FROM HINDSIGHT TO FORESIGHT REPOSITIONING INTERNAL AUDIT TO DELIVER HIGHER VALUE

Transcription

1 FROM HINDSIGHT TO FORESIGHT REPOSITIONING INTERNAL AUDIT TO DELIVER HIGHER VALUE Repositioning Internal Audit FY 2016-FY2017 Audit Resource Deployment Plan Resources and Staffing Supplemental Materials

2 Repositioning Internal Audit: Building Blocks of the New Internal Audit Function Our relationships embody respect, insight, balance, trust, and care. We value: Leadership development. Civility. The voices of our stakeholders. We operate transparently. We are aware of our impact. We have an enterprise view. We deliver insight and foresight to our colleagues and stakeholders through: Professional competence. Business acumen. Focus on Cornerstone Plan and Health System strategy. Data-driven analyses. Our network of colleagues and connections throughout the University and the profession. We serve the audit profession in the Commonwealth of Virginia, the higher education industry, and around the globe. We collaborate and share our knowledge generously. We set the bar for excellence and leading practice in internal auditing. 2

3 How we built the risk-based audit plan Audit Universe Academic Div: U.Va. s Budget System Hierarchical Org Data (Unit, Expenditure $, Grant $, FTEs) MC/Health System: May 2015 Operating Margin Report TO BUILD THE AUDIT PLAN WE ESTABLISHED AN AUDIT UNIVERSE AND ASSIGNED RISK WEIGHTINGS: Relevant UVA ERM Risks Regulatory Compliance Emerging practices (e.g. ACO, Value Based Care) Industry Risks: Higher Ed Healthcare Peer Benchmarking Hot Topics Enterprise Risks: 1. Funding to achieve goals 2. Management of human capital 3. Legal compliance 4. Keeping pace 5. Reputation w/key stakeholders 6. Geo-political and economic risks 7. Safety/security 8. Cybersecurity/leveraging IT 9. Org/operational efficiencies Strategic Objectives: Cornerstone Plan U.Va. Health System Strategy Stakeholder input including: ACR Chairman, MC Cabinet, EVP/COO, IT Leadership, Provost s Office 3

4 Audit Resources Deployment FY 16-FY 17 Academic Team Faculty Recruitment and Retention Research Expansion Initiative Med Center Team Clinical Engineering Charge Capture IT Team Cybersecurity IT Governance and Standards IT Asset Management Change Control and System Configuration Integrated Team Audits and Reviews Fiscal Stewardship (Pan-University) EPIC Phase 2 Implementation Managerial Reporting Implementation PeopleSoft Upgrade Physical Safety and Security Integrated Assurance: Compliance Oversight Verification Data Privacy Segregation of Duties (Oracle, PeopleSoft, EPIC) Audit Department Process Improvements 4

5 Audit Department Resources (future) Current vacancies in red Chief Audit Executive Redeployment of resources in green Maintains current 17 position headcount while increasing Managers span of control (3 rd Director role not replaced) Reporting location of Health System (HS) Auditors depends on skill sets of TBD Director Integrated Assurance Continuous Monitoring/Fraud Risk Hotline follow up Assoc Dir IT Director IT Audit Senior IT Auditor New Hire Senior IT Auditor Office Manager Special Projects (all areas) Manager Director HS and University Audits Senior Auditor Senior Auditor Manager HS Audits Senior HS Auditor New Hire HS Auditor Will need to evaluate where specialization of audit skills is required as we make new hires/shift current resources/cosource Audits will be conducted using pooled resource approach where possible. Administrative reporting would remain as shown. IT Auditor Staff Auditor New Hire HS Auditor 5

