Skip to main content About News Giving All Departments Contact Us Site Map
 University of Texas Southwestern Medical School
 
Search       
Print Friendly  
spacer Home Education Research Patient Care Faculty & Administration Resource Careers
Faculty Directory Administration Administrative Departments
| Home > Faculty & Administration > Administrative Departments > Internal Audit >
The Audit Process
 Welcome 
 The Audit Process 
 Staff 
 Resources 
 Other Sites 
 Employment Opportunities 
 

 "Partnering in Risk Management"

Mission Statement

The Office of Internal Audit is an independent appraisal function established within The University of Texas Medical Center at Dallas and charged to examine and evaluate its activities as a service to the Medical Center.

The Internal Audit
Recognizing the discomfort the word “audit” usually elicits, the Internal Audit staff has compiled the following overview of the Office of Internal Audit and the internal auditing process.  In order for this process to be successful, it is important that each area of the Medical Center understands its role in the audit and is familiar with the internal audit function at the Medical Center.

 How is the Office of Internal Audit organized?
In accordance with state law and U.T. System policy, the Medical Center is required to maintain an internal audit function.  The audit committee, which has general oversight authority for Internal Audit, includes the president, the executive vice president for Health System Affairs , the executive vice president for Business Affairs, and the director of Internal Audit.  In order to maintain Internal Audit's independence and objectivity, the director reports functionally to the president. 

Return to Top

 What is its purpose?
Internal Audit interacts with every school, department, division, center and area of the Medical Center.  Internal Audit is also responsible for coordinating audits performed by external auditors, including the State Auditor’s Office, U.T. System Audit Office, and federal and state agencies.  One important function of Internal Audit is to assess the operating performance of the different areas within the Medical Center.  Frequently, the auditors will recommend changes to improve an area's overall efficiency and effectiveness. 

Return to Top 

 What are Internal Audit's objectives?
In general, Internal Audit's objectives are to:

  • evaluate the adequacy of the internal control structure within a department to manage risk;
  • assess the extent of compliance of each area with applicable laws, regulations, policies and procedures;
  • verify the existence of assets and proper safeguards for their protection;
  • evaluate the adequacy, reliability and effectiveness of financial and personnel reporting systems and procedures;
  • appraise the quality of management's performance in carrying out assigned duties, and accomplishing goals and objectives;
  • perform audits directed toward cost savings or revenue enhancement opportunities; and
  • investigate management concerns relating to dishonest or fraudulent activities.

Return to Top 

 Who is audited and why?
Internal Audit develops an annual risk-based audit plan for the Medical Center.  The audit committee and the U.T. System Board of Regents approve the audit plan. 

The audit plan identifies which audits will be conducted during the upcoming fiscal year.  The audit plan may be amended at any time to include requested audits, special projects or changes in priorities.  The audit committee meets quarterly to review the progress of the audit plan.

“Why was I selected for an audit?” is the most commonly asked question concerning the audit plan.  The question is appropriate, and the answer varies with each area.  Not all audits are selected in the same way. 

An area can be selected for an audit if:

  • risk assessment factors are deemed high;
  • it has emerging compliance issues;
  • it is a core business process;
  • alleged irregular conduct has occurred; or
  • there is a request from management.

Selection based on an assessment of risk
The most common method of selecting an area for an audit is the application of a risk assessment model. Several risk factors are considered during the assessment, including the:

  • quality of internal controls;
  • financial materiality;
  • external impact;
  • complexity of operations; and
  • length of time since the area's last audit.

When this model is applied, areas are ranked according to their risk.  Areas with the greatest risk exposure become priority audits.  The risk assessment results in various types of audits including  financial, operational, compliance and information technology.

Core Business Processes
Some audits are performed annually.  These include core business processes such as expenditures, revenues, payroll, equipment and fiscal year-end inventory reviews.

Internal Control Audits
These audits are required when a change in the management of the department occurs.  The objective is to review the department’s internal control processes and provide a current assessment to the new department head.  If the internal controls are unsatisfactory, additional audit work may be performed.

Investigative Audits
These audits are initiated from requests by department personnel, administrative management, the police department, etc.  They focus on alleged, irregular conduct to determine whether civil or criminal violations of state or federal laws have occurred.  Reasons for investigative audits include internal theft, misuse of Medical Center assets and/or conflicts of interest.  Refer to U.T. System’s Business Procedure Memorandum 50-06-94 - Statement of Operating Policy Pertaining to Dishonest or Fraudulent Activities for proper procedures.

