Board of Trustees Audit & Compliance Committee. Tuesday, February 13, :30 2:30pm Gibbons Alumni Center Traditions Hall A G E N D A

Transcription

1 Board of Trustees Audit & Compliance Committee - Meeting Agenda Board of Trustees Audit & Compliance Committee Tuesday, February 13, :30 2:30pm Gibbons Alumni Center Traditions Hall Trustees: Nancy Watkins, Chair; Oscar Horton, Byron Shinn A G E N D A I. Call to Order and Comments Chair Nancy Watkins II. Public Comments Subject to USF Procedure Chair Watkins III. New Business Action Items a. Approval of November 2, 2017 Meeting Notes Chair Watkins b. Acceptance of Performance Based Funding Data Integrity Audit & Approval of Data Integrity Certification Exec Director Virginia Kalil IV. New Business Information Items a. Operational Audit Report Vice President/CFO Nick Trivunovich b. USF/DSO External Audit Findings University Treasurer Fell Stubbs c. USF System Compliance & Ethics Annual Report Chief Compliance Officer Jeff Muir d. USF System Audit Update Exec Director Virginia Kalil V. Adjournment Chair Watkins 1

2 Board of Trustees Audit & Compliance Committee - New Business - Action Items DRAFT USF Board of Trustees Audit & Compliance Committee NOTES Thursday, November 2, 2017 Tampa Campus - Marshall Student Center Room# 3707 I. Call to Order and Comments The meeting of the Audit & Compliance Committee was called to order by Chair Nancy Watkins at 11:10am. Committee members present: Nancy Watkins, Stephanie Goforth and Byron Shinn. A quorum was established. President Genshaft and Trustees Mike Carrere and James Garey were also present. II. Public Comments Subject to USF Procedure No requests for public comments were received. III. New Business Action Items a. Approval of May 18, 2017 Meeting Notes Upon request and receiving no changes to the draft meeting notes, Chair Watkins requested a motion for approval, it was seconded and the May 18 th meeting notes were unanimously approved as written. IV. New Business Information Items a. University Audit & Compliance Annual Report Virginia Kalil, Executive Director, USF System Audit, presented the USF System Audit Annual Report for The report covers internal audit and investigative activities for FY FY is year 1 of a 2-year work plan which was approved in August FY was a year of changes. Long-time Executive Director Debra Gula retired and Ms. Kalil came on board in February. The annual report has been prepared for the last ten years as a best practice, but was made a requirement by BOG regulation last year. BOG regulation also separated the audit and compliance functions. Compliance activities for FY will be reported separately to this committee at a later date. USF System Audit consists of 10 audit professionals, including the Executive Director, and one administrative position. The organizational chart has not changed since the prior year, except for the removal of the 2 compliance positions. Direct services include audits, consulting projects, investigations, and follow-up on management s corrective actions related to audit recommendations. In , USF System 2

3 Board of Trustees Audit & Compliance Committee - New Business - Action Items DRAFT Audit completed 12 audits, including 3 IT audits; 4 consulting projects; and 15 investigations. 7 audits were in core processes and Academic Affairs and 5 audits were in governance, research, and IT. Ms. Kalil briefly reviewed a few of the audits. The Accounts Payable Vendor Set-up and Maintenance audit was very timely due to the inherent nature of potential fraud risk that takes place in this area (i.e. vendor imposter fraud and unauthorized activity in the vendor file which could lead to inappropriate payments). The Research Laboratory Safety audit addressed biosafety and radiation safety in teaching and research activities. No high risks identified. Part of the audit process includes recommendations. In , recommendations were made in the following areas: assignment of responsibility; authorization (adequacy and timeliness); compliance with federal laws; IT (confidentiality, integrity, and availability of data); reporting: (accuracy, completeness, and timeliness); safeguarding of assets; separation of duties; training and guidance (accuracy, completeness, and timeliness); and workplace safety. 71% of open recommendations were completed a 9% increase over the prior year. This demonstrates a willingness and eagerness on management s part to build a strong internal control environment. V. Adjournment Trustee Goforth asked about Pcards. Ms. Kalil responded that prior risks have been addressed and we are taking very aggressive actions to keep risks down. Jennifer Condon, University Controller, added that 2016/17 will be our third Auditor General operational audit with no Pcard findings. Trustee Shinn stated that management in private industry does not always embrace the internal audit function, but USF does and this is great to see. Trustee Shinn asked how we (the Trustees) stay ahead of things like NCAA investigations (referring to the recently concluded NCAA investigation into men s basketball). President Genshaft explained that things happen and the important thing is how you deal with it. We reported the violations immediately and were very proactive in the investigation. Jeff Muir, Chief Compliance Officer, explained that one of the new changes from the President includes a new accountability structure/report relationship with institutional compliance and Athletics compliance so we have a safety valve for issues and we can be proactive. John Long, Sr. Vice President/COO, noted that March 1, 2018, is the due date to the BOG for the performance-based funding audit report. The report must be approved by the BOT. The regular BOT meeting is scheduled for March 8. Therefore it may be necessary to have a special meeting to approve the report prior to the due date. The Assistant Corporate Secretary confirmed that a conference call is already being scheduled prior to the March 1 due date. Chair Watkins acknowledged the great successes and improvements with the new Audit and Compliance structure and reminded everyone that Audit and Compliance is here to help. Having no further business, Chair Watkins adjourned the Audit & Compliance Committee meeting at 11:28am. 3

4 Board of Trustees Audit & Compliance Committee - New Business - Action Items Agenda Item: IIIb USF Board of Trustees February 13, 2018 Issue: Board of Governors Performance-Based Funding Data Integrity Audit and Certification Proposed action: Acceptance of Performance-Based Funding Data Integrity Audit and Approval of Data Integrity Certification. Executive Summary: Pursuant to Board of Govenors Chair Kuntz s letter to President Genshaft and Board of Trustees Chair Lamb dated June 30, 2017, USF System Audit (Audit) has conducted an internal audit of Performance-Based Funding (PBF) Data Integrity. Our primary audit objectives were to: Determine whether the processes and internal controls established by the university ensure the completeness, accuracy, and timeliness of data submissions to the BOG which support the PBF measures. Provide an objective basis of support for the President and Board of Trustees Chair to sign the representations included in the Performance- Based Funding Data Integrity Certification. The Board of Governors requires the acceptance of the Performance-Based Funding Data Integrity Audit results and the approval of the Data Integrity Certification by the Board of Trustees, with submittal to the Board of Govenors by March 1, The scope and objectives of the audit were set jointly by the University of South Florida Board of Trustees Chair, the Board of Trustees Audit and Compliance Committee Chair, and the university s Chief Audit Executive. Audit followed its standard risk assessment, audit program, and reporting protocols. Conclusion: Audit s overall conclusion was that there was an adequate system of internal controls in place to meet our audit objectives, assuming corrective actions are taken timely to address the two medium-priority risks communicated in the Management Letter. 4

5 Board of Trustees Audit & Compliance Committee - New Business - Action Items In response to the issues identified, management has developed an implementation plan for their corrective actions which is included in the Management Letter. As of the date of this report, corrective actions for both issues have begun. Financial Impact: The USF System received $84.6 million in PBF allocations in , including a return of the institutional investment of $39.2 million. Strategic Goal(s) Item Supports: Goal 4: Sound financial management to establish a strong and sustainable economic base in support of USF s continued academic advancement. BOT Committee Review Date: 02/13/2018 Supporting Documentation Online (please circle): Yes No Audit Report Performance-Based Funding Data Integrity Audit Management Letter Performance-Based Funding Data Integrity Audit Data Integrity Certification Form Presentation Slides USF System or Institution specific: USF System Prepared by: Virginia Kalil, Executive Director/Chief Internal Auditor 5

6 Board of Trustees Audit & Compliance Committee - New Business - Action Items MEMORANDUM TO: FROM: Dr. Ralph Wilcox, Provost & Executive Vice President of Academic Affairs Dr. Terry Chisolm, Vice Provost for Strategic Planning, Performance & Accountability Virginia Kalil, CIA, CISA, CFE, CRISC Executive Director/Chief Internal Auditor DATE: February 1, 2018 SUBJECT: Performance-Based Funding Data Integrity Audit USF System Audit (Audit) performed an audit of the internal controls that ensure the completeness, accuracy, and timeliness of data submissions to the Board of Governors (BOG). These data submissions are relied upon by the board in preparing the measures used in the performance-based funding process. This audit will also provide an objective basis of support for the President and Board of Trustees (BOT) Chair to sign the representations included in the Performance-Based Funding Data Integrity Certification to be filed with the BOG by March 1, This project is part of the approved Work Plan. Measures One through Nine were based on data submitted through the State University Database System (SUDS) utilizing a state-wide data submission process for BOG files. Measure Ten was based on data submitted to the National Science Foundation/National Institutes of Health through their annual survey of Graduate Students and Postdoctorates in Science and Engineering (GSS). This data is published annually by The National Center for Science and Engineering Statistics. For additional information on data files included in this audit, see Appendix A. Audit s overall conclusion was that there was an adequate system of internal controls in place to meet our audit objectives, assuming corrective actions are taken timely to address the two mediumpriority risks communicated separately in our management letter. No impact to the performance measures was identified. USF SYSTEM AUDIT 3702 Spectrum Blvd. Suite 180 Tampa, FL (813) FAX (813)

7 Board of Trustees Audit & Compliance Committee - New Business - Action Items AUDIT OVERALL CONCLUSION Adequate System of Internal Control Findings indicate that, as a whole, controls are adequate. Identified risks, if any, were low-priority requiring timely management attention within 90 days. Medium-priority risks are present requiring urgent management attention within 60 days. Adequate System of Internal Control with reservations Inadequate System of Internal Control High-priority risks are present requiring immediate management attention within 30 days. We received outstanding cooperation throughout this audit. Please contact us at if you have any questions. cc: President Judy Genshaft, USF System Chair Brian D. Lamb, USF Board of Trustees John Long, Senior Vice President, Business and Finance and Chief Operating Officer Dr. Charles Lockwood, Senior Vice President, USF Health Dr. Paul Sanberg, Senior Vice President, Research, Innovation & Knowledge Enterprise Dr. Martin Tadlock, Interim Regional Chancellor, USF St. Petersburg Dr. Karen Holbrook, Regional Chancellor, USF Sarasota-Manatee Dr. Paul Dosal, Vice President for Student Affairs and Student Success Nick Trivunovich, Vice President, Business and Finance and Chief Financial Officer Sidney Fernandes, Vice President, Information Technology and Chief Information Officer Dr. Paul Atchley, Dean, Undergraduate Studies 2 of 8 7

