PURPOSE AND MISSION
Internal audit serves agency administrators and the governing Board by furnishing independent analyses, appraisals, and recommendations about the adequacy and effectiveness of TSBVI’s systems of internal control and the quality of performance in carrying out assigned responsibilities. Gov’t Code 2102.002
The Governmental Accounting Standards Board declares on their website: “GAAP (Generally Accepted Accounting Practices) is the only acceptable standard in the United States for governments and non-profits.” (12-1-2020)
The purpose of the Texas School for the Blind and Visually Impaired (TSBVI) Internal Audit activity is to provide independent, objective assurance and consulting services designed to add value and improve TSBVI’s operations. The mission of internal audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. The internal audit activity helps TSBVI to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes. Institute of Internal Auditors (IIA) Model Charter; Texas Internal Audit Act, Gov’t Code 2102
The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the Professional Practices Framework (the Core Principles, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The Internal Auditor must periodically review the internal audit charter and present it to senior management and the Board for approval. IIA Standard 1000; Gov’t Code 2102.007, .011
STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING
The internal audit program shall comply with the Texas Internal Audit Act, the Standards for the Professional Practice of Internal Auditing, the Code of Ethics contained in the Professional Practices Framework as promulgated by the Institute of Internal Auditors, and generally accepted governmental auditing standards. Gov’t Code 2102.011
The internal audit activity will govern itself by adherence to the mandatory elements of The Institute of Internal Auditors’ Professional Practices Framework, including the core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing. The Internal Auditor will report periodically to senior management and the Board regarding the internal audit activity’s conformance to the Code of Ethics and the Standards.
Standards for public sector audits have been established by the U.S. General Accounting Office in its publication GAS (revised 2018). These standards form the Generally Accepted Government Auditing Standards (GAGAS). When an auditor is to perform a financial audit in accordance with the higher standards set by GAGAS, the engagement letter and request for qualifications should specify this requirement. When auditors are engaged to perform a single audit (in accordance with the Single Audit Act Amendments of 1996), they must perform the audit in accordance with GAGAS in addition to Generally Accepted Auditing Standards (GAAS). The additional GAGAS relate to auditor communications, considering the results of previous audits and attestation engagements, detecting material misstatements resulting from violations of contract provisions or grant agreements or from abuse, developing elements of a finding for financial audits and audit documentation.
Audit documentation for financial audits performed under GAGAS should contain the additional items not explicitly addressed in the American Institute of Certified Public Accountants (AICPA) standards or elsewhere in GAGAS:
- Evidence of supervisory review of the work performed; and
- The auditor’s determination that certain additional government auditing standards do not apply or that an applicable standard was not followed; the reasons therefore; and the known effect that not following the applicable standard had, or could have had, on the audit.
Working papers must be retained by the auditor for a period of not less than 5 years.
See TEA’s 2020 Financial Accountability System Resource Guide
Ten Core Principles articulate what effective internal auditing looks like in practice:
- Demonstrates integrity
- Demonstrates competence and due professional care
- Is objective and free from undue influence (independent)
- Aligns with the strategies, objectives and risks of the organization
- Is appropriately positioned and adequately resourced
- Demonstrates quality and continuous improvement
- Communicates effectively
- Provides risk-based assurance
- Is insightful, proactive, and future-focused
- Promotes organizational improvement
The professional standards and guidance contained in Government Auditing Standards, commonly referred to as generally accepted government auditing standards (GAGAS), provide a framework for conducting high quality audits with competence, integrity, objectivity, and independence. These standards are for use by auditors of government entities and entities that receive government awards and audit organizations performing GAGAS audits. GAGAS contains requirements and guidance dealing with ethics, independence, auditors’ professional judgment and competence, quality control, performance of the audit, and reporting. GAGAS 1.04
The program of internal auditing conducted by a state agency must provide for the auditor to have access to the administrator; and be free of all operational and management responsibilities that would impair the auditor’s ability to review independently all aspects of the state agency’s operation. TGC Gov’t Code 2102.007
The Internal Auditor shall report functionally to the Board of trustees on internal auditing matters and administratively to the School Superintendent. The Internal Auditor must be a certified public accountant (CPA) or a certified internal auditor (CIA) and have at least three years of auditing experience. The board of trustees shall periodically review the resources dedicated to the internal audit program and determine if adequate resources exist to ensure that risks identified in the annual risk assessment are adequately covered within a reasonable time frame. Gov’t Code 2102.006
The Internal Auditor will report functionally to the Board and administratively (i.e., day-to-day operations) to the Superintendent. To establish, maintain, and assure that TSBVI’s internal audit activity has sufficient authority to fulfill its duties, the Board will:
- Approve the internal audit activity’s charter.
