board of trustees meeting mr. robert p....


Page 1: BOARD OF TRUSTEES MEETING Mr. Robert P. …louisville.edu/president/board-of-trustees/minutes/2014/...Audit Committee Report, the Issue History Report, and the UofL Quality Assessment

MINUTES OF THE AUDIT COMMITTEE OF THE UNIVERSITY OF LOUISVILLE BOARD OF TRUSTEES MEETING

October 9, 2014

Members of the Audit Committee of the University of Louisville Board of Trustees met at 12:26 p.m. on October 9, 2014, in the Jefferson Room of Grawemeyer Hall, with members present and absent as follows:

Present:
Ms. Brucie Moore, Chairwoman
Mr. Robert P. Benson, Vice Chair
Mr. Jonathan Blue
Mr. Ron Butt
Mr. Douglas Hall
Dr. Jody Prather

Other Trustees Present:
Mrs. Marie Abrams
Dr. Larry Benz
Dr. Emily Bingham
Mr. Steve Campbell
Dr. Kevin W. Cosby
Dr. Pamela Feldhoff
Mr. Craig Greenberg
Ms. Monali Haldankar
Mr. Bruce Henderson
Dr. Robert Curtis Hughes
Ms. Angela Lewis-Klein
Mr. Robert W. Rounsavall, III
Mr. Steve Wilson

From the University:
Dr. James R. Ramsey, President
Dr. William Pierce, Executive Vice President for Research and Innovation
Dr. David L. Dunn, Executive Vice President for Health Affairs
Mr. Keith Inman, Vice President for University Advancement
Ms. Susan Howarth, Assoc. Vice President for Finance and Budget Affairs
Mr. Jason Tomlinson, Assoc. Vice President for Finance & Budget Affairs
Ms. Becky Simpson, Sr. Assoc. VP for Communications and Marketing
Mr. Glenn Bossmeyer, University Counsel
Mr. John Drees, Assoc. VP for Communications and Marketing
Ms. Cindy Hess, Communications and Marketing
Ms. Cheri Jones, Audit Services
Mr. Dave Barker, Audit Services
Ms. Terri Rutledge, Finance and Business Affairs
Mrs. Kathleen Smith, Assistant Secretary
Ms. Trisha W. Smith, Director of Special Projects
Mr. Jake Beamer, Board Liaison

Guests:
Mr. Bill Meyer, Strothman + Co.
Mr. Lance Mann, Dean Dorton Allen Ford
Ms. Melanie Franklin, BKD
Ms. Jennifer Williams, BKD
Ms. Mary McKinley, BKD

I. Call to Order

Having determined a quorum present, Chairwoman Moore called the meeting to order at 12:26 p.m.

Approval of Minutes, October 2, 2014

Dr. Prather made a motion, which Mr. Hall seconded, to approve the minutes of October 2, 2014. The motion passed.

II. Information Item: Update from Internal Auditor

Chairwoman Moore asked Mr. Barker and Ms. Jones to update the committee on the Audit Committee Report, the Issue History Report, and the UofL Quality Assessment Review.

Mr. Barker showed a presentation with highlights from the attached Audit Services and Institutional Compliance Report. It included: an external quality assurance review, by an outside accounting firm, that stated the office “generally conforms” in all respects regarding the University’s internal auditing standards, the highest achievable opinion; the Audit Office has a 90% closure rate on a total of 241 audit issues; and an update on the Audit Plan for FY 2014-15. Mr. Barker and Ms. Jones then fielded questions from the Board.

Chairwoman Moore thanked Mr. Barker and Ms. Jones for their report. This item was for informational purposes only and no action was needed.

In response to an inquiry from Mr. Wilson, Chairwoman Moore noted on July 2, 2014 at the Audit Committee meeting, the update regarding implementation of the Strothman Consulting report was scheduled for October 2. Chairwoman Moore asked that a copy of Ms. Howarth’s presentation be sent to all board members for their information.

III. Adjournment

Mr. Benson made a motion, which Mr. Blue seconded, to adjourn the meeting at 1:09 p.m.

The motion passed.


Approved by:

Assistant Secretary

Signature on file


Audit Services and Institutional Compliance

October 9, 2014

To: Board of Trustees Audit Committee
Brucie Moore, Chair

From: Dave Barker – Associate Vice President for Audit Services and Institutional Compliance

Re: Audit Services and Institutional Compliance Activities

Attached is the Audit Services and Institutional Compliance report of activities for the period of April 2013 through August 2014. The report includes an executive summary for each Audit Services report issued during the period. Each summary includes the overall project rating in addition to audit issues, priorities, and target implementation dates.

Audit Services has implemented an on-going action plan status updating system, whereby all action plans must be updated by administration when the target implementation date is reached. The summaries in this report reflect revised target dates and implemented action plans. In addition, a formal audit follow-up project will be performed whenever an activity or department received an inadequate rating or involved monetary losses through fraud. Action plan implementation for any audit issues that were assigned a high priority will also be formally verified by audit staff. The follow-up and verification processes can result in action plans being re-opened because of incomplete or ineffective implementation.

This report includes summaries of activities performed by the Institutional Compliance Office and the Office of Information Security.

In order to facilitate independence, the Director of Audit Services has the authority to manage the resources of the Audit Services Department. Audit Services and Institutional Compliance has received excellent cooperation and support from all levels of administration.

cc: Jim Ramsey
Shirley Willihnganz
Leadership Team


Audit Services and Institutional Compliance Activities April 2013 – August 2014

Contents

AUDIT SERVICES ANNUAL REPORT

RISK ASSESSMENT AND AUDIT PLAN DEVELOPMENT

2012-2013 and 2013-2014 AUDIT PLAN RESULTS

AUDIT ISSUE FOLLOW-UP PROCESS

AUDIT SERVICES BUDGET AND RESOURCES

EXTERNAL QUALITY ASSURANCE REVIEW – RESULTS

AUDIT SERVICES PROJECTS

Reports Issued

• BA3 - Department Budgeting System (SATISFACTORY)
• Development (GOOD)
• J B Speed School Of Engineering - Office Of The Dean (SATISFACTORY)
• Genetics Of Alzheimer's Disease In Israeli Arabs (NEEDS IMPROVEMENT)
• Library Systems (GOOD)
• Unrelated Business Income Tax (GOOD)
• Athletics Financial Aid & Scholarships (GOOD)
• Ticket Office Cash and Reconciliation Review (EXCELLENT)
• Payroll Taxes (EXCELLENT)
• School of Dentistry – Credit Balances in Clinic Receivables (NO RATING ASSIGNED)
• Executive Expenses (GOOD)
• Cloud Computing (NEEDS IMPROVEMENT)
• Graduate Student Stipends (ADVISORY)
• Capital Equipment Purchased on Federal Projects (EXCELLENT)
• Parking (GOOD)
• Sponsored Programs Financial Administration (GOOD)
• Oracle PeopleSoft HCM/CS Database Split (ADVISORY)
• IT Disaster Recovery Test Review (ADVISORY)

Projects In Progress

• Department of Family and Geriatric Medicine
• Cash Control Assessment
• Fraud Assessment
• Athletics Inventory Management
• IT Governance

Special Projects

• Clery Act
• Employee Tuition Remission

AUDIT SERVICES ACTIVITIES

Information Technology Advisory Activities

• Payroll Timekeeping System
• Integrated Research Information System
• PeopleSoft Financials Upgrade

