FY2014 Risk Assessment

Finance and Audit Committee
FY2014 Risk Assessment and
Internal Audit and Compliance Plan
August 12, 2013
KEY RISK AREAS
ACADEMIC ENTERPRISE: STUDENT- AND FACULTY-BASED PROCESSES
BUSINESS RISK
PLANNED ACTIVITY
• Are internal processes and computer systems
designed to facilitate the student experience?
• Support the University-wide initiative to improve student
customer service through the implementation of system
and process improvements that will minimize student wait
time and complaints/concerns.
• Is the student and employee community aware of
and abiding by their obligations to report on-campus
crimes, and is the University’s reporting of
these incidents accurate and complete?
• Review the completeness, accuracy, and timeliness of
campus police’s gathering and reporting of crime
statistics pursuant to the Jeanne Clery Act.
• Is financial aid awarded only to eligible students
consistent with the terms of the various award
programs?
• Review student financial aid procedures and test a
sample of loans to ensure that eligibility requirements are
met and financial aid is disbursed accurately.
• Does the research and innovation division of the
University conduct its financial business in a
responsible and transparent manner, consistent
with appropriate accounting principles?
• Review financial transactions of the University of Toledo
Innovation Enterprises. Ensure that appropriated
amounts were used for their intended purposes.
KEY RISK AREAS
ACADEMIC ENTERPRISE: BUSINESS SUPPORT FUNCTIONS
BUSINESS RISK
PLANNED ACTIVITY
• Is the University’s cost base aligned with trends
and projects for student enrollment and retention,
patient registrations, and projected support from
the State and Federal Government?
• Support the Redesign Coordination Group and the
University President in implementing business process
improvements intended to appropriately position the
University to meet future business realities.
• Is information and software processed in the data
center environment secured and protected?
• Review IT “general controls”, such as information security
and change control that impact numerous computer
systems.
• Does the University provide reasonable
accommodations to students, patients, and staff
who have a form of disability?
• Progress the University’s Americans with Disabilities Act
compliance program, which includes a comprehensive
series of audits in the following areas …
  - Academic Accommodations
  - Distance Learning
  - Facilities
  - Web Accessibility
KEY RISK AREAS
ACADEMIC ENTERPRISE: INTERCOLLEGIATE ATHLETICS
BUSINESS RISK
PLANNED ACTIVITY
• Does the University appropriately record income
from barter agreements, sports camps, and other
athletics ventures?
• Review athletics revenue-generating agreements
(“outside income”) and confirm that stated obligations
have been met by all parties.
• Does the University limit its organized practice
activities, the length of its playing seasons and
number of its regular-season contests and/or dates
of competition in all sports, as well as the extent of
its participation in non-collegiate sponsored
athletics activities, to minimize interference with the
academic programs of its student-athletes?
• Determine the level of compliance with NCAA
regulations pertaining to playing and practice sessions.
These include general playing-season regulations,
foreign tours, and playing rules.
• Is University contact with prospective student-athletes
in accordance with NCAA regulations, and
is it being monitored accordingly and appropriately
for all team sports?
• Review phone, email, Internet, and letter correspondence
between coaches/administrators and prospective
student-athletes on a surprise basis. Report results and monitor
corrective action.
• Are revenues and expenses pertaining to
intercollegiate athletics accounted for properly
according to National Collegiate Athletics
Association (NCAA) rules and University policy?
• Evaluate the quality of financial controls over athletic
student aid; guarantees; support staff/administrative
salaries, benefits and bonuses paid by the University
and related entities; and recruiting.
KEY RISK AREAS
CLINICAL ENTERPRISE: BUSINESS PROCESS REVIEWS
BUSINESS RISK
PLANNED ACTIVITY
• Are all billable transactions captured at the time of
inpatient diagnosis and fully reflected in customer
bills?
• Review the accuracy and reliability of the charge master
databases, the charge capture process, and procedures
for maximizing inpatient margins.
• Do construction and supply chain vendors doing
business with the University comply with the
provisions of their contracts?
• Review commercial contracts of selected vendors and
projects.
• Are policies and procedures currently in place at
UTMC clinics effective in managing business
risks?
• Assess whether adequate internal controls existed in the
areas of IT, personnel, registration, charge capture and
recording, billing, cash collections and drug storage and
dispensing.
• Are UTMC business units effective in managing
customer wait times, operating expenses, and
patient satisfaction?
• Collaborating with the Redesign Coordination Group,
benchmark UTMC operating departments with Lean Six
Sigma and other process engineering principles.
• Is UTMC prepared for upcoming changes to coding
of medical transactions?
• Review system and documentation requirements to
ensure readiness for future ICD-10 coding classifications.
• Do the hospital and clinic computer systems under
development promote a streamlined and secure
process flow between the patient, Information
Technology, and operating departments?
• Participate in the various “Meaningful Use” new clinical
systems development projects as a controls consultant
and identify opportunities for system and process
integration.
KEY RISK AREAS
CLINICAL ENTERPRISE: CLINICAL COMPLIANCE
BUSINESS RISK
PLANNED ACTIVITY
• Does the compliance plan protect the academic
and clinical enterprises from significant violations of
the law and internal policies, as well as preserve
the confidentiality of patient and student
information?
• Update the Finance and Audit Committee on the nature
and resolution of clinical and academic compliance and
privacy events processed by the University, including …
  - Claim Development and Submission
  - Confidentiality Policy
  - Emergency Patients
  - Handling of Government Inquiries, Etc.
  - Patient Resident Stay
  - Medical Documentation
  - Patient Resident Intake
  - Quality of Care
  - HIPAA
  - FERPA
  - Stark Law
  - Other aspects of clinical compliance