2040 – Policies and Procedures
    The chief audit executive must establish policies and procedures to guide the internal audit activity.

    Interpretation:
    The form and content of policies and procedures are dependent upon the size and structure of the internal audit
    activity and the complexity of its work.

    2050 – Coordination
    The chief audit executive should share information and coordinate activities with other internal and external
    providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

    2060 – Reporting to Senior Management and the Board
    The chief audit executive must report periodically to senior management and the board on the internal audit
    activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include
    significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed
    or requested by senior management and the board.

    Interpretation:
    The frequency and content of reporting are determined in discussion with senior management and the board and
    depend on the importance of the information to be communicated and the urgency of the related actions to be
    taken by senior management or the board.

    2100 – Nature of Work
    The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and
    control processes using a systematic and disciplined approach.

    2110 – Governance
    The internal audit activity must assess and make appropriate recommendations for improving the governance
    process in its accomplishment of the following objectives:

        Promoting appropriate ethics and values within the organization;
        Ensuring effective organizational performance management and accountability;
        Communicating risk and control information to appropriate areas of the organization; and
        Coordinating the activities of and communicating information among the board, external and internal auditors, and management.

    2110.A1 – The internal audit activity must evaluate the design, implementation, and effectiveness of the
    organization’s ethics-related objectives, programs, and activities.

    2110.A2 – The internal audit activity must assess whether the information technology governance of the
    organization sustains and supports the organization’s strategies and objectives.

    2110.C1 – Consulting engagement objectives must be consistent with the overall values and goals of the
    organization.

    2120 – Risk Management
    The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management
    processes.

    Interpretation:
    Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s
    assessment that:
        Organizational objectives support and align with the organization’s mission;
        Significant risks are identified and assessed;
        Appropriate risk responses are selected that align risks with the organization’s risk appetite; and
        Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.

    Risk management processes are monitored through ongoing management activities, separate evaluations, or
    both.

    2120.A1 – The internal audit activity must evaluate risk exposures relating to the organization’s governance,
    operations, and information systems regarding the:

        Reliability and integrity of financial and operational information;
        Effectiveness and efficiency of operations;
        Safeguarding of assets; and
        Compliance with laws, regulations, and contracts.

    2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the
    organization manages fraud risk.

    2120.C1 – During consulting engagements, internal auditors must address risk consistent with the engagement’s
    objectives and be alert to the existence of other significant risks.

    2120.C2 – Internal auditors must incorporate knowledge of risks gained from consulting engagements into their
    evaluation of the organization’s risk management processes.

    2120.C3 – When assisting management in establishing or improving risk management processes, internal
    auditors must refrain from assuming any management responsibility by actually managing risks.

    2130 – Control
    The internal audit activity must assist the organization in maintaining effective controls by evaluating their
    effectiveness and efficiency and by promoting continuous improvement.

    2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to
    risks within the organization’s governance, operations, and information systems regarding the:

                   Reliability and integrity of financial and operational information;
                   Effectiveness and efficiency of operations;
                   Safeguarding of assets; and
                   Compliance with laws, regulations, and contracts.

    2130.A2 – Internal auditors should ascertain the extent to which operating and program goals and objectives have
    been established and conform to those of the organization.

    2130.A3 – Internal auditors should review operations and programs to ascertain the extent to which results are
    consistent with established goals and objectives to determine whether operations and programs are being
    implemented or performed as intended.

    2130.C1 – During consulting engagements, internal auditors must address controls consistent with the
    engagement’s objectives and be alert to significant control issues.

    2130.C2 – Internal auditors must incorporate knowledge of controls gained from consulting engagements into
    evaluation of the organization’s control processes.

    2200 – Engagement Planning
    Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives,
    scope, timing, and resource allocations.

    2201 – Planning Considerations
    In planning the engagement, internal auditors must consider:

        The objectives of the activity being reviewed and the means by which the activity controls its performance;
        The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level;
        The adequacy and effectiveness of the activity’s risk management and control processes compared to a relevant control framework or model; and
        The opportunities for making significant improvements to the activity’s risk management and control processes.

    2201.A1 – When planning an engagement for parties outside the organization, internal auditors must establish a
    written understanding with them about objectives, scope, respective responsibilities, and other expectations,
    including restrictions on distribution of the results of the engagement and access to engagement records.

    2201.C1 – Internal auditors must establish an understanding with consulting engagement clients about objectives,
    scope, respective responsibilities, and other client expectations. For significant engagements, this understanding
    must be documented.

    2210 – Engagement Objectives
    Objectives must be established for each engagement.

    2210.A1 – Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under
    review. Engagement objectives must reflect the results of this assessment.

    2210.A2 – Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other
    exposures when developing the engagement objectives.

    2210.A3 – Adequate criteria are needed to evaluate controls. Internal auditors must ascertain the extent to which
    management has established adequate criteria to determine whether objectives and goals have been
    accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal
    auditors must work with management to develop appropriate evaluation criteria.

    2210.C1 – Consulting engagement objectives must address governance, risk management, and control processes
    to the extent agreed upon with the client.

    2220 – Engagement Scope
    The established scope must be sufficient to satisfy the objectives of the engagement.

    2220.A1 – The scope of the engagement must include consideration of relevant systems, records, personnel, and
    physical properties, including those under the control of third parties.

2220.A2 – If significant consulting opportunities arise during an assurance engagement, a specific written
understanding as to the objectives, scope, respective responsibilities, and other expectations should be reached
and the results of the consulting engagement communicated in accordance with consulting standards.

2220.C1 – In performing consulting engagements, internal auditors must ensure that the scope of the engagement
is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope
during the engagement, these reservations must be discussed with the client to determine whether to continue
with the engagement.

2230 – Engagement Resource Allocation
Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on
an evaluation of the nature and complexity of each engagement, time constraints, and available resources.

2240 – Engagement Work Program
Internal auditors must develop and document work programs that achieve the engagement objectives.

2240.A1 – Work programs must include the procedures for identifying, analyzing, evaluating, and documenting
information during the engagement. The work program must be approved prior to its implementation, and any
adjustments approved promptly.

2240.C1 – Work programs for consulting engagements may vary in form and content depending upon the nature
of the engagement.

2300 – Performing the Engagement
Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the
engagement’s objectives.

2310 – Identifying Information
Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement’s
objectives.

Interpretation:
Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the
same conclusions as the auditor. Reliable information is the best attainable information through the use of
appropriate engagement techniques. Relevant information supports engagement observations and
recommendations and is consistent with the objectives for the engagement. Useful information helps the
organization meet its goals.

2320 – Analysis and Evaluation
Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.

2330 – Documenting Information
Internal auditors must document relevant information to support the conclusions and engagement results.

2330.A1 – The chief audit executive must control access to engagement records. The chief audit executive must
obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties,
as appropriate.

2330.A2 – The chief audit executive must develop retention requirements for engagement records, regardless of
the medium in which each record is stored. These retention requirements must be consistent with the
organization’s guidelines and any pertinent regulatory or other requirements.

2330.C1 – The chief audit executive must develop policies governing the custody and retention of consulting
engagement records, as well as their release to internal and external parties. These policies must be consistent
with the organization’s guidelines and any pertinent regulatory or other requirements.

2340 – Engagement Supervision
Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is
developed.

Interpretation:
The extent of supervision required will depend on the proficiency and experience of internal auditors and the
complexity of the engagement. The chief audit executive has overall responsibility for supervising the
engagement, whether performed by or for the internal audit activity, but may designate appropriately
experienced members of the internal audit activity to perform the review. Appropriate evidence of supervision is
documented and retained.

2400 – Communicating Results
Internal auditors must communicate the engagement results.

2410 – Criteria for Communicating
Communications must include the engagement’s objectives and scope as well as applicable conclusions,
recommendations, and action plans.

2410.A1 – Final communication of engagement results must, where appropriate, contain internal auditors’ overall
opinion and/or conclusions.

2410.A2 – Internal auditors are encouraged to acknowledge satisfactory performance in engagement
communications.

2410.A3 – When releasing engagement results to parties outside the organization, the communication must
include limitations on distribution and use of the results.

2410.C1 – Communication of the progress and results of consulting engagements will vary in form and content
depending upon the nature of the engagement and the needs of the client.

2420 – Quality of Communications
Communications must be accurate, objective, clear, concise, constructive, complete, and timely.

Interpretation:
Accurate communications are free from errors and distortions and are faithful to the underlying facts. Objective
communications are fair, impartial, and unbiased and are the result of a fair-minded and balanced assessment of
all relevant facts and circumstances. Clear communications are easily understood and logical, avoiding
unnecessary technical language and providing all significant and relevant information. Concise communications
are to the point and avoid unnecessary elaboration, superfluous detail, redundancy, and wordiness. Constructive
communications are helpful to the engagement client and the organization and lead to improvements where
needed. Complete communications lack nothing that is essential to the target audience and include all significant
and relevant information and observations to support recommendations and conclusions. Timely
communications are opportune and expedient, depending on the significance of the issue, allowing management
to take appropriate corrective action.

    2421 – Errors and Omissions
    If a final communication contains a significant error or omission, the chief audit executive must communicate
    corrected information to all parties who received the original communication.

    2430 – Use of “Conducted in Conformance with the International Standards for the Professional Practice of
    Internal Auditing”
    Internal auditors may report that their engagements are “conducted in conformance with the International
    Standards for the Professional Practice of Internal Auditing”, only if the results of the quality assurance and
    improvement program support the statement.

    2431 – Engagement Disclosure of Nonconformance
    When nonconformance with the Definition of Internal Auditing, the Code of Ethics or the Standards impacts a
    specific engagement, communication of the results must disclose the:

                     Principle or rule of conduct of the Code of Ethics or Standard(s) with which full conformance was not achieved;
                     Reason(s) for nonconformance; and
                     Impact of nonconformance on the engagement and the communicated engagement results.

    2440 – Disseminating Results
    The chief audit executive must communicate results to the appropriate parties.

    Interpretation:
    The chief audit executive or designee reviews and approves the final engagement communication before issuance
    and decides to whom and how it will be disseminated.

    2440.A1 – The chief audit executive is responsible for communicating the final results to parties who can ensure
    that the results are given due consideration.

    2440.A2 – If not otherwise mandated by legal, statutory, or regulatory requirements, prior to releasing results to
    parties outside the organization the chief audit executive must:

                           Assess the potential risk to the organization;
                           Consult with senior management and/or legal counsel as appropriate; and
                           Control dissemination by restricting the use of the results.

    2440.C1 – The chief audit executive is responsible for communicating the final results of consulting
    engagements to clients.

    2440.C2 – During consulting engagements, governance, risk management, and control issues may be identified.
    Whenever these issues are significant to the organization, they must be communicated to senior management and
    the board.

    2500 – Monitoring Progress
    The chief audit executive must establish and maintain a system to monitor the disposition of results
    communicated to management.

    2500.A1 – The chief audit executive must establish a follow-up process to monitor and ensure that management
    actions have been effectively implemented or that senior management has accepted the risk of not taking action.

    2500.C1 – The internal audit activity must monitor the disposition of results of consulting engagements to the
    extent agreed upon with the client.

    2600 – Resolution of Senior Management’s Acceptance of Risks
    When the chief audit executive believes that senior management has accepted a level of residual risk that may be
    unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If
    the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the board
    for resolution.


            GOVERNMENT ACCOUNTABILITY OFFICE “YELLOW BOOK”
                             STANDARDS

    SUMMARY
    The general standards contained in Generally Accepted Government Auditing Standards ("GAGAS")
    set forth requirements for auditor independence, using professional judgment, ensuring competent
    team members, and conducting peer reviews. Specific standards set forth requirements for fieldwork
    and reporting in the areas of financial, attestation, and performance assurance activities. In general,
    GAGAS standards are stricter than IIA standards in the types of non-audit services that auditors may
    provide, the amount of training auditors must undergo, the frequency of peer reviews, and the level of
    documentation contained in audits and the wording in those reports. The UT System Audit Office has
    provided recommendations to all audit departments in order to ensure full compliance with GAGAS.
    Those recommendations are summarized below along with the corresponding reference in GAGAS. In
    order to be completely versed in the standards, it is critical that all
    auditors obtain and read them. GAGAS may be found at the Government Accountability Office's
    website:
    http://www.gao.gov/govaud/yb2003.pdf.

    GENERAL STANDARDS

    Independence
1) When using specialists for projects (e.g., co-sourced audits), obtain independence certifications and
    statements of knowledge of GAGAS independence requirements. Document qualifications of the
    specialist (they do not have to perform work under GAGAS, just acknowledge that they are
    independent under those standards).
2) Inventory non-audit activities performed and determine whether activities are allowable or unallowable
    based on criteria in 3.14 - 3.18. (Common non-audit activities to consider include management of
    participation in the institutional compliance program, participation in peer reviews, performance of
    consulting engagements, interviewing of candidates for management positions, oversight of
    management, both functionally and administratively, and development of organizational policies).
3) For allowable activities, document reasons for being allowable and how safeguards are met based on
    criteria in 3.17.
4) Ensure peer review team examines a selection of non-audit activities to test for compliance with 3.17.
5) Develop policies and procedures for identifying personal impairments, communicating them to all
    auditors in the organization, ensuring understanding of policies through training, obtaining
    acknowledgement of policies, monitoring compliance with policies, establishing a disciplinary
    mechanism for violating policies, and stressing the importance of independence.
6) Identify, report, and resolve impairments to independence timely.
7) Identify factors causing external impairments in 3.19 and ensure policies are in place to identify them.
8) Identify factors causing organizational impairments and ensure policies are in place to identify them.
9) Ensure peer review teams assess whether policies and procedures are in place for identifying, resolving
    and reporting impairments and ensure that impairments identified are acted upon timely.

    Professional Judgment
10) Review working papers and audit programs to ensure evidence of the use of professional judgment in
    applying the right standards to an engagement, defining the scope of work, selecting the methodology,
    determining the types of evidence to be relied upon, and choosing tests and procedures, and evaluating
    results.

    Competence
11) Ensure a process is in place for recruitment, hiring, continuous development, and evaluation of staff to
    ensure adequate competence.
12) Ensure that staff members collectively possess the technical knowledge, skills, and experience
    necessary to be competent for the type of work being performed BEFORE beginning fieldwork.
13) When performing external financial statement work, ensure auditors on the engagement have
    knowledge of GAAP and external auditing standards.
14) Document compliance with CPE requirements of 80 hours every two years (minimum of 20 per year),
    with at least 24 hours in industry-specific courses.

    Peer Reviews
15) Ensure policies and procedures are in place to ensure the audit organization complies with GAGAS.
    Retain documentation evidencing compliance with policies and procedures. Procedures should include
    ongoing monitoring of policies and procedures to ensure they are effective.
16) Perform peer reviews every three years (with the review occurring no later than three years and 90 days
    after the start of fieldwork of the last review per footnote 38 of GAGAS).
17) Perform remedial action on results of peer review.
18) Ensure team members have knowledge of GAGAS, are independent, and do not participate in a
    reciprocal review.
19) Ensure peer review reports reference all standards under which they were performed.

