Audit Compliance Committee

UNIVERSITY OF VIRGINIA
BOARD OF VISITORS
MEETING OF THE
AUDIT AND COMPLIANCE
COMMITTEE
JUNE 5, 2014
AUDIT AND COMPLIANCE COMMITTEE
(Open Session)
Thursday, June 5, 2014
2:15 – 2:45 p.m.
Auditorium of the Albert & Shirley Small
Special Collections Library, Harrison Institute
Committee Members:
Hunter E. Craig, Chair
Frank B. Atkinson
Kevin J. Fay
Frank E. Genovese
Victoria D. Harker
Bobbie G. Kilberg
John L. Nau III
Linwood H. Rose
George Keith Martin, Ex-officio
Adelaide Wilcox King, Faculty Consulting Member
AGENDA                                                                  PAGE
I.   ACTION ITEMS (Ms. Deily)
     A. Audit Schedule, 2014-2015                                          1
     B. Corporate Compliance Project Schedule, 2014-2015                   8
        (Ms. Deily will introduce Ms. Lori Strauss; Ms. Strauss to report)
II.  INFORMATION ITEMS (Ms. Deily)
     A. Auditor of Public Accounts Report on Implementation of            10
        Recommendations (Ms. Deily to introduce Ms. Karen Helderman;
        Ms. Helderman to report)
     B. Report on Enterprise Risk Management                              11
        (Ms. Deily to introduce Mr. Gary Nimax; Mr. Nimax to report)
     C. Summary of Audit Findings                                         12
III. EXECUTIVE SESSION – LIST OF ITEMS
IV.  APPROVAL OF THE SUMMARY OF AUDIT FINDINGS                            19
UNIVERSITY OF VIRGINIA
BOARD OF VISITORS AGENDA ITEM SUMMARY
BOARD MEETING: June 5, 2014
COMMITTEE: Audit and Compliance
AGENDA ITEM: I.A. Audit Schedule, 2014-2015
BACKGROUND: Ms. Deily will present the proposed Audit Schedule
for the 2014-2015 fiscal year. The schedule has been developed
based on required work from state and external agencies, risk
assessment models, requests from management, and analyses of
work performed in prior years.
ACTION REQUIRED: Approval by the Audit and Compliance Committee
and by the Board of Visitors
AUDIT SCHEDULE FOR FISCAL YEAR 2014-2015
RESOLVED, the Audit Schedule for fiscal year 2014-2015 is
approved as recommended by the Audit and Compliance Committee.
Determination of Hours Available for 2014-2015 Audit Projects

                                                      Total
Total Hours Available                                35,360
Less: Vacancies                                       2,600
Sub-Total                                            32,760
Professional Development                              1,124
Holidays                                              1,668
Other Leave                                           4,173
Other Activities                                      4,390
  • Office and Personnel Administration
  • Recruiting
  • Committee & Council Meetings
  • Travel
Hours Available for Audit Projects                   21,405

(Chart: Audits 65%; Other Activities 13%; Other Leave 13%; Holidays 5%; Prof. Dev. 4%)
Allocation of Hours Available for Audit Projects
Fiscal Year 2014-2015

                                                              Total
Hours Available for Audit Projects                           21,405
Less:
  Wrap-up of FY 13-14 Audit Schedule                            510
  Unscheduled Audits/Special Requests/Hotline Projects        4,730
  General Systems Development & Consulting                    1,330
  External Assistance                                           683
  Board Preparation & Meetings                                  340
  IT Support of Projects/Activities                             860
  General Project Support/Supervision/Strategic Planning      3,823
Hours Available for Scheduled Audit Projects                  9,129
2014-2015 Audit Schedule

UNIVERSITY
DEPARTMENT/DIVISION                                  BUDGETED HOURS
EDUCATION
  Curry School of Education                                     400
  College at Wise                                               600
GOVERNANCE
  Strategic Data Validation                                     500
PUBLIC SERVICE
  Darden Fund Transfer                                          150
  Football Attendance                                            20
RESEARCH
  Office of Sponsored Programs                                  400
  Grant Financial Audit                                         150
SUPPORT SYSTEMS
  General Ledger Transfers                                      350
  Procurement and Supplier Diversity                            400
  Housing & Residence Life                                      400
OTHER ACTIVITIES/ATTEST FUNCTIONS
  Bookstore Inventories                                         150
  Follow-Ups                                                    266
UNIVERSITY TOTAL                                              3,786
2014-2015 Audit Schedule

