About Internal Auditing

Mission Statement

Internal Auditing's mission is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

Internal Auditing Information

Internal Auditing Charter

PURPOSE
This Internal Audit Charter defines the function, authority and responsibility of the Internal Audit Department (the Department).

MISSION

Internal Auditing’s mission is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

FUNCTION
Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve the Houston Community College System’s (HCCS) operations. The Department helps HCCS accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

All the Department’s endeavors are to be conducted in compliance with objectives and policies of HCCS; as well as, the mandatory elements of the International Professional Practices Framework (IPPF) promulgated by the Institute of Internal Auditors, Inc. as follows:

  • Core Principles for the Professional Practice of Internal Auditing
  • Code of Ethics
  • Definition of Internal Auditing
  • International Standards for the Professional Practice of Internal Auditing

Periodic internal and external quality assessments and ongoing internal monitoring will be part of a quality assurance and improvement program designed to help the internal auditing activity add value.

INDEPENDENCE AND OBJECTIVITY

To provide for the independence of the Department, its personnel report to the Chief Audit Executive (“CAE”), who reports to both the Chancellor and the Audit Committee. The reporting relationships of the CAE enhance departmental independence, promote comprehensive audit coverage and encourage adequate consideration of audit reports and recommendations. To maintain objectivity, the CAE and the audit staff shall have no direct authority over the activities they review. In particular, Internal Audit may not develop policies and procedures for a function they might audit or direct the actions of the personnel in the performance of that function.  

Internal Audit may be asked to participate in management committees or project teams, to analyze controls built into processes, development systems, or analyze security products. Because Internal Audit is not a management decision-making function, decisions to develop, adopt and implement policies or procedures as a result of an internal audit advisory service must be made by management. The performance of these audits or reviews does not relieve management of any assigned responsibilities. The internal audit activity must be independent, and internal auditors must be objective in performing their work.

AUTHORITY
Personnel of the Department, in the performance of an assigned project, are authorized to have full, free, and unrestricted access to all functions, activities, properties, manual and automated information systems, personnel, and non-privileged records in the scope of that project.

Internal Audit may require written responses to audit observations describing corrective action that will be taken to adequately resolve the deficiencies, the responsible parties, and the expected completion dates. Deficient corrective action plans will be reported to the Board of Trustees for resolution.

RESPONSIBILITIES

In accordance with Board Policy, Internal Audit is responsible for assessing the various functions and control systems within HCCS and for advising management concerning their condition. The fulfillment of this accountability includes:

  • Developing a flexible risk based annual internal audit plan with input from Senior Management and the Board of Trustees as required by IIA Standard 2012. A1 and submit the audit plan to the Audit Committee for review and the Board for approval.
  • Reviewing and adjusting the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls with Audit Committee review and the Board for approval. 
  • Meeting regularly with the Board Audit Committee to provide updates by reviewing audits performed, audits in progress, future audits, and sufficiency of the Department resources.
  • Conducting independent and constructive audits to review effectiveness of controls, financial records, operations, or to review departmental records, the proper recording of transactions, and compliance with applicable rules, regulations, policies, and procedures.
  • Analyzing data obtained for evidence of deficiencies in controls, integrity, duplication of effort, or lack of compliance with College policies and procedures.
  • Conducting audits which examine the effectiveness of the governance, risk management, and internal control processes in promoting the achievement of strategic objectives concerning all reporting, operations, safeguarding of assets, and compliance.
  • Investigating allegations of fraud, waste, abuse and other wrongdoing as appropriate and in accordance with Board Policy, and coordinating such investigations as needed with Legal Counsel or the HCCS Police.
  • Offering Advisory services; Internal Control or Fraud training; Control Self-Assessment (CSA) services, and other audit technique workshops as warranted.
  • Coordinating audit efforts with those of external financial auditors and acting as a liaison for other external auditors.
  • Coordinate efforts with other control monitoring functions within HCCS (risk management, compliance, security, legal, ethics, safety and environment).
  • Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this Charter and ensure that personnel in the Department have appropriate continuing education to foster advancement of technical knowledge and skills.

Approved by the Board of Trustees, October 20, 2016. 

Code of Ethics

The Code of Ethics states the principles and expectations governing the behavior of individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for conduct, and behavioral expectations rather than specific activities.

Introduction to the Code of Ethics

The purpose of The Institute's Code of Ethics is to promote an ethical culture in the profession of internal auditing.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about governance, risk management, and control.

The Institute's Code of Ethics extends beyond the Definition of Internal Auditing to include two essential components:

  1. Principles that are relevant to the profession and practice of internal auditing.
  2. Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid to interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors.