8 Board of Trustees Audit & Compliance Committee - New Business - Action Items AUDIT BACKGROUND In 2014, the Board of Governors (BOG) implemented the Performance-Based Funding (PBF) Model which includes 10 metrics intended to evaluate Florida institutions on a range of issues (e.g., graduation and retention rates, average student costs). Eight of the metrics are common to all institutions, while the remaining two vary by institution and focus on areas of improvement or the specific mission of the university. The metric calculation for Measures One through Nine are based on data submitted through the State University Database System (SUDS) utilizing a state-wide data submission process for BOG files. Measure Ten is based on data submitted to the National Science Foundation/National Institutes of Health through their annual survey of Graduate Students and Postdoctorates in Science and Engineering (GSS). In order to ensure the integrity of the data being submitted to the BOG to support the calculation of the metrics, USF has established specific file generation, review, certification, and submission processes. File Generation Process USF utilizes an automated process, Application Manager, to extract data files from the original systems of record and reformat and redefine data to meet the BOG data definition standards. The only data file that can be impacted outside the Application Manager process is the Hours to Degree submission. (See Hours to Degree Verification Process below.) This Application Manager process includes the following key controls: The Application Manager jobs can only be launched by authorized Data Stewards; however, individuals responsible for the collection and validation of the data have no ability to modify the Application Manager jobs. The Retention File generated by the BOG is downloaded from the BOG SUDS portal to HubMart by Resource Management & Analysis (RMA). The Data Stewards and Subcertifiers cannot change the files. Corrections are made to the original systems of record and the Application Manager job is re-run until the file is free of material errors. Any changes to the data derivations, data elements, or table layouts in the Application Manager jobs are tightly controlled by RMA and Information Technology (IT) utilizing a formal change management process. There are IT controls designed to ensure that changes to the Application Manager jobs are approved via the standard USF change management process and that access to BOG submission-related data at rest or in transit is appropriately controlled. Hours to Degree File Generation Process The Hours to Degree file submission has two primary tables: 1) Hours to Degree (HTD) that contains information regarding the students and the degrees issued and 2) Courses to Degree (CTD) that includes information regarding the courses taken and utilization of the courses to degree. The 3 of 8 8

9 Board of Trustees Audit & Compliance Committee - New Business - Action Items AUDIT HTD file is derived based on data in HubMart (Degrees_Submitted_Vw) and data from the Student Records System (OASIS, a Banner product). The CTD file is generated from a combination of OASIS data and data obtained from the degree certification and advising system (DegreeWorks). While an Application Manager process is used to create the HTD file, the process utilizes a series of complex scripts to select the population, normalize the data fields to meet BOG data definition standards, and populate course attributes used by the BOG to identify excess hours exemptions. This includes deriving whether courses are used to degree or not used to degree from DegreeWorks. The systematically-identified HTD population and CTD file are loaded into two custom Banner reporting tables for validation. Any necessary corrections are made manually by the Data Steward utilizing custom Banner forms. BOG File Review and Certification Process USF utilizes a formal review process for all BOG file submissions which is managed by RMA. The review and certification process includes the following key controls: Data Stewards, Sub-certifiers and Executive Reviewers who had operational and/or administrative responsibility for the institutional data are assigned key roles and responsibilities. The RMA website defines each of these roles. A central repository (DocMart) contains detailed information regarding data elements for each BOG SUDS file. A secured file storage location (HubMart) provides read-only access and functionality to the data collected and extracted into the Data Warehouse from transactional source systems in order to allow Data Stewards and Sub-certifiers to review and validate data. A formal sub-certification and executive review process is in place to ensure that institutional data submitted to the BOG accurately reflects the data contained in the primary systems of record. No BOG file is submitted to the BOG by the Data Administrator until the Executive Reviewer(s) approves the file. A formal process for requesting and approving resubmissions includes a second executive review process. BOG File Submission Process Once all data integrity steps are performed and the file is ready for upload to the SUDS portal, a secure transmission process is used by RMA to ensure data cannot be changed prior to submission. Key controls within this process include: A dedicated transfer server is used to transmit the BOG SUDS files. Only RMA and IT server administrators have access to the transfer server. Only RMA staff can upload a file from the transfer server to SUDS, edit submissions, generate available reports, or generate reports with re-editing. Only the Data Administrator and Back-up administrator can submit the final BOG file. 4 of 8 9

10 Board of Trustees Audit & Compliance Committee - New Business - Action Items AUDIT Measure Ten - Number of Postdoctoral Appointees Measure Ten is based on data submitted to the National Science Foundation/National Institutes of Health through their annual survey of Graduate Students and Postdoctorates in Science and Engineering (GSS). This data is published annually by The National Center for Science and Engineering Statistics. Aggregated data is collected via a web survey for each SEH (Science, Engineering, and selected health fields) unit within an institution. The individual responders from each SEH unit are responsible for the completeness and accuracy of the data they submitted in the survey. The SEH units submit rosters of reported postdocs to the primary Data Steward for verification. The primary Data Steward in the Office of Postdoctoral Affairs verifies the accuracy and completeness of the SEH-prepared rosters. Prior to final submission of the GSS survey, the data goes through a Sub-certifier review process. The Data Steward will provide a master roster of reported postdocs, along with a report of the aggregated data contained in the GSS system. The Sub-certifier will verify that the roster data conforms to the criteria for postdoctoral appointees listed in the Guidelines for Reporting Postdocs and Non-Faculty Researchers. Measure Ten utilizes the same Executive Review process as the other nine measures. SCOPE AND OBJECTIVES Our audit focused on the internal controls established by the USF System as of September 30, 2017 to ensure the completeness, accuracy, and timeliness of data submissions to the BOG, which support the PBF measures. The primary objectives of our audit were to: Determine whether the processes and internal controls established by the university ensure the completeness, accuracy, and timeliness of data submissions to the BOG which support the PBF measures. Provide an objective basis of support for the President and BOT Chair to sign the representations included in the Performance-Based Funding Data Integrity Certification, which will be submitted to the BOT and filed with the BOG by March 1, The scope and objectives of the audit were set jointly by the BOT Chair, the BOT Audit & Compliance Committee Chair, and the university s Chief Audit Executive. USF System Audit (Audit) followed its standard risk assessment, audit program, and reporting protocols. PROCEDURES PERFORMED We followed a disciplined, systematic approach using the International Standards for the Professional Practice of Internal Auditing. The information system components of the audit were performed in accordance with the ISACA (Information Systems Audit and Control Association) Standards and Guidelines. The COSO (Committee of Sponsoring Organizations of the Treadway Commission) and COBIT 5 of 8 10

11 Board of Trustees Audit & Compliance Committee - New Business - Action Items AUDIT (Control Objectives for Information and Related Technologies) Control Frameworks were used to assess control structure effectiveness. Testing of the control processes was performed on the most recent data file submissions as of September 30, 2017, for term-based submissions. For files submitted annually, the current year file was selected for testing if available by November 15, Our testing focused on the tables and data elements in the files which were utilized by the BOG to compute the performance measure. For additional information on the files included in this review see Appendix A. Minimum audit guidelines were established by the BOG in year one which outlined eight key objectives. These key audit objectives have been incorporated into our audit each subsequent year: 1. Verify the Data Administrator has been appointed by the university president and PBF responsibilities incorporated into their job duties. 2. Validate that processes and internal controls in place designed to ensure completeness, accuracy, and timeliness of data submissions. 3. Determine whether policies, procedures, and desk manuals are adequate to ensure integrity of submissions. 4. Evaluate the adequacy of system access controls. 5. Verify data accuracy through sample testing of key files and data elements. 6. Assess the consistency of Data Administrator s certification of data submissions. 7. Confirm the consistency of data submissions with the BOG data definitions (files and data elements). 8. Evaluate the necessity and authorization of data resubmissions. In year one, a comprehensive review (Audit ) of processes and controls was conducted followed by a risk assessment. In each subsequent year, system process documentation was updated to reflect any material changes that took place; a new risk assessment was performed based on the updated system documentation and processes; and a new work plan was developed based on the updated risk assessment. Fraud-related risks including the availability and appetite to manipulate data to produce more favorable results was included as part of the risk assessment. This year s audit included: 1. Identifying and evaluating any changes to key processes used by the data administrator and data owners/custodians to ensure the completeness, accuracy, and timely submission of data to the BOG. This included verification of the new controls put into place to resolve deficiencies identified in the prior year. 2. Reviewing 2017 BOG SUDS workshop proceedings to identify any changes to data definitions used for the BOG PBF metrics. 3. Reviewing all User Service Requests (USRs) to modify data elements and/or file submission processes to ensure they followed the standard change management process and are consistent with BOG expectations. 4. Reviewing the Data Administrator s data resubmissions to the BOG from January 1, 2017 to December 31, 2017 to ensure these resubmissions were both necessary and authorized, as well as evaluating that controls were in place to minimize the need for data resubmissions and were functioning as designed. 6 of 8 11

12 Board of Trustees Audit & Compliance Committee - New Business - Action Items AUDIT Updating the prior year Risk Assessment and Fraud Risk Assessment to reflect changes identified. 6. Verifying reasonableness of the retention cohort change file. 7. Verifying accuracy, completeness, and consistency with BOG expectations of the data submitted to the BOG for Measure Nine - Percent of Bachelor s Degrees without Excess Hours, via the Hours to Degree file. This included verifying script changes did not impact the integrity, accuracy, and completeness of the Hours to Degree submission. 8. Reviewing logical access and server management to verify security of data and data transmissions. 9. Reviewing the data requirements of Measure Three - Cost to Student to assess the impact the measure had on the BOG submissions. PRIOR AUDIT PROJECTS In FY an audit of the controls established by the university to ensure the completeness, accuracy, and timeliness of data submissions to the BOG which supported the PBF metrics (Audit , issued February 26, 2017) was performed. The two medium-priority risk recommendations were reported as implemented by management as of February 26, Audit reviewed the new controls in place to ensure they were effectively mitigating the risks identified. Further enhancement is advised related to one of the recommendations. See recommendation #1 of our Management Letter. 7 of 8 12

13 Board of Trustees Audit & Compliance Committee - New Business - Action Items AUDIT APPENDIX A PERFORMANCE MEASURES DATA SOURCES Measure Description BOG File Data Used/Created by the BOG One Percent of bachelor s graduates employed full-time in or continuing their education in the U.S. one year after graduation SIFD National Student Clearing house, Florida Education and Training Placement Information Program Two Median wages of bachelor s graduates SIFD Unemployment Insurance wage data employed full-time one year after graduation Three Cost to Student SIF, SFA Four Six year FTIC graduation rate SIFP, SIF, SIFD, Retention Cohort Change File BOG created Cohort and Retention File Five Academic progress rate SIF BOG created Cohort Six Bachelor s degrees awarded within programs SIFD of strategic emphasis Seven University access rate SFA, SIF Eight Graduate degrees awarded within programs SIFD of strategic emphasis Nine Percent of bachelor s degrees without excess hours HTD Ten Number of postdoctoral appointments in science and engineering None 1 1Data is submitted by USF directly to the NSF/NIH via the NSF GSS Survey. BOG FILES REVIEWED NSF/NIH Survey of Graduate Students and Postdoctorates in Science and Engineering Submission System of Record Table Submission Reviewed Hours to Degree OASIS, Hours to Degree (HTD) Degree Works Courses to Degree Student Financial OASIS Financial Aid Aid (SFA) Awards Student OASIS Degrees Awarded Spring 2017 Instructional File - Degree (SIFD) Student Instructional File (SIF) OASIS, GEMS Person Demographics Enrollments Spring 2017 Student Instructional File - Preliminary (SIFP) Retention File (RET) OASIS, GEMS BOG Person Demographics Enrollments Retention Cohort Change Fall of 8 13

