Texas Higher Education Coordinating Board
   Board Members  |  Commissioner   |  Agency Info   |  Staff Directory   |  Index A-Z   |  Search:
Subscribe to updates
TX Higher Education Data Center
College Compare
College For All Texans
Generation TX
Military and Their Families
Texas.gov Veterans Portal THECB HUB Link

Add Bookmark

Compliance Monitoring Process

Rules and Guidelines  

Risk Assessment

Risk assessments are performed to develop the risk-based approach to compliance monitoring. Risk assessment is performed as specified in the Texas Administration Code (TAC) Section 1.13. Factors specified in legislation include:

  1. The amount of student financial assistance or grant funds allocated to the IHE by the Board
  2. Whether the IHE is required to obtain and submit an independent audit
  3. The IHE's internal controls
  4. The length of time since the IHE's last desk review or site visit
  5. Past misuse of funds or data misreported by the IHE
  6. Regarding data verification, whether the data reported to the Board by the IHE is used for determining funding allocations
  7. Other factors considered appropriate by the Board

The Director provides an overview of the risk assessment process to the Commissioner before presenting the annual compliance monitoring plan to the Committee on Agency Operations at the July Board meeting for review and approval. The risk assessment must be performed annually; however, because conditions change, priorities determined through the risk assessment process may be reviewed and updated throughout the year.

Audit Process


Proper planning of audits helps ensure that major business risks are adequately considered and addressed during the audit, including those identified during the Annual Risk Assessment. Planning requires thorough definition of objectives and how they can be attained while establishing a balance between the audit scope and objectives, time frame, and staff availability to ensure optimum use of resources.


Audit objectivities are broad statements that define the intended audit accomplishments. Audit procedures are the work methods used to attain audit objectives. Together, audit objectives and audit procedures define the scope of work to be performed. The primary objectives of compliance are to ensure:

  • The reliability and integrity of information
  • Compliance with policies, plans, procedures, laws and regulations

GAGAS, Chapter 6 states, "Auditors must adequately plan and document the planning of the work necessary to address the audit objectives."

Other audit objectives may be developed based on the results of the preliminary survey. Audit objectives and procedures should address the risks associated with audited activity. Objectives will depend on the type of audit to be performed.

Planning Steps, not limited to:

  • Schedule and conduct the entrance conference meeting
  • Document the entrance conference notes, presentation and attendee sign in sheet in Teammate
  • Obtain background information, conduct interviews, as necessary, and document
  • Perform project related risk-assessment, identify high risk areas, and finalize audit objectives and scope
  • Consider the possibility of fraud, waste and abuse in the context of the specific audit objectives
  • Gather data for review and analysis
  • Conduct internal End of Planning meeting with the Director and other compliance staff members to review risk assessment, solidify scope/objectives, get approval on the fieldwork audit program, summarize in writing any issues already developed, as well as those that may become issues during fieldwork, review budget to actual hours, and amend scope/objectives and/or amend budget, as necessary
  • Communicate any amended audit objectives and scope to the client
  • Document overall planning summary memo, as needed.


Background information on the audit area should be gathered and reviewed. Background information may continue to develop throughout the audit and can be gathered before, during and after the preliminary survey. Such items may include:

  • Mission statements, goals, and plans of the audit project
  • Organizational information such as names of key employees, job descriptions, policy and procedures manuals, and details about any recent changes
  • Work flow chart
  • Budget, operating, and financial information
  • Prior audit reports and work papers
  • Prior compliance results
  • Results of other audits, completed or in process
  • Technical, legal or other authoritative literature applicable to the audit project.

Any unusual items or potential concerns arising from the background review should be documented in the audit work papers and any limitations or effects on audit scope arising from the initial review of background information should be explained.


An entrance conference will be held with the management responsible for the activity under review. The compliance specialist at this meeting shall discuss, as applicable, the following:

  • The planned audit objectives and scope of work
  • An overview of the audit process
  • Logistical requirements
  • The timing of audit work
  • The process of communicating throughout the audit, including the work methods, time frames and individuals who will be responsible
  • The operations of the activities being audited
  • The concerns and requests of IHE management
  • Description of compliance reporting procedures and follow-up process
  • The audit periods covered and estimated completion dates.

The entrance conference will be used to solicit any input from client/management that might affect the completion of the audit. The entrance conference should be conducted in a professional, open atmosphere and should result in the development of mutual respect between the client and the compliance function. After the entrance conference is concluded, the results and conclusions of the meeting will be summarized in a work paper. The primary purpose of the work paper should be to provide evidence of the meeting, provide a basis for further planning, and to help insure there are no miscommunications between the compliance monitoring function and IHE management. The entrance conference can be done by phone or email on a case by case basis-depending on the specific circumstances.


Fieldwork is a systematic process of gathering evidence about the project area or activity under review, then objectively assessing to determine if established criteria are being followed. The results obtained during fieldwork are communicated to management in the audit report.

A field work program is developed based on the results in planning phase. The fieldwork program should be discussed with the Director and be approved during the planning phase. Key aspects of fieldwork may include:

  • Interviewing appropriate internal or external personnel
  • Conducting surveys of the activity being reviewed
  • Evaluating controls in place to determine control weaknesses, which create or increase risk
  • Reviewing operations, activities, and/or transactions to determine if they are in compliance with laws and regulations
  • Informally discuss issues or concerns as a team, and with the client (throughout fieldwork as issues come to our attention) in the End of the Fieldwork Meeting. During End of Fieldwork meeting, present written synopsis of issues to client and solicit feedback; recap any information still needed from client.



The report is the official document by which management is apprised of compliance monitoring results. Once released, audit reports become public documents.

The client is kept informed throughout the audit of any pending issues. End of Fieldwork meetings occur on all projects and are an additional mechanism for such communications.

The Exit Conference with client personnel is used to present the written draft/unsigned report and to solicit feedback. A Draft Audit Report issued to the IHE President and other relevant personnel is sent thereafter, providing a two week response timeframe if audit issues exist (or longer timeframe for response at the discretion of the Director).

The final report is issued electronically to the IHE President and other relevant IHE personnel, the AOC chair, Board Chair and Vice Chair and other relevant Board personnel. Final reports are presented to the AOC at the regular quarterly meeting.


In completing fieldwork, an exit conference should be held with the person in charge of the organizational unit audited and relevant client staff. The appropriate Executive Staff should also be provided the opportunity to attend. During this conference reasonable efforts are made to develop a clear understanding by both parties of the findings and recommendations of the audit.

Audit Coordination

Please submit to the Board a final copy of any audits of funds administered by the Board or data reported to the Board.

Please send the final audit report to Texas Higher Education Coordinating Board, Director of Internal Audit and Compliance, 1200 East Anderson Lane, Austin, Texas 78752.

We appreciate your cooperation and look forward to coordinating our audit efforts with your oversight group(s).

College for all Texans

Site Map | Staff Directory | Employment | Site Policies | TRAIL | Texas.gov | Fraud Hotline | Public Information Requests | Student Complaints | Customer Satisfaction Survey | Notice of Non-Discrimination

1200 E. Anderson Lane, Austin, TX 78752 || P.O. Box 12788, Austin, TX 78711-2788
Main: (512) 427-6101 || Student Loans: (800)-242-3062 or (512)-427-6340
©2018 THECB