6 Unpacking the Audit Plan: Potential Scope of Audit Plan Topics SUPPLEMENTARY MATERIALS 6

7 Unpacking the Plan: Potential Scope Areas Academic Team Audit Why Selected Potential Scope Curry School of Education In progress from prior year plan Degree audit Centers and Clinics: licensure, background checks, patient health data, revenue generation/charge capture Academic Programming Faculty Recruitment and Retention Cornerstone Pillar IV: Assemble and Support a Distinguishing Faculty ERM Risk: Management of Human Capital Research Expansion Initiative Cornerstone Pillar II: Advance Knowledge ERM Risks: Funding to Achieve Goals; Keeping Pace Large program governance Effectiveness of risk management for strategically critical program Large program governance Effectiveness of risk management for strategically critical program 7

8 Unpacking the Plan: Potential Scope Areas Med Center Team Audit Why Selected Potential Scope Pyxis Medstation Access Review In progress from prior year plan User provisioning Evaluation of biometric access usage Clinical Engineering Cyber/ Data Security of Patient Information Patient Care/Safety & Quality of Patient Care ERM Risk: Legal and Compliance Staff Productivity Charge Capture OIG Workplan Margin Management ICD-10 Implementation EMR/Medical Documentation Regulatory Billing Compliance Value Based Care Healthcare Industry Major Trend Data security and privacy practices Device maintenance scheduling and equipment monitoring procedures Useful life monitoring and evaluation Evaluation of facility/technical fee billing by the MC for nurse only and procedure visits Billing of Medications and Med Administration TBD in partnership with MC leadership 8

9 Unpacking the Plan: Potential Scope Areas Audit Why Selected Potential Scope Information Security, Policy, and Records Office IT KPMG 2015 IT Security Assessment CEB 2015 Audit Plan Hotspots PCI Compliance Governance/Standards Information Security Policy Monitoring Procedures Data Loss Prevention Malware Prevention Cybersecurity ERM Risk: Cybersecurity/ Leveraging IT CEB 2015 Audit Plan Hotspots KPMG 2015 IT Security Assessment Incident response Network Operating Systems Databases (data-at-rest) BYOD (Bring Your Own Device) Change Control and System Configuration Key general computing controls KPMG 2015 IT Security Assessment Student Information System (SIS) Oracle & PS HR and FIN modules EPIC 9

10 Unpacking the Plan: Potential Scope Areas Audit Why Selected Potential Scope PeopleSoft Significant Upgrade Data Privacy IT Asset Management IT (Cont.) KPMG 2015 IT Security Assessment Privileged User Access SOD Service/Generic Accounts Patching Procedures Database Security IT Inventory Management: Central and Non-Central Assets and Systems Termination Handling Disposal Procedures Disaster Recovery Key general computing controls Changing Technology Replication Process Testing Key Metrics and SLAs 10

11 Fiscal Stewardship Unpacking the Plan: Potential Scope Areas Audit Why Selected Potential Scope EPIC Phase 2 Implementation (HS Revenue Module) Managerial Reporting Implementation Physical Safety and Security Integrated Team Audits and Reviews Cornerstone Pillar V: Steward the University's Resources to Promote Academic Excellence and Affordable Access Significant financial application Significant capital expenditure Significant financial application Significant capital expenditure ERM Risk: Safety/security of students, faculty and staff Key internal financial controls Unit-level fiscal discipline Application of University Financial Model Program governance Access/data security Configuration settings Segregation of duties Data security Data integrity Clery audit follow up Police training Physical security Building access 11

12 Unpacking the Plan: Potential Scope Areas Integrated Team Audits and Reviews (Cont d) Audit Why Selected Potential Scope Integrated Assurance ERM Risk: Legal and Compliance Higher Education Industry risks Reputational risks CEB 2015 Audit Plan Hotspots Privacy ERM Risk: Legal and Compliance CEB 2015 Audit Plan Hotspots Segregation of Duties Foundational fraud risk control Data security and integrity Reporting accuracy Effectiveness of 2 nd line of defense compliance functions: NCAA Environmental Health & Safety Research-related (OSP, IRB) Corp Compliance (Med Ctr) Title IX Clery Act ARMICS ( Government SOX ) PII (Personally Identifiable Data) Student Data HIPAA compliance Cloud and mobile environments Oracle PeopleSoft EPIC 12