Requests for Advisory Services
Executive management and/or department managers may contact the director to request a review of specific functions or operations.  The scope of the service varies depending on the request.  The final report is issued to the appropriate party.

Return to Top

 How is the scope of the audit determined?
The scope of the audit is determined from one or more of the following:

  • specific client concerns in the department;
  • information collected during a preliminary survey, which includes interview with the appropriate client personnel;
  • evaluation of answers received on an internal control questionnaire; and
  • assessment of risk associated with the area's functions.

Sometimes discoveries or events, which occur during an audit, can change the scope. 

In order to achieve our audit objectives, the Internal Audit staff has authority to access all financial, personnel, research and medical records.  The Internal Audit staff ensures the safekeeping and confidentiality of all records and information used during an audit. 

Return to Top 

 How long do audits last?
Audits vary in length.  The amount of time required depends on the audit scope, the ease in obtaining the required information, the number of auditors assigned to the audit and the quality of the client's records.  The internal control audit may take a week or two, while other broad based audits may take six to eight weeks.  A positive working relationship between the client and the auditors is an important factor in the accuracy of information gathered and the timely completion of the audit. 

Return to Top 

 What is the actual audit process?
Engagement Letter

Internal Audit notifies the client in writing when his or her area is selected for an audit.  This document, which is referred to as an engagement letter, indicates the objective of the audit, audit staff members assigned to the audit, the projected time frame of the audit and the information the auditors will need the client to supply. 

Entrance Conference

An entrance conference is scheduled with the client to discuss the purpose, scope and process of the audit.  The director of Internal Audit and the assigned auditor(s) attend the entrance conference with personnel deemed appropriate by the client.  Clients are encouraged to present any questions or concerns they may have about the audit.  Clients may request a specific function or area of their office be examined during the audit or in future work.

Preliminary Survey

During this portion of the audit, the auditor(s) will gain an understanding of the client's procedures, objectives, size, etc.  Written policies and procedures, organizational charts, related forms and job descriptions enable auditors to plan the audit tests to be performed and to become familiar with the client's operations.  Internal controls are reviewed and documented during this portion of the audit.

Fieldwork

During this phase, the auditors will be in the client's area.  This phase of the audit includes testing the internal controls and performing other audit procedures necessary to accomplish the objectives of the audit.  Internal Audit appreciates the value of each person's time and tries to use the time allotted to auditors carefully.  However, please be aware the auditors need to ask questions and will try to work around scheduling conflicts.  Audit recommendations will be given to the appropriate person in writing.

Throughout the audit, the auditor will discuss any proposed recommendation with the client and then prepare a finding sheet.  A written response is required.  The response must include the client's plan for corrective action, the name and title of the person responsible for implementing the corrective action and the date by which the action will be implemented.

Review Audit Work

Continuous review is performed from the planning phase, fieldwork and through the final report, by the supervisor, assistant director and director.  The review process might require additional work be performed in some cases. 

Draft Audit Report

Internal Audit's goal is to complete the audit and issue a draft audit report within 30 days after the completion of fieldwork.  The draft is prepared with a background section, the scope of the audit, any recommendations that were made, and the written response.  An exit conference is scheduled and a copy of the draft report is sent to the client.  The conference is an opportunity to discuss the audit recommendations, clarify any ambiguities and, if necessary, modify the draft report.

Final Report

The final report is issued to the Medical Center president, appropriate senior management, U.T. System administration, and department or division management.  U.T. System prepares a quarterly summary of reports completed by the Medical Center to present to the Board of Regents.  In addition, copies of reports are required to be distributed to the Governor’s Office, the Legislative Budget Board and the State Auditor’s Office. 

Follow-up Audits

Follow-up audits are performed on all audit findings.  These are usually performed within six to twelve months after the initial audit report is issued.

Return to Top

If you would like to request an audit or have questions, please contact Robert Rubel, CPA, CIA, CISA, director of Internal Audit, or Daniel K. Podolsky, M.D., president of the Medical Center and audit committee chair.

 

Home  |  Education  |  Research  |  Patient Care  |  Faculty and Administration  |  Careers
About UT Southwestern  |  News  |  Giving  |  All Departments  |  Contact Us  |  Site Map  |  Legal Policies
President's Message on Diversity   |  State of Texas  |  Texas Homeland Security  |  Statewide Search


Copyright 2009. The University of Texas Southwestern Medical Center at Dallas
5323 Harry Hines Boulevard, Dallas, Texas 75390.     Telephone 214-648-3111