Audit Advisory Activities

• Internal Controls and Fraud Awareness Training
• Institutional Compliance Committee
• Service Center Task Force Committee
• Office of the President Strategic and Tactical Goals Verification (Scorecard)
• OMB Uniform Guidance Work Group

INSTITUTIONAL COMPLIANCE OFFICE

• Compliance Hotline
• Sanction Checks
• Compliance Risk Assessment
• Fiscal Year 2014 Compliance Reviews and Follow-Ups
• Other Institutional Compliance Activities

CONFLICT OF INTEREST PROGRAM

INFORMATION SECURITY OFFICE

AUDIT PLAN - 2013/2014

AUDIT PLAN – 2014/2015

ORGANIZATIONAL CHART

APPENDIX A - PROJECT RATING DEFINITIONS

APPENDIX B – ISSUE PRIORITY DEFINITIONS


AUDIT SERVICES ANNUAL REPORT

RISK ASSESSMENT AND AUDIT PLAN DEVELOPMENT

Audit Services performs an annual risk assessment to determine the best strategy for deployment of department resources. The assessment attempts to identify high risk activities using an evaluation of the following areas: Regulatory Exposure, Operational Risk (Complexity), Financial Exposure, Environmental Risk, and Strategic Risk. Interviews are conducted with administration, deans, vice presidents, and others in a position to help identify the evolving exposures. Based on the results of this evaluation, an audit plan is created and audits are scheduled for high risk areas. The audit plan is continuously evaluated and audits can be deferred, cancelled, or added because of changing conditions.

Regulatory Exposure – The University is subjected to a myriad of federal, state, and local regulations that arise from the diverse mission of the institution. These include regulations over research, clinical activities, workplace rules, student activities and interactions, employment and tax laws, and environmental laws. In addition to using exposure to a regulatory scheme to evaluate the risk to a unit, each regulatory activity has an inherent risk that is evaluated.

Operational Risk – The inherent complexity of an activity increases the risk of an adverse event occurring. The university’s operational risk profile is relatively high as a whole because of the high degree of decentralization.

Financial Exposure – This addresses the amount of budget that the unit controls, in addition to the source of the funding, and whether the unit is actually involved in processing cash or cash-like instruments (checks, credit cards, or gift cards).

Environmental Risk – This is the degree of external interest in the unit or activity being assessed. The interest could be from the community (for example, Athletics has a high exposure in this area), from sponsors, or from donors.

Strategic Risk – The impact an area has on meeting the goals set out in the university’s strategic plan. While all areas of the university have an impact, some areas will have more influence on the accomplishment of the university’s mission than others, or different goals will be impacted.

The result of the annual risk assessment is used for the development of the audit plan. The audit plan is a very flexible document which evolves as new risks emerge or exposure changes.

2012-2013 and 2013-2014 AUDIT PLAN RESULTS

In fiscal 2013 there were 24 audit projects completed, 5 of which were advisory projects with no rating assigned. This included projects on the 2011-2012 plan that were completed in 2013. In fiscal 2014, there were 14 audit projects completed, 8 of which were advisory reports with no project rating determined. The charts below contain information about the projects completed in fiscal 2012-2013 and in 2013-2014.


Refer to Appendix A for the Project Rating Definitions. The majority of the audit projects completed during the period were assigned a rating of Good or Excellent (58%). No Unsatisfactory ratings were assigned in 2013. In fiscal 2013-2014, only six projects were issued a project rating, with two projects assigned a “needs improvement” rating.

[Figures: pie charts "2012 / 2013 Project Ratings" (categories: Advisory, Excellent, Good, Needs Improvement, Satisfactory) and "2013 / 2014 Project Ratings" (categories: Advisory, Good, Needs Improvement)]

Refer to Appendix B for Issue Priority definitions. The majority of identified issues in 2012-2013 were either moderate or low priority. Issues that are recurring from a project performed within the prior 5 years are automatically downgraded to the next highest priority. For example, an issue that would be normally assigned a low priority will be given a moderate priority if it is determined that the issue was identified during a prior audit and the agreed upon action plan was not implemented as previously reported or the implemented corrective action was later discarded. In 2013-2014, there was a significant increase in the number of high priority issues identified at 56%.

[Figures: pie charts "Issue Priority 2012-2013" (categories: High, Low, Moderate, N/A) and "Issue Priority 2013-2014" (categories: High, Low, Moderate)]

In fiscal 2013 the most common issue identified was internal control weaknesses. In 2014, the most common issues were violations of internal university policy or regulatory compliance at 55%. The identification of internal control weakness was a distant third at 22%.

AUDIT ISSUE FOLLOW-UP PROCESS

In July 2012, Audit Services began tracking all issues that remained open when the report was issued using an automated web based system. The issues given a high or moderate priority are not closed by Audit Services until the implementation has been verified by either:

• visiting the department to observe current procedures,
• reviewing formal documentation, an adopted policy or procedure, or a system generated report, or
• testing a small sample of transactions.

Departments self-certify the implementation of action plans related to low priority issues. Formal follow-up audits are scheduled for all projects that are assessed a Needs Improvement or Unsatisfactory rating. A Pending Issue report that documents the status of high and moderate priority issues is distributed to Leadership in July and January.

[Figures: pie charts "Types of Issues Identified 2012-2013" (categories: Regulatory, Internal Control, Miscellaneous, Written Procedures, Policy & Procedures, Documentation, Financial) and "Types of Issues Identified 2013-2014" (categories: Financial, Internal Control Weakness, Miscellaneous, Policy Compliance, Regulatory Compliance, Written Procedures)]

AUDIT SERVICES BUDGET AND RESOURCES

Audit Services is staffed by five professionals, including the Director. Staff competencies include an information technology expert, and two certified fraud examiners. In addition, three staff members have obtained certification in risk management (CRMA). All staff is certified, with expertise in fraud examination, risk management, internal control assessment, and information technology. In addition, one staff member has significant experience in healthcare. The available resources and allocation for fiscal 2015 compared to fiscal years 2014 and 2013 is illustrated in the table below:

| Resource Budget (in hours) | 2015 Budget | 2014 Actual | 2013 Actual |
|---|---|---|---|
| Total Available Hours | 9,880 (100%) | 7,286 (100%) | 8,746 (100%) |
| Total Non-Work Hours | 1,377 (14%) | 1,132 (16%) | 1,341 (15%) |
| Total Administration | 1,035 (10%) | 791 (11%) | 936 (11%) |
| Audit | 4,625 (47%) | 2,640 (36%) | 5,590 (64%) |
| Consulting | 2,090 (21%) | 666 (9%) | 452 (5%) |
| Investigation | 753 (8%) | 2,057 (28%) | 427 (5%) |
| Total Audit, Consulting, Investigations | 7,468 (76%) | 5,363 (73%) | 6,469 (74%) |

In 2014, the majority of the time classified as Investigation was spent in Family and Geriatric Medicine. Consequently, there was a significant reduction in time available to perform audits in high risk areas. Consulting is primarily the time spent on information technology implementation projects. In addition, management can request a consulting project to obtain help in identifying solutions to known issues, to obtain advice in achieving operational efficiencies, or to obtain advice on internal controls that can be built into new operations, policies, or procedures. Non-work hours are university-provided benefits, such as holidays, vacation, and sick leave.

