INTERNAL ANNUAL REPORT 21-A

For Ended August 31, 2020

Office of Internal Audits

Leigh Kidwell, CPA, CIA, CGMA, Chief Audit Executive

3410 Taft Blvd. Wichita Falls, TX 76308 Phone: (940) 397-4914 www.msutexas.edu/internal-audits

October 9, 2020

Ms. Tiffany Burks, Chair Board of Regents’ Audit, Compliance, and Management Committee Midwestern State University Wichita Falls, Texas

Dear Regent Burks,

I am pleased to submit the annual report for the fiscal year ended August 31, 2020. This report itemizes the services provided and other activities performed by the Office of Internal Audits, and fulfills the Texas Internal Auditing Act (the Act) requirements set out in Texas Government Code, Section 2102.009.

Included in this report are the fiscal year 2020 audit plan, explanations for any deviations from the plan, engagements completed during the year and those in progress at year end, a list of all external audit services procured, the fiscal year 2021 audit plan, and other required disclosures. I believe the work of the Office of Internal Audits has contributed to the efficient and effective operations of Midwestern State University by making positive contributions to risk management efforts, control systems, and governance processes. During the year ended August 31, 2020, fifteen projects were completed, including the issuance of nine reports, assisting two oversight agencies, and finalizing four projects. The results of our work have been communicated to the Board of Regents through the Audit, Compliance and Management Committee and to University Administration.

The Act requires higher education institutions to submit their annual report by November 1, to the Governor’s Office, the Legislative Board, the State Auditor’s Office, the Board of Regents and the University President. Generally, no reports are submitted to oversight agencies prior to approval by the University’s Board of Regents. However, when the deadline precedes the Regents meeting, the oversight agencies will accept a draft version of the annual report. To ensure compliance with the Act, the draft report will be submitted to the oversight agencies prior to November 1, and the final report will be submitted following approval by the Board of Regents at the November 12, 2020 meeting.

I want to thank the Board of Regents, the President, University management, faculty and staff for the support provided in the performance of my responsibilities and formally request this report be approved.

Respectfully,

Leigh Kidwell, CPA, CIA, CGMA Chief Audit Executive

TABLE OF CONTENTS

I. Executive Summary
II. Compliance with Texas Government Code, Section 2102.015
III. Internal Audit Plan for Fiscal Year 2020 and Explanation of Changes
IV. Fiscal Year 2020 Completed Projects
V. Consulting Services and Non-audit Services
VI. External Quality Assurance Review
VII. Internal Quality Assessment
VIII. Internal Audit Plan for Fiscal Year 2021
IX. External Audit Services
X. Reporting Suspected Fraud and Abuse

I. Executive Summary

The purpose of the internal audit annual report is to provide information on the , consulting services, and other activities of the internal audit function. Additionally, the annual report assists oversight agencies in their planning and coordination efforts. It is submitted in compliance with the Texas Internal Auditing Act, Texas Government Code (TGC), Section 2102, the Office of Internal Audits Charter, and the rules and regulations of the Board of Regents of Midwestern State University.

The Office of Internal Audits’ mission is to enhance and protect the University’s value by providing risk-based and objective assurance, advice and insight. A systematic, disciplined approach is used to evaluate risk management, internal controls, operational and governance processes. The primary objective of the internal audit function is to assist the Board of Regents, the President, and University management in effectively discharging their responsibilities.

Fiscal year 2020 was an unprecedented and challenging year. Due to the coronavirus pandemic, the University closed the campus in March, switched from in-person instruction to online learning, implemented employee remote working agreements, prepared for employees and faculty to return to campus, and welcomed students back to campus in August. The audit plan was modified as risks changed during the year, and social distancing became the operational model. Two projects were cancelled, five projects were added, and fifteen projects were completed during fiscal year 2020. Seven projects remain in progress at August 31, 2020. The audit staff consisted of a full time Chief Audit Executive and a full time Auditor.

In accordance with TGC, Section 2102.009, Annual Report, internal audit annual reports must be submitted by November 1 to the following oversight agencies: the Governor’s Office, the Legislative Budget Board, and the State Auditor’s Office. A draft version of the report will be submitted to each agency to meet the November 1 deadline. The final report will be submitted after approval by the University’s Board of Regents during their November 12, 2020 meeting.

