Internal Audit Services Report on Activities Fiscal Year 2014 September 2014 1
Table of Contents Executive Summary 3 Mission 4 Audit Program 5 Advisory Services 13 External Audits 16 Investigations 20 Management Corrective Actions 22 Local Program Initiatives 29 Client Satisfaction 30 Staffing /Resources 31 2
Executive Summary Our work this year strengthened controls to mitigate risks, improved process efficiency and effectiveness, and ensured compliance with University policy. Audit projects assessed many high risk areas such as development, expense controls, major unit leadership transition reviews, compliance reviews, revenue cycle and IT security. Internal Audit Services (IAS) continued its on-going practice of working collaboratively with management in determining the optimum action strategy for addressing internal control and operational issues identified during audit projects. In addition, we continue to successfully bring multiple departments/units together to develop and implement cost effective safeguards for, including Health System (UCDHS) operations. IAS completed 15 of our planned audits and 3 planned supplemental audits, for an overall completion rate of 90% of the amended audit plan. We also completed 3 planned and 7 supplemental advisory projects, providing professional guidance to various departments on a variety of topics. We participated in 22 committees. Investigative hours required only 2% of the available time, a historical low. In addition, we finalized 12 audit reports issued in draft last fiscal year and 1 carryforward advisory service from FY13. Our auditors with ACL expertise continued to work closely with other departments this year to familiarize them with the software capability and applications to improve their units. IAS maintained this level of productivity despite the loss of staffing resources due to the departure of an Associate Director in February, a Principal Auditor vacancy for most of the fiscal year and the Director being on a special assignment for over 3 months. In addition we also devoted 5 FTEs for a special supplemental review during the last two months of the fiscal year. Key initiatives as we move into FY15 are to continue to strengthen our University s systems of control and strive to have a positive impact on the University s financial performance whenever possible. As part of our reviews of organizational units we will also review efforts to improve the diversity of our campus. In addition, we will continue to strive to serve as a resource to educate faculty and staff on how to effectively manage risk and ensure the efficiency and effectiveness of systems of internal control. 3
Mission The mission of the University of California (UC) internal audit (IA) is to provide the Regents, President, and campus Chancellors and Laboratory Director independent and objective assurance and consulting services designed to add value and to improve operations. We do this through communication, monitoring and collaboration with management to assist the campus community in the discharge of their oversight, management, and operating responsibilities. IA brings a systematic and disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes. - Approved by The Regents in 2014 4
Audit Program~ Lines of Business Our primary activity is to conduct a program of regular audits of the University's business operations. However, the Internal Audit Program also includes providing advisory and investigative services that enhance the value of commitment to our customers. Audits Assurance Services defined as examinations of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. These can be reviews of units (including academic departments) and processes that cut across all organizational units (e.g., purchasing, travel, etc.). Advisory Services Proactive or preventive activities focused on Internal Control and Accountability, Special Projects and Consultations, and Systems Development and Reengineering. Investigations Inquiries into allegations generally focused on improper governmental activities including misuse of university resources, fraud, financial irregularities, significant control weaknesses and unethical behavior. 5
Overview of Internal Audit Services IAS Director reports administratively to the Chancellor and directly to the Regents Committee on Compliance and Audit through the Senior Vice President Chief Compliance and Audit Officer. IAS has 11.5 professional staff authorized FTEs and 1 FTE support staff. IAS, with input from management, develops an annual plan of audits, advisory services and investigation hours based on a risk assessment. The annual audit plan is reviewed and approved by the Internal Audit Services Work Group and the Chancellor prior to submission to the Office of the President and the Regents. 6
