Internal Audit Frequently Asked Questions
What is the difference between Internal Audit and Institutional Compliance at UT Permian Basin?
UT System Policy UTS 129, Internal Audit Activities, http://www.utsystem.edu/policy/policies/uts129.html (excerpt below) clarifies the roles of Institutional Compliance and Internal Audit in managing institutional risks.
Internal Audit's Relationship to the Institutional Compliance Function
Internal Audit is an independent function of the governance process of the University of Texas System. It provides periodic assurance to the Board of Regents and executive management on the component institution's ability to achieve its objectives.
Compliance is part of the control structure of the organization, whereas internal auditing evaluates the control structure - a key difference between the two functions.
Internal Audit may provide consulting and assurance services to the Compliance function. Consulting services may include: providing information and best practices in the design of the Compliance function; providing advice and information in the design of monitoring plans; providing training and educational services; and providing facilitation services for self-assessments of the Compliance function. Assurance services may include: audits of the Compliance program design; audits of the Compliance monitoring plans; audits of Compliance issues; and inspections of the monitoring plans.
For additional information on UT Permian Basin's Institutional Compliance Program, please visit their website at http://ba.utpb.edu/compliance/
What should I do if I suspect ethical violations, fraud, or a breach of the Standards of Conduct?
Employees shall notify their supervisor, the University's Ethics or Compliance Officer, or EthicsLine Hotline (1-888-288-7725) of all suspected ethical violations, fraud, or a breach of the Standards of Conduct.
Why was I selected to be audited?
The University conducts a regular, ongoing examination of its internal controls. Primary considerations in establishing which units will be audited include evaluation of risk, the results and length of time of previous internal and external audits, and specific requests from administrators. Audits for many high risk units are scheduled on a three-year cycle, while other units are randomly selected for audits. In addition, internal audits are initiated to investigate possible irregularities.
The Director of Internal Audits prepares an annual plan which is reviewed and approved by the Audit Committee and The University of Texas System Audit Office to ensure that objectives, scope and allocated audit hours support management goals. The plan is primarily developed based on the assessment of various risk factors such as: significant financial investment or impact, required regulatory or legal compliance, complex transactions or environment, new technology or processes and prior audit experience. Management requests, external audit support and standard annual audits are also included. Additionally, there are always projects we undertake that were unanticipated when the annual plan was developed.
What happens during an audit?
- Engagement Memo - With few exceptions, audit clients are notified in writing when their area is selected for review. These letters are sent to the vice president of the area being audited as well as to the appropriate dean, chairperson, or director. The engagement memo states the date, time, and place of the entrance conference and the objectives to be accomplished in the audit. Due to the nature of some audit work, we may give little or no advance notice.
- Entrance Conference - An entrance conference is scheduled with the head of the department to discuss the purpose and scope of the audit. We encourage audit clients to discuss any concerns or questions they may have about the audit. Audit clients may also request a review of those areas of most concern to them be included as part of the audit activity.
- Audit Work - Written policies and procedures may be requested to aid the auditor in understanding departmental operations; however, it is often necessary for auditors to reside in the department office(s) to conduct interviews and review departmental records. In order to minimize disruption of daily operations, we try to schedule meetings in advance to avoid potential scheduling conflicts.
- Duration of audits - These vary depending upon scope. Hence, limited scope audits require less time than audits with broader scopes, which could lengthen the audit time period. Additionally, the level of cooperation from auditees and access to personnel and records has a direct bearing on the duration of audits.
- Communicating Results - Audit results are presented to audit clients via verbal or written communication and usually include recommendations intended to benefit the area under review and the University. Audit clients have an opportunity to discuss concerns identified within the audit and to concur or disagree with conclusions and recommendations. In any event, audit clients are required to provide, in writing, proposed resolutions including reasonably expected implementation dates.
- Exit Conference - An exit conference is held to discuss audit findings. Attendees include the auditors, members of management responsible for oversight and operation of the area under review, as well as those individuals who will have a direct or indirect involvement in resolving audit concerns identified. The exit conference provides an opportunity to clear and resolve questions or concerns pertaining to findings, or other issues, before the final audit report is released.
- Final Audit Report - The final audit report includes findings and recommendations along with management's responses. Copies of the report are distributed to the president, appropriate vice presidents, the audited unit's manager, and the System Audit Office. Audit findings are also included in a summary of all UT component reports provided to the chancellor and the Audit Committee of the Board of Regents.
- Follow-up Reviews - Our professional standards require that we follow-up and report on previously reported findings to determine if corrective action was taken and audit concerns were resolved.
Are auditors looking for fraud when performing audits?
Auditors are not specifically searching for the existence of fraud. However, while conducting audits in accordance with the Institute of Internal Auditor's International Standards for the Professional Practice of Internal Auditing, improper activities may be identified.
A good system of internal controls and a control conscious organizational environment will reduce this risk.
Who audits the auditors?
Oversight of the Internal Audit Office is performed by the Institutional Audit Committee and the UT System Audit Office. In addition, a Quality Assurance Review, or peer review, is performed every three years by qualified auditors (external to the organization) in accordance with Professional Standards.
Also, in most instances, audit clients have an opportunity to evaluate the quality of service provided by our department by completing an evaluation form which we use to identify ways to improve our services.