The 2014-2015 risk assessment assigned a high or moderate risk to 61 areas. Assuming an average project budget of 350 hours, coverage of these areas would require an annual resource budget of 21,350 hours. The current resource availability of 7,500 hours allows the 2015 audit plan of 21 projects, plus a small contingency budget for investigations. Areas evaluated with a low risk will usually not be included in the audit plan.

Audit Services is funded primarily through state appropriations, with a small gift fund available for technology. The department budget is part of the larger university budget approved by the Board of Trustees annually in June.

Continuing Allocation Funding

| | 2013-2014 | 2014-2015 |
|---|---|---|
| Salary | $650,235 | $676,110 |
| Benefits | $156,381 | $175,317 |
| Supplies and Expenses | $43,318 | $43,318 |
| Total | $849,934 | $894,745 |


EXTERNAL QUALITY ASSURANCE REVIEW – RESULTS

In order to comply with the International Standards for the Professional Practice of Internal Auditing, the department undergoes an external quality assurance review (EQAR) every 5 years. Audit Services engaged the firm of Honkamp Krueger & Co, P.C. through the request for proposal process. The review was performed in May 2013. The purpose of the review is to obtain reasonable assurance that the internal audit function is performing in conformity to the international standards. Three possible rating categories can be assigned: Generally Conforms, Partially Conforms, and Does Not Conform. Generally Conforms is the best rating available. The rating assigned to Audit Services Department was:

GENERALLY CONFORMS.

Although the department generally conforms to the standards with no deficiencies, there were opportunities identified to improve the effectiveness of Audit Services including:

1. Consider enhanced reporting to the Audit Committee to include annual confirmation of independence and the safeguards in place to prevent the CAE’s multiple non-audit roles from jeopardizing that independence.

This recommendation has been implemented as illustrated by the information contained in this report.

2. Consider expanding reporting to the Audit Committee and senior management to include key performance metrics, updates on pending issues, budget information and resource allocations/usage, etc.

This recommendation has been implemented as illustrated by the information contained in this report.

3. Periodically review and revise Audit Committee Charter.

Implementation of this recommendation is on-going.

In addition, enhancements to the department’s internal policy and procedures manual and to the staff competency model were recommended. These enhancements are in process of implementation. A copy of the EQAR report is attached.


AUDIT SERVICES PROJECTS

Reports Issued

BA3 - Department Budgeting System
Rating: SATISFACTORY
Date Issued: May 1, 2013

The BA3 system has been adopted by some departments on the Health Sciences Center campus. It is used as a supplemental accounting system for reconciling the university’s accounting system; it also provides enhanced budgeting reports and assists in the financial management of grants and contracts. The objectives of the audit were to:

• Assess system management and administration to verify the system has adequate technical support, and is effectively maintained and operated.

• Evaluate system logical security and physical access controls to verify that the system is secured against unauthorized access or modification.

• Assess the system's interface processes to verify that data is completely and accurately transferred from the PeopleSoft data warehouse system.

The following moderate priority issues were identified.

| Issue Title | Priority | Issue Type | Status as of 8/31/2014 |
|---|---|---|---|
| Implementation Strategy and Project Plan | Moderate | Internal Control Weakness | Closed – Verified |
| Centralized Administration of BA3 Security | Moderate | Internal Control Weakness | Closed – Verified |
| Security Groups Within the BA3 System | Moderate | Internal Control Weakness | Verified during fieldwork |
| Active Directory Authentication | Moderate | Internal Control Weakness | Verified during fieldwork |
| Management and Administration of Data Upload to BA3 | Moderate | Internal Control Weakness | Verified during fieldwork |
| System Administration and Technical Support | Moderate | Internal Control Weakness | Verified during fieldwork |

One low priority issue has been closed. Audit Services does not verify implementation of low priority issues.

Development
Rating: GOOD
Date Issued: May 15, 2013

The Development office in the division of University Advancement is responsible for fund-raising activities. A routine audit was performed to provide reasonable assurance that:

• Effective internal controls have been implemented.

• Activities are compliant with applicable laws, regulations, and university policies.
• Processes are efficient and effective in assisting Development achieve its goals and mission.

The following High and Moderate priority issues were identified.

| Issue Title | Priority | Issue Type | Status as of 8/31/2014 |
|---|---|---|---|
| Control Gift Agreement Templates and Document Review | High | Internal Control Weakness | Closed – Verified |
| Improve Controls Over Checks | Moderate | Internal Control Weakness | Closed – Verified |

In addition, two low priority issues have been corrected. Audit Services does not verify the implementation of low priority issues.

J B Speed School Of Engineering - Office Of The Dean
Rating: SATISFACTORY
Date Issued: June 27, 2013

Audit Services performed a routine financial audit of the J.B. Speed School of Engineering – Office of the Dean. The objectives of the audit were to obtain reasonable assurance that:

• The Dean’s office is compliant with applicable laws, regulations, and university policies.
• Internal controls have been implemented and are effective.
• Processes are efficient and effective in assisting the Dean’s office achieve its goals and mission.

The following high and moderate priority issues were identified.

| Issue Title | Priority | Issue Type | Status as of 8/31/2014 |
|---|---|---|---|
| Improve Grant Expenditure Oversight and Documentation | High | Internal Control Weakness | Implemented pending audit verification |
| Apply Service Center Rates Consistently | High | Regulatory Compliance | Implemented pending audit verification |
| Obtain Approval for Service Center Rates | Moderate | Policy & Procedures | Implemented pending audit verification |
| Improve Expenditure and Payroll Controls | Moderate | Internal Control Weakness | Verified during fieldwork |
| Ensure Current Conflict of Interest Forms are on File | Moderate | Regulatory Compliance | In Process – Not yet due |
| Improve Effort Reporting Controls | Moderate | Policy & Procedures | Implemented pending audit verification |
| Formal Approvals of Scholarship Awards | Moderate | Internal Control Weakness | Closed - Verified |

One low priority issue was corrected during the project.


Genetics Of Alzheimer's Disease In Israeli Arabs
Rating: NEEDS IMPROVEMENT
Date Issued: August 30, 2013

Audit Services performed a compliance audit of the Genetics of Alzheimer’s Disease in Israeli Arabs grant, which is housed in the Department of Neurology in the School of Medicine. The objectives of the audit are to obtain reasonable assurance that:

• Effective internal controls have been implemented.
• Activities are compliant with applicable laws, regulations, and university policies.
• Processes are efficient and effective to aid research activity achieve its mission and goals.

Issue Title | Priority | Issue Type | Status as of 8/31/2014
Improve Grant Expenditure Documentation | High | Regulatory Compliance | Closed – Verified
Develop Improved Sub-recipient Monitoring | High | Regulatory Compliance | Closed – Verified
Improve Effort Reporting Controls | High | Regulatory Compliance | Verified during fieldwork
Ensure Cost Share is Properly Funded | Moderate | Policy & Procedures | Closed - Verified

Library Systems GOOD Date Issued: 6/13/2013

Audit Services performed a routine information technology audit of the systems operated and maintained by the university libraries. The objectives of this audit were to:

• Assess system management and administration to verify that systems have adequate technical support and are effectively maintained and operated.

• Evaluate logical security and physical access controls to verify that systems are secured against unauthorized access or modification.

