2011 ANNUAL REPORT Adding Value to the UK Community
Table of Contents Director s Message 1 In-House Quality Initiatives 2-3 Governance 4 Metric Scorecard 5-7 UKIA Staff 8-9 Internal Audit assists the University management, administration and the Board of Trustees in the effective discharge of their fiduciary and administrative responsibility by providing independent, objective assurance and consulting services with respect to evaluating risk management, control and governance processes. (Internal Audit Charter, 2011)
Message from the Director To provide the UK community with exemplary internal audit services that add value and give reasonable assurance regarding the achievement of management objectives Vision Statement, University of Kentucky Internal Audit (UKIA) 2009 2014 UKIA Strategic Plan On behalf of UKIA, I am pleased to present our fiscal year 2011 (FY 2011) Annual Report, Adding Value to the UK Community. In keeping with our vision statement noted above, throughout the report are highlighted ways in which UKIA continues to improve and give quality output to our clients throughout the UK Community. For UKIA, adding value means helping our audit clients to operate from a position of strength. The first section of the report highlights three major UKIA projects that are under way: ARUBA, ACL and the Work Paper Project. We have embarked on these projects with the understanding that enhancing our infrastructure allows UKIA to operate more effectively and efficiently. These initiatives represent the continuous-improvement paradigm of UKIA, which enables us to provide ongoing exemplary internal audit services to our clients. The second section of the report describes the five metrics used by UKIA to gauge our performance for FY 2011, namely productivity, actual versus budgeted audit hours, recommendations accepted, client satisfaction and audit duration. While our productivity, recommendations accepted and client satisfaction goals were achieved, we continue to focus on our audit hours and duration as areas for refinement. FY 2011 represents a change to the way in which we define audit duration. UKIA is now focused on the length of time the client is engaged (from the audit Announcement Letter date to the Closing Meeting date) rather than the length of time of the audit (from the preliminary audit research to the issuance of the Final Report). Our goal is to continue to reduce the audit duration, recognizing that an internal audit requires time, attention and energy from the audit client. The third section details the UKIA work performed in FY 2011. Listed are five Core Reviews, three Follow-Up Reviews and 17 Consultations/Inquiries. This list represents audit coverage across the University, including Campus Operations, Academic Units, Finance and Administration, UK Affiliates and UK HealthCare. The final section focuses on the UKIA staff. The staff comprises seven audit professionals (five business auditors and two IT auditors), two administrative support staff and the Senior Director. Each auditor is either certified or has an advanced degree, or both, bringing a wealth of business experience to the internal audit arena. In closing, I would like to invite you to visit the UKIA website, uky.edu/internalaudit, which was completely revised in May of 2011 with you in mind. There you will find our quarterly newsletters, frequently asked questions and other services provided by UKIA. You will also find a section regarding UKIA governance and information about the University Comply Line. Again, it was designed to add value. We look forward to continuing to serve the UK Community and thank the Administration for their support. Sincerely, Joe Reed, Senior Director, UKIA 1
UKIA In-House Quality Initiatives At the top of our agenda, UKIA is endeavoring to enhance and streamline our processes to be more effective and efficient. The next several pages will highlight a few of the significant projects under way as we seek to improve quality and customer service, and add value to the University. The ARUBA Project (Accessible Repository of University Business Activities) UKIA is in the midst of developing ARUBA, an in-house database that will be used in three ways: (1) Information Repository, (2) Risk Prioritization, and (3) Risk Profile Heat Map Formulation for the UKIA Annual Audit Work Plan. Information Repository This project came about as UKIA recognized the need for housing the continual stream of data compiled for future audit use. The data comes to UKIA from various sources, including risk assessment interviews, previous audit work, unsolicited information from emails, phone calls, newspaper articles, and UKIA training seminars and workshops. The data will be stored by auditable department for information