The University of Texas at Austin. Office of Internal Audits

Transcription

1 The University of Texas at Austin Office of Internal Audits Annual Audit Report For the Fiscal Year Ended August 31, 2014

2 The University of Texas at Austin, Office of Internal Audits Annual Audit Report for Fiscal Year 2014 Table of Contents Page I. Compliance with House Bill 16: A Brief Description 3 II. Planned Work Related to the Proportionality of Higher Education Benefits 4 III. Internal Audit Plan for Fiscal Year This schedule shows: Project Status Recommendations Management Action Plans Implementation Status Explanation for Changes in the Audit Plan IV Consulting Engagements and Non-audit Services Completed 15 V. External Quality Assurance Review (Peer Review) 17 VI. Internal Audit Plan for Fiscal Year a. The Audit Plan b. Risks Ranked as High and Are Not on the FY 2015 Audit Plan c. Description of Risk Assessment or Methodology VII. External Audit Services Procured in Fiscal Year VIII. Reporting Suspected Fraud and Abuse 28 This report will be posted on the website: Annual Report Distribution: Governor's Office of Budget, Planning, and Policy State Auditor's Office Legislative Budget Board Sunset Advisory Commission Page 2

3 I. Compliance with Texas House Bill 16 House Bill 16 requires The University of Texas at Austin to post the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on the Internet Web site. Office of Internal Audits Description of Plans to Comply: We plan to continue posting the Internal Audit Annual Report on the Office of Internal Audits internet Web site, We plan to include all required information in the report on that webpage. Page 3

4 II. Planned Work Related to the Proportionality of Higher Education Benefits At the request of the Governor, an internal audit of the proportionality of higher education benefits process is underway during the first quarter of fiscal year A consistent audit methodology has been deployed across the UT System that will assess the reporting process and accuracy of benefits funding information provided to the State Comptroller as applicable under the General Appropriations Act, Article IX, Sec. 6.08: Benefits Paid Proportional by Fund. The audit will be complete by November 30, Page 4

5 O F F I C E O F I N T E R N A L A U D I T S FY 2014 AUDIT PLAN Page 5

6 Internal Audit Plan for Fiscal Year 2014 FY 2014 Audit Plan Audit Report/Project Title Project Status* Report # Report Date High Level Objectives Recommendations/ Results Management Responses/ Action Plans Status of Implementing Action Plans** This schedule presents the FY 2014 Audit Plan, displays changes to the audit plan, and provides explanations for the changes (an explanation for changes is at the end of this schedule). This schedule also shows the status of each project. To comply with Texas House Bill 16, high level objectives, recommendations, management action plans, and status of implementing those action plans are provided. Financial Audits UT System Requested/Externally Required Audits FY 2013 Financial Statement Audit - Assistance to External Auditor FY 2014 Financial Statement Audit - Assistance to External Auditor (interim financial work and IT work) Operational Audits UT System Requested/Externally Required Audits Presidential Travel, Entertainment, and Housing Expenses - Assistance to UT System Executives' Travel, and Entertainment Expenses FY14 Risk-Based Tier Two Audits Change in Management Audits, FY14 Camps - Departmental Human Resources - General Controls UT Market Payroll - Overtime Hours Tuition and Fees Building Security Longhorn Foundation/Business Office completed for FY 14 no report not applicable (N/A) to provide assistance N/A N/A N/A completed for FY 14 no report N/A to provide assistance N/A N/A N/A completed for FY 14 no report N/A to assist UT System N/A N/A N/A Postponed*** Near Completion Cancelled*** Postponed*** Near Completion Postponed*** Postponed*** Postponed*** In Progress*** Carryforward - Risk-Based Tier Two Audits Change in Management Audits, FY13: Office of the Vice President for Student Affairs completed /28/2014 with certain UT policies and procedures Enhance compliance with policies regarding information systems security. Management agreed and plans to implement recommendations. fully implemented Page 6