HEALTH SYSTEM
DEPARTMENT/DIVISION                                  BUDGETED HOURS
GOVERNANCE
  Epic Security Points                                          400
  Epic Employee Access                                          300
PUBLIC SERVICE
  Open Encounter Work Group                                     100
  Outpatient Clinic Charge Capture                              400
OTHER ACTIVITIES/ATTEST FUNCTIONS
  Electronic Reconciliation System Development                   80
  Follow-Up Audits - Medical Center                             200
  Inventory – Pharmacy Services                                  75
  Inventory – Surgical Supply                                    75
HEALTH SYSTEM TOTAL                                           1,630
2014-2015 Audit Schedule

INFORMATION TECHNOLOGY
DEPARTMENT/DIVISION                                  BUDGETED HOURS
GOVERNANCE
  Supervisory Control and Data Acquisition (SCADA) - University 260
  SCADA – Health System                                         260
  Operating System – University                                 320
  Operating System – Health System                              300
  Network/Firewall - University                                 390
  Network/Firewall – Health System                              390
OTHER ACTIVITIES/ATTEST FUNCTIONS
  Follow-Up Audits                                              153
INFORMATION TECHNOLOGY TOTAL                                  2,073
2014-2015 Audit Schedule

COMPLIANCE
DEPARTMENT/DIVISION                                  BUDGETED HOURS
GOVERNANCE
  Executive Turnover                                            740
  Presidential Travel & Entertainment                           100
OTHER ACTIVITIES/ATTEST FUNCTIONS
  Compliance Projects                                           800
COMPLIANCE TOTAL                                              1,640

UNIVERSITY, HEALTH SYSTEM, INFORMATION TECHNOLOGY
AND COMPLIANCE TOTALS                                         9,129
UNIVERSITY OF VIRGINIA
BOARD OF VISITORS AGENDA ITEM SUMMARY
BOARD MEETING: June 5, 2014
COMMITTEE: Audit and Compliance
AGENDA ITEM: I.B. Corporate Compliance Project Schedule, 2014-2015
BACKGROUND: Ms. Strauss will present the proposed Corporate
Compliance Project Schedule for the 2014-2015 fiscal year. The
schedule has been developed based on required work from federal,
state, and other regulatory agencies, risk assessment models,
requests from Medical Center management, and analyses of work
performed in prior years.
ACTION REQUIRED: Approval by the Audit and Compliance Committee
and by the Board of Visitors
CORPORATE COMPLIANCE PROJECT SCHEDULE FOR FISCAL YEAR 2014-2015
RESOLVED, the Corporate Compliance Project Schedule for
fiscal year 2014-2015 is approved as recommended by the Audit
and Compliance Committee.
UVA Health System
Corporate Compliance and Privacy Office

Determination of Hours Available for 2014-2015 Corporate Compliance and Privacy Projects
Fiscal Year 2014-2015

                                                              TOTAL
Total Hours Available                                         8,320
Less: Vacancies                                                   0
Sub-Total                                                     8,320
Professional Development                                        320
Leave and Holidays                                            1,160
Other Activities: Office and Personnel Administration           320
Hours Available for Compliance & Privacy Projects             6,520

Allocation of Hours Available for Corporate Compliance & Privacy Projects
Fiscal Year 2014-2015

                                                              Total
Hours Available for Compliance & Privacy Projects             6,520
Consulting: Policy and Procedure Reviews, Guidance              420
Developing and Conducting Training: Department-Specific
  Training, Website Content, Communications                     300
Unscheduled Compliance Projects: Investigations, Industry
  Alerts, Management Requests                                 1,500
Unscheduled Privacy Projects: Investigations, Notice
  Revisions, Risk Assessments, Breach Notifications           1,500
Hours Available for Compliance & Privacy Scheduled Projects   2,800

