UNIVERSITY OF VIRGINIA BOARD OF VISITORS MEETING OF THE AUDIT, COMPLIANCE, AND RISK COMMITTEE DECEMBER 9, 2016

Transcription

1 UNIVERSITY OF VIRGINIA BOARD OF VISITORS MEETING OF THE AUDIT, COMPLIANCE, AND RISK COMMITTEE DECEMBER 9, 2016

2 AUDIT, COMPLIANCE, AND RISK COMMITTEE (Open Session) Friday, December 9, :45-1:45 p.m. Board Room, The Rotunda Committee Members: Frank E. Genovese, Chair Mark T. Bowles L. D. Britt, M.D. Frank M. Conner III Babur B. Lateef, M.D. James B. Murray Jr. William H. Goodwin Jr., Ex-officio Adelaide Wilcox King, Faculty Consulting Member AGENDA PAGE I. REMARKS BY THE COMMITTEE CHAIR (Mr. Genovese) 1 II. DISCUSSION A. Auditor of Public Accounts Audit and Management Report 2 (Ms. Melody Bianchetto, VP Finance, to introduce Mr. Eric Sandridge, Director of Higher Education Programs, Auditor of Public Accounts; Mr. Sandridge to report) B. Audit Department Report (Mr. Genovese to introduce Ms. Carolyn D. Saint; Ms. Saint to report) Summary of Audit Reports, Departmental Activities, 3 and Plan Status C. University Compliance (Mr. Genovese to introduce Mr. Gary S. Nimax; Mr. Nimax to report) Report on Medical Center Compliance and Privacy 8 Officer Search D. Enterprise Risk Management (ERM) Report (Mr. Genovese 9 to introduce Mr. James S. Matteo; Mr. Matteo to report) III. CLOSED SESSION Discussion of IT security matters as provided for in (A)(19) of the Code of Virginia.

3 UNIVERSITY OF VIRGINIA BOARD OF VISITORS AGENDA ITEM SUMMARY BOARD MEETING: December 9, 2016 COMMITTEE: AGENDA ITEM: ACTION REQUIRED: Audit, Compliance, and Risk I. Remarks by the Committee Chair None BACKGROUND: Mr. Frank Genovese, the Committee Chair, will open the meeting and provide an overview of the agenda. 1

4 UNIVERSITY OF VIRGINIA BOARD OF VISITORS AGENDA ITEM SUMMARY BOARD MEETING: December 9, 2016 COMMITTEE: AGENDA ITEM: ACTION REQUIRED: Audit, Compliance, and Risk II.A. Auditor of Public Accounts Audit and Management Report None BACKGROUND AND DISCUSSION: The Auditor of Public Accounts of the Commonwealth conducts an annual audit of the University and the Medical Center and reports findings to the Board. Ms. Bianchetto will introduce Mr. Eric M. Sandridge, who will report on findings for the fiscal year audit. Mr. Sandridge is the Director of Higher Education Programs for the Virginia Auditor of Public Accounts and has served in that position since His responsibilities include management of the office s Higher Education Programs Specialty Team and project management oversight for audits of various agencies and institutions of the Commonwealth. Mr. Sandridge has served as audit director for the Virginia Community College System, Old Dominion University, Virginia Commonwealth University, Norfolk State University, University of Virginia, and the Department of Alcoholic Beverage Control annual audits. Mr. Sandridge also coordinates required federal audits at the Commonwealth s institutions of higher education, which support Virginia s statewide Single Audit report. He received his B.B.A. in Finance from the College of William and Mary and is a Certified Public Accountant and a Certified Government Financial Manager. 2

5 UNIVERSITY OF VIRGINIA BOARD OF VISITORS AGENDA ITEM SUMMARY BOARD MEETING: December 9, 2016 COMMITTEE: AGENDA ITEM: ACTION REQUIRED: Audit, Compliance, and Risk II.B. Audit Department Report: Summary of Audit Reports, Departmental Activities, and Plan Status None DISCUSSION: For purposes of supporting the Committee s oversight of the Audit Department, Ms. Carolyn Devine Saint, Chief Audit Executive, will summarize the Audit Department s activities for FY 2017 year to date. 3

6 Assurance and Advisory Projects: Completed FY 2017 To Date Subject Curry School of Education Darden Fund Transfers Distributed IT Systems Current State Assessment FY2016 Inventories (UVA Bookstore, Pharmacy) Action Plan Implementation Status Follow Ups Epic Phase 2 Implementation Project Health Check (2 nd Report) Integrated Assurance: Athletics Compliance Security Enhancement Plan (SecureUVA) Project Health Check (1 st report) Subject Epic 1 Phase 2 Implementation Project Health Check w/clinical Readiness and Database Security Areas of Focus IT System Security: Privileged Access Fiscal Stewardship (Data-driven Internal Controls Analytics): Focus on Research Compliance Integrated Assurance Athletics (NCAA) Compliance Assessment NCAA Football Attendance Certification Security Enhancement Plan (SecureUVA) Project Health Check continues SCADA 2 Consultation continues Ufirst (HR Transformation) Project Health Check Office of the President: Travel and Expenses Ivy Cloud 3 Project Health Check w/ Security and Governance Focus Subject Report to BOV ACR Committee: December 2016 Audit Department Plan Status UVA Division, Health System, Health System Health System Assurance and Advisory Projects: In Progress 4 UVA Division Health System Health System Pan-University Pan-University Pan-University Current View of Risk- Prioritized Future Projects (Remainder of FY17) 340B Drug Discount Program Epic Phase 2 Implementation Project Health Check Continues through Implementation (6/30/17) UVA Division Health System Health System 1 Epic is UVA Health System s Electronic Medical Records system. Phase 2 implements Epic s scheduling and revenue cycle modules, and certain clinical modules. 2 SCADA=Supervisory Control and Data Access. SCADA is a system for remote monitoring and control that operates with coded signals over communication channels. 3 UVA Data Science Institute s cloud computing environment for highly sensitive, secure data for researchers

