stephen f. austin state universitysfasu.edu/audit/docs/2015-audit-report.pdf · iv. internal audit...

STEPHEN F. AUSTIN STATE UNIVERSITY FISCAL YEAR 2015 ANNUAL AUDIT REPORT

TABLE OF CONTENTS

I. Executive Summary

II. Compliance with House Bill 16

III. Proportionality

IV. Internal Audit Plan for FY 2015 and Explanation of Changes

V. FY 2015 List of Audits

VI. Non-Audit Services

VII. External Quality Assurance Review

VIII. Internal Quality Assessment

IX. Internal Audit Plan for FY 2016

X. Risk Assessment

XI. External Audit Services

XII. Reporting Fraud

XIII. Audit Charter

I.

Executive Summary

STEPHEN F. AUSTIN STATE UNIVERSITY EXECUTIVE SUMMARY

The purpose of this annual audit report is to provide information on the activities and the effectiveness of the internal audit function. In addition, the annual report assists central oversight agencies in work planning and coordination of efforts. This annual report is submitted in compliance with the Internal Auditing Act of the State of Texas (Government Code Chapter 2102) and the Rules and Regulations of the Board of Regents of Stephen F. Austin State University. The report format is recommended by the State Auditor’s Office. The mission of the Department of Audit Services is to provide the Board of Regents and President with an independent appraisal of the adequacy and effectiveness of the university’s system of internal administrative and accounting controls and the quality of performance when compared with established standards. The primary objective is to assist the Board of Regents, the President, and university management in the effective discharge of their responsibilities. Fiscal Year 2015 was a productive year for Audit Services. We completed thirteen audits including following up on outstanding management action plans. Audit Services staff members continued to participate as an advisory member on various university committees. We performed numerous special projects in addition to investigating reports made through the university’s fraud and ethics reporting system and the State Auditor’s Office hotline. We appreciate the support received during the year from the Board of Regents, President, Administration, Faculty, and Staff of the university. Upon approval by the Board of Regents, this report will be distributed to the State Auditor’s Office, the Office of the Governor, the Legislative Budget Board, the Sunset Advisory Commission, and posted on the Audit Services website.

II.

Compliance with Government Code 2102.015

STEPHEN F. AUSTIN STATE UNIVERSITY COMPLIANCE WITH TEXAS GOVERNMENT CODE,

SECTION 2102.015 In order to comply with Texas Government Code, Section 2102.015 regarding posting the Audit Plan, Audit Annual Report, and other audit information on the internet website, the Department of Audit Services will post the 2015 Audit Annual Report, which includes the required items, on its internal audit website at http://www.sfasu.edu/audit/ after approval by the SFASU Board of Regents on November 1, 2015.

http://www.sfasu.edu/audit/annualreport.asp

III.

Proportionality

STEPHEN F. AUSTIN STATE UNIVERSITY PROPORTIONAL BENEFITS FUNDING AUDIT

On May 29, 2014, Governor Rick Perry sent a memo to public university Board of Regents Chairmen requesting that all institutions of higher education have their internal auditor review to ensure that proportionality is being applied according to the established guidelines as set forth in Article IX, Section 6.08 of the General Appropriations Act. The findings are to be reported to the Governor. Audit Services performed the requested audit for fiscal year 2012 and 2013 and issued Report 14-XVI Benefits Proportional by Fund Audit. Rider 8, page III-39, the General Appropriations Act (84th Legislature, Conference Committee Report) requires each higher education institution, excluding public community/junior colleges, to conduct an internal audit of benefits proportional by fund. In summary, the rider requires the following:

• The audit must be conducted using the methodology approved by the SAO.

• The audit must examine fiscal years 2012 through 2014.

• Higher education institutions must submit a copy of the audit report to the

Legislative Budget Board, the Comptroller of Public Accounts, and the SAO no later than August 31, 2016.

• If the audit identifies that the institution received excess General Revenue due to noncompliance with the proportionality requirements provided by Section 6.08, page IX-27, the General Appropriations Act (84th Legislature, Conference Committee Report), the institution must submit a reimbursement payment to the Comptroller of Public Accounts within two years from the conclusion of the audit.

• Higher education institutions must consider audits of benefits proportionality when developing their annual internal audit plans for fiscal years 2016 and 2017.

Audit Services has included a Proportional Benefits Funding Audit on the fiscal year 2016 audit plan. The audit will include fiscal years 2014, 2013, and 2012. Audit Services will rely on the audit work from 14-XVI Benefits Proportional by Fund Audit as it incorporated the SAO methodology.

IV.

Internal Audit Plan for FY 2015 and Explanation of Changes

PROJECT DESCRIPTION HOURSFinancial, Compliance, Efficiency & Effectiveness Audits

Audit assistance to oversight agencies

Provide audit assistance to state and federal oversight agencies such as Texas State Auditor's Office, The Higher Education Coordinating Board, Texas State Comptroller's Office, and grant agencies

80

National Collegiate Athletic Association ReviewProvide assistance to external firm performing review of SFASU athletic financial statement as required by NCAA 50

SFASU Charter School AuditProvide assistance to external firm performing financial audit of SFASU Charter School 50

Public Funds Investment Act Audit Verify compliance with PFIA for operating investments 80

Travel Card Audit Review controls and compliance of new system 400

Family Educational Rights and Privacy Act (FERPA) Audit Review applicable controls and compliance with regulations 280

Property Inventory Review controls and verify existence 350

Departmental AuditsReview for compliance with various regulations and efficiency & effectiveness 1300

Transfers Review and test controls for transfers (wire, ACH) 250

Receivables AuditReview controls and test for accuracy, existence, and collectability 450

Non-Exempt Employee Payroll Audit - carry forwardReview controls, verify compliance with policies and procedures, and test for fraud 300

JAMP Grant Audit - carry forward Complete audit for compliance with JAMP requirements 65Proportionality of Benefits Funding Audit-carry forward Review controls, verify compliance and reporting 200Records Management- carry forward Complete review for compliance 100

Information Technology

IT Meetings/IssuesAdvise on issues affecting information technology and systems under development/enhancement 25

Texas Administrative Code Section 202 Audit Review compliance with Information Security Standards 350Cloud Audit Review controls 250

Follow-up AuditObtain representations from management regarding status and perform verification as necessary 400

Special ProjectsFraud & Ethics Program Facilitate university anonymous reporting system 24Hotline/Fraud Investigations Facilitate investigations 150

Other Special ProjectsBased on requests from Board of Regents or Administration 150

