[Minor revision–posted 8/18/16 (replaces 10/29/14 edition)]
Operating Policy and Procedure
OP 04.01: Operation of the Office of Audit Services
DATE: August 18, 2016
PURPOSE: This Operating Policy and Procedure (OP) sets forth the objectives and operation of the Office of Audit Services at Texas Tech University System.
REVIEW: This OP will be reviewed in September of even-numbered years by the Chief Audit Executive with recommended revisions forwarded to the President.
The Office of Audit Services (OAS) is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
The OAS shall:
a. Provide independent, objective assurance and consulting services designed to add value and improve the operations of the TTU system; and
b. Assist the TTU System in accomplishing its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
3. Scope of Work
The comprehensive scope of work of the OAS is to determine if the TTU System's network of risk management, control, and governance processes is functioning in a manner that will enable goals and objectives of the TTU System to be met and to evaluate and improve the effectiveness of the TTU System's risk management, control, and governance processes. Specifically, the scope of work should provide reasonable assurance that such processes are designed and operating in a manner to ensure:
a. Risks are effectively identified and managed;
b. Risk management processes and internal control systems are adequate, effective, and efficient;
c. Organizational performance management and accountability systems are effective;
d. The governance process facilitates sound decision making, organizational effectiveness, appropriate communications, and promotion of ethics and values;
e. Financial, managerial, and operating information is accurate, reliable, and timely;
f. Employees' actions are in compliance with policies, standards, procedures, and applicable statutes and regulations
g. Resources are acquired economically, used efficiently, and adequately protected;
h. Programs, plans, and objectives are achieved; and
i. Systems are designed and implemented with proper control structures.
4. Functions and Reporting of Audit Services
a. The Office of Audit Services is established by the Board of Regents in accordance with the Texas Internal Auditing Act (the Act). In order to provide organizational independence, the Chief Audit Executive (CAE), who coordinates and supervises the Office of Audit Services, reports functionally to the Board of Regents through the Board's Audit Committee and administratively to the Chancellor.
b. The CAE will periodically update the President, the Chancellor, and the Chair of the Audit Committee of the Board of Regents on the status and results of audits, engagements, and other projects.
c. As required by the Act, the Office of Audit Services will comply with The Institute of Internal Auditors' (The IIA's) International Standards for the Professional Practice of Internal Auditing, The IIA's Code of Ethics, and generally accepted government auditing standards.
d. As required by the Act, the CAE will prepare an annual audit plan based on the assessment of risks facing Texas Tech and with input from various members of Texas Tech management. The plan will be flexible, allowing time for consideration of unplanned projects and management requests.
e. As required by the Act, the CAE will prepare an annual report of the office's activities in accordance with the form and content required by the State Auditor.
5. Method of Operation
a. Generally, the CAE or a representative will notify the appropriate level of university management as to the timing, staffing, and scope of engagements included in the annual audit plan. The performance of certain procedures (e.g., cash or inventory counts or reviews of cash handling procedures) may be unannounced.
b. In sensitive cases as determined by the CAE, only upper management, the President, the Chancellor, and/or the Chair of the Audit Committee of the Board of Regents will be notified of an impending audit.
c. When the progress or results of a routine engagement result in the engagement being deemed sensitive by the CAE, communication and reporting may be shifted from the planned level of university management to a higher level.
d. To accomplish these activities, the CAE and staff members of the Office of Audit Services are authorized to have full, free, and unrestricted access to all functions, manual and electronic records (including student, personnel, and medical records), property, and personnel relevant to any audit or engagement. Auditors will be prudent in the use and protection of information acquired during the course of an engagement.
e. Objectivity refers to the need for auditors to have an impartial, unbiased attitude and to avoid any conflict of interest. Objectivity is essential to the audit function; therefore, the CAE organizes staff assignments to prevent potential and actual conflict of interest and bias. Objectivity is not adversely affected by determining and recommending standards of control for systems or reviewing procedures before they are implemented. (The Institute of Internal Auditors, 2013)
6. Reporting Engagement Results
a. The progress and results of engagements ordinarily will be communicated with client management periodically during the engagement. At the conclusion of each engagement, a draft report of observations, recommendations, and pertinent information will be presented to the appropriate level of management for effecting change. In most cases, an exit conference will be held to discuss the report. In certain cases, reports may be made orally.
b. The CAE will incorporate a written response from management into most engagement reports. Generally, ten working days will be provided for the response, although a longer time period may be appropriate in some cases, depending on the nature of the report.
c. Upon receipt of the response, a final report will be prepared and submitted to the appropriate levels of management. If management fails to respond to the draft report in a timely manner, a final report may be issued without a response.
d. In especially sensitive cases, the CAE may report only to the President, the Chancellor, and/or the Chair of the Audit Committee of the Board of Regents and/or to appropriate levels of management as determined by the CAE.
e. On any matter involving a violation of state or federal law or in cases where fraud is suspected, the CAE will directly inform the President, the Chancellor, and/or the Chair of the Audit Committee of the Board of Regents. The CAE may also inform the Office of General Counsel, Texas Tech Police Department, and/or other law enforcement officials. As required by law, the CAE will notify the state auditor's office of suspected fraudulent activity.
04 Audit Services
30 Academic and Student Affairs – General
32 Academic Policies – Faculty
34 Academic Policies – Students
36 Academic Programs
40 Equal Opportunity and Affirmative Action
48 Communication Services
52 Information Technology
60 Environmental Health and Safety
61 Facilities Management
62 Financial and Accounting
63 General Services
64 Graduate Programs (Faculty and Students)
65 Research Accounting
67 Mail Services
68 Communications and Marketing
69 Payroll and Tax Services
70 Human Resources
72 Purchasing, Contracting, and Payables
77 Student Services and Registrar
78 Traffic and Parking