Welcome to the webpage for the Office of Internal Audit – Sul Ross State University component. Our mission is to provide the Texas State University System (TSUS) Board of Regents, the Chancellor, the System Office, and institutional management with independent, objective evaluations regarding risk management, internal controls, and governance processes. Our Office assists all levels of management in achieving goals and objectives, identifying and addressing risks, continuously improving processes and operations, and ensuring compliance with applicable laws and regulations.

We are a unit of the System Office of Internal Audit in Austin, Texas, which reports directly to the Finance & Audit Committee of the TSUS Board of Regents.

The TSUS Rules and Regulations describe the responsibilities of the audit function, which include:

• Developing a risk-based annual audit plan
• Executing audits
• Reporting on open audit issues to the Board of Regents
• Investigating allegations
• Liaising with external audit entities

Professional Standards

The work performed by our Office is governed by the following:

The Office of Internal Audit performs a variety of work, including:

An audit is the objective assessment of evidence to provide an independent opinion or conclusion. The nature and scope of any audit engagement are determined by the audit department. Scope is not limited to accuracy of data and compliance with rules, but includes adequacy of controls, efficiency, reliability, safeguarding of assets, and consideration of any matters which may adversely impact the institution in pursuit of its objectives.

Each quarter, we follow-up on all identified issues to ascertain and report to the Board of Regents on whether management has taken appropriate remedial action on internal and external audit findings and recommendations.

Consulting services are advisory in nature and are generally performed at the specific request of management—the objectives and types of work performed will be collaboratively determined with management. Examples include:

  •  Reviewing client-prepared responses to external audit reports;
  •  Training on fraud prevention, internal controls, and risk assessment processes;
  •  Analyzing client or third-party prepared data; and
  •  Scribing client-facilitated risk assessment exercises.

The way in which such services are performed is generally agreed with management before work starts, although the process often follows that described elsewhere on this website for Audits.

In an effort to continually improve our service to management and to the Components, we may also request completion of a customer satisfaction survey upon completion of consulting services engagements.

Such reviews are undertaken whenever complaints are received or there are any indicators of fraud.

In the event a Component receives emergency appropriations from the State, the receipt, disbursement, and reporting of such appropriations will be subject to review by the System Director and Component Director.

An Annual Audit Plan is prepared each summer for the following fiscal year. As required by statute, this plan is based upon an assessment of risk, which is performed by the Office of Internal Audit in the period preceding plan development.

Typically, the risk assessment process includes interviewing managers to develop a “baseline” of information about activities, objectives, risks, and mitigating controls. This process takes about 30 minutes. In some years, managers will be asked merely to update the information with any changes. This assessment is NOT an audit. Rather, it collects information to enable the Office of Internal Audit to determine where it can best expend its resources.

This Risk Assessment, supplemented by information from management and the Board of Regents, is used by the Office of Internal Audit to develop the Annual Audit Plan, which is submitted to the Board of Regents for their approval at the August Board meeting.

Changes to the plan, however, are often required to adapt to changing circumstances and unidentified risks.

TSUS Audit and Compliance Plan Fiscal Year 2023

An Internal Audit Annual Report is prepared in accordance with the Texas Internal Auditing Act (TIAA). The TIAA requires certain state agencies and higher education institutions to submit an internal audit annual report each year by November 1st to the Governor, the Legislative Budget Board, the Sunset Advisory Commission, the State Auditor’s Office (SAO), and the entity’s governing board and chief executive.

In 2013, House Bill 16 became law and amended Chapter 2102 of the Texas Government Code to require state agencies, including institutions of higher education, to post on the agency’s Internet website the internal audit annual report. A state agency is not required to post information contained in the agency’s internal audit plan or annual report if the information is excepted from public disclosure under Chapter 552 of the Texas Government Code.

Annual Report

The audit process includes the following steps:


Whenever appropriate, the timing of an audit is discussed and agreed with management.

Engagement Letter

The engagement letter serves to notify management of a impending audit/consulting services engagement. Notification occurs via email, and usually includes a request for preliminary documentation needed for the review, such as written policies, procedures and flowcharts, etc. Depending on the nature of the audit work, some staff impacted may receive little or no advance notice.

Entrance Conference

An entrance conference may be scheduled with the department to discuss the purpose and scope of the audit. This may be accomplished via telephone or e-mail if the auditee so desires. We encourage auditees to discuss any concerns or questions they have about the audit and will solicit input regarding issues management would like us to include in the review.

Field Work

As much as practical, we will review documentation in our office; however, we may also need to work on-site to access necessary records and information. We will frequently conduct interviews and complete questionnaires with departmental personnel to gain a better understanding of operations and procedures. We realize each person’s time is valuable, so we attempt to arrange meetings in advance and to work around scheduling conflicts. Please note that TSUS Rules and Regulations provide that “auditors shall have full, free, and unrestricted access to all activities, records, property, infrastructure, and personnel.” The Rules further stipulate that documents and information we obtain during any review are to be safeguarded and handled in a professionally responsible and confidential manner in accordance with Texas Law.