II. Compliance with Texas Government Code, Section 2102.015

Texas Government Code, Section 2102.015, Publication of Audit Plan and Annual Report on Internet, requires state agencies and higher education institutions to post certain information on their website. Higher education institutions are required to post the institution’s internal audit plan and internal audit annual report on its website within thirty days after approval by the governing board. It also requires institutions to update the website postings with detailed summaries of weaknesses, deficiencies, wrongdoings, or other concerns, if any, raised by the audit plan or annual report, and summaries of the actions taken by the institution to address those concerns.

In order to comply with TGC, Section 2102, the Office of Internal Audits posts its Internal Audit Annual Report and the Annual Audit Plan within thirty days following Board of Regents’ approval. Both reports are posted on two web pages, msutexas.edu/regents/board-minutes and on msutexas.edu/internal-audits/reports. The University retains the right to not post information contained in the audit plan or internal audit annual report if the information is exempt from public disclosure under Texas Government Code, Section 552.

III. Internal Audit Plan for Fiscal Year 2020 and Explanation of Changes

Available time for fiscal year 2020 projects after consideration of University holidays, vacation, sick leave and wellness release was 3,540 hours. Audit resources were allocated among required audits, risk-based audits, special projects, investigations, meetings, committee service, and audit department activities and administration.

Reproduced below is the fiscal year 2020 Audit Plan, which was approved by the University’s Board of Regents on August 1, 2019.

| Project | Description | Hours |
|---|---|---|
| Financial, Compliance, Operational, Efficiency & Effectiveness Audits | | |
| Audit Assistance to Oversight Agencies | Provide audit assistance to state and federal oversight agencies such as Texas State Auditor’s Office, Texas Higher Education Coordinating Board, Texas State Comptroller’s Office and grant agencies. | 48 |
| Implementation of Prior Audit Recommendations | Obtain representations from management and verification if necessary, regarding implementation status of prior audit recommendations. | 160 |
| Safety and Security | Verify compliance with safety and security requirements of Texas Education Code, Section 51.217. | 200 |
| Admissions | Review policies governing the admission process and controls ensuring compliance with laws, policies, and regulations. | 300 |
| Benefits Proportional By Fund | Verify compliance with requirements to pay benefits in proportion to the sources of funds from which the corresponding salaries and wages were paid in accordance with applicable statutes, General Appropriations Act requirements, and related University policies and procedures. | 200 |
| Departmental | Review for compliance with various regulations and/or for efficiency and effectiveness. | 300 |
| Information Security | Provide assistance to independent firm contracted to review the IT department’s plan to timely resume system resources should a disaster occur in compliance with Texas Administrative Code 202 | 80 |
| Internal Quality Assurance Review | Conduct a self-assessment of the internal audit activity’s conformance with the Texas Internal Auditing Act and professional standards in preparation for an independent validation. | 80 |
| National Collegiate Athletic Association (NCAA) Agreed Upon Procedures | Provide assistance to the independent auditors performing the agreed upon procedures of MSU athletic financial statements as required by NCAA. | 200 |
| Public Funds Investment Act (PFIA) | Review compliance with PFIA, management controls on investments, and adherence to University investment policies. | 240 |
| Annual Risk Assessment | Facilitate annual University risk assessment. | 40 |
| Annual Audit Plan | Prepare annual audit plan. | 40 |
| Annual Audit Report | Prepare annual audit report. | 40 |
| Audits Carried Forward | Finalize prior fiscal year audits not complete at August 31, 2019 and carried forward into the current year. | 72 |
| Total Audit Hours | | 2,000 |
| Special Projects | | |
| Hotline, Fraud, or Ethics Investigations | Facilitate University anonymous reporting system and investigations. | 48 |
| Special Projects | Based on requests from Board of Regents, Administration or others. | 160 |
| Total Special Projects | | 208 |
| Meetings and Committee Service | | |
| Ethics and Compliance Committee | Serve as advisory member of the committee and all sub-committees. | 220 |
| Administrative Meetings | Attend administrative meetings as requested. | 240 |
| Other University Meetings or Events | Attend other meetings or events as requested. | 48 |
| Board of Regents Meetings | Prepare for and attend Board of Regents meetings or events. | 120 |
| Total Meetings and Committee Service | | 628 |
| Audit Department Activities and Administration | | |
| Professional Development and Travel | Professional development, maintain certifications, continuing education and related travel. | 160 |
| Records Management | Manage records maintenance. | 40 |
| Audit Manual and Webpage Revisions | Update audit manual and webpage. | 24 |
| General and Administrative Tasks | Office administrative duties (planning, purchasing, recordkeeping scheduling, reporting, etc.). | 432 |
| Staff Meetings | Intra office communications and planning. | 48 |
| Total Audit Department Activities and Administration | | 704 |
| Total Allocated Hours | | 3,540 |

