UTMDACC INSTITUTIONAL POLICY # ADM0336

INTERNAL AUDIT POLICY

PURPOSE

The purpose of this policy is to outline the authorities and responsibilities of The University of Texas MD Anderson Cancer Center (MD Anderson) Internal Audit Department (Department).

POLICY STATEMENT

It is the policy of MD Anderson to maintain an Internal Audit Department to assist MD Anderson and its governing boards with independent Assurance and Consulting Services, as needed, to ensure the adequacy, effectiveness, and efficiency of MD Anderson’s systems of internal control and operations.

SCOPE

The scope of work of Internal Audit is to determine whether MD Anderson’s network of risk management, control, and processes, as designed and represented by management, is adequate and functioning in a manner to help ensure:

Risks are appropriately identified and managed.

Significant financial, managerial, and operating information is accurate, reliable, and timely.

Employees’ actions are in compliance with policies, standards, procedures, and applicable laws and regulations.

Resources are acquired economically, used efficiently, and adequately protected.

Programs, plans, and objectives are achieved.

Quality and continuous improvement are fostered in the institution’s control process.

Opportunities for improving management control may be identified within Internal Audit’s scope of work. These opportunities will be communicated to the appropriate level of management. The policy applies, but is not limited, to all departments, programs, funding sources, and to all faculty, trainees/students, and other members of MD Anderson’s workforce.

TARGET AUDIENCE

The target audience for this policy includes, but is not limited to, all faculty, trainees/students, and other members of MD Anderson’s workforce.


DEFINITIONS

Assurance Services: An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.

Consulting Services: Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.

Internal Auditing: An independent objective assurance and consulting activity, designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Institutional Audit Committee (Audit Committee): The Institutional Audit Committee is an advisory body which operates in accordance with the delegated authorities afforded to them by the University of Texas System Board of Regents (Board of Regents). An important objective of the Institutional Audit Committee is to support and oversee the activities of Internal Audit, thereby maximizing the value of the Internal Auditing function within MD Anderson.

PROCEDURE

1.0 Authority

1.1 The Internal Audit Department at MD Anderson functions in accordance with policies established by the President, the University of Texas System Administration, the Board of Regents, the Texas Internal Auditing Act, and the International Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors.

1.2 The Vice President and Chief Audit Officer of Internal Audit reports functionally to the President and the University of Texas System Chief Audit Executive, and administratively to the Sr. Vice President of Business and Regulatory Affairs. The Vice President and Chief Audit Officer may also consult, as needed, with the administration of The University of Texas System, the Chancellor, the Board of Regents, or other governmental bodies.

1.3 The Internal Audit Department has full, free, and unrestricted access to all information needed to accomplish its duties.

1.4 In the performance of an audit or investigation, the auditors have the authority to examine all reports and documentation whether business, research, patient-related, or protected health information (PHI); to access all electronically stored data and review any system of processing such data; to interview all personnel; and to observe or inspect all items of property or equipment.

1.5 In addition, the auditors have the authority to perform any other audit procedures or tests that the Vice President and Chief Audit Officer deems necessary to accomplish the objectives of the audit or investigation.

1.6 Internal Audit staff is not authorized to:

A. Perform any operational duties.

B. Initiate or approve accounting transactions external to Internal Audit.

C. Direct the activities of any MD Anderson employee not employed by Internal Audit, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the auditors.

2.0 Responsibilities

2.1 Develop and implement a flexible annual work plan using an appropriate risk-based methodology, including any risks or control concerns identified by management, UT System officials, or the Board of Regents. The plan will be submitted to the MD Anderson President, the Audit Committee, and the Board of Regents for review and approval, and any revisions will be approved by the Audit Committee.

2.2 Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of the Internal Auditing Charter, the Texas Internal Auditing Act, and the International Standards for the Professional Practice of Internal Auditing of The Institute of Internal Auditors.

2.3 Issue periodic reports to the President and the Audit Committee summarizing results of audit activities.

2.4 Keep the President and the Audit Committee informed of emerging trends and successful practices in Internal Auditing.

2.5 Assist in the investigation of significant issues within the institution and notify appropriate members of executive management of the results.

2.6 Consider the scope of work of the external auditors and regulators, as appropriate, for the purpose of providing optimal audit coverage to the institution.

2.7 Conduct quality assurance reviews in accordance with professional Internal Auditing standards and periodically take part in an external peer review.

2.8 Provide consulting and advisory services, as appropriate.

2.9 Guide the institution on control self-assessment by assisting managers with risk self-assessment and conducting self-audits.

2.10 Provide information to the University of Texas System Chief Audit Executive as required or requested to fulfill the System-wide audit oversight and reporting responsibilities.

2.11 File Internal Audit reports and related responses or action plans with the University of Texas System Audit Office, budget division of the Governor’s Office, State Auditor, and the Legislative Budget Board within two weeks after their presentation to the Audit Committee.

2.12 Prepare the annual report required by the Texas Internal Auditing Act (Section 2102, Government Code) and submit the report to the MD Anderson President, University of Texas System Audit Office, Budget Division of the Governor’s Office, State Auditor, and the Legislative Budget Board.

2.13 The activities of Internal Audit will meet or exceed the International Standards for the Professional Practice of Internal Auditing of The Institute of Internal Auditors. Internal Audit will also abide by generally accepted government auditing standards, the Texas Internal Auditing Act, and University of Texas System policies and guidelines.

2.14 Obtain management action plans from responsible audit areas within ten (10) business days of audit report distribution, unless other arrangements have been made. Management action plans will be approved by the respective Executive Vice President or their designee.

2.15 Perform validations to ensure that agreed upon action plans are implemented by management within the agreed upon time frame.


ATTACHMENTS / LINKS

None.

RELATED POLICIES

None.

JOINT COMMISSION STANDARDS / NATIONAL PATIENT SAFETY GOALS

None.

OTHER RELATED ACCREDITATION / REGULATORY STANDARDS

None.

REFERENCES

The Board of Regents of The University of Texas System.

The International Standards for the Professional Practice of Internal Auditing.

Texas Internal Auditing Act (Texas Government Code, Chapter 2102).


___________________________________________________________________________________

POLICY APPROVAL

Approved With Revisions Date: 11/11/2013
Approved Without Revisions Date:
Implementation Date: 11/11/2013
Version: 16.0

___________________________________________________________________________________

RESPONSIBLE DEPARTMENT(S)

Internal Audit
