FROM HINDSIGHT TO FORESIGHT: REPOSITIONING INTERNAL AUDIT TO DELIVER HIGHER VALUE

Repositioning Internal Audit
FY 2016-FY 2017 Audit Resource Deployment Plan
Resources and Staffing

Repositioning Internal Audit: Building Blocks of the New Internal Audit Function

We deliver insight and foresight to our colleagues and stakeholders through:
• Professional competence
• Business acumen
• Focus on the Cornerstone Plan and Health System strategy
• Data-driven analyses
• Our network of colleagues and connections throughout the University and the profession

We serve the audit profession in the Commonwealth of Virginia, the higher education industry, and around the globe.
We collaborate and share our knowledge generously.
We set the bar for excellence and leading practice in internal auditing.
Our relationships embody respect, insight, balance, trust, and care.

We value:
• Leadership development
• Civility
• The voices of our stakeholders

We operate transparently. We are aware of our impact. We have an enterprise view.

How we built the risk-based audit plan

Inputs to the plan:

Industry risks: Higher Ed; Healthcare; Peer Benchmarking; Hot Topics

Enterprise risks:
1. Funding to achieve goals
2. Management of human capital
3. Legal compliance
4. Keeping pace
5. Reputation with key stakeholders
6. Geo-political and economic risks
7. Safety/security
8. Cybersecurity/leveraging IT
9. Org/operational efficiencies

Strategic objectives: Cornerstone Plan; U.Va. Health System Strategy

TO BUILD THE AUDIT PLAN WE ESTABLISHED AN “AUDIT UNIVERSE” AND ASSIGNED RISK WEIGHTINGS, DRAWING ON:
• Stakeholder input, including: ACR Chairman, MC Cabinet, EVP/COO, IT Leadership, Provost’s Office
• Academic Division: U.Va.’s Budget System hierarchical org data (unit, expenditure $, grant $, FTEs)
• MC/Health System: May 2015 Operating Margin Report
• Relevant UVA ERM risks
• Regulatory compliance
• Emerging practices (e.g. ACO, Value Based Care)

Audit Resources Deployment FY 16-FY 17

Med Center Team:
• Clinical Engineering
• Charge Capture

IT Team:
• Cybersecurity
• IT Governance and Standards
• IT Asset Management
• Change Control and System Configuration

Academic Team:
• Faculty Recruitment and Retention
• Research Expansion Initiative

Integrated Team Audits and Reviews:
• Fiscal Stewardship (Pan-University)
• EPIC Phase 2 Implementation
• Managerial Reporting Implementation
• PeopleSoft Upgrade
• Physical Safety and Security
• Integrated Assurance: Compliance Oversight Verification
• Data Privacy
• Segregation of Duties (Oracle, PeopleSoft, EPIC)
• Audit Department Process Improvements

Audit Department Resources (future)

Positions (17 in total):
• Chief Audit Executive
• Director IT Audit
• Assoc Dir IT
• Senior IT Auditor
• Senior IT Auditor (new hire)
• IT Auditor
• Special Projects (all areas)
• Director HS and University Audits
• Manager
• Senior Auditor
• Senior Auditor
• Staff Auditor
• Manager HS Audits
• Senior HS Auditor
• HS Auditor (new hire)
• HS Auditor (new hire)
• Office Manager

Current vacancies shown in red; redeployment of resources shown in green.

Notes:
• Reporting location of Health System (HS) auditors depends on the skill set of the TBD Director.
• Maintains the current 17-position headcount while increasing Managers’ span of control (3rd Director role not replaced).
• Will need to evaluate where specialization of audit skills is required as we make new hires, shift current resources, or co-source: Integrated Assurance; Continuous Monitoring/Fraud Risk; Hotline follow-up.
• Audits will be conducted using a pooled resource approach where possible. Administrative reporting would remain as shown.

SUPPLEMENTARY MATERIALS

Unpacking the Audit Plan: Potential Scope of Audit Plan Topics

Unpacking the Plan: Potential Scope Areas (Academic Team)

Audit: Curry School of Education
Why selected: In progress from prior year plan
Potential scope:
• Degree audit
• Centers and Clinics: licensure, background checks, patient health data, revenue generation/charge capture
• Academic programming

Audit: Faculty Recruitment and Retention
Why selected:
• Cornerstone Pillar IV: Assemble and Support a Distinguishing Faculty
• ERM Risk: Management of Human Capital
Potential scope:
• Large program governance
• Effectiveness of risk management for a strategically critical program