The high and moderate priority issues identified during the project are:

Issue Title | Priority | Issue Type | Status as of 8/31/2014
Business Continuity and Disaster Recovery Planning | High | Internal Control Weakness | Closed – Verified
Service Level Agreements with Contracted System Vendors | Moderate | Documentation | Closed - Verified

One low priority issue has been implemented. Audit Services does not verify the action plan implementation for low priority issues.


Unrelated Business Income Tax GOOD Date Issued: 9/16/2013

The IRS assesses income tax on any revenue earned from an activity that is unrelated to the non-profit mission of the university or when there is a for-profit purpose of the activity. Tax returns must be filed annually, whether or not any tax is owed. Audit Services performed a routine compliance audit to obtain reasonable assurance that:

• The processes for identifying sources of unrelated business income and expenses within the university are efficient and effective.

• High risk areas are being properly evaluated in an ongoing manner.

• Policies and processes are efficient and effective in assisting the Controller’s Office achieve its goals and mission.

The following moderate priority issues were identified.

Issue Title | Priority | Issue Type | Status as of 8/31/2014
Document Profit Motive for Unrelated Business Activities | Moderate | Regulatory Compliance | Closed – Verified
Evaluate Commercial Research for Potential Unrelated Business Income Tax | Moderate | Regulatory Compliance | Implemented pending audit verification
Improve the Effectiveness of the UBIT Data Collection Process | Moderate | Policy & Procedures | Open – not yet due

One low priority issue has been addressed.

Athletics Financial Aid & Scholarships GOOD Date Issued: April 16, 2013

Audit Services performed a compliance audit of Athletics Financial Aid & Scholarships. The objectives of the audit are to obtain reasonable assurance that:

• The Athletics Department is compliant with NCAA regulations and university policies regarding scholarships and financial aid awards.

• Internal controls have been implemented and are effective.

• Processes are efficient and effective in assisting the Athletics Department achieve its goals and mission.

No high or moderate priority issues were identified. There were 6 low priority issues identified, which have been addressed. Audit Services does not verify implementation of action plans for low priority issues.


Ticket Office Cash and Reconciliation Review EXCELLENT Date Issued: April 16, 2013

In the summer of 2011 the Athletics Business Office discovered the theft of approximately $100,000. The fraud was investigated by the University Department of Public Safety and by Athletics Business Office staff. It resulted in the termination and successful prosecution of a ticket office employee. As a result of the investigation Athletics made changes to staff, the cash reconciliation processes, and to the reports generated by the ticket office information system. This review was requested by Athletics to assess the effectiveness of the new system of controls. One low priority issue was identified and corrective action has been implemented. Although the implementation of low priority action plans is not normally performed by Audit Services, this implementation was verified during an on-site visit to the department.

Payroll Taxes EXCELLENT Date Issued: June 4, 2013

Audit Services performed an advisory review of the controls over the prompt and accurate remittance of Payroll Taxes. The objectives of the review were to obtain reasonable assurance that federal payroll taxes are being paid timely and federal payroll tax returns are being filed accurately. The scope of this audit was limited to July 1, 2012 through January 31, 2013. No high or moderate priority issues were identified during this project. One low priority issue was identified and corrected during the review.

School of Dentistry – Credit Balances in Clinic Receivables NO RATING ASSIGNED Date Issued: September 19, 2013

Audit Services began planning a routine compliance audit of Medicare and Medicaid credit balances in the School of Dentistry in May 2013. The School of Dentistry has various clinics that receive approximately $83,000 in Medicare and $403,000 in Medicaid revenues annually. The objective of the audit was to determine whether controls for monitoring Medicare and Medicaid credit balances ensure compliance with federal regulation. While planning the audit it was determined that a lack of verifiable documentation prevented fieldwork from being conducted. Consequently, compliance cannot be validated and there is an increased risk of fines and penalties.

Issue Title | Priority | Issue Type | Status as of 8/31/2014
Establish Control to Ensure Compliance for Medicare and Medicaid Overpayments | High | Regulatory Compliance | Closed

A follow-up audit has been scheduled in the 2014-2015 audit plan.


Executive Expenses GOOD Date Issued: February 7, 2014

Audit Services has completed a compliance audit of executive expenses. The objective of the audit was to obtain reasonable assurance that executive expenses were properly authorized and compliant with university policies, applicable laws, regulations, or contractual arrangements. Executives were defined as members of the Board of Trustees for the university, members of the Leadership Team, vice presidents, and deans. The scope of the project included transactions processed between July 1, 2010 and April 30, 2013.

Issue Title | Priority | Issue Type | Status as of 8/31/2014
Review Related Entertainment Policies | Moderate | Policy & Procedures | Open
ProCard Transactions Should Comply with Policy | Moderate | Policy Compliance | Closed - Verified

One low priority issue remains outstanding.

Cloud Computing NEEDS IMPROVEMENT Date Issued: November 20, 2013

Audit Services has performed an information technology audit of the use of cloud computing services at the university. Cloud computing refers to the use of computing resources (hardware and software) which are available in a remote location, usually hosted and supported by a third party, and accessible over a network (typically the Internet). The objectives of the audit were to obtain reasonable assurance that:

• Cloud computing services are appropriately implemented and managed in accordance with established guidelines and standards.

• Use of cloud computing services complies with applicable laws, regulations, and university policies.

• University data processed and stored via cloud computing services is properly secured against unauthorized access, modification, or disclosure.

Issue Title | Priority | Issue Type | Status as of 8/31/2014
Cloud Computing Policies | High | Written Procedures | Open
Data Classification Standards | High | Written Procedures | Closed – Verified
Monitoring, Assessing, and Managing Cloud Computing Use | Moderate | Written Procedures | Closed – Verified

The Information Security Office (ISO) has developed cloud computing policies. These policies, currently in draft form, are under review by the ISO and IT.


Graduate Student Stipends ADVISORY Date Issued: January 8, 2014

Audit Services performed a consulting service engagement for the Vice Provost and Dean for the School of Graduate and Interdisciplinary Studies related to Graduate Student Stipends. The objective of the engagement was to provide information concerning academic unit use of general funds budgeted for graduate student stipends. No issues were identified.

Capital Equipment Purchased on Federal Projects EXCELLENT Date Issued: August 22, 2014

Audit Services performed a compliance audit of capital equipment purchased on federally sponsored projects. The objective was to obtain reasonable assurance that capital equipment purchases, which exceeded $5000 on federally sponsored projects, were compliant with federal regulations and sponsor agreements. The audit reviewed 16 capital equipment purchases and identified no significant issues.

Parking GOOD Date Issued: May 21, 2014

An operational audit of Parking was performed. The objectives of the audit were to obtain reasonable assurance that:

• University parking was compliant with applicable laws, regulations, and university policies.
• Internal controls were implemented and are effective.
• Processes are efficient and effective in assisting University Parking achieve its goals and mission.

The scope of the audit included interviews with staff to identify current processes and possible improvements. The audit period was from July 1, 2012 through December 18, 2013. Access for parking software was tested and assessed. Cash handling and reconciliation procedures were observed and evaluated. A sample of refunds was selected and tested. University parking issues refunds for permits, citations, vouchers, and gate cards. Surprise cash counts were performed. Contracts for third party vendors to provide remote host services were reviewed and assessed. Processes to set and approve changes in permit rates, and parking garage bonds, were reviewed and assessed. In addition, US Bank (formerly Elavon) accounts and the university parking deficit were investigated and assessed.

