Rule 20401: Audit, Compliance, and Risk Management Programs

1.  Title

Audit, Compliance, and Risk Management Programs

2.  Rule and Regulation

Sec. 1  Audit Program.  The Chancellor, as chief executive officer of the U. T. System, is responsible for ensuring the implementation of appropriate audit procedures for the U. T. System. Accordingly, the U. T. System Chief Audit Executive (CAE) prepares an executive summary of all internal audit activity by the U. T. System internal auditors and the institutional internal auditors for the Chancellor, and functions as a primary source of independent and objective information to the Audit, Compliance, and Risk Management Committee (ACRMC) of the Board of Regents. 

1.1  The CAE plays an important role in enabling the ACRMC to achieve its objectives through:

(a) Facilitating, as needed, the ACRMC Chairman’s interactions with Institutional Audit Committee Chairs and enabling robust sharing of risk and issue information.

(b) Assisting the ACRMC in following leading practices through the establishment of necessary formal meetings, executive sessions, and other important protocols.

(c) Recommending practices to improve the ACRMC.

1.2  U. T. System Chief Audit Executive's Responsibilities.  The U. T. System CAE is charged with assuring that an effective internal audit function is in place Systemwide. The U. T. System CAE accomplishes this through oversight of the following activities at U. T. System Administration and all U. T. System institutions:

(a) Developing a Systemwide internal audit plan based on a comprehensive risk assessment and coordinating the implementation of the audit plan with the chief audit executives at all U. T. System institutions.

(b) Providing support and advice to each institution’s internal audit committee. This includes:

(i) interviewing all candidates for an open institutional CAE position,

(ii) participating in the annual performance review for each institution’s CAE, and

(iii) participating, with the institution’s president and chair of the institution’s audit committee, in any decision to terminate the employment of an institution’s CAE.

(c) Establishing the standards and methodology to be followed by all U. T. System internal auditors in:

(i) preparation of the annual institutional audit plan, 

(ii) documentation required for all internal audit work papers,

(iii) establishment of a standard internal audit reporting format, and

(iv) provision of direction concerning findings that must be reported to the ACRMC.

(d) Establishing a quality assurance and improvement program that includes monitoring and assessments, to the extent considered necessary by the CAE, to evaluate the internal auditors’ conformance with prescribed standards.

(e) Providing audit assistance to the Chancellor, the Executive Vice Chancellors, and the Vice Chancellors in the exercise of their responsibilities.

(f) Providing information to the ACRMC in Executive Session concerning personnel matters relating to appointment, employment, evaluation, assignment, duties, discipline, or dismissal of individual U. T. System employees involved in internal audit functions.

1.3  Appointment and Evaluation of the CAE.  The CAE shall be appointed by the ACRMC after nomination by the Chancellor. The CAE shall hold office subject to the pleasure of the ACRMC and the Chancellor. The Chancellor's actions regarding the CAE are subject to review and approval by the ACRMC.

1.4  The U. T. System internal auditors are the internal auditors for the U. T. System and augment the audit work of the institutional internal auditor and the State Auditors at the institutions of the U. T. System.

Sec. 2  Compliance Program.  The Chancellor, as chief executive officer of the U. T. System, is responsible for ensuring the implementation of a compliance program for the U. T. System. U. T. System Administration shall adopt a policy further implementing the Systemwide compliance program.

The Systemwide compliance program shall be headed by a Chief Compliance and Risk Officer (CCRO) and is a fundamental part of the management structure of U. T. System Administration. The primary responsibility of the CCRO is developing the infrastructure for the effective operation of the Systemwide compliance program. The CCRO is also responsible for apprising System Administration and the ACRMC of the compliance functions and activities at System Administration, The University of Texas/Texas A&M Investment Management Company (UTIMCO), and each institution.

Sec. 3  Risk Management.  The Chancellor, as chief executive officer of the U. T. System, is responsible for ensuring Risk Management principles are integrated within leadership operation, practice, and activities. Accordingly, the Office of Risk Management (ORM) headed by the CCRO is a fundamental part of the management structure of U. T. System Administration. The primary responsibility of ORM is to provide the Chancellor and leadership with risk information, education, and the forum, when necessary, to encourage consideration of the most important risks. ORM will foster elements of prudent risk management including the structure for Executive Risk discussion, collaboration with risk assessing functions, and resolution of activities that mitigate important risks.

3.  Definitions

None

4.  Relevant Federal and State Statutes 

None 

5.  Relevant System Policies, Procedures, and Forms 

None 

6.  Who Should Know 

Administrators 
Internal Audit 
Compliance 

7.  System Administration Office(s) Responsible for Rule 

System Audit Office 
Office of Systemwide Compliance 
Office of Risk Management 

8.  Dates Approved or Amended 

Editorial amendment to Section 1.1(e) made September 25, 2018 
February 27, 2018 
Editorial amendment made May 25, 2017, per Board action on May 9-10, 2017 
Editorial amendments to Sections 1.1(f) and 2.1 made July 13, 2015 
February 12, 2015 
December 6, 2012 
Editorial amendments made March 17, 2008 
December 10, 2004 

9.  Contact Information 

Questions or comments regarding this Rule should be directed to: 
•  bor@utsystem.edu