OUR MISSION Our mission is to support the University s successful achievement of its strategic goals by serving as a partner in identifying and balancing risks through objective, flexible, and proactive audit and consultation services. OUR VALUES Teamwork: Integrity: Accountability: Service: We each view the University and Division s success as primary We hold ourselves to the same high standard to which we hold others We hold ourselves and others accountable and expect them to do the same We give back to the University and local community HIGHLIGHTS OF THE YEAR Partnered with the University s Compliance and Integrity Program to launch EthicsPoint, an online portal for anonymously reporting compliance and ethics concerns in April 2017. Provided advisory services to Office of Research, Innovation and Economic Development and Office of Finance and Administration on Sponsored Research Post-Award Processes where we identified University-wide issues and opportunities for improvement at the Colleges, Contracts and Grants, and SPARCS. In addition, IAD provided college specific business process maps that denoted internal control weaknesses, efficiencies and inefficiencies in the process, best practices, and suggested opportunities for improvement. Provided advisory services to the Office of Research, Innovation and Economic Development (ORIED), Office of Finance and Administration (OFA), OIT, and Office of General Counsel as they developed a collaborative compliance process to assist the University in achieving its research goals while maintaining compliance with National Institute of Standards and Technology (NIST) 800-171 "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations" and NIST 800-53 "Security and Privacy Controls for Federal Information Systems and Organizations". Conducted an audit of the User Controls Over Ultra-Sensitive Data to assess how current University users with access to ultra-sensitive data are protecting the data as it travels through their business processes. This resulted in 23 issues related to both University governance over sensitive data security and individual unit handling of this data. Audit recommendations have resulted in greater employee awareness and ongoing improvement to processes, governance activities, and security. The University Employee Time and Leave Management audit identified issues and inefficiencies with the University-wide manual processes used in timekeeping and processing payroll payments. This resulted in Human Resources implementing an electronic time-keeping system, WolfTime, to go-live in July 2017. Collaborated with the Poole College of Management Enterprise Risk Management Institute to evaluate strategic risks within the Division of Student Development, Health and Wellness. Results included response strategies for the risks identified. Partnered with the Office of Information Technology (OIT) in the Information Technology Risk Assessment for Power America to identify gaps between the current information processing Page 1 of 8
environment and the standards outlined in the Power America Information Security and Compliance Program. In addition, assisted in the identification of potential solutions and resources needed to address identified gaps and maintain ongoing compliance with the requirements. The results of this assessment will be leveraged to facilitate and inform similar improvements for the broader secure research IT environment and, especially, for those research projects that require more stringent information security. Processed 19 reports of waste, fraud, abuse of state assets, violations of Federal or State law, or non-compliance were reported in the fiscal year to the Internal Audit Hot Line. o 17 of the 19 allegations were from internal sources o 14 allegations became Investigations o 2 allegations became Audits o 1 allegation became a Consulting project o 2 allegations were either handled internally within the department or unsubstantiated Provided advisory services to ORIED and OFA in their replacement of custom-developed legacy software systems used for electronic Research Administration (era) activities with a new comprehensive and sustainable system. IAD assisted in identifying business processes and University-wide needs throughout the proposal and award lifecycle. This resulted in developing a Request for Proposal for vendors to submit bids for providing the new system. Fiscal Year 2017 Hotline Allegations Methods Received as of 6/30/17 In Person 10% Email 30% Phone Call 50% Mail 5% Delegated by Office of the State Auditor 5% Page 2 of 8