14 Board of Trustees Audit & Compliance Committee - New Business - Action Items MEMORANDUM TO: FROM: Dr. Ralph Wilcox, Provost & Executive Vice President of Academic Affairs Dr. Terry Chisolm, Vice Provost for Strategic Planning, Performance & Accountability Virginia Kalil, CIA, CISA, CFE, CRISC Executive Director/Chief Internal Auditor DATE: February 1, 2018 SUBJECT: Management Letter Performance-Based Funding Data Integrity Audit USF System Audit (Audit) performed an audit of the university s processes and internal controls that ensure the completeness, accuracy, and timeliness of data submissions to the Board of Governors (BOG). These data submissions are relied upon by the board in preparing the measures used in the performance-based funding process. An audit report was issued on February 1, 2018, which defined the scope and results of our audit. Based on the review, Audit concluded that there was an adequate system of internal controls in place to meet the audit objectives, assuming timely corrective actions are taken for the two medium-priority risks included in this Management Letter. As audit reports are focused only on high-priority risks, these medium-priority risks were not addressed in our audit report. Urgent management attention is required within 60 days. The two mediumpriority risks identified for management attention are related to Measure Nine - Percent of Bachelor s Degrees without Excess Hours. The risks identified had no impact on performance metrics. Within ten business days, please provide your actions planned and expected implementation dates within the Team Central Follow-Up System for those recommendations not marked as resolved. Please contact us at if you have any questions. USF SYSTEM AUDIT 3702 Spectrum Blvd. Suite 180 Tampa, FL (813) FAX (813)

15 Board of Trustees Audit & Compliance Committee - New Business - Action Items AUDIT cc: President Judy Genshaft, USF System Chair Brian D. Lamb, USF Board of Trustees John Long, Senior Vice President, Business and Finance and Chief Operating Officer Dr. Charles Lockwood, Senior Vice President, USF Health Dr. Paul Sanberg, Senior Vice President, Research, Innovation & Knowledge Enterprise Dr. Martin Tadlock, Interim Regional Chancellor, USF St. Petersburg Dr. Karen Holbrook, Regional Chancellor, USF Sarasota-Manatee Dr. Paul Dosal, Vice President for Student Affairs and Student Success Nick Trivunovich, Vice President, Business and Finance and Chief Financial Officer Sidney Fernandes, Vice President and Chief Information Officer, Information Technology Dr. Paul Atchley, Dean, Undergraduate Studies 2 of 6 15

16 Board of Trustees Audit & Compliance Committee - New Business - Action Items AUDIT MEDIUM PRIORITY RISKS 1. Monitoring and oversight of manual changes to the Hours to Degree and Courses to Degree files need to be enhanced. STATUS In Progress Manual changes to critical data must be captured and monitored to ensure these changes are reasonable, appropriate, and consistent with the Board of Governors (BOG) definitions. These changes should be independently reviewed and the review should be documented. During testing, Audit noted the Data Steward and three direct reports were able to make manual changes to the Hours to Degree (HTD) and Courses to Degree (CTD) populations. During our review period, only the Data Custodian made manual changes to the files. HTD Population Manual Adjustments An Application Manager job was used to identify the HTD population. The systematically-identified population was loaded into a custom Banner table for validation (SWBHGRP). The table only reflects the latest record for the student. Audit reviewed the controls over changes to the HTD population and noted: The Data Steward authorized corrections to the initial population (recorded in SWBHGRP) via this Banner form (SWAHGRP). There was no independent review or approval of the manual changes. These manual changes were made to less than 1% of the population. When a student was deleted from the population by the Data Steward, the student was flagged as removed (activity indicator = R ) in the SWBHGRP table. The Activity indicator was then used by the Application Manager job to exclude the student from the HTD population. However, when a student was added, there was no flag in the SWBHGRP table to identify the manual addition. When a student s record was manually changed via SWAHGRP, there was no tracking of the change in the SWBHGRP table or via an audit log. Only the last individual or process who made a change to the student record was recorded as the Activity User in SWBHGRP. Despite these observations, Audit was able to reconcile the HTD population in SWAHGRP (utilizing the Hub Mart Degree Submitted file and Banner data) to the HTD population submitted to the BOG without exception. CTD Manual Adjustments An Application Manager job was also used to generate the CTD file, which includes all student coursework for the HTD population. The CTD file data elements were loaded into a second custom Banner table (SWRHCTD) for validation. The table only reflects the latest record for the student. 3 of 6 16

17 Board of Trustees Audit & Compliance Committee - New Business - Action Items AUDIT MEDIUM PRIORITY RISKS Audit reviewed the controls over manual changes to the file and noted: STATUS The Data Steward authorized corrections to the Course to Degree files (recorded in SWRHCTD) via the Banner forms SWAHCTD (HTD Coursework) and SWAHPBF (HTD Exemptions). There was no independent review or approval of the manual changes. These manual changes were made to less than 1% of the population. The Data Steward relies heavily upon exception/edit reports which are generated during the file generation process. These edit reports were in MS EXCEL format. While the edit reports were retained, there was no indication of the action taken to resolve the issue identified. Therefore, there was no documentation retained to support the change. When a data element was manually changed, there was no tracking of data elements changed on the SWRHCTD table. The logon identification of the individual who made the manual changes was entered as the Activity User. Since the SWRHCTD table was not effective-dated, multiple changes could have been made to the same student record and only the last user updating the record would have been captured. Audit reviewed a total 1,171 student course records which were flagged with the Data Stewards logon identification as being manually changed (latest change only). In addition, we reviewed all coursework added by the Application Manager process for students manually added to the HTD population. The purpose of this review was to assess the reasonableness of the data changed and the impact, if any, on the excess hour s computation. Our review indicated the manual changes made had no impact on the calculated metric: percentage of students without excess hours. In addition, Audit reviewed the process for logging changes to the SWBHGRP or SWRHCTD and identified the following: Traditional audit logging was not utilized on the SWBHGRP or SWRHCTD table due to the impact on system performance. While Oracle-level transaction logging occurred, these logs did not provide an efficient mechanism to allow an independent review and approval of the changes. Audit was unable to utilize the Oracle-level logs to identify all changes. Recommendation: The Office of Student Affairs and Student Success should ensure there is proper oversight over manual changes to HTD and CTD files. At a minimum: 1) Ensure all manual changes to the HTD and CTD tables (SWBHGRP, SWRHCTD) are tracked at the table level or through the use of audit logs. This tracking should record the change made and the individual responsible for the change. 4 of 6 17

18 Board of Trustees Audit & Compliance Committee - New Business - Action Items AUDIT MEDIUM PRIORITY RISKS 2) Establish procedures which ensure all manual changes are supported and that an independent review and approval of changes occur. 3) Cross train at least one other employee to serve as a Data Steward to ensure that the HTD and CTD files can be completed timely in the event the primary individual is not available. STATUS Management Attention Required: Immediate Urgent Timely Resources/Effort Required: Significant Moderate Minimal Management s Response: The Office of Student Affairs and Student Success concurs with the recommendations and is working with Information Technology, as appropriate, to ensure appropriate actions are taken. Estimated implementation dates: 1) 7/31/18, 2) 4/1/18, and 3) 4/1/18. Validation of correction actions will occur when the file creation process begins in Fall Controls over the Transfer Articulation needs to be enhanced. In Progress The Transfer Articulation form (SHATEAQ) is used by the Office of Admissions and the various decentralized advising areas to associate a specific student s transfer courses with a USF equivalent course or degree requirement. Course attributes are also used to exclude a course from being used towards a degree requirement. When student course information is transferred from Banner to DegreeWorks, the course attributes are transferred along with other course information and used by DegreeWorks in the degree certification process. USF utilizes the SHATEAQ course attribute XTRN to flag transfer courses which should not be used towards a degree in DegreeWorks, even though the course would meet the degree requirements. This is done to optimize use of coursework which meets multiple degree requirements and to optimize use of USF coursework. Courses with the XTRN attribute are reflected in the CTD file as not used toward degree, unless an advisor manually applied the course to a specific degree requirement. DegreeWorks is a real-time system and any changes to course attributes after the degree has been certified impacts the integrity of the CTD file. As a result, the XTRN element should only be used by trained advisors and certifiers. Of the 434,625 course records in the CTD file, only 19,150 courses (4.4%) had the XTRN course attribute applied. Audit reviewed the controls over the Transfer Articulation Form and noted: There were 313 Banner users who could enter or change course attributes using the SHATEAQ form; only 80 were also authorized to maintain advising records in DegreeWorks. The 313 employees with maintenance access included: 16 terminated employees, 41 student workers, 7 graduate assistants, and 11 temporary 5 of 6 18

19 Board of Trustees Audit & Compliance Committee - New Business - Action Items AUDIT MEDIUM PRIORITY RISKS employees. Additionally, the primary Data Steward responsible for the accuracy and completeness of the CTD table had maintenance access. As the students coursework is updated, only the user who last updated the students transfer courses was recorded within the Banner system s audit tables. STATUS Recommendation: The Office of Student Affairs and Student Success should ensure there is proper oversight over the use of the XTRN course attribute. 1) Review all 313 employees with access to the Transfer Articulation form to ensure access is appropriate and based on a business need. 2) Ensure the utilization of the XTRN course attribute is properly monitored and tracked. This tracking should record the change made, when the change was made, and the individual responsible for the change. Management Attention Required: Immediate Urgent Timely Resources/Effort Required: Significant Moderate Minimal Management s Response: The Office of Student Affairs and Student Success concurs with the recommendations and is working with Information Technology, as appropriate, to ensure appropriate actions are taken. Estimated implementation date for both actions is 4/1/18. Validation of the corrective actions will occur in Spring of 6 19

20 Board of Trustees Audit & Compliance Committee - New Business - Action Items Performance Based Funding March 2018 Data Integrity Certification Name of University: University of South Florida INSTRUCTIONS: Please respond Yes or No for each representation below. Explain any No responses to ensure clarity of the representation you are making to the Board of Governors. Modify representations to reflect any noted audit findings. Performance Based Funding Data Integrity Certification Representations Representations Yes No Comment / Reference 1. I am responsible for establishing and maintaining, and have established and maintained, effective internal controls and monitoring over my university s collection and reporting of data submitted to the Board of Governors Office which will be used by the Board of Governors in Performance Based Funding decision-making. 2. These internal controls and monitoring activities include, but are not limited to, reliable processes, controls, and procedures designed to ensure that data required in reports filed with my Board of Trustees and the Board of Governors are recorded, processed, summarized, and reported in a manner which ensures its accuracy and completeness. 3. In accordance with Board of Governors Regulation 1.001(3)(f), my Board of Trustees has required that I maintain an effective information system to provide accurate, timely, and cost-effective information about the university, and shall require that all data and reporting requirements of the Board of Governors are met. 4. In accordance with Board of Governors Regulation 3.007, my university shall provide accurate data to the Board of Governors Office. 5. In accordance with Board of Governors Regulation 3.007, I have appointed a Data Administrator to certify and manage the submission of data to the Board of Governors Office. Performance Based Funding Data Integrity Certification Form Page 1 20

