Board of Visitors Audit, Compliance, and Risk Committee September 16, 2016

Transcription

1 Board of Visitors Audit, Compliance, and Risk Committee September 16,

2 Audit Department Activities 2

3 September 2016 Audit Department Status Assurance and Advisory Projects: Completed FY 2017 To Date Subject UVA Division Curry School of Education Academic Division Darden Fund Transfers Academic Distributed IT Systems Current Academic State Assessment FY2016 Inventories (UVA Academic, Health System Bookstore, Pharmacy) Action Plan Implementation Academic, Health System Status Follow Ups 3

4 September 2016 Audit Department Status Assurance and Advisory Projects: In Progress as of September 2016 BOV Meeting Subject Epic Phase 2 Implementation Project Health Check w/ IT Security Focus Fiscal Stewardship (Data-driven Internal Controls Analytics) Proof of Concept Integrated Assurance Compliance Assessment System Security: Privileged Access (Core Systems) Ivy Cloud Project Health Check w/ Security and Governance Focus Security Enhancement Plan (SEP) Project Health Check SCADA Consultation UVA Division Health System Academic Academic Health System Pan-University Academic Pan University 4

5 September 2016 Audit Department Status Current View of Risk Prioritized Future Projects (Remainder of FY17) Subject UVA Division 340B Drug Discount Program Health System Environmental Health & Safety Compliance Health System HIPAA Risk Assessment Academic Uniform Guidance Implementation: Consultation with Academic Office of Sponsored Programs ARMICS (Agency Risk Management and Internal Control Academic Standards) Consultation Epic Phase 2 Implementation Project Health Check w/ Health System Control Framework Focus Strategic Investment Fund Expenditures Monitoring Pan-University UFirst HR Transformation Project Health Check Pan-University IT Change Controls Health System Presidential Travel and Expenses Pan-University 5

6 By Priority Rating 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Action Plan Completion Status Priority 1 Priority 2 Legacy (Unrated) Closed Open By UVA Division Academic Division Health System College at Wise 2 Open Closed Closed Open 6

7 Compliance-Related Action Plans By Fiscal Year, By Compliance Subcategory FY 2016 Regulatory Compliance UVA Policies & Procedures FY2017 7

8 Operational Action Plans, By Fiscal Year, By Risk Subcategory Cybersecurity 4 Efficiency and Effectiveness 1 1 Key Financial Controls 2 Student Experience General IT Controls FY 2016 FY2017 8

9 University Compliance: Report on Medical Center Compliance and Privacy Officer Search 9

10 SECTION TITLE ERM Program Update 10

11 ERM Priorities Reposition & Enrich Program Enhance Board Reporting Onboard Health System ERM Priorities 11

12 ERM Process Flowchart 1. Clarify Major Objectives 2. Identify Risks to Major Objectives 3. Assessment of Identified Risks 4. Response and Management of Key Identified Risks 5. Reporting to University Leadership President/EVP s BOV President s Cabinet Risk Management Council/Networks Key Stakeholders Risk Management Council President/EVP s Risk Management Council Risk Owners Risk Management Council

13 ERM Governance Architecture BOV Audit, Compliance, and Risk President and Cabinet Risk Management Council Risk Management Network Health System Risk Management Network Academic Division 13

14 Key Risk Dashboard September 2016 Does the risk present a material threat to the achievement of our objectives? INHERENT RISK TREND Yes Maybe No RISK 1! RISK OWNER Risk 1 Owner name here LAST REPORTED CURRENT 1-2 YEAR HORIZON MITIGATION CONFIDENCE Low High 2 Risk 2 Owner name here 3 Risk 3 Owner name here 4 Risk 4 Owner name here 5 Risk 5 Owner name here 6 Risk 6 Owner name here 7 Risk 7 Owner name here 8 Risk 8 Owner name here 9 Risk 9 Owner name here 10 Risk 10 Owner name here

15 Enterprise Risk Management (ERM) Updates September 2016 Key Risk Update: Change in the status of a key risk Mitigation Confidence Low High! Owner: Description: Mitigation (Actions to date and Future Actions): Emerging Risk Update: Risks on the horizon that have the potential to be significant Mitigation Confidence Low High! Owner: Description: Mitigation (Actions to date and Future Actions):

16 ERM Governance Architecture BOV Audit, Compliance, and Risk President and Cabinet Mike Marquardt (Chair) Sally Barber Larry Fitzgerald Kathy Peck Nick Mendyka Bill Fulkerson Rebecca Hill Michelle Hereford Brad Haws Rick Skinner Risk Management Network Health System Risk Management Council Jim Matteo (Chair) Gary Nimax Michael Marquardt Risk Management Network Academic Division Carolyn Saint Archie Holmes Jim Matteo (Chair) Nancy Rivers Carolyn Saint Pam Sellers Melody Bianchetto Virginia Evans Bryan Garey Gary Nimax Colette Sheehy Jeff Legro Dorrie Fontaine Josh Bowers Cindy Frederick Elisa Holquist Anthony De Bruyn Dave Hudson Craig Littlepaige Sim Ewing

17 Closed Session 17

18 Audit, Compliance, and Risk Committee Agenda CLOSED SESSION Discussion of Medical Center operations as provided for in Section (A) (22) of the Code of Virginia 18

19 Resume Open Session and Adjourn 19