| Available Hours | Hours |
|---|---|
| Available Hours for All Staff | 4,160 |
| Less estimated hours for: | |
| Holidays | (240) |
| Vacation & Birthday Leave | (220) |
| Sick Leave | (80) |
| Wellness Release | (16) |
| Breaks | (64) |
| Net Available Hours | 3,540 |

The fiscal year 2020 audit plan was modified as risks changed due to the coronavirus pandemic. Two planned projects were cancelled: the Admissions Audit and departmental audits. Five projects were added: COVID-19, Student Outreach, Athletics Return to Play, External Quality Assurance Peer Review, and providing assistance to an independent public firm engaged to review the University’s financial statements.

IV. Fiscal Year 2020 Completed Projects

Fifteen projects were completed during this fiscal year, of which twelve were planned and three were added. Seven projects remain in-progress at August 31, 2020, of which five were planned and two were added. Completed projects are listed in the table below.

| Project Number | Completion Date | Project Title | High-Level Objective |
|---|---|---|---|
| 19-04 | 01/16/20 | International Services Audit | Determine if the University is in compliance with regulations, laws, and policies, and to determine if sound financial controls have been established. |
| 19-06 | 04/16/20 | Gift Management Audit | Determine if the University is in compliance with policies and procedures governing the acceptance of gifts. |
| 19-08 | 01/08/20 | Post-Construction Contract Audit | Outsourced closeout audit of all incurred prior to the final payment for the Gunn College of Health Sciences and Human Services Building. |
| 19-b | 03/01/20 | State Auditor’s Office Financial Processes and Controls Audit | Provide assistance to the State Auditor’s Office for their Audit of Financial Processes at Selected Higher Education Institutions. |
| 20-01 | 10/11/19 | Public Funds Investment Act Audit (PFIA) | Review compliance with PFIA, management controls on investments, and adherence to University investment policies. |
| 20-02 | 06/29/20 | Benefits Proportional by Fund Audit | Verify compliance with requirements to pay benefits in proportion to the sources of funds from which the corresponding salaries and wages were paid in accordance with applicable statutes, General Appropriations Act requirements, and related University policies and procedures. |
| 20-06 | 08/12/20 | Internal Quality Assurance Review (QAR) | Conduct a self-assessment of the internal audit activity’s conformance with the Texas Internal Auditing Act and professional standards in preparation for an independent validation. |
| 20-A | 10/10/19 | Internal Audit Annual Report | Prepare the FY 2019 internal audit annual report in compliance with Texas Government Code, Chapter 2102. |
| 20-a | 01/17/20 | Texas Higher Education Coordinating Board (THECB) Desk Review | Provide assistance to THECB for their desk review of formula funding at Midwestern State University. |
| 20-B | 02/27/20 | Review | Provide assistance to an independent public accounting firm to prepare a financial statement review. |
| 20-D | 04/16/20 | COVID-19 Project | Provide information and analysis to President’s Cabinet on effects of COVID-19 on University processes. |
| 20-E | 06/18/20 | Annual Risk Assessment | Preparation of the risk assessment to align internal audit resources and determine priorities of the internal audit activity for fiscal year 2021. |
| 20-F | 05/15/20 | Student Outreach Project | Connect with students during Spring 2020 to inquire about struggles or concerns, and provide resource information. |
| 20-G | 05/08/20 | Performance Measures Review | Semi-annual review of internal audit’s performance measures. |
| 20-H | 07/08/20 | Audit Plan for fiscal year 2021 | Preparation of an annual audit plan in conformance with Texas Government Code, Section 2102.005 |

The General Appropriations Act (86th Legislature) Rider 8, page III-48, requires institutions of higher education to conduct an internal audit of benefits proportional by method of finance. The internal audit must be conducted using the methodology approved by the State Auditor’s Office (SAO), must examine fiscal years 2017 through 2019, and be submitted to the oversight agencies no later than August 31, 2020.