Meetings & Committee ServiceInvestment Committee Serve as advisory member of committee 24Administrative Meetings Attend administrative meetings as requested 72Other University Meetings/Events Attend other meetings and events as deemed necessary 50Regent Meetings and events Preparation and attendance of meetings and events 120

Department ActivitiesAnnual Audit Plan and Report Prepare annual audit plan and report 80Audit Manual Revision Update audit manual and forms 40Annual Risk Assessment Facilitate annual university risk assessment 100

Quality AssurancePerform internal assessment of compliance with standards and assist with other QARs 80

Records Management Maintain file system and records for department 100Software Maintenance and Training Teammate and ACL audit software 100

STEPHEN F. AUSTIN STATE UNIVERSITYTotal 2015 University Budget All Funds: $238,648,681

Total 2015 Budgeted Audit Positions: 4.5 FISCAL YEAR 2015 AUDIT PLAN

PROJECT DESCRIPTION HOURS



Professional Development and TravelProfessional development, maintain certifications, training, and travel 300

General & AdministrativeAdministration (planning, purchasing, payroll, scheduling, reporting, meetings, etc.) 1025

General & Administrative GAGraduate Assistant help with routine audit department schedules and work 300

Total Allocated Hours 7,695

Total Hours Per Year All staff 9,120 Less estimated:Sick Leave (270)Vacation (525)Holidays (480)Wellness Leave (150)

Total Available Hours 7,695

STEPHEN F. AUSTIN STATE UNIVERSITY CHANGES TO FISCAL YEAR 2015 AUDIT PLAN

We completed thirteen audits this year. Changes to the 2015 audit plan are as follows:

• Cloud Audit – A separate audit was not performed as the changes to Texas Administrative Code 202 incorporated a security controls catalog requiring cloud policies effective February 2016. Audit Services has included in the fiscal year 2016 audit plan a TAC 202 Security Controls Catalog Audit to review the controls required as of February 2016.

• Travel Card – This audit was in the early stages of planning in fiscal year

2015, so it was carried forward to fiscal year 2016 and renamed Travel Program Administration.

V.

FY 2015 List of Audits

STEPHEN F. AUSTIN STATE UNIVERSITY FY 2015 LIST OF AUDITS COMPLETED

# NAME OF REPORT

15-I Athletics Department 15-II FERPA 15-III PFIA 15-IV Accounts Receivable 15-V Property Inventory 15-VI School of Nursing 15-VII Testing Services 15-VIII Environmental Health, Safety, and Risk Management 15-IX Electronic Fund Transfers 15-X TAC 202 15-XI Human Sciences 15-XII Travel Card – carried forward as Travel Program Administration 15-XIII Student Publications 15-XIV Follow-Up as of August 31, 2015 Current status of findings/recommendations is based on the following definitions and dependent upon the target implementation date:

• Implemented: Successful development and use of a process, system, or policy to implement a recommendation.

• Ongoing: Ongoing development of a process, system, or policy to address a recommendation.

• Not Implemented: Lack of a formal process, system, or policy to address a recommendation.

• No Action Required: No findings/recommendations were made.

Detailed information is included in the schedule that follows.

STEPHEN F. AUSTIN STATE UNIVERSITY LIST OF AUDITS FOR FISCAL YEAR 2014-2015

1

Report Number

Audit Date Name of Report

High-Level Audit Objective(s)

Observation/Findings and Recommendations Current Status

15-I

August 31,

2014

Athletics

Department

Our audit objectives were to determine that controls exist in the Athletics Department to ensure compliance with various university policies and applicable state and federal regulations; university resources and activities are effectively and efficiently administered; identified risks are mitigated; departmental information is documented correctly and reported accurately; confidential or critical information is protected; and opportunities for fraudulent activities are minimized.

During our audit procedures, we noted the following:

Eight property custodians did not have the required property training.

One employee in a security sensitive position did not have the required security awareness training.

Four employees did not have the required receipts training.

The employees should take the required trainings, and the Department should strengthen procedures to ensure trainings are current.

Implemented

We selected 24 property inventory items which was 10% of the total 231 items on inventory for verification with the following results:

21 of 24 (88%) items were verified without exception.

3 of 24 (12%) items were verified with one exception, lacking the required university inventory tag.

The Department needs to add procedures to ensure that property items display the required university inventory tag.

Implemented

We found the following regarding the Department's receipt procedures:

Receipts transactions were not fully documented.

The Department did not display the required receipt signage in field house locations where receipts were collected.

The Department lacks a ticket reconciliation process for Booster Club Luncheons.

Receipts language is not included in the job descriptions for six employees involved in

the receipts process. Procedures should be strengthened to reduce risk and ensure compliance with university policies and procedures for receipts.

Implemented


2

Report Number




15-I

(continued)

August 31,

2014

Athletics

Department


During our review of time reporting, we found the following:

Thirty-seven student employees who no longer work for the Department were still active employees in the Banner system.

Department employees did not request time off using the required online leave form. In addition, the Department did not have a formal process for record retention of leave requests.

The Department should add or strengthen procedures to ensure compliance with university policies and procedures for time reporting.

Ongoing

While performing our audit procedures, we noted the following:

35 of 36 (98%) expenditure items were reviewed without exception.

1 of 36 (2%) expenditure items was reviewed with one or more exceptions.

2 of 5 (40%) procurement card monthly transaction detail reports were reviewed with one or more exceptions.

74 of 90 (82%) procurement card transactions were reviewed without exception.

16 of 90 (18%) procurement card transactions were reviewed with one or more exceptions as follows:

# Exception Description

5 Lacked the required detailed documentation on file

2 Inappropriate purchases with a procurement card

2 Purchases by an unauthorized user

1 Non-use of HUB (Historically Underutilized Business) vendor

6 Food purchases lacked the required 5 w’s (Who, What, When, Where, Why)

2 Sales tax was paid

*The total does not add to 16 because some transactions had more than one exception.

The Department should add or strengthen procedures for procurement card transactions to ensure compliance with university policies and procedures.

Implemented


3

Report Number




15-I

(continued)

August 31,

2014

Athletics

Department


While performing our audit, we noted the following as of August 31, 2014:

The Department had four discretionary accounts that ended with a deficit balance totaling $5,841.65.

The Department had two unbudgeted accounts with miscoded expenditures resulting in a combined deficit balance of $12,730.05.

The Department had four inactive accounts totaling $13,367.31.

The Department should strengthen procedures related to budget monitoring and reconciliation. The deficit and inactive accounts should be reviewed and appropriate measures taken.

Implemented

During our audit, we noted probationary performance evaluations were not completed for two employees. The Department should strengthen procedures to ensure that probationary performance evaluations are completed in a timely manner.

