The Texas State University System (System) internal audit function, rules and policies shall comply with the mandatory elements of the International Professional Practices Framework (Internal Auditing Standards), as promulgated by The Institute of Internal Auditors and with the Texas Government Code, Chapter 2102, the Texas Internal Audit Act. The Rules and Regulations, as related to the audit function, shall serve as the Texas State University System Internal Audit Charter and the protocols under which the audit function shall operate. The System Chief Audit Executive shall develop and maintain internal policies and procedures to comply with the audit function rules.
7.11 Definition of Internal Auditing. Internal auditing is an independent, objective assurance and consulting activity designed to add value to an organization; improve its operations; and otherwise assist accomplishment of its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of control, governance, and risk management processes.
7.12 Mission of Internal Audit. The mission of the internal auditing function is to enhance organizational value by providing risk-based and objective assurance, advice, and insight.
7.13 Independence and Objectivity of Auditors. Because of the critical nature of the internal audit function to the fiscal, administrative, and operational integrity of the System and its Components, the Chief Audit Executive and auditors under her or his direct or indirect supervision shall maintain their independence and objectivity of judgment. System auditors shall be ineligible to hold any other appointment or title, whether paid or unpaid, with the System or any of its Components.
7.14 Core Principles. The internal auditing function will adhere to the Core Principles as defined by the International Professional Practices Framework.
7.15 Code of Ethics. In addition to complying with the System Standards of Conduct (see Chapter VIII), System auditors are also expected to comply with the Code of Ethics outlined in the International Professional Practices Framework.
7.2 Board, Management and Internal Audit Responsibilities.
The Board of Regents is primarily responsible for providing governance, guidance, and oversight of management within the System. Management is responsible for establishing and maintaining adequate internal controls to ensure achievement of System goals and objectives. The internal audit function is designed to provide positive support to the Board, System and Component administrations in the effective discharge of their respective responsibilities.
7.3 Reporting Structure.
The System Chief Audit Executive shall have sole responsibility for all System and Component audit functions and personnel, including, but not limited to, hiring and termination of audit staff, setting of salaries, and otherwise establishing terms and conditions of employment, and establishing the annual budget for the internal audit function, submitting the same to the Chancellor for approval. The System Chief Audit Executive will timely advise the Chancellor regarding desired audit budget initiatives.
7.4 Audit Space.
The Chair of the Finance and Audit Committee and the Chief Audit Executive will examine annually whether the provision of on-campus office spaces for the audit function creates a perceived conflict of interest or otherwise poses an impediment to the auditors' independence.
The System Chief Audit Executive and auditors under her or his direct or indirect supervision shall have full, free, and unrestricted access to all activities, records, property, infrastructure, and personnel of System and Component administrations. Any review, whether planned or unplanned, announced or unannounced, may involve the gathering of evidence and testimony from individuals within or outside the System.
7.6 Handling of Information Gathered.
7.61 Documents. Documents and information obtained during any audit review shall be safeguarded and otherwise handled in a professionally responsible and confidential manner in accordance with Texas Law.
7.62 Criminal or Serious Policy Violations. Information obtained during any audit review that may involve criminal or serious policy violations shall be communicated to the Board of Regents, the Chancellor, the Component President, and, where appropriate or otherwise required by law, to Component and/or outside law enforcement or other oversight agencies.
7.7 Nature and Scope of Work.
The internal audit activity will evaluate and contribute to the improvement of governance, risk management, and control processes, utilizing a systematic and disciplined approach.
7.71 Assurance Services (Audits). Assurance services involve the objective assessment of evidence to provide an independent opinion or conclusion regarding an entity, operation, function, process, system, or other subject matter. The nature and scope of the assurance engagement are determined by the internal auditor. Examples include, but are not limited to:
(1) Determining the adequacy, efficiency, and effectiveness of System and Component governance, control and risk management processes;
(2) Reviewing the reliability and integrity of financial and operating information;
(3) Reviewing the effectiveness of processes established to ensure compliance with policies, procedures, and applicable laws and regulations;
(4) Evaluating processes related to information systems and data security; the development and deployment of information systems; and the creation/modification of support infrastructures;
(5) Reviewing controls designed to safeguard System and Component assets;
(6) Evaluating economy and efficiency of resource utilization;
(7) Assessing achievement of results and outcomes as defined by established objectives, goals, and performance measures; and
(8) Performing follow-up work to ascertain and report on whether management has taken appropriate remedial action on internal and external audit findings or recommendations.
