The mission of internal audit is to enhance and protect organizational value by providing risk‐based and objective assurance, advice and insight. Internal audit assists UT Austin in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization's governance, risk management, and internal control.
The purpose, authority, and responsibility of the Office of Internal Audits is defined in the Office of Internal Audits Charter, and is approved by the University President. The charter clearly outlines the purpose of the internal auditing department, specifies the unrestricted scope of its work, and declares that auditors are to have no authority or responsibility for the activities they audit.
Internal Audit Office Charter
The internal audit activity is established by the University of Texas (UT) System Board of Regents. The UT System Board of Regents’ Audit, Compliance, and Management Review Committee (ACMRC) and the institutional audit committee provide oversight responsibilities. In that role, internal audit works to be a trusted advisor to management in the areas of governance, risk management and internal controls.
The internal audit activity will adhere to The Institute of Internal Auditors' mandatory guidance including the Definition of Internal Auditing, the Code of Ethics, the Core Principles, the International Standards for the Professional Practice of Internal Auditing (Standards), and Generally Accepted Governmental Auditing Standards as required by the Texas Internal Auditing Act. This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity’s performance.
The Institute of Internal Auditors' Practice Advisories, Practice Guides, and Position Papers will also be adhered to as applicable to guide operations. In addition, the internal audit activity will adhere to UT Austin relevant policies and procedures and the internal audit activity's standard operating procedures manual.
Maintaining an internal audit activity is required by Texas state agencies under the Texas Internal Auditing Act (Texas Government Code, Chapter 2102). The internal audit activity, with strict accountability for confidentiality and safeguarding records and information, is authorized full, free, and unrestricted access to any and all of UT Austin records, physical properties, and personnel pertinent to carrying out any engagement. All employees are requested to assist the internal audit activity in fulfilling its roles and responsibilities. The internal audit activity will also have free and unrestricted access to the institutional audit committee and ACMRC.
Internal audit is a vital part of the University and functions in accordance with the policies established by the President, UT System Administration, and the UT System Board of Regents. To provide for the independence of the internal auditing activity, the Chief Audit Executive (CAE) reports functionally to the institutional audit committee. The CAE reports administratively to UT Austin’s President and has an indirect reporting relationship to the UT System CAE.
The CAE will communicate and interact directly with the institutional audit committee, including in executive sessions and between committee meetings, as appropriate. Responsibilities of the institutional audit committee are outlined in its charter.
Independence and Objectivity
The internal audit activity will remain free from interference by any element in the organization, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude.
Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair internal auditor’s judgment. Internal auditors may provide assurance services where they have previously performed consulting services provided the nature of the consulting did not impair objectivity, and provided individual objectivity is managed when assigning resources to the engagement.
Internal auditors will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors will make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
The CAE will confirm to the UT System CAE, at least annually, the organizational independence of the internal audit activity and its staff members. The UT System CAE reports this to the ACMRC.
The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the organization's governance, risk management, and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve the organization’s stated goals and objectives. This includes:
- Developing a flexible, annual audit plan using an appropriate risk-based methodology, including any risks or control concerns identified by management, and submitting that plan to the President, institutional audit committee, and the UT System Board of Regents for review and approval on an annual basis. UT System provides advice throughout the development of the annual audit plan.
- Developing relationships throughout the organization to become a trusted advisor to management on risk management and internal control matters.
- Maintaining a professional audit staff with sufficient knowledge, skills, abilities, experience, and professional certifications.
- Evaluating risk exposure relating to achievement of the organization’s strategic objectives.
- Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
- Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the organization.
- Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
- Evaluating the effectiveness and efficiency with which resources are employed.
- Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
- Monitoring and evaluating governance processes.
- Monitoring and evaluating the effectiveness of the organization's risk management processes.
- Evaluating the quality of performance of external auditors and the degree of coordination with internal audit, as applicable.
- Performing consulting and advisory services related to governance, risk management and control as appropriate for the organization. Such services include management requests, participation on institutional committees, and participation on implementation teams for information technology projects and business process improvements.
- Evaluating specific operations at the request of the institutional audit committee or management, as appropriate.
- Conducting investigations of significant suspected fraudulent activities in accordance with UTS 118 - Dishonest or Fraudulent Activities.
Internal Audit Plan
At least annually, the CAE will submit to the institutional audit committee an internal audit plan for review and approval. The internal audit plan will consist of a work schedule as well as budget and resource requirements for the next fiscal year. The CAE will communicate the impact of any resource limitations or significant interim changes to the institutional audit committee.
The internal audit plan will be developed based on a prioritization of the audit universe using a risk-based methodology, including input of senior management and the institutional audit committee. The CAE will review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls. Any significant deviation from the internal audit plan will be communicated to and approved by the institutional audit committee through periodic activity reports.
Reporting and Monitoring
A written report will be prepared and issued by the CAE or designee following the conclusion of each internal audit engagement and will be distributed as appropriate. Internal audit results will also be communicated to the institutional audit committee.
Communication of the engagement results may vary in form and content depending upon the nature of the engagement and the needs of the client. A formal internal audit report will include management’s response and corrective action taken or to be taken in regard to the specific findings and recommendations. Management's response should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented.
The internal audit activity will be responsible for appropriate follow-up on engagement findings and recommendations and reporting the results to management. All significant findings will remain as open issues until reviewed and cleared by internal audit.
The CAE will periodically report to the institutional audit committee on the internal audit activity’s purpose, authority, and responsibility, as well as performance relative to its plan. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the institutional audit committee.
Internal audit will fulfill reporting requirements for audit reports and the annual report, including the annual audit plan, as prescribed by the Texas Internal Auditing Act.
Quality Assurance and Improvement Program
The internal audit activity will maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program will include an evaluation of the internal audit activity’s conformance with the Definition of Internal Auditing, the Core Principles, and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement.
The CAE will communicate to senior management and the institutional audit committee on the internal audit activity’s quality assurance and improvement program, including results of ongoing internal assessments and external assessments conducted at least every three years.