21 Board of Trustees Audit & Compliance Committee - New Business - Action Items Performance Based Funding Data Integrity Certification Performance Based Funding Data Integrity Certification Representations Representations Yes No Comment / Reference 6. In accordance with Board of Governors Regulation 3.007, I have tasked my Data Administrator to ensure the data file (prior to submission) is consistent with the criteria established by the Board of Governors Data Committee. The due diligence includes performing tests on the file using applications/processes provided by the Board Office. 7. When critical errors have been identified, through the processes identified in item #6, a written explanation of the critical errors was included with the file submission. 8. In accordance with Board of Governors Regulation 3.007, my Data Administrator has submitted data files to the Board of Governors Office in accordance with the specified schedule. 9. In accordance with Board of Governors Regulation 3.007, my Data Administrator electronically certifies data submissions in the State University Data System by acknowledging the following statement, Ready to submit: Pressing Submit for Approval represents electronic certification of this data per Board of Governors Regulation I am responsible for taking timely and appropriate preventive / corrective actions for deficiencies noted through reviews, audits, and investigations. 11. I recognize that the Board s Performance Based Funding initiative will drive university policy on a wide range of university operations from admissions through graduation. I certify that university policy changes and decisions impacting this initiative have been made to bring the university s operations and practices in line with State University System Strategic Plan goals and have not been made for the purposes of artificially inflating performance metrics. Performance Based Funding Data Integrity Certification Form Page 2 21

22 Board of Trustees Audit & Compliance Committee - New Business - Action Items Performance Based Funding Data Integrity Certification Performance Based Funding Data Integrity Certification Representations Representations Yes No Comment / Reference I certify that all information provided as part of the Board of Governors Performance Based Funding Data Integrity Certification is true and correct to the best of my knowledge; and I understand that any unsubstantiated, false, misleading, or withheld information relating to these statements render this certification void. My signature below acknowledges that I have read and understand these statements. I certify that this information will be reported to the board of trustees and the Board of Governors. Certification: Date President I certify that this Board of Governors Performance Based Funding Data Integrity Certification has been approved by the university board of trustees and is true and correct to the best of my knowledge. Certification: Date Board of Trustees Chair Performance Based Funding Data Integrity Certification Form Page 3 22

23 Board of Trustees Audit & Compliance Committee - New Business - Action Items Performance Based Funding Data Integrity Audit USF System Audit Audit and Compliance Committee February 13,

24 Board of Trustees Audit & Compliance Committee - New Business - Action Items Scope & Objectives Determine whether the processes and internal controls established by the university ensure the completeness, accuracy, and timeliness of data submissions to the BOG which support the PBF measures Provide an objective basis of support for the President and BOT Chair to sign the representations included in the Data Integrity Certification 2 24

25 Board of Trustees Audit & Compliance Committee - New Business - Action Items Scope & Objectives Identify and evaluate any material changes to the controls and processes in place during the prior audit period, including Prior year recommendations BOG data definition changes Data element and/or file submission changes Update PBF risk assessment, including fraud risks, to identify areas for detailed testing 3 25

26 Board of Trustees Audit & Compliance Committee - New Business - Action Items Procedures Performed Verified any data resubmissions to the BOG were necessary and authorized Verified security of data and data transmissions Performed detailed testing related to files submitted to the BOG for Measures

27 Board of Trustees Audit & Compliance Committee - New Business - Action Items Conclusion No high risks identified Adequate system of internal controls in place Two recommendations for improvement included in the Management Letter Recommendations for improvement did not have an impact on the performance measures 5 27

28 Board of Trustees Audit & Compliance Committee - New Business - Action Items Recommendations Monitoring and oversight of manual changes to the Hours to Degree and Courses to Degree files need to be enhanced Controls over Transfer Articulation need to be enhanced 6 28

29 Board of Trustees Audit & Compliance Committee - New Business - Action Items Closing Remarks Audit and Compliance Committee February 13,

30 USF Board of Trustees Audit and Compliance Committee February 13, 2018 Agenda Item: IVa Issue: Operational Audit Report Proposed action: Informational Executive Summary: The 2016 USF Operational Audit has been completed with the University receiving the Preliminary and Tentative audit recommendations on January 5, The audit period was calendar year 2016 (previously audit periods had been a fiscal year). There were 28 primary operational audit areas reviewed and the University received 6 recommendations to improve operations. Financial Impact: N/A Strategic Goal(s) Item Supports: Goal 4: Sound Financial Management Committee Review Date: February 13, 2018 Supporting Documentation Online (please circle): Yes No USF System or Institution specific: USF System Prepared by: Nick Trivunovich, Vice President/CFO (813)

31 Calendar Year 2016 Operational Audit Board of Trustees Audit & Compliance Committee Meeting February 13,

32 Calendar Year 2016 Operational Audit STATE OF FLORIDA OPERATIONAL AUDIT PROGRAM State Statute requires an operational audit at least every 3 years USF s regular schedule is every 2 years Normal audit covers fiscal year Current audit covered calendar year (resulting in shorter interim) Calendar Year 2016 Audit Timeline: Original fieldwork, January 2017 through May 2017 First exit conference, May 31, 2017 Two additional audit topics added Final field work, October 2017 Second exit conference, November 28, 2017 Preliminary and tentative recommendations received January 5, 2018 USF Response returned to Auditor General February 2,

33 Calendar Year 2016 Operational Audit HISTORICAL OPERATING AUDIT RECOMMENDATIONS Recommendations FY 2009 FY 2011 FY 2013 FY 2015 CY

34 Calendar Year 2016 Operational Audit STATE OF FLORIDA OPERATIONAL AUDIT AREAS 28 Primary Operational Audit Areas Examples of Major Areas of Review include: Information Technology Access & Control Direct Support Organizations Compensation P-Card and Travel Major Construction Projects Compliance with Statute 4 34

35 Calendar Year 2016 Operational Audit STATUS OF RECOMMENDATIONS Recommendation Responsible Area Correction Status Date Textbook Affordability Library Fully Corrected January 1, 2018 Severance Payments Human Resources Fully Corrected December 1, 2016 Student Receivables Controller s Office In Progress September 30, 2018 Direct Support Organizations Treasurer s Office In Progress May 31, 2018 IT User Application Privileges ERP System IT User Application Privileges - SSN IT Security In Progress March 15, 2018 IT & Student Affairs In Progress May 1,

36 UNIVERSITY OF SOUTH FLORIDA Calendar Year 2016 Operational Audit Findings Status Report to the BOT Audit & Compliance Committee February 13, 2018 NEW FINDINGS USF Entity and Audit Report Audit Finding Auditor Recommendations Management s Response to Auditor Current Status of Finding Target Completion Date UNIVERSITY OF SOUTH FLORIDA CY 2016 Operational Audit, Preliminary & Tentative Audit Finding No. 1 Finding Textbook Affordability The University should continue efforts to ensure that a hyperlink to lists of required and recommended textbooks and instructional materials for at least 95 percent of all courses and course sections offered at the University during the upcoming term is prominently posted in the course registration system and on its Web site, as early as feasible, but at least 45 days before the first day of class for each term. We also recommend that the University maintain records to support the courses and course sections reported to the SUS Chancellor and document confirmation of course instructor or academic department intent to use all items ordered. Management has implemented procedures to ensure compliance with State law. Prior to the Spring 2017 term, the University s bookstore reported compliance using projected sales activities compared against the previous term. Internal reviews of the process determined that this approach may have over-reported textbook adoptions. As a result of this review and beginning with the Spring 2017 term, USF Libraries personnel launched a protocol that compared actual adoption records against live data from the OASIS system to determine rates of compliance. At critical junctures during the lead up to the 45-day posting deadline, communications from the Office of the Provost to Department Chairs throughout the USF System prompted faculty who had not yet complied to do so by the deadline. In these communications, Department Chairs were strongly encouraged to ensure compliance and were presented with data files documenting their department s performance to date. CLOSED PER MANAGEMENT N/A - Closed To ensure intent to use all textbook and instructional materials posted for courses, the Office of the Provost requires Department Chairs to complete and sign a form stating that all materials ordered by department faculty will be used in instruction. Department Chairs are responsible for reviewing the faculty s compliance with this requirement. The completed forms are maintained on the textbook affordability Canvas site. Responsible Party: Todd Chavez, Dean of Libraries 1 36

37 UNIVERSITY OF SOUTH FLORIDA Calendar Year 2016 Operational Audit Findings Status Report to the BOT Audit & Compliance Committee February 13, 2018 NEW FINDINGS USF Entity and Audit Report Audit Finding Auditor Recommendations Management s Response to Auditor Current Status of Finding Target Completion Date UNIVERSITY OF SOUTH FLORIDA CY 2016 Operational Audit, Preliminary & Tentative Audit Finding No. 2 Finding THREE- PEAT FINDING Severance Payments The University should ensure that the severance pay provisions in University employment agreements are consistent with State law and that severance payments do not exceed the amounts established in State law. The University ceased contracting for post-employment payments via liquidated damages in the intercollegiate athletics context. Damages for loss of employment were liquidated in intercollegiate athletic contracts because the market reality for individuals in intercollegiate athletics is that the impact of a termination even without cause tends to create reputational loss and reduces future hiring prospects and earning potential. Therefore, until December 1, 2016, USF s athletics contracts included a pre-negotiated liquidated damages calculation intended to address damages that are difficult to quantify in amount or duration. USF s position is that liquidated damages are not covered by (4)(d). However, as of December 1, 2016, USF eliminated liquidated damages provisions in excess of the time periods provided in (4)2 (i.e. 6 week or 20 weeks). For example, the University contracts extended to USF s new head coaches for Football, Men s Basketball and Soccer, along with the assistants for each program, do not contain postemployment payment provision in excess of twenty weeks. Contracts entered into prior to December 1, 2016 that come up for renewal will have their severance provisions re-negotiated. For example, the 2018 contract extension completed for the University s head Women s Soccer Coach was renegotiated to conform to the twenty week period. CLOSED PER MANAGEMENT N/A - Closed Responsible Party: Gerard D. Solis, General Counsel 2 37

38 UNIVERSITY OF SOUTH FLORIDA Calendar Year 2016 Operational Audit Findings Status Report to the BOT Audit & Compliance Committee February 13, 2018 NEW FINDINGS USF Entity and Audit Report Audit Finding Auditor Recommendations Management s Response to Auditor Current Status of Finding Target Completion Date UNIVERSITY OF SOUTH FLORIDA CY 2016 Operational Audit, Preliminary & Tentative Audit Finding No. 3 Finding Student Receivables The University should improve efforts for collecting student accounts receivable by timely submitting delinquent student accounts to collection agencies, restricting the use of hold bypasses, and canceling class registrations for future semesters when previous tuition and fees remain unpaid. The University will improve efforts for collecting student accounts receivable by timely submitting delinquent student accounts to collection agencies, restricting the use of hold bypasses, and canceling class registrations for future semesters when previous tuition and fees remain unpaid. Responsible Party: Jennifer Condon, Associate Vice President and Controller PARTIALLY CORRECTED September 30,