Corporate Compliance & Privacy Projects
Fiscal Year 2014-2015

Scheduled Projects                                            HOURS
Outpatient & Procedure Coding, Billing, & Documentation         800
Privacy Auditing and Monitoring: Monthly Site Visits            400
Inpatient Medicare Severity Diagnosis Related Groups:
  Correct Coding Validation and Medical Necessity             1,200
Compliance and Privacy Training: Annual, New Hire, Hybrid       400
Total                                                         2,800
UNIVERSITY OF VIRGINIA
BOARD OF VISITORS AGENDA ITEM SUMMARY
BOARD MEETING: June 5, 2014
COMMITTEE: Audit and Compliance
AGENDA ITEM: II.A. Auditor of Public Accounts (APA) Report on Implementation of Recommendations
ACTION REQUIRED: None
BACKGROUND: At the February Board meeting, Ms. Karen Helderman
presented audit findings covering significant internal control
deficiencies identified by the APA in the area of access to
University information systems. Ms. Helderman will report to
the Board on the progress made in addressing those findings.
This does not require formal action, but is information of which
the Board should be made aware.
UNIVERSITY OF VIRGINIA
BOARD OF VISITORS AGENDA ITEM SUMMARY
BOARD MEETING: June 5, 2014
COMMITTEE: Audit and Compliance
AGENDA ITEM: II.B. Report on Enterprise Risk Management (ERM)
ACTION REQUIRED: None
BACKGROUND: The University is revising its risk register given
the turnover in senior administration and board members, new
strategic plan and internal financial model, and changes in
higher education.
At the November 2013 meeting, Gary Nimax, the assistant
vice president for compliance and enterprise risk management,
reviewed the University's ERM program with the board and
discussed related goals for fiscal year 2013-14. At the
February 2014 meeting, Mr. Nimax reviewed a survey tool that has
been used to collect feedback from vice presidents and deans to
identify and rank key institutional risks.
DISCUSSION: Mr. Nimax will review the results of this effort, a
list of the top institutional risks in the academic division,
and a template to be used to document the mitigation strategies
identified for each of these risks.
UNIVERSITY OF VIRGINIA
BOARD OF VISITORS AGENDA ITEM SUMMARY
BOARD MEETING: June 5, 2014
COMMITTEE: Audit and Compliance
AGENDA ITEM: II.C. Summary of Audit Findings
ACTION REQUIRED: None
BACKGROUND: Ms. Deily will present a summary of findings on the
following audit reports: Health System Management of
Information Technology, University Management of Information
Technology, and School of Engineering and Applied Science.
AUDIT DEPARTMENT
EXECUTIVE SUMMARY
Health System Management of IT
January 8, 2014
BACKGROUND
This audit report was a management 'whitepaper' discussing the
state of University of Virginia (UVA) Health System (HS)
information technology (IT) and information security strategic
management for UVA management's information and consideration.
Strategic management is the highest level of management
framework and has significant importance to strong overall HS
services and IT governance and management. UVA Health System
(HS) consists of the following components: University of
Virginia Medical Center, School of Medicine, School of Nursing,
and The Claude Moore Health Sciences Library. Health System
Technology Services (HSTS) provides information, technology, and
project management services for the UVA Health System. HSTS
also provides the University Physicians Group, a separate
entity, with hosting services and application support. The
Health System Office of the Chief Information and Technology
Officer is responsible for management of HSTS.
AUDIT OBJECTIVES
Audit objectives included the review of IT strategic planning,
budgeting and management; policy, standards and procedures;
scope of services provided; strategic change and project
management; and strategic information security management.
OPINION ON AUDIT OBJECTIVES
Opportunities were observed to improve HS strategic governance
and management of information technology.
OBSERVATIONS NOTED FOR CONSIDERATION
1) Opportunities were observed to strengthen and formalize IT
steering committees and governance (organizational) structures
related to University and HS strategic IT governance, change
and project management.
2) Accelerated strategic planning, management, budgeting and
preparation were needed for high-impact initiatives facing HS.
3) The HSTS Technology Plan required update to reflect high
impact initiatives and increase focus on addressing legacy
systems and applications.
4) Extended use of business intelligence (BI) and dashboard
reporting was needed for key IT and information security
related metrics related to change and project management and
service management.
5) Formalized succession plans and successor development programs
were needed for key IT positions.
MANAGEMENT'S RESPONSE
Management concurs and has agreed to consider our suggestions.
IMPACT TO THE UNIVERSITY
The impact of proper strategic IT management is always important
in the Health System environments because of the following
concerns:
• Competitive position and ability to be a leader in the health
  care industry.
• Ability to successfully respond to global, national, and
  local changes in economy, technology, health care industry,
  and associated risks and threats.
• Quality, effectiveness, compliance, and security of mission
  critical services and programs.
AUDIT DEPARTMENT
EXECUTIVE SUMMARY
University Management of IT
January 17, 2014
BACKGROUND
This audit report was a management 'whitepaper' discussing the
state of University information technology (IT) and information
security strategic management for UVA management's information