7 Internal Audit Plan for Fiscal Year 2014 FY 2014 Audit Plan Audit Report/Project Title Project Status* Report # Report Date High Level Objectives Recommendations/ Results Management Responses/ Action Plans Status of Implementing Action Plans** Nuclear Engineering Teaching Laboratory completed /18/2013 with certain UT policies and procedures Enhance compliance with policies regarding information systems security, inventory, and entertainment. Management agreed and plans to implement recommendations. substantially implemented Special Education completed /17/2013, 4/1/14 with certain UT policies and procedures Enhance compliance with policies regarding information systems security, travel, entertainment, employee time reporting, cash and cash equivalent handling, and procurement cards. Management agreed and plans to implement recommendations. substantially implemented Kinesiology and Health Education completed /18/2013, 4/1/14 Enhance compliance with policies regarding information systems security (policy changes), inventory, with certain UT policies and account reconciliations, procedures cash and cash equivalent handling, procurement cards, entertainment, and travel. Management agreed and plans to implement recommendations. substantially implemented University Health Services completed /17/2013 Enhance compliance with policies regarding with certain UT policies and information systems procedures security, procurement cards, and entertainment. Management agreed and plans to implement recommendations. fully implemented Art & Art History completed /13/2014 with certain UT policies and procedures Enhance compliance with policies regarding information systems security, inventory, purchasing, petty cash, procurement cards, travel, entertainment, and handling of cash and cash equivalents. Management agreed and plans to implement recommendations. fully implemented School of Law Near Completion Page 7

8 Internal Audit Plan for Fiscal Year 2014 FY 2014 Audit Plan Audit Report/Project Title Project Status* Report # Report Date High Level Objectives Recommendations/ Results Management Responses/ Action Plans Status of Implementing Action Plans** Marine Science Institute Completed /19/2014 Change in Management Audits, FY12 to evaluate the internal control environment to determine compliance with University policies 19 recommendations were made to improve internal controls and compliance in the areas of information systems security, cash handling, inventory, procurement cards, and travel. Management agreed and plans to implement recommendations. substantially implemented Anthropology completed /6/2013 with certain UT policies and procedures Enhance compliance with policies regarding information security, entertainment, handling of cash and cash equivalents, and purchasing. Management agreed. substantially implemented Department of Finance completed /6/2013 Enhance compliance with policies regarding with certain UT policies and information systems security procedures and cashier training. Management agreed. substantially implemented Department of Accounting (academic) completed /6/2013 with certain UT policies and procedures Enhance compliance with policies regarding information systems security. Management agreed. substantially implemented Department of Electrical & Computer Engineering completed /6/2013 with certain UT policies and procedures Enhance compliance with policies regarding information systems security and cash/cash equivalents. Management moved their IT operations to UT Austin's centralized IT services. substantially implemented Department of Middle Eastern Studies completed /6/2013 with certain UT policies and procedures Enhance compliance with policies regarding information systems security, inventory, entertainment, purchasing, and handling of cash and cash equivalents. Management agreed. substantially implemented Carryforward - Management Requests Frank Erwin Center - Box Office Operations Near Completion Page 8

9 Internal Audit Plan for Fiscal Year 2014 FY 2014 Audit Plan Audit Report/Project Title Project Status* Report # Report Date High Level Objectives Recommendations/ Results Management Responses/ Action Plans Status of Implementing Action Plans** Executive Travel and Entertainment Audit FY13 completed /12/2013 with University travel and entertainment rules Two campus-wide issues need to be addressed through revisions to the University policy: serving alcohol at off-campus university sponsored events and revising the process for approval of executive level entertainment expenses. Several recommendations were made at the individual executive level to improve compliance with University policy. Administration agrees that the policy needs to be revised. Individual executives agreed with the recommendations and plan to implement them. substantially implemented Compliance Audits UT System Requested/Externally Required Audits Cancer Prevention Research Institute of Texas (CPRIT) Grant Education Research Center FY 14 Cancelled*** Postponed*** NCAA Football Attendance completed /10/2014 to determine whether football attendance averaged 15,000 or more for all home games, as required by NCAA to qualify for Division I status in compliance none none Management Requests UT System Policy 175 Conflicts of Interest in Research cancelled*** Risk-Based Tier Two Audits Research - Export Controls University Health Services (UHS) and Forty Acres Pharmacy NCAA Bylaw 13 - Camps and Clinics NCAA Bylaw 15 - Financial Aid Postponed*** Postponed*** Near Completion In Progress Page 9

