FROM HINDSIGHT TO FORESIGHT REPOSITIONING INTERNAL AUDIT TO DELIVER HIGHER VALUE

Contents

- Repositioning Internal Audit
- FY 2016-FY 2017 Audit Resource Deployment Plan
- Resources and Staffing
- Supplemental Materials

Repositioning Internal Audit: Building Blocks of the New Internal Audit Function

Our relationships embody respect, insight, balance, trust, and care.

We value:
- Leadership development
- Civility
- The voices of our stakeholders

We operate transparently. We are aware of our impact. We have an enterprise view.

We deliver insight and foresight to our colleagues and stakeholders through:
- Professional competence
- Business acumen
- Focus on the Cornerstone Plan and Health System strategy
- Data-driven analyses
- Our network of colleagues and connections throughout the University and the profession

We serve the audit profession in the Commonwealth of Virginia, the higher education industry, and around the globe. We collaborate and share our knowledge generously. We set the bar for excellence and leading practice in internal auditing.

How we built the risk-based audit plan

To build the audit plan we established an audit universe and assigned risk weightings.

Audit universe:
- Academic Division: U.Va.'s Budget System hierarchical org data (unit, expenditure $, grant $, FTEs)
- Medical Center/Health System: May 2015 Operating Margin Report

Risk weighting inputs:
- Relevant UVA ERM risks
- Regulatory compliance
- Emerging practices (e.g., ACO, value-based care)
- Industry risks: higher education, healthcare
- Peer benchmarking
- Hot topics

Enterprise risks:
1. Funding to achieve goals
2. Management of human capital
3. Legal compliance
4. Keeping pace
5. Reputation with key stakeholders
6. Geo-political and economic risks
7. Safety/security
8. Cybersecurity/leveraging IT
9. Organizational/operational efficiencies

Strategic objectives:
- Cornerstone Plan
- U.Va. Health System Strategy

Stakeholder input, including: ACR Chairman, MC Cabinet, EVP/COO, IT Leadership, Provost's Office

Audit Resources Deployment FY 16-FY 17

Academic Team:
- Faculty Recruitment and Retention
- Research Expansion Initiative

Med Center Team:
- Clinical Engineering
- Charge Capture

IT Team:
- Cybersecurity
- IT Governance and Standards
- IT Asset Management
- Change Control and System Configuration

Integrated Team Audits and Reviews:
- Fiscal Stewardship (Pan-University)
- EPIC Phase 2 Implementation
- Managerial Reporting Implementation
- PeopleSoft Upgrade
- Physical Safety and Security
- Integrated Assurance: Compliance Oversight Verification
- Data Privacy
- Segregation of Duties (Oracle, PeopleSoft, EPIC)
- Audit Department Process Improvements

Audit Department Resources (future)

Notes on the organization chart (the original slide marks current vacancies in red and redeployment of resources in green):
- Maintains the current 17-position headcount while increasing managers' span of control (the 3rd Director role is not replaced).
- Reporting location of Health System (HS) auditors depends on the skill sets of the TBD Director.
- Will need to evaluate where specialization of audit skills is required as we make new hires, shift current resources, or co-source.
- Audits will be conducted using a pooled-resource approach where possible. Administrative reporting would remain as shown.

Positions shown on the chart:
- Chief Audit Executive
- Director, Integrated Assurance (TBD): Continuous Monitoring/Fraud Risk; Hotline follow-up
- Assoc Dir IT / Director IT Audit: Senior IT Auditor; Senior IT Auditor (new hire); IT Auditor
- Office Manager
- Manager, Special Projects (all areas)
- Director, HS and University Audits: Senior Auditor; Senior Auditor; Staff Auditor
- Manager, HS Audits: Senior HS Auditor; HS Auditor (new hire); HS Auditor (new hire)

Supplementary Materials

Unpacking the Audit Plan: Potential Scope of Audit Plan Topics

Unpacking the Plan: Potential Scope Areas, Academic Team

Audit: Curry School of Education
- Why selected: In progress from prior year plan
- Potential scope: Degree audit; Centers and Clinics (licensure, background checks, patient health data, revenue generation/charge capture); Academic programming

Audit: Faculty Recruitment and Retention
- Why selected: Cornerstone Pillar IV: Assemble and Support a Distinguishing Faculty; ERM Risk: Management of Human Capital
- Potential scope: Large program governance; Effectiveness of risk management for a strategically critical program

