Office of Internal Audits

1

• Office of Internal Audits
• Risk Assessment
• and
• the Annual Audit Planning Process

2
Internal Audit Organization
3
Office of Internal Audit

• Our Website

4
Audit Compliance Committee

• President
• Executive Vice President Provost
• Interim VP Business Affairs
• VP Student Affairs
• Dean of the School of Management
• Associate VP for Business Affairs
• External member (Director of Internal Audit at
  Southwest Airlines)
• UT System Audit Representative
• Director of Internal Audits (non-voting member)

5
Audit Compliance Committee

• Meets quarterly.
• Discusses
• Audit reports issued
• Status of audit plan
• Risks (compliance included)
• Approves annual audit plan.

6
Standards of Practice

• Standards for the Professional Practice of
  Internal Auditing - Institute of Internal
  Auditors
• Generally Accepted Government Auditing Standards
  (when applicable)
• Texas Internal Auditing Act (State law)
• University of Texas System guidelines and
  applicable Business Procedures Memoranda
• Adherence to IIAs Code of Ethics
• Objectivity and independence
• Independence Statements
• Confidentiality
• Non-disclosure Statements

7

• Independence Statements
• By my signature below, I certify that I have
  disclosed by attachment to this statement any
  personal impairment of which I am aware and which
  might be viewed as an impairment of my
  independence. In addition, I have been informed
  of and understand the independence policies of
  the Office of Internal Audits. If any
  information changes I will notify the Director of
  Internal Audits.
• Signed _________________ Date
  _____________________

8
(No Transcript)
9
Types of Internal Audits

• Required Audits
• Consulting Projects
• Risk-Based
• Financial, Compliance, IT, Academic Institutional
  Process
• Projects
• Follow-Ups
• Change of Management (departmental)

10
Annual Audit Planning Risk Assessment Process
11
Standards of Practice

• Standards for the Professional Practice of
  Internal Auditing - Institute of Internal
  Auditors Performance Standard 2010 Planning
• 2010.A1 The internal audit activitys plan of
  engagements should be based on a risk assessment,
  undertaken at least annually. The input of
  senior management and the board should be
  considered in this process.

12
Enterprise Risk Management

• We are beginning to implement ERM into our risk
  assessment and audit planning process.
• Enterprise risk management (ERM) is
• a continuous, proactive and systematic process
• to understand, manage, and communicate risk
• from an organization-wide perspective.
• Based on COSO.

13
Risk Assessment Step 1

• Identify the Audit Universe
• Strategic Plan
• Prior audit plans
• UT System input
• Budget
• Financial Statements
• UTD Website
• News articles, etc.
• Conversations with management and other
  employees, department heads, etc.

14
Risk Assessment Step 2

• Internal Audit staff discussions and
  brainstorming retreat
• Survey

15
(No Transcript)
16

• Assigned audit staff members to meet with
  representatives from various areas (student
  affairs, business affairs, academic affairs,
  information resources, research, etc.) -
  brainstorming
• Discussed risks with Audit Committee
• Created risk footprints for each of the audit
  areas

17
Risk Footprints

• Financial Audits
• Information Technology Audits
• Academic Institutional Processes

18
Institutional Compliance Audits

• Work with Compliance Office to determine which
  areas they want us to audit.

19
Risk Assessment Step 3Risk Footprints
(handout)

• The effect a single occurrence of that risk will
  have upon the achievement of UTDs goals and
  objectives.
• HIGH Show stopper the effect will cause UTD
  not to achieve its goals and objectives.
• MEDIUM - The effect will cause UTD to operate
  inefficiently and/or expend unplanned resources
  to meet goals and objectives.
• LOW - No measurable effect upon the achievement
  of UTD's goals and objectives.

IMPACT
20
Risk Assessment Risk Footprints

• The probability that a risk will become reality
  at UTD.
• High The risk will become a reality frequently
  at UTD.
• Medium The risk will become a reality
  infrequently at UTD.
• Low The risk will rarely become a reality at
  UTD.

PROBABILITY
21
Step 4 Analyze Results Select Audits

• Based primarily on risk assessment and number of
  audit hours available.
• Based on extent of external audit work.
• Certain audits REQUIRED.
• Example Lena Callier Trust, UT System-wide
  audits, etc.
• Certain audits performed based on past
  experience.
• Management request and input.