    SPECIFIC PROJECT STANDARDS
     Fieldwork and Reporting Requirements (Open to determine whether GAGAS should be cited in
     reports)
20) If GAGAS is cited in the audit report, auditors are required to follow the standards outlined in chapters
     4 - 8, depending on the type of audit (financial, attestation, or performance).
21) Auditors should ensure that if GAGAS is cited in the audit report, the audit file and report should
     evidence compliance with the fieldwork and reporting standards, respectively, in chapters 7 and 8.

University of Texas Permian Basin

SECTION C
(Audit Procedures)

OVERVIEW OF AUDIT PROCEDURES
The following audit procedures are intended to provide a guideline and maintain uniformity within the
Audit Department. Included in this section are a TeamMate guide that will assist you with documenting
your work within this electronic work paper software and attribute templates for expenditure testing.

In order to ensure consistency among audit staff in carrying out their duties and responsibilities,
guidelines detailing minimal requirements pertaining to audit work-paper preparation and
documentation including standard audit report formats will be addressed.

Keep in mind that audit reports are official documents distributed to management within the university.
In addition, our reports are subject to exposure and review by external parties. For this reason, we must
implement standards in creating reports that demonstrate professionalism and consistency. All audit
reports issued by this office should exhibit the same format and be free of spelling and grammatical
errors. A sample report has been included for your benefit.

                            INDEPENDENCE PROCEDURE

Individual Objectivity

Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest. To
maintain this Standard, the Office has adopted an Annual Independence/Conflict of Interest Statement.
This form will be signed annually, at the beginning of the calendar year, by all audit staff members.
New audit staff members will sign when hired.

In addition, the QAR Form has been modified in order to report any potential independence or conflict
of interest with each audit engagement.


Impairments to Independence or Objectivity

If independence or objectivity is impaired in fact or appearance, the details of the impairment should be
disclosed immediately to the Director of Internal Audits.

If an accidental impairment to independence or objectivity occurs, the Director shall inform the
University Ethics Office of the situation for his/her consideration. If necessary, the auditor will be
removed from the engagement. If warranted, the impairment will be included in the Report and the
Audit Committee will be notified.

Disciplinary action for willful neglect to disclose impairment to independence or objectivity may result
in a Letter of Reprimand by the Director of Internal Audits.

All University employees are required to complete a conflict of interest statement upon employment at the
University and this statement is submitted on an annual basis.

The Director of Internal Audits also performs teaching duties for the University and as part of her teaching plan
she involves her students in actual Departmental audits of the University. All audit work is reviewed by the Audit
Department before it is submitted to the Audit Committee. All students are required to fill out a non-disclosure
form seen below:

                     The University of Texas of the Permian Basin
     STATEMENT OF NON-DISCLOSURE FOR CONFIDENTIAL AND SENSITIVE DATA

I understand by virtue of my affiliation with the University of Texas of the Permian Basin through the audit project
in Accounting 4306, I may have access to records on various media which contain individually identifiable or
confidential information, the disclosure of which is prohibited by either state or federal law, or university-
designated as confidential or sensitive. I acknowledge that I fully understand that the intentional disclosure by me
of this information to any individual not authorized by the owner of the data could subject me to criminal and civil
penalties imposed by law. I further acknowledge that such willful or unauthorized disclosure also violates The
University of Texas of the Permian Basin’s procedure and could constitute just cause for disciplinary action
regardless of whether criminal or civil penalties are imposed.

I also acknowledge that failure to sign this statement could result in denial or revocation of my access to all audit
information and other sensitive data at The University of Texas of the Permian Basin.

                                                     Accounting 4306

Name Printed                                         Course




Signature                                            Date




   If there is any question or uncertainty, contact Narita K. Holmes, Internal Auditor for clarification as to what data
    are confidential or sensitive, who are data owners, and what constitutes authorized access.
                                        TYPES OF AUDITS

1. Change in Management / Departmental

These types of audits determine whether the department is conducting its financial and business
processes under an adequate system of internal control, as required by University policy and guidelines
and good business practice. These audits are normally performed when an administrator at the level of
Dean or above leaves office.

2. Compliance Audits

Compliance audits are performed to determine if a system is adequately designed to ensure compliance
with University policies and procedures as well as external requirements. External requirements
include compliance with federal and state laws and regulations, the National Collegiate Athletic
Association (NCAA) legislation, etc.

3. Financial Audits

This type of audit verifies that controls over acquisition and use of resources are adequate. It also
verifies that sufficient controls exist over assets, liabilities, revenues, and expenditures. It addresses
the accounting for and reporting of financial transactions, including commitments, authorizations, and
receipt and disbursement of funds.

4. Operational Audits

This type of audit examines the use of resources to evaluate whether those resources are being used in
the most efficient and effective way to fulfill the operation's mission and objectives. An operational
audit can include elements of compliance, financial and IT audits.

5. Investigative Audits

Investigative audits focus on alleged civil or criminal violations of state or federal laws or university
policies and procedures that may result in prosecution or disciplinary action. Examples are allegations
of theft, misuse of university assets, white-collar crime and conflicts of interest.

6. Information Technology (IT) Audits

IT audits address the internal control environment of automated information processing systems.
Although IT audit projects focus primarily on systems in the development stages, they typically
evaluate system input, output, processing controls, backup and recovery plans, system security as well
as computer facilities.

                           SUMMARY OF AUDIT PROCESS
Engagement Memo - With few exceptions, audit clients are notified in writing when their area is
selected for review. These letters are sent to the vice president of the area being audited as well as to
the appropriate dean, chairperson, or director. The engagement memo states the date, time, and place
of the opening conference and the objectives to be accomplished in the audit. Due to the nature of
some audit work, we may give little or no advance notice.

Planning - During the planning process, the auditor gains an understanding of the area to be audited.
This includes interviewing key personnel, reviewing relevant policies and procedures and, if available,
reviewing prior audit work papers. A risk assessment is created documenting key activities, the risks
associated with those activities, and the probability and impact of the risk.

Entrance Conference - An entrance conference is scheduled with the head of the department to
discuss the purpose and scope of the audit. We encourage audit clients to discuss any concerns or
questions they may have about the audit. Audit clients may also request that a review of those areas of
most concern to them be included as part of the audit activity.

Fieldwork - During the audit fieldwork phase, the auditor will test the adequacy and effectiveness of
the internal control environment for the specific audited area. The nature of the work includes
interviews, sample selection, sample testing against the criteria and documentation of the results.
Written policies and procedures may be requested to aid the auditor in understanding departmental
operations; however, it is often necessary for auditors to reside in the department office(s) to conduct
interviews and review departmental records. In order to minimize disruption of daily operations, we try
to schedule meetings in advance to avoid potential scheduling conflicts. The duration of audits varies
depending upon scope. Hence, limited scope audits require less time than audits with broader scopes,
which could lengthen the audit time period. Additionally, the level of cooperation from auditees and
access to personnel and records have a direct bearing on the duration of audits.

Progress Meetings - During the audit, progress meetings are held to keep the customer apprised of any
potential observations and the status of our review.

Draft Audit Report - A draft report is prepared and, after it has been reviewed by the Director of
Internal Audits, distributed to management to verify factual content.

Exit Conference - At the conclusion of fieldwork, an exit conference is held to discuss the audit
findings, observations, and recommendations. Attendees
include the auditors, members of management responsible for oversight and operation of the area
under review, as well as those individuals who will have a direct or indirect involvement in resolving
audit concerns identified. The exit conference provides an opportunity to clear and resolve questions or
concerns pertaining to findings, or other issues, before the final audit report is released.

Communicating Results - Audit results are presented to audit clients via verbal or written
communication and usually include recommendations intended to benefit the area under review and
the University. Audit clients have an opportunity to discuss concerns identified within the audit and to
concur or disagree with conclusions and recommendations. In any event, audit clients are required to
provide, in writing, proposed resolutions including reasonably expected implementation dates.

Final Audit Report - The final audit report includes findings and recommendations along with
management's responses. Copies of the report are distributed to the president, appropriate vice
presidents, the audited unit's manager, and the System Audit Office. Audit findings are also included in
a summary of all UT component reports provided to the chancellor and the Audit Committee of the
Board of Regents.

Customer Survey - After the engagement is complete, our office will send a survey through our
SurveyMonkey tool, requesting the audit client to provide feedback on the performance of the auditor.

Follow-up Reviews - Our professional standards require that we follow up and report on previously
reported findings to determine if corrective action was taken and audit concerns were resolved.




                                  INTERNAL CONTROL

What is internal control?
Internal control is a process, effected by The University of Texas System ("UT System") Board of
Regents, management and other personnel, designed to provide reasonable assurance regarding
achievement of objectives in the following categories:

Operations -- relating to effective and efficient use of UT System's resources,
Financial reporting -- relating to preparation of reliable published financial statements, and
Compliance -- relating to UT System's compliance with applicable laws and regulations.

Internal control consists of five interrelated components as follows:

Control environment -- Control environment factors include the integrity, ethical values and
competence of the entity's people; management's philosophy and operating style; the way management
assigns authority and responsibility, and organizes and develops its people; and the attention and
direction provided by the Board of Regents.
Risk assessment -- A precondition to risk assessment is establishment of objectives, linked at different
levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to
achievement of objectives then forming a basis for determining how the risks should be managed.
Control activities -- Control activities are the policies and procedures that help ensure management
directives are carried out. They help ensure that necessary actions are taken to address risks to
achievement of the entity's objectives. They include a range of activities as diverse as approvals,
authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and
segregation of duties.
Information and communication -- Pertinent information must be identified, captured, and
communicated in a form and time frame that enables people to carry out their responsibilities.
Information systems produce reports, containing operational, financial, and compliance-related
information that make it possible to run and control the business. They deal not only with internally
generated data, but also with information about external events, activities, and conditions necessary for
informed business decision-making and external reporting.
Monitoring -- Internal control systems need to be monitored--a process that assesses the quality of the
  system's performance over time. It includes regular management and supervisory activities, and other
  actions personnel take when performing their duties.

  All components are relevant to each objectives category. When looking at any one category, all five
  components must be present and functioning effectively to conclude that internal control over
  operations is effective.

  What are the key concepts for internal controls?
  Internal control is a process. It is a means to an end, not an end in itself. Internal control is effected by
  people. It is not merely procedure manuals and forms, but people at every level of an organization.
  Internal control can be expected to provide only reasonable assurance, not absolute assurance, to
  management and Board of Regents. Internal control is geared to the achievement of objectives in one
  or more separate but overlapping categories.

  When is internal control effective?
  Internal control can be judged effective in each of the three categories, respectively, if the Board of
  Regents and management have reasonable assurance that they understand the extent to which:
  The entity's operational objectives are being achieved,
  Published financial statements are being prepared reliably, and
  Applicable laws and regulations are being complied with.

  What are factors limiting internal controls?

  Judgment – Managers in a well-controlled organization can make bad decisions.
  Breakdowns – People with control responsibilities may not carry them out effectively.
  Management Override – Managers may intentionally go outside established practices for illegitimate
  purposes.
  Cost vs. Benefit – Resources are limited. Managers properly accept a degree of risk when the cost of
  controlling the risk exceeds the benefit.

  Note: The above definition of internal control and related concepts are taken directly from Internal
  Control -- Integrated Framework by the Committee of Sponsoring Organizations of the Treadway
  Commission (COSO). See COSO MODEL BELOW

                                       RISK ASSESSMENT
The Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of
Internal Auditing Performance Standard 2201 – Planning Considerations requires “internal auditors to
consider the significant risks to the activity, its objectives, resources, and operations and the means by
which the potential impact of risk is kept to an acceptable level”. Other planning considerations can be
obtained from The Institute of Internal Auditors’ International Standards for the Professional
Practice of Internal Auditing.




              TEAMMATE WORK PAPERS GUIDE (AUDIT PROJECT)


Note: You will need the Audit Assignment Sheet to create the new audit project within TeamMate.

Creating a New Audit Project

To create a new TeamMate Audit Project, follow these steps:

       Open TeamMate (if not already running) by double clicking the TeamMate Suite icon.
       Click on TeamMate – EWP (Electronic Working Papers)

Note: The TeamMate Explorer is the first screen displayed when TeamMate is launched. If not
displayed, then Open TeamMate Explorer, using the File | Open menu option.

Click on the Master Tab and project files should appear. If not, then the Master Tab must be mapped
to the shared drive. To map to the shared drive, follow these steps:
With the cursor on the Master Tab, right click, go to the modify location tab, browse to the Shared
Drive V: TeamMate Backup Audit Files Folder>Audits>FY 20XX, click Open, and then click
OK.

TeamMate Explorer

TeamMate Explorer performs several important roles within TeamMate. Its primary function is to
create, open, restore, and delete Project files – including installing Replicas. It is also used to maintain
storage locations, allowing the user to create, edit, and delete Locations (tabs).

Click on the New button in the TeamMate Explorer to run the New Project
Wizard and follow these steps:

New Project Wizard (Step 1 of 3)

The New Project Wizard is a three step process used to create all new projects within TeamMate.
Step 1 of the New Project Wizard will be to create a new project from scratch.


Creating a New Project

The first Dialogue box is used to gather the basic information about the project file being set up.
Specifically, auditors must enter:
Project No. XX-FIN-ZZZ, where XX=Fiscal Year and ZZZ=Sequential Number (e.g., 06-FIN-001)
Project Group:
           Financial
           Departmental – Change in Management
           Institutional Compliance
           Risk Based Project
           Information Technology
           Management Services
Project Name/Title
Project Assigned Date
Location (Master Tab)

Note: TeamMate requires all the fields for this step to be completed before proceeding
to Step 2.

Once completed, click the next button to move to Step 2.

Step 2 of the New Project Wizard requires the selection of a TeamMate Library File. Files with a
.TML extension are TeamMate Library files. A TeamMate Library contains a number of properties
used to define any newly created projects. These files are created by TeamMate Coordinators and are
usually distributed with the TeamMate installation disks. These files should not be moved, edited, or
deleted. The TeamMate Library file will determine the type of project created. You must select a
valid .TML file before continuing to Step 3 of the New Project Wizard.

Select Base Library (With PA).tml or browse to the Shared Drive V: TeamMate Audit Backup
Files Folder and proceed to Step 3 by clicking the next button.

For Step 3 of the New Project Wizard, you are required to set up a project team member. Any project
file created in TeamMate must contain at least one Administrator. The team member created in the
New Project Wizard will (by default) become the Project Administrator. This role MUST be
reassigned to the Director.

The Last Name, First Name, Initials, Password and Verify fields are required, while the Title field is
optional. Once the Finish button has been clicked and the project successfully created, the Browser
will be displayed, and you can begin to set up and work on the project.

***For Change in Management Audits, the audit program has been created, reviewed, and
approved.
   Note: The New Project Wizard will (by default) create the project in the Master Location tab selected
   in TeamMate Explorer, when the New Project Wizard was activated.



   Setup and Work on the Audit Project

   Once you are within your newly created audit project, the Snapshot dialogue box will automatically be
   displayed along with the “Roaming Toolbar”. The “Roaming Toolbar” may be rolled up or down by
   double clicking the top of the toolbar.

   Snapshot

   The Snapshot provides a (point in time) statistical analysis of the status of the entire project. The
   Snapshot can be used as a review tool, showing the progress of the project at any point in time. The
   Snapshot is constantly and automatically updated and can easily be displayed by either selecting the
   Project | Snapshot menu option or by clicking on the Snapshot button in the Standard toolbar.