Draft Audit Report

Throughout the review, potential issues and recommendations will be discussed with departmental management. After completion of our work, we will draft a report and present it to departmental management for review and commentary. We encourage open communication and the sharing of information with employees familiar with the details to ensure that issues noted in draft reports are accurate, fairly presented, and complete. There may be several iterations of draft reports, particularly if new, relevant information becomes available or circumstances change significantly during the drafting stages. Ultimately, we will request a response from management for each of the recommendations contained in the draft report. Per the TSUS Rules and Regulations, management’s responses must include a corrective action plan, those responsible for implementing the corrective actions, and an estimated timetable for completion. When the audit report has been developed at the institutional level, a copy is emailed to the Texas State University System Director of Audits and Analysis for review. Any further revisions are cleared with the auditee prior to release of the final report.

Exit Conference

A formal exit conference may be held at the option of the auditee. Sometimes, this process can be completed on an informal basis via e-mail, telephone or other forms of communication.

Report Distribution

Final audit reports are addressed to the President, with copies distributed to appropriate Component management, the Chancellor and other System Office executives, the Board of Regents, and state officials.


All TSUS components are required to provide a quarterly report to the Board of Regents about their progress resolving open issues. This information is included in the Board Book provided to Board members for each quarterly meeting. The Audit Director will send a list of all open issues to management each quarter and will perform brief audit procedures to verify the status provided. The Audit Director will coordinate these reports and communicate the necessary timetable. Managers are urged to respond promptly in order to ensure timely information is provided to the Board.

The Office of Internal Audit performs investigations into allegations of waste or abuse received via the System’s fraud reporting hotline, EthicsPoint, as well as allegations received through the State Auditor’s Office, and/or other sources.

Due to the special nature of investigations, management is informed about their nature and our related activities on a strictly “need to know” basis. All employees are required to provide information requested by auditors performing such investigations and must maintain confidentiality as requested by the auditor. In addition, we may require employees interviewed to sign attestations regarding the testimony provided and a confidentiality form.

The following is an excerpt from the TSUS Rules & Regulations:

Fraud Reviews. The Board of Regents has established an Anti- Fraud Policy in Chapter VIII, Paragraph 1 of these Rules and Regulations. The Director of Audits and Analysis will make every reasonable and lawful effort to protect the rights and the reputations of those involved in an internal audit review involving allegations of fraud, including the employee/complainant who reports alleged fraud; the individual(s) interviewed during the resultant review; and the individual(s)/entity(ies) against whom the allegations were made. The Director of Audits and Analysis is charged with responsibility for coordinating review activities as necessary with component Internal Audit Directors, component police departments, the Office of Vice Chancellor and General Counsel, human resources office(s), and appropriate external law enforcement and other oversight agencies.

Fraud review results are not routinely disclosed or discussed with anyone other than those who have a legitimate need to know. In the event that a review substantiates fraudulent activities, the Director or his/her designee will prepare and distribute a report in accordance with Paragraph 7.93 of this Chapter. The Director will communicate substantiated fraud committed by System employees to the State Auditor’s Office in accordance with Texas Government Code §321.022.

The Director, Office of Internal Audit, maintains an overview of all audit activities at the institution. The Director interfaces with outside agencies, such as the State Auditor’s Office. He/she should be kept informed about all audit activities on campus and should be provided with copies of all audit reports.

In the event that agencies, such as the State Auditor’s Office, notify component management about upcoming audits or send draft or final audit reports to components, recipients are requested to provide copies to the local Audit Director, unless the agency has already included the director on the copy list.

Sul Ross State University and Rio Grande College are committed to ensuring that our organizations maintain the highest standards of ethical conduct and integrity throughout all aspects of its operations. As public servants, System faculty and staff are guardians of the resources entrusted to it and have a responsibility to its students, parents, alumni, donors, and the citizens of Texas to ensure those resources are used efficiently and for their intended purpose.

The Texas State University System has established a reporting hotline through a private contractor, EthicsPoint, to provide a confidential avenue for reporting concerns about potential waste, fraud, and abuse of resources, the lack of compliance with laws and regulations, or violations of the System’s Code of Ethics. Reports can be submitted anonymously; reports filed through EthicsPoint are forwarded to and investigated by individuals who are independent of System management. EthicsPoint is available 24 hours a day, 7 days a week.


EthicsPoint can be accessed via the following link: https://secure.ethicspoint.com/domain/media/en/gui/12867/index.html.

Reports may also be submitted via telephone by calling (toll free) 866-294-0987. Para hacer un reporte en Espanol, favor de llame 866-294-0987.

Retaliation against anyone who, in good faith, reports unlawful activity is prohibited under the Texas Whistleblower’s Act. If provided, the identities of individuals who file reports through EthicsPoint will be kept confidential to the extent allowed by investigative processes and the law.

State Auditors Fraud Hotline

1-800-TX-AUDIT (892-8348)

Please provide as many specific details as possible; the main reason for an inconclusive result is because not enough information was provided to enable a meaningful investigation.
Note that it is not for general complaints, suggestions, or personnel issues, which should be pursued through your immediate management or the Human Resources department.

Nelly R. Herrera, J.D.
Vice Chancellor and General Counsel
Texas State University System

Scott Cupp, CIA
Director, Office of Internal Audit
Sul Ross State University

Kelly Wintemute, MBA, CCEP
Compliance Officer
Texas State University System

Internal Audit

Scott Cupp
Director, Office of Internal Audit
BAB 319 A
(432) 837-8303