Board of Visitors Audit, Compliance, and Risk Committee
June 10, 2016
Audit, Compliance, and Risk Committee Agenda
I. Remarks by the Committee Chair
II. Consent Agenda
• Corporate Compliance and Privacy Office Project Schedule for Fiscal Year 2017
III. Committee Discussion
A. Auditor of Public Accounts (APA) Audit Entrance Meeting for Fiscal Year 2016
B. Audit Department Activities Report
C. University Compliance: Medical Center Compliance and Privacy Office Staffing Report
D. Enterprise Risk Management (ERM) Program Report
IV. Closed Session
Corporate Compliance And Privacy Office Project Schedule For Fiscal Year 2017
RESOLVED, the Corporate Compliance and Privacy Office Project Schedule for the Medical Center for fiscal year 2017 is approved as recommended by the Audit, Compliance, and Risk Committee.
Auditor of Public Accounts FY2016 Audit Entrance Meeting
Audit Department FY 2016 Activities
FY2016 Highlights
Audit Team: Rebuilt and Stabilized Team
• Hired and on-boarded 3 audit directors.
• Hired and on-boarded seasoned IT security professional as Senior IT Auditor
• Team completed skills self-assessment as foundation to training and development plan
• Hosted the annual College and University Auditors of Virginia (CUAV) conference at the Darden School of Business
Audit Operations: Risk Based, Strategically Relevant Audit Approach
• Created data-driven audit risk universe and plan, relevant to strategic objectives and ERM risks
• In design phase of forward-thinking methodologies relevant to our decentralized environment, including Fiscal Stewardship, a data-driven analysis of internal control risk indicators
• Implemented new audit reporting template to include audit finding prioritization, improved executive summaries, management’s responses
• Using risk tags for enhanced reporting and tracking of audit findings and management action plans
FY2016 Highlights
Completed Audit Projects
• Procurement
• Outpatient Charge Capture (University Medical Associates)
• Presidential Travel & Entertainment Expenditures
• General Ledger Transfers
• OSIG hotline investigations
• 10 follow up audits
• FY15 year end inventory procedures
Audit Projects In-Flight as of June 30, 2016
• Curry School of Education (finalizing management action plans for report issuance)
• Distributed IT Systems Current State Assessment (draft report)
• Epic Phase 2 Implementation Project Health Check (first checkpoint report issued; ongoing assessment of project risks occurs throughout implementation)
• Fiscal Stewardship: Refining metrics for key risk indicators; moving to proof of concept mid-summer
• System Security: Privileged Access—Health System (planning)
• Ivy Cloud Security and Governance (planning)
University Compliance: Medical Center Compliance and Privacy Office Staffing Report
ERM Program Update
Jim Matteo, Associate VP & Treasurer
ERM Priorities
• Reposition & Enrich Program
• Enhance Board Reporting
• Onboard Health System
ERM Priorities Timeline

| Task | Due Date | Status |
| --- | --- | --- |
| Reposition the ERM Program | | |
| Adopt ERM Charter | Feb. 19, 2016 | X |
| Launch Risk Management Council | Mar. 21, 2016 | X |
| Update ERM Framework | May 31, 2016 | X |
| Update Key Risks (Identification & Assessment) | Sep. 1, 2016 | |
| Enhance Board Reporting | Sep. 1, 2016 | |
| Onboard Health System | Q4 FY 2017 | |
| Assessment of Risk Structure | | |
| Formation of Health System Risk Management Network | | |
| Development of Key Risk List | | |
ERM Governance Architecture
• BOV – Audit, Compliance, and Risk
• President and Cabinet
• Risk Management Council
• Risk Management Network – Health System
• Risk Management Network – Academic Division
ERM Risk Universe
• Strategic: Strategic Plan Execution, Industry Trends, Market Risk
• Operational: Process, Compliance, Technology, Safety/Security, Governance, Business Continuity, Controls
• Stakeholder: UVa Brand, Positioning, Market Demand, Accreditation, Financial Ratings, Community Standing
• Resources: Human, Financial, Physical
ERM Process Framework
Elements of the framework diagram:
• Risk Identification
• Risk Assessment
• Risk Response/Ownership
• Risk Management (Controls, Monitoring, Reporting)
• Objective Setting
Source: Based on COSO and NCSU ERM Initiative Frameworks
ERM Process – Next Steps
Risk Identification –
• Interview key stakeholders to refresh current key risk list (last updated in 2014)
Risk Assessment –
• Working with Internal Audit and Compliance to measure and prioritize key risks.
• Assessment results to be reviewed by governance parties to develop composite ranking.
Risk Ownership –
• Following Identification and Assessment, identify or re-identify owners of Key Risks
Risk Management –
• Risk Owners are responsible to put in place Controls to manage each risk, Monitoring to evaluate control effectiveness, and Communication of management activities.
Resume Open Session and Adjourn