10 Internal Audit Plan for Fiscal Year 2014 FY 2014 Audit Plan Audit Report/Project Title Project Status* Report # Report Date High Level Objectives Recommendations/ Results Management Responses/ Action Plans Status of Implementing Action Plans** Texas Relays NCAA Bylaw 10/14 - Academic Integrity/Eligibility Completed Postponed*** /26/2014 to evaluate controls related to the receiving, processing, and reconciling of participant entry fee proceeds and spectator ticket sales recommend enhancements to controls over participant entry fees management agrees and plans to implement recommendations incomplete - to be implemented for the 2015 Texas Relays Carryforward - Risk-Based Tier Two Audits Research - Technology Commercialization/ Intellectual Property Near Completion Clery Act Completed /3/2014 Research Compliance Completed /21/2014 Education Research Center, FY 13 Completed /27/2014 with the Clery Act regarding gathering and reporting crime and fire safety statistics and policies to evaluate whether UT Austin's research compliance program effectively manages high risks with a contract with Tx Education Agency and Tx Higher Education Coordinating Board Recommendations were made in the following areas: geography, daily crime log, emergency response and evaluation procedures, the Annual Security Report, missing student notification procedures and fire safety log. UT Austin's research compliance program effectively manages high risks in compliance, no recommendations More training will be offered, policies will be revised, more information will be included on the Fire Safety Log; communication to students and employees as to the location of the Daily Crime Log will be increased N/A N/A incomplete/ ongoing N/A N/A Page 10

11 Internal Audit Plan for Fiscal Year 2014 FY 2014 Audit Plan Audit Report/Project Title Project Status* Report # Report Date High Level Objectives Recommendations/ Results Management Responses/ Action Plans Status of Implementing Action Plans** Norman Hackerman Advanced Research Program (ARP) Grants Completed /19/2014 with grant conditions specified by the Texas Higher Education Coordinating Board Recommendations were made in the following areas: travel, reports, and published project material. The Office of Accounting reminded department staff about the travel rules; grant management will enhance monitoring the timeliness of issuing progress and technical reports; researchers will be reminded with each new grant that the Coordinating Board needs to be acknowledged on all publications from the grant research fully implemented Research - Scientific Misconduct Complete /26/2014 with University policies and federal regulations on investigating and reporting scientific misconduct enhance investigation procedures by interviewing complainants and providing them an opportunity to review their interview transcripts and providing respondents an opportunity to review draft inquiry and investigation reports Management agrees to implement recommendations. incomplete/ ongoing Page 11

12 Internal Audit Plan for Fiscal Year 2014 FY 2014 Audit Plan Audit Report/Project Title Project Status* Report # Report Date High Level Objectives Recommendations/ Results Management Responses/ Action Plans Status of Implementing Action Plans** Information Technology Audits UT System Requested/Externally Required Audits Institute for Public School Initiatives (IPSI), TEA Grant National Automated Clearinghouse Association (NACHA) FY14 Near Completion In Progress Risk-Based Tier Two Audits IT General Controls FY14 Change in Management Audits, FY14 - IT portion Sensitive Data Control Plans Payment Card Industry (PCI) Data Security Standards (DSS) In Progress In Progress In Progress Postponed*** Commodity IT Services Postponed*** Health Insurance Portability and Accountability Act (HIPAA) In Progress Centralized Authentication System Postponed*** Carryforward Audits IT General Controls FY13 Change in Management Audits, FY13 - IT portion In Progress Near Completion Laptop Encryption and IT Inventory Completed /1/2014 to determine whether laptop inventory was properly controlled and all laptops were either encrypted or exempt from the exemption requirement recommend improvements to controls over recording and tracking IT inventory and properly encrypting all laptops Management agreed and is taking correction actions. substantially implemented Texas Administrative Code 202 Completed /25/2013 to determine whether the UT Austin information security program comply with Texas Administrative Code 202 generally complies; 5 recommendations to improve controls related to information resources security safeguards, Security Standards Policy, and Business Continuity Planning. Management agreed and is taking correction actions. substantially implemented Page 12

13 Internal Audit Plan for Fiscal Year 2014 FY 2014 Audit Plan Audit Report/Project Title Project Status* Report # Report Date High Level Objectives Recommendations/ Results Management Responses/ Action Plans Status of Implementing Action Plans** National Automated Clearinghouse Association (NCAA), FY13 Completed /31/2014 with NACHA 2013 Operating Rules for Internet- Initiated/Mobile Entries in compliance, no recommendations N/A N/A Reserves Reserve for Investigations completed for FY 14 no report Reserve for Management Requested Projects completed for FY 14 no report Reserve for Consulting Projects completed for FY 14 no report Follow-up Audits completed for FY 14 no report Projects Quality Assurance Review, internal completed for FY 14 no report Quality Assurance Review, external completed for FY 14 no report Internal Audit Committee completed for FY 14 no report Technical Support for Internal Audit Office and Staff completed for FY 14 no report TeamMate Support and Maintenance completed for FY 14 no report Annual Audit Plan and Risk Assessment Process completed for FY 14 no report Annual Internal Audit Report completed for FY 14 no report Office Manual/Website Updates completed for FY 14 no report UT System Issues and Assistance completed for FY 14 no report SAO Issues and Assistance completed for FY 14 no report Professional Organizations and University Committees completed for FY 14 no report Annual Financial Report - Monitoring Plan completed for FY 14 no report Data Mining completed for FY 14 no report Project Update/ Status Meetings completed for FY 14 no report *Project Status Definitions: Near Completion means reporting stage. In Progress means field work stage. **Status of Implementing Action Plans N/A - not applicable because there is no report or there are no recommendations fully implemented - all action plans have been implemented substantially implemented - most of the recommendations have been implemented incomplete/ongoing - management is working on it Page 13

