FROM HINDSIGHT TO FORESIGHT: REPOSITIONING INTERNAL AUDIT TO DELIVER HIGHER VALUE

Agenda
• Repositioning Internal Audit
• FY 2016-FY 2017 Audit Resource Deployment Plan
• Resources and Staffing
• Supplemental Materials

Repositioning Internal Audit: Building Blocks of the New Internal Audit Function

Our relationships embody respect, insight, balance, trust, and care. We value:
• Leadership development
• Civility
• The voices of our stakeholders
• We operate transparently
• We are aware of our impact
• We have an enterprise view

We deliver insight and foresight to our colleagues and stakeholders through:
• Professional competence
• Business acumen
• Focus on Cornerstone Plan and Health System strategy
• Data-driven analyses
• Our network of colleagues and connections throughout the University and the profession

We serve the audit profession in the Commonwealth of Virginia, the higher education industry, and around the globe:
• We collaborate and share our knowledge generously
• We set the bar for excellence and leading practice in internal auditing

How we built the risk-based audit plan

To build the audit plan we established an "audit universe" and assigned risk weightings, drawing on the following inputs.

Audit Universe
• Academic Division: U.Va.'s Budget System Hierarchical Org Data (Unit, Expenditure $, Grant $, FTEs)
• MC/Health System: May 2015 Operating Margin Report

Enterprise Risks (relevant UVA ERM risks)
1. Funding to achieve goals
2. Management of human capital
3. Legal compliance
4. Keeping pace
5. Reputation with key stakeholders
6. Geo-political and economic risks
7. Safety/security
8. Cybersecurity/leveraging IT
9. Org/operational efficiencies

Industry Risks
• Higher Ed
• Healthcare
• Peer Benchmarking
• Hot Topics
• Regulatory Compliance
• Emerging practices (e.g. ACO, Value Based Care)

Strategic Objectives
• Cornerstone Plan
• U.Va. Health System Strategy

Stakeholder input, including: ACR Chairman, MC Cabinet, EVP/COO, IT Leadership, Provost's Office

Audit Resources Deployment FY 16-FY 17

Academic Team
• Faculty Recruitment and Retention
• Research Expansion Initiative

Med Center Team
• Clinical Engineering
• Charge Capture

IT Team
• Cybersecurity
• IT Governance and Standards
• IT Asset Management
• Change Control and System Configuration

Integrated Team Audits and Reviews
• Fiscal Stewardship (Pan-University)
• EPIC Phase 2 Implementation
• Managerial Reporting Implementation
• PeopleSoft Upgrade
• Physical Safety and Security

Integrated Assurance
• Compliance Oversight Verification
• Data Privacy
• Segregation of Duties (Oracle, PeopleSoft, EPIC)

Audit Department Process Improvements

Audit Department Resources (future)

In the original org chart, current vacancies are marked in red and redeployed resources in green.

Chief Audit Executive
• Office Manager
• Director IT Audit
    • Assoc Dir IT
    • Senior IT Auditor
    • Senior IT Auditor (new hire)
    • IT Auditor
• Director HS and University Audits (TBD)
    • Manager
        • Senior Auditor
        • Senior Auditor
        • Staff Auditor
• Manager HS Audits
    • Senior HS Auditor
    • HS Auditor (new hire)
    • HS Auditor (new hire)
• Special Projects (all areas)
    • Integrated Assurance
    • Continuous Monitoring/Fraud Risk
    • Hotline follow up

Notes
• Maintains current 17 position headcount while increasing Managers' span of control (3rd Director role not replaced)
• Reporting location of Health System (HS) Auditors depends on skill sets of TBD Director
• Will need to evaluate where specialization of audit skills is required as we make new hires, shift current resources, or cosource
• Audits will be conducted using a pooled resource approach where possible; administrative reporting would remain as shown

Unpacking the Audit Plan: Potential Scope of Audit Plan Topics (SUPPLEMENTARY MATERIALS)

Unpacking the Plan: Potential Scope Areas, Academic Team

Audit: Curry School of Education
Why selected: In progress from prior year plan
Potential scope: Degree audit; Centers and Clinics (licensure, background checks, patient health data, revenue generation/charge capture); Academic Programming

Audit: Faculty Recruitment and Retention
Why selected: Cornerstone Pillar IV: Assemble and Support a Distinguishing Faculty; ERM Risk: Management of Human Capital
Potential scope: Large program governance; Effectiveness of risk management for strategically critical program