"Internal auditors" refers to Institute members, recipients of or candidates for IIA professional certifications, and those who perform internal audit services within the Definition of Internal Auditing.

Applicability and Enforcement of the Code of Ethics

This Code of Ethics applies to both entities and individuals that perform internal audit services.

For IIA members and recipients of or candidates for IIA professional certifications, breaches of the Code of Ethics will be evaluated and administered according to The Institute's Bylaws and Administrative Directives. The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being unacceptable or discreditable, and therefore, the member, certification holder, or candidate can be liable for disciplinary action.

Code of Ethics — Principles

Internal auditors are expected to apply and uphold the following principles:

  1. Integrity
    The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
  2. Objectivity
    Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
  3. Confidentiality
    Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
  4. Competency
    Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.

Rules of Conduct

1. Integrity

Internal auditors:

1.1.Shall perform their work with honesty, diligence, and responsibility.

1.2.Shall observe the law and make disclosures expected by the law and the profession.

1.3.Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.

1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

2. Objectivity

Internal auditors: 

2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization. 

2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.

2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

3. Confidentiality

Internal auditors:

3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.

3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

4. Competency

Internal auditors:

4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.

4.2. Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing (Standards).

4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.

https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx

2016 Internal Audit Annual Report

FY 2017 Internal Audit Plan

Approved by Board of Trustees October 20, 2016

Internal Audit Plan

Fiscal Year 2017

Executive Summary

The purpose of the Internal Audit Plan (Plan) is to outline audits and other activities the Department will conduct during fiscal year 2017. The Plan’s development and approval are intended to satisfy requirements under HCC’s Internal Audit Charter and the Texas Internal Auditing Act (TGC Chapter 2102.015).

The Houston Community College (HCC) Internal Audit Department (the Department) will be in rebuilding mode during fiscal year 2017. The Department’s ability to function was significantly diminished by the previous Director’s illness and the loss of the entire professional audit staff during fiscal years 2015 and 2016. A significant amount of time will be devoted to the following three rebuilding activities:

  1. Recruiting quality staff with diversified skill sets;
  2. Implementing an automated internal audit management system; and
  3. Collaborating with Risk Management to produce an Enterprise Risk Management Assessment.

 

Plan Development Methodology

In the absence of a defined HCC audit universe and risk-based methodology, a list of High Risk Audit Candidates was developed by soliciting input from two Texas community colleges Internal Audit Executive Directors, HCC’s Risk Management Executive Director, and by reviewing HCC’s current major activities and KPMG’s Internal Audit Top 10 Key Risks in 2016. This list, as detailed in Attachment I, was used to survey the Board of Trustee members and HCC’s executive management to develop the Plan. Interviews with executive management were also performed to obtain an understanding of issues and desired scopes.

Internal Audit Available Time

Total Hours(7 Staff * 52 Weeks *40 hours)

14,560

100%

Less: Staff Vacancies

1,280

9%

          Estimated Vacation, Holiday, & Sick

2,456

17%

          Training

560

4%

Various Meeting & Departmental Administration

1,520

10%

Total Hours Available for Audits & Other Projects

8,744

60%

Description of Project Types

Audits: These are projects in which some activity or other management assertion is evaluated so that improvements to operating efficiency and effectiveness can be made. These can also be projects in which the object is to develop new information on an activity so that management can use that information in their decision making process.

Compliance: Reviews focused on ensuring compliance with regulations and HCC policies.

Action plan follow-ups: These are on-going status reviews on the resolution of deficiencies identified in past audits to ensure management completed action plans.

Other Projects: These include fraud investigations, special projects requested by the Board or management, and administrative projects within the department such as preparing the following year audit plan and the Annual Audit Report.

 

FY 2017 Audit Plan

No.

Project

Description

Est Hours

Priority Audit Projects

15-12

*Human Resources Operations

Review of reporting, operational efficiency, and compliance with applicable regulations.

480

17-1

*Procurement - Contracting

Review contracting process for regulatory compliance and ensuring timely procurement renewals.

560

17-2

*Procurement - Third Party Relationships/Vendor Set-up

Review the vendor set-up process and compliance with applicable regulations.

560

17-3

IT Cyber & Data Security

High level general controls review of the Information Technology data security management system.

560

17-4

Campus Safety & Security Regulatory Acts Compliance

Review of the management system ensuring Title IX, Clery, and Violence Against Women Acts compliance. 

560

17-5

Campus Safety & Security Operations Management

Review of campus physical security and safety and environmental regulatory compliance management.

560

17-6

Accreditation

Review the management system that ensures degree and certificate accreditations are maintained.