14 Internal Audit Plan for Fiscal Year 2014 FY 2014 Audit Plan Audit Report/Project Title Project Status* Report # Report Date High Level Objectives Recommendations/ Results Management Responses/ Action Plans Status of Implementing Action Plans** *** Explanation for Differences in the Audit Plan All changes to the Audit Plan were approved by the Internal Audit Committee at UT Austin. Intercollegiate Athletics projects: Internal Audit (IA) management agreed to provide audit services to Intercollegiate Athletics; Athletics management decided which areas they wanted audited after the FY14 Audit Plan had become final. These projects were added after the Audit Plan was approved: NCAA Bylaws, Texas Relays, Longhorn Foundation. Cancer Prevention Research Institute of Texas (CPRIT) Grant, cancelled: UT System Audit Office engaged Deloitte LLP to conduct this audit for the period through FY13. Projects were postponed or cancelled to provide more time for: one departmental management request of high IT risk the Laptop Encryption project requested by UT System two investigations audits on the Audit Plan that required more time than planned three consulting projects that addressed new high risks UT Austin's closure for weather Page 14

15 Consulting and Non-Audit Services Completed, FY 2014 Central Business Office Chemistry/Biochemistry Project High-level Objective or Allegation Report # Report Date to provide advice regarding procedures, policies, and processes - this is a new office to determine whether a professor received appropriate approval of his work outside UT and whether he was misusing university funds Observations, Results, and Recommendations, if applicable not applicable not applicable Advice was provided throughout the year not applicable not applicable The professor had not received appropriate approval for outside employment. No evidence was found to support the allegation of misuse of funds. Office of Student Financial Services Semester in Los Angeles Texas Box Office, Frank Erwin Center Tuition Exemption Investigation UT Austin User Accounts UT Power Plant Store Vice President for Research to determine whether procedures for securing social security numbers are adequate and in compliance with relevant policies The Director of the Semester in Los Angeles Program is alleged to be engaged in (a) financial mismanagement regarding the use/control of University resources and noncompliance with University policies & procedures, (b) misrepresentations of former students as current students for purposes of eligibility for internships in Los Angeles, and (c) a tolerance for alcohol at offcampus student events. An hourly employee purchased athletics tickets and event tickets and then allocated them using his code in the Paciolan Ticketing System. Some of these tickets were allocated to prime seats for disabled patrons. Most were resold for profit. A graduate student misused her former spouse's military status to gain a tuition exemption for in-state tuition over six semesters. User accounts of former employees were noted to have access to University computing resources, e.g. and file storage. An assistant plant maintenance supervisor has a store where he sells perishables such as candy, drinks, and chips, to subordinates for cash. The business is located in a storeroom in the UT Power Plant. In addition, UT vehicles are used to purchase goods needed to restock the store. An anonymous caller made an allegation through the University Compliance Services hotline stating that the Vice President for Research (VPR) routinely overrides university policies in a way that has the potential to cause financial harm, create a substantial audit risk, and undermine the ability of staff who is supposed to ensure compliance; the VPR overrides in direct violation of university policy and federal regulations. not applicable not applicable Department management is in the process of enhancing security over social security numbers. not applicable not applicable Rules were not followed. not applicable not applicable Rules were not followed. not applicable not applicable Rules were not followed. not applicable not applicable This was included in TAC 202 audit. not applicable not applicable Department management has discontinued the operation of the Power Plant Store. not applicable not applicable Based on information provided, the VPR has authority to approve a rate other than the negotiated rate. Internal Audits concludes that the VPR is not violating policies regarding reduced indirect costs; therefore the allegation does not appear to be valid. Page 15