Audit: Research Expansion Initiative
- Why selected: Cornerstone Pillar II: Advance Knowledge; ERM Risks: Funding to Achieve Goals; Keeping Pace
- Potential scope: Large program governance; Effectiveness of risk management for a strategically critical program

Unpacking the Plan: Potential Scope Areas, Med Center Team

Audit: Pyxis Medstation Access Review
- Why selected: In progress from prior year plan
- Potential scope: User provisioning; Evaluation of biometric access usage

Audit: Clinical Engineering
- Why selected: Cyber/data security of patient information; Patient care/safety and quality of patient care; ERM Risk: Legal and Compliance; Staff productivity
- Potential scope: Data security and privacy practices; Device maintenance scheduling and equipment monitoring procedures; Useful-life monitoring and evaluation

Audit: Charge Capture
- Why selected: OIG Workplan; Margin management; ICD-10 implementation; EMR/medical documentation; Regulatory billing compliance
- Potential scope: Evaluation of facility/technical fee billing by the MC for nurse-only and procedure visits; Billing of medications and medication administration

Audit: Value Based Care
- Why selected: Healthcare industry major trend
- Potential scope: TBD in partnership with MC leadership

Unpacking the Plan: Potential Scope Areas, IT

Audit: Information Security, Policy, and Records Office
- Why selected: KPMG 2015 IT Security Assessment; CEB 2015 Audit Plan Hotspots; PCI compliance
- Potential scope: Governance/standards; Information security policy; Monitoring procedures; Data loss prevention; Malware prevention

Audit: Cybersecurity
- Why selected: ERM Risk: Cybersecurity/Leveraging IT; CEB 2015 Audit Plan Hotspots; KPMG 2015 IT Security Assessment
- Potential scope: Incident response; Network; Operating systems; Databases (data-at-rest); BYOD (Bring Your Own Device)

Audit: Change Control and System Configuration
- Why selected: Key general computing controls; KPMG 2015 IT Security Assessment
- Potential scope: Student Information System (SIS); Oracle and PeopleSoft HR and FIN modules; EPIC

Unpacking the Plan: Potential Scope Areas, IT (cont.)

Audit: PeopleSoft
- Why selected: Significant upgrade; Data privacy; KPMG 2015 IT Security Assessment
- Potential scope: Privileged user access; SOD; Service/generic accounts; Patching procedures; Database security

Audit: IT Asset Management
- Potential scope: IT inventory management (central and non-central assets and systems); Termination handling; Disposal procedures

Audit: Disaster Recovery
- Why selected: Key general computing controls; Changing technology
- Potential scope: Replication process; Testing; Key metrics and SLAs

Unpacking the Plan: Potential Scope Areas, Integrated Team Audits and Reviews

Audit: Fiscal Stewardship
- Why selected: Cornerstone Pillar V: Steward the University's Resources to Promote Academic Excellence and Affordable Access
- Potential scope: Key internal financial controls; Unit-level fiscal discipline; Application of the University Financial Model

Audit: EPIC Phase 2 Implementation (HS Revenue Module)
- Why selected: Significant financial application; Significant capital expenditure
- Potential scope: Program governance; Access/data security; Configuration settings; Segregation of duties

Audit: Managerial Reporting Implementation
- Why selected: Significant financial application; Significant capital expenditure
- Potential scope: Data security; Data integrity

Audit: Physical Safety and Security
- Why selected: ERM Risk: Safety/security of students, faculty and staff
- Potential scope: Clery audit follow-up; Police training; Physical security; Building access

Unpacking the Plan: Potential Scope Areas, Integrated Team Audits and Reviews (cont'd)

Audit: Integrated Assurance
- Why selected: ERM Risk: Legal and Compliance; Higher education industry risks; Reputational risks; CEB 2015 Audit Plan Hotspots
- Potential scope: Effectiveness of 2nd-line-of-defense compliance functions: NCAA; Environmental Health & Safety; Research-related (OSP, IRB); Corporate Compliance (Med Ctr); Title IX; Clery Act; ARMICS ("Government SOX")

Audit: Privacy
- Why selected: ERM Risk: Legal and Compliance; CEB 2015 Audit Plan Hotspots
- Potential scope: PII (personally identifiable data); Student data; HIPAA compliance; Cloud and mobile environments

Audit: Segregation of Duties
- Why selected: Foundational fraud risk control; Data security and integrity; Reporting accuracy
- Potential scope: Oracle; PeopleSoft; EPIC