INTEGRATED ASSURANCE UVA Internal Audit

• Current Compliance Environment
• Internal Audit’s Challenge
• Three Lines of Defense
• Defining Integrated Assurance
• UVA’s Internal Audit Methodology

The Compliance Risk Universe is Extensive
• Title IX
• Clery Act
• Public Health and Safety
• NCAA
• HIPAA
• Sponsored Programs
• Tax requirements
• Financial regulations
• Employment regulations
• And more…

Audit’s Traditional Role in Monitoring Compliance Controls
• Examples of full scope audits performed in prior years:
  • Clery Act compliance
  • NCAA requirements
  • Export controls
  • Health system billing compliance (Medicare/Medicaid)
  • FLSA overtime compliance
  • Financial policy compliance

Balancing Complexity and Control
Core Challenges in Providing Assurance Over the Compliance Environment

Internal Audit Challenge
Assessing the effectiveness of compliance throughout the organization is inefficient and complex.

Root Causes
• Size and Complexity: Highly complex and regulated support functions make it difficult for one entity to provide assurance over all controls and risks.
• Lack of Insight into Assurance Function Activity: Decentralized compliance model makes it difficult to assess whether compliance functions are fulfilling their mandate.
• Resource Constraints: Internal Audit did not have the resources to provide assurance over every control and compliance risk.

How Can Audit Maximize Its Assurance Coverage Over the Compliance Environment?

Polling Question Does your organization have a Chief Compliance Officer?

Understanding Sources of Assurance: The Three Lines of Defense
• First Line: Management Control Framework
• Second Line: Functional Assurance (Compliance Network)
• Third Line: Internal Audit

Assurance Scale: Low (Management Action) to High (Independent Action)

What’s Integrated Assurance?
• Integrated Assurance is a new methodology Audit is developing to broaden our risk coverage and assurance reporting to the Audit, Compliance, and Risk Committee (ACR) of the Board of Visitors and avoid redundant assurance activities.
• Our methodology will evaluate the breadth and depth of functional compliance units’ monitoring and control activities, support for key reported metrics, org reporting structure, etc. to establish Audit’s reliance strategy.
• Where Audit can adopt a high reliance strategy, compliance reporting can be integrated into risk reporting to the ACR Committee.

Internal Audit’s High Level Methodology
Four Key Steps:
1. Identify
2. Evaluate
3. Report
4. Monitor and Adjust

Attorney Client Privilege
• General Counsel was engaged to determine need for Attorney-Client Privilege.
• Performing the audit work under Attorney-Client Privilege allows the University to assess the legal sufficiency of processes and conduct self-critical analysis to improve compliance activities.

Risk Based Audit Plan
• Management-Led Compliance Risk Assessment
• Compliance Regulations were assessed using the following criteria:
  1. Legal Consequences of Non-Compliance
  2. Operations/Mission Consequences of Non-Compliance
  3. Brand/Reputation Consequences of Non-Compliance
  4. Level of Effort to Address Regulatory or Statutory Changes (past calendar year)
  5. Regulatory Scrutiny
  6. Highly Cross-Functional
• Two Distinct but Integrated Assurance Risk Assessments – Medical and University



Determining a Risk Based Audit Plan

Integrated Assurance Audit Program
• Based on Seven Elements of the Federal Sentencing Guidelines for an Effective Compliance Program
• “Quick Hit” approach to extend Audit’s assurance over multiple compliance functions
• Standardized Audit program to ensure consistency and minimize time in the field
• Audit Program Criteria (2).xlsx

Communicating Levels of Assurance
• Audit is currently working with General Counsel to determine the most appropriate routes of communicating results to maintain Attorney-Client Privilege.
• Areas with high risk, low maturity compliance oversight could be scheduled for more in-depth audits as part of the overall audit plan.

Monitoring Changes and Adjusting Audit Plan
• AVP of Compliance in partnership with Audit will continuously monitor the compliance environment to assess material changes that may increase levels of risk or decrease levels of assurance over an audited function.
• Some examples of material changes include:
  1. Decrease in staffing in a compliance area.
  2. Decrease in funding to a compliance area.
  3. Increased scrutiny or media awareness of a compliance topic.
  4. Material changes in legislation.

QUESTIONS? Contact Info: Thomas Gorski [email protected] 434-924-0904

Auditing Fiscal Stewardship @ UVa CUAV 2016

• Fiscal Stewardship
• IIA and Internal Control
• Audit Objectives
• Data Elements
• Hypotheses/Indicators
• Next Steps
• Questions/Comments

Fiscal Stewardship
Stewardship refers to processes and structures that allocate, manage, and monitor resources critical to the Institution’s mission. At UVa, we considered:
a. Key internal financial controls in the decentralized environment
b. Unit-level fiscal discipline
c. Application of University Financial Model (Budget)

Phase 1: Key Internal Financial Controls in the Decentralized Environment


IIA and Internal Control
2130 – Control: The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:
• Achievement of the organization's strategic objectives;
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations and programs;
• Safeguarding of assets; and
• Compliance with laws, regulations, policies, procedures, and contracts.


Polling Question
How frequently do you use data analytics to test internal control?
a) Frequently
b) Sometimes
c) Rarely / Never


Audit Objectives
• To define, develop and validate key internal control risk indicators using data analytics.
• Because of the decentralized environment at the University, conduct unit-level reviews of internal control effectiveness.


To Develop Indicators We Needed Data

Spend Data – FY14 and FY15
• Spending at the organization, award (State/Gifts/Grants/etc.) and project level (volume of transactions per month);
• Spending at the expenditure type level (OTPS vs Personnel Services, OT, Travel, P-card, Supplies, Scholarships, etc.);
• Spending broken down by transaction amount; and
• Monthly reconciliation information.

Staffing Data – FY14 and FY15
• FTE count;
• vacancy rates;
• vacancy rate in finance/research positions; and
• turnover rates.

Other data sources: Cash Receipts, Cost Transfers, Fixed Assets, Sole Source PO information, Research Funding, Student Information, Budget data (Carry forward), and School Administration Hierarchy and Centers


Potential Indicators

Potential Indicators – Research
• High $ amount of research
• Research funding from multiple sources (Federal, Industry, or Foundation)
• Low staff to faculty ratio
• High vacancy rate in research staff positions
• Turnover in research staff positions

Potential Hypothesis – Departments that pop on X of these 5 indicators point to higher internal control risk


Next Steps
• Identify units to audit based on those areas where the indicators pop
• Develop standardized quick-hitter fieldwork program that will include data analytics, questionnaires, and sampling approaches for critical decentralized fiscal processes
• Perform audits and test internal controls in the selected units
• Assess whether the indicators support our hypotheses
• Fine tune indicators and develop additional indicators
• Use data visualization tools to communicate results to management
• Continue completing quick-hitter audits in units based on data and improving the forecasting value of the indicators
• Ultimately share the indicators with management


Any Questions/Comments/Suggestions?

Contact Information Dan Reid [email protected] 434 924-0536
