Policy Number: 66
I. POLICY AND GENERAL STATEMENT
The University of Texas Health Science Center at Houston ("university") manages risk exposures relating to its governance, operations, and information systems, in relation to:
- Effectiveness and efficiency of operations,
- Reliability and integrity of financial and operational information,
- Safeguarding of assets, and
- Compliance with laws, regulations, and contracts.
Auditing & Advisory Services ("A&AS"), the internal audit function, is responsible for providing the President and senior management, as well as the institutional Audit Committee, with independent and objective information on these aspects of the university's operation through the exercise of internal audits, reviews, and other services. Internal audit activities are performed according to state law, UT System regulations, professional standards, and the university's Internal Audit Charter.
Internal audits may be performed based on a specific request from university management or as part of the yearly audit plan approved by the Audit Committee. Included in the annual audit plan are audits required by state law, UT System regulations, or funding agencies and audits based on assessment of risk.
A. A&AS Access
A&AS staff is authorized to have full, free, and unrestricted access to all functions, property, personnel, and records (including medical and electronic) of the university. Such access will be unlimited and the A&AS staff will ensure the safekeeping and confidentiality of all records and information.
B. Audit Process
The audit process has five stages: coordination and discussion, planning, fieldwork, reporting, and follow-up.
Coordination and Discussion: The audit is scheduled with the area’s management, most often through a notice of scheduled audit letter. A preliminary audit scope and objectives are established based on input from the annual risk assessment, senior management, and preliminary background research. Members of the A&AS audit team will meet with area management to discuss and coordinate the audit and to obtain management’s perspective on risks and other concerns. This is usually done informally when gathering preliminary information and then at a formal entrance conference. The involvement of client personnel is discussed during this time, as well as the documentation and other information required to accomplish audit objectives.
Planning: During this stage, A&AS identifies systems of internal controls and develops an audit-level risk assessment. An audit program is designed to gather sufficient, competent, and relevant evidence.
Fieldwork: Processes are reviewed and tested using various audit techniques. The results are evaluated and any findings are discussed with those performing or responsible for the function.
Reporting: After fieldwork is completed, the audit team will discuss the results with area management, usually at an exit conference. The purpose of the exit conference is to inform area management of the audit findings, to clarify possible ambiguities, and to agree on the facts at issue. At this conference, the parties will review and possibly modify a draft audit report. Management is asked to respond to any recommendations included in the report. Management responses can be brought to the exit conference or furnished to A&AS within a reasonable time, usually two weeks. A&AS is available to work with management to develop action plans to address recommendations. Audit reports are addressed to the president, distributed to the area under audit and, after review by the Audit Committee, sent to UT System and various Texas state agencies.
Follow-up: A&AS has a quarterly process to verify whether action was taken on audit recommendations. The Audit Committee reviews the status of audit recommendations at its quarterly meetings. Those recommendations designated as significant by the Audit Committee are also tracked by UT System.
Auditing and Advisory Services | 713-500-3160 | http://www.uthouston.edu/audit/contact.htm