UNIVERSITY OF VIRGINIA
BOARD OF VISITORS
MEETING OF THE AUDIT, COMPLIANCE, AND RISK COMMITTEE
DECEMBER 9, 2016

AUDIT, COMPLIANCE, AND RISK COMMITTEE (Open Session)
Friday, December 9, 2016, 12:45 - 1:45 p.m.
Board Room, The Rotunda

Committee Members: Frank E. Genovese, Chair; Mark T. Bowles; L. D. Britt, M.D.; Frank M. Conner III; Babur B. Lateef, M.D.; James B. Murray Jr.; William H. Goodwin Jr., Ex-officio; Adelaide Wilcox King, Faculty Consulting Member

AGENDA (page)

I. REMARKS BY THE COMMITTEE CHAIR (Mr. Genovese) ... 1

II. DISCUSSION
   A. Auditor of Public Accounts Audit and Management Report (Ms. Melody Bianchetto, VP Finance, to introduce Mr. Eric Sandridge, Director of Higher Education Programs, Auditor of Public Accounts; Mr. Sandridge to report) ... 2
   B. Audit Department Report (Mr. Genovese to introduce Ms. Carolyn D. Saint; Ms. Saint to report) ... 3
      • Summary of Audit Reports, Departmental Activities, and Plan Status
   C. University Compliance (Mr. Genovese to introduce Mr. Gary S. Nimax; Mr. Nimax to report) ... 8
      • Report on Medical Center Compliance and Privacy Officer Search
   D. Enterprise Risk Management (ERM) Report (Mr. Genovese to introduce Mr. James S. Matteo; Mr. Matteo to report) ... 9

III. CLOSED SESSION
   • Discussion of IT security matters as provided for in § 2.2-3711 (A)(19) of the Code of Virginia.

UNIVERSITY OF VIRGINIA BOARD OF VISITORS
AGENDA ITEM SUMMARY

BOARD MEETING: December 9, 2016
COMMITTEE: Audit, Compliance, and Risk
AGENDA ITEM: I. Remarks by the Committee Chair
ACTION REQUIRED: None

BACKGROUND: Mr. Frank Genovese, the Committee Chair, will open the meeting and provide an overview of the agenda.

UNIVERSITY OF VIRGINIA BOARD OF VISITORS
AGENDA ITEM SUMMARY

BOARD MEETING: December 9, 2016
COMMITTEE: Audit, Compliance, and Risk
AGENDA ITEM: II.A.
Auditor of Public Accounts Audit and Management Report
ACTION REQUIRED: None

BACKGROUND AND DISCUSSION: The Auditor of Public Accounts of the Commonwealth conducts an annual audit of the University and the Medical Center and reports findings to the Board. Ms. Bianchetto will introduce Mr. Eric M. Sandridge, who will report on findings for the fiscal year 2015-2016 audit.

Mr. Sandridge is the Director of Higher Education Programs for the Virginia Auditor of Public Accounts and has served in that position since 2012. His responsibilities include management of the office’s Higher Education Programs Specialty Team and project management oversight for audits of various agencies and institutions of the Commonwealth. Mr. Sandridge has served as audit director for the Virginia Community College System, Old Dominion University, Virginia Commonwealth University, Norfolk State University, University of Virginia, and the Department of Alcoholic Beverage Control annual audits. Mr. Sandridge also coordinates required federal audits at the Commonwealth’s institutions of higher education, which support Virginia’s statewide Single Audit report. He received his B.B.A. in Finance from the College of William and Mary and is a Certified Public Accountant and a Certified Government Financial Manager.