- Approve the risk-based internal audit plan.
- Approve the internal audit activity’s budget and resource plan.
- Receive communications from the Internal Auditor on the internal audit activity’s performance relative to its plan and other matters.
- Hire and remove the Internal Auditor.
- Approve the contract for remuneration of the Internal Auditor.
- Make appropriate inquiries of management and the Internal Auditor to determine whether there is inappropriate scope or resource limitations.
The Internal Auditor will have unrestricted access to, and communicate and interact directly with, the Board and Audit Committee, including in private meetings without management present.
The Board authorizes the internal auditor to:
- Have full, free, and unrestricted access to all functions, records, property, and personnel pertinent to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information.
- Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques required to accomplish audit objectives, and issue reports.
- Obtain assistance from the necessary personnel of TSBVI, as well as other specialized services from within or outside TSBVI, in order to complete the engagement.
Administrative reporting is the reporting relationship within the organization’s management structure that facilitates the day-to-day operations of the internal audit activity. Administrative reporting typically includes:
- Budgeting and management accounting
- Human resource administration, including personnel evaluations and compensation
- Internal communications and information flows
- Administration of the internal audit activity’s policies and procedures. IIA PA 1110-1
INDEPENDENCE AND OBJECTIVITY
The program of internal auditing conducted by a state agency must provide for the auditor to:
- Have access to the administrator; and
- Be free of all operational and management responsibilities that would impair the auditor’s ability to review independently all aspects of the state agency’s operations. Gov’t Code 2102.007(b)
The Internal Auditor will ensure that the internal audit activity remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and report content. If the Internal Auditor determines that independence or objectivity may be impaired in fact or appearance, the details of impairment will be disclosed to appropriate parties.
Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.
Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, internal auditors will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgment, including:
- Assessing specific operations for which they had responsibility within the previous year.
- Performing any operational duties for TSBVI or its affiliates.
- Initiating or approving transactions external to the internal audit activity.
- Directing the activities of any TSBVI employee not employed by the internal audit activity, except to the extent that such employees have been appropriately assigned to auditing teams or to otherwise assist internal auditors.
When the Internal Auditor has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards will be established to limit impairments to independence or objectivity.
Internal auditors will:
- Disclose any impairment of independence or objectivity, n fact or appearance, to appropriate parties.
- Exhibit professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.
- Make balanced assessment of all available and relevant facts and circumstances.
- Take necessary precautions to avoid being unduly influenced by their own interests or by others in forming judgments.
The Internal Auditor will confirm to the Board, at least annually, the organizational independence of the internal audit activity. The organizational independence of the internal audit activity at TSBVI is affirmed through the annual review and update of the Internal Audit Charter. Gov’t Code 2102.009
The Internal Auditor will disclose to the Board any interference and related implications in determining the scope of internal auditing, performing work, and/or communicating results. IIA Model Charter
Many different circumstances, or combinations of circumstances, are relevant in evaluating threats to independence. Therefore, GAGAS establishes a conceptual framework that auditors use to identify, evaluate, and apply safeguards to address threats to independence. The conceptual framework assists auditors in maintaining both independence of mind and independence in appearance. It can be applied to any variations in circumstances that create threats to independence and allows auditors to address threats to independence that result from activities that are not specifically prohibited. GAGAS 3.07
SCOPE OF INTERNAL AUDIT ACTIVITIES
The scope of internal audit activities encompasses, but is not limited to, objective examinations of evidence for the purpose of providing independent assessment to the Board, management, and outside parties on the adequacy and effectiveness of governance, risk management, and control processes for TSBVI. Internal audit assessments include evaluating whether:
- Risks relating to the achievement of the TSBVI’s strategic objectives are appropriately identified and managed.