   The Browser

   The Browser acts as a hierarchical index or table of contents to all work documented within a
   TeamMate project. It is the first window displayed (after Snapshot) when a TeamMate project is
   opened.

    The Browser is divided into two re-sizeable panes similar to Windows Explorer.

1. The Left Browser pane acts as an index to the file and is used for navigation to the appropriate
   section. Only the following default folders and subfolders are displayed in the left pane.
   PA: Planning and Administration
   PA1: Planning
   PA2: Administration
   AS: Audit Summary
   AS1: Current Exceptions
   AS2: Reports
   CG: Component Groups

   Note: Each auditor will rename the component groups to “Fieldwork” so that it will look as follows:
   CG: Fieldwork. To do this, right click on component groups and click rename. The auditor will now
   add to the Fieldwork folder.

   Adding Fieldwork Folders

   Adding a Fieldwork Folder to the Browser is completed by using the Add Folder button on the toolbar
   or by selecting the Edit | New Folder menu option, when the CG: Fieldwork folder is
   selected/highlighted in the Browser.
   The New Fieldwork / Area dialogue contains the following:

  Audit Reference Code (ARC) also known as folder or work paper references.

   Note: The auditor should be careful when adding folders or importing and/or adding work papers to
   TeamMate. The ARC is automatic and sequential and CANNOT be edited.
   Component Group Title - The Component Group Title: field is used to specify the title of the folder
   being added to the Browser. This will be the major section of your audit program. Each
   component group folder created will be lettered (i.e., A, B, C, D, etc.).

   First Component Title - The First Component Title: field is used to specify the title of the parent folder
   being added to the Browser. This will be the same as the component group title unless you have a
   minor section within a major.

   When completed, click OK. Two subfolders will automatically be created within each component
   group folder: a Supplementary Information subfolder and a major section subfolder (i.e., A: SI
   Supplementary Information and A.1). Disregard the Supplementary Information subfolder. This folder will not be
   used at this time.

   By double clicking the A.1 subfolder, the procedures summary will appear in the right browser pane as
   A.1.PS.

2. The Right Browser pane displays a detailed view of the contents of each folder in the file. As you
   move through the folders in the left pane, the right pane will adjust to display the contents of each
   selected folder. The first item in each newly created folder will be the Procedures Summary. This area
   will contain the audit steps, results of work done and the overall conclusion.


   Creating Procedures

   Procedures can be automatically added to the Browser by importing planning from a TeamStore, or
   manually added to Procedure Summaries of the required Procedure. Procedures are added by adding
   rows to the Procedure Summary.

   To manually add Procedures:

          Navigate to the CG: Field work folder to which the Procedure belongs.
          Navigate to the Procedure to which the new Procedures are to be added.
          Open the Procedure Summary for the required Procedure. (right browser pane)
          Click on the Add Row (or Insert Row) button in the TeamMate toolbar or use the Edit | Add
           Row menu option.
          Once the new Procedure has been added to the Procedure Summary, complete the required
           fields on the Procedure Summary and allocate the Procedure to a Team Member and a Visit.
          To save the added Procedures, close the Procedure Summary Schedule, saving the changes
           made.
When Procedures are added to the Procedure Summary, they are given the Title “New Row”. This
Procedure Title can be renamed, by either double clicking on the Procedure Title, or selecting the
Procedure Title and pressing <F2>.

Note: You must assign the Director with Administrator privileges and the Asst. Director with
Preparer/Reviewer privileges. To do this, click on Profile located on the navigation toolbar and select
the Team tab. Click on Add and fill in the information requested. A password must be created at this
time. The temporary password will be audit and should be changed when the person logs on.

Adding Work papers

As mentioned before, care must be taken when adding work papers to the Procedures Summary
because of the automatic referencing. To add work papers, you MUST be in the Procedures Summary
screen. You may perform either one of the following options:

   Right click and select add work paper or
   Drop the “Floating Toolbar” and select add work paper.

Audit Work papers

The following is a list of the work papers to be included under each folder:

PA: Planning and Administration
PA1: Planning
A. Planning Memo
B. Internal Control Questionnaire (ICQ)
C. Background Information
D. Organization Chart
E. Goals, Objectives, ODP Map
F. Risk Assessment
G. Interviews
H. Flow Charts
I. Prior Audits
J. Audit Program

PA2: Administration
A. Assignment Sheet
B. Entrance Conference Memorandum
C. Entrance Conference Narrative
D. Exit Conference Memo/Narrative
E. Quality Assurance Review (QAR)

AS: Audit Summary

AS1: Current Exceptions
AS2: Reports

CG: Field work**
A. Background
   a. Policies and Procedures Manual
   b. Risk Assessment & Implementation Plan
   c. Employee Performance Evaluations

B. Reliability and Integrity of Key Financial Information
   a. Expenditures
   b. Account Reconciliations
   c. Revenue and Cash Receipts
   d. Time Reporting
   f. Segregation of Duties

C. Safeguarding of Assets
   a. Inventory Test

D. Information Technology
   a. Computer Access

**NOTE: Change in Management Audits are being demonstrated in this example. Field work
folders may appear different for other types of audits.


Cross Referencing Work papers

Cross referencing may be performed by creating hyperlinks within the work papers and can be a one-
way or two-way hyperlink. For the most part, we will be creating two-way hyperlinks.

Creating a Hyperlink

Creating a Hyperlink is done by clicking on the Hyperlink button on the Application toolbar.

If creating a two way Hyperlink:

      Go to the location within the schedule where you want to place one end of the cross reference.
      Click on the Hyperlink button in the Application toolbar.
      Select the "Copy As Target" button.
      Once this has been done, you can complete (display) the link by going to the location where the
       other end of the cross reference is to be placed and clicking on Hyperlink button.
      Select the "Paste Link" tab.
      If you wish the link to be two way (visible from both linked schedules), select the "Create as 2-
       way Link" checkbox.
      Click on OK and the Hyperlink is created.

If creating a one way Hyperlink to a designated schedule:
          Position the text cursor or select the spreadsheet cell on the schedule where the Hyperlink is
           to be positioned.
          Click on the Hyperlink button in the Application Toolbar.
          To create a Hyperlink to a particular schedule, select the "Link to ARC" tab.
          Select the schedule to be linked to from the mini-Browser displayed.
          After making your selections, click on the Insert button to place the link.

The Audit Programs, for non Change in Management audits, should be placed in the Planning folder
for approval by the Audit Director. These audit programs must be cross-referenced/linked to the work
papers. As work papers are completed, preparers should sign off as follows:

Signing Off Schedules

Schedules can be signed off using the Sign Off button in the Application Toolbar. To sign off a
schedule:

Open the Sign off and Edit History dialogue box by clicking on the Sign Off button.

      To sign the Schedule off as Prepared, click on the Green Sign Off button.
      To sign off a Schedule as Reviewed, click on the Blue Sign Off button.
      When the appropriate Sign Off button has the Team Member's initials and date stamped beside
       it, clicking on OK will save the sign off record.

Note: Coaching Notes and Procedures also require sign off, but this is achieved via the sign off buttons
displayed on the Coaching Notes dialogue box (Done By & Cleared By), and on the right pane of the
Procedure Summary, respectively.

TeamMate Reports

TeamMate provides the ability to automatically produce Reports from a number of TeamMate type
schedules. These Reports are generated in Microsoft Word, using a process similar to a mail merge.
When the report type is selected, TeamMate will launch Word, extract the information from TeamMate
and create a report based on information in the project.

Once the Report has been created, the data displayed is no longer linked to TeamMate. It should be
treated as a standard Word work paper. Subsequent changes to any of the TeamMate type schedules
after the report has been generated will not be reflected in the report file. For this reason, reports are
usually created towards the end of the project when the information is fairly static.

There are two ways in which a report can be generated from within TeamMate. To generate a report
based on the entire contents on the project file, use the Browser menu option Tools | Generate Report.
For more specific (filtered and sorted) information, you can generate a report based on the information
displayed in any TeamMate type schedule or summary viewer.

TeamMate provides the ability to produce reports based on Exceptions, Procedures, Coaching Notes,
and Schedules Status. The reports can be produced in either a narrative or table format. In addition,
TeamMate has the capability to create a customized TeamMate Report based on one of the above.

There is some limitation with respect to combining fields from the report types listed above. The
exception to this is the Profile fields. All but the large text fields (typically Planning, Background and
Objective) are available in any of the report types listed below.

To generate a TeamMate Report, the Report Wizard goes through the following steps:

1. Report Wizard - (Report) Selection
2. Report Wizard - Scope (Filter & Sort) Selection
      Coaching Note Reports
      Exception Reports
      Procedure Reports
      Procedure Summary Report
      Schedule Status Report
      Profile Report

3. Report Wizard - Data Preview
4. Report Wizard - (Choose) Destination

After completing these Steps, TeamMate will generate a Report based on your selections.

Exception Reports

The auditor will generate an Exceptions report via the Report Wizard and Save the exceptions report
to the V/shared drive under the EXCEPTION REPORTS folder.
SEE EXHIBIT A

Audit Reports

Note: All Audit Reports will contain the following sections and in this order:

         Executive Summary
         Background
         Audit Objective
         Audit Scope and Methodology
         Audit Results
         Conclusion

There will be two draft reports and one final uploaded to TeamMate in the REPORTS section and all
findings and recommendations on the drafts will be cross-referenced to the work papers. SEE
EXHIBIT B

         First draft to auditee
         Second draft with auditee responses
         Final report will be uploaded in PDF format after being approved by the Audit Committee

Quality Assurance Review

At the completion of the audit, the auditor will complete a Quality Assurance Review (QAR) form and
upload it to the Administrative section. This form may be found on the shared drive under the Change
in Management folder. SEE AUDIT MANUAL SECTION H

At the conclusion of the audit project, the auditor assigned to the project is responsible for ensuring
that all work papers and coaching notes have been reviewed and signed-off in preparation for the
“finalization” process. The auditor should inform the Director that the project file is ready to be
closed. The Director is the only person authorized to close projects. The following steps provide an
overview of the finalization process.

Finalization

Finalization is the process which moves a project from the “Field Work” or “Post Field Work” stage to
“Finalized”. Projects should only be finalized when the work has been completed and no more changes
are necessary, as once the project has been finalized it will be marked as Read-Only.

To finalize a project:

      Select the Browser menu option File | Administration | Stages
      Click on the “Complete / Finalize” button
      This will start the Finalization Wizard.

Step 1 of the Finalization Wizard starts out by explaining to the Administrator what processes will take
place throughout the Finalization Wizard. No action is required for this step, so simply click on the
Next button to proceed to Step 2.

Note: The Finalization process can be cancelled at any time prior to Step 6.

Step 2 of the wizard checks the signoff status of each schedule within the project. Click on the “Click
here to begin the scan” button, and TeamMate will display all schedules not signed off.

For Finalization, if the conditions set by the option buttons have not been met (i.e. Halt status found),
the Finalization Wizard will disable the Next button. However if performing the Post Field Work
wizard or the Finalization where no Halt conditions exist, click on the Next button to proceed to Step 3
of the process.

Step 3 of the wizard checks the status of each Procedure Summary Step within the project. Click on the
“Click here to begin the scan” button, and TeamMate will display all steps not signed off.

If the conditions set by the option buttons have not been met (i.e. Halt status found), the wizard will
disable the Next button. However if performing the Post Field Work wizard or the Finalization where
no Halt conditions exist, click on the Next button to proceed to Step 4 of the Finalization process.

Step 4 of the wizard checks the status of all the Coaching Notes within the project. This final check
performed by the wizard will display any Coaching Notes that have not been Cleared. Click on the
“Click here to begin the Scan” button and the Wizard will list the Coaching Notes not Cleared. It is
important (but not essential) that all Coaching Notes be Cleared before proceeding to Finalization Step
5 or Post Field Work Step 5.

Coaching Notes and Edit History may be permanently deleted from the project when the project is
actually finalized, depending on the option selected in Step 6 of the Finalization
wizard. To continue with the process, click on the Next button to proceed to the next step.

Note: The Coaching Notes and Edit History WILL NOT be deleted; therefore, it is imperative that the
defaults are changed to read the options in Step 6.

Step 5 of the Finalization Wizard is a precautionary measure. Before the Finalization wizard finalizes
the Project, the Administrator has the option to make a Backup. Specify the location for the backup file
and click on the “Click here to start backup” button. Once the backup is complete, use the Next button
to proceed to the last step (Step 6) of the Finalization Wizard.

Note: A backup of the project prior to closing is required and should be saved under Shared Drive F:
TeamMate Folder>Backups (Prior to Close)

Step 6 of the Finalization Wizard is the decisive point of the process. First set the two option buttons
to retain Edit Histories and Coaching Notes, and then STOP AND THINK! Has all work on the
project been completed in accordance with the applicable Standards? Proceeding with this step is
irreversible.

Clicking on the “Click here to start the finalization process” button will perform the Finalization
process in accordance with the options chosen, and will then make the audit READ ONLY.

Note: A backup of the project after finalization is required and you need to save in Shared Drive V:
TeamMate Backup Files Folder>XX Backups_Post Closing, where XX = Fiscal Year.




FOR MORE DETAILED AND/OR TECHNICAL GUIDANCE ON USING TEAMMATE,
REFER TO THE HELP MENU
   ADDENDUM

   WORK PAPERS

   Work papers are the means by which auditors document the work performed. There are two types of
   work papers:

1. Manual work papers – they include hard copies of documents and files
   (NO LONGER KEPT AS A RESULT OF TEAMMATE)

2. Electronic work papers – documents in electronic format (PDF files, spreadsheets, and Word
   documents, etc.) which are normally stored and maintained in an electronic medium such as a
   computer.

   Work papers serve both as tools to aid the auditor in performing his work, and as written evidence of
   the work done to support the auditor’s report. Information included in work papers should be
   sufficient, competent, relevant, and useful to provide a sound basis for audit findings and
   recommendations. Section B-2 of the Standards for the Professional Practice of Internal Auditing
   defines sufficient, competent, relevant, and useful as follows:

      Sufficient information is factual, adequate, and convincing so that a prudent, informed person
       would reach the same conclusions as the auditor.

      Competent information is reliable and the best attainable through the use of appropriate audit
       techniques.

      Relevant information supports audit findings and recommendations and is consistent with the
       objectives for the audit.

      Useful information helps the organization meet its goals.

   Qualities of Good Work Papers

   1. Complete
   Work papers must be able to “stand alone.” This means that all questions must be answered, all points
   raised by the reviewer must be cleared, and a logical, well-thought-out conclusion must be reached for
   each audit segment.

   2. Concise
   Work papers must be confined to those that serve a useful purpose.

   3. Neat
Work papers should not be crowded. Allow for enough space on each schedule so that all pertinent
information can be included in a logical and orderly manner. At the same time, keep work papers
economical. Forms and procedures should be included only when relevant to the audit or to an audit
recommendation. Also, try to avoid unnecessary listing and scheduling. All schedules should have a
purpose which relates to the audit procedures or recommendations.


Work Paper Techniques

1. Organization
Work papers should be organized in a manner which would allow efficient retrieval of any needed
information.

2. Tick marks
The auditor makes frequent use of a variety of symbols to indicate work that has been done. These
symbols are commonly referred to as tick marks. As these tick marks have no special or uniform
meaning in themselves, an explanation of each tick mark should be made on the schedule on which it
appears.