16 Consulting and Non-Audit Services Completed, FY 2014 Project High-level Objective or Allegation Report # Report Date Workday Implementation, Consulting Internal Audits is providing consulting assistance to the team implementing Workday, the new enterprise resource planning (ERP) solution for UT Austin. A work plan and deliverables will be finalized soon. Observations, Results, and Recommendations, if applicable not applicable not applicable Advice was provided throughout the year. Page 16

17 External Quality Assessment Executive Summary Performed by PricewaterhouseCoopers, LLP June 30, 2014 Page 17

18 June 30, 2014 Mr. Mike Vandervort Director of Internal Audit The University of Texas at Austin 1616 Guadalupe Street, UTA Suite Austin, TX We have completed an External Quality Assessment ( EQA ) of The University of Texas at Austin ( UT Austin ) Office of Internal Audit ( IA ). The EQA included an assessment of the level of conformance with the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing ( the IIA Standards ), the Generally Accepted Government Auditing Standards ( GAGAS ) as well as the relevant requirements of the Texas Internal Auditing Act ( TIAA ). Listed below is our overall assessment of IA s adherence with these Standards and requirements: IIA Standards - Based on our work, IA generally conforms. However, we did identify process enhancement opportunities. GAGAS - No conformance observations were identified. TIAA requirements Other than the observations related to IIA Standards, no other observations were identified during our work. Our Services were performed and this report was developed in accordance with our contract dated February 18, 2014 and are subject to the terms and conditions included therein. Our Services were performed in accordance with the Standards for Consulting Services established by the American Institute of Certified Public Accountants ("AICPA"). Accordingly, we are providing no opinion, attestation or other form of assurance with respect to our work and we did not verify or audit any information provided to us. Our work was limited to the specific procedures and analysis described herein and was based only on the information made available through April 11, 2014, when field work was substantially completed. Accordingly, changes in circumstances after this date could affect the findings outlined in this report. This information has been prepared solely for the use and benefit of, and pursuant to a client relationship exclusively with The University of Texas System Administration. PwC disclaims any contractual or other responsibility to others based on its use and, accordingly, this information may not be relied upon by anyone other than The University of Texas System Administration and UT Austin. We would like to offer a sincere thank you to you and your staff, and the Internal Audit Committee and management of UT Austin, for the time and attention they provided during this assessment. We appreciate the opportunity to serve The University of Texas System Administration on this important engagement. Very truly yours, PricewaterhouseCoopers, LLP PricewaterhouseCoopers LLP, 1201 Louisiana, Suite 2900, Houston, TX T: (713) , F: (713) , Information contained herein is for the sole benefit and use of UT Austin Page 18

19 O F F I C E O F I N T E R N A L A U D I T S FY 2015 AUDIT PLAN Page 19

20 Audit/Project Budgeted Hours Description Financial UT System Requested/Externally Required Audits FY 2015 Financial Statement Audit - Assistance to External Auditor (interim financial work and IT work) FY 2015 Audit Plan 20 Required by UT System - Assistance to the external auditor for audit of FY14 Financial Statements; to include IT audit work prior to year-end Financial Subtotal 20 Operational UT System Requested/Externally Required Audits Presidential Travel, Entertainment, and Housing 20 Required by Regents Rule Assist UT System Audit with review of travel, entertainment, Expenses - Assistance to UT System and housing expenses for the president and spouse Executives' Travel and Entertainment Expenses 400 Required by UT System Annually. All sources of funds, including funds from the General FY2014/2015 Appropriations Act, may be selected for review.* Risk-Based Audits Departmental Change in Management Audits, FY15 Human Resources - General Controls 1,000 Review and evaluate departmental internal controls and compliance with UT rules. All sources of funds, including funds from the General Appropriations Act, may be selected for review.* 600 Review general controls associated with the Human Resources Department, according to high level of risk within the area (including overtime hours). All sources of funds, including funds from the General Appropriations Act, may be affected by this project.* Bursar - Cash Management Donor Scholarships University Health Services - Billing and Operations 300 Conduct cash counts using a sample of departments who receive and maintain funds in their area 500 Determine whether donor scholarships are used for intended purpose 500 Review and evaluate student health center for compliance with applicable federal, state, and University rules regarding billing and operations 40 Acres Pharmacy 500 Review and evaluate the 40 Acres Pharmacy for compliance with applicable federal, state, and University rules regarding billing and operations Carryforward - Risk-Based Audits Departmental Change in Management Audits, FY14 Longhorn Foundation/Business Office 150 Review and evaluate departmental internal controls and compliance with UT rules. All sources of funds, including funds from the General Appropriations Act, may be selected for review.* 425 Business Office (Transactional and Financial), Contracts (TBD), Longhorn Foundation Ticket Sample Page 20