- The actions of TSBVI’s officers, directors, employees, and contractors are in compliance with TSBVI’s policies, procedures, and applicable laws, regulations, and governance standards.
- The results of operations or programs are consistent with established goals and objectives.
- Operations or programs are being carried out effectively and efficiently.
- Established processes and systems enable compliance with the policies, procedures, laws, and regulations that could significantly impact TSBVI.
- Information and the means used to identify, measure, analyze, classify, and report such information are reliable and have integrity.
- Resources and assets are acquired economically, used efficiently, and protected adequately.
The Internal Auditor will report periodically to senior management and the Board and/or Audit Committee regarding:
- The internal audit activity’s purpose, authority, and responsibility.
- The internal audit activity’s plan and performance relative to its plan.
- The internal audit activity’s conformance with the IIA’s Code of Ethics and Standards, and action plans to address any significant conformance issues.
- Significant risk exposures and control issues, including fraud risks, governance issues, and other matters requiring the attention of, or requested by, the Board.
- Results of audit engagement or other activities.
- Resource requirements.
- Any response to risk by management that may be unacceptable to TSBVI.
The Internal Auditor also coordinates activities, where possible, and considers relying upon the work of other internal and external assurance and consulting service providers as needed. The internal audit activity may perform advisory and related client service activities, the nature and scope of which will be agreed with the client in writing, provided the internal audit activity does not assume management responsibility.
Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during engagements. These opportunities will be communicated to the appropriate level of management. IIA Model Charter
Using professional judgment is important to auditors in carrying out all aspects of their professional
responsibilities, including following the independence standards and related conceptual framework;
maintaining objectivity and credibility; assigning competent staff to the audit; defining the scope of work; evaluating, documenting, and reporting the results of the work; and maintaining appropriate quality control over the audit process. GAGAS 3.64
The Internal Auditor has the responsibility to:
- Submit, at least annually, to senior management and the Board a risk-based internal audit plan for review and approval.
- Communicate to senior management and the Board the impact of resource limitations on the internal audit plan.
- Review and adjust the internal audit plan, as necessary, in response to changes in TSBVI’s business, risks, operations, programs, systems, and controls.
- Communicate to senior management and the Board any significant interim changes to the internal audit plan.
- Ensure each engagement of the internal audit plan is executed, including the establishment of objectives and scope, the assignment of appropriate and adequate resources, the documentation of work programs and testing results, and the communication of engagement results with applicable conclusions and recommendations to appropriate parties.
- Follow up on engagement findings and corrective actions, and report periodically to senior management and the Board any corrective actions not effectively implemented.
- Ensure the principles of integrity, objectivity, confidentiality, and competency are applied and upheld.
- Ensure the internal audit activity possesses or obtains the knowledge, skills, and other competencies needed to meet the requirements of the internal audit charter.
- Ensure trends and emerging issues that could impact TSBVI are considered and communicated to senior management and the Board as appropriate.
- Ensure emerging trends and successful practices in internal auditing are considered.
- Establish and ensure adherence to policies and procedures designed to guide the internal audit activity.
- Ensure adherence to TSBVI’s relevant policies and procedures, unless such policies and procedures conflict with the internal audit charter. Any such conflicts will be resolved or otherwise communicated to senior management and the Board.