3. Cross-referencing
Cross-referencing within work papers should be complete and accurate. Refer to the section on cross-
referencing found on page 6. The audit program should be cross-referenced to work papers related to
each program step. Work papers should be cross-referenced to each other, as appropriate, and to any
resulting Audit Exception. A copy of the final audit report should be cross-referenced directly to
supporting work papers.

4. Carry forward
The auditor should make full use of the work papers developed in the prior audit. Flow charts, system
descriptions, and other data may still be valid. Copies of those papers which remain useful should be
made a part of the current working papers. They should be updated with current information,
renumbered, referenced, and initialed and dated by the current auditor.


Types of Work Papers

All work papers should be scanned (as necessary) and converted to electronic format for inclusion in
TEAMMATE.

1. Schedules and Analyses
 Schedules and analyses are useful for identifying statistical trends, verifying the accuracy of data,
 developing projections or estimations, and determining if tasks or records have been properly
 completed.


2. Documents

 Copies or actual samples of various documents can be used as examples, for clarification, and as
 physical evidence to support a conclusion or prove the existence of a problem. These documents can
 be memos, reports, computer printouts, procedures, forms, invoices, flow charts, contracts, or any of
 numerous other items. Any original documents or copies included in the work papers should serve a
 useful audit purpose.

 The following suggestions are offered for preparation of work papers using documents rather than the
 auditor’s notes:

    Indicate both the person and/or file that the document came from.

    Copy and insert only that portion of the report, memo, procedure, etc., which is needed for
     purposes of explanation or as documentation of a potential finding. Do not include the entire
     document in the work papers unless absolutely necessary.

    Fully explain the terms and notations found on the document, as well as its use. This is especially
     true when including maps, engineering drawings or flow charts in the papers. These explanations
     may be made on an attached preceding page or on the face of the document itself.

    Each document should be cross-referenced either to the page or separate analysis where it was
     discussed.

    No document should be included in the work papers without an explanation of why it was
     included.

    Documents larger than 8 ½ x 14 should be reduced when practicable.

3. Process Write-ups and Flow Charts

 In many audits, it is necessary to describe systems or processes followed by the auditee. Describe such
 procedures or processes through the use of write-ups or flow charts, or a combination of the two. The
 choice of which method to use will depend on the relative efficiency of the method in relation to the
 complexities of the system being described.

 Write-ups are often easier to use, and should be used if the system or process can be described clearly
 and concisely. However, when write-ups would be lengthy and description of related control points
 difficult to integrate in the narrative, flow charting (or a combination of write-ups and flow charting) is
 an appropriate alternative. Flow charts conveniently describe complex relationships because they
 reduce narrative explanations to a picture of the system. They are concise and may be easier to
analyze than written descriptions. (Refer to section C-7, Flow Charting).

4. Interviews

Certain information is best obtained through formal interviews conducted either in person or by
telephone. Formal interviews are most desirable because the interviewees know they are providing
input to the audit; however, impromptu interviews, or even casual discussions, can often provide
important information. All pertinent information obtained in interviews/discussions should be
documented in the work papers. Interviews are useful in identifying problem areas, obtaining general
knowledge of the audit subject, collecting data not in a document form, and documenting the auditee’s
opinions, assessments, or rationale for actions. Interview notes should contain only the information
provided by the person interviewed, and not include any of the auditor’s opinions.

5. Observations

What the auditor observes can serve the same purposes as interviews. If observations can be used to
support any conclusions, then they should be documented. They are especially useful for physical
verifications. Observations used as supporting documentation should generally include the following
items:

         Time and date of the observation.

         Where the observation was made.

         Who accompanied the auditor during the observation.

         What was observed. When testing is involved, the work papers should include the sample
          selections and the basis of the sample.

6. Exceptions/Findings

All significant audit findings should be documented in the work papers (See C-8: Audit Findings).
All findings should be documented within the EXCEPTIONS SECTION in TeamMate as soon as
practical by the auditor discovering the situation.

                                                     EXHIBIT A
                                                 Exception Report



EX.1 - Risk Assessment and Implementation Plan

Reference: A.1.PS

Finding:
1. The GEAR UP department had not developed a risk assessment and implementation plan.
2. The department had not developed a business continuity/disaster recovery plan.

Criteria/Standard:
1. As per UT System's 1996 Action Plan to Enhance Internal Controls, every department is required to complete a
Risk Assessment and Implementation Plan and to forward a copy of the form to its Vice President and to the Director of
Internal Audit.
2. As per UT System UTS 165 “a backup and recovery plan, commensurate with the risk and value of the computer
system and data, must be in place (business continuity plan)”.

Business Implication:
1. Without assessing financial, compliance, operational or strategic risks and mitigating these risks, the department
may not achieve its goals or objectives.
2. The department will not be able to continue operations in the event of a disaster without a business continuity plan
in place.

Cause:
Lack of knowledge of required department plans


Recommendation:
1. The GEAR UP department should develop a risk assessment focusing on financial, compliance, operational, and
strategic risks. Once the risks are identified, an implementation plan should be developed to mitigate the risks.
2. Additionally, the department should identify all major components of its operations, develop procedures in the
event of a system failure or natural disaster to obtain business continuity and basic services, and incorporate these into a
business continuity/disaster recovery plan, which should be communicated to all employees.



EX.2 - Inventory process breakdown

Reference: D.1.PS, D.1.1

Finding:
We identified one laptop missing (Tag #52720) that was originally identified on the Inventory Certification List submitted
to Assets Management as having been located in one of the GEAR UP Offices during inventory certification. The laptop
was not in working condition as stated by the property custodian and was thought to have been sent to surplus. No
documentation was available to support the laptop being sent to surplus.

Although the inventory process was effective, the process was not documented and the individual conducting the inventory
was a new hire.


Criteria/Standard:
As stated in the Handbook of Operating Procedures Section 8.1.2, paragraph F - Responsibilities of Accountable Officers
1. When the University’s property is entrusted to a person other than the Accountable Officer, the Accountable
Officer shall require a written receipt for such property from the person receiving custody.
2. Accountable Officers will take all reasonable precautions to assure that property is used only for official business,
and is safeguarded in such a manner as to ensure against loss or damage. If, in spite of such precautions, property is stolen,
missing, destroyed, or damaged, a report to the Property Manager via Assets Management should be filed. Lost or Stolen
Property to the University Police Department.
3. Accountable Officers are responsible for completing physical inventories of property assigned to their accounts.

Business Implication:
Negative publicity and loss of funding for future purchases


Cause:
Lack of knowledge of procedure caused by lack of department handbook


Recommendation:
The Account Manager should report this missing laptop to Assets Management and the University Police Department in
accordance with H.O.P Section 8.1.2. The process for conducting a physical inventory of equipment should be documented
in the department's manual. Those individuals responsible for completing physical inventories and transferring obsolete or
non-working equipment should refer to the department's manual.



EX.3 - Allocable Costs - Mileage Reimbursements

Reference:

Finding:
The GEAR UP department was improperly charging mileage to the original grant instead of allocating the mileage between
the original and the new grant based on the schools visited and the activities conducted by the Academic Advisors as
indicated in the supporting documentation.


Criteria/Standard:
In accordance with OMB Circular A-21 - Cost Principles for Educational Institutions, allocation means the process of
assigning a cost, or a group of costs, to one or more cost objective, in reasonable and realistic proportion to the benefit
provided or other equitable relationship. A cost objective may be a major function of the institution, a particular service or
project, a sponsored agreement, or a F&A cost activity, as described in Section F of the circular. The process may entail
assigning a cost(s) directly to a final cost objective or through one or more intermediate cost objectives. Any costs
allocable to a particular sponsored agreement under the standards provided in this Circular may not be shifted to other
sponsored agreements in order to meet deficiencies caused by overruns or other fund considerations, to avoid restrictions
imposed by law or by terms of the sponsored agreement, or for other reasons of convenience. Direct cost allocation
principles. If a cost benefits two or more projects or activities in proportions that can be determined without undue effort or
cost, the cost should be allocated to the projects based on the proportional benefit. If a cost benefits two or more projects or
activities in proportions that cannot be determined because of the interrelationship of the work involved, then,
notwithstanding subsection b, the costs may be allocated or transferred to benefited projects on any reasonable basis,
consistent with subsections d. (1) and (2).


Business Implication:
Funding on original grant depleted and noncompliance with OMB Circular A-21 Cost Principles


Cause:
Improper review of mileage reimbursements and new grant awarded resulting in allocation of costs between two grants
with similar activities.

Recommendation:
The GEAR UP department should properly account for the mileage reimbursements based on the supporting
documentation. GEAR UP should correct the mileage costs incorrectly charged to the original grant and allocate those
costs to the new grant prior to close-out of the original grant.
                                         Executive Summary

The Student Financial Services Office (“Office”) currently consists of an Executive Director
(“Director”), 27 full-time employees, four direct wage employees and numerous work study
employees. The Director manages 205 accounts with a total FY 06 operating budget of approximately
$18,783,235. All of the funding for the financial aid programs is received from federal, state and local
agencies.

As required by the 1996 Action Plan to Enhance Internal Controls, a departmental audit is performed
when a department undergoes a change in management or a significant change in reporting lines. The
purpose of our audit was to evaluate the adequacy and effectiveness of the system of internal controls
with an emphasis on administrative and financial controls within the Office. Our scope encompasses
activity for the 2006 calendar year. Our audit was conducted in accordance with guidelines set forth in
The University of Texas System’s Policy UTS 129 and the Institute of Internal Auditors’ International
Standards for the Professional Practice of Internal Auditing.

Based on our audit, we determined that the Office had established adequate internal controls. However,
we identified a few areas where improvements to the Office’s internal controls could help to better
achieve their goals and objectives.

                                             Background

The Office is committed to the overall mission of the University and the Division of Enrollment &
Student Services. They are dedicated to helping students and families in the pursuit of their
educational goals by removing financial barriers which would otherwise discourage or prohibit
attendance by qualified students who lack adequate resources; by providing high quality customer
service in a professional, caring, and equitable manner; by enhancing recruitment and retention efforts
to attract promising undergraduates and graduates to the University; and by administering financial aid
programs in compliance with federal, state and institutional regulations and guidelines.

The Student Financial Services Director assumed her duties on March 20, 2006. The Director is
currently responsible for 27 full-time employees, four direct wage employees and numerous work
study employees. However, only the Office Administrative Associate, Account Technician, Associate
Director and Executive Associate Director were under her direct responsibility (i.e. responsible for
approving time sheets, sick and vacation leave, performance appraisals). The Director was also
responsible for 205 University accounts with a total FY 06 operating budget of approximately
$18,783,235.

One such program, established in 1999 and administered by the Texas Higher Education Coordinating
Board, is the Texas Grant Program. This program covers tuition and required fees for well-prepared
students attending Texas public Universities, community colleges and technical schools who have
successfully completed a recommended high school graduation program and show financial need. In
FY06 the operating budget for the Texas Grant Program alone was $17,113,777.

                          EXHIBIT B

                                           Audit Objective

The purpose of our audit was to evaluate the adequacy and effectiveness of the system of internal
controls with an emphasis on administrative and financial controls within the Student Financial
Services-Director’s Office.

                                   Audit Scope and Methodology

We conducted a standard change in management audit over the Office. The audit was conducted using
the following procedures:

              We requested that the Director complete an Internal Control Questionnaire.
              We reviewed the completed Questionnaire with the Director in order to establish a
               better understanding of the Office’s workflows.
              We determined if the Director had established a control conscious environment,
               whether goals and objectives for the Office had been developed, and whether a risk
               assessment and implementation plan had been developed.
              We randomly selected 20 accounts under the Director for review to determine whether
               procedures for account reconciliations had been established.
              We determined if the Office was keeping adequate documentation on the preparation
               and review of their account reconciliations.
              We determined whether the Office had established adequate segregation of duties over
               account reconciliations and cash handling procedures.
              We examined their operating and financial information for reliability.
              We tested a random sample of 35 expenditures and examined supporting
               documentation for proper approval and authorization.
              We reviewed personnel files, selected time sheets for those employees directly under
               the supervision of the Director, and tested timesheets for approval and authorization. A
               total of 10 timesheets were tested.
              We performed property inventory testing for the existence of selected assets, and
               determined whether selected assets were properly recorded on the University’s asset
               management system.
              We reviewed controls for personal computers to evaluate physical and data security.
              We verified the Office’s compliance with University policies and procedures.

Our audit was conducted in accordance with guidelines set forth in The University of Texas System’s
Policy UTS 129 and the Institute of Internal Auditor’s International Standards for the Professional
Practice of Internal Auditing. The scope of our engagement was from September 2007 to August of
2008; the audit was conducted during the months of December 2008 through February 2009.
                                               Audit Results
   Monitoring

   Monitoring is the assessment of internal controls over time. We assessed the Office’s controls over
   their complaint procedures, personal use of Office property and account activity.

   We randomly selected 20 accounts under the responsibility of the Director for review and selected the
   months of May and August from each account for testing (40 reconciliations in total for testing). Of
   these 40 account reconciliations, we were unable to retrieve documentation for seven of them.
   According to the University account reconciliation training documentation, reconciliations are done to
   “Provide the account manager with an accurate amount of the remaining budget balance.” Six of the
   missing reconciliations were related to federal programs. We determined, through inquiries, that the six
   reconciliations related to the federal programs were not prepared due to the accounts’ inactivity.
   Additionally, these accounts had no activity for several years. Without the proper notification of the
   balances to the account manager, these accounts may stay open longer than necessary.
   The final missing reconciliation was related to an account used by the Office for salary payments and
   various operating expenses. The Office’s account technician stated that this was one of several
   reconciliations that had been misplaced by the Office and that they were in the process of recreating
   them. Documentation should be adequately maintained and safeguarded for verification purposes.

   We noted that the Office had established adequate controls over personal use of Office property and
   complaint procedures.

   Recommendation

1. The Director should be aware of accounts with inactivity and/or zero balances and should evaluate the
   need for maintaining those accounts.

   2. The Office should increase its controls over the safeguarding of documentation.
   The reconciliations should be stored on a network drive or backed up on removable storage devices.

   Management Response
                                          FLOWCHARTS
                                   General Flowcharting Guidelines


A. Clarity and simplicity in presentation are essential. Excessive detail may tend to conceal rather than
   expose key points. Complex processes and exception controls may be better explained in narrative
   form. However, narrative explanations should be kept brief. The combination of the flowchart and a
   narrative description tends to be far superior to either format alone.

B. Only transactions/documents with control significance should be shown (i.e. control over authorization,
   recording, safeguarding, reconciliation and valuation). This can generally be accomplished by
   including only those activities where data is initiated, changed or transferred to other functional areas.
   For a process to be flowcharted, it must be broken down into its component parts, namely actions and
   decisions. The name(s) and/or position(s) of individuals processing/handling the transactions should be
   indicated for each action. The name of each document should also be included within the document
   symbols.

C. The auditor usually obtains information necessary for preparing or updating flowcharts by interviewing
   employees at each site about procedures followed, and by reviewing procedure manuals, existing
   flowcharts and other system documentation. Sample documents should be collected and individuals in
   each area involved should be questioned about their specific duties.


   Specific Flowcharting Practices

A. To ensure completeness and consistency, the specific internal control objectives must be documented
   when flowcharting a transaction processing system.

