The University of Toledo Finance and Audit Committee FY2016 Risk Assessment and Internal Audit and Compliance Plan

Author: Jessica Fleming

September 21, 2015

FY2016 Internal Audit Risk Assessment

KEY RISK AREAS: INTERNAL AUDITS (ACADEMIC ENTERPRISE)

Business risk: Are academic departments and support operations compliant with administrative policies and procedures pertaining to wise stewardship of State money?
Planned activity: Conduct a series of departmental “field” reviews of UT academic departments and business units across all campuses.
Previous activity:
• Annual audit cycle
• Cover all high-risk areas within five years
• Identify “best” operating practices at UT
• Identify trends of internal control issues

Business risk: Is the employee staffing and compensation process effective and efficient, does it produce reliable financial reporting, and does it comply with applicable laws?
Planned activity: Lead a Control Self-Assessment of the Human Resources, Talent Development, and Payroll business processes, with emphasis on process redesign. Review employee dependent benefit eligibility.
Previous activity:
• Two-year audit cycle
• Changes in leadership
• Undocumented, non-standard processes
• Numerous employee overpayments
• Employee classification codes

Business risk: Are research and development expenses expended in accordance with the terms of individual grants and State, Federal, and University regulations?
Planned activity: Review research grant procedures and test a sample of payroll expenses to ensure compliance with these procedures and external regulations.
Previous activity:
• Three-year audit cycle
• Collaboration with Plante and Moran
• Financial conflict of interest issues
• Issues with ARRA grant reporting

Business risk: Is financial aid awarded only to eligible students, consistent with the terms of the various award programs?
Planned activity: Review student financial aid procedures and test a sample of loans to ensure that eligibility requirements are met and financial aid is disbursed accurately.
Previous activity:
• Annual audit cycle
• Significant annual dollar throughput
• Collaboration with Plante and Moran
• Issues with financial aid disclosures

Business risk: Are purchases of materials and supplies, and the accounting for them, conducted in a controlled and consistent manner?
Planned activity: Review supply chain operations, to include inventory procedures and purchasing and contracting practices.
Previous activity:
• Three-year audit cycle
• High-dollar throughput
• Significant changes since 2012

KEY RISK AREAS: INTERNAL AUDITS (CLINICAL ENTERPRISE)

Business risk: Are only healthcare professionals with a “need to know” accessing patient medical records?
Planned activity: Audit a selection of patient medical records to determine who attempted to access them. Confirm whether these individuals had a legitimate business need to access them.
Previous activity:
• Annual audit cycle
• Known problem area within UTMC
• Minimal improvement over time
• Significant fines and penalties
• Software purchased to facilitate this audit

Business risk: Is the data given to the patient upon his/her medical discharge accurate and applicable only to that patient?
Planned activity: Evaluate the process for discharging patients for effectiveness, efficiency, and quality.
Previous activity:
• Four-year audit cycle
• Changes to process since reorganization
• Process varies by clinic/department

Business risk: Do the hospital and clinic computer systems under development promote a streamlined and secure process flow between the patient, Information Technology, and operating departments?
Planned activity: Participate in the various “Meaningful Use” new clinical systems development projects as a controls consultant and identify opportunities for system and process integration.
Previous activity:
• Five-year audit cycle
• Recommendations on transaction testing
• Verified project milestone achievement
• Improved new systems methodology
• Advised on project planning

KEY RISK AREAS: INFORMATION TECHNOLOGY

Business risk: Are the University’s computer systems protected against unauthorized and unapproved attempts to obtain access?
Planned activity: Conduct an independent and objective test of the vulnerabilities of the University’s academic and clinical information systems (system penetration analysis). This would be accomplished using a combination of attempts to access the computer systems electronically and via “social engineering”.
Previous activity:
• Two-year audit cycle
• Finance and Audit Committee request
• Now required as part of PCI standards
• Recent email “phishing” incidents
• Benchmark to Ohio public universities
• Most peer institutions have already performed at least one
• Partnership with independent, objective third-party subject matter expert

Business risk: Does the University comply with Payment Card Industry standards for network security when processing University credit card transactions at all locations?
Planned activity: Self-assess security and application controls over the computer networks that process student and patient credit card transactions. Independently evaluate compliance with these controls.
Previous activity:
• Two-year audit cycle
• Developed University PCI policy
• Developed PCI compliance procedure
• Procedure to vet PCI-compliant systems
• Process to secure network infrastructure

Business risk: Are changes to the University’s enterprise software made in a controlled environment, with established testing practices and separation of duties between the “test” and “live” environments?
Planned activity: Determine the ability of IT programmers to promote tested programs into the “live” environment without appropriate oversight. Confirm that unit and integrated testing is sufficient to ensure software integrity.
Previous activity:
• Two-year audit cycle
• High volume of software changes
• Previous history of issues in this area
• Programmers assuming user duties
• No user guidance on software testing
• Area of interest to Plante and Moran

