FY17-FY18 Audit Plan

Office of Internal Auditing

-Page Intentionally Blank-

TABLE OF CONTENTS

Executive Summary ................................................................................... 4

Audit Plan Details ..................................................................................... 6

Budgeted Hours ......................................................................................... 7

Risk Assessment ........................................................................................ 8

Allocation of Resources ............................................................................ 9

Audit Plan Schedule ................................................................................ 10

Goals & Performance Measurements ...................................................... 11

4 University of North Florida | Office of Internal Auditing

EXECUTIVE SUMMARY

The Office of Internal Auditing (OIA) supports

and assists the Board of Trustees and Executive

Management in the accomplishment of

University goals and objectives by providing:

Insight into operations,

Reasonable assurance regarding the

effectiveness and efficiency of activities,

and

Independent and objective evaluations.

Generally Accepted Government Auditing

Standards and The Institute of Internal Auditors’

Standards require a risk based audit plan with

review and approval from the governing

authority. This report represents the Office of

Internal Auditing’s proposal for a two year audit

plan for the fiscal years 2017 and 2018.

Developing the audit plan requires that we

assess risks and prioritize resources to manage

projects effectively. Our focus this year will be

to invest in our staff so that we can deliver

valuable audit services to stakeholders

throughout campus.

In doing such, the office is currently devoting

direct audit hours in completing its Quality

Assurance Review (QAR). Through the QAR

process, the OIA has taken opportunities to

improve its audit and consulting practices and

conformance to the Standards. In addition to the

QAR, the office has dedicated hours to review

data controls over the performance based funding

file submissions. The Board of Governors have

continued to request Internal Audit’s assistance

in validating data integrity controls. Lastly, we

will begin introducing a series of departmental

audits and compliance audits. The OIA

respectfully submits the following audit plan

proposal, to the Board of Trustees. We

appreciate your time in reviewing the proposed

plan and welcome your feedback, comments, and

requests.

University of North Florida | Office of Internal Auditing 5

Proposed FY17-FY18 Audit Plan The proposed audit plan i s displayed to the

right. The prior audit plan, approved from 2015,

included two audits which were not started,

Library and Firewalls. We respectfully request

not to carry these forward.

Direct Resource Allocation There are currently three professional audit staff

and one support staff contributing

approximately 10,610 direct hours to perform

internal audits, consulting, investigations, and

follow-up activities in a two year period. The

department has one Director with over 16 years

of audit experience and two auditors with up to

three years of audit experience.

It is important to allocate resources in a manner

that addresses University risks. The proposed

audit plan was developed utilizing information

obtained from senior management judgement,

requests, financial analysis, and risk assessment

knowledge in the industry. With over 200

departments and other critical areas on campus,

it is important to prioritize audit activities to

strategically align with UNF’s priorities. In

addition, it is important to have a balance of

departmental reviews, information technology,

and compliance audits within the plan.

Performance Measurements OIA performance measurements are designed to

measure personnel, productivity,

communications, and quality of service. These

are important metrics to determine in

preparation for completing the work plan.

*Note: Third Party Request

Proposed FY17-FY18 Audit Plan:

1 Distance Learning Fee

2 Quality Assurance Review, OIA

3 FY17 Performance Based Funding*

4 Driver and Vehicle Information Database

(DAVID)*

5 College of Education and Human Services,

Dean's Office

6 Brooks College of Health, Dean's Office

7 College of Arts and Sciences, Dean's Office

8 Jeanne Clery Act

9 Title IX

10 Personal Identifiable Information (PII)

11 Student Health Services

12 FY18 Performance Based Funding*

Direct Resource Stats Percentage Internal Audits (areas listed above) 58% Consulting Hours 20%

Investigations 9%

Follow Up 5%

Other Direct Hours 8%

Total 100%

Performance Measurements

Personnel Measurements

Number of Staff Certifications

Professional Development, Trainings

Productivity Measurements

Number of Audits completed per year

Percentage of Budget Reviewed

Communications

Quarterly Audit and Compliance

Reporting

Number of Monthly VP Meetings

Quality of Service

Client Satisfaction Score

6 University of North Florida | Office of Internal Auditing

Audit Plan Details

It is our goal to provide a balanced and diverse

audit plan that addresses core university

functions. This year, the risk assessment process

emphasis weighed heavily on management input,

requested audits, and areas that have had limited

prior reviews.