B. The flowchart should identify the specific internal controls, and these should be cross-referenced to the
   specific control objectives.

C. Flowcharting symbols should be limited to those shown in the Internal Audit Flow Chart Template (See
    Attached). The flowcharting software is available on the network to assist you in flowcharting.

D. Start the flowchart in the upper left-hand corner of the paper and work toward the lower right-hand
   corner.

E. The flowchart begins with the inception of the transaction and ends with its recording in financial
   records.

F. The individual and department responsible for each flowchart step should be indicated at the top of the
   appropriate symbol.
G. Use action verbs in the flowchart to save space.
H. Use oversized symbols if the information will not fit within the standard-sized symbols.
I. Use connector symbols rather than drawing lines around or over parts of the flow chart.
                                       AUDIT FINDINGS


Elements of a Well-Developed Audit Finding
A. Statement of Condition (What is.)
B. Criteria (What should be.)
C. Cause (Why did it happen.)
D. Effect (What is the impact?)
E. Recommendation (What should be done.)


A. STATEMENT OF CONDITION

The condition identifies the nature and extent of the finding or unsatisfactory condition. It often
answers the question: “What was wrong?” Normally, a clear and accurate statement of condition
evolves from the auditor’s comparison of results with appropriate evaluation criteria.

B. CRITERIA

This element establishes the legitimacy of the finding by identifying the evaluation criteria, and
answers the question: “By what standards was it judged?” In financial and compliance audits, criteria
could be accuracy, materiality, consistency, or compliance with applicable accounting principles and
legal or regulatory requirements. In audits of efficiency, economy, and program results (effectiveness),
criteria might be defined in mission, operation, or function statements; performance, production, and
cost standards; contractual agreements; program objectives; policies, procedures, and other command
media; or other external sources of authoritative criteria.

C. CAUSE

The third element identifies the underlying reasons for unsatisfactory conditions or findings, and
answers the question: “Why did it happen?”

If the condition has persisted for a long period of time or is intensifying, the contributing causes for
these characteristics of the condition should also be described.

Identification of the cause of an unsatisfactory condition or finding is a prerequisite to making
meaningful recommendations for corrective action. The cause may be quite obvious or may be
identified by deductive reasoning. The audit recommendation points out a specific and practical way to
correct the condition. However, failure to identify the cause of a finding may also mean the cause was
not determined because of limitations or defects in audit work, or was omitted to avoid direct
confrontation with responsible officials.

D. EFFECT

This element identifies the real or potential impact of the condition and answers the question: “What
effect did it have?”

The significance of a condition is usually judged by its effect. In performance audits, reduction in
efficiency and economy, or not attaining program objectives (effectiveness), are appropriate measures
of effect. These are frequently expressed in quantitative terms; e.g., dollars, number of personnel,
units of production, quantities of material, number of transactions, or elapsed time. If the real effect
cannot be determined, potential or intangible effects can sometimes be useful in showing the
significance of the condition.

E. RECOMMENDATIONS

The final element identifies suggested remedial action and answers the question: “What should be
done?”

The relationship between the audit recommendation and the underlying cause of the condition should
be clear and logical. If a relationship exists, the recommended action will most likely be feasible and
appropriately directed.

Recommendations in the audit report detail should state precisely what needs to be changed or fixed.
How the change will be made is the auditee’s responsibility. More generalized recommendations (e.g.,
greater attention be given, controls be reemphasized, a study be made, or consideration be given)
should only be used in the audit report detail when more specific recommendations are deemed too
restrictive or otherwise inappropriate. However, such language may be appropriate in summarizing
recommendations for top management.

Unless benefits of taking the recommended action are obvious, they should be stated. The cost of
implementing and maintaining recommendations should be compared to risk whenever practical.

Recommendations should be directed to those capable of taking action.

SUMMARY

Well-written audit findings include: the nature of the findings; the criteria used to determine the
existence of the condition; the cause of the condition; the significance of its impact; and what the
auditors think should be done to correct the situation. Fully developed findings containing each of
these five elements are easily understood and convey impact and significance to appropriate
management officials.

Each finding should be documented in TeamMate through an Exceptions Report.

The status and disposition of all findings recorded in an audit should be monitored and documented for
follow-up.
                   AUDIT FOLLOW-UP & SIGNIFICANT FINDINGS

Audit follow-up will be performed to determine whether corrective action was taken and is achieving
the desired results. All audit follow-up activity will be identified with the same project code (i.e.,
07-FOL-000). Time spent on audit follow-up should be reported accordingly and identified on the weekly
Status Reports. A project file in TeamMate will be created at the beginning of every fiscal year and all
follow-up work papers will be maintained in the TeamMate follow-up project file.

Management responses are usually provided as part of the Audit Report and should provide
management's estimated implementation date. These estimated implementation dates are used to
establish the initial audit follow-up date. Audit follow-up activity is provided within the Quarterly
Status Report and initiating audit follow-up effort is the responsibility of the assigned auditor.

Due to the nature of audit follow-up, very little "audit planning" is required. However, it is advisable
that the assigned auditor initiate informal contact (usually via telephone) with the auditee to prearrange
the audit follow-up before the Audit Follow-up Memorandum is prepared and issued. If the timing of
the follow-up is inappropriate or unusual circumstances exist, other follow-up plans may be made in
consultation with the Director.

The results of the audit follow-up should be discussed with the responsible manager(s) and, if
necessary, a future follow-up date should be established. The audit follow-up memorandum should be
addressed to the manager responsible for the corrective action(s), with copies to the President and
appropriate Vice President(s). Work papers supporting the audit follow-up fieldwork should be
prepared, summarized, adequately cross-referenced, and included in TeamMate. Audit follow-up
activity, including follow-up memo and work papers within TeamMate, should be reviewed and
approved by the Director.

UT SYSTEM SIGNIFICANT FINDINGS (RED, YELLOW, GREEN)

An audit finding may be deemed significant by the Audit Director, by the Audit Committee, or by the
UT System Audit Office. If a finding was deemed “Significant”, the Auditor Assigned will contact the
responsible party to obtain an understanding of the overall progress towards completion of the
recommendation. The auditor will develop a work program within the TeamMate follow-up project file
that will document the work performed to assess whether progress on the recommendation is one of
the following:

      Complete – as deemed by Audit Director in consultation with staff. These recommendations
       will receive a color coding of GREEN. This also requires that the auditor provide some
       substantive evidence that the recommendations have been implemented.
      Progress is Satisfactory – issues are in process of being addressed in a timely and appropriate
       fashion. These recommendations will receive a color coding of YELLOW.
      Progress is Unsatisfactory – issues are not being addressed in a timely and appropriate fashion.
       These recommendations will continue to receive a color-coding of RED.
The Auditor Assigned will present a summary of corrective action to the Audit Director to determine
the status of the significant finding(s). We will inform the appropriate VP and the VPBA of the status
of the significant finding(s) based upon our follow-up work prior to submitting to UT System. The
Audit Director will submit an updated Excel spreadsheet to the UT System Audit Office on a quarterly
basis.


                            QUALITY ASSURANCE REVIEWS

GENERAL

The establishment and implementation of a quality assurance program for the Office of Internal Audits
is required by the Standards for the Professional Practice of Internal Auditing (Standards). In
accordance with Attribute Standard 1310, Quality Program Assessments, “the internal audit activity
should adopt a process to monitor and assess the overall effectiveness of the quality program. The
process should include both internal and external assessments.”

A quality assurance program should include the following elements:
    Supervision
    Internal reviews
    External reviews

SUPERVISION

Supervision is a continuing process. It focuses on individual audits. The assurance given should
include:
     That staff auditors conformed to the Office's policy,
     Audit objectives were met,
     Working papers supported findings and conclusions,
     Work papers provide adequate information for a meaningful report,
     The work that was completed was in accordance with the Standards.

Properly supervised audit projects are the first and, perhaps, the most important step in a
program of quality assurance.

INTERNAL REVIEWS

Internal reviews can provide both quality assurances to the Director and training for the staff. The
reviews are appraisals of how well auditors complied with the Standards and office policy. They
encompass the work of both staff and Director and are an assessment of a sample of audit working
papers and reports. The review should also provide recommendations for improvement. The result of
this review should be beneficial in that the results are supplied to the Director regarding how well the
audit work and the audit reports are documented. Also, the testing of audit projects in an external
review can be reduced if the external evaluators see credible evidence of internal reviews of such or
similar projects. Hence, the internal reviews should be carried out with the formality and discipline of
any other audit examination/project through close and knowledgeable supervision and through
periodic, unsparing self-assessments. As a result of this ongoing self-assessment, the Office of Internal
Audits will be adequately prepared for a formal external/peer review.

A Quality Assurance Review form was developed with these assurances and is located in Section H-12.

EXTERNAL/PEER REVIEWS

The purpose of the external/peer review is to provide an independent assurance of quality to those who
may rely on the work of the Office. The external review will be performed every three years to
appraise the quality of the Internal Audit Office operation. On completion, the Office will receive a
formal, written report expressing an opinion as to the Office’s compliance with the Standards and, as
appropriate, will include recommendations for improvement.




    SECTION D
 (Office Procedures)
                       WEEKLY TIME AND STATUS REPORTS

The Office of Internal Audits staff auditors must complete a bi-monthly time and status report. A time
reporting system has been established to assist the audit staff and management in reporting actual
hours worked on projects and in monitoring actual hours versus budgeted hours. The following is an
example of the Auditor Time and Status Report:
                          TASK TIME SPREADSHEET
                                 Aaron Munoz
                                 Internal Audit
                            For February 1-15, 2009

            Date          Task Description      Time on Task
            2/2/2009      VPSS                  4
            2/3/2009      VPSS                  4
            2/4/2009      VPSS                  4
            2/5/2009      CEED                  4
            2/6/2009      CEED                  3.5
            2/9/2009      VPSS                  4
            2/10/2009     CEED                  4
            2/11/2009
            2/12/2009     VPSS                  4
            2/13/2009     VPSS                  4

            Total time for September            35.5




                              LEAVE REQUEST PROCEDURE

The Office of Internal Audits employees must request vacation or other leave in advance from the
Director of Internal Audits. Requests to use State Compensatory Time must be in writing and approved
in advance by the Director of Audits.

If the employee is unable to request time off in advance (e.g., illness, death in the family, etc.), the
employee is required to notify the Director as soon as possible by calling the office main line
(432) 552-2700. Employees should also contact the office main line as soon as possible when coming
into the office late. If no one is available to answer, the employee should always leave a voice
message.

For further leave information such as jury duty; time off for voting; emergency leave; family and
medical leave act; employee leave of absence without pay; and military leave, please refer to the
policies issued by the Office of Human Resources found online at
http://ba.utpb.edu/human-resources/hr-policies-and-procedures/ or the Handbook of Operating
Procedures found online at http://www.utpb.edu/administration/operating-procedures/

                                    TRAVEL PROCEDURE

Procedure: The Office of Internal Audits Travel Procedure supplements The University of Texas-
Permian Basin (“UTPB”) which all UTPB employees must comply.


Travel
The Office of Internal Audits staff will travel occasionally to attend professional development
conferences or seminars. The mode of transportation will depend on the location of the destination and
on the rates.




                            STATE PROPERTY PROCEDURE

The Office of Internal Audits encourages employees to use information technology to do our work in
the most efficient, cost-effective way. Employees are primarily responsible for identifying
opportunities to enhance their performance through the use of information technology and for
providing adequate stewardship of the information technology entrusted to them. Laptop computers
and other related equipment are issued to all internal auditors. Each auditor is responsible for the
proper care and safety of the computer and related equipment.

This statement establishes policies and procedures for information technology and telephone use at the
Office of Internal Audits. For this policy, the term information technology and telephone includes, but
is not limited to, the following items:

      System units (including internal drives and removable cards)
      Monitors and keyboards
      Laptop battery packs
      External disk drives
      Modems and LAN adapters
      Pointing devices (a mouse)
      Printers
      Graphics devices (projection units)
      Imaging devices (scanners)
      Software
      CD ROM drives
      Jump/Flash/USB drives (portable)
      Telephone (Audix)
      Fax machines
      Email and Internet

Stewardship of Equipment
Auditors are not allowed to take their laptop computer off the premises unless a “Request to Remove
State Property from Campus” form has been completed and approved with the required signatures.
Upon signing the removal of equipment from university premises, an employee assumes responsibility
for the equipment, following Texas Government Code Ann., Section 403.275, Liability for Property
Loss. This form should be completed as needed or annually and be maintained in the employee files
by the Secretary.


Personal Use of Computers
Incidental personal use of computers and/or software is allowed to the extent of maintaining or
improving proficiency or professional development. However, no hardware, software, or data
should be used for direct or indirect personal business use.

Physical Security
Each employee is responsible for ensuring that his/her work area provides reasonable physical security
from unauthorized use, vandalism, or theft of computer equipment during non-working hours or when
unattended. The inner office doors should be locked for each office and the main Office door should
also be locked at the end of the day. Physical security includes the safeguarding of software
applications and data. Employees should adequately store removable storage devices to ensure access
only by authorized persons.

Compliance with Licensing Agreements
It is the procedure of the Office of Internal Audits to comply with all contractual obligations contained
in license agreements to which it is a party.

   Office of Internal Audits must register all purchased software, as applicable, with the vendor and
    the Office of Information Technology.
   Office of Internal Audits prohibits employees from duplicating, modifying, selling, trading, or
    otherwise distributing licensed computer software and accompanying documentation if contrary to
    the vendor's license agreements.
   Employees will not purchase or accept copies of software from any source if they know, or
    reasonably should have known, that the copies were made contrary to legally enforceable
    provisions of a vendor's license agreement.
   Software licensed to Office of Internal Audits should not be used on equipment other than that
    assigned to Office of Internal Audits unless specifically authorized by the Director of Audits.


Backup of Data
All Office of Internal Audits work should be maintained on the Office of Internal Audits shared
network drive. If performing work off-site, it is the responsibility of the employee to make regular
backup copies of all data maintained on the internal hard disk drive of their system. Backup of hard
disk drive data should be made to removable disks or CDs. Backup provides a method to recover
destroyed, lost or stolen data. The frequency of backup will depend on several factors, including the
importance of data, frequency of data maintenance, and the number of users reaching data. Upon
returning to the Office of Internal Audits, employees should immediately transfer work from their
internal hard disk drives onto the shared network.

Telephone, Fax, Email and Internet
Incidental personal use of University e-mail, a University telephone to make a local call, or the
Internet is permissible, provided that the use complies with applicable University policies, UT System
policies, and Regents’ Rules and Regulations, and does not result in additional cost to the University.


                            ADMINISTRATIVE PROCEDURES

NEW AUDIT - PROJECT CODE

At the beginning of every audit a project code is issued. The project code template is located on the
shared drive in the V:\TeamMate Backup Files folder (PROJECT CODE FOR FY 2009). In a project
code such as 09-FIN-XXX, 09 stands for the fiscal year and FIN indicates a financial audit; each audit
type has a different abbreviation, and these are located on ACCESS. The type of audit is determined
from the audit plan. Once we have a project code, the Secretary will input it into ACCESS for time
reporting purposes.


AUDIT REPORTS

After the audit is presented at the Audit Committee meeting, a final clean copy (with the draft marking
removed and any changes requested by the Audit Committee made) needs to be distributed to all
interested parties.