To comply with this requirement, the Office of Internal Audits included a Benefits Proportional by Fund Audit in the fiscal years 2020, 2019 and 2018 audit plans. Audit Report #20-02 was issued on June 29, 2020 and examined fiscal year 2019, Report #19-05 issued on February 28, 2019 examined fiscal year 2018, and Report #18-04 issued on June 28, 2018 examined fiscal year 2017. All three audits were conducted using the SAO methodology and were submitted to the oversight agencies prior to the August 31, 2020 deadline.

Texas Education Code (TEC), Section 51.9337(h), Purchasing Authority Conditional; Required Standards, as added by Senate Bill 20 (84th Legislature), requires higher education institutions to annually assess whether the institution has adopted the rules and policies required by this section and submit a report of findings to the state auditor.

The University was notified in June 2019 that the SAO selected it for an audit of financial processes. The audit objective was to determine whether selected higher education institutions have processes and related controls to help ensure they administer financial transactions in accordance with applicable requirements. Their scope included the Purchasing and Contract Management Department. Fieldwork began in August 2019 and continued through January 2020. The SAO issued their Audit Report No. 20-025 in March 2020, which included recommendations to improve processes and controls related to purchasing and contracts. To avoid duplication of efforts, the Office of Internal Audits did not perform an additional assessment. We believe the work performed by the SAO, and the Office of Internal Audits’ monitoring of the implementation of SAO’s recommendations complies with TEC, Section 51.9337(h).

Projects in progress at August 31, 2020 are listed in the table below.

| Report Number | Report Title | Status | High-Level Objective |
|---|---|---|---|
| 19-03 | Business Continuity Plan | Draft report was issued on 9/03/20. | Provide assistance to independent firm hired to create a business continuity plan consistent with Texas Administrative Code, Section 202 requirements. |
| 19-09 | Safety and Security Audit | Final report was issued on 9/29/20. | Verify compliance with safety and security requirements of Texas Education Code, Section 51.217. |
| 20-03 | Disaster Recovery Plan | Draft report was issued on 9/11/20. | Provide assistance to independent firm hired to prepare a disaster recovery plan in compliance with Texas Administrative Code 202, to resume system resources should a disaster occur. |
| 20-05 | National Collegiate Athletic Association (NCAA) Agreed Upon Procedures | Fieldwork in progress. | Provide assistance to the independent auditors performing the agreed upon procedures of MSU athletic financial statements as required by NCAA. |
| 20-C | Policy Management Software Project | In progress / Ongoing | Provide guidance to committee charged with implementation of the software. |
| 20-I | External Quality Assurance/Peer Review (QAR) | Final report was issued on 9/16/20. | Perform an independent validation of the assertions and conclusions made in the QAR Self-Assessment Report for University of Texas Permian Basin. |
| 20-J | Athletics Return to Play Project | In progress / Ongoing | Provide management advisory services. |

No planned projects were carried forward to the fiscal year 2021 audit plan.

The following fiscal year 2020 planned projects were cancelled.

| Report Number | Report Title | Cancelation Reason | High-Level Objective |
|---|---|---|---|
| N/A | Departmental audits | Cancelled due to the pandemic. | Review for compliance with various regulations and/or for efficiency and effectiveness. |
| 20-04 | Admissions | Cancelled due to the pandemic. | Review policies governing the admission process and controls ensuring compliance with laws, policies, and regulations. |

Audit findings were monitored during the year to ensure that management’s action plans have been effectively implemented. Follow-up processes varied based on the significance of the findings and included performing limited procedures, inquiring of management, and issuing quarterly status reports of outstanding audit findings to management.

