Policy Number: 66
Date Reviewed: November 2022
Responsible Office: Auditing and Advisory Services
Responsible Executive: Vice President and Chief Audit Officer
I. POLICY AND GENERAL STATEMENT
The University of Texas Health Science Center at Houston ("University") manages risk exposures relating to its governance, operations, and information systems, in relation to:
- Effectiveness and efficiency of operations,
- Reliability and integrity of financial and operational information,
- Safeguarding of assets, and
- Compliance with laws, regulations, and contracts.
The effectiveness and independence of Auditing and Advisory Services ("A&AS") are ensured and supported through a unique three-element oversight/reporting structure:
- Functional oversight: The UT System Board of Regents’ Audit, Compliance and Risk Management Committee (ACRMC) and institutional audit committees provide strategic oversight and direction of all institutional audit activities.
- Institutional oversight: The President manages the operational and administrative matters of A&AS, including performance evaluation of the chief audit executive. Employment and termination of the chief audit executive by the president must have concurrence from the ACRMC Chair.
- Professional oversight: The UT System Chief Audit Executive provides oversight and support related to conformance with professional standards, promulgates guidance to ensure a consistent, System-wide approach to internal audit activities, and provides advice to the ACRMC Chair during employment and termination decisions of institutional chief audit executives.
A&AS activities are performed according to state law (Texas Government Code 2102), UT System policy (UTS 129) and regulations (Regents’ Rules 10402 and 20401), professional standards, and the University's Internal Audit Charter.
Internal audits may be performed based on a specific request from University management or as part of the yearly audit plan approved by the Audit Committee. Included in the annual audit plan are audits required by state law, UT System regulations, or funding agencies and audits based on assessed risk.
A. A&AS Access
A&AS staff is authorized to have full, free, and unrestricted access to all functions, property, personnel, and records (including medical and electronic) of the University. Such access will be unlimited and the A&AS staff will ensure the safekeeping and confidentiality of all records and information.
B. Audit Process
The audit process has four stages: planning, fieldwork, reporting, and follow-up.
Planning: The audit is scheduled with the area’s management, most often through an engagement notice memorandum. A preliminary audit scope and objectives are established based on input from the annual risk assessment, senior management, and preliminary background research. Members of the A&AS audit team will meet with area management and responsible client personnel to discuss and obtain their perspective on risks and concerns. This is usually done informally when gathering preliminary information.
During this stage, A&AS identifies systems of internal controls and develops an audit-level risk assessment. An audit program is developed and designed to gather sufficient, competent, and relevant evidence. After the planning phase is complete, a formal entrance conference is held to discuss the audit scope, objectives, and procedures to be performed. Documentation and other information required to accomplish audit objectives are also discussed.
Fieldwork: Processes are reviewed and tested using various audit techniques. The results are evaluated and any observations are discussed with those performing or responsible for the function.
Reporting: After fieldwork is completed, the audit team will discuss the results with area management, typically at an exit conference. The purpose of the exit conference is to inform area management of the audit observations, clarify possible ambiguities, and obtain agreement on the facts reported. At this conference, the parties will review and possibly modify a draft audit report. Management is asked to respond to any recommendations included in the report. Management responses can be brought to the exit conference or furnished to A&AS within a reasonable time, typically two weeks. A&AS is available to work with management to develop action plans to address recommendations. Audit reports are addressed to the president, distributed to the area under audit and, after review by the Audit Committee, sent to UT System and various Texas state agencies.
Follow-up: A&AS has a quarterly process to verify whether action was taken on audit recommendations. The Audit Committee reviews the status of audit recommendations at its quarterly meetings.