FROM HINDSIGHT TO FORESIGHT REPOSITIONING INTERNAL AUDIT TO DELIVER - - PowerPoint PPT Presentation

SLIDE 1

FROM HINDSIGHT TO FORESIGHT REPOSITIONING INTERNAL AUDIT TO DELIVER HIGHER VALUE

  • Repositioning Internal Audit
  • FY 2016-FY 2017 Audit Resource Deployment Plan
  • Resources and Staffing
  • Supplemental Materials
SLIDE 2

Repositioning Internal Audit: Building Blocks of the New Internal Audit Function

We deliver insight and foresight to our colleagues and stakeholders through:
  • Professional competence
  • Business acumen
  • Focus on Cornerstone Plan and Health System strategy
  • Data-driven analyses
  • Our network of colleagues and connections throughout the University and the profession

We serve the audit profession in the Commonwealth of Virginia, the higher education industry, and around the globe. We collaborate and share our knowledge generously. We set the bar for excellence and leading practice in internal auditing. Our relationships embody respect, insight, balance, trust, and care.

We value:
  • Leadership development
  • Civility
  • The voices of our stakeholders

We operate transparently. We are aware of our impact. We have an enterprise view.

SLIDE 3

How we built the risk-based audit plan

Industry Risks:
  • Higher Ed
  • Healthcare
  • Peer Benchmarking
  • Hot Topics

Enterprise Risks:
  1. Funding to achieve goals
  2. Management of human capital
  3. Legal compliance
  4. Keeping pace
  5. Reputation w/key stakeholders
  6. Geo-political and economic risks
  7. Safety/security
  8. Cybersecurity/leveraging IT
  9. Org/operational efficiencies

Strategic Objectives:
  • Cornerstone Plan
  • U.Va. Health System Strategy

TO BUILD THE AUDIT PLAN WE ESTABLISHED AN “AUDIT UNIVERSE” AND ASSIGNED RISK WEIGHTINGS:

Audit Universe:
  • Stakeholder input including: ACR Chairman, MC Cabinet, EVP/COO, IT Leadership, Provost’s Office
  • Academic Div: U.Va.’s Budget System Hierarchical Org Data (Unit, Expenditure $, Grant $, FTEs)
  • MC/Health System: May 2015 Operating Margin Report
  • Relevant UVA ERM Risks
  • Regulatory Compliance
  • Emerging practices (e.g. ACO, Value Based Care)

SLIDE 4

Audit Resources Deployment FY 16-FY 17

Med Center Team
  • Clinical Engineering
  • Charge Capture

IT Team
  • Cybersecurity
  • IT Governance and Standards
  • IT Asset Management
  • Change Control and System Configuration

Academic Team
  • Faculty Recruitment and Retention
  • Research Expansion Initiative

Integrated Team Audits and Reviews
  • Fiscal Stewardship (Pan-University)
  • EPIC Phase 2 Implementation
  • Managerial Reporting Implementation
  • PeopleSoft Upgrade
  • Physical Safety and Security
  • Integrated Assurance: Compliance Oversight Verification
  • Data Privacy
  • Segregation of Duties (Oracle, PeopleSoft, EPIC)

Audit Department Process Improvements

SLIDE 5

Audit Department Resources (future)

Positions:
  • Chief Audit Executive
  • Director IT Audit
  • Assoc Dir IT
  • Senior IT Auditor
  • New Hire Senior IT Auditor
  • IT Auditor Special Projects (all areas)
  • Director HS and University Audits
  • Manager
  • Senior Auditor
  • Senior Auditor
  • Staff Auditor
  • Manager HS Audits
  • Senior HS Auditor
  • New Hire HS Auditor
  • New Hire HS Auditor
  • Office Manager

Current vacancies in red; redeployment of resources in green.

  • Reporting location of Health System (HS) Auditors depends on skill sets of TBD Director
  • Maintains current 17 position headcount while increasing Managers’ span of control (3rd Director role not replaced)
  • Will need to evaluate where specialization of audit skills is required as we make new hires/shift current resources/co-source
  • Integrated Assurance
  • Continuous Monitoring/Fraud Risk
  • Hotline follow up
  • Audits will be conducted using pooled resource approach where possible. Administrative reporting would remain as shown.