39 UNIVERSITY OF SOUTH FLORIDA Calendar Year 2016 Operational Audit Findings Status Report to the BOT Audit & Compliance Committee February 13, 2018 NEW FINDINGS USF Entity and Audit Report Audit Finding Auditor Recommendations Management s Response to Auditor Current Status of Finding Target Completion Date UNIVERSITY OF SOUTH FLORIDA CY 2016 Operational Audit, Preliminary & Tentative Audit Finding No. 4 Finding Direct Support Organizations We recommend that: The Trustees prescribe by rule any conditions with which a DSO must comply in order to use University property, facilities, and personal services and the University monitor and document DSO compliance with such conditions. The University document the Trustees consideration and approval of DSO anticipated use of University resources, at least on an annual basis, before the use occurs. To enhance government transparency, the Trustees approval documentation should identify the positions of the employees who will provide the personal services that will be provided to the DSOs and the value of such services. The University document University employee actual time and effort provided to the DSO to support the purpose for and the value of those services and the distribution of applicable personal service costs among specific University and DSO activities for employees who work on more than one activity. The University has a formal, well-documented and longestablished process whereby the DSOs annually present their fiscal year financial plans to the Trustees for consideration and approval in advance of the anticipated provision of personal services or use of University property and facilities. The Trustees review and approval of the financial plans for the next fiscal year also includes a review of the DSO s anticipated value associated with the use of University personal services or property and facilities and actual value associated with the use of University personal services or property and facilities for the prior two fiscal years. The Trustees review and approval of the DSO financial plans is documented in the minutes of the meeting. The University process includes a mid-year report to the Trustees on the DSO use and value of University personal services or property and facilities comparing actual and forecasted usage to the anticipated use in the financial plan. DSO financial plans include disclosures of strategic initiatives to enhance the mission, vision and values of the University. Additionally, any change to the DSO bylaws and mission must be approved by the Trustees. Formal agreements approved by the University are in place with the DSOs that prescribe the conditions with which the DSOs must comply in order to use University property and facilities, which agreements require related financial reports, budgets and audit reports. PARTIALLY CORRECTED May 31, 2018 Annually, the DSO chief executive officer, chair of the board of directors and chief financial officer formally certify and submit to the Trustees compliance with federal and state laws and regulations and compliance with all applicable University 4 39

40 UNIVERSITY OF SOUTH FLORIDA Calendar Year 2016 Operational Audit Findings Status Report to the BOT Audit & Compliance Committee February 13, 2018 NEW FINDINGS USF Entity and Audit Report Audit Finding Auditor Recommendations Management s Response to Auditor Current Status of Finding Target Completion Date policies, rules and regulations. The DSOs also certify that a system of internal controls is in place and effective to ensure compliance, and must disclose any instances of noncompliance. Time and effort of University employees assigned to DSOs is reviewed and certified on a biweekly basis through established payroll processes. Responsible Party: Fell Stubbs, University Treasurer UNIVERSITY OF SOUTH FLORIDA CY 2016 Operational Audit, Preliminary & Tentative Audit Finding No. 5 Finding REPEAT FINDING Information Technology User Access Privileges ERP System The University should continue efforts to appropriately separate incompatible duties associated with the HR application, perform documented periodic reviews of IT user access privileges to the ERP system based on a demonstrated need for such access, and remove any inappropriate or unnecessary access privileges detected. The University will continue to improve our efforts to ensure that employees only have access to parts of the HR application necessary for performing their job duties by enhancing our entitlement reviews (in progress), appropriately documenting these reviews, and taking prompt action based on the needed access privileges. Responsible Party: Alex Campoe, Assistant Vice President, Information Technology PARTIALLY CORRECTED March 15,

41 UNIVERSITY OF SOUTH FLORIDA Calendar Year 2016 Operational Audit Findings Status Report to the BOT Audit & Compliance Committee February 13, 2018 NEW FINDINGS USF Entity and Audit Report Audit Finding Auditor Recommendations Management s Response to Auditor Current Status of Finding Target Completion Date UNIVERSITY OF SOUTH FLORIDA CY 2016 Operational Audit, Preliminary & Tentative Audit Finding No. 6 Finding Information Technology User Access Privileges Social Security Numbers To ensure access to sensitive student information is properly safeguarded, the University should: Document the public purpose served by indefinitely maintaining the SSNs for individuals who did not enroll in the University or establish a reasonable time period for maintaining prospective student SSNs. Upgrade the University IT system to include a mechanism to differentiate IT user access privileges to current student information from access privileges to former and prospective student information. Continue efforts to ensure that only those employees who have a demonstrated need to access sensitive student information have such access. The University will conduct annual entitlement reviews of employees with access to SSNs to confirm a business need for the access. As part of the review, we will determine if employees needing access require the access for both current and former students. The University will also develop and implement a policy that will address the appropriate length of time to retain SSNs for prospective students who do not enroll in the semester in which they were admitted. Responsible Party: Billie Jo Hamilton, Associate Vice President, Enrollment Planning & Management PARTIALLY CORRECTED May 1,

42 State of Florida Operational Audit Areas Information Technology Control Security, Systems development & maintenance, Systems settings, Disaster recovery Information Technology Access Employees with add/update, Administrator, Former employee Activity monitoring (procedures & logging) Student social security number access Board of Trustee Policy Approval & Compliance with Sunshine Notification through Orientation of Sexual Predator/Offender Registry Internal Audit Compliance Anti-Fraud Policy and Compliance Direct Support Organizations Payment compliance to Florida Statute BOT approval for personal and facilities services Student Receivables Deferral compliance Adequacy of collection efforts Record and registration restriction compliance Tuition Differential Compliance Florida Residency Compliance Distance Learning Fees Auxiliary Contracting (revenue compliance monitoring) Textbook Affordability Compensation Rate of pay accuracy, validity of employment contracts, completion of performance evaluation, and accuracy of leave tracking Terminal leave payments 42

43 Severance payments State funded compensation Background Screenings General Expenses President, Administrative positions University purpose, properly authorized and approved, compliance with vendor selection, applicable laws, regulations, contract terms, and University policies Procurement Card Compliance Travel Statute Compliance (General employee test + Executive travel) Major Construction Projects Compliance with contract terms and conditions, University policies and procedures, and provisions of applicable state laws and rules One design build project audited separately for additional compliance 43

44 Agenda Item: IVb USF Board of Trustees Audit & Compliance Committee February 13, 2018 Issue: University and DSO External Audit Findings Report Proposed action: Informational Executive Summary: The External Audit Findings Report describes audit findings and auditor recommendations, and management s responses and correction status. The University and DSOs will receive 16 audits from independent external auditors for the fiscal year ended June 30, Since June 30, 2017, 15 audits have been received: No Findings in the 6 University June 30, 2017 Audited Financial Statements 6 Findings in the University s Preliminary and Tentative Findings of the Calendar Year 2016 Operational Audit (Note: these are disclosed in a separate report) No Findings in the 7 DSO June 30, 2017 Audited Financial Statements 5 Findings in the USF Health and Education International Foundation s (Related Party of HPCC DSO) June 30, 2017 Audited Financial Statements One audit report has not yet been issued: State of Florida Federal Circular A-133 for fiscal year Financial Impact: N/A Strategic Goal(s) Item Supports: Goal 4: Sound Financial Management Workgroup Review Date: February 13, 2018 Supporting Documentation Online (please circle): Yes No USF System or Institution specific: USF System Prepared by: Fell L. Stubbs, University Treasurer, (813)

45 UNIVERSITY OF SOUTH FLORIDA and RELATED ENTITIES External Audit Findings Status Report to the BOT Audit & Compliance Committee February 13, 2018 NEW FINDINGS USF Entity and Audit Report Audit Finding Auditor Recommendations Management s Response to Auditor Current Status of Finding Target Completion Date USF HEALTH & EDUCATION INTERNATIONAL FOUNDATION FY 2017 Financial Statement Audit, Finding No. 1 Finding Cash on Hand Reconciliation The entity should ensure cash on hand is reconciled between cash held for program expenses and cash held for operating expenses which corresponds to the projects. Management agrees that regular reconciliation and segregation of cash on hand between project expenses and operating expenses further strengthens the final reconciliation of each Project and ensures cash for project expenses is not used for operating expenses. Responsible Party: Roberta Burford, President of HEIF PARTIALLY CORRECTED June 30, 2018 USF HEALTH & EDUCATION INTERNATIONAL FOUNDATION FY 2017 Financial Statement Audit, Finding No. 2 Finding Income Recognition It is important for the entity to only record the income from the quotas earned by the administration of projects. Revenues are reported in total for project and operating expenses. The entity utilizes a cost allocation method to charge contracted management fees to programs as expense and corresponding revenue to the entity s operating account. These fees are eliminated for financial statement reporting to avoid duplicate reporting of revenue and expense. Reporting the administrative fee revenue separate from project expense revenue is also an acceptable presentation. PARTIALLY CORRECTED June 30, 2018 Responsible Party: Roberta Burford, President of HEIF USF HEALTH & EDUCATION INTERNATIONAL FOUNDATION FY 2017 Financial Statement Audit, Finding No. 3 Finding Presentation of Operating Expenses Operating expenses of the entity should not be presented in the amounts that come from project expenditures. Rather, all operating expenses should be shown as part of the entity s operations. Staffing and other operating expenses are allocated between project expenses, administration and program development. Reporting all operating expenses as operating expenses and eliminating the allocation of operating expenses by effort is also an acceptable presentation. Responsible Party: Roberta Burford, President of HEIF PARTIALLY CORRECTED June 30,

46 UNIVERSITY OF SOUTH FLORIDA and RELATED ENTITIES External Audit Findings Status Report to the BOT Audit & Compliance Committee February 13, 2018 NEW FINDINGS USF Entity and Audit Report Audit Finding Auditor Recommendations Management s Response to Auditor Current Status of Finding Target Completion Date USF HEALTH & EDUCATION INTERNATIONAL FOUNDATION Finding Project Contracts The entity should review the contracts and place the percentage attributable to the entity for the management of projects to avoid any type of lawsuit or litigation by donors. Management agrees. Based on previous contracts with SENACYT the percent attributable to management of the project has been a part of contract budget but was not detailed in the Education Cooperation Agreement. CLOSED PER MANAGEMENT N/A - Closed FY 2017 Financial Statement Audit, Finding No. 4 Responsible Party: Roberta Burford, President of HEIF USF HEALTH & EDUCATION INTERNATIONAL FOUNDATION Finding Income Policy The entity should establish a defined policy in relation to income records. Although the entity s income is properly and consistently accounted for, these methods will also be memorialized in policy. PARTIALLY CORRECTED June 30, 2018 FY 2017 Financial Statement Audit, Finding No. 5 Responsible Party: Roberta Burford, President of HEIF 2 46