Issue Title | Priority | Issue Type | Status as of 8/31/2014
Obtain a Third-Party Provider Host | Moderate | Policy Compliance | Open
Develop a Disaster Recovery and Business Continuity Plan | Moderate | Written Procedures | Open - Not yet due


Sponsored Programs Financial Administration GOOD Date Issued: June 13, 2014

This project was performed in follow-up to the previous project, issued April 30, 2012. The 2012 report included inadequate controls over some of the activities for which Sponsored Programs Financial Administration was responsible. The objective of this project was to verify corrective actions implemented in response to the prior audit. The issues listed below were originally identified in the 2012 project.

Issue Title | Priority | Issue Type | Status as of 8/31/2014
Properly Approve and document adjustments – recurring issue | | Internal Controls | Closed – Verified
Apply payments timely | | Regulatory Compliance | Closed – Verified
Improve controls over the billing system | | Internal control weakness | Closed – Verified
Promptly Process Effort Certification Reports and Escalate Reports Not Received | | Regulatory Compliance | Open
Close Grants Promptly and Include Required Documentation | | Internal Control Weakness | Closed – Verified
File Required Financial Reports Timely | | Regulatory Compliance | Closed – Verified
Activate Sponsored Programs Timely | | Internal Controls Weakness | Closed – Verified
Ensure System Information is Accurate | | Internal Control Weakness | Closed – Verified
Bill Contracts Timely | | Internal Control Weakness | Closed – Verified

The original project was conducted before the policy of assigning issue priorities was adopted. Consequently, the issues above have not been prioritized for this report.

Oracle PeopleSoft HCM/CS Database Split ADVISORY

Information Technology implemented a project to segment the Oracle PeopleSoft human resources and student administration database into two distinct instances in preparation for the separation of the current combined system into the PeopleSoft Human Capital Management system and the PeopleSoft Campus Solutions (CS) system. This project, which also included an upgrade of the Human Capital Management system, was completed in October, 2013. Audit Services participated in this project in an advisory capacity, and performed a review and analysis of the security structure of each database.

The following issue was identified.


Issue Title | Priority | Issue Type | Status as of 8/31/2014
Redesign the PeopleSoft Campus Solutions Security Structure and Administration – Recurring Issue | High | Written Procedures | Closed - Verified

A process has been implemented for ongoing review and evaluation of the CS system security structure. Resource and funding limitations have precluded the centralization of the CS security administration function.

IT Disaster Recovery Test Review ADVISORY Date Issued: March 7, 2014

In November 2013, Information Technology conducted a 48-hour disaster recovery test at the IBM recovery site in Sterling Forest, NY. Audit Services performed a review of the disaster recovery test results, disaster recovery plan, and the contract with IBM Business Continuity and Resiliency Services. The review constituted an advisory review and a project rating was not assigned. However, significant issues were identified during the review.

Issue Title | Priority | Issue Type | Status as of 8/31/2014
Disaster Recovery Plan Update – Recurring Issue | High | Written Procedures | Closed – Verified
Disaster Recovery Test Strategy | High | Miscellaneous | Closed – Verified

Projects In Progress

Department of Family and Geriatric Medicine

During the financial audit of the Department of Family and Geriatric Medicine it was determined that a significant amount of funds were missing. The scope of the original project was expanded to cover the period from the prior audit in 2007 to August 2013. The investigation is completed and a draft report has been provided to administration, law enforcement, and the insurance carriers.

Cash Control Assessment

Audit Services is completing a cash control assessment to obtain reasonable assurance that currency and checks are reasonably controlled. The scope of the review included in-depth review of internal controls over currency and checks in 15 departments and units. A draft report is in process.


Fraud Assessment

Audit Services is planning a fraud risk assessment using the tools available through the Association of Certified Fraud Examiners. Preliminary planning is on-going.

Athletics Inventory Management

In 2014 the University of Louisville Athletics Association (ULAA) entered into a new contract with Adidas for sports equipment and apparel. ULAA administration requested this project to obtain advice on inventory control methodologies and to identify improvements in the equipment management control environment. Fieldwork for this project is nearing completion.

IT Governance

An emerging risk area is the effectiveness of the governance structures over information technology. This project will use the COBIT (Control Objectives for Information and Related Technology) control framework to assess the current IT governance structure at the University of Louisville and give recommendations as necessary on how to improve.

Special Projects

There are currently four special projects underway. These projects were requested by management in response to unforeseen problems or events. Two projects are related to sponsored research programs and involve a 100% financial review covering a span of 3 to 5 years. These projects are in the draft report phase. An IT security project will identify areas that store sensitive personal information, either electronic or paper-based, and develop guidance on the security over this information. The project is in the draft report phase.

A review of the procurement and administration of certain IT computer equipment was requested by IT management. The fieldwork portion of this project is nearing completion.

Clery Act

The Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act is a federal law that requires colleges and universities to disclose information about crime on and around campus. The Michael Minger Act is a related state law. The objective of this audit was to obtain reasonable assurance that the university was compliant in the reporting of crime statistics and the disclosure of other security and safety related information required by the acts. In addition, the university’s Institutional Compliance Office completed a “gap” analysis in 2012 that used the Freeh Report, prepared in response to the Penn State child abuse case, to determine if appropriate controls and policies had been implemented at the University of Louisville. This project included a review of the status of the recommendations in the gap analysis.


Employee Tuition Remission

The university provides all employees with the opportunity to take tuition-free classes and offers tuition-free classes to dependents. Audit Services is in the planning phase of a compliance audit of this benefit.

AUDIT SERVICES ACTIVITIES

Information Technology Advisory Activities

Payroll Timekeeping System

The university investigated an electronic time and attendance system that would automate the employee timekeeping process. Audit Services was involved in this project in an advisory capacity in the areas of system operational controls and security. In October, 2013, university management postponed the pilot project and delayed further implementation of the system due to the organization and implementation of the new business service center model. In February 2014, Audit Services issued a project completion memo agreeing with the system implementation delay. We noted that the pilot had disclosed variances in timekeeping procedures and processes across university departments and recommended that an analysis and evaluation of policies be completed prior to the renewed implementation of any automated timekeeping system.

Integrated Research Information System

The university has initiated a project to implement the Integrated Research Information System (iRIS), a vendor supplied system from iMedRIS Data Corporation, to replace the Biomedical Research and Assurance Network (BRAAN) research protocol submission and routing system. This project is being directed by the Office of the Executive Vice President of Research and Innovation. The BRAAN system was retired in September, 2013, with the implementation of the Institutional Review Board (IRB) module. Additionally, the Conflict of Interest (COI) module was implemented in the summer of 2013. Audit Services will perform an application audit of iRIS focusing on system controls and security.

PeopleSoft Financials Upgrade

The university is upgrading the PeopleSoft Financials system to version 9.2 with implementation scheduled for October 2014. Audit Services is participating in this project in an advisory capacity in the areas of system operational controls and security. Subsequent to the completion of the upgrade, Audit Services will issue a project evaluation memorandum.

Audit Advisory Activities

Internal Controls and Fraud Awareness Training

Audit Services staff is continuing to participate in classroom training components of the University Business Training (UBT) addressing internal controls and fraud.


Institutional Compliance Committee

The Director of Audit Services has been appointed an ad hoc member of the Institutional Compliance Committee.