21 FY 2015 Audit Plan Audit/Project Budgeted Hours Description Consulting Workday Implementation and Shared Services 500 Provide assistance regarding implementation of new Workday ERP solution. All sources of funds, including funds from the General Appropriations Act, may be affected by this project.* Compliance UT System Requested/Externally Required Audits Proportionality Funding of Benefits Education Research Center FY2014/2015 NCAA Football Attendance Operational Subtotal 4, Per request from the Governor; addresses the proportionality of benefits and related risks. All sources of funds, including funds from the General Appropriations Act, may be affected by this project.* 400 Required by contract - Certify that the research center is in full compliance with all terms of the contract and all applicable state and federal laws 50 Required by NCAA - Review to verify football game attendance Risk-Based Audits NCAA Bylaw 10/14 - Academic Integrity/Eligibility NCAA Bylaw 12 - Amateurism NCAA Bylaw 16 - Awards and Benefits NCAA Bylaws 18/20 - Post Season Events/Division Membership Research - Export Controls UT System Policy 175 Conflicts of Interest in Research Environmental Health & Safety Data Analytics Minors on Campus 800 Academic Integrity - Tutors/ Mentor Program; Class auditing; Eligibility Certification 600 Review amateurism (NCAA Bylaw 12) related to Intercollegiate Athletics 600 Review awards and benefits (NCAA Bylaw 16) related to Intercollegiate Athletics 400 Review post season events/division membership (NCAA Bylaws 18 & 20) related to Intercollegiate Athletics 500 Review and evaluate export controls and compliance with federal, state, and University rules 600 Disclosure of significant financial interests and management and reporting of financial conflicts of interest in research - Requested by Dr. Juan Sanchez 500 Evaluate compliance with UT Austin/UT System policies, state/federal rules regarding environmental health and safety procedures 250 Data analysis to locate inappropriate transactions in various areas 500 Evaluate compliance with UT Austin/UT System policies, state/federal rules regarding minors on campus Carryforward - Risk-Based Audits NCAA Bylaw 13 - Camps and Clinics 250 Camps/ Operational/ Financial MBB/ WBB/ BA - Fall FB/VB - Spring 2014 NCAA Bylaw 15 - Financial Aid 425 Equivalency Calculations & Outside Scholarships Compliance Subtotal 6,075 Page 21

22 FY 2015 Audit Plan Audit/Project Budgeted Hours Description Information Technology UT System Requested/Externally Required Audits Institute for Public School Initiatives (IPSI), TEA Grant National Automated Clearinghouse Association (NACHA) FY2015 Texas Administrative Code (TAC) 202 Risk-Based Audits Departmantal Change in Management Audits, FY15 - IT portion UT Facilities Network (FACnet) Incident Handling Health Insurance Portability and Accountability Act (HIPAA) Sensitive Data Control Plans 150 Required annually by TEA - Assess security of electronically stored data. Annual audit requirement specified in grant conditions 125 Required annually by NACHA - Review controls over web-based check transactions 600 Required every two years by TAC Review compliance with TAC 202 (Information Security Standards) 400 Review and test IT controls as part of Departmental Change in Management Audits 800 Review sufficiency of controls in the university's network of facilites controllers and systems 400 Review processes in place for monitoring, investigating, and responding to system breaches 400 Review HIPAA covered entities for compliance with HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act 400 Assess security procedures utilized to protect confidential data used in research or other projects. IT Audit Assistance for Non-IT Projects 400 Centralized Authentication System 400 Review related IT controls in the university's authentication system Payment Card Industry (PCI) Data Security Standards (DSS) 400 Review controls to ensure compliance with credit card industry standards (PCI DSS) Carryforward - Risk-Based Audits Departmental Change in Management Audits, FY14 - IT Portion 100 Review and test IT controls as part of Departmental Change in Management Audits Information Technology Subtotal 4,575 Follow-up General Follow-up 150 Follow-up on Level-1 IT Recommendations 150 Follow-up Subtotal 300 Page 22

