About Internal Auditing

Mission Statement

Internal Auditing's mission is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

Internal Auditing Information

Internal Auditing Charter

PURPOSE
This Internal Audit Charter defines the function, authority and responsibility of the Internal Audit Department (the Department).

MISSION

Internal Auditing’s mission is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

FUNCTION
Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve the Houston Community College System’s (HCCS) operations. The Department helps HCCS accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

All the Department’s endeavors are to be conducted in compliance with the objectives and policies of HCCS, as well as the mandatory elements of the International Professional Practices Framework (IPPF) promulgated by the Institute of Internal Auditors, Inc., as follows:

  • Core Principles for the Professional Practice of Internal Auditing
  • Code of Ethics
  • Definition of Internal Auditing
  • International Standards for the Professional Practice of Internal Auditing

Periodic internal and external quality assessments and ongoing internal monitoring will be part of a quality assurance and improvement program designed to help the internal auditing activity add value.

INDEPENDENCE AND OBJECTIVITY

To provide for the independence of the Department, its personnel report to the Chief Audit Executive (“CAE”), who reports to both the Chancellor and the Audit Committee. The reporting relationships of the CAE enhance departmental independence, promote comprehensive audit coverage and encourage adequate consideration of audit reports and recommendations. To maintain objectivity, the CAE and the audit staff shall have no direct authority over the activities they review. In particular, Internal Audit may not develop policies and procedures for a function they might audit or direct the actions of the personnel in the performance of that function.  

Internal Audit may be asked to participate in management committees or project teams, to analyze controls built into processes, development systems, or analyze security products. Because Internal Audit is not a management decision-making function, decisions to develop, adopt and implement policies or procedures as a result of an internal audit advisory service must be made by management. The performance of these audits or reviews does not relieve management of any assigned responsibilities. The internal audit activity must be independent, and internal auditors must be objective in performing their work.

AUTHORITY
Personnel of the Department, in the performance of an assigned project, are authorized to have full, free, and unrestricted access to all functions, activities, properties, manual and automated information systems, personnel, and non-privileged records in the scope of that project.

Internal Audit may require written responses to audit observations describing corrective action that will be taken to adequately resolve the deficiencies, the responsible parties, and the expected completion dates. Deficient corrective action plans will be reported to the Board of Trustees for resolution.

RESPONSIBILITIES

In accordance with Board Policy, Internal Audit is responsible for assessing the various functions and control systems within HCCS and for advising management concerning their condition. The fulfillment of this accountability includes:

  • Developing a flexible risk-based annual internal audit plan with input from Senior Management and the Board of Trustees as required by IIA Standard 2012. A1 and submitting the audit plan to the Audit Committee for review and the Board for approval.
  • Reviewing and adjusting the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls, with Audit Committee review and Board approval.
  • Meeting regularly with the Board Audit Committee to provide updates by reviewing audits performed, audits in progress, future audits, and sufficiency of the Department resources.
  • Conducting independent and constructive audits to review effectiveness of controls, financial records, operations, or to review departmental records, the proper recording of transactions, and compliance with applicable rules, regulations, policies, and procedures.
  • Analyzing data obtained for evidence of deficiencies in controls, integrity, duplication of effort, or lack of compliance with College policies and procedures.
  • Conducting audits which examine the effectiveness of the governance, risk management, and internal control processes in promoting the achievement of strategic objectives concerning all reporting, operations, safeguarding of assets, and compliance.
  • Investigating allegations of fraud, waste, abuse and other wrongdoing as appropriate and in accordance with Board Policy, and coordinating such investigations as needed with Legal Counsel or the HCCS Police.
  • Offering Advisory services; Internal Control or Fraud training; Control Self-Assessment (CSA) services, and other audit technique workshops as warranted.
  • Coordinating audit efforts with those of external financial auditors and acting as a liaison for other external auditors.
  • Coordinating efforts with other control monitoring functions within HCCS (risk management, compliance, security, legal, ethics, safety and environment).
  • Maintaining a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this Charter and ensuring that personnel in the Department have appropriate continuing education to foster advancement of technical knowledge and skills.

Approved by the Board of Trustees, October 20, 2016. 

Code of Ethics

The Code of Ethics states the principles and expectations governing the behavior of individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for conduct, and behavioral expectations rather than specific activities.

Introduction to the Code of Ethics

The purpose of The Institute's Code of Ethics is to promote an ethical culture in the profession of internal auditing.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about governance, risk management, and control.