Audit Program Highlights Completed 90% of the revised audit plan (two audits not completed.) Throughout the year, changes were made to the approved audit plan in order to align the plan with campus priorities and perceived risks. Eleven audits were dropped from the original plan to allow for an unplanned reduction in available FTEs and the addition of four supplemental audits and four advisory services. Conducted eight administrative reviews in conjunction with college, school and administration leadership transitions or appointment renewals. Continued to develop new applications for IAS and other departments to use ACL (data analysis software) to improve reporting and reconciliation processes. Continued to provide the How to Survive an Audit course that focuses on working with external auditors as part of the Research Associate Certificate Series. 7
Completion of Revised Audit Plan FY14 Audit Completion Statistics Original Planned Audits 28 Dropped /Deferred Audits 11 Supplemental Audits Completed 3 Amended Audit Plan 20 Planned Audits Not Completed 2 Total Amended Audit Plan Completed 18 Percentage of Revised Plan Completed (18/20) 90% FY13 Audits Issued in FY14 12 8
Completion of Audits on Annual Plan 90% 100% 96% 95% 90% FY10 FY11 FY12 FY13 FY14 9
Direct hours, which is available time excluding administration and personal leave time, was 88%, which is on target with the plan. Actual hours devoted to the Audits were 10,860. Audit Program Advisory Service hours were slightly higher than planned due to more requests from management and more available time because of historically low time on investigations. Investigation hours were significantly lower than planned; IAS worked on and completed 4 investigations this year, and 4 in FY13. Plan Actual Hours Percent Hours Percent Total Direct Hours 17,920 88% 17,406 88% Audit Projects 11,154 55% 10,860 55% Advisory Service 3,167 16% 4,563 23% Investigation 2,400 12% 330 2% Audit Support 1,200 6% 1653 8% 10
Audits 16 Completed Planned and Supplemental Audits 20 15 15 16 Completed Audits and Investigations 13 23 20 18 0 3 5 3 7 4 4 FY11 FY12 FY13 FY14 FY11 FY12 FY13 FY14 Planned Supplemental Audits Investigations 11
Audits Completed in FY14 Campus Donor Restrictions on Gift Expenditures FY13 DNF G-45 Chancellor s Expenses College of Agriculture and Environmental Services Transition Review College of Engineering Administrative Review Information & Educational Technology IT Virtualization Service College of Letters and Science-Social Sciences Administrative Review* Export Controls* Critical Infrastructure IT Systems* Transportation Analysis IET Transition Review* Graduate School of Management Administrative Review* Health System Capitation Revenue Distribution School of Nursing Administrative Review Sales, Use and Unrelated Business Income Tax Blood Products Management Department of Dermatology Stores and Distribution* Database Security* *In Draft at FYE 12
Advisory Service Highlights Completed 11 advisory service and 25 small consultation projects. Participated in a wide variety of key committees including ECRC, Investigation Coordination Work Group, three UCDHS Compliance Committees, Council of Deans and Vice Chancellors, and Technology Infrastructure Forum. Provided information and advice on a variety of topics: Unit operations, data analysis, compliance with internal policies, accounts receivable valuation, IT implementations, and policy revisions. Our auditors with ACL expertise worked closely with two departments to familiarize them with ACL software capability and applications for continuous controls monitoring and to meet Homeland Security requirements. 13
Advisory Services 22 22 16 18 17 19 17 9 10 7 7 3 Planned Supplemental Committees FY10 FY11 FY12 FY13 FY14 **Committees shown separately for FY13 & FY14 only 14
Advisory Services Completed in FY14 Campus UC Path* Student Affairs Administrative Review* How to Survive an Audit UCOP ANR Data Analysis Vet Med Compliance Consultation Engineering Compliance Consultation Health System Retail Pharmacy Accounts Receivable* EPIC Implementation* Travel Consultation Advisory Primate Center Advisory Separated Principal Investigators * = Planned 15
External Audit Highlights The External Audit Coordinator actively coordinated 13 new external audits in FY14 encompassing 55 awards. Continued coordination and oversight of two National Science Foundation audit activities including the system wide audit covering 785 awards and related expenditures during FY08, 09, and 10 as well as a focused investigation of 3 awards. Both audits will continue into FY15. There have been no significant negative findings to date on reviews or awards where the External Audit Coordinator has been involved. The demand for the External Audit Coordinator's input and valued expertise continues to expand through increased visibility and word of mouth. Presented "How to Survive an Audit" three times during FY14 as part of the Research Administrators Certificate Series. 16