Service Center Task Force Committee

The Director of Audit Services is serving as a member of the Service Center task force appointed by the Provost to recommend a service center policy and address issues related to the formation of new service centers, questions on rate development, and identification of existing service centers.

Office of the President Strategic and Tactical Goals Verification (Scorecard)

Audit Services performs an annual verification of the Score Card status report presented to the Board of Trustees each July and September. The scope of the verification is to review the documentation that supports the result reported on the Score Card.

OMB Uniform Guidance Work Group

The Director of Audit Services is a member of the OMB Uniform Guidance Work Group. This task force was appointed by the EVPRI to evaluate the steps the university needs to take to be compliant with new federal regulations over federally sponsored projects. This significant regulation is replacing three regulations currently governing federal projects.


INSTITUTIONAL COMPLIANCE OFFICE

The University of Louisville’s compliance program provides an infrastructure that facilitates on-going assurance that the institution is complying with internal and external compliance requirements and UofL policies and procedures. This infrastructure is outlined in the Institutional Compliance Plan (ICP) available at http://louisville.edu/compliance.

Compliance Hotline

The ICO maintains the University-wide “Compliance Hotline.” The scope of the Hotline system includes, but is not limited to, Research, Medical, Privacy, Information Security, Conflict of Interest, Environmental Health and Safety, Financial, Human Resources, and Athletics compliance issues. The Hotline’s toll free number provides a confidential, anonymous mechanism for University faculty and staff to report compliance concerns to the Institutional Compliance Office (ICO) for follow-up and resolution with University officials. University employees may also access the vendor’s web-based system to report a compliance concern to the ICO. The ICO is responsible for ensuring University compliance officials follow up all issues reported and that appropriate resolutions are provided to complainants in a timely manner. The following statistics identify the number of reports by concern category to the Hotline for the fiscal years ended June 30, 2014 and 2013:

Concern Category | Fiscal Year Ended 6/30/14 | Fiscal Year Ended 6/30/13
Conflict of Interest | - | 2
Financial Matters | 1 | 1
Human Resources | 2 | 1
Other | - | 3
Privacy/Records | 1 | 1
Research – Animal Care & Use | - | 1
Research – Human Subjects | 2 | -
Total | 6 | 9

A report of Hotline activity is provided at each Compliance Oversight Council (COC) meeting.

Sanction Checks

The University of Louisville must exercise due diligence in hiring/screening employees, vendors, and affiliates. Many federal and state sponsors and payors require the University to administer a sanction check program. The ICO is responsible for oversight of the University sanction check program. As part of this program, University employees, vendors, and appropriate affiliated individuals are checked against appropriate governmental exclusion, debarment, and suspension lists prior to hire or contract award to ensure eligibility for hire and/or to participate in University programs. In addition, the ICO performs annual oversight of all University employees and all University vendors with annual expenditures over $1,000. The ICO also completes a bi-annual oversight check of all Health Sciences Campus employees. The ICO completed its annual check of 10,263 employees in September 2013 and 3,832 HSC employees in April 2014 with all noted as eligible to participate in University programs. The ICO’s annual oversight check of 7,638 vendors as of June 30, 2014 is currently in progress. The ICO will be conducting an annual oversight check of University employees as of 09/17/14.

Compliance Risk Assessment

Over 400 federal, state, local, and other regulations with which the University must comply were identified as part of the University-wide compliance risk assessment completed by the ICO for fiscal year 2014. A report noting the risk exposure and likelihood of non-compliance by compliance area/issue was provided to the COC at the September 22, 2014 meeting. Fraud, Grant Expenditures, and Information/Data Security remain identified as High Exposure and High Likelihood areas for non-compliance on the current compliance risk assessment.

Fiscal Year 2014 Compliance Reviews and Follow-Ups

The ICO takes into consideration high risk areas identified in the annual fiscal year 2013 compliance risk assessment and significant events and activities that may impact the University when determining fiscal year 2014 compliance reviews and special projects. The CCO provides regular status reports of ICO compliance reviews and special projects to the Compliance Oversight Council. The following are significant fiscal year 2014 reviews/projects completed to date:

Timeline of Implementation Guidance of Minors on Campus Recommendations

In relation to the ICO Gap Analysis of the Freeh Report Recommendations that identified “Management of University Programs for Children and Access to University Facilities” as a key potential area in which additional actions may be considered necessary, the Vice President for Business Affairs established a work group to address how the University can better manage risks related to minors on campus. The ICO served on this work group in an advisory role to assist with the development and review of policies, procedures and guidelines regarding minors on campus. A “Minors on Campus Executive Summary” of recommendations was provided to the Vice President of Business Affairs on February 27, 2013.

In response to the Minors on Campus final report issued to the Vice President of Business Affairs on February 27, 2013, the Institutional Compliance Office (ICO) was requested by the Executive Vice President and University Provost to provide a recommended implementation timeline including costs and a delineation between preventative and responsive actions. The ICO completed this review and issued a final draft report dated April 22, 2013 to the CCO for delivery to the Executive Vice President and University Provost.

As a result of this review, it is the ICO’s opinion that implementation of the Minors on Campus report recommendations should be completed in three phases. Phase I is to develop and implement the structure of the Minors on Campus Programs. The first step of Phase I is to hire a Minors on Campus Program Coordinator, who will report to the Assistant Director of Risk Management. The remaining steps of Phase I are for the program coordinator to help develop and implement the Minors on Campus repository for maintaining program registration documents, help create training content, help design a system to track annual mandatory training and required criminal background checks and help revise policy and guidelines. Phase II is for the program directors to develop and implement departmental procedures that are specific to their program and within the standards of the approved university policy and guidelines. Phase III is for Risk Management to provide oversight and monitoring of Minors on Campus programs.

Research of Affordable Care Act Compliance Requirements

The Patient Protection and Affordable Care Act (PPACA), also known as the Affordable Care Act, was signed into law on March 23, 2010 with the goals to improve the quality of healthcare and the affordability of health insurance. With this law, there are additional provisions that apply to large employers (50 or more employees), specifically employer shared responsibility payment and reporting requirements. The ICO was requested by the CCO to research Affordable Care Act compliance requirements and the applicability to the University. In response to this request, the ICO reviewed the Affordable Care Act’s compliance reporting requirements specifically relating to Reporting Employer Provided Health Coverage and the Employer Shared Responsibility Payment Provisions and prepared a gap analysis as of March 28, 2013 that was provided to the CCO. The ICO gap analysis of the Affordable Care Act was also shared with Human Resources on April 25, 2013 for consideration. The gap analysis identified three of four compliance requirements with employer responsibilities:

1. Employers with 50 or more full-time equivalents to offer health insurance coverage to full-time employees and their dependents (the coverage offered must be minimal essential coverage and meet the affordability and minimum value standards)

2. Employer to provide communication to employees regarding employee coverage and availability of Exchange program

3. Employer information to be reported to the Internal Revenue Service (IRS) regarding employer coverage

University Best Practices of Reporting Non-Compliance via Hotline

In response to a COC meeting discussion on September 16, 2013, the Institutional Compliance Office (ICO) reviewed 20 universities (including 17 benchmark universities) to determine current and best practices for providing a hotline reporting system to staff and faculty to report compliance concerns and applicable regulatory requirements. Specific criteria considered during this review were the hotline name, website location, number of clicks to report, and the office with oversight and operational responsibility of the reporting system. The ICO completed this review and issued a draft report and University Hotline Reporting Systems Comparison Chart dated October 29, 2013 to the CCO. The ICO also provided the comparison chart to the Compliance Oversight Council on November 18, 2013. As a result of this review, the ICO found that the University is compliant with the regulatory requirements of providing a system for reporting non-compliance or suspected wrongdoing to faculty and staff. The University’s reporting system is administered and monitored by the ICO and is easily accessible within two clicks from the University home page. However, in order to improve compliance awareness and accessibility of the reporting mechanism, the ICO made the following recommendations for COC consideration:

