Skip Navigation and Go To Content

Charter

Background

An extensive program of internal auditing exists within The University of Texas (UT) System. This charter establishes the framework for internal auditing activities at UTHealth Houston within that broad structure and serves both for the institutional audit committee and the internal audit function. It aligns with the Global Internal Audit Standards issued by The Institute of Internal Auditors (IIA), ensuring that our internal audit practices meet the highest professional standards and contribute effectively to the UTHealth Houston governance, risk management, and control processes.

UT System Board of Regents’ (Board) Rule 10402 Committees and Other Appointments recognizes the institutional audit committee as an extension of the Board’s Audit, Compliance, and Risk Management Committee (ACRMC), and this charter should be considered in conjunction with the charter of the UT System Audit Office, which further addresses the relationship with the ACRMC.

A unique three-element oversight/reporting structure has been developed to ensure and support the effectiveness and independence of the internal audit function:

  1. Functional oversight – the ACRMC and institutional audit committees provide strategic oversight and direction of all internal audit activities.
  2. Institutional oversight – the presidents manage the operational and administrative matters of internal audit, including performance evaluation of the chief audit executives. Employment and termination of the chief audit executive by the president must have concurrence from the ACRMC Chairman.
  3. Professional oversight – the UT System Chief Audit Executive provides oversight and support related to conformance with professional standards, promulgates guidance to ensure a consistent, Systemwide approach to internal audit activities, and provides advice to the ACRMC Chairman during employment and termination decisions of institutional chief audit executives.

Purpose

The purpose of the internal audit function is to strengthen UTHealth Houston’s ability to create, protect, and sustain value by providing the audit committee and management with independent, risk-based, and objective assurance, advice, insight, and foresight.

The internal audit function enhances UTHealth Houston’s:

  • Successful achievement of its objectives.
  • Governance, risk management, and control processes.
  • Decision-making and oversight.
  • Reputation and credibility with its stakeholders.
  • Ability to serve the public interest.

UTHealth Houston’s internal audit function is most effective when:

  • Internal auditing is performed by competent professionals in conformance with the Texas Internal Auditing Act, including The IIA’s Global Internal Audit StandardsTM, which are set in the public interest.
  • The internal audit function is independently positioned with functional accountability to the audit committee and professional accountability to the UT System Chief Audit Executive.
  • Internal auditors are free from undue influence and committed to making objective assessments.

Commitment to Adhering to the Global Internal Audit Standards

The UTHealth Houston’s internal audit function will adhere to the mandatory elements of The IIA's International Professional Practices Framework, which are the Global Internal Audit Standards and Topical Requirements. The chief audit executive will report periodically to the audit committee and senior management regarding the internal audit function’s conformance with the Standards, which will be assessed through a quality assurance and improvement program.

Mandate

The Texas Internal Auditing Act (Texas Government Code, Chapter 2102) establishes guidelines for a program of internal auditing to assist agency administrators and governing boards by furnishing independent analyses, appraisals, and recommendations about the adequacy and effectiveness of a state agency's systems of internal control policies and procedures and the quality of performance in carrying out assigned responsibilities. This charter constitutes these guidelines.

Authority

The ACRMC grants the internal audit function the mandate to provide the ACRMC, audit committee, and senior management with objective assurance, advice, insight, and foresight.

The Systemwide internal audit function’s authority is created by the direct reporting relationship of the UT System Chief Audit Executive to the ACRMC. Such authority allows for unrestricted access to the ACRMC.

Through the chief audit executive’s professional oversight reporting relationship to the UT System Chief Audit Executive, the ACRMC authorizes the internal audit function to:

  • Have full and unrestricted access to all functions, data, records, information, physical property, and personnel pertinent to carrying out internal audit responsibilities. Internal auditors are accountable for confidentiality and safeguarding records and information.
  • Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques, and issue communications to accomplish the function’s objectives.
  • Obtain assistance from the necessary personnel of UTHealth Houston and other specialized services from within or outside UTHealth Houston to complete internal audit services.

