Texas A

1
Texas AM UniversityCouncil of Senior
BusinessAdministrators (CSBA)WorkshopCommon
Internal Audit Results

• May 20, 2003

2
(No Transcript)
3
(No Transcript)
4
How Are Audits Selected?
5
Audit Selection

• Auditable Units
• Risk Factors
• Rankings and Selections
• Annual Audit Plan

6
Typical Auditable Units

• Academic Colleges

• Business Functions

• Information Technology

• Human Resources

• Auxiliary Enterprises

• Student Financial Aid

7
Audit Selection

• Auditable Units
• Risk Factors
• Rankings and Selections
• Annual Audit Plan

8
Risk Factors(High, Medium, or Low)

• Funding Source
• Prior Audit Results
• Complexity
• Joint Appointments
• Change In Mission and/or Management
• Management Expressed Concern

9
Audit Selection

• Auditable Units
• Risk Factors
• Rankings and Selections
• Annual Audit Plan

10
Audit Selection

• Auditable Units
• Risk Factors
• Rankings and Selections
• Annual Audit Plan

11
Annual Audit Plan

• List of Proposed Audits is Provided to CEOs for
  feedback
• Committee on Audit Provides Feedback
• Audit Plan Approved by the BOR
• http//sago.tamu.edu/iaudit/

12
What Governs How Auditors Conduct Their Work?
13
Texas Internal Auditing Act(Government Code 2102)

• Every State Agency must have a program of
  internal auditing
• Internal Audit must answer directly to the Board
• Requires annual audit plan
• Annual summarized report to the Governors Office
• Distribution of individual audit reports
• Adherence to industry and government auditing
  standards

14
Auditing Standards Guidelines

• The Institute of Internal Auditors Standards for
  the Professional Practice of Internal Auditing
• United States General Accounting Office
  Government Auditing Standards
• System Policy Regulation Manual
• University Rules Standard Administrative
  Procedures
• Committee of Sponsoring Organizations (COSO) of
  the Treadway Commission Internal Control
  Integrated Framework

15
Common Themes From Recent Audits

• Human Resources
• Revenue and Cash Handling
• Information Technology
• Procurement and Disbursements

16
Information TechnologyLaws and Regulations

• State Department of Information Resources (DIR)
• Texas Administrative Code Title 1 Part 10 Chapter
  202 (TAC 202)
• University Rule 24.99.99.M1

17
Risk Assessment

• Departmental level
• ISAAC (Information Security Assessment,
  Awareness, and Compliance) developed by TAMU CIS
  Department
• Annual Requirement

18
Security Program

• Departmental level
• Based on Departmental Risk Assessment
• Must comply with DIR Security Standards
• Logical and physical security
• Disaster recovery and backups
• Monitoring

19
Logical Security

• Unauthorized users.
• Users access not removed upon termination.
• No required password changes.
• Password length less than 6 characters.
• Login attempts not limited.
• Grace logins not limited.
• Inactive workstations not locked.

20
Physical Security

• Lack of adequate environmental Controls.
• Unlocked server closets and offices.

21
Disaster Recovery and Back-ups

• No documented disaster recovery plan.
• No evidence that the plan has been tested.
• No regular backup of data.
• No Off-site storage of data.

22
Monitoring

• The following areas are not being monitored
• Unsuccessful login attempts
• Attempted hacks viruses
• Security patches
• Virus Scanner Signature Definitions

23
Procurement and Disbursements
24
Purchasing/Procurement

• Contracting through Purchasing Services
  Department
• Limited Purchases
• Exempt purchases

25
Pre-Approval for Travel

• Foreign
• Washington, D.C

26
Purchase Vouchers

• Timeliness of payment
• Reconciliations

27
Procurement Cards

• Quantity
• Vendor Charge Accounts/Cards
• Segregation of Duties
• Custody
• Transaction Log
• Receipts
• Cancellation
• Allowability of Charges

28
Human Resources
29
Personnel Files

• Confidential Medical Info
• Position Descriptions
• Performance Evaluations
• Probationary Evaluations
• File Security

30
Leave Records

• Accuracy
• Approval
• Deficit Balances
• Nine-Month Appointments
• Compensatory Leave
• Flex Schedules

31
Payroll

• Timesheets
• Manual Checks
• Terminations
• Contracts for Services

32
Miscellaneous

• Hiring Practices
• Segregation of Duties

33
Revenues and Cash Handling
34
Common Observations

• Cash Handling Procedures
• Accounts Receivable
• Segregation of Duties

35
Cash Handling Procedures

• System Policy 21.01.02, Receipt, Custody, and
  Deposit of Revenues
• If you handle funds, you need to be
  familiar with this policy!
• Another name for cash ---
• "Now You See It - Now You Don't!!!

36
Cash Handling Procedures

• Funds subject to unannounced count by auditors
  at any time
• Ask auditor for identification
• Remain present while funds are counted
• Fund custodian records not current

37
Cash Handling Procedures

• Receipting
• Receipts not issued
• Not official pre-numbered receipts
• Pre-numbered receipts not tracked/monitored
• Checks not restrictively endorsed
  immediately upon receipt

38
Cash Handling Procedures

• Safeguarding
• Funds not in a secure location
• Combinations not changed when there is a
  change in personnel
• Keys not secured
• Access to funds is not limited to two
  individuals

39
Cash Handling Procedures

• Transfer of funds between individuals not
  documented to maintain individual accountability
• Deposits not made in a made timely
• When the amount on hand reaches 200 or at
  least once every three business days
  regardless of amount

40
Accounts Receivable

• System Policy 21.01.04, Extension of Credit
• Reconciliations
• All differences should be explained
• Timely resolution of reconciling items
• Signed and dated by preparer
• Signed and dated by reviewer

41
Segregation of Duties

• Receipting, Depositing, Recording
• Back-up duties

42
How to Contact SIAD

• Phone 979/845-3476
• Fax 979/845-6536
• Web http//sago.tamu.edu/iaudit/
• Hotline 800-501-3850
• Charlie Hrncir chrncir_at_tamu.edu
• Bob Cates robert-w-cates_at_tamu.edu
• Amanda Dotson adotson_at_tamu.edu
• David Maggard dmaggard_at_tamu.edu
• Sandy Ordner sordner_at_tamu.edu