47 USF Entity University of South Florida System USF Operational Audit (Issued every 2 years) USF Sarasota-Manatee USF St. Petersburg State of Florida Federal Circular A-133 UNIVERSITY OF SOUTH FLORIDA and RELATED ENTITIES External Audit Findings Status Report to the BOT Audit & Compliance Committee February 13, 2018 SUMMARY OF ENTITIES REVIEWED FOR AUDIT FINDINGS Audit Due Date (Month and Day) Determined by Auditor General Determined by Auditor General Determined by Auditor General Determined by Auditor General Determined by Auditor General Current Audit Findings Previous Audit Findings Audit Firm No Findings No Findings State of Florida Auditor General 6 Findings 2 REPEAT (Disclosed in separate report) 5 Findings 2 REPEAT State of Florida Auditor General No Report in 2017 No Report in 2016 State of Florida Auditor General No Report in 2017 No Report in 2016 State of Florida Auditor General Report Not Yet Issued No Findings State of Florida Auditor General USF Health Sciences Center Self-Insurance Program (SIP) December 15 No Findings No Findings Crowe Horwath LLP USF Health Sciences Center Insurance Co., Inc. (CIC) December 15 No Findings No Findings Crowe Horwath LLP USF Intercollegiate Athletics Program January 15 No Findings No Findings James Moore & Co., P.L. WUSF FM, A Public Telecommunications Entity Operated by USF January 15 No Findings No Findings James Moore & Co., P.L. WUSF TV, A Public Telecommunications Entity Operated by USF January 15 No Findings No Findings James Moore & Co., P.L. DSO - USF Foundation, Inc. October 15 No Findings No Findings Cherry Bekaert LLP DSO - USF Alumni Association, Inc. October 15 No Findings No Findings Cherry Bekaert LLP DSO - USF Financing Corporation and USF Property Corporation October 15 No Findings No Findings KPMG LLP DSO - University Medical Service Association, Inc. (UMSA) and USF Medical Services Support Corporation (MSSC) October 15 No Findings No Findings Grant Thornton LLP DSO - USF Health Professions Conferencing Corporation (HPCC) October 15 No Findings No Findings Mayer Hoffman McCann P.C. DSO - USF Research Foundation, Inc. October 15 No Findings No Findings Cherry Bekaert LLP DSO - USF Sun Dome, Inc. October 15 No Findings No Findings James Moore & Co., P.L. USF Health and Education International Foundation (HEIF) Related Party of HPCC (DSO) October 15 5 Findings No Findings Grant Thornton LLP 3 47

48 Annual Compliance Certifications of Direct Support Organizations Executive Summary: Each Direct Support Organization ( DSO ) and related entity under the control and direction of the Board of Trustees of the University of South Florida ( USF ) is expected to implement an internal control, reporting and governance structure consistent with best practices of USF, the DSO or related entity, as well as those detailed within National Association of College and University Business Officer s Advisory Report on the Sarbanes-Oxley Act of To document this structure, DSOs and entities under the control and direction of the USF Board of Trustees must certify annually that such a structure is in place. This certification must be completed by (1) the Chair of the Board or like position, (2) the Chief Executive Officer or President, and (3) the Chief Financial Officer or individual with overall responsibility for financial operations. All nine DSOs provided their Annual Compliance Certification Statements for the fiscal year ended June 30, There were no instances of non-compliance with the 19 requirements from five categories of compliance cited in the Annual Compliance Certification Statement. 48

49 UNIVERSITY OF SOUTH FLORIDA BOARD OF TRUSTEES Annual Compliance Certifications of Direct Support Organizations For the fiscal year ending June 30, 2017 NEW FINDINGS Direct Support Organization Compliance Requirement Finding Management s Response Current Status of Finding Target Completion Date No certified non-compliance with the following compliance categories: (a) Compliance with Laws, Regulations, Policies and Professional Standards (b) System of Internal Controls (c) External Audit (d) Internal Audit (e) Governance 1 49

50 Agenda Item: IVc USF Board of Trustees Audit & Compliance Committee February 13, 2018 Issue: USF System Compliance & Ethics Program 2017 Annual Report Proposed action: Informational Executive Summary: The USF System Compliance & Ethics Program 2017 Annual Report summarizes the activities of the program from July 1, 2016 to December 31, This extended reporting period is due to the program s transition from a fiscal to calendar year for annual reporting to the Board of Trustees and Board of Governors. This report is organized under the essential elements of an effective compliance program as prescribed by Federal Sentencing Guidelines and fulfills annual reporting requirements contained in BOG Regulation and the USF System Compliance & Ethics Program Plan. Financial Impact: N/A Strategic Goal(s) Item Supports: N/A BOT Committee Review Date: 2/13/2018 Supporting Documentation Online (please circle): Yes No USF System or Institution specific: USF System Prepared by: Jeff Muir, Chief Compliance Officer 50

51 2017 ANNUAL REPORT USF System Compliance & Ethics Program BOT Audit & Compliance Committee February 13,

52 USF SYSTEM COMPLIANCE & ETHICS Board of Trustees Audit & Compliance Committee USF System President Senior Vice President & Chief Operating Officer Administrative Specialist Jolanda Thompson BSBA Management Northwood University Chief Compliance Officer Jeffrey Muir JD, Stetson Univ. College of Law MPA Public Administration, USF BA Political Science, USF Associate Compliance Officer Caroline Fultz-Carver Certified Compliance & Ethics Professional PhD Medical Sciences, USF MHA Health Policy & Management, USF MS Medical Sciences, USF BS Biology, USF Senior Associate Director & SWA Intercollegiate Athletics Director Research Integrity & Compliance Associate Director of Compliance Division of Human Resources Director, Professional Integrity Program, USF Health Assistant Vice President Information Security Director Equal Opportunity & Compliance Director Environmental Health & Safety 2 52

53 HIGHLIGHTS Implementation of BOG Regulation First SUS University to complete Created: BOT Audit & Compliance Committee Charter USF System Compliance & Ethics Program Charter USF System Compliance & Ethics Program Plan Compliance Officers Workgroup 3 53

54 PROGRAM STATUS 4 54

55 HIGHLIGHTS Summer Program Background Screening Project Export Control/OFAC Compliance Project Compliance & Ethics Training for 958 new employees system wide Higher Education Opportunity Act Oversight Florida Code of Ethics (edisclose) System-wide ERM Assessment EthicsPoint ERM Process ID d as Best Practice by the BOG 5 55

56 ETHICSPOINT (July 1, 2016 December 31, 2017) Number of EthicsPoint reports received and percentage substantiated consistent with prior reporting period. Substantiated Unsubstantiated Referred/ Transferred Open Total HR DIEO USFH Financial Research EH&S 1 1 Athletics 1 1 Total

57 2017 ANNUAL REPORT USF SYSTEM COMPLIANCE & ETHICS PROGRAM 57

58 TABLE OF CONTENTS USF System Compliance & Ethics Program ORGANIZATIONAL CHART... 3 ELEMENT 1: GOVERNANCE & HIGH-LEVEL OVERSIGHT... 4 A. Board of Trustees Audit and Compliance Committee... 4 B. USF System Compliance & Ethics Program... 5 C. (High Risk) Compliance Officers Workgroup... 7 ELEMENT 2: ESTABLISH STANDARDS OF CONDUCT, POLICIES, & PROCEDURES 10 A. Internal Control Policy B. Protection of Minors Policy C. Florida Code of Ethics Policy D. Higher Education Opportunity Act ELEMENTS 3 & 4: CREATE A FAIR AND ETHICAL CULTURE & OPEN LINES OF COMMUNICATION EthicsPoint ELEMENT 5: EDUCATION AND TRAINING A. Compliance & Ethics Training for New Employees B. Compliance & Ethics Training for Current Employees ELEMENT 6: DETECTION, REMEDIATION, AND ENFORCEMENT A. Protection of Minors on Campus/Summer Programs B. Export Controls/Office of Foreign Assets Control (OFAC) Compliance ELEMENT 7: RISK ASSESSMENT, AUDIT, AND MONITORING A. USF System Enterprise-Wide Risk Assessments B. Audit & Monitoring Risks ELEMENT 8: ASSESSMENT OF EFFECTIVENESS USF System CEP 2017 Annual Report 2 58

59 USF System Compliance and Ethics Program Organizational Chart Board of Trustees Audit & Compliance Committee USF System President Senior Vice President & Chief Operating Officer Administrative Specialist Jolanda Thompson BSBA Management Northwood University Chief Compliance Officer Jeffrey Muir JD, Stetson Univ. College of Law MPA Public Administration, USF BA Political Science, USF Associate Compliance Officer Caroline Fultz-Carver Certified Compliance & Ethics Professional PhD Medical Sciences, USF MHA Health Policy & Management, USF MS Medical Sciences, USF BS Biology, USF Senior Associate Director & SWA Intercollegiate Athletics Director Research Integrity & Compliance Associate Director of Compliance Division of Human Resources Director, Professional Integrity Program, USF Health Assistant Vice President Information Security Director Equal Opportunity & Compliance Director Environmental Health & Safety USF System CEP 2017 Annual Report 3 59

60 2017 ANNUAL REPORT USF System Compliance & Ethics Program The USF Compliance & Ethics Program was created in 2007 as a component of University Audit & Compliance (UAC), with the appointment of a Chief Compliance Officer (CCO) charged by President Genshaft and the USF Board of Trustees (BOT); to create and maintain an effective compliance and ethics program based on best-practices; to prevent, monitor, detect, and respond to non-compliance; and recommend corrective actions to fully meet regulatory requirements. In 2017, UAC separated into two entities: USF System Audit and the USF System Compliance & Ethics Program (the Program ). This separation was in accordance with Board of Governors (BOG) Regulation 4.003, a regulation based on Chapter 8, Part B, Section 2(b) of the Federal Sentencing Guidelines, the Florida Code of Ethics for Public Officers and Employees, and industry best practices. While our reporting relationship and responsibilities have changed under this new regulation, our mission of creating, supporting, and promoting a system-wide culture of compliance, ethics, and accountability remains the same. The Program continues to provide assurance to the BOT that the compliance and ethics activities of the USF System are reasonably designed, implemented, enforced, and effective in preventing and detecting violations of law, regulations, and policies, as well as violations of ethical principles of conduct. This annual report summarizes the activities of our Program from July 1, 2016, to December 31, 2017, unless otherwise indicated. This extended reporting period is due to our transition from fiscal to calendar year for annual reporting to the BOT. This report is organized by the essential elements for an effective compliance and ethics program as prescribed by the Federal Sentencing Guidelines and fulfills our annual reporting requirements in accordance with BOG Regulation and the USF System Compliance & Ethics Program Plan. Element 1: Governance & High-Level Oversight The USF System addresses this element through the BOT Audit and Compliance Committee, the USF System Compliance & Ethics Program, and the (High-Risk) Compliance Officers Workgroup. A. Board of Trustees Audit and Compliance Committee BOG Regulation required creation of a BOT committee solely focused on audit and compliance oversight. The BOT Finance and Audit Workgroup was separated into two committees: the BOT Finance Committee and the BOT Audit and Compliance Committee. The financial oversight responsibilities of the BOT Finance and Audit Workgroup were retained by the BOT Finance Committee; whereas its audit and compliance oversight responsibilities were transferred to the newly-created BOT Audit and Compliance Committee (the Committee ). USF System CEP 2017 Annual Report 4 60

