The mission of the UTHealth Office of Auditing and Advisory Services (A&AS) is to provide independent, objective assurance and consulting services designed to add value and improve the institution’s operations. A&AS helps the UTHealth accomplish its objectives by bringing a systematic, disciplined approach to evaluation and improving the effectiveness of risk management, control and governance processes.
The scope of work of the internal audit department is to determine whether the organization’s network of risk management, control, and governance processes, as designed and represented by management, is adequate and functioning in a manner to ensure:
- Risks are appropriately identified and managed.
- Interaction with the various governance groups occurs as needed.
- Significant financial, managerial, and operating information is accurate, reliable, and timely.
- Employees’ actions are in compliance with policies, standards, procedures, and applicable laws and regulations.
- Resources are acquired economically, used efficiently, and adequately protected.
- Programs, plans, and objectives are achieved.
- Quality and continuous improvement are fostered in the organization’s control process.
- Significant legislative or regulatory issues impacting the organization are recognized and addressed appropriately.
Opportunities for improving management control, profitability, and organization’s image may be identified during audits. These opportunities will be communicated to the appropriate level of management.
STANDARDS OF AUDIT PRACTICE
A&AS will practice according to the Institute of Internal Auditors’ International Professional Practices Framework (IPPF). The three mandatory elements of the IPPF are the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). The department will also abide by generally accepted governmental auditing standards.
- Provide assessments on the adequacy and effectiveness of the organization’s processes for controlling its activities and managing its risks in the areas set forth under the mission and scope of work.
- Report significant issues related to the processes for controlling the activities of the organization and its affiliates, including potential improvements to those processes, and provide information concerning such issues through resolution.
- Periodically provide information on the status and results of the annual audit plan and the sufficiency of department resources.
- Coordinate with other internal monitoring functions and external audit entities.
The CAO also has an indirect reporting relationship to the University of Texas System (UT System) director of audits who has responsibility for oversight of the internal auditing activity for the UT System and has reporting responsibility for all UT institutions to the Board of Regents.
To provide for the independence of the internal auditing department, its personnel report to the CAO who reports to the Office of President. The internal audit function must be free of all operational and management responsibilities that would impair its ability to review independently all aspects of the institution, as required by the Texas Internal Auditing Act (Government Code Chapter 2102).
The CAO enhances independence and meets the IIA Standard requirement of communication an indirect interaction with the board through periodic meetings with the Audit Committee, including private sessions.
The chief audit executive and staff of the internal audit department have responsibility to:
- Develop a flexible annual audit plan using an appropriate risk-based methodology, including any risks or control concerns identified by management, and submit that plan to the Office of the President, UTHealth Audit Committee, and the Board of Regents for review and approval as well a periodic updates.
- Implement the annual audit plan, as approved, including as appropriate, any special tasks or projects requested by executive management, UT System officials, or the Board of Regents.
- Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this Charter and the Texas Internal Auditing Act.
- Evaluate and assess significant merging/consolidating functions and new or changing services, processes, operations, and control processes coincident with their development, implementation, and/or expansion.
- Issue period reports to the audit committee and management summarizing results of audit activities.
- Keep the Office of the President and the Audit Committee informed of emerging trends and successful practices in internal auditing.
- Assist in the investigation of significant suspected fraudulent activities within the organization and notify appropriate members of management of the results.
- Consider the scope of work of the external auditors and regulators, as appropriate, for the purpose of providing optimal audit coverage to the organization at a reasonable overall cost.
- Provide consulting and advisory services related to governance, risk management and control as appropriate. These services are generally performed at the specific request of an engagement client. The nature and scope of the engagement are subject to mutual agreement between internal audit and the client. In the performance of these engagements internal audit will maintain objectivity and not assume any management responsibility.
- Ensure that an appropriate quality control system is in place as required by University of Texas System Policy 129 and the IIA Professional Standards.
- Provide information to the UT System director of audits as required or requested.
- Fulfill reporting requirements for audit reports and related responses and the annual report required by the Texas Internal Auditing Act.
The chief audit officer and staff of the internal audit department are authorized to:
- Have unrestricted access to all functions, records, property, and personnel.
- Have full and free access to the audit committee
- Allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish audit objectives.
- Obtain the necessary assistance of personnel in units of the organization where they perform audits, as well as other specialized services from within or outside the organization.
The chief audit officer and staff of the internal audit department are not authorized to:
- Perform any operational duties for the organization or its affiliates.
- Initiate or approve accounting transactions external to the internal auditing department.
- Direct the activities of any organization employee not employed by the internal auditing department, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the internal auditors.