22
Types of Audits FY 2006 Audit Plan based on
risk assessment

• Required Audits 16
• Consulting Projects 2
• Compliance Audits 21
• IT Audits 13
• Academic Institutional Processes 31
• Change of Management Audits 6
• Follow-Up Audits 1
• Projects 10

23
Scheduling the Audits
Audits scheduled according to risk,
availability, etc. ERM procedures will be
continued at least quarterly, and Audit Plan will
be revised as necessary.
24
Previous Risk Assessments

• Prior to FY 2005, we used different risk
  assessment process.
• Process involved assessing risk for different
  audit types (financial, compliance, IT, etc.)
  based on values given to certain risk factors.
• We get the same results!

25
Audits Conducted with EIAP Students in the Past

• Fall 2003
• Key Shop
• Spring 2004
• Salaries Wages
• Time Effort Reporting
• TAC 202 (Information Technology Security)

• Fall 2004
• Financial Statement Certifications
• Spring 2005
• Contracting
• Registration
• Follow-Up of FY 2004 Audit Recommendations
• Expenditures
• ACL Project

26
Fall 2005 Class Audit Projects

• Required Audits
• ATP/ARP Grants (Financial, Compliance)
• TAC 202 Security Audit (IT)
• Risk-Based Audits
• The Pub (academic institutional process
  operational)
• Physical Plant Billing/Work Order System (all
  types includes IT)
• Compliance Audits
• If needed.

27
Planning for Individual Audits
28
Audit Scopes

• ATP/ARP Grants Required every two years by the
  Coordinating Board. Compliance with grant
  provisions.

29

• TAC 202 Security Audit Required by Texas
  Administrative Code (State Law)

30

• The Pub - Requested by management. Operational
  audit of The Pub. UTD took over operations of
  this area. To determine if assets are
  safeguarded, resources are employed efficiently
  and economically, established operating and
  strategic goals and objectives are accomplished.

31

• Physical Plant Billing/Work Order System To
  determine if assets are safeguarded, resources
  are employed efficiently and economically,
  established operating and strategic goals and
  objectives are accomplished.

32
Internal Audit Process

• Audit is assigned by Director Report Tracking
  and Assignment Sheet
• In-charge prepares planning audit program
• Planning conference - approved by Director
• Audit notification submitted to customer
• Entrance conference held
• Preliminary evaluation work research
• Based on preliminary work, fieldwork audit
  program prepared and approved by Director
• In-charge/Director review process
• Exit conference
• Report
• Working paper wrap-up/final procedures
• Follow-up

33
Professional Presence

• Verbal
• Listening
• Written
• Professional presence dress according to the
  department
• Emails/phone calls
• Protocols organization structure

34
Working Papers

• Currently in process of converting to Teammate
  electronic working papers.
• All work done in Word, Excel, etc.
• ACL software.
• How to do the working papers?
• Will discuss at individual team meetings.
• Format depends on the audit department.

35
Weekly Status Reports

• VERY IMPORTANT
• Keep in-charge auditor informed of weekly
  progress via status report.
• Status reports submitted to Director each week.
• Track time charged to audit.

• STATUS REPORTS
• Activities worked on during the week.
• Time charges.
• Problems encountered.
• Estimated completion date.
• Activities planned for next week.
• Explanation of budget variances, delays in due
  date.

36
Planning the Audit of The Pub (class example)

• Audit Objective per Audit Plan
• Requested by management. Operational audit of
  The Pub. UTD took over operations of this area.
  To determine if assets are safeguarded, resources
  are employed efficiently and economically,
  established operating and strategic goals and
  objectives are accomplished.
• The Pub's Website

37
Planning the Audit of The Pub (class example)

• Planning Audit Program general planning
  procedures performed on all audits.
• Get the Assignment
• Meet with team
• Identify Resources Needed
• Communication with Customer
• Obtain Preliminary Background Information
• RISK ASSESSMENT
• Documentation of Planning Results
• Development of the Audit Program
• Approval of the Audit Plan/Audit Program
• Begin fieldwork!

38
Risk Assessment Footprint The Pub
ACTIVITIES?
RISKS?
39
Concluding the Audit

• Write up summary of issues.
• Discuss with team.
• Discuss with Director.
• Keep customer informed of any issues so no
  surprises!
• Draft report.
• Director review.
• Exit conference.
• Final report issued.

40
Questions?