The Office of Audits and Analysis performs a variety of work, including:
Assurance Services (Audits) - An audit is the objective assessment of evidence to provide an independent opinion or conclusion. The nature and scope of any audit engagement are determined by the audit department. Scope is not limited to accuracy of data and compliance with rules, but includes adequacy of controls, efficiency, reliability, safeguarding of assets, and consideration of any matters which may adversely impact the institution in pursuit of its objectives.
Each quarter, we follow-up on all identified issues to ascertain and report to the Board of Regents on whether management has taken appropriate remedial action on internal and external audit findings and recommendations.
Consulting Services - Consulting services are advisory in nature and are generally performed at the specific request of management—the objectives and types of work performed will be collaboratively determined with management. Examples include:
o Reviewing client-prepared responses to external audit reports;
o Training on fraud prevention, internal controls, and risk assessment processes;
o Analyzing client or third-party prepared data; and
o Scribing client-facilitated risk assessment exercises.
Fraud Reviews - Such reviews are undertaken whenever complaints are received or there are any indicators of fraud.
Emergency Appropriations - In the event a Component receives emergency appropriations from the State, the receipt, disbursement, and reporting of such appropriations will be subject to review by the System Director and Component Director.
An Annual Audit Plan is prepared each summer for the following fiscal year. As required by statute, this plan is based upon an assessment of risk, which is performed by the Office of Audits and Analysis in the period preceding plan development.
Typically, the risk assessment process includes interviewing managers to develop a “baseline” of information about activities, objectives, risks, and mitigating controls. This process takes about 30 minutes. In some years, managers will be asked merely to update the information with any changes. This assessment is NOT an audit. Rather, it collects information to enable the Office of Audits and Analysis to determine where it can best expend its resources.
This Risk Assessment, supplemented by information from management and the Board of Regents, is used by the Office of Audits and Analysis to develop the Annual Audit Plan, which is submitted to the Board of Regents for their approval at the August Board meeting.
Changes to the plan, however, are often required to adapt to changing circumstances and unidentified risks.
An Internal Audit Annual Report is prepared in accordance with the Texas Internal Auditing Act (TIAA). The TIAA requires certain state agencies and higher education institutions to submit an internal audit annual report each year by November 1st to the Governor, the Legislative Budget Board, the Sunset Advisory Commission, the State Auditor’s Office (SAO), and the entity’s governing board and chief executive.
In 2013, House Bill 16 became law and amended Chapter 2102 of the Texas Government Code to require state agencies, including institutions of higher education, to post on the agency’s Internet website the internal audit annual report. A state agency is not required to post information contained in the agency’s internal audit plan or annual report if the information is excepted from public disclosure under Chapter 552 of the Texas Government Code.
The audit process includes the following steps:
Scheduling - Whenever appropriate, the timing of an audit is discussed and agreed with management.
Engagement Letter - The engagement letter serves to notify management of a impending audit/consulting services engagement. Notification occurs via email, and usually includes a request for preliminary documentation needed for the review, such as written policies, procedures and flowcharts, etc. Depending on the nature of the audit work, some staff impacted may receive little or no advance notice.
Entrance Conference - An entrance conference may be scheduled with the department to discuss the purpose and scope of the audit. This may be accomplished via telephone or e-mail if the auditee so desires. We encourage auditees to discuss any concerns or questions they have about the audit and will solicit input regarding issues management would like us to include in the review.
Field Work - As much as practical, we will review documentation in our office; however, we may also need to work on-site to access necessary records and information. We will frequently conduct interviews and complete questionnaires with departmental personnel to gain a better understanding of operations and procedures. We realize each person's time is valuable, so we attempt to arrange meetings in advance and to work around scheduling conflicts. Please note that TSUS Rules and Regulations provide that “auditors shall have full, free, and unrestricted access to all activities, records, property, infrastructure, and personnel.” The Rules further stipulate that documents and information we obtain during any review are to be safeguarded and handled in a professionally responsible and confidential manner in accordance with Texas Law.