7.72 Consulting Services. Consulting services are advisory in nature and are generally performed at the specific request of management. Examples include but are not limited to:
(1) Reviewing client-prepared responses to external audit reports;
(2) Training on fraud prevention, internal controls, and risk assessment processes;
(3) Analyzing client or third-party prepared data; and
7.73 Fraud Reviews and Internal Investigations of Suspected Defalcation, Misappropriation, and Other Fiscal Irregularities. The Board of Regents has established an Anti-Fraud Policy in Chapter VIII, Paragraph 1 of these Rules and Regulations. The System Chief Audit Executive is charged with responsibility for coordinating review and investigative activities as necessary with Component-housed Directors, Component police departments, the Office of Vice Chancellor and General Counsel, human resources office(s), and appropriate external law enforcement and other oversight agencies. The System Chief Audit Executive will make every reasonable and lawful effort to protect the rights and the reputations of those involved in an internal audit review involving allegations of fraud, including the employee/complainant who reports alleged fraud; the individual(s) interviewed during the resultant review; and the individual(s)/entity(ies) against whom the allegations were made.
Fraud review results are not routinely disclosed or discussed with anyone other than those who have a legitimate need to know. In the event that a review substantiates fraudulent activities, the System Chief Audit Executive or his/her designee will prepare and distribute a report in accordance with Paragraph 7.93 of this Chapter. The System Chief Audit Executive will communicate substantiated fraud committed by System employees to the State Auditor’s Office in accordance with Texas Government Code §321.022.
7.74 Emergency Appropriations. In the event a Component receives emergency appropriations from the state, the receipt, disbursement, and reporting of such appropriations will be subject to review by the System Chief Audit Executive and Component-housed auditors.
7.75 Intercollegiate Athletics. The System Chief Audit Executive shall conduct periodic audits of intercollegiate athletics and related activities and report the same in accordance with processes established elsewhere in these Rules and Regulations.
7.76 Systemwide Compliance Program. The Systemwide compliance program is conducted under the auspices of the audit function and is designed to promote and encourage, through objective assessments and other activities, behavior and compliance with applicable policies, laws, and rules governing higher education.
7.8 Audit Risk Assessment and Audit and Compliance Plan Development.
7.81 Component Audit Risk Assessment and Plans. On an annual basis, each Component-housed Director shall perform a risk assessment to be used in developing a Component Audit Plan for the subsequent fiscal year. The risk assessment process shall include input from Component management and utilize other procedures as may be necessary and reasonable to ensure that risks unique to the Component are considered and evaluated in the planning process. Component Audit Plans shall be submitted to the System Chief Audit Executive for input and approval. Risk-based testing of contract administration shall be included in the annual Audit Plan. An assessment as to whether the institution has adopted the rules and policies required by Section 51.9337 of the Texas Education Code shall be performed annually.
7.82 System Administration Audit Risk and Compliance Assessment and Plan. The System Chief Audit Executive shall solicit input from the Finance and Audit Committee, the Chancellor, and Vice Chancellors regarding the risk assessment to be used in developing an Audit and Compliance Plan for System Administration. Risk-based testing of contract administration shall be included in the annual Audit and Compliance Plan. An assessment as to whether System Administration has adopted the rules and policies required by Section 51.9337 of the Texas Education Code shall be performed annually.
7.83 Consolidation of Audit Plans. The System Administration and Component Audit Plans shall be consolidated into a Systemwide Audit and Compliance Plan, which will be presented by the System Chief Audit Executive to the Finance and Audit Committee for approval at the meeting to be held prior to the fourth quarter Board of Regents meeting. The Finance and Audit Committee shall include discussion of the status of current and subsequent year Audit Plans and submit its recommendations for approval to the full Board.
