Auditing
What is Internal Audit?
Internal Audit is an independent, objective assurance and consulting activity designed to add value and improve Lee College's (Lee) operations. Audit helps the Lee accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Why are audits performed?
Internal audits are conducted to determine if:
- Risks are appropriately identified, assesses and managed
- Controls are adequately designed and operate effectively
- Activities are in compliance with Lee policies, standards, procedures, and applicable laws and regulations
- Resources are acquired economically, used efficiently, and adequately protected.
- Program objectives are achieved
- Legislative or regulatory requirements impacting the organization are recognized and addressed appropriately and timely
- Material changes such as new service/product offerings, core system conversions, critical process enhancements, are well governed and executed
What are the benefits audits?
There are two main benefits: 1) an audit can provide reasonable assurance an area’s controls operate effectively, or 2) identify improvement opportunities that can reduce risk or enhance operations; e.g., identify a risk that can be better managed by adding a new control, enhancing an existing control, or eliminating a redundant control, discover process improvements, increase effectiveness/efficiency.
How are Internal Audits selected?
Internal Audit and College leadership conduct an annual risk assessment to determine what areas to assess. The risk assessment considers several factors such as size and complexity of operations; compliance, financial, operational, technology, and 3rd party risks; actual risk events, incidents, complaints; open issues and action plans; emerging trends in education, Texas, and our community; and changes in processes, systems, people, and third-party partners.
The inventory of potential audits is analyzed, aggregated, and prioritized to create the audit plan. After the proposed plan confirmed with the president, it is presented to the Audit and Investment Committee for review and approval.
What happens during an audit?
An audit consists of three standard phases: Planning, Fieldwork, and Reporting, which are followed by post audit Monitoring.
During the Planning Phase, the Internal Auditor and the area being audited work to identify the departmental actions, risks, controls, and time period to be assessed. Key inputs into this include the department’s purpose, objectives, primary activities, performance measures, current performance, key contacts for the audit, and location of departmental process, procedure, and standards documentation.
Using available documentation, discussions, and observation, Internal Audit will gain an understanding the process, and work with management to determine risks that can impact the department achieving its objectives. The department and Audit will rate the likelihood and impact of the risks on an inherent basis: do not consider current controls in place. For risks that are rated High or Elevated, the department and Audit will identify and rate the controls that address each of those risks as well as flag them as “key” or “supporting.” Those risks and controls are the scope of the audit. Based on the scope, Audit will develop the Audit Program which is a series of procedures Audit uses to assess controls, risk management, governance, effectiveness, efficiency.
During the Fieldwork Phase, the Internal Auditor will assess the adequacy of the design of the controls in scope. This may involve having the department walkthrough the control in real-time or showing documentation of the control’s use. If a control is deemed to be adequately designed, the Internal Auditor can choose to test the operating effectiveness of the control using multiple approaches from sampling to full file analysis.
If a control is determined to be inadequately designed or operate ineffectively, audit will confirm the issue with the department. If confirmed, the issue will be formally documented to allow the department to formulate a corrective action plan, develop a target completion date, and assign an owner.
During the Reporting Phase, the Internal Auditor will draft the report, work with the department to assure any corrective action plan will address the root cause of the risk issue identified, is cost-effective, and the target date is reasonable. Audit will also ensure the report is a fair representation of the audit result. Audit and the department will provide the confirmed report to the department’s Cabinet member for feedback. The final report will be distributed to Lee recipients, including the Audit and Investment Committee and posted at www.lee.edu. Per State of Texas requirements, within 30 days of the report’s issuance, copies are emailed to the Governor’s Office, Legislative Budget Board, and State Auditor’s Office.
After the report is released, based on action plan’ target dates, Internal Audit tracks (Monitor) progress to assure risk reduction and improvements will be achieved in a timely manner.
How will I know how an audit in my area is going?
Internal Audit transparently communicates throughout the audit process to ensure we are on the same page and there are no surprises. Typically, a 15-minute weekly status meeting is held.
How are issues and action plans tracked and monitored?
Issues and action plans are tracked in a web-based Issue Action Plan database. Periodic communications are sent to Issue and Action Plan owners to determine current progress vs. the plan.
How do I update the status of an action plan?
You can update the status of an action plan by using the web-based application at Corrective Action Plans (internal users only). You can learn how to update the status of your recommendation using the ????
Consulting Services
What types of consulting services are offered?
The types of consulting services offered include change reviews (e.g., new or updated technology, new product/service offering, process rationalization); business process effectiveness; Risk and Control Self-Assessment; procedures quality review; end-to-end process, risk, control mapping; vendor due-diligence; and training (Risk Management, Controls, Fraud). If you want something else, please ask.
Are there any approvals required when requesting consulting services or special projects?
Yes, the request must be approved by the relevant Cabinet member of area making request and by the Internal Auditor.
What factors are used when evaluating a request for consulting services or special project?
Internal Audit’s current workload in terms of value to Lee, the consulting project’s potential benefits to Lee, the potential risks of not doing the requested work, are al considered in the decision.
Are there certain consulting services that Internal Audit cannot perform?
Yes, those include:
- Performing any operational duties
- Initiating or approving accounting transactions not in Internal Audit’s budget center.
- Preparing account records and financial statements
- Accepting responsibility for designing, implementing, or maintaining internal control including responsibility for designing, implementing, or maintaining monitoring procedures
- Services related to information technology systems including the design or implementation of hardware or software systems; our involvement would be limited to that of an advisory capacity
What are management responsibilities in connection with consulting services?
Management responsibilities include:
- Assuming all management responsibilities
- Overseeing the services, by designating an individual, preferably within management, who possess suitable skill, knowledge, or experience
- Evaluating the adequacy and results of the services performed, and
- Accepting responsibility for the results of the services
How do I request consulting services or special projects?
Please contact Internal Audit at 281.425.6305 to discuss your request. A two-way conversation should be more effective and efficient.