UNIVERSITY OF VIRGINIA
BOARD OF VISITORS

MEETING OF THE AUDIT AND COMPLIANCE COMMITTEE
June 10, 2011

AUDIT AND COMPLIANCE COMMITTEE (Open Session)
Friday, June 10, 2011
8:30 – 8:45 a.m.
Board Room, The Rotunda

Committee Members:
The Honorable Alan A. Diamonstein, Chair
Hunter E. Craig
Randal J. Kirk
W. Heywood Fralin
Vincent J. Mastracco Jr.
Glynn D. Key
John O. Wynne, Ex-officio

AGENDA

I. ACTION ITEMS (Ms. Deily)
   A. Audit Schedule, 2011–2012
   B. Corporate Compliance Project Schedule, 2011-2012, (Ms. Deily will introduce Ms. Lori Strauss, Ms. Strauss to report)
II. INFORMATION ITEM (Ms. Deily)
   Summary of Findings
III. EXECUTIVE SESSION – LIST OF ITEMS
IV. APPROVAL OF SUMMARY OF AUDIT FINDINGS

UNIVERSITY OF VIRGINIA BOARD OF VISITORS AGENDA ITEM SUMMARY

BOARD MEETING: June 10, 2011
COMMITTEE: Audit and Compliance
AGENDA ITEM: I.A. Audit Schedule
BACKGROUND: Ms. Deily will present the proposed Audit Schedule for the 2011-2012 Fiscal Year. The Schedule has been developed based on required work from state and external agencies, risk assessment models, requests from management, and analyses of work performed in prior years.
ACTION REQUIRED: Approval by the Audit and Compliance Committee and by the Board of Visitors

APPROVAL OF THE AUDIT SCHEDULE FOR FISCAL YEAR 2011-2012

RESOLVED, the Audit Schedule for Fiscal Year 2011-2012 is approved as recommended by the Audit and Compliance Committee.

Determination of Hours Available for 2011-2012 Audit Projects

                                                Total
Total Hours Available                          35,360
Less: Vacancies                                 2,080
Sub-Total                                      33,280
Professional Development                        1,044
Holidays                                        1,664
Other Leave                                     4,217
Other Activities                                3,786
    Office and Personnel Administration
    Recruiting
    Committee & Council Meetings
    Travel
Hours Available for Audit Projects             22,569

(Chart: Other Activities 11%, Vacancies 6%, Holidays 4%, Audits 64%, Prof. Dev. 3%, Other Leave 12%)

Allocation of Hours Available for Audit Projects
Fiscal Year 2011-2012

Total Hours Available for Audit Projects Less: Wrap-up of FY 10-11 Audit Schedule Unscheduled Audits/Special Requests/Hotline Projects General Systems Development & Consulting External Assistance 22,569 Board Preparation & Mtgs 350 5,851 1,163 723 200 IT Support of Projects/ Activities 1,000 General Project Support/ Supervision/Strategic Planning 4,214 Hours Available for Scheduled Audit Projects 9,068

2011-2012 Audit Schedule
UNIVERSITY

DEPARTMENT/DIVISION                            BUDGETED HOURS
ADMINISTRATIVE & SUPPORT SERVICES
    Darden School                                         400
    Facilities Management Energy and Utilities            400
    Athletics Business Office                             300
    Athletics Football Attendance                          40
    Development Office                                    400
    Weldon Cooper Center                                  300
    SOM Biomedical Engineering                            300
    SOM Biochemistry                                      300
OTHER ACTIVITIES
    Bookstore Inventory                                   100
    Follow-up Audits                                      250
    Research Compliance                                   400
    Travel                                                300
UNIVERSITY TOTAL                                        3,490

2011-2012 Audit Schedule
HEALTH SYSTEM

DEPARTMENT/DIVISION                            BUDGETED HOURS
PATIENT CARE ACTIVITIES
    Epic - System Access & Records Management             420
    Epic - Ancillary Systems Interface                    300
    Epic - Post Implementation Assessment                 420
SYSTEMS DEVELOPMENT
    Electronic Reconciliation System Consulting/Development  160
OTHER ACTIVITIES
    ARMICS - Medical Center                               125
    Follow-Up Audit - Medical Center                      250
    Inventory – Pharmacy Services                          75
    Inventory – Surgical Supply                            50
HEALTH SYSTEM TOTAL                                     1,800