     SECTION E
(Rules and Regulations)
GOVERNMENT CODE
TITLE 10. GENERAL GOVERNMENT
SUBTITLE C. STATE ACCOUNTING, FISCAL MANAGEMENT, AND PRODUCTIVITY

CHAPTER 2102. INTERNAL AUDITING

         Sec. 2102.001. SHORT TITLE. This chapter may be cited as the Texas
Internal Auditing Act.

Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993.

         Sec. 2102.002. PURPOSE. The purpose of this chapter is to establish
guidelines for a program of internal auditing to assist agency administrators and
governing boards by furnishing independent analyses, appraisals, and recommendations
about the adequacy and effectiveness of a state agency's systems of internal control
policies and procedures and the quality of performance in carrying out assigned
responsibilities. Internal auditing is defined as an independent, objective assurance and
consulting activity designed to add value and improve an organization's operations. It
helps an organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control, and
governance processes.

Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
2003, 78th Leg., ch. 380, Sec. 1, eff. Sept. 1, 2003.

        Sec. 2102.003. DEFINITIONS. In this chapter:

                (1) "Administrator" means the executive head of a state agency.

                 (2) "Assurance services" means an examination of evidence for the
purpose of providing an independent assessment of risk management, control, or
governance processes for an organization. Assurance services include audits as defined
in this section.

                (3) "Audit" means:

                        (A) a financial audit described by Section 321.0131;

                        (B) a compliance audit described by Section 321.0132;

                        (C) an economy and efficiency audit described by Section
321.0133;

                        (D) an effectiveness audit described by Section 321.0134; or
                        (E) an investigation described by Section 321.0136.

                  (4) "Consulting services" means advisory and related client service
activities, the nature and scope of which are agreed upon with the client and are intended
to add value and improve an organization's operations. Consulting services include
counsel, advice, facilitation, and training.

               (5) "State agency" means a department, board, bureau, institution,
commission, or other agency in the executive branch of state government.

Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
1997, 75th Leg., ch. 1122, Sec. 11, eff. Sept. 1, 1997; Acts 2003, 78th Leg., ch. 380, Sec.
2, eff. Sept. 1, 2003.

          Sec. 2102.004. APPLICABILITY. (a) Sections 2102.005-2102.012 apply only
to a state agency that:

                (1) has an annual operating budget that exceeds $10 million;

               (2) has more than 100 full-time equivalent employees as authorized by
the General Appropriations Act; or

                (3) receives and processes more than $10 million in cash in a fiscal
year.

        (b) Sections 2102.013 and 2102.014 apply to each state agency that receives an
appropriation and that is not described by Subsection (a).



Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
2001, 77th Leg., ch. 804, Sec. 1, eff. Sept. 1, 2001; Acts 2003, 78th Leg., ch. 291, Sec. 1,
eff. June 18, 2003.



        Sec. 2102.005. INTERNAL AUDITING REQUIRED. A state agency shall
conduct a program of internal auditing that includes:

                (1) an annual audit plan that is prepared using risk assessment
techniques and that identifies the individual audits to be conducted during the year; and

                (2) periodic audits of the agency's major systems and controls,
including:

                        (A) accounting systems and controls;
                        (B) administrative systems and controls; and

                        (C) electronic data processing systems and controls.

Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
1997, 75th Leg., ch. 1122, Sec. 12, eff. Sept. 1, 1997.

         Sec. 2102.006. INTERNAL AUDITOR; STAFF. (a) The governing board of a
state agency or the administrator of a state agency that does not have a governing board
shall appoint an internal auditor.

         (b) An internal auditor must:

                (1) be a certified public accountant or a certified internal auditor; and

                (2) have at least three years of auditing experience.

         (c) The state agency shall employ additional professional and support staff the
administrator determines necessary to implement an effective program of internal
auditing.

          (d) The governing board of a state agency, or the administrator of a state
agency if the state agency does not have a governing board, shall periodically review the
resources dedicated to the internal audit program and determine if adequate resources
exist to ensure that risks identified in the annual risk assessment are adequately covered
within a reasonable time frame.

Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
2001, 77th Leg., ch. 804, Sec. 2, eff. Sept. 1, 2001; Acts 2003, 78th Leg., ch. 380, Sec. 3,
eff. Sept. 1, 2003.

         Sec. 2102.007. DUTIES OF INTERNAL AUDITOR. (a) The internal auditor
shall:

                (1) report directly to the state agency's governing board or the
administrator of the state agency if the state agency does not have a governing board;

                (2) develop an annual audit plan;

                (3) conduct audits as specified in the audit plan and document
deviations;

                (4) prepare audit reports;

                 (5) conduct quality assurance reviews in accordance with professional
standards as provided by Section 2102.011 and periodically take part in a comprehensive
external peer review; and

                 (6) conduct economy and efficiency audits and program results audits as
directed by the state agency's governing board or the administrator of the state agency if
the state agency does not have a governing board.

         (b) The program of internal auditing conducted by a state agency must provide
for the auditor to:

                (1) have access to the administrator; and

                (2) be free of all operational and management responsibilities that
would impair the auditor's ability to review independently all aspects of the state
agency's operation.

Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
2001, 77th Leg., ch. 804, Sec. 3, eff. Sept. 1, 2001.

         Sec. 2102.008. APPROVAL OF AUDIT PLAN AND AUDIT REPORT. The
annual audit plan developed by the internal auditor must be approved by the state
agency's governing board or by the administrator of a state agency if the state agency
does not have a governing board. Audit reports must be reviewed by the state agency's
governing board and the administrator.

Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
2001, 77th Leg., ch. 804, Sec. 4, eff. Sept. 1, 2001.

         Sec. 2102.009. ANNUAL REPORT. The internal auditor shall prepare an
annual report and submit the report before November 1 of each year to the governor, the
Legislative Budget Board, the Sunset Advisory Commission, the state auditor, the state
agency's governing board, and the administrator. The state auditor shall prescribe the
form and content of the report, subject to the approval of the legislative audit committee.

Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
1997, 75th Leg., ch. 1122, Sec. 13, eff. Sept. 1, 1997.

          Sec. 2102.0091. REPORTS OF PERIODIC AUDITS. (a) A state agency shall
file with the Sunset Advisory Commission, the budget division of the governor's office,
the state auditor, and the Legislative Budget Board a copy of each report submitted to the
state agency's governing board or the administrator of the state agency if the state agency
does not have a governing board by the agency's internal auditor.

        (b) Each report shall be filed not later than the 30th day after the date the report
is submitted to the state agency's governing board or the administrator of the state
agency if the state agency does not have a governing board.

         (c) In addition to the requirements of Subsection (a), a state agency shall file
with the budget division of the governor's office, the state auditor, and the Legislative
Budget Board any action plan or other response issued by the state agency's governing
board or the administrator of the state agency if the state agency does not have a
governing board in response to the report of the state agency's internal auditor.

Added by Acts 1999, 76th Leg., ch. 281, Sec. 7, eff. Sept. 1, 1999. Amended by Acts
2001, 77th Leg., ch. 804, Sec. 4, eff. Sept. 1, 2001.

         Sec. 2102.010. CONSULTATIONS. An internal auditor may consult the state
agency's governing board or the administrator of the state agency if the state agency does
not have a governing board, the governor's office, the state auditor, and legislative
agencies or committees about matters affecting duties or responsibilities under this
chapter.

Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
2001, 77th Leg., ch. 804, Sec. 4, eff. Sept. 1, 2001.

         Sec. 2102.011. INTERNAL AUDIT STANDARDS. The internal audit
program shall conform to the Standards for the Professional Practice of Internal
Auditing, the Code of Ethics contained in the Professional Practices Framework as
promulgated by the Institute of Internal Auditors, and generally accepted government
auditing standards.

Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
2003, 78th Leg., ch. 380, Sec. 4, eff. Sept. 1, 2003.

         Sec. 2102.012. PROFESSIONAL DEVELOPMENT. (a) Subject to approval
by the legislative audit committee, the state auditor may make available and coordinate a
program of training and technical assistance to ensure that state agency internal auditors
have access to current information about internal audit techniques, policies, and
procedures and to provide general technical and audit assistance to agency internal
auditors on request.

         (b) The state auditor is entitled to reimbursement for costs associated with
providing the services under the terms of interagency cooperation contracts negotiated
between the state auditor and each agency. The costs may not exceed those allowed by
the General Appropriations Act. Work performed under this section by the state auditor
is subject to approval by the legislative audit committee for inclusion in the audit plan
under Section 321.013(c).

Added by Acts 1993, 73rd Leg., ch. 268, Sec. 1, eff. Sept. 1, 1993. Amended by Acts
2003, 78th Leg., ch. 785, Sec. 33, eff. Sept. 1, 2003.

          Sec. 2102.013. ANNUAL RISK ASSESSMENT; REPORT. (a) A state
agency described by Section 2102.004(b) shall conduct each year a formal risk
assessment consisting of an executive management review of agency functions,
activities, and processes.

         (b) The risk assessment must:

                (1) evaluate the probability of occurrence and the likely effect of
financial, managerial, and compliance risks and of risks related to the use of information
technology; and

                  (2) rank risks according to the probability of occurrence and likely
effect of the risks evaluated.

          (c) The state agency shall submit the written risk assessment to the state auditor
in the form and at the time prescribed by the state auditor.

Added by Acts 2003, 78th Leg., ch. 291, Sec. 2, eff. June 18, 2003.

         Sec. 2102.014. EVALUATION OF RISK ASSESSMENT REPORTS;
AUDITS. (a) Based on risk assessment and subject to the legislative audit committee's
approval of including the work described by this subsection in the audit plan under
Section 321.013(c), the state auditor shall:

                 (1) evaluate each report submitted under Section 2102.013;

                (2) identify agencies with significant financial, managerial, or
compliance risk or significant risk related to the use of information technology; and

                 (3) recommend to the governor that the identified agencies obtain an
audit to address the significant risks identified by the state auditor.

         (b) The governor may order an agency identified under this section to:

                 (1) obtain an audit under governmental auditing standards;

                 (2) submit reports and corrective action plans as prescribed by Section
2102.0091; and

               (3) report to the state auditor the status of the agency's implementation
of audit recommendations in the form and addressing issues as prescribed by the state
auditor.

              (c) The governor may provide funds to agencies as necessary to pay the costs of
     audits ordered under this section from any funds appropriated to the governor for this
     purpose.

     Added by Acts 2003, 78th Leg., ch. 291, Sec. 2, eff. June 18, 2003.




                                Regents' Rules & Regulations
    The Rules and Regulations of the Board of Regents of The University of Texas System
    for the Government of The University of Texas System were reissued on December 10,
    2004. A Disposition Table is available to assist in locating rules as they existed in the
    Regents' Rules and Regulations prior to December 10, 2004. Also, a Summary of the
    Significant Changes to the Regents' Rules is available.

    The official copy of the Regents' Rules and Regulations is maintained by the Office of
    the Board of Regents.

    Rules and Regulations Table of Contents:


          Series 10000: Board Governance
          Series 20000: Administration
          Series 30000: Personnel
          Series 40000: Academic Issues
          Series 50000: Student Issues
          Series 60000: Development
          Series 70000: Investments
          Series 80000: Facilities
          Series 90000: Intellectual Property

    Series 10000: Board Governance


Rule 10100    Rule on Rules and Regulations
Rule 10101    Authority
Rule 10102    Chairman and Vice Chairmen (last amended 11/9/07)
Rule 10201    General Counsel to the Board of Regents (last amended 11/9/07)
Rule 10401    Meetings of the Board and Standing Committees (last amended 8/10/06)
Rule 10402    Committees and Other Appointments (last editorial amendment 3/17/08)
Rule 10403    Procedure (last amended 8/11/05)
Rule 10501    Delegation to Act on Behalf of the Board (last amended 11/13/08)
Rule 10601    Guidelines for the Santa Rita Award
Rule 10701    Policy Against Discrimination (last editorial amendment 8/25/08)

Series 20000: Administration


Rule 20101    Chancellor (last editorial amendment 3/17/08)
Rule 20102    Appointment of Officers
Rule 20201    Presidents (last amended 8/23/07)
Rule 20202    Cash Compensation for Chief Administrative Officers (last amended 8/10/06)
Rule 20203    Compensation for Key Executives (last amended 8/10/06)
Rule 20204    Determining and Documenting the Reasonableness of Compensation (last editorial amendment 3/18/08)
Rule 20205    Expenditures for Travel, Entertainment, and Housing by Chief Administrators (last editorial amendment 3/17/08)
Rule 20301    Honorary Titles and Degrees
Rule 20401    Audit and Compliance (last editorial amendment 3/17/08)
Rule 20402    Provision of Audit and Non-Audit Services by External Firms
Rule 20501    Accounting, Operating Budgets, and Legislative Appropriation Requests
Rule 20601    Aircraft Use
Rule 20701    Use of Historically Underutilized Businesses (last editorial amendment 3/18/08)
Rule 20801    Travel
Rule 20901    Procurement of Certain Goods and Services (last amended 2/8/07)




Series 30000: Personnel


Rule 30101    Classified Personnel Pay Plan (last amended 2/10/05)
Rule 30102    General Appointment Information
Rule 30103    Standards of Conduct
Rule 30104    Conflict of Interest (last editorial amendment 4/17/08)
Rule 30105    Sexual Harassment and Misconduct
Rule 30106    Nepotism
Rule 30107    Veteran's Employment Preferences
Rule 30112    Training and Education
Rule 30201    Leave Policies (last editorial amendment 4/1/08)
Rule 30202    Employee Benefits (last amended 11/13/08)
Rule 30203    Sick Leave Pool
Rule 30301    Employment of Retirees
Rule 30401    Employee and Faculty Advisory Councils
Rule 30501    Employee Evaluations
Rule 30601    Discipline and Dismissal of Classified Employees (last amended 11/9/07)
Rule 30602    Employee Grievance
Rule 31001    Faculty Appointments and Titles (last editorial amendment 2/3/09)
Rule 31002    Notice of Nonrenewal to Nontenured Faculty Members (last amended 8/23/07)
Rule 31003    Abandonment of Academic Positions or Programs
Rule 31004    Rights and Responsibilities of Faculty Members
Rule 31005    Faculty or Staff Absence
Rule 31006    Academic Workload Requirements
Rule 31007    Tenure (last amended 8/23/07)
Rule 31008    Termination of a Faculty Member (last amended 2/12/09)
Rule 31101    Evaluation of Administrators (last amended 2/9/06)
Rule 31102    Evaluation of Tenured Faculty