The Institute's Code of Ethics extends beyond the Definition of Internal Auditing to include two essential components:

  1. Principles that are relevant to the profession and practice of internal auditing.
  2. Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid to interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors.

"Internal auditors" refers to Institute members, recipients of or candidates for IIA professional certifications, and those who perform internal audit services within the Definition of Internal Auditing.

Applicability and Enforcement of the Code of Ethics

This Code of Ethics applies to both entities and individuals that perform internal audit services.

For IIA members and recipients of or candidates for IIA professional certifications, breaches of the Code of Ethics will be evaluated and administered according to The Institute's Bylaws and Administrative Directives. The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being unacceptable or discreditable, and therefore, the member, certification holder, or candidate can be liable for disciplinary action.

Code of Ethics — Principles

Internal auditors are expected to apply and uphold the following principles:

  1. Integrity
    The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
  2. Objectivity
    Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
  3. Confidentiality
    Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
  4. Competency
    Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.

Rules of Conduct

1. Integrity

Internal auditors:

1.1. Shall perform their work with honesty, diligence, and responsibility.

1.2. Shall observe the law and make disclosures expected by the law and the profession.

1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.

1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

2. Objectivity

Internal auditors: 

2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization. 

2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.

2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

3. Confidentiality

Internal auditors:

3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.

3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

4. Competency

Internal auditors:

4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.

4.2. Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing (Standards).

4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.

https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx

2016 Internal Audit Annual Report

FY 2018 Internal Audit Plan

Approved by Board of Trustees August 17, 2017

Internal Audit Plan

Fiscal Year 2018

Executive Summary

The purpose of the Internal Audit Plan (Plan) is to outline audits and other activities the Houston Community College (HCC) Internal Audit Department (the Department) will conduct during fiscal year 2018. The Plan’s development and approval are intended to satisfy requirements under HCC’s Internal Audit Charter, International Standards for the Professional Practice of Internal Auditing, and the Texas Internal Auditing Act.

A significant amount of time will be devoted to the following two activities in FY 2018:

1) Implementing the internal audit management system software (TeamMate); and
2) Collaborating with Risk Management and other control monitoring functions within HCC to further refine the Enterprise Risk Management (ERM) Assessment Program.

 

Plan Development Methodology

The HCC audit universe is being developed through the ERM Assessment Program. The High Risk Audit Candidates identified during the FY 2017 Internal Audit Plan preparation were updated in Attachment I based on the ERM Assessment interviews conducted with Executive Cabinet members and other executive managers, reviewing HCC’s current major activities, and KPMG’s Internal Audit Top 10 Considerations for 2017.

 

Internal Audit Available Time

| Item | Hours | Percent of Total |
|---|---|---|
| Total Hours (7 Staff * 52 Weeks * 40 hours) | 14,560 | 100% |
| Less: Staff Vacancies | 0 | 0% |
| Estimated Vacation, Holiday, & Sick | 2,456 | 17% |
| Training | 760 | 5% |
| Various Meeting & Departmental Administration | 2,960 | 20% |
| Total Hours Available for Audits & Other Projects | 8,384 | 58% |

 

Description of Project Types

Operational: These are projects in which some activity or other management assertion is evaluated so that improvements to operating efficiency and effectiveness can be made. These can also be projects in which the object is to develop new information on an activity so that management can use that information in their decision making process.

Compliance: Reviews focused on ensuring compliance with regulations and HCC policies.

Advisory Services: Consulting projects that improve management of risks, add value, and improve the organization’s operations.

Administrative: These include fraud investigations, special projects requested by the Board or management, and administrative projects within the department such as preparing the following year audit plan and the Annual Audit Report.

Observation action plan follow-ups: These are on-going status reviews on the resolution of deficiencies identified in past audits to ensure management completed action plans.