• Retitle reporting system from “Compliance Helpline” to “Compliance Hotline”
• Redistribute new posters and brochures to all UofL schools and departments
• Mass mail compliance postcards to all faculty and staff
• Provide a quarterly reminder message via UofL Today of the reporting system

The ICO presented a draft postcard to the AVP Audit Services and Institutional Compliance on August 28, 2014 to distribute to the COC for consideration as an additional awareness effort for mailing to University employees’ homes. This recommendation was provided to COC for consideration at their November 18, 2013 meeting. Furthermore, recommendation 14 in the Strothman and Company report to the Audit Committee issued July 1, 2014 states “The University's ethics/whistleblower hotline should be better communicated to University personnel, vendors, donors and other stakeholders.” The AVP Audit Services and Institutional Compliance, Dave Barker, is working with the COC to approve and finalize a postcard for distribution to University employees, in addition to the above noted awareness efforts.

Other Institutional Compliance Activities

Compliance Awareness

The ICO and ICC’s Compliance Awareness Subcommittee, in conjunction with the ICC, continue to provide a University-wide compliance awareness and training program that effectively educates employees on the importance of general compliance and the institutional compliance program, including an emphasis on the Code of Conduct. Existing institutional compliance awareness efforts include the following:

• University of Louisville Institutional Compliance website at http://louisville.edu/compliance
• Display of Compliance Hotline posters to all university facilities of the Belknap, Health Sciences Center, and Shelby Campuses
• New Employee Orientation held at Human Resources weekly
• Unit Business Training Compliance Module provided online via Blackboard and through live presentation in the spring and fall.
• Quarterly UofL Today Announcement

Compliance Training Work Group

The Institutional Compliance Officer serves as Chair of the Compliance Training Work Group (CTWG) that was established in February 2014 to address the need for a more centralized training system for subject matter mandated by federal and state laws and regulations. The CTWG is in the process of finalizing Institutional Compliance additions (Code of Conduct Awareness, Fraud/Waste and Abuse – Healthcare Programs) to the current online training offerings available through the Collaborative Institutional Training Initiative at the University of Miami (CITI) Platform. The CTWG is a joint project of the Institutional Compliance Office, Research Integrity Program and University of Louisville Physicians, Inc. (ULP) Administration to utilize the existing CITI Training platform (currently providing Human Subjects, Good Clinical Practice, Responsible Conduct of Research, and Conflict of Interest) that has been used in the U of L research arena since 2003. This initiative will also include the addition of Export Control and elements of the Animal Use and Care training, as well as relocate the existing HIPAA Privacy and Information Security offerings to CITI from Blackboard. Following implementation, at least nine of the current compliance training requirements for U of L employees will be co-located on one platform which will provide the institution the opportunity to leverage the existing interface between CITI and iRIS (integrated Research Information System) for tracking, reporting and notification purposes. Based upon current knowledge and understanding of the systems, this effort will not result in the need for any additional resources (funds, personnel) to implement or maintain. The target implementation date is set for November 1, 2014.

Code of Conduct Attestation

The ICO is responsible for maintenance, distribution, and promotion of the University’s Code of Conduct, including a current posting of the Code on the ICO’s website with links to related University policies. In addition, the ICO is in the process of implementing an attestation process as required by the Board of Trustees. The attestation is executed via annual completion of the electronic “Attestation and Disclosure Form” that was implemented on October 1, 2013 (See Conflict of Interest Program section of report below).

CONFLICT OF INTEREST PROGRAM

The Conflict of Interest (COI) Program provides oversight of institution and covered individual activities to help preserve the integrity of the academic, business, clinical, and research missions of the University. The Program publishes and maintains the University COI policies, implements automated report tracking procedures, administers the annual Covered Individual submission of the Attestation and Disclosure Form (ADF), institutes standard operating procedures, and develops COI training. The Director for Research Integrity manages the day-to-day operations of the COI Program, including administration of the on-line ADF submission system. The Institutional Compliance Officer chairs the Conflict Review Board, which evaluates annual disclosures of interest, considers possible COI cases, and determines management plans.

In addition, COI Program staff implemented an on-line system to process ADF submissions on October 1, 2013. This process utilizes a third-party vendor COI module as part of the “iRIS” research management system. Approximately 5,000 ADFs have been submitted to-date. Covered Individuals (who are Faculty, Institutional Officials, or individuals conducting research under the auspices of the University of Louisville) are required to complete the ADF annually. Under certain circumstances, they also must file an additional ADF if a change in external or professional occurs.

COI disclosures have been required from individuals engaged in research activities since August 2000 for compliance with NIH regulatory requirements. The scope of individuals required to submit an annual ADF was expanded by the Compliance Oversight Council in September 2013 to include additional individuals and to ensure compliance with regulatory requirements with the inclusion of all "Faculty" and "Institutional Officials." This approach was deemed consistent with peer institutions.

Two specific high risk populations, Department Chairs and Unit Business Managers, were discussed with University Management during the development of recommendation 9 in the Strothman and Company report to the Audit Committee issued July 1, 2014. All Department Chairs are members of the University Faculty; thus, they are currently included within this population. The following individuals are currently included within the definition of “Institutional Official:” Persons holding administrator positions, including those holding these positions in a temporary capacity. This term includes, but is not limited to, individuals serving as: Deans, Associate Deans, and Assistant Deans; Institute and Center Directors; General Counsel; University Compliance Officers; Director of Audit Services; Provost, Vice Provosts, Associate Vice Provosts, and Assistant Vice Provosts; President, Executive Vice Presidents, Senior Vice Presidents, Vice Presidents, Associate Vice Presidents, and Assistant Vice Presidents; and chairs of the Institutional Review Board, Institutional Biosafety Committee, Institutional Animal Care and Use Committee, and the Conflict Review Board. The AVP Audit Services and Institutional Compliance is working with the Compliance Oversight Council to require ADFs from "Unit Business Managers" by December 31, 2014.

INFORMATION SECURITY OFFICE

Information Security compliance and governance is critical to the continued success of the University’s research and academic missions. The Information Security Office (ISO) has been managing projects, including:

Risk Assessment

The ISO conducts reviews of processes and controls as they relate to information security risk. The assessment evaluates risk, taking into consideration potential impact, likelihood and existing controls, and provides recommendations for mitigation of identified risks. Previous and current assessment priorities have included PCI SAQ D merchants and HIPAA regulated departments.

Incident Response Program

The ISO evaluates all information security events reported within the University to determine if an incident occurred and the appropriate mitigation steps. A total of 29 events were worked in 2013 and 15 to-date for 2014. External breach notification services have also been confirmed in the event of a reportable incident.