Series 40000: Academic Issues


Rule 40101    Faculty Role in Educational Policy Formulation
Rule 40201    Registered Organizations
Rule 40301    General Admission Policy
Rule 40302    Provisional Admission Policy
Rule 40303    Establishing Both Admission Policies and Criteria for Award of Scholarships and Fellowships (last editorial amendment 9/16/08)
Rule 40304    Affirmative Action Plans (last editorial amendment 2/12/08)
Rule 40305    Coordinated Admission Program
Rule 40306    Summer Enrollment Plan
Rule 40307    Academic Program Approval Standards (last amended 7/14/06)
Rule 40308    Review of Excess Core Curricula
Rule 40309    Administration of Courses Offered in Shortened Format
Rule 40310    Accessibility of Teacher Certification Courses
Rule 40311    Graduate Education
Rule 40401    Assessment, Collection, and Waiver of Tuition and Fees (last editorial amendment 9/17/08)
Rule 40402    Emergency Student Loan Program for Tuition and Fees
Rule 40403    Fees for Continuing Education Courses (last editorial amendment 9/17/08)
Rule 40404    Tuition Rates for Students Residing in Certain Counties and States and Attending Certain Institutions (last editorial amendment 9/17/08)
Rule 40405    Tuition Rates for Undergraduate Students with Excessive Semester Credit Hours (last editorial amendment 9/17/08)
Rule 40406    Administration of Scholarships
Rule 40407    Texas Public Education Grants/Loan Program
Rule 40501    Speech and Assembly
Rule 40502    Negotiations Related to Disruptive Activities Prohibited
Rule 40601    Institutions Comprising The University of Texas System (last amended 8/14/08)
Rule 40602    Organized Research Units
Rule 40701    Medical and Hospital Services
Rule 40703    Healthcare Risk Management
Rule 40801    Official Seal, Colors, Logo, and Mascot
Rule 40901    Charter Schools
Rule 40902    Guidelines for Cooperative Use of Courses and Facilities with Texas A&M University

Series 50000: Student Issues


Rule 50101    Student Conduct and Discipline (last amended 8/14/08)
Rule 50201    Student Advisory Council
Rule 50202    Student Organizations
Rule 50203    Participation in Student Government
Rule 50301    Off-Campus Student Housing
Rule 50302    Student Participation in Selection and Monitoring of Food Service Contractors
Rule 50303    Debts of Students
Rule 50304    Student Debit Cards
Rule 50305    Employment of a Student's Attorney
Rule 50401    Immunization of Students Against Hepatitis B
Rule 50402    Health Insurance Requirements for Certain International Students (last editorial amendment 2/4/08)
Rule 50403    Student Health Insurance Requirement
Rule 50501    Liability Insurance for Students
Rule 50601    Student Travel
Rule 50701    Visiting U. T. System Students Program


Series 60000: Development

Rule 60101    Acceptance and Administration of Gifts (last amended 11/13/08)
Rule 60102    Fees for Endowment Administration and Management (last amended 10/12/07)
Rule 60103    Guidelines for Acceptance of Gifts of Real Property
Rule 60201    Administration of Fellowships, Scholarships, and Loan Funds
Rule 60202    Endowed Academic Positions
Rule 60301    Development Board of an Institution (last amended 11/9/07)
Rule 60302    Advisory Councils of an Institution (last amended 8/10/06)
Rule 60304    Internal Nonprofit Corporations
Rule 60305    External Nonprofit Corporations
Rule 60306    Use of University Resources


Series 70000: Investments


Rule 70101    Authority to Accept and Manage Assets
Rule 70201    Investment Policies (last editorial amendment 4/23/08)
Rule 70202    Interest Rate Swap Policy (last amended 8/23/07)
Rule 70301    Matters Relating to Real Property (last editorial amendment 12/5/08)
Rule 70401    Oversight Responsibilities for UTIMCO


Series 80000: Facilities


Rule 80101    Category of Facilities and Authorized Users
Rule 80102    Alcoholic Beverages
Rule 80103    Solicitation (last amended 5/15/08)
Rule 80104    Use of Facilities
Rule 80105    Joint Sponsorship of the Use of Property or Buildings (last editorial amendment 6/4/08)
Rule 80106    Special Use Facilities (last editorial amendment 5/27/08)
Rule 80107    Filming Motion Pictures or Television Productions (last editorial amendment 5/5/08)
Rule 80108    Use of Facilities for Weddings
Rule 80109    Parking and Traffic Regulations (last editorial amendment 3/18/08)
Rule 80110    Protection of Artificial Bodies of Water and Other Property
Rule 80111    Smoke Free Facilities
Rule 80112    Residential Conference Centers
Rule 80201    Disposal of U. T. System Property (last amended 8/11/05)
Rule 80301    Capital Improvement Program (last amendment 5/15/08, effective 7/1/08)
Rule 80302    Building Committees (last amended 11/9/07)
Rule 80303    Use of the Available University Fund (last amendment 8/14/08)
Rule 80305    Debt Policy
Rule 80307    Naming Policy (last amended 8/23/07)
Rule 80308    Inscriptions on Building Plaques
Rule 80401    Prevailing Wage Rates
Rule 80402    Major Construction and Repair and Rehabilitation Projects (last editorial amendment 12/5/08)
Rule 80403    Minor Construction and Repair and Rehabilitation Projects (last editorial amendment 12/5/08)
Rule 80404    Institutional Management of Major Construction and Repair and Rehabilitation Projects (last amendment 5/15/08, effective 7/1/08)
Rule 80501    Utility Easements
Rule 80601    Property and Casualty Insurance and Surety Bonds (last amended 2/10/05)
Rule 80702    Indirect Cost Recoveries
Rule 80801    Flags
Rule 80901    Constitutional and Legislative Restrictions on Capital Improvements




Series 90000: Intellectual Property


               Complete 90000 Series

Rule 90101    Rules for Intellectual Property: Purpose, Scope, Authority (last amended 2/8/07)
Rule 90102    Intellectual Property Rights and Obligations (last amended 2/8/07)
Rule 90103    Equity Interests (last amended 2/8/07)
Rule 90104    Business Participation and Reporting (last amended 2/8/07)
Rule 90105    Execution of Legal Documents Related to Intellectual Property (last amended 2/8/07)
Rule 90106    Income from Intellectual Property


Regents' Rule and Regulation        Series: 20401



1.   Title


     Audit and Compliance

2.   Rule and Regulation

     Sec. 1 Audit.

      The Chancellor, as chief executive officer of the U. T. System, is responsible for
       ensuring the implementation of appropriate audit procedures for the U. T. System.
       Accordingly, the Chief Audit Executive prepares an executive summary of all internal
       audit activity by the U. T. System internal auditors and the institutional internal
       auditors for the Chancellor.

     1.1 Chief Audit Executive. The U. T. System Chief Audit Executive is responsible for
       coordinating the effective auditing of the U. T. System as set out in Section 1.1 (b)
       below. The Chief Audit Executive provides audit assistance to the Chancellor, the
       Executive Vice Chancellors, and the Vice Chancellors in the exercise of their
       responsibilities.

     (a)     The Chief Audit Executive shall be appointed by the Audit, Compliance, and
       Management Review Committee after nomination by the Chancellor. The Chief Audit
       Executive shall hold office without fixed term, subject to the pleasure of the
       Chancellor. The Chancellor's actions regarding the Chief Audit Executive are subject
       to review and approval by the Audit, Compliance, and Management Review
       Committee.

     (b)     The primary responsibilities of the Chief Audit Executive include developing a
       Systemwide internal audit plan based on a Systemwide risk assessment and
       coordinating the implementation of this plan with the institutional internal auditors.
       This Systemwide audit plan is submitted to the Audit, Compliance, and Management
       Review Committee for review and approval after the Chancellor's review and
       approval. Responsibilities of the Chief Audit Executive also include conducting audits
       of the System including the revenue produced from the Permanent University Fund
       lands and formulating policies for the internal audit activity at each institution.

     1.2     The U. T. System internal auditors are the internal auditors for the U. T. System
       and augment the audit work of the institutional internal auditor and the State Auditors
       at the institutions of the U. T. System.

     Sec. 2 Compliance. The Chancellor, as chief executive officer of the U. T. System, is
      responsible for ensuring the implementation of a compliance program for the U. T.
      System. Accordingly, the Systemwide Compliance Officer prepares an executive
      summary of all compliance activity of the institutions, UTIMCO, and System
      Administration.

     2.1 Systemwide Compliance Officer. The Systemwide Compliance Officer is
       responsible, and will be held accountable for, apprising the Chancellor and the Audit,
       Compliance, and Management Review Committee of the institutional compliance
       functions and activities at System Administration, UTIMCO, and at each of the
       institutions as set out in Section 2.1 (b) below. The Systemwide Compliance Officer
       provides institutional compliance assistance to the Chancellor, the Executive Vice
       Chancellors, the Vice Chancellors, and the Chief Compliance Officer of UTIMCO in
       the exercise of their responsibilities.

     (a)     The Systemwide Compliance Officer shall be appointed by the Chancellor. The
       Systemwide Compliance Officer is the senior compliance official of the U. T. System;
       provides assistance and advice covering all institution, UTIMCO, and System
       Administration compliance programs; and shall hold office without fixed term, subject
       to the pleasure of the Chancellor.

     (b)     The primary responsibilities of the Systemwide Compliance Officer include
       developing an infrastructure for the effective operation of the U. T. System
       Institutional Compliance Program; chairing the Systemwide Compliance Committee
       and the Compliance Officers Council; and prescribing the format for the annual risk
       based compliance plan and the quarterly compliance status reports to be submitted by
       each institution, UTIMCO, and System Administration.

3.   Definitions

     None

4.   Relevant Federal and State Statutes

     None

5.   Relevant System Policies, Procedures, and Forms

     None

6.   Who Should Know

     Administrators
     Internal Audit

7.   System Administration Office(s) Responsible for Rule

     Audit Office

8.   Dates Approved or Amended

     Editorial amendments made March 17, 2008
     December 10, 2004

9.   Contact Information

     Questions or comments regarding this rule should be directed to:

           bor@utsystem.edu


University of Texas System Policy Library Home

The University of Texas System Policy Library is the official repository of all current
system-wide and System Administration internal policies. In addition to a keyword search
and full-text search, we have provided five other ways to browse our collection of
policies: subject index, alphabetical index, policy number index, office index, and
keyword index.

There are two categories of policy numbers. One group of policies affects the entire UT
System and System Administration, and this group of policies is preceded by the letters
UTS in front of the policy number. The other set of policies applies to UT System
Administration internally, and this set of policies is preceded by the letters INT.



UT System Administration Policy Library – Policy UTS129

Internal Audit Activities

Responsible Officer: General Counsel to the Board of Regents

Sponsoring Office: System Audit Office

Effective Date: February 16, 2004

Last Reviewed: February 18, 2009

Next Scheduled Review: August 1, 2011

POLICY STATEMENT

The purpose of an internal auditing program is to assist the Board of Regents and
institution administrators to accomplish System objectives by bringing a systematic and
disciplined approach to evaluate and improve the effectiveness of risk management,
control and governance processes. Internal auditing is recognized as a highly regarded
professional management support and control activity by the Texas Internal Auditing Act
(Chapter 2102, Government Code) and by the Board of Regents' Rules and Regulations,
Rules 10402 and 20401.

RATIONALE

The guidelines contained in this UTS establish a System-wide program to furnish
independent analyses, appraisals and recommendations about the adequacy and
effectiveness of the System’s internal control policies and procedures and the quality of
performance in carrying out assigned responsibilities.

SCOPE

All institutions and UT System Administration

WEBSITE ADDRESS FOR THIS POLICY

http://www.utsystem.edu/policy/policies/uts129.html

RELATED STATUTES, POLICIES, REQUIREMENTS OR STANDARDS

UT System Administration Policies & Standards

Other Statutes, Policies & Standards

UTS 129 Internal Audit Activities

Board of Regents’ Rules and Regulations, Rule 10201

Board of Regents’ Rules and Regulations, Rule 10402

Board of Regents’ Rules and Regulations, Rule 20402

Texas Government Code, Chapter 2102

Institute of Internal Auditors, Standards for the Professional Practice of Internal Auditing

Institute of Internal Auditors, Code of Ethics

Government Accountability Office, Generally Accepted Government Auditing Standards

RESPONSIBILITIES

Audit, Compliance and Management Review Committee of the Board of Regents

Performs duties outlined in the Board of Regents’ Rules and Regulations, Rule 10402,
Section 1.6.

Appoints the System Chief Audit Executive.

General Counsel of the Board of Regents

Supervises the System Audit Office as described in the Board of Regents’ Rules and
Regulations, Rule 10201, Section 3.

System Administration Internal Audit Committee

Approves, maintains, and adheres to the audit committee charter.

Approves, maintains, and oversees an internal audit charter of the System Audit Office
modeled after the System-wide charter.

Chancellor

Nominates the System Chief Audit Executive.

Chairs the System Administration Audit Committee (or designates a chair) and ensures the
audit committee adheres to the audit committee charter.

Selects outside members of the System Administration Audit Committee.

System Audit Office

Directed by System Chief Audit Executive who reports functionally to the Audit,
Compliance, and Management Review Committee (ACMR) of the Board of Regents and
administratively to the General Counsel of the Board of Regents.

The System Chief Audit Executive provides ACMR and the System Administration
Internal Audit Committee with a written summary of System audit activity on a quarterly
basis.

Fulfills the audit function for System Administration, provides temporary staffing to
institutions when a shortage occurs, and provides oversight and coordination of the
System-wide internal audit function.

Oversees System-wide audits requested by the ACMR including establishing the audit
program, providing guidance and direction on executing the program, reviewing the work
performed, reporting results to ACMR, and evaluating the performance of the internal
auditors.

The System Audit Office will perform an audit of the institutional Presidents’ offices on a
rotating five year basis.

Institutional Internal Audit Committee

Approves, maintains, and adheres to an audit committee charter.

Approves, maintains, and oversees the internal audit charter of the Internal Auditor
modeled after the System-wide internal audit charter.



UT System President

Chairs the Institutional Internal Audit Committee (or designates a chair) and ensures that
the Institutional Internal Audit Committee adheres to the audit committee charter.

Selects and recommends outside members of the Institutional Internal Audit Committee
for approval by the appropriate Executive Vice Chancellor and System Chief Audit
Executive.

Internal Auditor

Reports functionally to the institution President and to the Institutional Internal Audit
Committee. May report administratively to another senior executive.

Provides an executive summary of the significant issues discussed at the Internal Audit
Committee meetings to their respective Executive Vice Chancellor (i.e. Academic Affairs
or Health Affairs).

Has an indirect reporting relationship to the System Chief Audit Executive who is
responsible for the oversight and coordination of the System-wide internal audit activity.
May have a direct reporting relationship to the System Chief Audit Executive for System-
wide audits requested by ACMR.

Addresses audit reports to the Institutional Internal Audit Committee by means of an
executive summary and/or full report.

Forwards audit report to the appropriate Executive Vice Chancellor, System Chief Audit
Executive, and appropriate state agencies.

Internal Audit Council

Facilitates communication and the sharing of ideas, audit plans, and programs among the
institutions' internal auditors.

PROCEDURES

A System-wide internal audit charter (Exhibit A) has been developed as recommended in
the Standards for the Professional Practice of Internal Auditing. Each institution and
System Administration should also have an audit charter modeled after the System-wide
charter and approved by the Institutional Internal Audit Committee or System
Administration Internal Audit Committee. The institutional internal audit charter should
be distributed in the same manner as all institutional-wide policies or procedures. In the
charter, the singular term "Internal Auditor" refers to the entire internal audit department
or staff.

Responsibilities and relationships of UT System management, the institutions, and
committees are described in The UT System Internal Audit Reporting Structure (Exhibit
D). The relationship with the institutional compliance function is described in Exhibit E.