The table below presents the status of audit recommendations from projects completed during fiscal year 2020. The recommendation status is based on the following definitions and dependent upon the estimated implementation dates:

• Implemented: Successful development and use of a process, system, or policy to implement a recommendation.
• Ongoing: Ongoing development of a process, system, or policy to address a recommendation.
• Not Implemented: Lack of a formal process, system, or policy to address a recommendation.
• No Action Required: No recommendations were issued.

| Report # | Report Name | Report Issue Date | Recommendation | Recommendation Status (Implemented / Ongoing / Not Implemented / No Action Required) |
|---|---|---|---|---|
| 19-04 | International Services Audit | 01/16/20 | Eighteen audit findings were issued. Fifteen recommendations have been implemented. | X |
| | | | Establish process to automate address maintenance. | X |
| | | | Comply with SEVP requirements. | X |
| | | | Establish automated processes. | X |
| 19-06 | Gift Management Audit | 04/16/20 | Thirteen audit findings were issued. Six recommendations have been fully implemented. | X |
| | | | Create scholarship administrator's resource guide. | X |
| | | | Role based computer access rights are preferred. | X |
| | | | Develop written procedures for user access. | X |
| | | | Perform and document periodic user access reviews. | X |
| | | | Review university policy #4.146. | X |
| | | | Communicate scholarship criteria and donor restrictions to administrators. | X |
| | | | Document scholarship changes. | X |
| 19-08 | Post Construction Contract Audit | 01/08/20 | One audit finding was issued. It has been fully implemented | X |
| 19-b | State Auditor's Office- Financial Processes | 03/01/20 | Seven audit findings were issued. All recommendations have been fully implemented | X |
| 20-01 | Public Funds Investment Act Audit | 10/11/19 | Six audit findings were issued. All recommendations have been fully implemented | X |
| 20-02 | Benefits Proportional by Fund Audit | 06/29/20 | No recommendations were issued | X |
| 20-06 | Internal Quality Assurance Review (QAR) | 08/12/20 | No recommendations were issued | X |
| 20-A | Internal Audit Annual Report | 10/10/19 | No recommendations were issued | X |
| 20-a | THECB Desk Review of Formula Funding | 01/17/20 | No recommendations were issued | X |
| 20-B | Financial Statement Review | 02/27/20 | No recommendations were issued | X |
| 20-D | COVID-19 Project | 04/16/20 | No recommendations were issued | X |
| 20-E | Annual Risk Assessment for FY 2021 | 06/18/20 | No recommendations were issued | X |
| 20-F | Student Outreach Project | 05/15/20 | No recommendations were issued | X |
| 20-G | Performance Measures Review | 05/08/20 | No recommendations were issued | X |
| 20-H | Audit Plan for FY 2021 | 07/08/20 | No recommendations were issued | X |

The status of outstanding audit recommendations from projects completed in previous years continued to be monitored during Fiscal Year 2020. Listed below are the outstanding audit recommendations at August 31, 2020 from audits issued in previous years.

| Report # | Report Name | Report Issue Date | Recommendation | Recommendation Status (Implemented / Ongoing / Not Implemented) |
|---|---|---|---|---|
| 16-01 | TAC 202 Information Security Program Assessment | 09/22/16 | 39 recommendations were issued, as of 9/23/20, 92% or 36 recommendations have been fully implemented up from 90% the previous year. | X X |
| 17-01 | Clery Act Compliance Assessment | 12/13/17 | 342 recommendations were issued, as of 9/23/20, 94% or 321 recommendations have been fully implemented up from 87% the previous year. | X X |
| 19-01 | Minors on Campus | 01/17/19 | 10 recommendations were issued, as of 9/23/20, 70% or 7 recommendations have been fully implemented. | X X |

V. Consulting Services and Non-audit Services

The Office of Internal Audits did not perform any consulting services as defined by the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing or non-audit services as defined by Governmental Auditing Standards, 2018 Revision, Sections 3.64 – 3.106.

Other value-added activities performed during Fiscal Year 2020 are included in the following table.

| Activity | Impact |
|---|---|
| Provide assistance with the State Auditor’s Financial Processes and Controls Audit. | Coordinate and assist to aid in audit efficiency and provide expertise. |
| Provide assistance with the Texas Higher Education Coordinating Board’s Desk Review of Formula Funding. | Coordinate and assist to aid in audit efficiency and provide expertise. |
| Provide assistance for the independent public accounting firm engaged to perform a financial statement review. | Coordinate and assist to aid in project efficiency and provide expertise. |
| Perform external quality assurance review at University of Texas Permian Basin. | Strengthen professional commitments and knowledge base. |
| Serve as advisor to committee charged with implementing the policy management software. | Provide guidance to committee. |
| Serve as advisor on multiple compliance committees. | Provide guidance to sub-committees formed to address specific compliance areas. |
| Serve on the University’s Compliance Support and Advisory Committee. | Provide guidance for maintaining an effective compliance program and investigating reported compliance concerns. |
| Facilitate anonymous, 24/7 accessible, hotline reporting system. | Promote commitment to ethical behavior; improve information gathering, and mitigation of risk. |
| Investigate complaints or claims of fraud, waste or abuse. | Review information, investigate allegations, and determine if grounds exist to initiate an audit. |
| Serve as advisor to departments for various issues. | Provide guidance and/or to strengthen controls. |
| Other special projects. | Provide information and analysis. |