External Audits FY14 External Audits FY14 External Audits 30 25 Other and FFT State and FFT Federal * National Science Foundation ** CA Department of Food & Agriculture CA Horse Racing Board 20 7 CA Employment Development Department 15 10 5 7 10 6 8 6 1 1 1 1 2 1 1 1 1 Los Alamos National Laboratory ** Lawrence Livermore National Laboratories Sandia National Laboratory W.K. Kellogg Foundations 0 FY13 2 FY14 CA Citrus Research Board Publice Health Foundation, Enterprise 17
External Audits State Funding Other Los Alamos National Laboratory (FFT) ** 6 1 1 1 1 1 1 Lawrence Livermore National Laboratories (FFT) Sandia National Laboratory (FFT) CA Horse Racing Board 1 1 W.K. Kellogg Foundations CA Employment Development Department CA Department of Food & Agriculture (FFT) CA Citrus Research Board Publice Health Foundation, Enterprise 18
External Audit Activity in FY14 Completed in FY14 National Institute of Food & Ag-USDA YEAR 2 CDFA Select 2010 Specialty Crop Block Grants YEAR 2 California Department of Food & Agriculture Award #SCB11018 YEAR 2 California Department of Food & Agriculture-Center for Produce Safety YEAR 2 Public Health Foundation Enterprises FY11/12 Awards YEAR 2 USDA-APHIS-Vet Med YEAR 2 Carried to FY15 NSF Systemwide YEAR 5 (aka NIH Systemwide) NSF Office of Inspector General Specific Review YEAR 3 Los Alamos National Laboratory (LANL) YEAR 3 Sandia National Laboratories Contract Audit YEAR 2 Public Health Foundation Enterprises FY12 Awards California Department of Food & Agriculture Select 2011 Specialty Crop Block Grants Employment Development Department - Betty Irene Moore School of Nursing - Nurses Education Initiative II Project California Department of Food & Agriculture- Agricultural & Resource Economics CA Dept of Food & Agriculture Desk Reviews 2011 Specialty Crop Block Awards CAHFS-CHRB Inquiry Lawrence Livermore National Laboratories FY14 Annual Subcontract Incurred Cost Audit CA Citrus Research Board 19
Investigation Highlights Actual investigation hours (330) were much lower than planned (2,400). Only 2% of the audit program hours were devoted to investigations; the lowest ever at UCD. 1 investigation was continued from FY13 and 3 investigations were added. Four investigations were completed at fiscal year end. 20
Investigations 330 Fy09 FY10 FY11 FY12 FY13 FY14 Percent of Total Effort 30% 20% 8% 13% 5% 3% 2% Hours 5,245 3,639 Number Worked in Year 30 30 Number Started in Year 20 23 Number Completed in Year 23 23 Average Hours per Project 332 168 Average Hours per Allegation (1) 147 82 Average Allegations per Project (1) 2.3 2 1,473 2,141 1,035 543 330 10 14 7 4 4 6 9 6 4 3 7 13 7 4 4 172 153 148 136 83 80 89 94 136 83 3 1.7 1.6 1 1 (1) Includes completed projects only 21
Management Corrective Actions (MCAs) Internal Audit Services monitors the progress in completing management corrective actions that address internal control deficiencies identified during audit and investigation projects. The follow-up process on action items is critical as it assists University leadership in ensuring appropriate changes are implemented to mitigate risks. 22
FY14 MCA Activity Activity Summary Open, Past Due, High Risk MCAs open as of July 1st FY13 FY14 111 86 As of 06/30/2013 06/30/2014 Open 86 45 MCAs added 209 127 MCAs closed 234 168 MCAs as of June 30th 86 45 Past Due 10 10 High Risk 7 8 Past Due - High Risk 3 3 23
Summary of Corrective Action Implemented in FY14 IAS worked with management to facilitate closure of 168 MCAs in the following categories during FY14 Information Security Total of 54 MCAs MCAs relating to information security were closed for audits related to central IT systems including Banner and Kuali. In addition, MCAs were closed related to cyber safety in UNEX, Office of Research, Radiology, UCDMC clinical devices, and elevated rights in UCDHS IT data center. MCAs were also closed related to key infrastructure systems such as IET's virtualization service, Facilities and Utilities critical infrastructure systems and UCDHS IT building management systems. The latter MCAs included addressing vulnerabilities identified that could have resulted in disruption to building alarms, warning systems, utilities or patient services and/or access to otherwise protected information systems on the same shared network. Information Systems Strategy and Oversight- Total of 4 MCAs MCAs relating to the management oversight and strategy of delivering IT services at both the Davis campus and Health System were closed this past year. These MCAs included actions taken to better understand the IT staffing job functions across the enterprise and make more informed strategic decisions in how to manage and oversee these resources. Corrective actions taken at UCDHS focused on the oversight of IT functions within units outside of the central IT organization as well as improvements to the overall governance of IT at UCDHS. 24