Business risk: Are changes made to the University’s healthcare information systems in a structured, controlled manner that supports authorizations, approvals, testing, documentation, and end user engagement?
Planned activity: Determine the effectiveness of change management procedures within the University of Toledo’s healthcare informatics environment.
Previous activity:
• Three-year audit cycle
• Systems development methodology
• Information security issues
• Software change management issues
• Relationship with software vendor

KEY RISK AREAS: CAMPUS SAFETY

Business risk: Have the proper UT employees been informed of their responsibilities to act when faced with a campus safety issue?
Planned activity: Assess the process for assigning and training employees designated as “Campus Security Authorities” (“CSAs”) per the Clery Act.
Previous activity:
• Five-year audit cycle
• Are the correct people named as CSAs?
• Are they trained on their responsibilities?
• Are duties reflected in job descriptions?

Business risk: Does the University have sufficient tested procedures to recover and restore to normal business operations following an emergency?
Planned activity: Evaluate the effectiveness of emergency preparedness practices on all campuses when faced with a threat due to campus safety, natural disaster, or an IT interruption.
Previous activity:
• Three-year audit cycle
• Investment in monitoring technology
• Emergency procedures need testing
• Known issues with IT disaster recovery
• Known issues with UT Alert process

Business risk: Have the recommendations from the Title IX consultant been implemented properly, and is there appropriate ongoing monitoring/refinement of the process?
Planned activity: Work with the Title IX compliance officer to draft, implement, and test an employee education and incident management process.
Previous activity:
• Annual audit cycle
• Recent attention to/investment in Title IX
• Some action items remain open
• Communication process is ongoing
• New processes not yet fully in place

Business risk: Is the University well positioned to accurately report crime and fire safety statistics, and to discharge its duties per the Violence Against Women Act?
Planned activity: Prepare an “annual report” of the University’s preparedness under the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act.
Previous activity:
• Annual audit cycle
• Key provisions of relevant regulations
• Transform regulations into procedures
• Test for compliance with procedures
• Prepared by Clery Compliance Officer

KEY RISK AREAS: ATHLETICS

Business risk: Do student-athletes receive only those benefits permissible under NCAA regulations?
Planned activity: Ensure that scholarships/academic awards contain only those benefits that are acceptable under NCAA rules.
Previous activity:
• Three-year audit cycle
• Only NCAA-permissible benefits
• Athlete scholarships and financial aid

Business risk: Are coaches being paid in accordance with the terms of their contracts, including incentive compensation?
Planned activity: Compare the financial terms of selected coaches’ compensation packages to the salaries, benefits, and bonuses recorded.
Previous activity:
• Five-year audit cycle
• Review contracts and amendments
• Inspect payroll summary registers

Business risk: Are revenues and expenses pertaining to intercollegiate athletics accounted for according to NCAA rules and UT policy?
Planned activity: Evaluate the financial controls over guarantees; administrative salaries and benefits paid by UT; and recruiting.
Previous activity:
• Annual audit cycle
• Collaboration with Plante and Moran
• Reporting to Ohio Auditor of State
• Monitoring of actual & budget variances

Business risk: Are football attendance statistics accurately recorded and reported in a timely manner to the NCAA?
Planned activity: Review and certify attendance counts for all University home football games per NCAA regulations.
Previous activity:
• Annual audit cycle
• Has historically met attendance levels
• NCAA requirement

Business risk: Does “other” athletics income reported by UT qualify as operating income by the NCAA?
Planned activity: Compare other operating revenues to the institution’s general ledger and the statement, and recalculate totals.
Previous activity:
• Five-year audit cycle
• Review nature and purpose of expenses
• Compare to budget and prior-year actual

Business risk: Does the University appropriately record income from barter agreements, sports camps, and other athletics ventures?
Planned activity: Review athletics revenue-generating agreements and confirm that stated obligations have been met by all parties.
Previous activity:
• Annual audit cycle
• Document sources of coaching income
• NCAA requirement

Business risk: Is UT’s methodology for allocating student fees to athletics programs consistent with NCAA expectations?
Planned activity: Compare student fees reported by UT to student enrollments during the same reporting period.
Previous activity:
• Five-year audit cycle
• Actual allocations have not historically always equaled planned allocations

Business risk: Is the University well positioned to meet the various student-athlete compliance requirements of the NCAA and the Mid-American Conference?
Planned activity: Prepare an “annual report” of the University’s preparedness under national and conference athletics requirements.
Previous activity:
• Annual audit cycle
• Transform regulations into procedures
• Test for compliance with procedures