2011-2012 Audit Schedule
INFORMATION TECHNOLOGY

DEPARTMENT/DIVISION EPIC Internal Interfaces/HS) Network Security (U/HS) UNIX (U/HS) UVA Wise 3-Year Follow Up
BUDGETED HOURS 410 410 525 220 233
INFORMATION TECHNOLOGY TOTAL 1,798

2011-2012 Audit Schedule
COMPLIANCE

DEPARTMENT/DIVISION                            BUDGETED HOURS
    Compliance Projects                                 1,000
    Presidential Travel                                   200
    Executive Turnover                                    480
    ARMICS                                                300
COMPLIANCE TOTAL                                        1,980

UNIVERSITY, HEALTH SYSTEM, INFORMATION TECHNOLOGY AND COMPLIANCE TOTALS    9,068

UNIVERSITY OF VIRGINIA BOARD OF VISITORS AGENDA ITEM

BOARD MEETING: June 10, 2011
COMMITTEE: Audit and Compliance
AGENDA ITEM: I.B. Corporate Compliance Project Schedule
BACKGROUND: Ms. Strauss will present the proposed Corporate Compliance Project Schedule for the 2011-2012 Fiscal Year. The Schedule has been developed based on required work from federal, state and other regulatory agencies, risk assessment models, requests from Medical Center management, and analyses of work performed in prior years.
ACTION REQUIRED: Approval by the Audit and Compliance Committee and by the Board of Visitors

APPROVAL OF THE CORPORATE COMPLIANCE PROJECT SCHEDULE FOR FISCAL YEAR 2011-2012

RESOLVED, the Corporate Compliance Project Schedule for Fiscal Year 2011-2012 is approved as recommended by the Audit and Compliance Committee.

UVA Health System Corporate Compliance and Privacy Office

Determination of Hours Available for 2011-2012 Corporate Compliance and Privacy Projects
Fiscal Year 2011-2012

                                                                  TOTAL
Total Hours Available                                             8,320
Less: Vacancies                                                       0
Sub-Total                                                         8,320
Professional Development                                            320
Leave and Holidays                                                1,173
Other Activities: Office and Personnel Administration               427
Hours Available for Corporate Compliance & Privacy Projects       6,400

Allocation of Hours Available for Corporate Compliance & Privacy Projects
Fiscal Year 2011-2012

Total Hours Available for Corporate Compliance & Privacy Projects         6,400
Consulting                                                                  700
Developing and Conducting Training                                        1,000
Special Projects                                                          1,100
Hours Available for Corporate Compliance & Privacy Scheduled Projects     3,600

Corporate Compliance & Privacy Projects
Fiscal Year 2011-2012

Scheduled Projects                                                HOURS
Outpatient Department Coding, Billing, & Documentation              800
Privacy Monitoring and Auditing                                   1,600
Inpatient Medicare Severity Diagnosis Related Groups              1,200
Total                                                             3,600

UNIVERSITY OF VIRGINIA BOARD OF VISITORS AGENDA ITEM

BOARD MEETING: June 10, 2011
COMMITTEE: Audit and Compliance
AGENDA ITEM: II. Summary of Findings
ACTION REQUIRED: None
BACKGROUND: Ms. Deily will present a summary of findings on the following audit and compliance reports: Medical Center Procurement, GPS Technology Review and School of Medicine Follow-Up. The summary does not require formal action, but it is information of which the Board should be made aware.

AUDIT DEPARTMENT EXECUTIVE SUMMARY
Medical Center Procurement
January 7, 2011

BACKGROUND

Medical Center Procurement, a department of Medical Center Supply Chain Management, conducts procurement activities for goods and services other than construction, architecture, and engineering. Medical Center Procurement serves the needs of a growing clinical enterprise through an on-going systems focus, levering increased automation and yielding staffing efficiencies.
Specific statistics that reflect this system focus include: over 1,000 employees trained and active on eProcurement, 100% compliance with eProcurement being used for every Medical Center requisition, over 18,800 EDI orders transmitted in fiscal year 2010, over 170 company templates are currently active in eProcurement, and 245 separate contracts have been loaded in the item master file for ease of ordering.