Summary of Corrective Action Implemented in FY14 Revenue Capture and Cash Collections Total of 19 MCAs MCAs closed in this group provided for improved controls over non resident tuition and cash collections in Parking & Transportation Services and PCN Clinics. Operating Expenses Total of 22 MCAs Management reporting at the health system has been improved to facilitate department monitoring of utilization and expense of cell phones, pagers and other residential telecom services. Also closed MCAs will improve expense monitoring by reengineering the general ledger review system. Research Awards - Total of 24 MCAs Actual staffing for a particular award reviewed has been corrected to match expectations by the awarding agency or the award terms and conditions have been amended. The associated PI agreed to review and certify PI Ledger Reports on a monthly basis and make adjustments tor expenses charged to the award if necessary. The PI also agreed to file appropriate progress reports and adjust records of actual personnel working on the award as appropriate. The responsible department will play an active role in monitoring expenses to ensure they are allowable and allocable and ensure the timely transfer of any expenses as necessary. Improvements to sub-recipient monitoring to ensure appropriate payments and compliance with awarding agency requirements have been put in place at both the campus and health system. Other Total of 45 MCAs These MCAs improved recharge rate oversight, accounting accuracy and other administrative controls over areas such as Donor Restrictions and Blood Products Management. 25
Open MCAs by Functional FY13 Area FY14 86 Open 31% 1% 4% 1% 1% 5% a Campus Dept & Instruction (1) b Healthsciences Ops (4) g IT & Communications (49) 45 Open 27% 2% 11% 27% a Campus Dept & Instruction (12) b Healthsciences Ops (12) f Budget & Planning(3) 57% h Financial Management (27) j HR & Benefits (1) l Dev & External Relations (3) m Aux, Bus & Empl Supp Services (1) 6% 27% g IT & Communications (12) h Financial Management (1) l Dev & External Relations (5) 26
Corrective Actions Open MCAs by Priority Aging Report Open MCAs by Priority As of June 30, 2014 Past Due MCA's As of June 30, 2014 26 10 5 3 4 4 3 High Medium Low Past Due Current 0 0 0 1-6 7-12 13-18 Over 18 Months Past 27
FY14 MCA Assessment Past due MCAs were significantly lower than in previous years. At the end of FY14, 10 of the 45 open MCAs were past due, as compared to 10 of 86 open MCAs being past due at the end of FY13. Of those past due MCAs, only 3 were considered to be high risk at the end of FY14. MCAs in the Health Sciences Operations, Campus Departments and Instruction (due to transition reviews), and IT & Communication groups comprise the largest categories of outstanding MCAs at year end. MCAs in these categories represented 81% of total MCAs at the end of FY14. 28
ACL Local Program Initiatives Our ongoing program of developing ACL routines for analyzing data and increasing access to Campus and Health System data sources continues to amplify the effectiveness and efficiency of our Internal Audit program. Integrated IT Projects We capitalized on the skills of our IT specialists to augment the scope of several projects when our risk identification process defined a need for an integrated approach. Our IT resources were also utilized when findings necessitated action that was enhanced by their expertise. 29
Client Satisfaction IAS serves distinct customers. The clients who directly receive our services are: University of California Office of the President, Management, and The Regents. IAS surveys clients upon completion of each project to obtain feedback on services provided. In FY14, 49 surveys were distributed and 20 completed surveys were returned. Feedback remains consistently positive, with comments that support the quality of our work and the benefits provided to the campus: I found the audit to have been thorough and thoughtful. It was a value-added for the University. The audit team is fantastic. 30
Staffing /Resources In June 2014 we filled a Principal Auditor position at the Health System, to replace a vacant position. Tony Firpo was promoted to Manager IAS. First Year hosting a Law Fellow was mutually beneficial. Turnover in 2 positions. Greg Loge has continued as the System-wide IT Audit Manager for 50% of his time. In FY14, staff members were able to take advantage of continuing professional development sessions outside the department including valuable sessions provided by the UC Office of the President. 31
Staffing /Resources FTE Summary Professional 5.0 Health System 6.50 Campus Administrative 1.0 Analyst Staff Changes 1 Principal Auditor hired effective: 06/02/2014 Experience 6.5 Average years UC audit experience 5 Average years outside audit experience 11 Average total years audit experience Certifications 6 Certified Public Accountants (CPA) 1 Certified Technical Specialist (CTS) 8 Certified Internal Auditors (CIA) 3 Certified Information System Auditors (CISA) 2 Certified Fraud Examiners (CFE) 1 Certified Risk Management Assurance (CRMA) 2 Information Security Certifications (CISSP, GIAC: GSNA, GSEC, GPEN) 1 ACL Certified Data Analyst (ACDA) 32