Implemented

15-II

August 31,

2014

FERPA

Our audit objective was to determine that the University has controls in place to ensure compliance with the Family Educational Rights and Privacy Act.

The Registrar performs FERPA training when requested and makes a FERPA presentation to new faculty at orientation; however, FERPA training is not mandatory for faculty and staff with access to student education records. The University should consider requiring FERPA training on a periodic basis for faculty and staff with access to student education records.

Ongoing


4

Report Number




15-III

May 31,

2014

PFIA

Our audit objective was to determine that the university has controls in place to ensure compliance with the Public Funds Investment Act as of May 31, 2014.

We found that the University has controls in place to help ensure compliance with the Public Funds Investment Act.

No Action Required

15-IV

November 30, 2014

Accounts

Receivable

Our audit objective was to determine if adequate controls exist to ensure the receivables are valid and appropriately reflected in the university’s records; processes are efficient and effective; opportunities for fraudulent activities are minimized; and compliance with applicable policies, procedures, and regulations is achieved.

During the audit, we noted that the University was not in compliance with policy 3.28, Student Accounts Receivable, for the accounts receivable collection activity. Due to the Banner conversion, student accounts receivable were not sent to a collection agency as specified in policy until spring 2014. The Business Office has been and is still in the process of analyzing student accounts that were affected by the Banner conversion. Since collection agency activity resumed, progress has been made on collection of accounts. In addition, student accounts receivable have not been reported to the State Comptroller for warrant hold or reported to the Attorney General’s Office as specified in policy. The University should evaluate the billing and collection process including compliance with State of Texas regulations. Policy 3.28, Student Accounts Receivable, should be reviewed and updated accordingly. The Business Office should continue analyzing student accounts for collection or resolution.

Ongoing

The University’s approved record retention schedule requires varying periods of record retention for charges that may result in accounts receivable. All records are not readily available to support accounts receivable balances as departments were not able to provide documentation to support all or a portion of the accounts receivable balances for 15 of the 48 students in our sample. The University should review the record retention schedule for accounts receivable and related charges and add record retention procedures to ensure supporting documentation is maintained until the accounts receivable balance is resolved. Availability of records should be considered when analyzing student accounts as discussed in Observation 1.

Ongoing

We reviewed the reconciliation process between the student accounts receivable and the general ledger. We noted that the reconciliation as of November 30, 2014 was not complete with regard to approval and identification of outstanding items. In addition, the Controller’s Office lacked documented procedures for the reconciliation process. The Controller’s Office should formally document the procedures for the reconciliation process. The monthly reconciliation should be completed with required approval and resolution of the reconciling items.

Implemented


5

Report Number




15-V

January 31, 2015

Property Inventory

Our audit objective was to determine if adequate controls exist to ensure that personal property inventory is appropriately reflected in the University’s records; processes are efficient and effective; opportunities for fraudulent activities are minimized; and compliance with applicable policies, procedures, and regulations is achieved.

We reviewed access to Banner forms involved in the property inventory process. We found multiple employees with maintenance access to property inventory forms (FFAADJF, FFADEPR, FFAFDEL, FAMAST, FFATRAN, FFPOEXT, and FFVSDAT) where access should be more limited based on job function. In addition, access to working documents in the common file was not limited based on job function. We did not note any instances where access had been inappropriately used. Management should review and adjust maintenance access to the Banner forms and to the common file used in the property inventory process.

Implemented

We selected eleven departments for property testing and judgmentally chose a 10% sample of the items in each department for verification which resulted in 171 items for verification with the following results:

128 of 171 (75%) items were verified with no exceptions.

43 of 171 (25%) items were verified with one or more exceptions.

Only part of one item could not be found during the property inventory verification resulting in 99.7% of items verified.

The majority of the 25% of items verified with one or more exceptions were due to the item having a different custodian or location upon verification. Departments with exceptions noted in the property inventory verification include Art; Geology; Information Technology Services; Languages, Cultures, and Communication; Physical Plant; Secondary Education; Student Center Administration; and Marketing Communications. The following departments had no exceptions: Registrar; Printing Services; and Institutional Research. We reviewed procedures for requesting changes to a property inventory record. The current process is through an email from the department to the Property Manager or through a notation on the department’s annual inventory report. The departments with exceptions should follow current policies and procedures and update their inventory records with Procurement and Property Services. To aid in documentation and efficiency, Procurement and Property Services should investigate options for enhancements to the process for electronically submitting property inventory changes to the Property Manager instead of the current email process in place. In addition, to strengthen controls specifically related to location, Procurement and Property Services should consider adding a method to document in the fixed asset system that an item is appropriately considered moveable within the department and also add a university location for items with a “removal from campus form”.

Ongoing


6

Report Number




15-V

(continued)

January 31, 2015

Property Inventory

Our audit objective was to determine if adequate controls exist to ensure that personal property inventory is appropriately reflected in the University’s records; processes are efficient and effective; opportunities for fraudulent activities are minimized; and compliance with applicable policies, procedures, and regulations is achieved.

For our sampled items, we reviewed to ensure that property custodians had met the property training requirements. Overall, 69 out of 79 employees had taken the appropriate training. The 13% of employees who had not taken training were from five departments out of the eleven in our sample: Art; Geology; Languages, Cultures, and Communication; Physical Plant; and Secondary Education. The department heads of Art; Geology; Languages, Cultures, and Communication; Physical Plant; and Secondary Education should add procedures to ensure compliance with training requirements. Procurement and Property Services should strengthen procedures to ensure that all property custodians are added to the training system, so they will be notified of training requirements.

Implemented

We observed a University surplus property sale and noted that the Property Manager and Assistant Property Manager handle receipts and oversee the surplus assets. We found that receipt language is not included in the job descriptions, and the Property Manager’s receipt training had not been updated. Procurement and Property Services should review the segregation of duties for the Property Managers who handle receipts and have access to property inventory and consider having an employee unrelated to the process handle the receipts. If it is deemed that mitigating controls exist for the Property Managers to handle receipts, receipts language should be added to the job descriptions and training taken.

Implemented


7

Report Number




15-VI

August 31,

2014

School of Nursing

Our audit objectives were to determine that controls exist in the School of Nursing to ensure compliance with various university policies and applicable state and federal regulations; university resources and activities are effectively and efficiently administered; identified risks are mitigated; departmental information is documented correctly and reported accurately; confidential or critical information is protected; and opportunities for fraudulent activities are minimized.

We selected 40 property inventory items which was 10% of the total 396 items on inventory for verification with the following results:

Two items on the School's property listing should be transferred to another department’s control.