Payment Card Industry (PCI) Compliance

The ISO continues to work in conjunction with the Controller’s Office and Enterprise Security to help bring the University into compliance with regard to the credit card acceptance process. The PCI-DSS Committee is currently working with one of the University’s more complex merchants to evaluate and implement a secure external hosting solution and recently participated in a 3rd party assessment of our PCI-DSS program.

Policy, Training and Awareness

The ISO continues to educate users about the importance of Information Security and University policies by presenting to various groups and departments, including new employee orientation and the formal UBM training sessions. The ISO website has been enhanced to include awareness materials, tips and tools for the University community. Annual review of the existing University Information Security Policies has been completed and the ISO is working on the development and publication of Mobile Usage and Cloud Storage guidance.

Reference documents were developed and distributed as part of a University sensitive data working group aimed at raising user awareness and the appropriate securing of all forms of sensitive data. The ISO continues work with IT and the PCI, HIPAA and FERPA areas regarding security compliance.

University of Louisville Facility Clearance

Clearance has been obtained by the Facility Security Officer (FSO). The ISO continues to provide training, authorization assistance and monitoring of the program in compliance with the National Industrial Security Program Operating Manual (NISPOM) requirements.

AUDIT PLAN - 2013/2014 Status Update

Audits Cash Handling Review Parking

Bond Accounting & Covenants – Cancelled due to BKD covering subject Sponsored Programs Financial Administration

IT Governance Clery Act – Compliance

Internal Quality Assurance Review – Cancelled due to Strothman review Scorecard Verification

Investigations/Special Projects Harter Endowment Security over Personal Information

Employee Tuition Remission

iMedris Implementation – Deferred to 2014-2015

Disaster Recovery Site Vendor Contract and Test

PeopleSoft Payroll and Student Accounting System Upgrade PeopleSoft Financials 9.2 Upgrade

Time & Attendance System Cloud Computing

Graduate Student Stipends Family and Geriatric Medicine

Executive Expenses Dental School - Medicare and Medicaid Credit Balances

Green – In Process Red – Complete Blue – Report has been drafted

AUDIT PLAN – 2014/2015

Status Update

University Firewall OnBase Upgrade

COSO Gap Analysis Accounts Payable

SharePoint Procurement Cards

PeopleSoft Financials Upgrade Internal Quality Assurance Review

School of Dentistry – Prior Audit Follow-Up President’s Scorecard – Results Verification

Department of Surgery integrated Research Information System (iRIS)

University Fraud Risk Assessment A&S Biology

Research Administration Financial Aid – Federal Work Study Program

Sponsored Programs Compliance – One project to be determined Athletics Equipment Inventory

Endowment Stewardship Department of Environmental Health and Safety

Clinical/Research Billing Compliance Special Projects/Investigations IT Equipment Procurement

Green – In Process Blue – Report Drafted Red – Complete

ORGANIZATIONAL CHART

Audit Committee – Board of Trustees

James R. Ramsey – President

Shirley Willihnganz – Executive Vice President and University Provost

David F. Barker – Associate Vice President

Stephanie Petersen – Unit Business Manager

Cheri J. Jones – Director, Audit Services

Robin Wilcox – Institutional Compliance Officer

Kim Adams – Information Security Officer

Barry Scott – Senior IS Auditor

Scott Shelton – Senior Auditor

Clayton Raymer – Senior Auditor

Judy Martin – Senior Auditor

Jennifer Mudd – Compliance Manager

Lisa Cooper – IS Compliance Analyst

Gwen Holland – Interim Privacy Officer

Professional Designations

Dave Barker – CIA, CISA, CRMA

Cheri Jones – CPA, CIA, CRMA, JD

Robin Wilcox – CPA, CHC, CCEP

Barry Scott – CIA, CISA

Judy Martin – CIA, CICA

Clayton Raymer – CPA, CIA, CGAP, CFE, CRMA

Scott Shelton – CIA, CRMA, CFE

Gwen Holland – CHC, CHRC

Jennifer Mudd – CPA, CCEP

CCEP – Certified Compliance and Ethics Professional
CFE – Certified Fraud Examiner
CGAP – Certified Government Auditing Professional
CHC – Certified Healthcare Compliance
CHPC – Certified Healthcare Privacy Compliance
CHRC – Certified Healthcare Research Compliance
CIA – Certified Internal Auditor
CICA – Certified Internal Control Auditor
CISA – Certified Information Systems Auditor
CPA – Certified Public Accountant
CRMA – Certified Risk Management Assurance
JD – Juris Doctor

Marilyn Greenwell – Program Coordinator, Sr.

Conflict of Interest Program

Institutional Compliance Committee

APPENDIX A - PROJECT RATING DEFINITIONS

Audit Services developed a project rating and issue prioritization system which was implemented in July 2012. This process assigns one of five ratings to audit projects. Report issues are assigned a priority based on the nature and significance of the issue. The ratings are related to the objectives of the individual audit projects only. They are not intended to provide assurances as to the state of risk at the university as a whole. Rating definitions are:

RATING – CONDITION

Excellent – Overall performance exceeds the expected level
No report comments combined with very few technical exceptions or verbal comments

Good – Overall performance meets the expected level
1. Few moderate priority report comments which are minor in nature
2. One or two high priority comments which were corrected during the audit
3. Relatively few technical exceptions or verbal comments which were easily corrected in a short period, combined with a few moderate priority report comments

Satisfactory – Overall performance does not consistently meet the expected level
1. Several moderate priority report comments
2. Average number of technical exceptions or verbal issues
3. Two or more high priority report comments
4. Report comments that require routine efforts (reorganization, time, or resources) to correct in the normal course of business

Needs Improvement – Overall performance is weak and frequently falls below expected levels
1. Numerous moderate priority report comments
2. Three or more high priority report comments
3. Internal control weaknesses that create above average exposures
4. Report comments that require substantial effort (reorganization, time, or resources) to correct
5. Reoccurring report comment(s)

Unsatisfactory – Overall performance is unacceptable
1. Excessive number of report comments
2. Several major report comments (High priority)
3. Unreasonable deadlines for correction of report comments
4. Previously reported, unresolved report comments
5. Significant violations of law, regulations, or established policies
6. Internal control weaknesses that create substantial or material exposures
7. Fraud, embezzlement, or misappropriation of funds occurred because of failure to maintain controls or follow established policies or procedures

APPENDIX B – ISSUE PRIORITY DEFINITIONS

Issue Priority definitions are given below. Low priority issues are not included in this report.

PRIORITY – CONDITION

High – Management should initiate immediate action to address the issue
1. Major internal control weakness
2. Major policy or procedure exceptions
3. Significant unmitigated risk exposures
4. Major financial impact – loss, misstatement, errors, fraud (regardless of amount)
5. Non-compliance with significant laws or regulations
6. Significant potential opportunity for revenue enhancement, cost savings, efficiencies, and improvements

Moderate – Management should initiate timely action to address the comment
1. Substantial internal control weakness
2. Substantial policy or procedure exceptions
3. Substantial unmitigated risk exposure
4. Substantial financial exceptions
5. Substantial non-compliance with laws and regulations
6. Substantial opportunities to enhance revenue, reduce costs, or realize efficiencies

Low – Management should initiate reasonable action to incorporate a plan to address the comment in the normal course of business
1. Minor internal control weaknesses
2. Minor policy or procedure exceptions
3. Limited unmitigated risk exposure
4. Minor financial errors
5. Limited potential opportunities to enhance revenue, reduce costs, or realize efficiencies