VI. External Quality Assurance Review

Our most recent external quality assurance review, dated February 28, 2018, examined the audit activities for the three-year period, January 1, 2014 through December 31, 2016. The review indicated the Office of Internal Audits generally conforms with the Texas Internal Auditing Act (Texas Government Code Chapter 2102), the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing and Code of Ethics, and the U.S. Government Accountability Office’s Generally Accepted Government Auditing Standards. Our next external quality assurance review will examine the three-year period, January 1, 2017 through December 31, 2019, and will be conducted during the fall of 2020.

VII. Internal Quality Assessment

The Office of Internal Audits maintains a quality assurance and improvement program. To ensure adherence to auditing standards the following is performed:

• Review for continued compliance with International Standards for the Professional Practice of Internal Auditing, and Generally Accepted Government Auditing Standards (GAGAS).
• Remain up-to-date on auditing standards through continuing professional education, membership in accounting and auditing associations, technical reading, and independent research.
• Complete an audit standards compliance review at the end of each audit.
• Complete independence disclosure statements annually.
• Comply with annual continuing professional education requirements.

Ongoing quality assessment of the internal audit activity is maintained through daily supervision and review; audit exit conferences; annual employee performance evaluations; monitoring of performance measures; and meetings with the President, Vice-Presidents, and the Board of Regents’ Audit, Compliance and Management Committee Chair.

Monitoring of performance measures includes:

• Effective utilization of resources,
• Meeting internal and external deadlines,
• Timely completion of audits and special projects,
• Percentage of audit recommendations implemented by management, and
• Achievement of audit client satisfaction.

The Chief Audit Executive (CAE) set the following goals for Fiscal Year 2020 to aid in compliance with standards and increase efficiency. The outcomes for each goal are discussed below.

1. Continue to enhance knowledge in the use of TeamMate auditing software and add technology based audit and other data analysis techniques. This goal was partially met. Fiscal year 2020 was the second year of using TeamMate auditing software. Enhanced knowledge and utilization of two modules, TeamCentral and TeamTec have transformed the Office of Internal Audits.
   a. TeamCentral provides web-based access for tracking audit issues and recommendation implementation. Use of the TeamCentral automated notification system has increased the percentage of current year recommendation implementation rates from 68% in fiscal year 2018 to 78% in fiscal year 2020.
   b. TeamTEC is a web-based tool for capturing and reporting auditor time related to projects and tasks. Capturing auditor time by task for every project allows the manager to: control project in real time, evaluate total project time during post-audit performance reviews, and create more accurate time budgets for future projects.
   c. The goal to add TeamMate’s Data Analytics module was put on hold due to two factors:
      • The need to reduce expenditures due to COVID-19 during the spring of 2020, and
      • MSU’s announcement it was exploring the invitation to join the Texas Tech University System. The System’s internal audit function has data analytic software so the Office of Internal Audits postponed purchasing TeamMate’s software until a decision was reached.

2. Enhance overall auditing skills in information technology risks and controls. This goal was partially met. The Auditor attended professional education on auditing IT general controls. One audit was expanded to perform limited procedures on software controls. Continued enhancement of information technology risks and controls should be pursued with additional education.

3. Complete the policy manual update to reflect electronic working papers protocol. This goal was met. The Office of Internal Audits’ Policies and Audit Procedures Manual was completely revised and updated to reflect electronic working paper protocols in July 2020.

4. Fulfill the requirements for Certified Internal Auditor designation by the Auditor. This goal was partially met. The auditor passed the first of three exams required to receive the Certified Internal Auditor designation in the prior fiscal year. She passed the second exam in December 2019 and was scheduled to take the third exam during the spring of 2020. Testing centers were shut down due to the coronavirus pandemic preventing her from testing for several months. Her third exam test date is scheduled for November 2020.