7 Current View of Risk- Prioritized Future Projects Cont d (Remainder of FY17) Subject UVA Division IT Change Controls Special Collections Library Procedures and Controls Integrated Assurance: Environmental Health & Safety Compliance Strategic Investment Fund Expenditures Monitoring UFirst HR Transformation Project Health Check Continues through Implementation Health System Pan-University Pan-University Pan-University 5

8 Audit Department Dashboards: Types of Audit Projects Performed Through November 30, % 13% 4% 4% 17% 33% Agreed Upon Procedures Audit Consultation Follow Ups Pilot Audit Project Health Check Action Plan Completion Status Through November 30, 2016 by Priority Rating Priority Priority Legacy (Unrated) 25 2 Closed Open Details of Open Priority 1 and 2 Action Plans: Priority 1 Action Plan 1: Financial Outreach and Compliance Department s reassessment of Internal Controls Questionnaire and review of significant fiscal processes and associated key controls has been pushed back until new University Comptroller is hired and on boarded. Due Date Extended Until Onboarding of New Comptroller. Priority 1 Action Plan 2: University Registrar s office is evaluating completeness and accuracy of all schools undergraduate and graudate requirements. Due Date to Complete the Review Extended Until 12/31/2016. Two Priority 2 Open Action Plans relate to administrative/fiscal matters in the Curry School s Sheila Johnson Center. A third Priority 2 Open Action Plan relates to a recommendation to ensure Curry School adopts consistent practices for requiring background checks for students in unpaid positions throughout the school, including those involving students interacting with minors as part of their core function. 6

9 Audit Department Value Scorecard: Data as of November 30, 2016 Measures People: Leadership & Relationship Acumen Internal Team Team Participation in Introduction to Transactional Competence (ITC) Program Target: 100% participation Year to Date Metric Achievement Status Training hours per audit in non-technical differentiator competencies Target: 20 Hours External Stakeholders Audit Satisfaction Scores Target: Above Average Developing Survey Tool Collaboration on Cross Functional Projects and Committees Target: 3/year People: Industry & Technical Competence CPE Hours Earned on Priority Skills Target: 20 Hours Certifications Held by Each Auditor Target: 1/auditor Active Participation in Professional Associations Target: 1/auditor Audit Process: Efficient & Effective Audit Process Staff Utilization Target: 80% 74% Individual audit project actual to budget hours variance Target: 10% or less Completion of Lean Project on Audit Processes Target: 1/year Costs contained/recovered and revenue enhancements identified ($); Target: Establish baseline in 2016/17 Plan: Relevance to Risks that Matter Most Audit resources dedicated to higher or emerging risk areas Target: 75% Recommendations Made Target: Establish baseline in 2016/2017 $0 to date 7

10 UNIVERSITY OF VIRGINIA BOARD OF VISITORS AGENDA ITEM SUMMARY BOARD MEETING: December 9, 2016 COMMITTEE: AGENDA ITEM: ACTION REQUIRED: Audit, Compliance, and Risk II.C. University Compliance: Report on Medical Center Compliance and Privacy Officer Search None DISCUSSION: Mr. Gary Nimax, Assistant Vice President for Compliance, will report on the search for the Medical Center s new Compliance and Privacy Officer. A national search is underway to fill the vacant position on a permanent basis. Mr. Nimax will provide a report on the status of the search and a timeline for completion. 8

11 UNIVERSITY OF VIRGINIA BOARD OF VISITORS AGENDA ITEM SUMMARY BOARD MEETING: December 9, 2016 COMMITTEE: AGENDA ITEM: ACTION REQUIRED: Audit, Compliance, and Risk II.D. Enterprise Risk Management (ERM) Report None BACKGROUND AND DISCUSSION: Mr. James Matteo, Associate Vice President and Treasurer, will report on actions taken toward accomplishing the three key priorities for the ERM program, as first identified at the Committee s February 2016 meeting. The effort consists of three near-term priorities designed to: (1) reposition and enrich the program; (2) enhance board reporting; and (3) onboard ERM at the Health System. The University has taken several significant steps to reposition the program including the adoption of an Enterprise Risk Management Charter and the establishment of a network of individuals to advance risk management efforts at the Division and Health System. A Risk Management Council was formed to provide guidance in support of the global ERM effort and Risk Management Networks, comprised of representatives from major business units, in both the Division and Health System. These networks help identify inherent and emerging risks, serve as a connection between executive-level and department risk management activities, and seek to raise risk awareness among units across the University. At the Division, we have completed a risk identification effort designed to gather risks and update the University s existing risk list. From the risks identified, we worked with executive leadership to create a new key risk list for the Division. We will report on the Division s key risks using an updated risk reporting format. Reporting will be presented in two parts: 1) a key risk dashboard to provide a high-level risk overview; and 2) a key risk update intended to provide a more detailed discussion on a key risk or risks. At this meeting, we will present a key risk update on the SecureUVA program designed to enhance information technology security for the Division. 9

12 Additionally, significant progress has been made to onboard the Health System. We have completed the risk identification effort for the Health System and are working with executive leadership to finalize the Health System s key risk list. 10