UNIVERSITY OF VIRGINIA BOARD OF VISITORS
AGENDA ITEM SUMMARY

BOARD MEETING: December 9, 2016
COMMITTEE: Audit, Compliance, and Risk
AGENDA ITEM: II.B. Audit Department Report: Summary of Audit Reports, Departmental Activities, and Plan Status
ACTION REQUIRED: None

DISCUSSION: For purposes of supporting the Committee’s oversight of the Audit Department, Ms. Carolyn Devine Saint, Chief Audit Executive, will summarize the Audit Department’s activities for FY 2017 year to date.
Report to BOV ACR Committee: December 2016
Audit Department Plan Status

Assurance and Advisory Projects: Completed FY 2017 To Date (Subject / UVA Division)
• Curry School of Education / Academic
• Darden Fund Transfers / Academic
• Distributed IT Systems Current State Assessment / Academic
• FY2016 Inventories (UVA Bookstore, Pharmacy) / Academic, Health System
• Action Plan Implementation Status—Follow Ups / Academic, Health System
• Epic Phase 2 Implementation—Project Health Check (2nd Report) [1] / Health System
• Integrated Assurance: Athletics Compliance / Academic
• Security Enhancement Plan (SecureUVA) Project Health Check (1st report) / Academic

Assurance and Advisory Projects: In Progress (Subject / UVA Division)
• Epic Phase 2 Implementation—Project Health Check w/ Clinical Readiness and Database Security Areas of Focus [1] / Health System
• IT System Security: Privileged Access / Health System
• Fiscal Stewardship (Data-driven Internal Controls Analytics): Focus on Research Compliance / Academic
• Integrated Assurance – Athletics (NCAA) Compliance Assessment; NCAA Football Attendance Certification / Academic
• Security Enhancement Plan (SecureUVA) Project Health Check continues / Academic
• SCADA [2] Consultation continues / Academic
• Ufirst (HR Transformation)—Project Health Check / Pan-University
• Office of the President: Travel and Expenses / Pan-University
• Ivy Cloud [3] — Project Health Check w/ Security and Governance Focus / Pan-University

Current View of Risk-Prioritized Future Projects (Remainder of FY17) (Subject / UVA Division)
• 340B Drug Discount Program / Health System
• Epic Phase 2 Implementation—Project Health Check Continues through Implementation (6/30/17) / Health System
• IT Change Controls / Health System
• Special Collections Library Procedures and Controls / Academic
• Integrated Assurance: Environmental Health & Safety Compliance / Pan-University
• Strategic Investment Fund Expenditures Monitoring / Pan-University
• UFirst HR Transformation—Project Health Check Continues through Implementation / Pan-University

[1] Epic is UVA Health System’s Electronic Medical Records system. Phase 2 implements Epic’s scheduling and revenue cycle modules, and certain clinical modules.
[2] SCADA = Supervisory Control and Data Access. SCADA is a system for remote monitoring and control that operates with coded signals over communication channels.
[3] UVA Data Science Institute’s cloud computing environment for highly sensitive, secure data for researchers.

Audit Department Dashboards

[Chart: Types of Audit Projects Performed Through November 30, 2016. Categories: Agreed Upon Procedures, Audit, Consultation, Follow Ups, Pilot Audit, Project Health Check. Percentages shown: 33%, 29%, 17%, 13%, 4%, 4%.]

[Chart: Action Plan Completion Status Through November 30, 2016 by Priority Rating (Priority 1, Priority 2, Legacy (Unrated)); bars show Closed and Open action plan counts.]

Details of Open Priority 1 and 2 Action Plans:

Priority 1 Action Plan 1: Financial Outreach and Compliance Department’s reassessment of the Internal Controls Questionnaire and review of significant fiscal processes and associated key controls has been pushed back until the new University Comptroller is hired and onboarded. Due Date Extended Until Onboarding of New Comptroller.

Priority 1 Action Plan 2: The University Registrar’s office is evaluating the completeness and accuracy of all schools’ undergraduate and graduate requirements. Due Date to Complete the Review Extended Until 12/31/2016.