Draft Audit Report - Throughout the review, potential issues and recommendations will be discussed with departmental management. After completion of our work, we will draft a report and present it to departmental management for review and commentary. We encourage open communication and the sharing of information with employees familiar with the details to ensure that issues noted in draft reports are accurate, fairly presented, and complete. There may be several iterations of draft reports, particularly if new, relevant information becomes available or circumstances change significantly during the drafting stages. Ultimately, we will request a response from management for each of the recommendations contained in the draft report. Per the TSUS Rules and Regulations, management’s responses must include a corrective action plan, those responsible for implementing the corrective actions, and an estimated timetable for completion. When the audit report has been developed at the institutional level, a copy is emailed to the Texas State University System Director of Audits and Analysis for review. Any further revisions are cleared with the auditee prior to release of the final report.
Exit Conference - A formal exit conference may be held at the option of the auditee. Sometimes, this process can be completed on an informal basis via e-mail, telephone or other forms of communication.
Report Distribution - Final audit reports are addressed to the President, with copies distributed to appropriate Component management, the Chancellor and other System Office executives, the Board of Regents, and state officials.
All TSUS components are required to provide a quarterly report to the Board of Regents about their progress resolving open issues. This information is included in the Board Book provided to Board members for each quarterly meeting. The Audit Director will send a list of all open issues to management each quarter and will perform brief audit procedures to verify the status provided. The Audit Director will coordinate these reports and communicate the necessary timetable. Managers are urged to respond promptly in order to ensure timely information is provided to the Board.
The Office of Audits and Analysis performs investigations into allegations of waste or abuse received via the System’s fraud reporting hotline, EthicsPoint, as well as allegations received through the State Auditor’s Office, and/or other sources.
Due to the special nature of investigations, management is informed about their nature and our related activities on a strictly “need to know” basis. All employees are required to provide information requested by auditors performing such investigations and must maintain confidentiality as requested by the auditor. In addition, we may require employees interviewed to sign attestations regarding the testimony provided and a confidentiality form.
The following is an excerpt from the TSUS Rules & Regulations:
Fraud Reviews. The Board of Regents has established an Anti- Fraud Policy in Chapter VIII, Paragraph 1 of these Rules and Regulations. The Director of Audits and Analysis will make every reasonable and lawful effort to protect the rights and the reputations of those involved in an internal audit review involving allegations of fraud, including the employee/complainant who reports alleged fraud; the individual(s) interviewed during the resultant review; and the individual(s)/entity(ies) against whom the allegations were made. The Director of Audits and Analysis is charged with responsibility for coordinating review activities as necessary with component Internal Audit Directors, component police departments, the Office of Vice Chancellor and General Counsel, human resources office(s), and appropriate external law enforcement and other oversight agencies.
Fraud review results are not routinely disclosed or discussed with anyone other than those who have a legitimate need to know. In the event that a review substantiates fraudulent activities, the Director or his/her designee will prepare and distribute a report in accordance with Paragraph 7.93 of this Chapter. The Director will communicate substantiated fraud committed by System employees to the State Auditor’s Office in accordance with Texas Government Code §321.022.
The Director, Office of Audits and Analysis, maintains an overview of all audit activities at the institution. The Director interfaces with outside agencies, such as the State Auditor’s Office. He/she should be kept informed about all audit activities on campus and should be provided with copies of all audit reports.
In the event that agencies, such as the State Auditor’s Office, notify component management about upcoming audits or send draft or final audit reports to components, recipients are requested to provide copies to the local Audit Director, unless the agency has already included the director on the copy list.
Consulting services are advisory in nature and are generally performed at the specific request of management—the objectives and types of work performed will be collaboratively determined with management. Examples include:
• Reviewing client-prepared responses to external audit reports;
• Training on fraud prevention, internal controls, and risk assessment processes;
• Analyzing client or third-party prepared data; and
• Scribing client-facilitated risk assessment exercises.
The way in which such services are performed is generally agreed with management before work starts, although the process often follows that described elsewhere on this website for Audits.
In an effort to continually improve our service to management and to the Components, we may also request completion of a customer satisfaction survey upon completion of consulting services engagements.