61 To facilitate this modification in BOT committee structure, USF System Audit and the USF System Compliance & Ethics Program jointly drafted a BOT Audit & Compliance Committee Charter ( Committee Charter ). The Committee Charter was approved by the Committee at their May 2017 meeting and moved to the BOT (the Board ) with a recommendation for approval. The Board approved the Committee Charter at their June 2017 meeting and a copy was submitted to the BOG pursuant to BOG Regulation requirements. B. USF System Compliance & Ethics Program Implementation of BOG Regulation and 4.002, required separation of UAC into two units: USF System Audit and the USF System Compliance & Ethics Program, each reporting directly to the BOT Audit & Compliance Committee and administratively to the USF System President. Prior to this reporting period, our Program reported to the BOT and President through the Executive Director of UAC. To implement this reorganization, USF System Audit and our Program jointly updated existing policies or drafted new USF System policies; and our Program drafted a program charter and plan as described below: Updated USF System Policy 0-025: USF System Audit, to include new BOG Regulation requirements. This policy addresses the authority of USF System Audit for the direction of a broad, comprehensive program of internal audit for the University of South Florida System. These policy updates were implemented in July Drafted new USF System Policy 0-026: USF System Compliance & Ethics Program to address the authority of the Program for the coordination and management of all USF System compliance and ethics activities under BOG Regulation This newly drafted policy was successfully promulgated and implemented in August Drafted new USF System Compliance & Ethics Program Charter ( Program Charter ) to identify the purpose, authority, and responsibilities of the USF System Compliance & Ethics Program in accordance with BOG Regulation The Program Charter was reviewed by the Committee at their February 2017 meeting and moved to the Board with a recommendation for approval. The Board approved the Program Charter at their March 2017 meeting and a copy was submitted to the BOG pursuant to BOG Regulation USF System CEP 2017 Annual Report 5 61

62 Drafted new USF System Compliance & Ethics Program Plan ( Program Plan ) to summarize the current status of the USF System Compliance & Ethics Program in accordance with BOG Regulation The Program Plan was reviewed by the Committee at their May 2017 meeting and moved to the Board with a recommendation for approval. The Board approved the Program Plan at their June 2017 meeting and a copy was submitted to the BOG pursuant to BOG Regulation During this reporting period, the BOG, through their Inspector General and Director of Compliance, periodically checked with all State University System (SUS) institutions regarding their progress towards implementing BOG Regulation Each SUS institution completed a BOG-provided SUS Compliance Program Status Checklist indicating the status of their implementation the BOG regulation. The completed checklist was submitted to the BOG Inspector General and Director of Compliance and was summarized for presentation to the BOG. Our Program completed and submitted a baseline checklist in January 2017 and an updated checklist to the BOG in September 2017, as requested. Below is a summary of our institution s implementation of BOG Regulation relative to all other SUS institutions, as summarized by the BOG Office of the Inspector General. COMPLIANCE AND ETHICS PROGRAM STATUS 18 Regulatory Elements At least half: FAMU, FAU, FGCU, FL POLY, NCF, UF Less than half: FSU, UWF Implemented: FIU, UCF, UNF, USF USF System CEP 2017 Annual Report 6 62

63 C. (High Risk) Compliance Officers Workgroup The Compliance Officers Workgroup assists the CCO in maintaining an effective and broad-based program designed to prevent, monitor, and detect areas of non-compliance and, when necessary, to fully meet compliance requirements and recommend corrective actions. This workgroup is comprised of senior compliance officers in the following high-risk compliance units within the USF System, all of whom have an accountable reporting relationship to the CCO: Athletics Compliance Environmental Health & Safety Research Integrity & Compliance Diversity and Equal Opportunity (including Title IX and ADA compliance) Human Resources Compliance Professional Integrity Program, USF Health Information Security Brief descriptions of several of the above-listed high-risk compliance units and highlights from this reporting period are provided below. Athletics Compliance The USF Athletics Compliance Office (Athletics Compliance) ensures compliance with National Collegiate Athletic Association (NCAA) and American Athletic Conference rules and associated USF System regulations and policies through its education, monitoring, and enforcement efforts. During the academic year, Athletics Compliance provided 209 in-person educational sessions. These sessions provided athletics compliance education to 745 athletic employees, studentathletes, on-campus constituents, and external constituents (e.g., local establishments, friends of the program, etc.). Environmental Health & Safety USF Environmental Health & Safety (EH&S), a department within the Division of Facilities Management, ensures potential environmental hazards are properly remediated in accordance with applicable federal, state, and local requirements; USF System policies, procedures, guidelines; and industry best practices. EH&S serves as the liaison between the USF System and external agencies and provides environmental health and safety awareness and compliance training. EH&S administers multiple programs to achieve this end. Some highlights from FY include: USF System CEP 2017 Annual Report 7 63

64 Provided safety and compliance training to 9,080 faculty, staff, students, and affiliates via its 27 different classroom-based and online training courses. Conducted 198 emergency evacuation drills as well as 4 Fire Safety Education and Training sessions for approximately 350 individuals. Performed 1522 laboratory safety inspections in research and teaching laboratories, studios, and shops. Performed 33 laboratory chemical cleanouts involving the removal of approximately 5,503 individual items of unwanted, expired, and/or unused chemicals. Performed 60 inspections of construction/development contractors Stormwater Pollution Prevention Plans and completed 5 stormwater compliance audits of grounds and vehicle maintenance areas. Facilitated the following external inspections: 22 inspections by the Florida Department of Health. 9 inspections by the Environmental Protection Commission. 270 fire and safety code inspections by the Office of the State Fire Marshall. Performed 100 Indoor Environmental Quality (IEQ) assessments at USF Tampa and USF St Petersburg and 20 asbestos sampling assessments. Provided permitting and code/safety related inspection support for approximately $175 million of USF System construction-related costs. Research Integrity and Compliance Research Integrity and Compliance, a division within USF Research & Innovation, ensures research performed within the USF System is safe, ethical, and complies with all applicable regulations, laws, and institutional policies. Some highlights from FY include: Provided export control training to 461 faculty, administration, and staff employees. Co-hosted the Association of University Export Control Officer s 5th Annual Meeting in May 2017 with 5 other SUS institutions. Implemented new processes with USF World to streamline and ensure export control and immigration compliance for international students from comprehensively sanctioned countries, from initial application to travel (while enrolled as USF students) to separation from our institution. Reviewed or provided services to ensure compliance with export control laws for over 754 items (e.g., research contracts, biosafety protocols, H1-B visas, J- 1 visas, NASA attestation reviews, special projects, research proposals, and foreign travel). Provided live and online human subject research-related training to more than 8,000 people through its education program. Audited 29 human subject research sites of which 2 (7%) were audited for cause. USF System CEP 2017 Annual Report 8 64

65 Developed and implemented a human subject research self-audit process. Began ClinicalTrials.gov monitoring activities. Participated in community and on-campus outreach events for human subject research, reaching more than 2,000 people. Reviewed 190 project-specific disclosures for financial conflicts of interest in research with 136 (72%) requiring a management plan. Performed 150 IACUC (Institutional Animal Care and Use Committee) laboratory inspections and responded to 8 reports of alleged noncompliance. Provided 13 boating safety classes resulting in 31 trained individuals. Offered first aid, CPR/AED, oxygen provider, and nitrox classes for a total of 28 classes taken by 182 scientific diving researchers. Performed 56 inspections laboratories using biohazardous agents. Provided biosafety trainings to 1,348 individuals. Responded to 7 biosafety incident reports. Coordinated a site visit from the National Institutes of Health. Developed and implemented an online submission system for Institutional Biosafety Committee protocols (BiosafetyNet). Diversity Inclusion & Equal Opportunity The Office of Diversity, Inclusion & Equal Opportunity (DIEO) ensures the USF System workplace and academic environments are free from discrimination, harassment, and retaliation based on protected categories of race, color, sex (including sexual harassment), national origin, sexual orientation, religion, age, disability, marital status, gender identity and expression, and veteran s status, as provided by law. Some highlights from this reporting period include: Equal Opportunity (EO) Section received 169 reports of which 53 were investigated. Of those investigated, 5 (9%) were substantiated based on the preponderance of evidence standard. EO provided 34 harassment prevention and sexual harassment prevention trainings to USF System students and employees resulting in 1,473 people trained. The Office of Title IX (Title IX) received 313 reports of which 268 were determined to fall under the provisions of Title IX. Of these, 12 (4%) were substantiated based on the preponderance of evidence standard. Title IX provided 71 live training sessions resulting in 4,269 USF System employees trained. USF System CEP 2017 Annual Report 9 65

66 Element 2: Establish Standards of Conduct, Policies, & Procedures Throughout this reporting period, the USF System Compliance & Ethics Program reviewed new USF System policies and revisions to existing USF System policies issued by the Office of the General Counsel for comment. The Program provided the Office of the General Counsel, whenever possible, with draft language aimed at harmonizing language with existing policies; reducing or eliminating redundant policy statements with existing policies; and clarifying language to facilitate understanding. Below are highlights from this reporting period: A. Internal Control Policy The USF System Compliance & Ethics Program assisted USF System Audit with drafting, promulgating, and implementing a new USF System Internal Control Policy This policy communicates internal control objectives as set forth by the BOT and establishes standards in the design and implementation of the system of internal controls for the USF System. This policy was successfully promulgated and implemented in August B. Protection of Minors Policy In response to recommendations from USF System Audit, the CCO created a USF System-wide working group to devise a plan for ensuring compliance with background screenings for employees of summer camps/programs either utilizing USF property or conducted by USF units. This effort resulted in the creation and implementation of USF System Policy 0-029: Background Screenings for Summer Programs Involving Children in May The working group also drafted and implemented procedures for USF Summer Programs and Third-Party Summer Programs to follow to ensure their personnel obtained the appropriate background screenings in conjunction with the requirement set forth in USF System Policy C. Florida Code of Ethics Policy During this reporting period, the USF System Compliance & Ethics Program updated USF System Policy 0-027: Florida Code of Ethics for Public Officers and Employees: Compliance and Disclosure. This policy states the foundational standards of conduct for all USF System employees as the Florida Code of Ethics for Public Officers and Employees (FCOE), Section of the Florida statutes. Policy updates were designed to clarify discloser and reviewer responsibilities. These updates also included the addition of customer service standards for reviewers of FCOE, nepotism, or outside activity disclosures. These policy updates were based on frequently asked questions and comments from USF System employees and their management teams, which were received either directly or via the edisclose Help Desk. USF System CEP 2017 Annual Report 10 66