5. Integrate the Internal Control Integrated Framework published by the Committee of Sponsoring Organizations (COSO) into the risk assessment process. This goal was partially met. The COSO internal control framework is now used at the project level to assess whether internal controls are significant to the audit objective(s) and to comply with generally accepted government auditing standards (GAGAS). However, the annual risk assessment process did not integrate the COSO framework. Instead, the process was revamped to use a risk factor approach that calculated a total risk score and evaluated any prior audit coverage and determined if the audit was required by statute or policy.

The Office of Internal Audits is in compliance with the Standards based on the annual self-assessment and on-going monitoring. As part of the assessment, the following goals for Fiscal Year 2021 were set:

1. Increase evaluation of and contribution to the improvement of governance processes.
2. Increase evaluation of and contribution to the improvement of risk management processes.
3. Assist the University in maintaining effective controls by evaluating their effectiveness and by promoting continuous improvement.
4. Strengthen internal audit’s project level monitoring processes for continuous improvement.

VIII. Internal Audit Plan for Fiscal Year 2021

The Board of Regents approved the Fiscal Year 2021 Internal Audit Plan during their August 6, 2020 meeting. A full time chief audit executive and a full time auditor currently staff the Office of Internal Audits. After consideration of estimated time for staff meetings, continuing professional education, holidays, and annual leave, we determined our allocable chargeable time for fiscal year 2021 to be 2,711 hours.

Of this time, 400 hours will be dedicated to performing required audits, assisting oversight agency auditors, and completing other mandatory projects. Additionally, 162 audit hours are needed to complete engagements from fiscal year 2020 that were in progress at year-end. We have set aside thirty percent of total time (849 hours) for scheduled projects and other value-added work, including board and management requests, investigations, institutional committee service, follow-up on prior audit recommendations, and special projects. The remaining 1,300 hours have been allocated to the projects determined through the risk assessment process. The required projects, risk based audits as well as other value-added work are listed below.


| Project | Description | Hours |
|---|---|---|
| Required Audits, Assisting Oversight Agencies, Mandatory Projects | | |
| Audit Assistance to Oversight Agencies | Provide audit assistance to state and federal oversight agencies such as Texas State Auditor’s Office, Texas Higher Education Coordinating Board, Texas State Comptroller’s Office and grant agencies. | 80 |
| Senate Bill (SB) 20 Contract Management | Annual assessment required by Texas Education Code, Section 51.9337, to verify the University has adopted the rules and policies of SB 20. | 80 |
| Public Funds Investment Act / Investment Report Review | Verify compliance with Public Funds Investment Act, Texas Government Code, Section 2256.023(d) Internal Management Reports. | 80 |
| Information Security (outsourced) | Provide assistance to external auditors to determine the University’s compliance with information security standards outlined in Texas Administrative Code 202. | 40 |
| Annual Risk Assessment | Facilitate annual University risk assessment. | 40 |
| Annual Audit Plan | Prepare annual audit plan. | 40 |
| Annual Audit Report | Prepare annual audit report. | 40 |
| Required Audits, Assistance, Mandatory Projects Total Hours | | 400 |
| Completion of Engagements from Previous Year | | |
| Projects In-progress at Year End | Finalize prior fiscal year projects not complete at August 31, 2020 and carried forward into the current year. | 162 |
| Special Projects and Other Value-Added Work | | |
| Hotline, Fraud, or Ethics Investigations | Facilitate University anonymous reporting system and investigations. | 80 |
| Special Projects | Contribute to the policy management project and other requests from Board of Regents, Administration or others. | 195 |
| Institutional Committee Service | Contribute to the oversight of the University’s compliance program and other committee service. | 334 |
| Prior Audit Recommendations Follow-up | Obtain representations from management and verification if necessary, regarding implementation status of prior audit recommendations. | 240 |
| Special Projects and Other Value-Added Work Total Hours | | 849 |


| Project | Description | Hours |
|---|---|---|
| Audits Identified Through the Risk Assessment Process | | |
| Academic Outreach | To review the governance activities and institutional policies for distance education activities, and to ensure security controls comply with governing regulations and standards. | 360 |
| Admissions | Review policies governing the admission process and controls ensuring compliance with laws, policies, and regulations. | 360 |
| Payroll/ Timekeeping System | Verify that controls exist to ensure electronic timekeeping transactions and related activities are appropriate and in compliance with laws, policies and regulations. | 300 |
| CARES Act Institutional Funds | Verify compliance with the Coronavirus Aid, Relief, and Economic Security (CARES) Act Higher Education Emergency Relief Fund institutional reporting. | 280 |
| Audits Identified Through the Risk Assessment Process Total Hours | | 1,300 |
| Total Allocable Chargeable Time | | 2,711 |