- Ensure conformance of the internal audit activity with the Standards, with the following qualifications:
- If the internal audit activity is prohibited by law or regulation from conformance with certain parts of the Standards, the Internal Auditor will ensure appropriate disclosures and will ensure conformance with all other parts of the Standards.
- If the Standards are used in conjunction with requirements issued by the GAO, the Internal Auditor will ensure that the internal audit activity conforms with the Standards, even if the internal audit activity also conforms with the more restrictive requirements of GAO.
DEFINITION OF ASSURANCE SERVICES
Assurance services involve the internal auditor’s objective assessment of evidence to provide an independent opinion or conclusions regarding an entity, operation, function, process, system, or other subject matter. The nature and scope of the assurance engagement are determined by the internal
auditor. There are generally three parties involved in assurance services: (1) the person or group directly involved with the entity, operation, function, process, system, or other subject matter – the process owner, (2) the person or group making the assessment – the internal auditor, and (3) the person or group using the assessment – the user. IIA Standard 1000.A1
“Assurance services” means an examination of evidence for the purpose of providing an independent assessment of risk management, control, or governance processes. Assurance services include audits as defined in this section. Gov’t Code 2102.003(2)
- a financial audit described by Section 321.0131;
- a compliance audit described by Section 321.0132;
- an economy and efficiency audit described by Section 321.0133;
- an effectiveness audit described by Section 321.0134; or
- an investigation described by Section 321.0136. GAGAS establishes requirements and provides guidance for audits that includes financial audits, attestation engagements, and performance audits. GAGAS 2.01
Gov’t Code 2102.003
DEFINITION OF CONSULTING SERVICES
Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice – the internal auditor, and (2) the person or group seeking and receiving the advice – the engagement client. When performing consulting services, the internal auditor should maintain objectivity and not assume management responsibility. IIA Standard 1000.C1
“Consulting services” means advisory and related service activities, the nature and scope of which are agreed upon with the client and are intended to add value and improve an organization’s operations. Consulting services include counsel, advice, facilitation, and training. Gov’t Code 2102.003(4)
GAGAS does not cover non-audit services, which are defined as professional services other than audits or attestation engagements. GAGAS 2.12
REPORTING AND MONITORING
A state agency shall file with the budget and policy division of the governor’s office, the state auditor, and the Legislative Budget Board a copy of each report submitted to the state agency’s governing board by the agency’s internal auditor. Each report shall be filed not later than the 30th day after the date the report is submitted to the state agency’s governing board. In addition, a state agency shall file with the budget division of the governor’s office, the state auditor, and the Legislative Budget Board any action plan or other response issued by the state agency’s governing board in response to the report of the state agency’s internal auditor. Gov’t Code 2102.0091
The Superintendent is responsible for ensuring that actions on recommendations are reported back to the Internal Auditor on a timely basis. The report will indicate what actions were taken in regard to the specific findings and recommendations in the internal audit reports. If appropriate, a timetable for the anticipated completion of these actions will be included.
The Internal Auditor must establish and maintain a system to monitor the disposition of results communicated to management. The Internal Auditor must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action. IIA Standard 2500
QUALITY ASSURANCE AND IMPROVEMENT PROGRAM
The internal audit activity will maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program will include an evaluation of the internal audit activity’s conformance with the Standards and an evaluation of whether internal auditors apply the IIA’s Code of Ethics. The program will also assess the efficiency and effectiveness of the internal audit activity and identify opportunities for improvement.
The Internal Auditor will communicate to senior management and the Board on the internal audit activity’s quality assurance and improvement program, including results of internal assessments (both ongoing and periodic) and external assessments conducted at least once every three years by a qualified, independent assessor or assessment team from outside TSBVI. IIA Model Charter
Amended: 11/15/96, 9/22/00, 11/21/03, 11/21/08, 11/9/12, 11/20/15, 09/30/16, 9/29/17, 8/6/21
Reviewed: 9/24/93, 11/19/10, 11/18/11, 1/31/14