Independence, Organizational Position, and Reporting Relationships

The chief audit executive will be positioned at a level in the organization that enables internal audit services and responsibilities to be performed without interference from management, thereby establishing the independence of the internal audit function. The chief audit executive will report functionally to the audit committee, institutionally (administratively) to the president, and professionally to the UT System Chief Audit Executive. This positioning provides the organizational authority and status to bring matters directly to senior management and escalate matters to the audit committee, when necessary, without interference and supports the internal auditors’ ability to maintain objectivity.

The chief audit executive will confirm to the audit committee and UT System Chief Audit Executive, at least annually, the organizational independence of the internal audit function. The chief audit executive will disclose any interference internal auditors encounter related to the scope, performance, or communication of internal audit work and results. The disclosure will include communicating the implications of such interference on the internal audit function’s effectiveness and ability to fulfill its mandate.

Audit Committee Oversight

To establish, maintain, and ensure that UTHealth Houston’s internal audit function has sufficient authority to fulfill its duties, the audit committee will:

  • Discuss with the chief audit executive and senior management the appropriate authority, role, responsibilities, scope, and services (assurance and/or advisory) of the internal audit function.
  • Ensure the chief audit executive has unrestricted access to and communicates and interacts directly with the audit committee, including in private meetings without senior management present.
  • Participate in discussions with the chief audit executive and senior management about the “essential conditions,” described in the Global Internal Audit Standards, which establish the foundation that enables an effective internal audit function.
  • Review and approve the internal audit function’s charter, which includes the internal audit mandate and the scope and types of internal audit services.
  • Approve the risk-based internal audit plan.
  • Receive communications from the chief audit executive about the internal audit function including its performance relative to its plan.
  • Ensure a quality assurance and improvement program has been established and review the results annually.
  • Make appropriate inquiries of senior management and the chief audit executive to determine whether scope or resource limitations are inappropriate.
  • Collaborate with senior management to determine the qualifications and competencies the organization expects in a chief audit executive, as described in the Global Internal Audit Standards, including input on the review of the chief audit executive’s performance.

Membership

Membership in the audit committee consists of members external to the UTHealth Houston in addition to key institutional management team members. These individuals have voting rights.

At least three members must be external to the UTHealth Houston, including the Chair. External members serve three-year terms. Institutional management representatives may also be members and should include the president.

The audit committee’s Chair is nominated by the president and approved by the ACMRC Chairman. The audit committee supports the ACRMC’s oversight responsibilities for the UT System, fulfilling its duties as outlined in this charter.

The chief audit executive and the UT System Chief Audit Executive serve as ex-officio, non-voting members due to their roles. Other institutional representatives may be included as non-voting members.

Chief Audit Executive Roles and Responsibilities

Ethics and Professionalism

The chief audit executive will ensure that internal auditors:

  • Conform with the Global Internal Audit Standards, including the principles of Ethics and Professionalism: integrity, objectivity, competency, due professional care, and confidentiality.
  • Understand, respect, meet, and contribute to the legitimate and ethical expectations of the organization and be able to recognize conduct that is contrary to those expectations.
  • Encourage and promote an ethics-based culture in the organization.
  • Report organizational behavior that is inconsistent with the organization’s ethical expectations, as described in applicable policies and procedures.

Objectivity

The chief audit executive will foster an environment that keeps the internal audit function free from conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of engagement selection, scope, procedures, frequency, timing, and communication. If the chief audit executive determines that objectivity may be impaired in fact or appearance, the details of the impairment will be disclosed to appropriate parties.

Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively such that they believe in their work product, do not compromise quality, and do not subordinate their judgment on audit matters to others, either in fact or appearance.

Internal auditors will have no direct operational responsibility or authority over any of the activities they review. Accordingly, internal auditors will not implement internal controls, develop procedures, install systems, or engage in other activities that may impair their judgment.

Internal auditors will:

  • Disclose impairments of independence or objectivity, in fact or appearance, to appropriate parties annually.
  • Exhibit professional objectivity in gathering, evaluating, and communicating information.
  • Make balanced assessments of all available and relevant facts and circumstances.
  • Take necessary precautions to avoid conflicts of interest, bias, and undue influence.

