Risk assessments are performed to develop the risk-based approach to compliance monitoring. Risk assessment is performed as specified in the Texas Administrative Code (TAC) Section 1.13. Factors specified in legislation include:
The Director provides an overview of the risk assessment process to the Commissioner before presenting the annual compliance monitoring plan to the Committee on Agency Operations at the July Board meeting for review and approval. The risk assessment must be performed annually; however, because conditions change, priorities determined through the risk assessment process may be reviewed and updated throughout the year.
Proper planning of audits helps ensure that major business risks are adequately considered and addressed during the audit, including those identified during the Annual Risk Assessment. Planning requires thorough definition of objectives and how they can be attained while establishing a balance between the audit scope and objectives, time frame, and staff availability to ensure optimum use of resources.
Audit objectives are broad statements that define the intended audit accomplishments. Audit procedures are the work methods used to attain audit objectives. Together, audit objectives and audit procedures define the scope of work to be performed. The primary objectives of compliance are to ensure:
GAGAS, Chapter 6 states, "Auditors must adequately plan and document the planning of the work necessary to address the audit objectives."
Other audit objectives may be developed based on the results of the preliminary survey. Audit objectives and procedures should address the risks associated with audited activity. Objectives will depend on the type of audit to be performed.
Planning Steps, not limited to:
Background information on the audit area should be gathered and reviewed. Background information may continue to develop throughout the audit and can be gathered before, during and after the preliminary survey. Such items may include:
Any unusual items or potential concerns arising from the background review should be documented in the audit work papers and any limitations or effects on audit scope arising from the initial review of background information should be explained.
An entrance conference will be held with the management responsible for the activity under review. The compliance specialist at this meeting shall discuss, as applicable, the following:
The entrance conference will be used to solicit any input from client/management that might affect the completion of the audit. The entrance conference should be conducted in a professional, open atmosphere and should result in the development of mutual respect between the client and the compliance function. After the entrance conference is concluded, the results and conclusions of the meeting will be summarized in a work paper. The primary purpose of the work paper should be to provide evidence of the meeting, provide a basis for further planning, and help ensure there are no miscommunications between the compliance monitoring function and IHE management. The entrance conference can be done by phone or email on a case-by-case basis, depending on the specific circumstances.
Fieldwork is a systematic process of gathering evidence about the project area or activity under review, then objectively assessing it to determine if established criteria are being followed. The results obtained during fieldwork are communicated to management in the audit report.
A fieldwork program is developed based on the results of the planning phase. The fieldwork program should be discussed with the Director and be approved during the planning phase. Key aspects of fieldwork may include:
The report is the official document by which management is apprised of compliance monitoring results. Once released, audit reports become public documents.
The client is kept informed throughout the audit of any pending issues. End of Fieldwork meetings occur on all projects and are an additional mechanism for such communications.
The Exit Conference with client personnel is used to present the written draft/unsigned report and to solicit feedback. A Draft Audit Report issued to the IHE President and other relevant personnel is sent thereafter, providing a two-week response timeframe if audit issues exist (or a longer timeframe for response at the discretion of the Director).
The final report is issued electronically to the IHE President and other relevant IHE personnel, the AOC chair, Board Chair and Vice Chair and other relevant Board personnel. Final reports are presented to the AOC at the regular quarterly meeting.
In completing fieldwork, an exit conference should be held with the person in charge of the organizational unit audited and relevant client staff. The appropriate Executive Staff should also be provided the opportunity to attend. During this conference reasonable efforts are made to develop a clear understanding by both parties of the findings and recommendations of the audit.
Please submit to the Board a final copy of any audits of funds administered by the Board or data reported to the Board.
Please send the final audit report to Texas Higher Education Coordinating Board, Director of Internal Audit and Compliance, 1200 East Anderson Lane, Austin, Texas 78752.
We appreciate your cooperation and look forward to coordinating our audit efforts with your oversight group(s).