Frequently Asked Questions

What Areas are Selected to be Audited?

Risk Analysis - The Internal Auditing Department has developed a three-year audit plan utilizing risk analysis to identify the major areas needing audit attention. Each year the audit staff evaluates the highest risk areas and determines which should be included in the annual audit plan. The plan is approved by the Board of Regents.

Special Projects - These projects are audits or investigations that are conducted upon request or in order to comply with existing policies. These include specific requests by administration, departmental requests, and investigations based on information obtained from various sources.

What Happens During an Audit?

The audit process includes the following steps:

Notification Letter - With few exceptions, auditees are notified in writing when their area is selected for an audit. These letters are sent to the Vice President of the area being audited as well as to the appropriate Dean, Chairperson, or Director. The notification letter states the objectives to be accomplished in the audit.

Entrance Conference - An entrance conference may be scheduled with the head of the department to discuss the purpose and scope of the audit. We encourage auditees to discuss any concerns or questions they have about the audit. Together, the auditee and the auditors determine the departmental personnel and physical facilities needed to conduct the audit.

Audit Work - It will often be necessary for the auditors to be in your area to review departmental records and conduct interviews of departmental personnel. The interviews are necessary for the auditor to become familiar with the department’s operations and procedures. We realize each person’s time is valuable so we attempt to arrange meetings in advance and to work around scheduling conflicts. Written policies and procedures may also be requested to aid the auditor in understanding the operations.The duration of the audit will vary depending upon its scope. The supervising auditor assigned to your audit will give you a reasonable estimate of the time needed to complete the audit.

Communicating Results - The results of our audit are communicated to the auditee via the record of audit findings, informal letters to the department and/or informal verbal communication. Our recommendations are intended to benefit the area and the University. The purpose of the audit finding is to establish, in writing, whether the auditee understands and agrees with the conclusions drawn from the audit tests, observations, and inquiries. The auditee is provided the opportunity to agree or disagree with the conclusions and to provide, in writing, their own proposed resolutions and estimated implementation date.

Exit Conference - An exit conference may be held to discuss the audit findings. Those attending usually include the auditors, the Dean, Chairperson, or Director, as well as anyone from the department that the auditee wishes to invite. The exit conference provides an opportunity to resolve any questions or concerns the auditee may have about the findings and to resolve any other issues before the final audit report is released. We encourage the auditee to attend the exit conference because it brings closure to the audit process.

Final Audit Report - The final audit report will include the findings, recommendations, and management’s responses. A management action plan which summarizes actions to be performed in response to each recommendation, lists the responsible party, and gives the estimated date of implementation is prepared for each report. Copies of the final report are distributed to the Board of Regents, Chancellor, Vice Chancellor, President, applicable Vice Presidents, and the head of the audited unit, as well as the Governor’s Office of Budget and Planning, the State Auditor, the Sunset Advisory Commission and the Legislative Budget Board.

Follow-up Reviews - There will be occasions when action to resolve a finding will not be accomplished until after the audit work is finished. Our professional standards require that we perform follow-up procedures to ascertain that appropriate action is taken on reported audit findings. Follow-up status reports are presented to the Board of Regents on all actions included in management action plans.

What Professional Standards Do Internal Auditors Follow?

The Internal Auditing Department provides a high level of professional service to the university by 1) following established professional standards, and 2) ensuring that its auditors have appropriate technical proficiency and educational background.

The following guidelines are used to perform internal audit activities:

Auditors participate in the following professional associations and certification programs:

    • Certified Public Accountant (CPA)
    • Certified Internal Auditor (CIA)
    • Certified Information Systems Auditor (CISA)
    • Certified Fraud Examiner (CFE)

Who Audits the Auditors?

The Internal Auditing Department is not immune to being audited. Members of the State Auditor’s Office annually review internal audit activity. In addition, every three years, a team of auditors from outside The University of Houston System performs a Quality Assurance Review on the Internal Auditing Department. This is a requirement of the Texas Internal Auditing Act and The International Standards for the Professional Practice of Internal Auditing.