UTS 129 Internal Audit Activities

The audit report format recommended by the System Audit Office is included as Exhibit
B. All audit reports should be addressed to the President and/or the Institutional Internal
Audit Committee by means of an executive summary. After the President and/or the
Institutional Internal Audit Committee have reviewed/approved the report, the executive
summary and the audit report should be forwarded to the appropriate Executive Vice
Chancellor, System Audit Office, and appropriate state agencies.

The System Audit Office will provide the ACMR and the System Administration Internal
Audit Committee with a written summary of all audit activity on a quarterly basis.

The guidance for the staffing level for internal auditors based upon total expenditures is
attached as Exhibit C. Section 2102.006(b) of the Texas Internal Auditing Act sets
qualifications for the Director of Internal Audit as one "who shall be either a certified
public accountant or a certified internal auditor and who shall have at least three years of
auditing experience."

The Standards for the Professional Practice of Internal Auditing, which must be followed
under the Texas Internal Auditing Act, require the appointment of a chief audit executive.
The Chancellor recommends and the ACMR appoints the System Chief Audit Executive.

The UT System Audit Office may, in consultation with the institutional President or
designee, temporarily provide direct audit assistance to an institution when one or more of
the following circumstances exist:

no institutional internal audit staff is available;

a temporary or ongoing institutional audit staff shortage exists in accordance with
commonly defined audit needs; or

occasional or unusual auditing is required beyond local institutional capacity.

Funding for such audit assistance is normally an institutional responsibility but payment
for such temporary assistance will be determined on a case-by-case basis dependent on the
budget or audit circumstances requiring the assistance.

When audit assistance is provided to an institution, the auditor(s) will report to the
institution President, unless audit circumstances dictate otherwise.

The Internal Audit Council facilitates communication and the sharing of ideas, audit plans,
and programs among the institutions' internal auditors. The System Chief Audit Executive
is chairman of this Council, and membership is composed of the internal auditor directors
from each of the institutions. The Council meets from time to time as circumstances
require, and all members are expected to attend. The members may invite their assistant
directors, managers, supervisors, and staff to attend from time to time.

FORMS AND TOOLS/ONLINE PROCESSES

(Exhibit A) System-wide Internal Audit Charter
(Exhibit B) Standard Audit Report Format
(Exhibit C) Internal Audit Staffing Level
(Exhibit D) Reporting Structure
(Exhibit E) Internal Audit's Relationship to the Institutional Compliance Function



UT System Administration Policy Library – Policy UTS118

Statement of Operating Policy Pertaining to Dishonest or Fraudulent
Activities
Responsible Officer: Executive Vice Chancellor for Business Affairs

Sponsoring Office: System Audit Office

Effective Date: February 4, 2002

Last Reviewed: April 2, 2009

Next Scheduled Review: April 3, 2009

UTS 118 Statement of Operating Policy Pertaining to Dishonest or Fraudulent
Activities

POLICY STATEMENT

Each institution has established reporting structures and responsibilities within their
institution. The purpose of this statement is to establish System policy regarding
internal investigations of suspected defalcation, misappropriation and other fiscal
irregularities which is supplemental to the internal administrative policies established
at each institution.

RATIONALE

Good business practice dictates that every suspected defalcation, misappropriation and
other fiscal irregularity be promptly identified and investigated.

RESPONSIBILITIES

Management

Establishes and maintains a system of internal control that provides
reasonable assurance that improprieties are prevented and detected. Supports the
System's fiduciary responsibilities and cooperates with law enforcement agencies in
the detection, investigation, and reporting of criminal acts, including prosecution of
offenders.

Office of Internal Audit

Supervises all audits of allegations of defalcation,
misappropriation and other fiscal irregularities. Coordinates assistance provided to
state, federal, and local law enforcement agencies. Assists the University Police in
investigations of suspected defalcation, misappropriation and other fiscal irregularities
that require accounting and auditing knowledge of System records. Keeps its
workpapers secure and limits access to only those individuals designated by the
Director of Internal Audit. Receives relevant information on a confidential basis,
subject to the provisions of the Texas Public Information Act. Reviews each
investigation to determine if additional work needs to be done in order to provide the
Audit Committee and management with a basis for taking any corrective action
necessary.

Director of Internal Audit

When appropriate, notifies the Chief Administrative Officer
or his or her designee when an audit involves allegations or reveals suspected criminal
activity which may constitute a felony offense. Consults with the Office of General
Counsel or institution legal advisors about all requests for information and assistance
related to investigations conducted by auditors of federal and state agencies.

Chief Administrative Officer

Notifies the appropriate Executive Vice Chancellor of
criminal activity, as appropriate.

University Police

Makes the Director of Police aware of all felony fraud
investigations and keeps him or her up to date. Coordinates criminal investigation once
probable criminal activity has been detected.

Chief Business Officer

Notifies the Executive Vice Chancellor of Business Affairs as
soon as it is known that a loss has occurred for approval of all insurance and fidelity
bond claims.

Institution Legal Advisors

Coordinates assistance provided to state, federal, and local
law enforcement agencies.

Office of General Counsel

Coordinates assistance provided to state, federal, and local
law enforcement agencies.

Reporting Individual

Avoids incorrect accusations, avoids alerting suspected
individuals that an audit is underway, and avoids making statements that could provide a
basis for a suit for false accusation or other offenses.

PROCEDURES

1. General

1.1 The terms defalcation, misappropriation, and other fiscal irregularities include but
are not limited to any:

a) Dishonest, illegal, or fraudulent act involving System property;

b) Forgery or alteration of checks, drafts, promissory notes, and securities;

c) Forgery or alteration of employee benefit or salary related items such as time cards,
billings, claims, surrenders, assignments, or changes in beneficiary;

d) Forgery or alteration of medical related items such as reports, charts, prescriptions,
x-rays, billings, or claims;

e) Forgery or alteration by employees, of student related items such as grades,
transcripts, loans, or fee or tuition documents;

f) Misappropriation of funds, securities, supplies, or any other asset;

g) Illegal or fraudulent handling or reporting of money transactions;

h) Acceptance or solicitation of any gift, favor, or service that might reasonably tend to
influence the employee in the discharge of his or her official duties; or

i) Destruction or disappearance of records, furniture, fixtures, or equipment where theft
is suspected.

1.2 Allegations involving scientific misconduct will be handled in accordance with the
controlling institutional policies based upon the OGC Model Policy entitled
"Procedure for Dealing with Allegations of Misconduct in Science".

1.3 Management
shall establish and maintain a system of internal control that provides reasonable
assurance that improprieties are prevented and detected. Each manager must be
familiar with the types of improprieties that might occur in his or her area and be alert
for any indication that such a defalcation, misappropriation or other fiscal irregularity
has occurred.

1.4 Management must support the System's fiduciary responsibilities and
must cooperate with law enforcement agencies in the detection, investigation, and
reporting of criminal acts, including prosecution of offenders. Every effort should be
made to recover System losses.

1.5 The Office of Internal Audit must supervise all audits of allegations of defalcation,
misappropriation, and other fiscal irregularities. When an audit reveals suspected
criminal activity, or an audit is initiated due to an allegation of criminal activity, the University
Police must be notified immediately.

1.6 When an audit involves allegations or reveals
suspected criminal activity which may constitute a felony offense, the Director of
Internal Audit shall, when appropriate, immediately notify the Chief Administrative
Officer, or his or her designee, and then notification must be given to the System
Director of Audits. The Director of Internal Audit shall consult with institution legal
advisors or the Office of General Counsel, and the Office of General Counsel must be
kept informed regarding the progress of the audit.

1.7 The Chief Administrative
Officer shall notify the appropriate Executive Vice Chancellor of criminal activity, as
appropriate.

1.8 The Director of Police must be made aware of all felony fraud
investigations, and must be kept current by University Police of the progress of
investigations conducted by institution police departments.

1.9 In accordance with the
Board of Regents' Rules and Regulations, Rule 80601, the appropriate Chief Business
Officer will notify the Executive Vice Chancellor of Business Affairs as soon as it is
known that a loss has occurred for approval of all insurance and fidelity bond claims.

1.10 The Office of Internal Audit, University Police, institution legal advisors, and the
Office of General Counsel must coordinate assistance provided to state, federal, and
local law enforcement agencies. All requests for information or assistance from such
agencies that are received by other areas shall be immediately forwarded to the
University Police for determination and handling. All reasonable assistance must be
given to law enforcement agencies when requested.

1.11 All requests for information
and assistance related to investigations conducted by auditors of federal and state
agencies that are concerned with potential dishonest or fraudulent activities within the
System, shall also be forwarded immediately to the Director of Internal Audit who
shall consult with the Office of General Counsel, or with institution legal advisors who
shall notify the Office of General Counsel.

1.12 In order to avoid the use of
investigatory techniques that might prevent evidence from being used in a criminal
prosecution, University Police must coordinate the criminal investigation once
probable criminal activity has been detected. The Office of Internal Audit shall assist
the University Police in investigations of suspected defalcation, misappropriation, and
other fiscal irregularities that require accounting and auditing knowledge of System
records.

1.13 The Office of Internal Audit must keep its workpapers secure and limit
access to only those individuals designated by the Director of Internal Audit.

1.14 The Office of Internal Audit must be available and receptive to receiving relevant
information on a confidential basis, subject to the provisions of the Texas Public
Information Act. Employees and students may directly contact the Director of Internal
Audit, the Compliance Officer, the University Police, or executive management
whenever an activity is suspected to be dishonest or fraudulent. The reporting
individual should not attempt to personally conduct investigations or
interviews/interrogations in order to determine whether or not a suspected activity is
improper.

1.15 In order to avoid damaging the reputations of innocent persons initially
suspected of wrongful conduct, and to protect the System from potential civil liability,
the results of audits or investigations may not be disclosed or discussed with anyone
other than authorized representatives of law enforcement or regulatory agencies and
only those persons associated with the System who have a legitimate need to know
such results in order to perform their duties and responsibilities, subject to the
provisions of the Texas Public Information Act.

2. Audits/Investigations

2.1 Audits
revealing violations of the Penal Code for which an audit report will be issued should
be reduced to final report form only after consultation by University Police with the
local prosecutor or the Office of General Counsel to ensure that appropriate
documentation of the facts has been achieved in order to permit appropriate personnel
action, protect innocent persons, support appropriate civil or criminal actions,
document claims made pursuant to applicable fidelity bonds, preserve the integrity of
the criminal investigation and prosecution, and avoid unnecessary litigation.

2.2 Great
care must be taken in the investigation of suspected improprieties or irregularities so as
to avoid incorrect accusations or alerting suspected individuals that an audit is
underway and also to avoid making statements which could provide a basis for a suit
for false accusation or other offenses. Accordingly, the reporting individual should not:

2.3 Contact the suspected individual to determine facts or demand restitution; or

2.4 Discuss any facts, suspicions, or allegations associated with the case with anyone,
unless specifically directed to do so by the Office of Internal Audit, Compliance
Office, University Police, institution legal advisors, or the Office of General Counsel.

2.5 All inquiries from the suspected individual or his or her representative or attorney
shall be directed to institution legal advisors or the Office of General Counsel. Proper
response to such an inquiry should be, "I'm not at liberty to discuss this matter." Under
no circumstances should there be any reference to "what you did," "the crime," "the
fraud," "the forgery," "the misappropriation," or similar references.

2.6 All reproduction of documents, evidence and reports shall be performed within the
secured work area of the Office of Internal Audit or University Police.

2.7 To the
extent permitted by the applicable provisions of the Texas Public Information Act,
confidentiality of those reporting dishonest or fraudulent activities will be maintained.
However, the confidentiality cannot be maintained if that individual is required to
serve as a witness in legal proceedings.

2.8 When an audit initiated due to an allegation
of criminal activity has failed to detect criminal activity or when advised by the Office
of General Counsel, the Director of Internal Audit has the discretion to stop the audit.
However, with regard to criminal investigations conducted by University Police, only
the Office of the District Attorney is authorized to review the progress of the criminal
investigation and make the legal determination regarding whether to pursue a criminal
prosecution.

3. Operational Audit Findings

3.1 Each investigation of possible dishonest or fraudulent activities has the potential to
provide a unique insight into specific activities conducted by the System and may
disclose control weaknesses and other areas that need additional auditing or
management's attention.

3.2 The Office of Internal Audit must review each investigation to determine if
additional work needs to be done in order to provide the Audit Committee and
management with a basis for taking any corrective action necessary.


                          The State Auditor's Office
The State Auditor's Office (SAO) is the independent auditor for Texas state government.
The SAO operates with oversight from the Legislative Audit Committee, a six-member
permanent standing committee of the Texas Legislature, jointly chaired by the Lieutenant
Governor and the Speaker of the House of Representatives.

The SAO is authorized, by Chapter 321, Texas Government Code, to perform audits,
reviews, and investigations of any entity receiving state funds, including state agencies
and higher education institutions. Audits are performed in accordance with generally
accepted government auditing standards, which include standards issued by the American
Institute of Certified Public Accountants.

Types of audits the SAO performs include financial statement opinion audits, financial
audits, compliance audits, economy and efficiency audits, effectiveness audits, and other
special audits. The SAO may also perform reviews, which are less rigorous than audits
and do not follow auditing standards, but provide a certain degree of assurance to
decision makers. Investigations are performed whenever there is evidence of fraud or
abuse of state resources.

Other SAO responsibilities include managing the State Classification Plan and providing
support to state agency and higher education human resource offices, which is performed
by the State Classification Team. In addition, the SAO coordinates and provides
continuing educational opportunities for audit and accounting professionals.

The work and activities performed by the SAO are included in an annual audit plan,
approved by the Legislative Audit Committee. This includes mandatory work, required
by state statute, or discretionary work which is determined through an ongoing risk
assessment process.


Legislative Audit Committee

State Auditor: John Keel, CPA

General Counsel and Risk Manager: Anita D'Souza
Assistant State Auditor: Michael C. Apperley, CPA
Assistant State Auditor: Lisa R. Collier, CPA
Assistant State Auditor: Sandra Vice, CIA, CGAP, CISA

Audits and Reviews

Audit Managers:
Michael Apperley, Assistant State Auditor
Lisa R. Collier, Assistant State Auditor
Sandra Vice, Assistant State Auditor
Kelly Linder, Federal Funds Audit Manager
Babette Laibovitz, Audit Manager, RAT
Ralph McClendon, Audit Manager, ISAT
Worth Ferguson, Audit Manager, QCT
Verma Elliott, Audit Manager
Nicole Guerrero, Audit Manager
Angelica Martinez, Audit Manager
John Young, Audit Manager

Audit Research and Legislative Coordination: Daniel Wattles, Manager
Information Systems Audit Team: Ralph McClendon, Audit Manager
Quality Control Team/Reporting Team: Worth Ferguson, Audit Manager
Risk Assessment Team and Internal Audit Coordination: Babette Laibovitz, Audit Manager
State Classification Team: Nicole Guerrero, Audit Manager
Special Investigations Unit: Pamela Munn, Audit Manager

Administration

Business Services: Michael Apperley
Human Resources: Barry Holcomb, Senior HR Specialist
Information Systems Support / User Network Services: Sandra Vice
Professional Development: Jo Dale Guzman, Manager
Project Manager: Cody Smith
Ombudsman: Courtney Ambres-Wade

           University of Texas Permian Basin
                Internal Audit Manual




             SECTION G
(Coordination with State Auditors Office)

				