What is Internal Audit?
The official definition of internal auditing, from the Institute of Internal Auditors, states: “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
In Round Rock ISD, the internal audit department provides the Board of Trustees and the Superintendent with independent analysis, appraisals, and recommendations concerning the adequacy and effectiveness of the District’s systems of internal control and the quality of performance of management in carrying out assigned responsibilities.
Support from the administration and the Board of Trustees is essential for the audit staff to carry out this responsibility. For this reason, the internal audit department reports administratively to the Superintendent and functionally to the Board.
The purpose of this charter is to provide in summary form a general understanding of the role and responsibilities of internal auditing within Round Rock ISD.
It is the policy of the District to maintain an Internal Audit Department. Internal auditing is an independent appraisal function established within Round Rock ISD to examine and evaluate the District’s activities as a service to the Board and the Superintendent.
Objective & Scope
The objective of internal auditing is to assist members of the District in the effective discharge of their responsibilities. To this end, internal auditing furnishes them with analyses, appraisals, recommendations, and information concerning the activities reviewed. The audit objective includes promoting effective control at reasonable cost.
The scope of internal auditing encompasses the examination and evaluation of the adequacy and effectiveness of the District’s system of internal control and the quality of performance in carrying out assigned responsibilities and achieving established objectives.
- Evaluating the reliability and integrity of financial, operating, and performance information and the means used to identify, measure, classify, and report such information.
- Analyzing the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations that could have a significant impact on operations and reports, and determining whether the District is in compliance.
- Reviewing the means of safeguarding assets and, as appropriate, confirming the existence of such assets.
- Appraising the economy and efficiency with which resources are employed.
- Assessing operations and programs to ascertain whether results are consistent with established objectives and goals.
The internal auditor should be independent of the activities audited. Independence permits the auditor to render the impartial and unbiased judgments essential to the proper conduct of audits. Independence is achieved through organizational status and the auditor’s mental attitude in performing assigned audits. In order to retain the highest degree of independence and objectivity, internal audit has a reporting responsibility to the Board of Trustees.
Internal audit activities should be performed with proficiency and due professional care. Audit personnel are responsible for continuing their education in order to maintain proficiency and technical competence. The auditor should be kept informed of improvements and current developments in internal auditing standards, procedures, and techniques and should be provided continuing education through membership and participation in professional societies; attendance at conferences and seminars; and participation in self-study programs.
Due Professional Care
The auditor should use reasonable audit skill and judgment and exercise due professional care in performing every audit. The internal auditor is required to conduct examinations and verifications of the activity under audit to a reasonable extent, but is not required to perform detail audits of all transactions. Accordingly, the internal auditor cannot give absolute assurance that noncompliance or irregularities do not exist. Nevertheless, the possibility of material irregularities or noncompliance should be considered whenever the internal auditor undertakes an auditing assignment.
Types of Audits
Internal audit will perform the following types of audit, review, and analysis activities:
A confidential audit plan and schedule will be submitted to the Board of Trustees by September of each year for approval, describing suggested activities for the fiscal year. The schedule should list all departments, programs, and activities subject to review within the next fiscal year.
It is the responsibility of the department manager or campus administrator to make available to the auditor all financial records, documentation, and access to key individuals that are related to the audit being conducted. The auditor cannot be expected to be completely knowledgeable about all activities, systems, procedures, and programs within the organization. The auditor cannot be expected to search all files in the auditee’s office or to master all procedures in a limited time without full cooperation of the department or area under review.
Audit Workpaper Retention
It is the policy of the District that all audit workpapers and audit reports be kept for five and ten years, respectively. A longer retention period for special audits may be determined by the auditor’s professional judgment.
The internal auditor can contribute a wealth of information to the organization over and above the assurance provided by evaluating the quality of control systems and ongoing operations. The auditor should demonstrate an in-depth understanding of the strengths and weaknesses of the District, its accomplishments and current problems, the quality of its services, the concerns of its employees, and efficiencies and diseconomies of its operations.
This policy statement is meant to serve as a framework to guide the internal auditor in accomplishing assigned responsibilities. It is intended to be flexible enough to remain applicable as the auditing profession changes and as the structure and operations of the District and the individual campuses change through growth and reassessed needs.
The purpose of The Institute’s of Internal Auditors Code of Ethics is to promote an ethical culture in the profession of internal auditing.
A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about risk management, control, and governance.
Rules of Conduct
1.1 Shall perform their work with honesty, diligence, and responsibility.
1.2 Shall observe the law and make disclosures expected by the law and the profession.
1.3 Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.
1.4 Shall respect and contribute to the legitimate and ethical objectives of the organization.
2.1 Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.
2.2 Shall not accept anything that may impair or be presumed to impair their professional judgment.
2.3 Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.
3.1 Shall be prudent in the use and protection of information acquired in the course of their duties.
3.2 Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.
4.1 Shall engage only in those services for which they have the necessary knowledge, skills, and experience.
4.2 Shall perform internal auditing services in accordance with the International Standards for the Professional Practice of Internal Auditing.