| Project | Description | Hours |
|---|---|---|
| Administrative | | |
| Professional Development and Travel | Professional development, maintain required certifications, continuing education and related travel. | 192 |
| Staff Meetings | Intra office communications and planning. | 48 |
| Administrative Meetings | Attend administrative meetings as requested. | 120 |
| Records Management | Manage records maintenance. | 24 |
| Audit Manual and Webpage Revisions | Update audit manual and webpage. | 24 |
| General and Administrative Tasks | Office administrative duties (planning, purchasing, recordkeeping, scheduling, reporting, etc.). | 432 |
| Administrative Total Hours | | 840 |
| Allocable and Administrative Total Hours | | 3,551 |

Available Hours for All Staff: 4,176
Less estimated hours for:
Holidays: (224)
Vacation & Birthday Leave: (237)
Sick Leave: (80)
Wellness Release: (16)
Breaks: (68)
Net Available Hours: 3,551

The Office of Internal Audits allocates its resources in a manner that is consistent with its charter and with the mission of Midwestern State University. In accordance with the Texas Internal Auditing Act, TGC, Section 2102.005, Internal Auditing Required, we prepared the fiscal year 2021 audit plan based on the results of a formal risk assessment process.

The risk assessment process included conducting interviews with members of the President’s Cabinet and with key members of operational and compliance related departments. During the interviews, key risks were identified that could affect the University’s ability to achieve its goals and objectives. The Office of Internal Audits also provided input into the assessment process based on institutional knowledge, information from past audit engagements, and knowledge of trends and occurrences in higher education.

The result of the assessment was the identification of strategic, financial, operational, compliance, reputation, and environmental risks. In the development of the audit plan, we considered the most significant risks and included audits and other projects that could reduce the likelihood or impact of those risks.

IX: External Audit Services

External audit services procured or ongoing during Fiscal Year 2020 include:

• Procured: Belt Harris Pechacek LLLP, Certified Public Accountants, Houston, TX, to perform a review engagement with respect to the University’s financial statements as of August 31, 2019.

• Procured: Edgin, Parkman, Fleming & Fleming, PC, Wichita Falls, TX, to apply the agreed-upon procedures specified by the National Collegiate Athletic Association for the year ended August 31, 2020.

• Procured: Myers and Stauffer, LC, Austin, TX, to develop a disaster recovery plan that aligns with national and state standards, and to provide a plan document.

• Ongoing: CBIZ Risk & Advisory Services, LLC, Boston, MA, to perform a construction project closeout audit.

• Ongoing: Myers and Stauffer, LC, Austin, TX, to develop a continuity of operations plan, and provide a plan document.


X: Reporting Suspected Fraud and Abuse

To comply with the fraud reporting requirements of Section 7.09 of the General Appropriations Act (86th Legislature), and the investigation coordination requirements of Texas Government Code, Section 321.022, Midwestern State University has taken the following actions:

• A direct link on the University’s website home page is provided to report suspected fraud, compliance, or ethics concerns.

• The University’s Fraud, Compliance, and Ethics Concerns web page at www.msutexas.edu/internal-audits/fraud provides instructions, a toll free phone number and website link to the anonymous hotline provider, EthicsPoint. Also listed is the State Auditor’s Office Fraud Hotline phone number and a direct link to the SAO’s online fraud reporting web page.

• University Policy 4.117, Suspected Dishonest or Fraudulent Activities, established processes regarding internal investigations of suspected defalcation, misappropriation, and other fiscal irregularities by providing for administrative steps to promptly identify and investigate suspected cases. It assigns responsibilities to specific University employees involved in handling these cases. The policy was approved by the University Board of Regents in February 2017 and complies with the requirements of Texas Government Code, Section 321.022 and Texas Education Code, Section 51.9337 as added by Senate Bill 20 (84th Legislature).

• New employee orientation includes a review of University policies, standards of conduct for state employees, and ethics.