Managing the Internal Audit Function

The chief audit executive has the responsibility to:

  • At least annually, develop a risk-based internal audit plan that considers the input of the audit committee and senior management. Discuss the plan with the audit committee and senior management and submit the plan to the audit committee and ACRMC for review and approval.
  • Communicate the impact of resource limitations on the internal audit plan to the audit committee and senior management.
  • Review and adjust the internal audit plan, as necessary, in response to changes in UTHealth Houston’s business, risks, operations, programs, systems, and controls.
  • Communicate with the audit committee and senior management if there are significant interim changes to the internal audit plan.
  • Ensure internal audit engagements are performed, documented, and communicated in accordance with the Global Internal Audit Standards.
  • Follow up on engagement findings and confirm the implementation of recommendations or action plans and communicate the results of internal audit services to the audit committee and senior management quarterly] and for each engagement as appropriate.
  • Ensure the internal audit function collectively possesses or obtains the knowledge, skills, and other competencies and qualifications needed to meet the requirements of the Global Internal Audit Standards and fulfill the internal audit mandate.
  • Identify and consider trends and emerging issues that could impact UTHealth Houston and communicate to the audit committee and senior management as appropriate.
  • Consider emerging trends and successful practices in internal auditing.
  • Establish and ensure adherence to methodologies designed to guide the internal audit function.
  • Coordinate activities and consider relying upon the work of other internal and external providers of assurance and advisory services. If the chief audit executive cannot achieve an appropriate level of coordination, the issue must be communicated to senior management and if necessary escalated to the audit committee.
  • Ensure adherence to UTHealth Houston’s relevant policies and procedures.

Communication with the Audit Committee and Senior Management

The chief audit executive will report at a minimum annually or as necessary to the audit committee and senior management regarding:

  • The internal audit function’s mandate.
  • The internal audit plan and performance relative to its plan.
  • Internal audit budget.
  • Significant revisions to the internal audit plan and budget.
  • Potential impairments to independence, including relevant disclosures as applicable, as referenced in the “Objectivity” section.
  • Results from the quality assurance and improvement program, which include the internal audit function’s conformance with The IIA’s Global Internal Audit Standards and action plans to address the internal audit function’s deficiencies and opportunities for improvement.
  • Significant risk exposures and control issues, including fraud risks, governance issues, and other areas of focus for the audit committee.
  • Results of assurance and advisory services.
  • Resource requirements.
  • Management’s responses to risk that the internal audit function determines may be unacceptable or acceptance of a risk that is beyond UTHealth Houston’s risk appetite.

Quality Assurance and Improvement Program

The chief audit executive will develop, implement, and maintain a quality assurance and improvement program that covers all aspects of the internal audit function. The program will include external and internal assessments of the internal audit function’s conformance with the Global Internal Audit Standards, as well as performance measurement to assess the internal audit function’s progress toward the achievement of its objectives and promotion of continuous improvement. The program also will assess, if applicable, compliance with laws and/or regulations relevant to internal auditing. Also, if applicable, the assessment will include plans to address the internal audit function’s deficiencies and opportunities for improvement.

Annually, the chief audit executive will communicate with the audit committee and senior management about the internal audit function’s quality assurance and improvement program, including the results of internal assessments (ongoing monitoring and periodic self-assessments) and external assessments. External assessments will be conducted at least once every three years by a qualified, independent assessor or assessment team from outside UTHealth Houston; qualifications must include at least one assessor holding an active Certified Internal Auditor® credential.

Scope and Types of Internal Audit Services

The scope of internal audit services covers the entire breadth of the organization, including all UTHealth Houston’s activities, assets, and personnel. The scope of internal audit activities also encompasses but is not limited to objective examinations of evidence to provide independent assurance and advisory services to the audit committee and management on the adequacy and effectiveness of governance, risk management, and control processes for UTHealth Houston.

The nature and scope of advisory services may be agreed upon with the party requesting the service, provided the internal audit function does not assume management responsibility. Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during advisory engagements. These opportunities will be communicated to the appropriate level of management.

Relevant Statutes and Policies

Approval

The Internal Audit Charter was approved on June 12, 2025, by the UTHealth Houston Institutional Audit Committee.