04.A.02 – Audits and the Internal Auditing Department (IAD)

Section: Audit Function

Area: Audits

PDF version

1. PURPOSE

The Texas Internal Auditing Act, Texas Government Code, Section 2102 , requires each state agency that receives an appropriation to establish a program of internal auditing. Board of Regents Policy 41.01 provides for the implementation of the internal audit function within the University of Houston System (UHS). The purpose of this document is to define the objectives and baseline operation of the UHS Internal Auditing Department (IAD).

2. GENERAL

2.1. Philosophy: UHS IAD performs those audit activities necessary to ensure resources are being properly managed and accounted for and UHS complies with applicable policies, regulations, and law. IAD audits enable the UHS to assess the effectiveness and efficiency with which applicable policies, regulations and law are followed, objectives are met, and control systems function.

IAD is an independent, objective assurance and consulting activity designed to add value and improve the UHS operations. IAD brings a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes, including contract monitoring and oversight.

IAD will be free of all operational and management responsibilities that would impair its ability to independently review the UHS entities. Members of the IAD will have full, free, and unfettered access to all UHS activities, records, property, and personnel. IAD, at the Chief Audit Executive's discretion, may also request access to records of affiliated organizations. All UHS personnel are required to fully cooperate with members of IAD in carrying out their duties.

Failure to cooperate with or intentionally misleading the members of IAD may result in disciplinary action, up to and including termination of employment.

Audit observations, results, and recommendations will be filtered through the lens of risk mitigation to achieve the audited organization's strategic objectives.

2.2. Organizational Responsibility: The Chief Audit Executive (CAE) will report directly to the Chair of the Audit and Compliance Committee of the Board of Regents (BOR) and have access to the Chancellor. IAD will perform its duties in accordance with the International Professional Practices framework (IPPF), the Code of Professional Ethics contained in the IPPF as promulgated by the Institute of Internal Auditors (IIA), and Generally Accepted Government Auditing Standards (GAGAS).

2.3. The Internal Auditing Process: Prior to Fiscal Year (FY) Q1, the CAE will present to the Audit and Compliance Committee a next FY (annual) audit plan for the BOR's review and approval. In addition to the audits included in the plan, at a minimum, will be a summary of the resources dedicated to the IAD to assist the BOR in determining if adequate resources exist to provide reasonable assurance that identified risks in the annual risk assessment are adequately assessed. The plan will include testing of contract administration and monitoring. The CAE will meet with the Chancellor and the Chair of the Audit Committee (separately or together) on a regular basis (minimum quarterly) to review changes to the audit plan, audits performed, audit and advisory services in progress, and future efforts.

3. OBJECTIVES

The IAD evaluates and contributes to the improvement of UHS's Enterprise Risk Management (ERM), control, and governance systems through the following objectives:

3.1. Risk Management: IAD will assist UHS by identifying and evaluating exposures to risk and contributing to the improvement of ERM, control systems, and other risk issues as necessary.

3.2. Control: IAD will evaluate control, governance, and compliance systems and report those evaluations to executive management for mitigation of risk exposure.

3.3. Governance: IAD will evaluate and improve the governance process(es) through which strategic goals are attained and accountability of resources is assured.

3.4. IAD will conduct assessments of, including but not limited to, the following:

3.4.1. Reliability and integrity of financial and operational information;

3.4.2. Effectiveness and efficiency of operations to include information systems and cybersecurity;

3.4.3. Existence of assets and safeguarding controls; and

3.4.4. Compliance with laws, regulations, policies, and contracts.

3.5. IAD will coordinate efforts, when necessary, with the State Auditor's Office and other external audit stakeholders.

3.6. IAD will perform advisory services, including investigating reports of suspected fraud, misfeasance, malfeasance, misappropriation, misdirection, asset shrinkage, fiscal irregularity, and various other forms of loss.

4. METHOD OF OPERATION

4.1. IAD annually will consult key risk stakeholders for input to the audit plan and risk analysis.

4.2. The CAE will notify the appropriate stakeholder(s) and contact the auditee involved to establish appropriate timelines for audit activities. In sensitive activities, notification to the auditee may be limited.

4.3. IPPF and GAGAS require IAD to prepare work papers to document audits. These work papers, including audit report drafts, are not considered public information under Texas Government Code, Section 552.116 .

5. REPORT OF AUDIT OBSERVATIONS

5.1. The audit observations and associated issues will be discussed with the auditee and the executive stakeholder prior to the final audit report.

5.2. The CAE will inform the Chancellor and the Chair of the Audit and Compliance Committee on matters leaving the operational responsibility of the UHS. The CAE must comply with the provisions of SAM 01.C.04, Reporting/Investigating Fraudulent Acts .

5.3. When audit fieldwork has been completed and fieldwork issues have been resolved by the CAE, a Management Action and Discussion Memo (MADM) will be submitted for discussion to the management stakeholder. Responses regarding observations/issues/recommendations will be addressed before the issuance of the final report.

5.4. A report to BOR on the audit will be developed. That report will be considered the "Audit Report," as defined under GAGAS and the IPPF, and in accordance with Texas law will be sent to the State Auditor's Office. Audit reports will be distributed to the campus stakeholders at the discretion of the CAE and as required by the Texas Government Code, Section 2102 .

5.5. Reports on advisory services that contain recommendations will be distributed at the discretion of the CAE and in accordance with Texas law.

Issued: 10/26/1993
Last Reviewed/Revised: 02/15/2024
Responsible Office(s): Internal Audit