67 D. Higher Education Opportunity Act The Higher Education Act of 1965 (HEA) governs the administration of federal funding for higher education programs. The USF System must comply with HEA in order to remain eligible for Title IV funding from the U.S. Department of Education and for funding from other federal agencies sponsoring USF System Research Projects. The Higher Education Opportunity Act of 2008 (HEOA) amended HEA and includes compliance with the following federal laws: Jeanne Clery Disclosure of Campus Security Policy and Crime Statistics Act (Clery Act); Violence Against Women Act (VAWA) amendments to the Clery Act; Equity in Athletics Disclosure Act (EADA); Student Right to Know Act; and The Drug Free Schools and Communities Act (DFSCA). For the purposes of this report, the term HEOA refers collectively to the above-listed federal laws and their associated regulations. HEOA requirements are complicated and often involve cross-jurisdictional compliance risks, e.g., regulatory risks affecting more than one university leadership area or more than one USF System institution. During this reporting period, our Program continued to assist each institution within the USF System to meet their HEOA compliance responsibilities in accordance with USF System Policy 0-233: Higher Education Opportunity Act Initiative: USF System, Portal, and Security & Fire Safety Reporting Compliance (the HEOA Initiative ) as follows: Coordinated with over 26 units to design and implement a procedure coordinating the creation of an HEOA-compliant Annual Security and Fire Safety Report for each institution in the USF System, which complies with the Clery Act and VAWA, including distribution of these reports to the U.S. Department of Education and all current USF System students and employees. Reviewed written disclosures of rights, options, and services for victims of VAWA crimes for compliance with VAWA regulations and provided harmonizing language with VAWA regulations to the Office of Title IX. Confirmed HEOA Portal complied with HEOA disclosure requirements for this reporting period. Reviewed HEOA-required annual notices to students and employees summarized in the below table by notice type, federal law, and required recipient for compliance with federal law. Created templated language for each notice listed below to be used by each institution within the USF System to ensure compliance: USF System CEP 2017 Annual Report 11 67

68 Notice Type Federal Student Financial Aid Penalties for Drug Law Violations Voter Registration Information Institutional and Financial Aid Information Drugs and Alcohol Abuse Prevention Programs Availability of the Annual Security and Fire Safety Report (ASR) Federal Law HEOA HEOA HEOA DFSCA Clery VAWA Required Recipient under Federal Law All Current Students All Current Students and Employees All Current Student and Employees Our intent is to transition from the oversight and consulting activities of the HEOA Initiative to a USF System HEOA policy, which assigns responsibility to the appropriate USF System position, unit, and university leadership for ensuring HEOA compliance and mitigating cross-jurisdictional HEOA compliance risks. The draft policy assigns these responsibilities in accordance with best practices as set forth by the U.S. Department of Education and has been harmonized with USF System Policy 0-023: Internal Control. Elements 3 & 4: Create a Fair and Ethical Culture & Open Lines of Communication Under the provisions of USF System Regulation 5.001: Waste, Fraud, or Financial Mismanagement Prevention and Detection, all USF System managers and their employees are responsible for preventing, detecting, and reporting waste, fraud, financial mismanagement, or other violations of USF System policy or regulation. EthicsPoint EthicsPoint, our anonymous reporting hotline, serves as one of the primary tools assisting the USF System in this effort. In 2017 we upgraded EthicsPoint. The upgrade included several improvements and included consolidation of our hotline with the USF Foundation EthicsPoint Hotline into one, central USF System EthicsPoint Hotline. For the period 7/1/16 to 12/31/17, we received 132 unduplicated reports, which is consistent with the number of reports from the FY 2015/16 reporting period. The proportion of human resources-related reports is also consistent at 63% of the total (note that these are now reported both in the HR and USFH categories). Thirty-three percent of all reports were found to be substantiated, consistent with past reporting periods. Ten reports were referred, typically to the student code of conduct process or transferred to the Title IX process. USF System CEP 2017 Annual Report 12 68

69 ETHICSPOINT REPORTS USFH 31 Financial 11 Research 6 EH&S 1 Athletics 1 DIEO 30 HR 52 Referred/ Substantiated Unsubstantiated Transferred Open Total HR DIEO USFH Financial Research EH&S 1 1 Athletics 1 1 Total During this reporting period, our Program publicized EthicsPoint via the following mechanisms: Included EthicsPoint, USF Regulation USF5.001, and USF System Policy education in our Compliance & Ethics sessions during new employee orientation; Provided EthicsPoint posters to departments and encouraged their prominent display throughout our campuses; and Included EthicsPoint information in the training component of the Florida Code of Ethics (FCOE) form in the edisclose System. USF System CEP 2017 Annual Report 13 69

70 Element 5: Education and Training A. Compliance & Ethics Training for New Employees Our Program provided compliance and ethics training to 958 new USF System employees as follows: Live trainings provided every two weeks to new USF Tampa administration and staff employees attending Welcome to USF, a program administered by the Division of Human Resources (DHR). Live trainings provided periodically throughout the year, based on hiring volume, to new USF St. Petersburg (USFSP) faculty, administration, and staff employees attending orientation, a program administered by USFSP Human Resources. One-on-one orientation sessions with new USF Sarasota-Manatee (USFSM) faculty, administration, and employees provided by USFSM Human Resources using materials provided by our Program. Our Program provided compliance and ethics content and review for the new online compliance and ethics training developed by the DHR. This new online training was implemented in December 2017 and replaces our live compliance and ethics training sessions for new USF Tampa administration and staff employees going forward. B. Compliance & Ethics Training for Current Employees Certain USF System employees are required to complete an annual Florida Code of Ethics (FCOE) disclosure in edisclose, our online disclosure and review system. This disclosure includes education on current FCOE, nepotism, and outside activity prohibitions and restrictions under the FCOE and USF System Policy The following employee position types must annually complete this disclosure: All current faculty. All current administration employees. All current staff employees issued a procurement card (PCard) or FAST (Financial Accounting System) role. All current temporary employees issued a PCard or FAST role. During this reporting period, 9,757 FCOE disclosures were submitted by current USF System faculty, administration, staff, and temporary employees in edisclose. This translates to 6,455 USF System employees receiving FCOE, nepotism, and outside training during our reporting period. Our program also provided additional live, department- level FCOE, nepotism, and outside activity training to several operating units, including Intercollegiate Athletics. USF System CEP 2017 Annual Report 14 70

71 Element 6: Detection, Remediation, and Enforcement The USF Compliance and Ethics Program continues to work with compliance units to detect compliance gaps. When such gaps are identified, our program convenes multidisciplinary teams to develop and implement cross-jurisdictional policies and procedures aimed at addressing compliance gaps, including enforcement. A. Protection of Minors on Campus/Summer Programs (see also Element 2) The new process for ensuring background screenings for summer camps/programs that was contained in the new USF System Policy and its attendant procedures implemented a coordinated approach that proved to be highly effective during the summer of Units involved included the DHR, who bear the heaviest load in the program, as well as the Office of the General Counsel, the Phyllis P. Marshall Student Center, Housing & Residential Education, Campus Recreation, USF Athletics, USF Health, and Innovative Education. Over 35 USF programs and a like amount of non- USF camps utilizing our facilities were successfully processed through the DHR during summer USF System Compliance & Ethics will continue to monitor the background clearance process and we are beginning work on a more comprehensive protection of minors program to address non-summer programs as well. B. Export Controls/Office of Foreign Assets Control (OFAC) Compliance At the request of President Genshaft, the CCO led a working group of the Export Controls Advisory Committee to conduct a comprehensive review of the compliance control structure regarding potential violations of sanctioned programs administered by the federal OFAC. The review identified several compliance gaps and new procedures were put in place in Information Security, Export Controls, and USF World. Immediate departmental and focused training programs were implemented as well. (See also, Element 7B.) Element 7: Risk Assessment, Audit, and Monitoring A. USF System Enterprise-Wide Risk Assessments Every three years since 2011, the USF System Compliance & Ethics Program has coordinated and facilitated an enterprise-wide risk assessment for the USF System as part of the Enterprise Risk Management (ERM) program. ERM is an institution-wide or holistic approach to risk management. Risk Management is a process that defines how our organization does the following: USF System CEP 2017 Annual Report 15 71

72 Identifies risks to the achievement of goals and objectives; Measures the significance of each identified risk; Determines the most appropriate business response to each risk; and Evaluates and reports on how well the chosen responses are carried out. For the 2017 risk assessment, the CCO conducted workshops with each Vice President/Regional Chancellor direct-reports to identify function and process risks in each unit and rank each risk with respect to its impact on the achievement of USF System goals and objectives and the probability that the function or process will fail to contribute to that achievement. The results of the workshops were then shared with executive management and priority risks were identified. General risk categories that emerged included: Performance Metrics/Student Success Cybersecurity Infrastructure Student/Employee Safety Student/Employee Health and Wellness Talent Management Years two and three of the ERM process will include monitoring of mitigation efforts to address specific risks and identification of any emerging risks in year three. B. Audit & Monitoring Risks The USF System Compliance & Ethics Program is available to perform compliance reviews, risk assessments, and other consulting projects when compliance gaps are known or suspected. Compliance gaps can arise when the USF System has no known internal controls or the existing controls are not consistent with the law or industry best practices. Such reviews, assessments, and projects performed by the Program aim to bring the process or unit into compliance and, thereby mitigate risk to the institution. Below is a discussion of compliance reviews, risk assessments, and other consulting projects performed by our Program this reporting period: Annual FCOE Disclosure Compliance Monitoring Our Program continues to monitor USF System employee compliance with the annual FCOE disclosure requirements set forth in USF System Policy On the second Tuesday of every month, our Program sends senior managers an FCOE Disclosure Compliance Report (FCOE Report) identifying all USF System employees under their purview who are required to complete an annual FCOE disclosure and whether or not they have done so within the past 12 months. Senior managers and their designees then follow up with noncompliant employees to ensure they complete their annual FCOE disclosure in edisclose. During 2017, this monitoring by our Program and subsequent follow up by senior managers resulted in an overall FCOE USF System CEP 2017 Annual Report 16 72

73 disclosure compliance rate of 90% for the USF System. The percentage of USF System employees who met their annual FCOE disclosure requirement in the edisclose system is provided below, by institution: International Student Immigration & Export Controls Consulting Project Our Program assisted USF World and USF System Export Controls in developing a cross-jurisdictional process for ensuring international students comply with immigration and export control laws. Our program convened and chaired a workgroup comprised of the Director of USF World and the USF System Export Control Officer. This workgroup flowcharted how admissions, USF World, and export control processes work together across the life-cycle of international students attending USF, from pre-arrival to separation. The workgroup adjusted the process to eliminate process redundancies; streamlined communication between USF World and USF System Export Controls; and ensured compliance requirements for their respective areas were appropriately documented and met. The workgroup issued a final procedure in December The final procedure included a review and version control process and assigned the responsibility for records retention and version control to USF System Export Controls. NCAA Compliance Review Our Program was tasked with assessing the USF System s readiness for an Institutional Compliance Review by the American Athletics Conference ( The American ). Our program and USF Athletics Compliance co-developed a NCAA Documentation Analysis tool. This tool identifies key documents the USF System would be expected to provide to a site reviewer from The American. Our Program convened a cross-jurisdictional NCAA workgroup to assess the USF System s preparedness for an NCAA documentation review using the tool. The workgroup was charged with addressing any identified gaps by bringing documents identified on the USF System CEP 2017 Annual Report 17 73