Â鶹ÌìÀǸ±ÀûÔº

a. The mission and purpose of the OAS is to strengthen TTU System’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight. The work of the OAS enhances TTU System’s:

• successful achievement of institutional objectives;

• governance, risk management, and control processes;

• decision-making and oversight;

• reputation and credibility with stakeholders; and

• ability to serve the public interest.  

b. The OAS is established by the board of regents in accordance with the Texas Internal Auditing Act, which serves as the mandate for OAS. The OAS serves all divisions, campuses, and locations of the TTU System. In order to provide organizational independence, the Chief Audit Executive (CAE), who coordinates and supervises all OAS offices and locations, reports directly to the board, functionally through the board's audit committee, and administratively to the chancellor.

Regents' Rule 07.02 serves as the OAS charter, defining its mission, purpose, mandate, standards of practice, authority, and other aspects of its operations.

c. Objectivity—the need for auditors to have an impartial, unbiased attitude— and integrity are essential to the audit function; therefore, the CAE organizes staff assignments to avoid actual or apparent conflicts of interest. Objectivity is not adversely affected by making recommendations for the improvement of governance, risk management, and internal control processes.

d. To accomplish their work, the CAE and staff members of OAS are authorized to have full, free, unrestricted access to all functions, data, information, records (including but not limited to student, personnel, and medical records), property, and personnel relevant to any audit or engagement. Auditors will be prudent in the use and protection of information acquired during the course of an engagement.

a. The CAE will prepare an annual audit plan based on a risk assessment that includes input from senior management. After approval each August by the board of regents through the audit committee, the plan will be disseminated to System leadership and posted on the TTU System website by September 1.

b. The CAE will prepare an annual report of OAS's activities in accordance with the form and content required by the State Auditor's Office. The CAE will ensure the report for each fiscal year is filed by November 1 of the following fiscal year in accordance with statutory requirements and posted on the TTU System website no later than December 31.

c. The CAE will periodically update the chancellor, presidents, and audit committee of the board of regents on the status and results of audits, investigations, and other projects, as well as on the implementation status of management action plans to address risks/issues identified in previous engagements.

d. Most final engagement reports are subject to requests filed under the Texas Public Information Act. The TTU System considers an audit report "final" and available for disclosure once it has been included in an OAS report approved by the board of regents.

e. Final reports containing certain types of information are confidential under Texas Government Code §552.139, Confidentiality of Government Information Related to Security or Infrastructure Issues for Computers. Reports for certain other engagements may be exempted from disclosure under the Act, as determined by the TTUS Office of General Counsel.

a. The comprehensive scope of services of the OAS covers the entire breadth of TTU System, including all of its activities, operations, locations, and personnel. OAS carries out its mandate by bringing a systematic, disciplined, and risk-based approach to evaluating and improving the effectiveness of the System’s governance, risk management, and control processes through objective examinations of evidence. OAS performs various types of engagements including assurance engagements, advisory services, and investigations.

(1) Assurance services are intended to provide reasonable assurance about governance, risk management, and control processes to organizational stakeholders, especially the board, senior management, and management of the activity under review. Through assurance services, auditors provide objective assessments of the activity under review as compared to evaluation criteria. The nature and scope of assurance services are generally set by auditors and may include requests by management to review specific activities. Examples of assurance services include but are not limited to compliance, financial, operational, and information technology audits.

(2) Advisory services are engagements where auditors provide information or advice to stakeholders without providing assurance or taking on management responsibilities. Advisory engagements may be initiated by auditors or performed at the request of the board or management. Examples of advisory services include but are not limited to advising on the design and implementation of new policies, processes, or systems; providing training; serving on institutional committees, facilitating discussions about risks and controls; and analyzing data. If auditors discover significant issues with internal control structures, compliance, or other matters, OAS may convert an advisory engagement to an assurance engagement.

b. Generally, the CAE or a representative will notify the appropriate members of management as to the timing, staffing, and scope of engagements to be conducted by OAS. The performance of certain procedures (e.g., cash or inventory procedures, investigative interviews, etc.) may be unannounced.

c. In certain cases as determined by the CAE, only senior management, the respective president, the chancellor, and/or the chair of the audit committee of the board of regents will be notified of an impending audit or investigation.

d. The progress or results of an engagement may result in shifting communication and reporting from the planned level of management to a more senior level as determined by the CAE.

e. Auditors will ordinarily communicate the progress and results of engagements with client management periodically during the engagement. At the conclusion of each assurance engagement, a draft report of detailed results, recommendations, and pertinent information will be presented to the appropriate level of management for addressing the identified risks. For advisory engagements, the report may be only the provision of information or advice without formal recommendations. In certain cases, reports may be made orally.