560

Priority Administrative Projects

17-7

Automated Internal Audit Management System Implementation

Select and install a software program that will facilitate the internal audit process automation and document maintenance.

1,200

17-8

FY 2018 Audit Planning & ERM Assessment

Collaborate with HCC Risk Management to complete an Enterprise Risk Management (ERM) assessment for use in 2018 Audit Plan preparation.

800

17-9

Internal Quality Assurance Review

Perform a formal internal quality assurance review.

240

17-10

FY 2017 Annual Audit Report

Compile and prepare State required audit report.

120

17-11

Action Plan Follow-ups

Follow-up on completion of previous audit action plans.

240

17-12

Fraud & Special Investigations

As required

560

Other Planned Audit Projects

17-13

Contact Hours Reporting

Review of the process for reporting contact hours to the Texas Higher Education Coordinating Board.

560

17-14

*Student Financial Aid Operations

Review of operational processes and compliance with applicable regulations including security and privacy of student records.

560

17-15

*Web Presence

Review the process for approval and posting of Student Catalog.

560

* Rollover project from 2016 Audit Plan 

Attachment I

FY 2017

High Risk Audit Candidates 

Accreditation

  • Fifth Year Interim Report
  • Degrees and Certifications

Regulatory Compliance

  • Affordable Care Act
  • Title IX
  • Violence Against Women Act (VAWA)
  • Clery Act - timely warnings and emergency notifications, victim options and campus crime reporting processes
  • Contracting Process
  • Student Financial Aid (consider coverage in external auditor financial audit)
  • Contact hours reporting to the Texas Higher Education Coordinating Board for state funding
  • Regulatory compliance training
  • Government funding formula changes - monitoring and preparedness
  • Taxation rule changes - monitoring and preparedness

Bond Construction Management (R L Townsend auditing)

IT

  • Cybersecurity (also consider internal/external penetration assessment)
  • Data Security

Reputation

  • Delegation of Authority
  • Trustees, Chancellor and Executive expenditures

Grant Portfolio Management (consider that funders usually audit grants)

Fraud and Other Special Investigations

Third Party Relationships/Vendor Management

Business Continuity Plans (Plan developed by Risk Management in 2016)

Asset Management (consider coverage in external auditor financial audit)

Lab Safety

Campus Security

Internal Audit Standards

The Standards for the Professional Practice of Internal Auditing published by the Institute of Internal Auditors, Inc., generally accepted governmental auditing standards and the certified Internal Auditor Code of Professional Ethics shall serve as guidelines for Houston Community College System internal audit activities as required by the Texas Internal Auditing Act.

* Standards for the Professional Practice of Internal Auditing - issued by the Institute of Internal Auditors.

* Generally Accepted Governmental Auditing Standards - issued by the US General Accounting Office, Comptroller General.

* The Certified Internal Auditor Code of Professional Ethics - issued by the Institute of Internal Auditors.

Responsibilities

In accordance with Board Policy, Internal Audit is responsible for assessing the various functions and control systems within HCCS and for advising management concerning their condition. The fulfillment of this accountability includes:

  • Developing a flexible risk based annual internal audit plan with input from Senior Management and the Board of Trustees as required by IIA Standard 2012. A1 and submit the audit plan to the Audit Committee for review and the Board for approval.
  • Reviewing and adjusting the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls with Audit Committee review and the Board for approval. 
  • Meeting regularly with the Board Audit Committee to provide updates by reviewing audits performed, audits in progress, future audits, and sufficiency of the Department resources.
  • Conducting independent and constructive audits to review effectiveness of controls, financial records, operations, or to review departmental records, the proper recording of transactions, and compliance with applicable rules, regulations, policies, and procedures.
  • Analyzing data obtained for evidence of deficiencies in controls, integrity, duplication of effort, or lack of compliance with College policies and procedures.
  • Conducting audits which examine the effectiveness of the governance, risk management, and internal control processes in promoting the achievement of strategic objectives concerning all reporting, operations, safeguarding of assets, and compliance.
  • Investigating allegations of fraud, waste, abuse and other wrongdoing as appropriate and in accordance with Board Policy, and coordinating such investigations as needed with Legal Counsel or the HCCS Police.
  • Offering Advisory services; Internal Control or Fraud training; Control Self-Assessment (CSA) services, and other audit technique workshops as warranted.
  • Coordinating audit efforts with those of external financial auditors and acting as a liaison for other external auditors.
  • Coordinate efforts with other control monitoring functions within HCCS (risk management, compliance, security, legal, ethics, safety and environment).
  • Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this Charter and ensure that personnel in the Department have appropriate continuing education to foster advancement of technical knowledge and skills.

Approved by the Board of Trustees, October 20, 2016.