All 40 sample items were verified; however, a number of items were found in a different

location.

The previous Simulator Laboratory Coordinator was listed as the custodian for all of the laboratory equipment. We found several other incorrect property custodians listed as well.

The School has checkout procedures in place for equipment. Employees were required

to complete removal of equipment from campus forms, but the forms were not submitted to the University’s Property Manager.

Although property training for custodians was completed, the equipment manager did not complete the required property training designated for equipment managers.

The School should consider developing an internal inventory tracking system since equipment is used in many areas of the School. The records for transferring two items, custodian corrections, and forms should be completed. The equipment manager should take the additional training.

Implemented


8

Report Number




15-VI

(continued)

August 31,

2014

School of Nursing


We found the following regarding the School's receipt procedures:

With regard to recordkeeping, deposits did not include a green receipt copy, and donation forms were not completed for two donations received by the School.

The School did not display the required receipt signage in locations where receipts are

collected.

The School did not have a proper segregation of duties in the receipt process.

The School is collecting receipts for a Basic Life Support (BLS) certification class that are not deposited with the University.

Procedures should be strengthened to reduce risk and ensure compliance with university policies and procedures for receipts with regard to additional receipt documentation and segregation of duties. In addition, the School should determine an alternative method to handle the receipts related to the required BLS certification class.

Implemented

. During our review of time reporting, we found the following:

One employee approved her own time in Time Clock Plus.

Errors were found in two employees’ Time Clock Plus reports.

The School is not using the online leave request form to request and approve leave. Subsequently, the School was unable to meet the record retention requirements for payroll records.

The School should add or strengthen procedures to ensure compliance with university policies and procedures for time reporting including segregating duties in Time Clock Plus and improving documentation.

Ongoing


9

Report Number




15-VI

(continued)

August 31,

2014

School of Nursing



1 of 2 (50%) monthly transaction detail reports had one or more exceptions.

34 of 39 (87%) procurement card transactions were reviewed with no exceptions.

5 of 39 (13%) procurement card transactions were reviewed with one or more exceptions as follows:

Exception Description2 Lacked the required detailed documentation on file 1 Inappropriate purchase with a procurement card 2 Purchases with an inappropriate fund 1 Promotional item purchased from a non-licensed merchant

*The number does not add to five because some transactions had more than one exception.

One procurement card use form was outdated.

The School should add or strengthen procedures for procurement card transactions to ensure compliance with university policies and procedures.

Implemented

While performing our audit, we found that the School had four inactive accounts as follows:

Organization – Fund Balance as of 8-31-14

School of Nursing – Indirect Cost Recovery $6,852.99

School of Nursing – Scholarship $13,937.94

Asthma Camp – Asthma Camp $1,942.60

Nursing Bishop – Indirect Cost Recovery $411.11

Total $23,144.64

The School should review the inactive accounts and take appropriate action.

Implemented


10

Report Number




15-VII

December 31, 2014

Testing

Services

Our audit objectives were to determine that controls exist in the Department of Testing Services to ensure compliance with various university policies and applicable state and federal regulations; university resources and activities are effectively and efficiently administered; identified risks are mitigated; departmental information is documented correctly and reported accurately; confidential or critical information is protected; and opportunities for fraudulent activities are minimized.

During our audit, we noted the following:

One employee had not completed procurement card refresher training.

One employee had not completed property training.

Ten employees (a combination of current employees and employees no longer with the Department) either had not completed receipts and/or payment card training or training was expired.

The current employees should take the required trainings. The Department should add procedures to ensure that all employees who take payments have the appropriate training.

Implemented

We selected 10 property inventory items for verification with the following results:

7 of 10 (70%) items were verified with no exceptions.

3 of 10 (30%) items were verified with one exception regarding the room number. The Department needs to add procedures to ensure that property items are designated in the correct room.

Ongoing


11

Report Number




15-VIII

March 31,

2015

Environmental Health, Safety

and Risk Management

Our audit objectives were to determine that controls exist in the Department of Environmental Health, Safety and Risk Management to ensure compliance with various university policies and applicable state and federal regulations; university resources and activities are effectively and efficiently administered; identified risks are mitigated; departmental information is documented correctly and reported accurately; confidential or critical information is protected; and opportunities for fraudulent activities are minimized.

We noted the Department does not have written policies and procedures for its financial operations. The Department should develop written policies and procedures covering its financial operations.

Implemented



3 of 22 (13%) procurement card transactions were reviewed with one exception, purchase made with a non-discretionary fund.

One procurement card use form was outdated.

The Department should investigate options for discretionary purchases and update the p-card use form.

Implemented

The Department collects only a small number of receipts related to insurance claims. Because of the type of receipts collected, the Department employees were not aware that they are subject to Policy 3.26, Receipts and Deposits. As a result, the Department was not in compliance with many requirements of the policy including training, signage, procedures, and documentation. The Department should develop receipts procedures to ensure compliance with University policy.

Implemented


12

Report Number




15-IX

April 30,

2015

Electronic

Fund Transfers

Our audit objective was to determine if adequate controls exist to ensure that electronic fund transfers are appropriately documented and properly recorded in the university’s accounts; processes are efficient and effective; opportunities for fraudulent activities are minimized; compliance with applicable policies, procedures, and regulations is achieved; and security controls for electronic fund transfers are appropriate.

The University has outdated signature cards with one financial institution. In addition, an updated master list of all employees with access to university accounts was not available. Management should review procedures to ensure authorizations are updated on a timely basis. In addition, a master list of all employees with the ability to access financial information for University accounts with various financial institutions and entities should be maintained.

Implemented

This observation relates to confidential security devices and procedures; thus specific details are not included.

Implemented

We noted in our walkthrough procedures and sample testing that the approval methods and documentation differ depending on the EFT purpose and receiving entity. Some of the processes do not include two approval signatures as required by procedures, though the processes in place appear to have sufficient mitigating internal controls. The EFT procedures should be reviewed and updated. Standardization of the documentation for approval would enhance the process.

Implemented


13

Report Number




15-X

May 31,

2015

TAC 202

Our audit objective was to determine whether the University’s information security program is in compliance with the TAC 202 information security standards applicable to institutions of higher education.

The four observations relate to confidential security devices and procedures; thus specific details are not included.

Ongoing


14

Report Number




15-XI

May 31,

2015

School of Human

Sciences

Our audit objectives were to determine that controls exist in the School of Human Sciences to ensure compliance with various university policies and applicable state and federal regulations; university resources and activities are effectively and efficiently administered; identified risks are mitigated; departmental information is documented correctly and reported accurately; confidential or critical information is protected; and opportunities for fraudulent activities are minimized.