23 FY 2015 Audit Plan Audit/Project Budgeted Hours Description Projects Quality Assurance Review, internal 100 Internal quality assurance reviews Internal Audit Committee 400 Preparation and support for Internal Audit Committee meetings Technical Support for Internal Audit Office and Staff 400 Internal support for office technology and software TeamMate Support and Maintenance Annual Audit Plan and Risk Assessment Process Annual Internal Audit Report Office Manual/Website Updates UT System Issues and Assistance SAO Issues and Assistance Professional Organizations and University Committees 125 Maintenance and support of electronic audit management system 500 Preparation of annual audit plan and risk assessment 40 Preparation of annual report required by the Texas Government Code, Chapter 2102 (The Internal Auditing Act) 130 Updates to IA's office manual, standard forms/reports, processes, and website 100 Miscellaneous assistance provided to UT System Audit Office 35 Miscellaneous assistance provided to the State Auditor 200 Support and participation in profession audit organizations Annual Financial Report - Monitoring Plan 100 Required by UT System; UTS142.1 requires annual testing of the monitoring plan for the segregation of duties and reconciliation of accounts. Project Update/Status Meetings 300 Staff meetings regarding updates and status of audits and projects Training for Dell Medical School 300 Reserve Projects Subtotal 2,730 Reserve for Management Requests 500 Reserve for Investigations 1,238 Reserve for Consulting 500 Reserve Subtotal 2,238 Total Hours 20,833 All sources of funds, including funds from the General Appropriations Act, may be affected by projects using hours reserved for unplanned projects.* *Instructions for this schedule require identifying projects in these categories: Projects with blue font address the proportionality of benefits or related risks. Projects with fushia font may relate to expenditure transfers or any other limitations or restriction in the General Appropriations Act. Page 23

24 High Level Risks NOT Covered in Audit Plan for FY 2015 Risk Compliance - Capturing All Investigations - Incl Hotline Calls Lack of effort reporting &/or noncompliance with OMB Circular A-21 Non-compliance with federal purchasing requirements Lack of license compliance monitoring & enforcement Consent process with human subjects Lack of or inadeqate reporting of Scientific Misconduct Inaccurate reporting on lobbying Facilities, Athletics IT Services, Athletics Servers/ Virtual Machines Building Access Control System Information Mgmt. - Development Phishing Attacks - Financial Services Failure to manage contracts, ITS Administration Explanation/Mitigation This area is currently in transition and controls are being reviewed for future best practices. Internal Audits will consider this area for the FY 2016 audit plan. Internal Audits is planning to conduct two audits in the area of research for the FY2015 audit plan. This risk will be considered for the FY2016 audit plan. Self Assessment Review Audited FY2014 Human Subjects Research is externally accredited. Internal Audits reviewed this accreditation as an audit step in FY2014. Audited FY2014 Internal Audits is planning to conduct two audits in the area of research for the FY2015 audit plan. This risk will be considered for the FY2016 audit plan. Audited FY2014 This area was reviewed in the FY2014 audit of Texas Box Office (Paciolan system). Internal Audits will consider a more thorough review of this risk for the FY2016 audit plan. Services are currently being expanded in this area; IA will consider auditing this risk in future years. The UT Information Security Office recently performed a security review of BACS, and BACS is currently being reviewed by a 3rd party; IA will consider auditing this risk in future years. An audit of information management in the Development Office was performed by IA in FY09. Time constraints do not allow for this risk to be audited this year; IA will consider auditing this risk in future years. Two-factor authentication is currently being implemented for payroll and additional areas are being implemented in future phases; IA will consider auditing this risk in future years. Time constraints do not allow for this risk to be audited this year; IA will consider auditing this risk in future years. Page 24

25 The Process for Developing Risk Assessments for the Audit Plan As part of preparing the annual audit plan, Internal Audit (IA) management and staff met with the President s Office, each vice president, the Director of University Compliance Services, and the Director of Information Technology Services/Chief Information Officer to review his/her risk assessments. Discussions included IA s prior year s risk assessment, changes in the executive s portfolio, changes and expected changes in the environment and/or industry, and changes in how risks may be evaluated. Then the updated risk assessments are used for the annual audit plan. The University of Texas System Audit Office (UTS) provides a spreadsheet identifying the audit universe in different levels (Tier One, Two, and Three). IA matches the universe to the prepared risk assessments to be sure all risks are evaluated. UTS requires the following selected risk assessments to be exhibited with the Audit Plan: Overall Risk Assessment (Tier One Level) Institutional Risk Assessment The risk rankings are a weighted average of the detailed risk assessments. Detailed Risk Assessments (Tier Two Level) - selected Research Risk Assessment Information Technology Risk Assessment, all IT risk assessments considered Texas Administrative Code 202 Institutional Tier 2 Risk Assessment Evaluating Risks (Guidelines from UTS) Risk Assessments The vertical axis of the risk assessment represents the applicable business processes. The horizontal axis of the risk assessment represents business risks identified for each process or sub-process. All types of business risks were included: strategic, financial, operational, and compliance. Each individual risk identified was ranked for impact and probability. Determination of Impact Impact of a risk is the effect a single occurrence of that risk will have upon the achievement of UT Austin s goals and objectives. There are three values: High The effect will cause the institution not to achieve its goals and objectives: show stopper Medium The effect will cause the institution to operate inefficiently and/or expend unplanned resources to meet goals and objectives Low There will be no measurable effect upon the achievement of institutional goals and objectives Methodology to determine the Impact Value: Identify consequences to the organization if a risk were to become a reality Value the effect on the organization for each consequence (high, medium, or low) Assign Impact value of an identified risk based upon the value of its highest potential consequence Page 25

