Cathy Smock
Issues related to efficiency and accountability have become increasingly important in recent years. Here, Cathy Smock, the A&M System's chief internal auditor, describes the functions of the Internal Audit Office and the processes put into place to identify and prevent fraud and waste.
Government Code 2102 requires that Internal Audit must report directly to the Board of Regents. Why is this important?
Interestingly enough, the Board of Regents required that the chief auditor report to its Committee on Audit before the state mandated the reporting relationship in law. The Board recognized the importance of the chief auditor being independent from all operational and management responsibilities and wanted to ensure that the audit function had a direct line of communication to the Committee on Audit.
Increasing efficiency has been an important priority of Gov. Perry and others in recent years. What are some examples of how Internal Audit has increased efficiencies in the A&M System?
Strong internal controls help prevent unplanned incidents that negatively impact operations and require rework and downtime. We have made recommendations to our A&M System members related to cash handling, voucher processing, information technology, human resources management, and so on that over time should provide for more efficient operations.
Additionally, Internal Audit has promoted the implementation of enterprise-wide risk management processes to assist our System members in determining where their greatest risks are so that their limited resources can be used to mitigate the risks in the operational areas that have the highest risks.
There are several types of reviews—financial, compliance, operational, management information systems, and system development and implementation. Is it common for more than one type of review to be used at the same time for an office or organization? For example, does a narrow financial review ever expand into a larger operational review?
Rarely do we perform narrow financial reviews. Our audits generally cover all aspects of an office's or department's operations, including reviewing the financial, compliance, management and operational processes.
The audit function is centralized in the A&M System. Does this mean that audit staff members travel frequently to A&M System campuses around the state?
Internal Audit staff travel to several A&M System members each year. Generally, we have three or four employees and sometimes even more traveling around the state each month. We are able to limit individual employee travel by rotating travel assignments among the audit staff.
How does Internal Audit make sure that recommendations are implemented after an audit is completed?
We ask management to provide us with the status of the implementation of recommendations from our audit reports. Once management reports to us that their recommendations are implemented, we will schedule a follow-up review to verify that the recommendation has been implemented. The follow-up on prior audit recommendations is required by our internal auditing standards and state law.
The yearly audit plans that are found on the Internal Audit website state that "projects included in this plan were primarily identified through our System-wide risk assessment process." What does this process entail?
The risk assessment process is a method that assists us in focusing our limited resources on those areas that are high risk to our A&M System members' operations. To do this, we use a matrix format that lists the "auditable units," or processes, down the side of the matrix and the risk factors that measure the "impact" and "likelihood" of the risks across the top. We rank each auditable unit as a high, medium, or low risk for each of the risk factors identified across the top of the matrix.
Auditable units are the key processes that our System members use to achieve their overall mission, goals, and objectives. Examples of auditable units include human resources management, purchasing, student services, information technology and research. Examples of some of the risk factors used in the matrix include strategic impact, financial impact, magnitude of oversight, change in mission or management, and institutional management concerns.
A matrix is completed for each A&M System member. Once the matrices are finalized, we review and evaluate the results for all of the System members and determine which risk-based audits should be included in our annual audit plan based on the number of resource hours we have available for audits.
What are some of the broad risk factors now being discussed in the higher education arena?
Currently, some of the areas identified as high risk by us, and our peers across the country, include IT network security and data protection; enterprise risk management (ERM) processes; federally sponsored research compliance, especially in the areas of cost-sharing and effort reporting systems; management of procurement card programs; campus safety and security; and conflict of interest/"tone at the top" issues.