KEY RISK AREAS: INSTITUTIONAL COMPLIANCE

Business risk: Is an effective process in place for identifying and acting on allegations of lapses in business ethics by UT employees?
Planned activity: Document the process for investigating allegations made via the University’s Anonymous Reporting Line (“Hotline”).
Previous activity:
• Annual audit cycle
• Summarize recent cases and resolution
• Process for publicizing the Hotline

Business risk: Does the University effectively identify and act on violations of Federal and State requirements of grants and sponsored programs?
Planned activity: Prepare an “annual report” of compliance with the various regulatory requirements in the research area to which the University is accountable.
Previous activity:
• Annual audit cycle
• Identify requirements of applicable laws
• Test compliance with these requirements
• Monitor and resolve action items

Business risk: Is the University compliant with federal and state laws and regulations tied to state authorization and the Federal Program Integrity Rules under Misrepresentation?
Planned activity: Create processes, policies, and procedures that address the existing legal and regulatory requirements and that provide necessary and relevant information to internal and external stakeholders about state authorization and professional licensure requirements in states outside of Ohio.
Previous activity:
• Annual audit cycle
• Research statutes
• Submit applications to states, as needed
• Document & track essential information
• Discuss issues with accreditation staff and regulatory decision makers
• Publish information on how students can file a complaint in each state

Business risk: Does the University’s governance structure promote compliance with applicable laws and regulations for both the academic and clinical enterprises?
Planned activity: Conduct a risk assessment of all aspects of institutional compliance to include (but not be limited to): capital projects, facilities, contracts, healthcare, human resources, labor relations, and research.
Previous activity:
• Annual audit cycle
• Project will form the basis for a UT enterprise risk management framework

KEY RISK AREAS: HEALTHCARE COMPLIANCE

Business risk: Do the various University of Toledo Medical Center (UTMC) operating units align with the UTMC compliance operating plan, as evidenced by departmental “field” reviews (certain of which are documented here)?
Planned activity (departmental “field” reviews):
• Addiction Recovery Program
• Cardiovascular Unit
• Dana Cancer Center
• Endoscopy
• Horizon Patient Portal
• Pain Management
• Pharmacy Log
Previous activity:
• Annual audit cycle
• Healthcare Compliance Committee
• Privacy and Security Committee
• Physician chart audits
• Joint Commission preparedness
• Status reports to Board
• UTMC administrative support needed

Business risk: Is the University well positioned to address the various operational compliance and data privacy requirements for which UTMC is accountable?
Planned activity: Prepare an “annual report” of the University’s level of compliance with healthcare regulations, including the gaps that UTMC management should address in the near term.
Previous activity:
• Annual audit cycle
• Key provisions of relevant regulations
• Transform regulations into procedures
• Test for compliance with procedures
• Monitor and report on compliance issues

KEY RISK AREAS: AMERICANS WITH DISABILITIES ACT

Business risk: Does the University provide reasonable accommodations to students that have a form of disability?
Planned activity: Progress the University’s Americans with Disabilities Act compliance program, which includes a comprehensive series of audits to evaluate academic accommodations.
Previous activity:
• Annual audit cycle
• Student Disability Services function
• Granting required ADA accommodations
• Services to students
• Support to faculty

Business risk: Does the University provide reasonable accommodations to patients that have a form of disability?
Planned activity: Progress the University’s Americans with Disabilities Act compliance program, which includes a comprehensive series of audits to evaluate facilities and facilities transition plans.
Previous activity:
• Annual audit cycle
• Incorporating ADA in UT facilities policies
• Ensure new facilities are ADA compliant
• Develop a plan for older facilities
• Evaluate progress toward the plan

Business risk: Has the University of Toledo Medical Center developed a plan to ensure Americans with Disabilities Act compliance in all its forms, and is it progressing this plan?
Planned activity: Progress the University’s Americans with Disabilities Act compliance program, which includes a comprehensive series of audits to evaluate compliance of the clinical enterprise.
Previous activity:
• Annual audit cycle
• Clinical facilities transition plan
• Accessible pathways
• Process for requesting accommodations
• Services to patients, families, and staff

Business risk: Is the University well positioned to meet the expectations of the Department of Education and Office of Civil Rights regarding providing ADA accommodations to its stakeholders?
Planned activity: Prepare an “annual report” of the University’s preparedness under the ADA and Section 504 of the Rehabilitation Act of 1973.
Previous activity:
• Annual audit cycle
• Key provisions of relevant regulations
• Transform regulations into procedures
• Test for compliance with procedures
• Facilities and services compliance
• Technology compliance