AUDIT OBJECTIVES

The objectives of the audit were to ensure controls over eProcurement and the vendor master file were present and working as intended, determine if the procurement process was conducted with fairness and impartiality, and to assist the department in evaluating contract compliance for selected vendors.

OPINION ON AUDIT OBJECTIVES

In our opinion, the controls over eProcurement and the vendor master file were present and working as intended. Moreover, the procurement process was being conducted with fairness and impartiality, and was consistent with established policies. Our audit revealed a smooth-running operation with a continuous improvement mentality. Minor systematic improvements were identified during the audit and have been addressed by management.

FINANCIAL IMPACT

The improvements discussed and implemented during the audit will strengthen Medical Center Procurement’s fiscal operations.

AUDIT DEPARTMENT EXECUTIVE SUMMARY
GPS Technology Review
February 7, 2011

BACKGROUND

The University of Virginia utilizes hundreds of vehicles such as trucks and buses across various departments including the University of Virginia Police Department, Facilities Management, and Parking & Transportation. These vehicles all serve critical roles within the University including emergency services, mass transit, and maintenance and grounds keeping. Emerging technologies in fleet management utilize Global Positioning System (GPS) and other location-aware technologies such as Radio Frequency transmission.
These newer technologies are designed to assist in vehicle positioning information, route planning, and public services. High-technology systems should be secured and risks considered prior to, during, and after deployment.

It should be noted that this audit reviewed, on existing and planned deployments, the security and efficiency of GPS and similar systems. Security over these systems makes up only a part of a multilayer defense. Other controls such as network defenses (i.e. firewalls), applications and database security were not reviewed at this time, but have been reviewed in the past or will be in the future.

AUDIT OBJECTIVES

The Audit Department has completed an audit of GPS Technology for fiscal year 2011. Audit objectives included a review of current and potential future implementation. These reviews focused on all aspects of the system including hardware, software, and security of data storage and transmission. The GPS Technology audit program was designed using the 27002 information security standard from the International Organization for Standardization (ISO) as a basis for test work.

OPINION ON AUDIT OBJECTIVES

Overall, the areas currently in use and slated for future deployment appeared to be configured in a secure and effective manner.

IMPACT TO THE UNIVERSITY

The impact of security is always important in the University environment because of the following concerns:

- Public relations issues
- FERPA/PCI non-compliance
- Monetary loss as a result of server down time and hours spent in repair/recovery

AUDIT DEPARTMENT EXECUTIVE SUMMARY
School of Medicine Follow-up Audit
February 16, 2011

BACKGROUND

The Audit Department has completed a follow-up audit of the implementation of suggested actions noted in School of Medicine (SOM) audit reports and memoranda for which SOM management responded that corrective action had been taken between July 1, 2009 and June 30, 2010.
Based upon the results of a risk analysis, all six of the previously identified issues included in two audit reports and memoranda were selected for additional review. Status updates from SOM management revealed that one issue (16.7%) was appropriately addressed by the SOM, and management requested an extension of the estimated completion date for three issues (50%). Therefore, follow-up testing during this audit was conducted on the remaining two issues (33.3%).

AUDIT OBJECTIVES

The primary objectives of a follow-up audit are to ensure that the suggested actions are addressed on a timely basis and that the corrective action plan satisfactorily resolves the initial business issues communicated to management.

OPINION ON AUDIT OBJECTIVES

Based on the follow-up testing results, the outstanding issues have been satisfactorily addressed. Specifically, the Clinical Trials Office has hired a Billing Coordinator who reviews consent, protocols and contract documents for approved clinical trials for appropriate and consistent financial language. In addition, this individual is preparing coverage analyses on all new protocols, which are subsequently reviewed and approved by the submitting Principal Investigator.

FINANCIAL IMPACT

Suggested actions made by the Audit Department help improve controls over the School of Medicine’s operations.