To ensure diverse coverage, we have divided the

plan into four segments:

1. Departmental Checkups:

College of Education and Human

Services, Dean’s Office

Brooks College of Health, Dean’s Office

College of Arts and Sciences, Dean’s

Office

Student Health Services

2. Compliance:

Quality Assurance Review, OIA

Jeanne Clery Act

Title IX

3. Information Technology

Personal Identifiable Information (PII)

4. Third Party Requests:

Board of Governors, Performance Based

Funding Data Integrity Audit

Driver and Vehicle Information

Database (DAVID)

The purpose for developing a process for

departmental audits (also known as department

checkups), will help develop our relationships

across campus while providing feedback to areas

on their overall conformance to various UNF

standards. The scope of a departmental audit

may include travel, payroll, expenditure and

purchasing analysis, safety, inventory,

information technology, and other items

unique to that unit. Compliance audits

were added to the audit plan, as well. We

will provide critical feedback to senior

leaders in the university’s overall

performance to comply with a set of

standards or regulations. Information

technology audits will give more insight

to the university’s information technology

infrastructure. Lastly, there will be

periodic times when an external request is

made to OIA to assist in performing an

audit. The Board of Governors will most

likely continue to request audits within

the Performance Based Funding controls.

In addition, the university has received a

request for an attestation audit of the

Driver and Vehicle Information Database

by the Florida Department of Highway

Safety and Motor Vehicles.

All final audit reports will be dispersed to

the Board of Trustees Chair, and the

Audit and Compliance Committee, in

addition to the university president and

applicable departments. Once accepted

by the UNF Board of Trustees Audit and

Compliance Committee, the report will be

submitted to the Board of Governors,

Office of Inspector General.

University of North Florida | Office of Internal Auditing 7

Budgeted Hours

The Office of Internal Auditing (OIA) has three audit professionals and one administrative support. The

department structure provides approximately 16,640 of total available hours. After allocating indirect time for

paid leave and administration, 10,610 of net direct hours are available for a two year period. The OIA allocates

64% of the available hours to direct audit services. Specific direct audit services include internal audits,

consulting, investigations, and follow-up on outstanding audit issues. Ideally, a majority of the direct time

allocation should be to internal audit engagements. Therefore, we have developed a time allocation strategy that

dedicates 58% of direct time to internal audit engagements while allowing sufficient time for follow-up,

investigations, and consulting services.

Two Year Audit Plan Detail – Direct Resources

Budgeted Hours

Direct Hours - Non-Audits:

Follow-up Reviews 520

Investigations 960

Consulting Services 2,110

Direct Hours Non-Audit Total: 3,590

Direct Hours - Planned Audits:

1 Distance Learning Fee 400

2 Quality Assurance Review 550

3 FY17 Performance Based Funding 550

4 DAVID 380

5 College of Education and Human Services, Dean's Office 500

6 Brooks College of Health, Dean's Office 500

7 College of Arts and Sciences, Dean's Office 450

8 Jeanne Clery Act 550

9 Title IX 600

10 Personal Identifiable Information (PII) 700

11 Student Health Services 400

12 FY18 Performance Based Funding 600

Direct Hours - Planned Audits: 6,180

Other Direct Support:

Risk Assessment, Work Plans 450

Audit System Development 230

Hotline Support Activities 160

Other Direct Support Activities Total: 840

Total Direct Hours 10,610

8 University of North Florida | Office of Internal Auditing

Risk Assessment

In partnering with management to create a risk conscious climate, the Office of Internal Auditing (OIA)

performs a risk based audit plan. This allows us to focus audit priorities on areas where risk exposure is

potentially the greatest. Assessing risk is an essential component of risk based audit planning. The risk

assessment serves as a means to:

Identify the population of activities performed in fulfilling and/or affecting the

university’s mission,

Measure the “riskiness” of activities, and

Develop an audit plan based on “riskiness” and resource availability.