Two employees have not completed property training.

Two student workers have not completed security awareness training.

One employee has not completed receipts training. The employees should take the required trainings.

Ongoing

While performing our audit, we noted the School’s designated course fee account (150003) had a positive balance of $18,963.62 as of August 31, 2015. The School should review the course fees currently charged for propriety and determine the appropriate manner to expend the balance in the course fee account.

Ongoing

Errors were found in one employee’s Time Clock Plus report. The School should add or strengthen procedures to ensure compliance with University policies and procedures for time reporting.

Ongoing



3 of 30 (10%) procurement card transactions were reviewed with one or more exceptions related to food purchase documentation.

The School should add or strengthen procedures for food purchases made with a procurement card to ensure compliance with University policies and procedures.

Ongoing


15

Report Number




15-XI

(continued)

May 31,

2015

School of Human

Sciences

Our audit objectives were to determine that controls exist in the School of Human Sciences to ensure compliance with various university policies and applicable state and federal regulations; university resources and activities are effectively and efficiently administered; identified risks are mitigated; departmental information is documented correctly and reported accurately; confidential or critical information is protected; and opportunities for fraudulent activities are minimized.

We found the following regarding the School’s receipts procedures:

5 of 7 (72%) revenue transactions were reviewed with no exceptions.

2 of 7 (28%) revenue transactions were reviewed with one or more exceptions.

The School does not display the required receipts signage in locations where receipts are collected.

Receipts language is not included in the job description of two employees who collect

receipts.

Although the School does have receipts procedures, the School has not effectively administered these procedures and the documentation lacks important details.

The School should strengthen receipts procedures to ensure compliance with University policy.

Ongoing


16

Report Number




15-XIII

May 31,

2015

Student

Publications

Our audit objectives were to determine that controls exist in the Department of Student Publications to ensure compliance with various university policies and applicable state and federal regulations; university resources and activities are effectively and efficiently administered; identified risks are mitigated; departmental information is documented correctly and reported accurately; confidential or critical information is protected; and opportunities for fraudulent activities are minimized.

We noted the Department does not have written policies and procedures. The Department should develop written policies and procedures.

Ongoing


One employee has not completed the correct property training.

Four student workers have not completed security awareness training.

Five employees have not completed payment card training. The current employees should take the required trainings.

Ongoing


Five student workers who no longer work for the Department are still active in the system.

Documented agreements stating terms such as rate of pay do not exist for the students

in the Department who are paid on a commission basis.

One student received another student’s commission in error. Termination EPAFs should be completed for inactive employees. The Department should document commission arrangements in an agreement and make the necessary changes to correct the erroneous payment.

Ongoing

The Department is not using controlled receipts issued by the Business Office for the collection of funds. In addition, the Department does not have documented receipts procedures. The Department should strengthen receipts procedures to ensure compliance with University policy.

Ongoing


17

Report Number




15-XIV

August 31,

2015

Follow-Up

Audit

Our audit objective was to determine whether management action plans have been implemented in a timely and appropriate manner.

Progress has been made toward implementing the management action plans as evidenced by the sixty-three (63) plans or 81% Implemented.

Ongoing

VI.

Non-Audit Services

STEPHEN F. AUSTIN STATE UNIVERSITY

NON–AUDIT SERVICE ACTIVITIES Audit Services did not perform any consulting engagements as defined in the Internal Audit Charter, but we did perform other internal audit services as listed below.

ACTIVITY IMPACT

Facilitate anonymous internet and hotline reporting system

Promote awareness of fraud and ethics issues across the university

Co-facilitate university wide risk assessment Identify university risks

Serve as advisory member of Investment Committee

Provide guidance on issues relating to university investments

Serve as advisor to departments for various issues

Provide guidance and strengthen department controls

Serve as an advisor on committees for information technology issues

Increase awareness of controls and security

Provide assistance on NCAA agreed upon procedures review

Coordinate and assist with external review to ensure compliance

Provide assistance on Charter School financial audit Coordinate and assist with external audit

Provide assistance to SAO for audits and other projects

Coordinate and assist to aid in efficiency and provide expertise

Provide assistance to other agencies such as State Comptroller’s Office, federal agencies, etc. for audits or reviews

Coordinate and assist to aid in efficiency and provide expertise

Review policies Review new or updated policies for internal control purposes

Investigate Fraud and Ethics Reports Investigate alleged claims relating to fraud and ethics issues

Other Special Projects Provide information and analysis

VII.

External Quality Assurance Review

Stephen F. Austin State University Department of Audit Services

Quality Assurance Review

June 28, 2013

Gina Oglesbee, CPA, CFE, Director David McFarland, CPA, CISA, Assistant Director

Norma Doan, Auditor Sarah Wood, Graduate Assistant

Box 6121, SFA Station

Nacogdoches, Texas 75962 Phone 936-468-5204

Fax 936-468-7698 Email [email protected]

of 11


2013 Quality Assurance Review Table of Contents

I. Quality Assurance Review Report Letter, Dated June 28, 2013

II. Independent Assessors’ Opinion

III. Quality Assurance Review Self-Assessment Report – Revised, Dated April 19, 2013

Attachment to the Quality Assurance Review June 28, 2013

Page 7 of 11


2013 Quality Assurance Review

Self-Assessment Report - Revised April 19, 2013

Gina Oglesbee, CPA, CFE Director of Audit Services


Page 8 of 11

OVERALL CONCLUSION After completing the self-assessment for our 2013 peer review, we conclude that the Stephen F. Austin State University Department of Audit Services is in compliance with the Institute of Internal Auditors (IIA) Standards for the Professional Practice of Internal Auditing, the U.S. Government Accountability Office’s Government Auditing Standards, the IIA Code of Ethics, and the Texas Internal Auditing Act. Our conclusion is based on completion of a self-assessment using the State Agency Internal Audit Forum (SAIAF) Master Peer Review Program, which included the review of a complete set of working papers using the SAIAF Working Paper Review Tool. As part of our commitment to continuous improvement, we identified opportunities to enhance our processes and have included them in the final section of this report entitled Goals for the Department of Audit Services. More detail regarding our self-assessment is found below. It includes an assessment of compliance with The IIA Code of Ethics, followed by eleven sections presented in the order of The IIA Standards.

