How are University areas selected for audits?

Areas are selected for review in several ways: our annual audit risk analysis, state or federal requirements, and special requests or other circumstances such as investigations.

Each year the audit staff performs a risk analysis of UT departments or auditable areas to determine next year’s audit schedule. The following factors are considered in determining the relative risk of each area to the University:

  • Findings from prior audits
  • Time since last audit
  • Size and/or complexity of operations (by budget or transactions)
  • Whether the department collects revenue and/or volume of collections
  • Recent changes in management, staff, and/or operating systems
  • Public sensitivity
  • Evaluation of internal controls
  • Comments and concerns of senior management

We use this information to establish priorities and develop our annual audit schedule. Because Audit and Compliance operates as a service to management, our schedule is open to possible revision any time during the fiscal year to accommodate administrative requests or other special circumstances.

Back to top »

What are auditable activities?

Auditable University activities may include:

  • Cost centers and auxiliary services
  • General ledger account balances
  • Information systems (manual and computerized)
  • Grants and contracts
  • Academic programs
  • Athletics programs and NCAA compliance
  • Equipment inventory
  • Functions such as information technology, procurement, financial aid, and human resources
  • Transaction activities such as sales and accounts receivable, purchasing, accounts payable and disbursements, inventory management and valuation, and payroll
  • Financial statements
  • Compliance with laws and regulations

Back to top »

What are internal controls?

“Internal control” is a term commonly used by auditors as they plan and carry out departmental audits. The integrity of the University’s accounting and operating systems depends on properly functioning controls. The system of internal controls consists of all measures taken by an organization to:

  • Safeguard assets from waste and fraud
  • Promote accuracy and reliability in the accounting records
  • Encourage and measure compliance with policies
  • Evaluate the efficiency of operations

Some examples of internal controls include separating the duties of handling cash and reconciling deposits, limiting access to petty cash and safe combinations to a few employees, and separating the duties of preparing payroll and distributing paychecks.

Back to top »

What internal controls should my department have in place?

Each year University departments are required to complete the Self-Assessment of Internal Controls Questionnaire. To help you determine what internal controls you should have in place, a Self-Audit Sampler is available online. This document contains several self-assessment questionnaires and can be used in conducting a self-audit to evaluate the adequacy of your department’s controls. The questions address key areas such as returned checks, movable equipment, and grants and contracts. However, the questionnaires are not interactive and not meant to substitute for completing the annual self-assessment.

Back to top »

What happens in an audit?

When an area is selected for review, the following process generally occurs.

Audit Planning

The auditor assigned to the audit will review the files of prior audits in your area (if any), review applicable professional literature, research any applicable policies or statutes, and then prepare an initial audit program, which is basically a list of steps we will perform in the audit.


Opening Conference

This is a meeting between the manager(s) of the area being audited and the internal auditor(s). In the meeting we explain what we expect to happen in the audit and give you the opportunity to share any concerns you may have. For example, if you would like us to review a particular process or procedure in your unit, let us know at this meeting and we will try to include it in our audit.



During this process we will likely interview employees in the department to inquire about their duties. We may flowchart the processes being reviewed to better understand and evaluate them. Also, we will perform tests of departmental documents, e.g., payroll and equipment records, to determine the adequacy of the internal controls, or safeguards, in place and compliance with applicable policies. Some of this work will be performed in our office and some in the unit being audited.


Exit Conference

Throughout our review we will try to be open regarding what we find and plan to recommend in the audit report. Once we complete the fieldwork, we will meet informally with departmental management to discuss our preliminary results. If we have misinterpreted anything in the review, or if you disagree with our conclusions, you have the opportunity to let us know so that we can make clarifications before issuing our report.


Report Writing

After the exit conference, the auditor in charge will write a report stating what we did, what we found, and any recommendations for improvement.

Management Response

When we have completed a draft of the report, we will send a copy to the department head for his or her review. At this point we will ask for management’s written response to the recommendations, which will be included in the report.


Reporting Process

The report will be sent to all levels of management involved in the audited area, other University officials, and the Audit and Compliance Committee of the Board of Trustees. Each month an executive summary of reports issued is sent to the president and the Audit and Compliance Committee.

When the report is distributed, we will request your written response within 30 days regarding the recommendation(s) made and your planned corrective action(s). After receiving your response, we will determine whether your planned actions are appropriate.


Follow-up Process

Often we will follow up to determine whether the recommendations have been implemented. If they have not been implemented, we will restate in writing the reason(s) for and importance of addressing our recommendation(s).

Back to top »