The risk assessment process involves measuring risk factors to derive a risk score. As mentioned earlier,

we have divided the audit plan into segments, below. Our methods to provide a risk label of high,

moderate, or low includes a review of many areas and processes across the university and their financial,

compliance, stakeholder impact, public sensitivity, complexity of operations, and environmental change

and growth. Below, includes additional areas which were considered in OIA’s risk assessment but given

a lower priority due to limited available resources to review at this time. We recommend to continue

monitoring these areas for our rolling audit plan.

Departmental

Checkup

Campus-wide

Compliance

Information

Technology

Library Employee

Separation

Process

IT

Governance

International

Center

Camps Network

Security

Chemistry Athletics NCAA Data Security

Housing HIPAA Data Integrity

Biology Minors on

Campus,

User Access

Controls

Civil Engineering Chemical

Handling, Lab

Safety

Firewalls

Music Cash Handling PCI DSS

University of North Florida | Office of Internal Auditing 9

Allocation of Resources

Direct Assurance Hours

Assurance Services Time Allocation

The Office of Internal Auditing has three audit professionals within which effort must be effectively

and efficiently allocated to deliver services. Specific services include internal audits, consulting,

investigations, and follow-up on outstanding audit issues. Ideally, a majority of the direct time

allocation should be to internal audit engagements. Therefore, we have developed a time allocation

strategy that dedicates over 58% of direct time to these engagements.

10 University of North Florida | Office of Internal Auditing

Audit Plan Schedule

Two Year Audit Plan Schedule There are seven (7) audits scheduled for the 2017 fiscal year and five (5) audits scheduled in fiscal year 2018. Benchmarking statistics indicate that a

department of our size should perform between 3 to 7 audit engagements in a given fiscal year and the average audit ranges between 300 and 600

hours. Projects not completed in FY17 will carry forward to FY18. We would like to anticipate to complete, on average, two audits per quarter.

Scheduling

Hours Q1 Q2 Q3 Q4

FY Budget Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun

2017 Distance Learning Fee 400

2017 Quality Assurance Review 550

2017 Performance Based Funding 550

2017 DAVID 380

2017 COEHS 500

2017 Personal Identifiable Information (PII) 700

2017 Jeanne Cleary Act 550

2018 Student Health Services 400

2018 Brooks College of Health 500

2018 Performance Based Funding 600

2018 COAS 450

2018 Title IX 600

University of North Florida | Office of Internal Auditing 11

Goals & Performance Measurements

Standards for the Professional Practice of Internal Auditing, promulgated by the Institute of Internal

Auditors, state that, “The chief audit executive must develop and maintain a quality assurance and

improvement program.” Overall, the program should be designed to enable an evaluation of the internal

audit activity’s conformance to standards and allow an assessment of the efficiency and effectiveness of

the internal audit activity.

In response to this requirement, we developed performance measurements designed as a basis for

evaluating the department’s performance. The measurements, presented below, include goals for

personnel, productivity, communication, quality and effectiveness.

Performance Measurement Summary

# Measurement Goal/Criteria

Personnel Measurements Target Range

1 Number of Staff Certifications / department 3 or more

2 Professional Development Hours/ department 120 hours or more

Productivity Measurements

3 Number of Audits completed per year 5 to 7 audits

4 Percentage of University Budget Reviewed 5% or more

5 Number of Departments Engaged 10 or more

Communications

6 Audit Status Updates with Board of Trustees 4 to 6 per year

7 Number of VP Updates Meetings / year 40 or more

Quality and Effectiveness

8 Client Satisfaction Score, % Agree with Services 75% or more

University of North Florida | Error! Reference source not found. 16

Contact the Office of Internal Auditing

WEBSITE http://www.unf.edu/internal_auditing/

MAIL 1 UNF Drive Jacksonville, Florida 32224

PHONE 904.620.2851

UNF HOTLINE Via the reporting tool on the website