4.3 Shall continually improve their proficiency and the effectiveness and quality of their services.
Anonymous Reporting Hotline
Fraud Hotline Website (online form available in English and Spanish)
All reports are confidential and the employee’s identity will remain anonymous.
The Round Rock Independent School District is committed to the highest possible standards of ethical, moral and legal business conduct. In line with this commitment, the District has established an anonymous reporting hotline. The hotline is intended to be used to report serious concerns or questionable actions that:
- May lead to incorrect financial reporting;
- Are unlawful;
- Are not in line with Round Rock ISD policies and procedures;
- Otherwise amount to serious improper conduct.
The hotline is operated by Lighthouse, a third party provider. The hotline is available 24 hours a day, 7 days a week, 365 days a year, for use by employees, or the general public who wish to report an incident anonymously.
All calls to the Round Rock ISD Reporting Hotline should be made in good faith to report fraud, waste or abuse rather than as a means for malicious allegations or to report general dissatisfaction with supervisors or job duties.
Call the Round Rock ISD Hotline to report:
- Theft or embezzlement
- Vandalism and sabotage
- Violation of District policies and procedures
- Conflicts of interest
- Alcohol and substance abuse
- Ethical violations
- Misuse of District property
- Violation of the law
- Bribery or kickbacks
- Falsification of contracts, reports, or records
- Unsafe working conditions
- Sexual harassment
- Improper Conduct
Internal auditing is an integral part of the District and functions under the policies established by the Superintendent and the Board of Trustees. Internal auditing is authorized to direct a broad, comprehensive program of examination within the District. To allow the internal audit function to be discharged in an effective manner, the auditor has the authority to audit all functions and have unrestricted access to all records, personnel, and physical properties within the District.
To ensure independence and objectivity, internal audit shall not develop and install procedures, prepare records, or engage in any activity that would normally be subject to its review. Moreover, internal audit shall have no authority over, or responsibility for, any of the activities audited. Internal auditing is not intended to be a replacement for operating management’s responsibility to implement and ensure the adequacy, effectiveness, and efficiency of internal controls, but rather is an evaluator of those controls.
The auditor shall develop a comprehensive internal audit plan to ensure all activities and programs of the District are reviewed at appropriate intervals based on a documented risk analysis. The audit plan shall encompass financial, operational, and compliance performance concerns as identified in the assessment of the District’s risk. The internal audit plan should be reviewed and approved annually by the Board of Trustees.
A written report will be prepared and issued by the auditor following the conclusion of each audit and will be distributed as appropriate. Should corrective action be indicated, as evidenced by specific recommendations contained in the internal audit report, management shall include in its response specific steps taken or planned to effect the corrective action. Their response may also indicate that they assume the risk of not correcting the deficiency reported. Depending upon the potential consequences of identified risks, these situations may be brought to the attention of the Superintendent or the Board of Trustees for further review.
With respect to program audits, reports will focus on achievement of established objectives and measurement of outputs, benefits, and impacts. Program audits may result in recommendations to expand, improve, limit, or discontinue a program. Again, depending upon the impact of these recommendations, these situations may be brought to the attention of the Superintendent or the Board of Trustees for further review and public discussion.
The internal auditor will be an indirect line of responsibility to the Superintendent and a direct line of responsibility to the Board of Trustees. The evaluation of the performance of the internal auditor shall be the responsibility of the Superintendent, with input from the Board.
Standards of Internal Audit
The audit department shall adhere to the professional and ethical standards regarding internal auditing as set by the Institute of Internal Auditors and the American Institute of Certified Public Accountants.
Due to the complexity of District operations and limited internal audit resources, a risk assessment is performed annually to measure the financial, compliance and operational risks associated with each department and/or activity. All areas identified for audit coverage are evaluated against eight criteria presented below. A rating scale of 1 to 5, with 5 having the greatest risk, is applied to these criteria.
- Risk of diversion or loss of assets
- Materiality to the financial statements
- Seriousness of deficiencies indicated in previous internal, external, or management audit reports
- Change in management or key personnel positions
- Complexity of the activity or complexity of the transactions processed
- Activity changes: service, technology, or objectives; regulations or regulatory emphasis; or any other change or unusual situation
- Need for an audit presence in terms of the time elapsed since the previous audit
- Management response to the departmental risk assessment questionnaire
After compiling this information, the audit areas are prioritized into three categories: high risk, moderate risk, and low risk. Our ultimate goal is that all high-risk areas will be audited within 24 months of the previous audit report date, moderate-risk areas will be audited within 36 months of the previous audit date, and low-risk areas will be audited within 48 months of the prior audit report date. This risk assessment will be performed on an annual basis, and it is likely that some category reassignments will occur each year. In addition to the risk methodology for operational audits, the audit department has created risk criteria to assess the need for individual campus audits. All campuses identified for audit coverage are evaluated against three criteria explained below. A rating scale of 1 to 3, with 3 having the greatest risk is applied to these criteria.
- Materiality of annual cash receipts
- Time since last audit
- Change in campus principal or secretary/bookkeeper at the campus
- Internal control environment at the campus