ENGAGEMENT STATISTICS IAD closed 39 engagements this year as noted in the chart below. This represents an increase of 30% over Fiscal Year 2016. Fiscal Year 2017 Engagements Status as of 6/30/17 Closed/Completed (39) 9 7 11 7 5 Special Assignments (11) In Process (20) 2 4 8 6 Consulting (12) Returned to Risk Inventory (3) 1 2 Investigations (19) Not Started/On Hold (0) Follow-Up (7) Canceled (2) 2 Audits (15) Our success this year was due to a dedicated staff, full time and temporary, who devoted 80% of their time directly to these engagements as illustrated in the chart below. Fiscal Year 2017 Effort Expended as % of Total as of 6/30/17 80% Effort on Engagements Investigations 13% Assurance Audits 10% Follow-Up Audits 8% Information System Audits 10% Ad Hoc and Minor Advisory 3% Consulting/Special Assignments 33% Non-Engagement Effort 20% Professional Development 3% Page 3 of 8
This year extra attention was placed on ensuring the timely closure of reported audit issues and we are very proud to note that University management achieved a 90% audit issue closure rate for FY17. Fiscal Year 2017 Audit Issue Resolution as of 6/30/17 Corrective Action Not Started, 4 Corrective Action in Follow-Up 6 Corrective Action In Process 1 53 Issues Reported Resolved 42 90% Completion Rate IAD engagement activities covering the University s Strategic Risk Areas are noted in the chart below. Fiscal Year 2017 Engagement Coverage of Top 10 University Strategic Risk Areas as of 6/30/17 Research Scandal 6 Loss of Research Grants 8 Faculty Loss (Infrastructure) 2 Technology Disruption 11 Regulatory Non- Compliance 17 Employee Misconduct 23 Other 53 Effectiveness and Efficiency of Process 12 Internal Controls 22 Data Breach 19 Governance 2 Page 4 of 8
AUDIT PLAN Each year in April, the Board of Trustees (Board) reviews and approves a new Audit Plan (Plan) for the coming fiscal year. That Plan is a snapshot in time of the current risks identified as of February 1 (the end of our planning year) and selected to be addressed through audit, consultative, or special project engagements during the following fiscal year. It is subject to change as we use on-going analysis throughout the year to weigh emerging areas of risk, management requests, and potential investigations received against the engagements on the original approved Plan. The impact of this is that some engagements on the Plan will be replaced by or postponed for new ones that carry higher or more immediate risk. All planned engagements that are not completed during the fiscal year are returned to our Continuous Risk Assessment process for on-going monitoring and potential inclusion in a later plan. If an engagement has been canceled, the risk has been addressed by management or is no longer applicable. This results in a more responsive, comprehensive audit process. Fiscal Year 2017 Audit Plan as of 6/30/17 9 19 6 Special Assignments Investigations 12 Consulting 3 1 5 18 9 Follow-Up Audits Audits 9 7 8 7 15 Planned Engagements 25 Added Engagements 39 Total Engagements 64 Page 5 of 8
RISK ASSESSMENT All team members visit faculty and staff across the University throughout the year to discuss their unit s strategic plans, goals, and risk posture. This includes new and on-going activities related to their academic, research, and outreach missions and potential concerns or emerging risks to both strategic and tactical goals at the unit and University level. This process supports the identification of potential audit and consulting engagements and is used as an objective tool in the development of our Annual Audit Plan. The charts below show the team s risk assessment meetings by unit. Fiscal Year 2017 Risk Assessments by Unit as of 6/30/17 Advancement 4 General Counsel 1 Fin & Admin 5 Provost 52 81 Risk Assessments Performed ORIED 5 DASA 4 OIT 8 Athletics 2 STAFF NEWS Staff New Appointment Anthony V. Workman, is joining IAD in July 2017 as an Information Technology Auditor. He will be coming to IAD from the Office of Information Technology Security and Compliance Division. Anthony has over 14 years of information technology experience in the military, public, and private sectors beginning his career in the US Navy as a Computer Network Defense Specialist. After relocating to North Carolina, he worked for the City of Henderson and the State of North Carolina Judicial Branch prior to starting at NC State University. Anthony has a MS in Information Assurance and a BS in Liberal Studies with a focus in Computer Information Science. He is also certified as a Certified Information Systems Security Professional. Page 6 of 8