DETAILED CONCLUSIONS IIA Code of Ethics Our self-assessment indicates that the Internal Audit Charter documents the expectation that auditors will conform to the IIA Code of Ethics. Also, the Audit Manual specifies that all Department of Audit Services personnel must abide by the Code of Ethics. In addition, personnel complete an Independence Statement that references the IIA Code of Ethics. I. 1000 Purpose, Authority, and Responsibility The purpose, authority and responsibility of Internal Audit are specified in the Internal Audit Charter. The Internal Audit Charter defines the nature of assurance and consulting services. It was approved by the Board of Regents (BOR). Additional guidance is provided in the BOR Rules and Regulations. II. 1100 Independence and Objectivity Based on the self-assessment, our conclusion is that the Department of Audit Services is independent and free from impairments, and the auditors are objective in performing their work. The Director of Audit Services reports to the BOR, and they approve the Internal Audit Charter. The BOR reviews and approves the Annual Audit Plan and significant deviations to it. The BOR reviews and accepts all audit reports before they are issued. The Department of Audit Services has not experienced any scope limitations and has been able to report all findings and conclusions objectively. No instances of conflict of interest have occurred, but the Department of Audit Services has a process for addressing such situations if they arise. III. 1200 Proficiency and Due Professional Care Our conclusion is that Department of Audit Services’ work is performed with proficiency and due care; professional judgment is used in planning, performing, and reporting; and the staff collectively possesses adequate professional competence. The Director of Audit Services is licensed as a Certified Public Accountant (CPA) and Certified Fraud Examiner (CFE) and has over 26 years of experience in auditing and accounting, including eight years as the Director of


Page 9 of 11

Audit Services at SFA. The Assistant Director has three certifications including CPA, Certified Information Systems Auditor (CISA), and Certified in Risk and Information Systems Control (CRISC). The audit staff has sufficient knowledge to identify indicators of fraud and information technology risks. The budget provides funding for auditors to earn continuing education credits and maintain professional certifications. IV. 1300 Quality Assurance and Improvement Program We found that the Department of Audit Services has an effective quality assurance program that includes external peer review and internal review processes. The Director of Audit Services approves all audit plans and audit programs and reviews audit work papers. The SAIAF checklist is completed for each audit to review compliance with Standards. The Director reviews all audit reports. The audit staff has regular meetings to discuss issues. Audit reports state that they are performed in accordance with Standards. The Audit Director has open communication with all audit clients. V. 2000 Managing the Internal Audit Activity Our self-assessment review indicated that the Department of Audit Services is managed in accordance with relevant Standards. The Department’s Audit Manual and TeamMate Protocol Document are available on a network drive that is accessible to all audit staff but restricted to access by others. The Director prepares a risk-based Annual Audit Plan that is approved by the BOR; monitors and communicates the progress of projects; coordinates with other audit entities to prevent duplication; and prepares an Annual Audit Report. Audit reports provide value-added recommendations to address the risks and issues that are identified. Follow-up reviews add value by informing the BOR and management of the status of audit issues identified in previous reports. VI. 2100 Nature of Work Our conclusion based on the self-assessment is that the Department of Audit Services contributes to the improvement of risk management, control, and governance processes through its audits and management assistance services. The Director of Audit Services and the Vice President of Finance and Administration co-facilitate a university wide annual risk assessment that forms the basis for the Annual Audit Plan. The risk assessment survey considers areas of risk such as the reliability of information, safeguarding of assets, compliance, efficiency and effectiveness of operations, and the accomplishment of goals and objectives. Audit Programs ensure that fraud risks are considered. The Director has provided significant input on ethics and fraud prevention policies and facilitates the fraud awareness program through administration of the EthicsPoint hotline and distribution of fraud posters and brochures. VII. 2200 Engagement Planning Based on our review of the working papers for the Campus Program for Minors/Camps Audit, we conclude that the Department of Audit Services is in compliance with the Standards. The auditors develop an Audit Plan for each audit, which specifies the audit scope and objectives. An Audit Program is prepared for each audit that identifies the activities to be performed in order to accomplish the audit objectives. The Audit Director assigns audits in the Audit Plan according to the knowledge, skills, and experience of the auditors.


Page 10 of 11

VIII. 2300 Performing the Engagement We maintain that the Department of Audit Services complies with Standards in performing audits. The auditors prepare thorough working papers using TeamMate to document the audit program steps performed to achieve the objectives. Evidence provided to support results and conclusions is sufficient, competent, and relevant. Audits are properly supervised, and working papers are reviewed before reports are issued. IX. 2400 Communicating Results Based on our working paper review, we conclude that Department of Audit Services complies with the Standards regarding communicating the results of engagements. Written reports are prepared for all audits. Audit reports include the objectives, scope, and methodology. The results are communicated to the appropriate internal and external parties, including executive management, program management, BOR, the Governor’s Office, State Auditor’s Office, Legislative Budget Board, and Sunset Advisory Commission. X. 2500 Monitoring Progress We found that the Department of Audit Services has an effective system for monitoring the disposition of results communicated to management. The Department of Audit Services maintains a database for tracking the status of issues identified in audit reports and performs follow-up reviews of previously unresolved issues. The Annual Audit Plan includes a follow-up review to be performed each year. The results of follow-up reviews are communicated to the BOR and management. XI. 2600 Resolution of Senior Management’s Acceptance of Risks No instance has occurred in which the Director of Audit Services has believed that executive management has accepted a level of residual risk that is unacceptable to the organization, but if this situation were to occur, the Director would report it to the BOR.

GOALS FOR THE DEPARTMENT OF AUDIT SERVICES During the performance of our self-assessment, we identified opportunities to enhance our processes. We formulated these into goals for the Department over the next three years as follows: Goal #1 – The Department of Audit Services has an Audit Manual and various other policies and procedures maintained in manual and electronic formats. The Department will finish the update and conversion of the policies and procedures into an electronic comprehensive Audit Manual by June 30, 2013. Goal #2 – The Department of Audit Services, with help from the Department of Information Technology Services, converted to the database version of TeamMate on September 1, 2012. The Department will investigate other modules of the TeamMate software suite and start implementation of TeamRisk by August 31, 2015. Goal #3 – The Department of Audit Services uses ACL, Audit Command Language, as a data mining and analysis auditing tool. The Department will investigate options for ACL to work with Banner. The Department will seek to acquire an additional ACL license in order to cross train staff on the use of ACL by August 31, 2016.


Page 11 of 11

Goal #4 – The Department will hire an additional auditor to increase coverage for departmental audits as soon as possible.