trending and retrieval by the lead auditor based on audit assignment. ARUBA will be used beginning with new FY 2012 reviews. Heat Maps Lastly, risk profile heat maps, which are pictorial representations of University areas, are developed by considering the impact and likelihood of weaknesses associated with a University unit or process. UKIA will be prioritizing the audit work plan based on the auditable unit/process ranking above and also other pertinent information to ensure adequate audit coverage across the University. This database will be used to proactively assess units and processes based on current information for timely engagement. UKIA considers ARUBA to be a risk assessment initiative that will impact future internal auditing processes. Risk Prioritization ARUBA has also been developed as a means of scoring and prioritizing the risks associated with the various cash handling units across the University. UKIA will be increasing the number of cash handling audits performed in FY 2012 as a part of its continuous auditing program. A number of surprise cash audits are projected for FY 2012. UKIA s goals are to improve cash handling processes across the University and raise awareness. Furthermore, ARUBA will be used to prioritize University audits for UKIA s Annual Audit Work Plan. Each University unit and process contained in the repository will be scored based on relevant business risk criteria. The units and processes will be ranked from highest to lowest risk score. 2
The ACL Project In an ever-changing and increasingly complex audit environment, coupled with state appropriation funding cuts for universities, UKIA recognizes the need to improve our audit processes and leverage our audit resources using computer-assisted auditing techniques. ACL is a data analysis software that UKIA is in the process of implementing as part of our continuous auditing service. UKIA will utilize the data mining features of ACL in an effort to reduce audit cycle time and expand audit testing to entire University-wide populations. The results will be more information in less time and increased audit coverage across the University. UKIA is very excited to use this highly-regarded audit tool as we continue our efforts to add value to the University. The Work Paper Project UKIA embarked on this initiative in response to our 2009 Quality Assessment Review (QAR) performed by a peer review team from the Institute of Internal Auditors (IIA). One of the QAR recommendations noted that UKIA needs to adopt a working paper approach which properly documents the work that is performed. When completed, the working papers need to stand on their own when presented for review. Thus, UKIA is currently analyzing the process/methodology we use in preparing our work papers. The goals of this project include increased adherence to the IIA Professional Standards, the attainment of consistency among the audit staff regarding work paper preparation and the resulting work paper product, and the production of the most effective work papers in the most efficient manner, thus reducing audit duration. UKIA plans to implement the new work paper process in October of 2011. It will be documented in UKIA s Process Manual. UKIA will continue to revise and update our work paper process as necessary to appropriately document our audit work performed. 3
UKIA Governance Who audits the auditors? is a question that is frequently asked of UKIA. Per the Standards of the Institute of Internal Auditors (IIA), peer reviews are required every five years. The peer review is conducted by an external committee assessing the effectiveness of the Internal Audit function. In August of 2009, UKIA completed a Quality Assessment Review performed by the IIA. UKIA received the highest rating of Generally Conforms. UK Ethical Principles and Code of Conduct UKIA staff are required to abide by the University of Kentucky Ethical Principles and Code of Conduct which document expectations of responsibility and integrity for every UK employee. IIA Code of Ethics As members of the internal auditing profession, UKIA staff are required to abide by the IIA Code of Ethics which includes Principles and Rules of Conduct regarding integrity, objectivity, confidentiality and competency of internal auditors. The UKIA staff are University of Kentucky employees reporting administratively to the Executive Vice President for Finance and Administration and functionally to the Audit Subcommittee of the Finance Committee of the UK Board of Trustees. UKIA has no authority over, nor direct responsibility for, any of the activities reviewed thereby maintaining independence and objectivity. Responsibility Agreement The intent of this document is to acknowledge UKIA s professional obligation to