and consideration. Strategic management is the highest level of
management framework and has significant importance to strong
overall University services and IT governance and management.
Recent resignation of the University Vice President/Chief
Information Officer (VPCIO) has this key management position in
transition and currently filled with an interim while
recruitment alternatives are being explored. Among
considerations are prior management's predominantly
'distributed' philosophies and what strategic IT approaches are
best for the University going forward. For varying reasons,
this audit report has been a year in the making and a number of
the issues are being considered and addressed by current
Information Technology Services (ITS) management.
AUDIT OBJECTIVES
Audit objectives included the review of IT strategic planning,
budgeting and management; policy, standards and procedures;
scope of services provided; strategic change and project
management; and strategic information security management.
OPINION ON AUDIT OBJECTIVES
Opportunities were observed to improve University strategic
governance and management of information technology.
OBSERVATIONS NOTED FOR CONSIDERATION
1) Opportunities were observed to strengthen and formalize IT
steering committees and governance (organizational) structures
related to University strategic IT governance, change and
project management.
2) IT strategic planning, budget, and management improvements
were identified related to strengthening development of
technology platforms and infrastructure, funding, risk
management, business intelligence (BI) and dashboard
reporting, and succession planning.
3) Opportunities existed to strengthen the University information
security strategic management practices including program
design, escalated reporting structure, strategic and annual
planning and budgets, access management, and incident
response management.
MANAGEMENT'S RESPONSE
Management concurs and has agreed to consider our suggestions.
IMPACT TO THE UNIVERSITY
The impact of proper strategic IT management is always important
in the University System environments because of the following
concerns:
• Competitive position and ability to be a leader in the higher
  education industry.
• Ability to successfully respond to global, national, and
  local changes in economy, technology, higher education
  industry, and associated risks and threats.
• Quality, effectiveness, compliance, and security of mission
  critical services and programs.
AUDIT DEPARTMENT
EXECUTIVE SUMMARY
School of Engineering and Applied Science
January 27, 2014
BACKGROUND
Founded in 1836, the School of Engineering and Applied Science
(SEAS) combines research and educational opportunities at the
undergraduate and graduate levels. SEAS is comprised of nine
academic departments: Biomedical, Chemical, Civil &
Environmental, Computer Science, Electrical & Computer, Materials
Science, Mechanical & Aerospace, Systems & Information, and
Engineering and Society. There are 2,589 undergraduate students
and 595 graduate students enrolled on-grounds in SEAS programs.
The SEAS mission statement asserts: “Through the creation and
transfer of knowledge, SEAS educates leaders in the application
and development of engineering and scientific solutions that
benefit the world.”
AUDIT OBJECTIVES
The objectives of the audit were to determine whether: 1)
students who graduated from SEAS satisfied the requirements for
their degrees; 2) SEAS financial activities were compliant with
University policy and procedures; and 3) activities of the
Centers within SEAS were conducted in accordance with University
policies and procedures.
OPINION ON AUDIT OBJECTIVES
Our overall opinion is that: 1) the students were satisfying the
requirements to obtain their degrees; 2) opportunities for
improvement existed in the area of reconciliations to ensure the
accuracy of the University's financial information; and 3) the
Centers were substantially in compliance with the policies and
procedures of the University with one exception noted.
AREAS NOTED FOR IMPROVEMENT
1) All project reconciliations should be completed by the 15th
calendar day of the month for the previous month's activity
in order to be in compliance with University policy.
2) All operational contracts, including any future modification
to an existing contract, should be sent to the delegated
signatory authority for that contract for review and approval.
3) General Ledger cash reconciliations should be completed
according to University policy to ensure the accuracy of the
information within the Integrated System.
MANAGEMENT'S RESPONSE
Management concurs and has agreed to correct the identified
conditions.
FINANCIAL IMPACT
Implementation of these recommendations will strengthen the
integrity of the financial data reported by the University
(Revised 2013 Budget of $96.6 million) and diminish the
potential liability and risk of the University related to
operational contracts.
UNIVERSITY OF VIRGINIA
BOARD OF VISITORS AGENDA ITEM SUMMARY
BOARD MEETING: June 5, 2014
COMMITTEE: Audit and Compliance
AGENDA ITEM: IV. Approval of the Summary of Audit Findings
BACKGROUND: The resolution reflects discussion by the
Committee, in Executive Session, of a summary of recent
audits conducted by the Audit Department.
ACTION REQUIRED: Approval by the Audit and Compliance Committee
and by the Board of Visitors
SUMMARY OF AUDIT FINDINGS FOR THE PERIOD JANUARY 1, 2014
THROUGH APRIL 30, 2014
RESOLVED, the Summary of Audit Findings for the period
January 1, 2014 through April 30, 2014, as presented by the
Chief Audit Executive, is approved as recommended by the
Audit and Compliance Committee.