ACKNOWLEDGEMENT The Department of Audit Services is committed to continuous improvement and as such will continue to revisit and improve our practices and stay abreast of auditing standards and techniques. We look forward to the assistance of Mr. Ken Schroeder, CIA, CISA, CRMA, Director of Internal Audit for the University of Texas at Arlington; and Ms. Lou Ann Viergever, CPA, CIA, Executive Director of Audit and Consulting Services for the University of Texas at Tyler in performing the Quality Assurance Review validation for the SFA Department of Audit Services in 2013. We appreciate the support of the Board of Regents, President, Administration, and SFA community in performing our duties as the auditors of Stephen F. Austin State University.

VIII.

Internal Quality Assessment

STEPHEN F. AUSTIN STATE UNIVERSITY 2015-2016 INTERNAL ASSESSMENT

Audit Services maintains a quality assurance and improvement program. To ensure adherence to auditing standards the Department of Audit Services performs the following:

• Annual review of compliance with International Standards for the Professional Practice of Internal Auditing and Generally Accepted Government Auditing Standards.

• Remain up-to-date on auditing standards through continuing education, membership in accounting and auditing associations, technical reading, and independent research.

• Completion of an audit standards compliance questionnaire at the end of each audit.

• Completion of annual independence disclosures. • Various other practices.

Audit Services is in compliance with auditing standards. The following department goals for 2016 will aid in continued compliance and efficiency:

• Investigate options for WebFOCUS training. • Upgrade TeamMate electronic audit software to version 11. • Update the audit manual. • Develop continuous auditing tools and techniques

We reassessed our three year goals during fiscal year 2015 and decided not to implement additional modules of TeamMate as the current risk assessment process outside of TeamRisk is appropriate at this time. We will continue to assess TeamMate modules for future implementation.

Ongoing assessment of the internal audit activity is maintained through daily supervision and review; audit exit conferences; annual performance evaluations; meetings with the President, Vice Presidents, and Board of Regents Finance and Audit Chair; and monitoring of factors such as:

• % of management action plans implemented in annual follow-up audit. • % of responses to annual risk assessment survey. • Meeting internal and external deadlines. • Completing audits and special projects. • Maintaining certifications.

IX.

Internal Audit Plan for FY 2016

STEPHEN F. AUSTIN STATE UNIVERSITY FISCAL YEAR 2016

The staff of Audit Services consists of a Chief Audit Executive; Assistant Director; Auditor; Risk and Compliance Auditor; and a Graduate Assistant/Student Worker. For fiscal year 2016, allocable time after consideration of sick leave, vacation, holidays, and wellness release time is 7,887 hours.

Required audits require use of audit resources, along with special projects and investigations, meetings and committee service, department activities, and audit administration. Audits are scheduled below in a five year audit plan. These audits are a combination of financial, compliance, operational, efficiency, effectiveness, and fraud audits.

Audit Projects 2016 2017 2018 2019 2020 Audit Assistance to Oversight Agencies X X X X X PFIA (biennial) X X TAC 202 (biennial) X X Charter School (annual) X X X X X NCAA (annual) X X X X X Follow-up (annual) X X X X X Contract Management and Purchasing (annual) X X X X X Benefits Proportionality X X Safety and Security Audit (triennial) X X Facilities Audit (every five years) X Departmental Audits X X X X X Risk Based and Other Audits X X X X X

Risk based and other audits planned for fiscal year 2016 include the following:

• Travel Administration Audit • Admissions Audit • TAC 202 Security Control Standards Audit • Agency Accounts Audit • Learning System Audit.

Details are included in the Fiscal Year 2016 Audit Plan.

PROJECT HIGH LEVEL DESCRIPTION HOURSFinancial, Compliance, Efficiency & Effectiveness Audits

Audit assistance to oversight agencies

Provide audit assistance to state and federal oversight agencies such as Texas State Auditor's Office, The Higher Education Coordinating Board, Texas State Comptroller's Office, and grant agencies

80

National Collegiate Athletic Association ReviewProvide assistance to external firm performing review of SFASU athletic financial statement as required by NCAA 40

SFASU Charter School AuditProvide assistance to external firm performing financial audit of SFASU Charter School 40

Travel Administration Audit Review controls and compliance of new system 300

Admissions Audit Review admission reports, controls, and procedures 450

Departmental AuditsReview for compliance with various regulations and efficiency & effectiveness 1000

Contract Management and Purchasing Audit Review compliance with Senate Bill 20 requirements 450

Benefits Proportional by Fund AuditReview controls, verify compliance, and reporting for FY 2012, 2013, and 2014 250

Facilities Audit Review and test compliance with THECB requirements 60Safety and Security Audit Review required by TEC 51.217 350Agency Accounts Review procedures for agency accounts 100

Information Technology

IT Meetings/IssuesAdvise on issues affecting information technology and systems under development/enhancement 25

Texas Administrative Code Section 202 Audit Review compliance with Information Security Standards 450Learning System Audit Review controls in Desire2Learn 400

Follow-up AuditsObtain representations from management regarding status and perform verification as necessary 525

Special Projects

Fraud & Ethics Program and InvestigationsFacilitate university anonymous reporting system and investigations 150

Special ProjectsBased on requests from Board of Regents, Administration, or others 150

Meetings & Committee ServiceInvestment Committee Serve as advisory member of committee 15Administrative Meetings Attend administrative meetings as requested 72Other University Meetings/Events Attend other meetings and events as deemed necessary 100Regent Meetings and events Preparation and attendance of meetings and events 120Compliance Committee & Activities Serve as advisory member of committee 60

Department ActivitiesAnnual Audit Plan and Report Prepare annual audit plan and report 80Audit Manual Revision Update audit manual and forms 40Annual Risk Assessment Facilitate annual university risk assessment 75

Quality AssurancePerform internal assessment and coordinate external assessment of compliance with standards 200

Records Management Maintain file system and records for department 100Software Maintenance and Training Teammate and ACL audit software 120Continuous Auditing Develop tools and techniques 180

Professional Development and TravelProfessional development, maintain certifications, training, and travel 325

Staff Meetings Weekly staff meetings 465



PROJECT HIGH LEVEL DESCRIPTION HOURS



General & AdministrativeAdministration (planning, purchasing, payroll, scheduling, reporting, etc.) 815

General & Administrative GA Graduate Assistant help with routine audit department work 300

Total Allocated Hours 7,887

Total Hours Per Year All staff 9,184 Less estimated:Sick Leave (160)Vacation (542)Holidays (520)Wellness Release Time (75)

Total Available Hours 7,887

X. Risk Assessment

STEPHEN F. AUSTIN STATE UNIVERSITY FISCAL YEAR 2016 RISK ASSESSMENT

The university continually assesses risk at all levels. As new regulations are proposed and enacted, changes in management occur, computer system updates are made, goals and objectives set and reviewed, and other factors, risks are discussed and evaluated.