Staff Kudos, Professional Activities, and Recognition Cecile M. Hinson, Director, celebrated 15 years with the University in February 2017. Nancy L. Burgart, became the Assistant Director in October 2016. She has been with IAD for over 12 years and with the University for 20 years. Prior to becoming the Assistant Director, Nancy held several positions within IAD: Auditor, Investigative Auditor, IT Auditor, and Interim Operational Audit Manager. S. Neil Holloway, Advanced Auditor, was nominated for the Chancellor s Unit Awards for Excellence for customer service. Frank J. Dziepak, Investigative Auditor, celebrated 1 year with IAD in April 2017. M Shiela R. Hawthorne, Auditor, is serving as Treasurer for the UNC Auditor Association for fiscal year 2018. Gail J. Kashulon, part-time Information Technology Auditor, returned to IAD from retirement to assist with information technology engagements. Denise W. Hall, University Program Specialist, celebrated 15 years with the University in December 2016. ENHANCING THE STUDENT EXPERIENCE Jennifer Corey joined our audit team as our student intern from the Poole College of Management s (PCOM) Internal Auditing concentration program. An internship experience in the NC State University Internal Audit Division provides a student with total immersion in the "real world" of the internal auditing profession. The student is assigned to audit projects and, with the coaching and mentorship of a senior auditor, performs all aspects of a typical project from risk assessment and planning to developing audit findings and writing the report. This is more exposure to the full audit project life-cycle than many auditors receive in their first two years of corporate or public experience. The students also have the opportunity to obtain experience on consulting projects. This experience positions the student ahead of many new graduates and even some experienced junior auditors; thus, improving their ability to compete for jobs in the market place. It also connects Internal Audit staff to the student body and gives them an appreciation for the skills and knowledge of NCSU s students. Through the PCOM Audit Intern program, the Internal Audit Division has been able to play a small part in contributing to one of the PCOM s key metrics related to the percent of students who had at least one internship at any time during their college years (10 percent). This is the ninth internship opportunity IAD has provided through the PCOM Audit Intern program. Where Are They Now? Jennifer (Jenna) Corey will be graduating in December 2017 when she ll receive a Bachelor s of Science in Accounting with a concentration in Internal Auditing. She is working in IAD as a temporary part-time auditor during Summer 2017. COMMUNITY OUTREACH Throughout the year, the Internal Audit Division participates in opportunities to give back to both our local and global communities. Each year the team spends 8-12 hours in community service by volunteering for unanimously selected activities in the community. These activities not only benefit our communities but also Page 7 of 8
provide a valuable opportunity for strengthening our team bonds. This year the IAD staff: Sponsored and coordinated a 3 hour project for University faculty and staff volunteers to prepare food boxes for victims of Hurricane Matthew at the Food Bank of Central and Eastern North Carolina. Participating volunteers were from the Office of General Counsel, the College of Textiles, and Finance and Administration. We set a new Food Bank record by packing 591 bags and boxes with 10,800 pounds of food in just 3 hours. That equates to 9,094 meals! Way to go Wolf Pack! Donated lunch hours this spring to participate in the Wolfpack Citizen Science Challenge, a collaboration between the University and the NC Museum of Natural Sciences to place outdoor cameras in designated areas to document local biodiversity. Our cameras recorded wildlife of the winged, four-legged, and two-legged varieties all coexisting within the urban areas of the campus. Resulting photos were uploaded to a national website and added to the Museum s Natural North Carolina project. Adopted 4 senior citizens for the holidays through the Be a Santa to a Senior program and put together large holiday gift bags filled with both practical and fun gifts for each of them. Participated in Wake County SPCA s new program, Love on a Leash, which allows volunteers to walk and play with homeless dogs housed at the SPCA s Holding Center to help better assess the dog s potential for adoption. Joined the Special Olympics Delegation Greeters and Porters to welcome the athletes to campus. We unloaded the athlete s luggage, showed them to their assigned dorm rooms, and provided refreshments to the athletes and their families. Achieved a 100% participation rate in the State Employees Combined Campaign (SECC) with Frank Dziepak as the Internal Audit Division s Team Captain. Page 8 of 8