Audit: Research Expansion Initiative
Why selected:
• Cornerstone Pillar II: Advance Knowledge
• ERM Risks: Funding to Achieve Goals; Keeping Pace
Potential scope:
• Large program governance
• Effectiveness of risk management for a strategically critical program

Unpacking the Plan: Potential Scope Areas (Med Center Team)

Audit: Pyxis Medstation Access Review
Why selected: In progress from prior year plan
Potential scope:
• User provisioning
• Evaluation of biometric access usage

Audit: Clinical Engineering
Why selected:
• Cyber/data security of patient information
• Patient care/safety and quality of patient care
• ERM Risk: Legal and Compliance
Potential scope:
• Staff productivity
• Data security and privacy practices
• Device maintenance scheduling and equipment monitoring procedures
• Useful life monitoring and evaluation

Audit: Charge Capture
Why selected:
• OIG Workplan
• Margin management
• ICD-10 implementation
Potential scope:
• EMR/medical documentation
• Regulatory billing compliance
• Evaluation of facility/technical fee billing by the MC for nurse-only and procedure visits
• Billing of medications and medication administration

Audit: Value Based Care
Why selected: Healthcare industry major trend
Potential scope: TBD in partnership with MC leadership

Unpacking the Plan: Potential Scope Areas (IT Team)

Audit: Information Security, Policy, and Records Office
Why selected:
• KPMG 2015 IT Security Assessment
• CEB 2015 Audit Plan Hotspots
Potential scope:
• PCI compliance
• Governance/standards
• Information security policy monitoring procedures
• Data loss prevention
• Malware prevention

Audit: Cybersecurity
Why selected:
• ERM Risk: Cybersecurity/Leveraging IT
• CEB 2015 Audit Plan Hotspots
• KPMG 2015 IT Security Assessment
Potential scope:
• Incident response
• Network
• Operating systems
• Databases (data-at-rest)
• BYOD (Bring Your Own Device)

Audit: Change Control and System Configuration
Why selected:
• Key general computing controls
• KPMG 2015 IT Security Assessment
Potential scope:
• Student Information System (SIS)
• Oracle & PeopleSoft HR and FIN modules
• EPIC

Unpacking the Plan: Potential Scope Areas (IT Team, cont.)

Audit: PeopleSoft
Why selected:
• Significant upgrade
• Data privacy
Potential scope:
• Privileged user access
• Segregation of duties (SOD)
• Service/generic accounts
• Patching procedures
• Database security

Audit: IT Asset Management
Why selected: KPMG 2015 IT Security Assessment
Potential scope:
• IT inventory management: central and non-central assets and systems
• Termination handling
• Disposal procedures

Audit: Disaster Recovery
Why selected:
• Key general computing controls
• Changing technology
Potential scope:
• Replication process
• Testing
• Key metrics and SLAs

Unpacking the Plan: Potential Scope Areas (Integrated Team Audits and Reviews)

Audit: Fiscal Stewardship
Why selected: Cornerstone Pillar V: Steward the University's Resources to Promote Academic Excellence and Affordable Access
Potential scope:
• Key internal financial controls
• Unit-level fiscal discipline
• Application of the University Financial Model

Audit: EPIC Phase 2 Implementation (HS Revenue Module)
Why selected:
• Significant financial application
• Significant capital expenditure
Potential scope:
• Program governance
• Access/data security
• Configuration settings
• Segregation of duties

Audit: Managerial Reporting Implementation
Why selected:
• Significant financial application
• Significant capital expenditure
Potential scope:
• Data security
• Data integrity

Audit: Physical Safety and Security
Why selected: ERM Risk: Safety/security of students, faculty and staff
Potential scope:
• Clery audit follow-up
• Police training
• Physical security
• Building access

Unpacking the Plan: Potential Scope Areas (Integrated Team Audits and Reviews, cont’d)

Audit: Integrated Assurance
Why selected:
• ERM Risk: Legal and Compliance
• Higher education industry risks
• Reputational risks
• CEB 2015 Audit Plan Hotspots
Potential scope: effectiveness of 2nd line of defense compliance functions:
• NCAA
• Environmental Health & Safety
• Research-related (OSP, IRB)
• Corporate Compliance (Med Ctr)
• Title IX
• Clery Act
• ARMICS (“Government SOX”)

Audit: Privacy
Why selected:
• ERM Risk: Legal and Compliance
• CEB 2015 Audit Plan Hotspots
Potential scope:
• PII (Personally Identifiable Information)
• Student data
• HIPAA compliance
• Cloud and mobile environments

Audit: Segregation of Duties
Why selected:
• Foundational fraud risk control
• Data security and integrity
• Reporting accuracy
Potential scope:
• Oracle
• PeopleSoft
• EPIC