handle all information with professional care and avoid potential conflicts. Each UKIA auditor is required to sign this agreement upon joining the staff. Following is a list of the seven governing documents that comprise UKIA Governance. These regulations establish how we conduct the internal audit function at the University of Kentucky. The documents are reviewed, on a rotating basis, during UKIA staff meetings throughout the year. Auditor Independence Statement This document is used to assist in recognizing potential or perceived areas of conflict of interest. Annually, each UKIA auditor completes and signs this document noting relationships with the UK Community (e.g., a relative working in a particular UK unit). Audit Subcommittee Charter This document defines the purpose, structure, meetings, functions and responsibilities of the Audit Subcommittee. There is a section specifically related to the oversight of UKIA by the Audit Subcommittee. Internal Audit Charter This document defines the purpose, standards, authority and responsibilities of Internal Audit. It is signed by the University President and the Chair of the Audit Subcommittee. Professional Summary In this document, the UKIA Senior Director sets forth his expectation regarding professionalism of the UKIA staff. Respectful and courteous communication with our clients and with one another is a prerequisite for a professional staff. It determines the culture and the conduct expectation. UKIA employees are expected to encourage and cultivate an atmosphere conducive for teamwork and creative sharing. Professional Summary UKIA Governing Document 4
UKIA Metric Scorecard UK s Internal Audit Department measures itself within five metrics that assess the productivity, actual versus budgeted hours, recommendations accepted, client satisfaction and audit duration. The metrics are compiled and reported on a weekly basis to the Senior Director and audit staff, and reported annually to the Audit Subcommittee, EVP of Healthcare, EVP of Finance and Administration, Provost, and on the UKIA s website via our Annual Report. The assessment of these metrics is just one venue to show UKIA s transparency and progress to UK. Metric #1: Productivity Departmental Goal of 75% Productivity A productivity goal of 75% translates to actual hours of production. The hours are calculated from the total amount of work hours per professional employee multiplied by 75% to compute the total available hours for audit projects. FY 2011 productivity exceeded this goal with an actual rate of 82%, as shown to the right. This calculation is used to forecast individual audit assignments for the Annual Work Plan. Actual hours in FY 2011 are shown below. The tables present the breakdown of audit project hours and non-audit project hours. 2011 Productivity Rate 82% Audit Project Hours 18% Non-Audit Project Hours 11,990 Hours 2,722 Hours Audit Project Hours Hours Percentage These categories represent the cumulative number of hours that were charged to each major service area. The percentages show actual time spent in each service area to total audit project hours. Audit Activity 8,090 67% UKIA Infrastructure Projects 1,261 11% IT 2,639 22% Total 11,990 100% Non-Audit Project Hours These categories represent the cumulative number of hours that were charged to each area for non-audit project time. The percentages show actual time spent in each area to total non-audit project hours. Hours Percentage Approved Leave Time 1,251 46% General Administrative 663 24% Training 479 18% Staff Meeting 329 12% Total 2,722 100% 5
Metric #2: Forecast Hours UKIA will perform each review within the respective budgeted plan hours Budgeted vs. Actual The Senior Director will determine the forecast hours for each audit project upon assignment. The actual audit duration will be recorded at the conclusion of each audit. These two areas are important to the audit process as they directly affect the completion of the work plan and accuracy of the risk assessment process. This metric is calculated by using forecasted hours by service area versus actual hours to be in an acceptable range for each Work Plan assignment. Generally, UKIA will allot approximately 600 hours for Core Reviews and 70 to 100 hours for Follow-Up Reviews. A majority of the FY 2011 Core Reviews were performed within the budgeted hours. All of the Follow-up Reviews exceeded budgeted hours. The table above shows the actual hours worked in FY 2011 for Core Reviews and Follow-up Reviews. Karen Michaels Metric #3: Recommendations Accepted Goal of 75% Recommendations are categorized as those that are accepted, those that are not accepted, and those that do not require a management response. UKIA s goal is to have 3 out of every 4 recommendations requiring a response from management to be accepted. The goal was achieved, as 100% of the recommendations requiring a response from management were accepted for FY 2011. Karen was great to work with. I felt she made every effort to understand, in detail, the job requirements of each of our employees. We were very pleased with the recommendations and information provided to implement the recommendations. We have already started to work on implementation of several of the recommendations. This was a very positive experience for our office. Client Satisfaction Survey Kathy Farrah 6