 

FY 2018 Internal Audit Plan

| No. | Project | Description | Hours |
|---|---|---|---|
| Operational Audit Projects | | | |
| 17-3 | *IT Cyber & Data Security | High level general controls review of the Information Technology data security management system | 160 |
| 17-15 | *Website Review | Review compliance with HCC’s Web Standards and Guidelines and ensure adequate controls for information safety & soundness | 640 |
| 18-O-1 | Accreditation - SACS | Review the management system that ensures adequate documentation for SACS accreditation | 640 |
| 18-O-2 | Ethics Program Review | Evaluate the design, implementation, and effectiveness of HCC's ethics-related programs and activities | 640 |
| 18-O-3 | PeopleSoft Application Controls | Review logical access controls in PeopleSoft software applications to ensure data is processed accurately and as intended from input to storage to output | 640 |
| Compliance Audit Projects | | | |
| 18-C-1 | Campus Safety & Environmental Operations Management | Planning for campus safety & environmental legal policy compliance management reviews | 480 |
| 18-C-1-1 | Northwest College | Safety & environmental legal policy compliance | 200 |
| 18-C-1-2 | Southeast College | Safety & environmental legal policy compliance | 200 |
| 18-C-1-3 | Southwest College | Safety & environmental legal policy compliance | 200 |
| 18-C-2 | Direct Payments Review | Review direct payment activity for compliance with the Procurement Manual procedures | 320 |
| 18-C-3 | Executive Expenses Review | Review executive expenses for compliance with HCC policies and procedures | 160 |
| 18-C-4 | Required Regulatory Reporting | Review the process for capturing required regulatory reporting and monitoring compliance | 640 |
| Advisory Services Projects | | | |
| 17-1-2 | *Procurement - Contracting Advisory Services | Control framework advice on Procurement Operations implementing JAGGAER source-to-pay suite | 560 |
| 18-S-1 | Committees & Task Forces | Participate on committees and task forces providing risk management and control advice | 120 |
| 18-S-2 | Continuous Auditing | Create automated extracts of data and reports to analyze specific business risks | 480 |
| 18-S-3 | Fraud & Special Investigations | Responsive to provide services as required | 324 |
| Administrative Projects | | | |
| 18-A-1 | FY 2019 Audit Planning & ERM Assessment | Collaborate with HCC Risk Management continuously updating the Enterprise Risk Management (ERM) assessment and audit planning | 800 |
| 18-A-2 | TeamMate System Implementation & Training | TeamMate automated internal audit management system implementation & training | 500 |
| 18-A-3 | Internal Quality Assurance Review | Perform a formal internal quality assurance review | 240 |
| 18-A-4 | FY 2018 Annual Audit Report | Compile and prepare State required audit report | 120 |
| Observation Action Plan Follow-ups | | | |
| | Observation Action Plan Follow-ups | Follow-up on completion of previous audit observations action plans | 320 |

* Carry-over projects from FY 2017 Internal Audit Plan

 

 

Attachment I

FY 2018

High Risk Audit Candidates 

 

Accreditation – Southern Association of Colleges and Schools (SACS) – 18-O-1
Accreditation – Third Party Programs – 17-6

Regulatory Compliance

• Title IX, Violence Against Women, and Clery Acts – 17-4
• Safety and environmental – 17-5 and 18-C-1
• Campus security
• Data security and handling – 17-3
• Contracting Process – 17-1-1 and 17-1-2
• Student Financial Aid (audited by Grant Thornton & Texas Higher Education Coordinating Board (THECB) in FY 2017)
• Contact hours reporting (THECB audited in FY 2017)
• Required regulatory reporting – 18-C-4
• Required regulatory training
• Government funding formula changes - monitoring and preparedness
• Taxation rule changes - monitoring and preparedness 

IT
• Cybersecurity – intrusion prevention/detection system – 17-3
• Network infrastructure and security – 17-3
• Applications management – 18-O-3
• Server environment – 17-3
• Customer/Technical support

Third Party Relationships/Vendor Management – 17-2

Bond Construction Management (Jacobs - management & R L Townsend - auditing)

Grant Portfolio Management (consider that funders usually audit grants)

Asset Management (consider coverage in external auditor financial audit)

Business Continuity Plans (Risk Management started plan development in 2016)

Emergency Response Plans

Student Enrollment

Student Customer Service

Website Management – 17-15

Ethics Program – 18-O-2

Trustees, Chancellor and Executive expenditures – 18-C-3

Fraud

Internal Audit Standards

The Standards for the Professional Practice of Internal Auditing published by the Institute of Internal Auditors, Inc., generally accepted governmental auditing standards and the certified Internal Auditor Code of Professional Ethics shall serve as guidelines for Houston Community College System internal audit activities as required by the Texas Internal Auditing Act.

* Standards for the Professional Practice of Internal Auditing - issued by the Institute of Internal Auditors.

* Generally Accepted Governmental Auditing Standards - issued by the US General Accounting Office, Comptroller General.

* The Certified Internal Auditor Code of Professional Ethics - issued by the Institute of Internal Auditors.