Two Priority 2 Open Action Plans relate to administrative/fiscal matters in the Curry School’s Sheila Johnson Center. A third Priority 2 Open Action Plan relates to a recommendation to ensure the Curry School adopts consistent practices for requiring background checks for students in unpaid positions throughout the school, including those involving students interacting with minors as part of their core function.
Audit Department Value Scorecard: Data as of November 30, 2016
(Measure; Target; Year to Date Metric Achievement Status where reported)

People: Leadership & Relationship Acumen
   Internal Team
   • Team Participation in Introduction to Transactional Competence (ITC) Program (Target: 100% participation)
   • Training hours per audit in non-technical “differentiator” competencies (Target: 20 Hours)
   External Stakeholders
   • Audit Satisfaction Scores (Target: Above Average; Year to Date: Developing Survey Tool)
   • Collaboration on Cross Functional Projects and Committees (Target: 3/year)

People: Industry & Technical Competence
   • CPE Hours Earned on Priority Skills (Target: 20 Hours)
   • Certifications Held by Each Auditor (Target: 1/auditor)
   • Active Participation in Professional Associations (Target: 1/auditor)

Audit Process: Efficient & Effective Audit Process
   • Staff Utilization (Target: 80%; Year to Date: 74%)
   • Individual audit project actual to budget hours variance (Target: 10% or less)
   • Completion of Lean Project on Audit Processes (Target: 1/year)
   • Costs contained/recovered and revenue enhancements identified ($) (Target: Establish baseline in 2016/17; Year to Date: $0 to date)

Plan: Relevance to Risks that Matter Most
   • Audit resources dedicated to higher or emerging risk areas (Target: 75%)
   • Recommendations Made (Target: Establish baseline in 2016/2017)

UNIVERSITY OF VIRGINIA BOARD OF VISITORS
AGENDA ITEM SUMMARY

BOARD MEETING: December 9, 2016
COMMITTEE: Audit, Compliance, and Risk
AGENDA ITEM: II.C. University Compliance: Report on Medical Center Compliance and Privacy Officer Search
ACTION REQUIRED: None

DISCUSSION: Mr. Gary Nimax, Assistant Vice President for Compliance, will report on the search for the Medical Center’s new Compliance and Privacy Officer. A national search is underway to fill the vacant position on a permanent basis. Mr. Nimax will provide a report on the status of the search and a timeline for completion.

UNIVERSITY OF VIRGINIA BOARD OF VISITORS
AGENDA ITEM SUMMARY

BOARD MEETING: December 9, 2016
COMMITTEE: Audit, Compliance, and Risk
AGENDA ITEM: II.D.
Enterprise Risk Management (ERM) Report
ACTION REQUIRED: None

BACKGROUND AND DISCUSSION: Mr. James Matteo, Associate Vice President and Treasurer, will report on actions taken toward accomplishing the three key priorities for the ERM program, as first identified at the Committee’s February 2016 meeting. The effort consists of three near-term priorities designed to: (1) reposition and enrich the program; (2) enhance board reporting; and (3) onboard ERM at the Health System.

The University has taken several significant steps to reposition the program, including the adoption of an Enterprise Risk Management Charter and the establishment of a network of individuals to advance risk management efforts at the Academic Division and Health System. A Risk Management Council was formed to provide guidance in support of the global ERM effort, and Risk Management Networks, composed of representatives from major business units, were established in both the Academic Division and Health System. These networks help identify inherent and emerging risks, serve as a connection between executive-level and department risk management activities, and seek to raise risk awareness among units across the University.

At the Academic Division, we have completed a risk identification effort designed to gather risks and update the University’s existing risk list. From the risks identified, we worked with executive leadership to create a new key risk list for the Academic Division. We will report on the Academic Division’s key risks using an updated risk reporting format. Reporting will be presented in two parts: 1) a key risk dashboard to provide a high-level risk overview; and 2) a key risk update intended to provide a more detailed discussion on a key risk or risks. At this meeting, we will present a key risk update on the SecureUVA program, which is designed to enhance information technology security for the Academic Division.

Additionally, significant progress has been made to onboard the Health System. We have completed the risk identification effort for the Health System and are working with executive leadership to finalize the Health System’s key risk list.