26 Determination of Probability Probability of a risk is the likelihood the risk will become reality. There are three values: High The risk will become a reality frequently Medium The risk will become a reality infrequently Low The risk will rarely become a reality Page 26

27 External Audit Services, FY14 Scope Type Frequency External Auditors Audit Required By: UT Austin Department of Intercollegiate Athletics Statement of Revenues and Expenses For The Year Ended August 31, 2013 and Independent Accountants'' Report on Applying Agreed-upon Procedures Agreed-Upon Procedures Annual Maxwell Locke & Ritter, LLP NCAA Bylaw KUT Radio of The University of Texas at Austin Financial Statements and Independent Auditor's Report Years Ended August 31, 2013 and 2012 Financial Annual Gindler, Chappell, Morrison, and Co. P.C. The Corporation for Public Broadcasting University of Texas University Charter School Annual Financial Report For The Year Ended August 31, 2013 Financial Annual West, Davis & Company, LLP Texas Education Code, Section University of Texas Elementary School Annual Financial Report For the Year Ended August 31, 2013 Financial Annual Belt Harris Pechacek, LLLP Texas Education Code, Section State of Texas Compliance with Federal Portion of the Statewide Single Audit Report For The Fiscal Year Ended August 31, 2013, Report # State of Texas Financial Portion of the Statewide Single Audit Report For The Year Ended August 31, 2013, Report # University Interscholastic League Annual Financial Report For The Year Ended August 31, 2012 Financial Financial Financial Annual Annual Annual John Keel, CPA State Auditor and KPMG, LLP John Keel, CPA State Auditor West, Davis & Company, LLP Single Audit Act Amendments of 1996 and OMB Circular A-133, Audits of States, Local Governments, and Non- Profit Organizations Single Audit Act Amendments of 1996 Texas Education Code, Section Page 27

28 Reporting Suspected Fraud and Abuse Requirement #1: General Appropriations Act Sec Fraud Reporting. A state agency or institution of higher education appropriated funds by this Act, shall use appropriated funds to assist with the detection and reporting of fraud involving state funds, including funds received pursuant to the American Recovery and Reinvestment Act, as follows: (a) By providing information on the home page of the entity's website on how to report suspected fraud, waste, and abuse involving state resources directly to the State Auditor's Office. This shall include, at a minimum, the State Auditor's fraud hotline information and a link to the State Auditor's website for fraud reporting; and (b) By including in the agency or institution's policies information on how to report suspected fraud involving state funds to the state auditor. Description of How The University of Texas at Austin complies: The University has a link for reporting fraud on the home page of its website. Please see This link includes information on how and where to report fraud, including the following statement: You may also report suspected fraud, waste, and abuse to the State Auditor s Office Hotline at TX-AUDIT ( ). The State Auditor s Office provides additional information at its website, The University of Texas at Austin s Suspected Dishonest or Fraudulent Activities policy is now on-line: Requirement #2: Texas Government Code, Section Coordination of Investigations (a) If the administrative head of a department or entity that is subject to audit by the state auditor has reasonable cause to believe that money received from the state by the department or entity or by a client or contractor of the department or entity may have been lost, misappropriated, or misused, or that other fraudulent or unlawful conduct has occurred in relation to the operation of the department or entity, the administrative head shall report the reason and basis for the belief to the state auditor. The state auditor may investigate the report or may monitor any investigation conducted by the department or entity. (b) The state auditor, in consultation with state agencies and institutions, shall prescribe the form, content, and timing of a report required by this section. (c) All records of a communication by or to the state auditor relating to a report to the state auditor under Subsection (a) are audit working papers of the state auditor. Description of How The University of Texas at Austin complies: The Office of Internal Audits at The University of Texas at Austin reports all suspected fraud and abuse to the State Auditor s Office through their Website: Page 28