7.84 Deviations from Audit and Compliance Plans. Circumstances may require deviations from the Audit and Compliance Plan. Component-level deviations may be recommended to the System Chief Audit Executive by the Component-housed Director or initiated by the System Chief Audit Executive. The System Chief Audit Executive shall promptly notify the Finance and Audit Committee and the Chancellor of such deviations, which may be approved, in writing, by the Chair of the Finance and Audit Committee. Investigations resulting from EthicsPoint or other fraud reporting mechanisms are not considered deviations from the Audit and Compliance Plan.
7.9 Audit and Compliance Reports.
7.91 Content. Each report shall contain, at a minimum:
(1) A brief description of the scope and objectives of the project;
(2) A brief summary highlighting significant observations and/or recommendations;
(3) A summary of management responses and the total financial impact, if any, of recommendations (this summary shall be provided to the Finance and Audit Committee at each regular Board meeting); and
(4) A detailed discussion of the observations and recommendations, including management’s written response.
7.92 Management Response.
7.921 Time for Response. Management must respond to each report within two weeks of the issuance of the report draft. Upon a showing of extenuating circumstances by management and the Component-housed Director’s recommendation, the System Chief Audit Executive may extend the time for response.
7.922 Content of Response. Management responses to each report shall include:
(1) A statement of agreement or disagreement with each recommendation.
(2) In cases where management agrees to implement a recommendation, the response shall include a summary of planned actions, a timetable for implementation, and the names and titles of the individuals responsible for ensuring implementation of the recommendation.
(3) In cases where management does not agree to implement a recommendation, the response shall include justification for disagreement. In such cases, the System Chief Audit Executive may include follow-up comments, addressing the adequacy of the justification provided.
(4) The President of a Component who has an audit involving circumstances described in Paragraph 7.93 of this Chapter shall include in his or her quarterly Board report the status of the recommendations/findings until they have been verified and resolved by the Component-housed Director to the System Chief Audit Executive’s satisfaction.
7.93 Distribution. The Director shall review, approve, and timely distribute draft audit and compliance reports (internal and external) to System or Component administrations, Finance and Audit Committee members, the Board of Regents and outside parties, including the Governor’s Office, the Legislative Budget Board, the Sunset Commission, and the State Auditor’s Office. The System Chief Audit Executive shall forward the draft reports, in their entirety, to the Board of Regents in instances involving:
(1) Fraud or theft;
(2) A financial impact of more than $20,000 savings or cost;
(3) Significant instances of non-compliance with Component and/or System rules, policies or procedures, internal controls, state or federal regulations or laws;
(4) Situations in which a Component-housed auditor has experienced undue management pressure or delay; or
(5) Other circumstances (or amounts), which, in the System Chief Audit Executive’s discretion, are material and substantial.
7.94 Delegation. The System Chief Audit Executive may delegate to Component-housed Directors the task of distributing draft audit reports (internal and external) at their respective Components, as well as a mechanism to inform applicable Component parties of subsequent distribution to the Chancellor, Board members, and mandated external entities. All draft internal audit and compliance reports will be submitted to the System Chief Audit Executive for review and approval.
7.(10)1 Periodic Status Reports. The Component-housed auditors shall forward a summary of audit reports and the status of their respective Audit Plans in a format and time prescribed by the System Chief Audit Executive for inclusion in the quarterly Board agenda materials.
7.(10)2 Follow-Up Audit Work. The System Chief Audit Executive shall prescribe a follow-up audit tracking system for use by the Component-housed auditors to ensure timely follow-up on all audit recommendations.
7.(10)3 External Audit Communications. The System Chief Audit Director shall act as the System and Component general liaison with the State Auditor’s Office. Each Component-housed Director shall function as the on-site liaison between that Component and the State Auditor’s Office or other external auditors. The Component-based Director shall notify the System Chief Audit Executive of any external audit work, planned entrance and exit conferences, and significant audit issues promptly and timely upon notification by the State Auditor’s Office or external auditors.