Audit: Research Expansion Initiative
Why selected: Cornerstone Pillar II: Advance Knowledge; ERM Risks: Funding to Achieve Goals, Keeping Pace
Potential scope: Large program governance; Effectiveness of risk management for strategically critical program

Unpacking the Plan: Potential Scope Areas, Med Center Team

Audit: Pyxis Medstation Access Review
Why selected: In progress from prior year plan
Potential scope: User provisioning; Evaluation of biometric access usage

Audit: Clinical Engineering
Why selected: Cyber/Data Security of Patient Information; Patient Care/Safety & Quality of Patient Care; ERM Risk: Legal and Compliance
Potential scope: Staff Productivity; Data security and privacy practices; Device maintenance scheduling and equipment monitoring procedures; Useful life monitoring and evaluation

Audit: Charge Capture
Why selected: OIG Workplan; Margin Management; ICD-10 Implementation; EMR/Medical Documentation; Regulatory Billing Compliance
Potential scope: Evaluation of facility/technical fee billing by the MC for nurse-only and procedure visits; Billing of Medications and Med Administration

Audit: Value Based Care
Why selected: Healthcare Industry Major Trend
Potential scope: TBD in partnership with MC leadership

Unpacking the Plan: Potential Scope Areas, IT Audit

Audit: Information Security, Policy, and Records Office
Why selected: KPMG 2015 IT Security Assessment; CEB 2015 Audit Plan Hotspots; PCI Compliance
Potential scope: Governance/Standards; Information Security Policy; Monitoring Procedures; Data Loss Prevention; Malware Prevention

Audit: Cybersecurity
Why selected: ERM Risk: Cybersecurity/Leveraging IT; CEB 2015 Audit Plan Hotspots; KPMG 2015 IT Security Assessment
Potential scope: Incident response; Network; Operating Systems; Databases (data-at-rest); BYOD (Bring Your Own Device)

Audit: Change Control and System Configuration
Why selected: Key general computing controls; KPMG 2015 IT Security Assessment
Potential scope: Student Information System (SIS); Oracle & PeopleSoft HR and FIN modules; EPIC

Unpacking the Plan: Potential Scope Areas, IT (Cont.)

Audit: PeopleSoft
Why selected: Significant Upgrade; Data Privacy
Potential scope: Privileged User Access; SOD; Service/Generic Accounts; Patching Procedures; Database Security

Audit: IT Asset Management
Why selected: KPMG 2015 IT Security Assessment
Potential scope: IT Inventory Management (Central and Non-Central Assets and Systems); Termination Handling; Disposal Procedures

Audit: Disaster Recovery
Why selected: Key general computing controls; Changing Technology
Potential scope: Replication Process Testing; Key Metrics and SLAs

Unpacking the Plan: Potential Scope Areas, Integrated Team Audits and Reviews

Audit: Fiscal Stewardship
Why selected: Cornerstone Pillar V: Steward the University's Resources to Promote Academic Excellence and Affordable Access
Potential scope: Key internal financial controls; Unit-level fiscal discipline; Application of University Financial Model

Audit: EPIC Phase 2 Implementation (HS Revenue Module)
Why selected: Significant financial application; Significant capital expenditure
Potential scope: Program governance; Access/data security; Configuration settings; Segregation of duties

Audit: Managerial Reporting Implementation
Why selected: Significant financial application; Significant capital expenditure
Potential scope: Data security; Data integrity

Audit: Physical Safety and Security
Why selected: ERM Risk: Safety/security of students, faculty and staff
Potential scope: Clery audit follow up; Police training; Physical security; Building access

Unpacking the Plan: Potential Scope Areas, Integrated Team Audits and Reviews (Cont'd)

Audit: Integrated Assurance
Why selected: ERM Risk: Legal and Compliance; Higher Education Industry risks; Reputational risks; CEB 2015 Audit Plan Hotspots
Potential scope: Effectiveness of 2nd line of defense compliance functions:
• NCAA
• Environmental Health & Safety
• Research-related (OSP, IRB)
• Corp Compliance (Med Ctr)
• Title IX
• Clery Act
• ARMICS ("Government SOX")

Audit: Privacy
Why selected: ERM Risk: Legal and Compliance; CEB 2015 Audit Plan Hotspots
Potential scope: PII (Personally Identifiable Information); Student Data; HIPAA compliance; Cloud and mobile environments

Audit: Segregation of Duties
Why selected: Foundational fraud risk control; Data security and integrity; Reporting accuracy
Potential scope: Oracle; PeopleSoft; EPIC