f. When there are audit findings, management will be asked to provide an action plan to address the identified risks. Generally, ten business days after issuance of the draft report will be provided for the action plan, although a different time period may be appropriate in some cases, depending on the nature of the report. Management's action plan will be incorporated into the final engagement report, which will be distributed to the board of regents, chancellor, president, and/or other members of management. The engagement is not considered complete until the final report has been issued.

g. If management fails to respond to the draft report in a timely manner, OAS will request the action plan from the next most senior level of management.

h. If management indicates acceptance of a risk and does not plan to take action to address the risk, the OAS will escalate the issue through the cognizant member of senior management (e.g., dean, vice president, vice chancellor) to the chancellor or president to request written confirmation of the acceptance of the risk. No member of management may accept risks that include violations of state or federal law.

i. In especially sensitive cases, the CAE may communicate information only to the president, the chancellor, and/or the chair of the audit committee of the board of regents and/or to appropriate levels of management as determined by the CAE.

j. On matters involving a material violation of state or federal law and/or in cases where fraud is suspected, the CAE will directly inform the respective president, the chancellor, and/or the chair of the audit committee of the board of regents. The CAE may also inform the Office of General Counsel, Texas Tech Police Department, and/or other law enforcement officials. As required by state statute, the CAE will notify the State Auditor's Office of suspected fraudulent activity.

a. OAS is committed to maintaining constructive and continuing communications with its clients. Routine communication between client management and staff regarding an audit is expected. However, to ensure there are no limitations on the scope of any engagement, client management should not require staff members to provide detailed write-ups or accounts of auditor communications, as doing so could unintentionally result in restrictions on communication.

b. If the CAE determines the existence of a scope limitation, the CAE or designee will first address the matter with client management.

c. If the CAE determines the scope limitation is not resolved, audit standards require the situation to be disclosed in the engagement report and brought to the attention of senior management and the board of regents.

a. Audit standards require OAS to establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

b. The follow-up process involves auditors performing procedures to verify management has implemented corrective actions or that the noted issue/risk has been otherwise mitigated. Verification may involve walk-throughs, tests of transactions or records, reviews of policies, observation, interviews, or other procedures.

c. In cases where management is not making timely progress toward implementation of action plans, OAS will request assistance from the cognizant member of senior management.

d. If management indicates acceptance of a risk and no longer plans to take action to address the risk, the OAS will escalate the issue through the cognizant member of senior management (e.g., dean, vice president, vice chancellor) to the chancellor or president to request written confirmation of the acceptance of the risk. No member of management may accept risks that include violations of state or federal law.

e. When the CAE concludes that management has accepted a level of risk that may be unacceptable to TTU System or one of its institutions, audit standards require the CAE to discuss the matter with senior management. If the CAE determines that the matter has not been resolved, the CAE must communicate the matter to the board of regents.

a. The OAS will assist the TTU System in the procurement of audit services to be provided by external auditors. To begin the process of procuring an external audit, management should contact the CAE.

b. V.T.C.A. Government Code §321.020, Coordination of Certain Audits, requires that the state auditor give authorization through a delegation of authority prior to the engagement of any external auditor. The CAE will assist university administrators with obtaining the state auditor's authorization.

c. Once the state auditor has issued the delegation of authority, the CAE or designee will lead the selection process to engage external auditors.

d. The CAE will work with the appropriate members of management to determine the level of involvement of the OAS, if any, in the performance of each external audit.

e. When a written report is issued for an external audit, a draft should be provided to the OAS. The CAE will ensure communication of the final results of external engagements to the audit committee of the board of regents, chancellor, president and other appropriate administrators.

a. TTU System and its institutions are periodically the subject of audits or reviews performed by the State Auditor's Office, the Comptroller of Public Accounts, the Texas Higher Education Coordinating Board, other state or federal agencies, or external auditors engaged by those agencies. Such engagements not initiated within TTU System will be referred to as involuntary engagements.

b. When an administrator is notified of an involuntary engagement by a state or federal agency, regulatory body, or other external auditor, the administrator should notify the CAE. As part of the audit coordination process, OAS serves as liaison between administrative offices, institutional departments, and external auditors. 

c. The CAE will work with the appropriate members of management to determine the level of involvement of the OAS in involuntary engagements. At a minimum, a member of OAS may attend the entrance and/or exit conferences for the engagement. The OAS may also be involved in coordinating teams or communications, gathering data, assisting with fieldwork, reviewing draft reports or management responses, and/or distributing final reports.

d. When a written report is issued for an involuntary engagement, a draft should be provided to the OAS. The CAE will ensure communication of the final results of such engagements to the audit committee of the board of regents, chancellor, president, and other appropriate administrators.