Audit Services, in conjunction with the Vice President of Finance and Administration, facilitates an annual university wide risk assessment. A survey of risks is developed with university input. One hundred and two members of the university community including administrators, deans, department chairs, and directors were asked to participate in the survey for fiscal year 2016. The survey required each respondent to assess the negative impact of eighteen identified risks as high, medium, or low. Administration along with the General Counsel, Chief Information Officer, and Chief Audit Executive assessed the negative impact of the risk along with the probability of the risk occurring as high, medium, or low. The survey also asked respondents to identify any other risks or potentially fraudulent activities. In addition, twenty-eight departmental questions were asked to assess departmental risks. Responses to these questions were weighted to determine an overall department risk ranking. We had a 100% response rate for the 2015-2016 survey. The survey was used by Audit Services in the development of the fiscal year audit plan and also by administration to address risks. The top 10 risks were evaluated to ensure that the university is mitigating the risk and/or Audit Services is performing audit procedures to review the risk.

In addition, the Vice President of Finance and Administration and the Chief Audit Executive review and discuss the Statement of Net Assets; Statement of Revenues, Expenses, and Changes in Net Assets; and Budget financial reports. Audit coverage is discussed along with risks and controls.

All of the risk assessment information is then reviewed with the President and Administration for any additional input and with the Board of Regents Chair of the Finance and Audit Committee and Board of Regents Chair. The proposed audit plan draft is sent to the Board of Regents ten days in advance of the fall Finance and Audit Committee meeting. The plan is submitted for formal approval at the fall quarterly meeting of the Board of Regents.

The fiscal year 2016 audit plan allocates resources for required audits and audits identified during the risk assessment process. High risk areas identified by Audit Services that are not covered in the current year Audit Plan include Financial Aid and Federal Funds, which are included in the State Auditor’s Office Single Audit; information technology security not assessed in TAC 202; specific compliance areas; and funds that are under the control of other entities or agencies.

XI. External Audit Services

STEPHEN F. AUSTIN STATE UNIVERSITY EXTERNAL AUDIT SERVICES

AUDITOR

PURPOSE

Goff & Herrington, P.C. Perform agreed-upon procedures engagement as required by the National Collegiate Athletic Association as of 08/31/2014.

Goff & Herrington, P.C Perform audit of financial statements of Stephen F. Austin State University Charter School for the year ended 8/31/2014.

XII. Reporting Fraud

STEPHEN F. AUSTIN STATE UNIVERSITY REPORTING SUSPECTED FRAUD AND ABUSE

In order to implement the requirements of Article IX, Section 7.09, page IX-37, the General Appropriations Act (84th Legislature) and Texas Government Code, Section 321.022, the university has taken the following actions:

SFASU has a fraud policy that includes the website and phone number to report fraud to the State Auditor’s Office at http://www.sfasu.edu/policies/fraud.pdf.

SFASU provides a link for reporting fraud on the SFASU website homepage at http://www.sfasu.edu/.

SFASU distributes fraud posters that include the website and phone number to report fraud to the State Auditor’s Office as shown below:

New employees are informed of the fraud and ethics program in employee orientation.

The Chief Audit Executive coordinates investigations with the State Auditor’s Office when necessary.

XIII. Audit Charter

1

STEPHEN F. AUSTIN STATE UNIVERSITY DEPARTMENT OF AUDIT SERVICES

INTERNAL AUDIT CHARTER November 1, 2015

Purpose Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve the university’s operations. It helps the university accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. The purpose of the Department of Audit Services is to provide the Board of Regents and the President an independent appraisal of the adequacy and the effectiveness of the University's system of internal administrative and accounting controls and the quality of performance when compared with established standards. The primary objective is to assist the Board of Regents, the President and University management in the effective discharge of their responsibilities. Authority The Department of Audit Services is an integral part of Stephen F. Austin State University and functions within established policies. The Chief Audit Executive is appointed by the Board of Regents in accordance with the Board of Regents Rules and Regulations. The Chief Audit Executive reports functionally to the Board of Regents and administratively to the President. The Department of Audit Services will have unrestricted access to all University activities; records, both manual and electronic; property; and personnel relevant to any area being reviewed. Members of the Audit Services' staff will handle all documents and other information acquired in the course of their duties prudently. Standards The Department will operate within the guidelines of the Texas Internal Auditing Act (Article 6252 – 5d., V.A.C.S.), the Institute of Internal Auditors Professional Practices Framework which includes the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing as mandatory guidance. In addition, where applicable the Department will follow Generally Accepted Government Auditing Standards. Principles and Independence The Department of Audit Services will uphold the principles of integrity, objectivity, confidentiality, and competency. Employees will be independent of the activities or operations they review and free of all operational and management responsibilities that will impair the auditor’s ability to review independently all aspects of the university’s operations.

2

Responsibility The Department of Audit Services will fulfill its responsibility to the Board of Regents and the President by:

developing an audit plan based on a risk analysis which includes consideration of the university’s goals and objectives and the concerns of management and the Board of Regents.

providing audit coverage that consistently meets the needs and expectations of management and the Board of Regents.

following up on identified weaknesses, findings and recommendations from previous audit work.

participating in a program of quality assurance designed to ensure the increasing professionalism of the department and standard of the work performed.

performing consulting services including advisory and related service activities, the nature and scope of which are agreed upon and which are intended to add value and improve the university’s governance, risk management, and control processes without assuming management responsibility.

Performing non-audit services such as special projects, policy reviews, facilitation, training, and committee service.

Annually the Chief Audit Executive will submit information on the annual audit plan, work schedule, and staffing plan to the President for his review and to the Board of Regents for their approval. Quarterly the Chief Audit Executive will provide activity reports to the President and the Board of Regents detailing progress against the annual audit plan, audit accomplishments, and highlights of any significant audit findings and recommendations. The Chief Audit Executive will submit reports as required to the State Auditor’s Office, Governor’s Office, Legislative Budget Board and Sunset Advisory Commission. The scope of audit activities will include all controls, reports and operations of the University. The Department of Audit Services will examine and evaluate:

The reliability and integrity of financial and operating information and the means used to identify, measure, classify and report information.

The systems established to ensure compliance with policies, plans, procedures, laws and regulations that could have a significant impact on the University.

The means of safeguarding assets and verifying their existence. The economy and the efficiency with which resources are employed. The extent to which the operations and programs of the University are

consistent with its objectives and goals. The ethics objectives and activities of the University. The potential for fraud and the management of fraud risk.

stephen f. austin state universitysfasu.edu/audit/docs/2015-audit-report.pdf · iv. internal audit...

Documents