Metric #4: Communication Departmental Goal of 3.0 for Client Satisfaction Rating Scale of 1.0 4.0 UKIA prides itself in maintaining a high level of customer satisfaction. The quality of work UKIA maintains is in direct correlation with the level of client satisfaction. UKIA is improving customer interaction and feedback to immediately capture and compile results. The UKIA Quality Assurance (QA) support staff sends a confidential survey to audit client personnel selected by the Senior Director on the day following the final Audit Report distribution. The results are sent to UKIA QA support staff to be recorded and analyzed. At the discretion of the Senior Director, follow-up phone interviews may be conducted. Other Communication Activities (Newsletters and Website) UKIA publishes quarterly newsletters for the University Community. We use the newsletters as a means of communicating current trends at the University and hot topics in the internal auditing profession. UKIA is continually looking for ways to communicate with our clients to ensure working with our team is a pleasant learning experience. Please visit our website at uky.edu/internalaudit. It was completely revised in May of 2011 to add value to the UK Community. FY 2011 Survey Results Client feedback is focused in three areas: Interaction with UKIA, UKIA Communication and UKIA Effectiveness. Internal Audit s cumulative rating was well above satisfactory for clients who submitted feedback using the following rating scale: 1.0 Not satisfied; 2.0 Somewhat satisfied; 3.0- Satisifed; 4.0 Very satisfied. The feedback we receive is vital in helping us improve our service and structure additional services to benefit the entire UK Community. Metric #5 Audit Duration Total Time UKIA Interacts with the Client Cathy Miller Cathy Miller did a thorough and timely review. She was careful with sensitive information and responded to all questions. Client Satisfaction Survey Penny Cox This chart shows the average number of calendar days and audit hours to conduct a review in FY 2011 for Core Reviews and Follow-Up Reviews. UKIA is looking to improve this metric overall in an effort to reduce the total time that the client is engaged during the audit. 7
Core Review Team UKIA Staff Bruce Arseneau Anastasia Myers-Wilson Karen Michaels Gretchen Wagner I cannot speak highly enough of the professionalism of the auditing team. This was the University Press first audit in many years, and everyone from UKIA was courteous, articulate, and patient. Client Satisfaction Survey Steve Wrinn IT Team Ramona Veen-Sial Martin Anibaba Internal Auditors apply the knowledge, skills, and experience needed in the performance of internal audit services. IIA Code of Ethics Operations and Administration Team Shirley Rozeboom Tamara Mundy Cathy Miller Integrity, Excellence, Innovation, Collaboration, Mutual Respect UKIA Values 2009-2014 UKIA Strategic Plan 8
UKIA Staff Continued Master's Degree Business Auditor Qualifications CPA CPIM CIA 0 1 2 3 CPA Certified Public Accountant CPIM Certified in Production and Inventory Management CIA Certified Internal Auditor SCP (JZEE) CCNA CISA Master's Degree IT Auditor Qualifications 0 1 2 3 SCP (JZEE) Sun Certified Professional CCNA Cisco Certified Network Associate CISA Certified Information Systems Auditor UKIA staff comprises seven audit professionals (five business auditors and two IT auditors), two administrative support staff and the Senior Director. Each auditor is either certified or has an advanced degree, or both, bringing a wealth of business experience to the internal audit arena. Auditor Training UKIA professional audit staff received 479 hours of training in 2011. Training Provided By: ACL (Audit Analysis Software) American College and University Auditors (ACUA) Central Kentucky Institute of Internal Auditors (CKIIA) College Business Management Institute (CBMI) Institute of Internal Auditors (IIA) Internal Audit UK SAP/IRIS Training UK Training Internal Auditors shall continually improve their proficiency and the effectiveness and quality of their services. IIA Code of Ethics 9
2333 Alumni Park Plaza Suite 330 Lexington, KY 40517 859.257.3126 uky.edu/internalaudit