SLIDE 6

SUPPLEMENTARY MATERIALS

Unpacking the Audit Plan: Potential Scope of Audit Plan Topics


SLIDE 7

Unpacking the Plan: Potential Scope Areas (Academic Team)

Audit / Why Selected / Potential Scope

Curry School of Education
  Why selected: In progress from prior year plan
  Potential scope:
    • Degree audit
    • Centers and Clinics: licensure, background checks, patient health data, revenue generation/charge capture
    • Academic Programming

Faculty Recruitment and Retention
  Why selected:
    • Cornerstone Pillar IV: Assemble and Support a Distinguishing Faculty
    • ERM Risk: Management of Human Capital
  Potential scope:
    • Large program governance
    • Effectiveness of risk management for strategically critical program

Research Expansion Initiative
  Why selected:
    • Cornerstone Pillar II: Advance Knowledge
    • ERM Risks: Funding to Achieve Goals; Keeping Pace
  Potential scope:
    • Large program governance
    • Effectiveness of risk management for strategically critical program

SLIDE 8

Unpacking the Plan: Potential Scope Areas (Med Center Team)

Audit / Why Selected / Potential Scope

Pyxis Medstation Access Review
  Why selected: In progress from prior year plan
  Potential scope:
    • User provisioning
    • Evaluation of biometric access usage

Clinical Engineering
  Why selected:
    • Cyber/Data Security of Patient Information
    • Patient Care/Safety & Quality of Patient Care
    • ERM Risk: Legal and Compliance
  Potential scope:
    • Staff Productivity
    • Data security and privacy practices
    • Device maintenance scheduling and equipment monitoring procedures
    • Useful life monitoring and evaluation

Charge Capture
  Why selected:
    • OIG Workplan
    • Margin Management
    • ICD-10 Implementation
  Potential scope:
    • EMR/Medical Documentation
    • Regulatory Billing Compliance
    • Evaluation of facility/technical fee billing by the MC for nurse only and procedure visits
    • Billing of Medications and Med Administration

Value Based Care
  Why selected: Healthcare Industry Major Trend
  Potential scope: TBD in partnership with MC leadership

SLIDE 9

Unpacking the Plan: Potential Scope Areas (IT)

Audit / Why Selected / Potential Scope

Information Security, Policy, and Records Office
  Why selected:
    • KPMG 2015 IT Security Assessment
    • CEB 2015 Audit Plan Hotspots
  Potential scope:
    • PCI Compliance
    • Governance/Standards
    • Information Security Policy
    • Monitoring Procedures
    • Data Loss Prevention
    • Malware Prevention

Cybersecurity
  Why selected:
    • ERM Risk: Cybersecurity/Leveraging IT
    • CEB 2015 Audit Plan Hotspots
    • KPMG 2015 IT Security Assessment
  Potential scope:
    • Incident response
    • Network
    • Operating Systems
    • Databases (data-at-rest)
    • BYOD (Bring Your Own Device)

Change Control and System Configuration
  Why selected:
    • Key general computing controls
    • KPMG 2015 IT Security Assessment
  Potential scope:
    • Student Information System (SIS)
    • Oracle & PS HR and FIN modules
    • EPIC

SLIDE 10

Unpacking the Plan: Potential Scope Areas (IT, Cont.)

Audit / Why Selected / Potential Scope

PeopleSoft
  Why selected: Significant Upgrade
  Potential scope:
    • Data Privacy
    • Privileged User Access
    • SOD
    • Service/Generic Accounts
    • Patching Procedures
    • Database Security

IT Asset Management
  Why selected: KPMG 2015 IT Security Assessment
  Potential scope:
    • IT Inventory Management: Central and Non-Central Assets and Systems
    • Termination Handling
    • Disposal Procedures

Disaster Recovery
  Why selected:
    • Key general computing controls
    • Changing Technology
  Potential scope:
    • Replication Process
    • Testing
    • Key Metrics and SLAs

SLIDE 11

Unpacking the Plan: Potential Scope Areas (Integrated Team Audits and Reviews)

Audit / Why Selected / Potential Scope

Fiscal Stewardship
  Why selected: Cornerstone Pillar V: Steward the University's Resources to Promote Academic Excellence and Affordable Access
  Potential scope:
    • Key internal financial controls
    • Unit-level fiscal discipline
    • Application of University Financial Model

EPIC Phase 2 Implementation (HS Revenue Module)
  Why selected:
    • Significant financial application
    • Significant capital expenditure
  Potential scope:
    • Program governance
    • Access/data security
    • Configuration settings
    • Segregation of duties

Managerial Reporting Implementation
  Why selected:
    • Significant financial application
    • Significant capital expenditure
  Potential scope:
    • Data security
    • Data integrity

Physical Safety and Security
  Why selected: ERM Risk: Safety/security of students, faculty and staff
  Potential scope:
    • Clery audit follow up
    • Police training
    • Physical security
    • Building access

SLIDE 12

Unpacking the Plan: Potential Scope Areas (Integrated Team Audits and Reviews, Cont’d)

Audit / Why Selected / Potential Scope

Integrated Assurance
  Why selected:
    • ERM Risk: Legal and Compliance
    • Higher Education Industry risks
    • Reputational risks
    • CEB 2015 Audit Plan Hotspots
  Potential scope: Effectiveness of 2nd line of defense compliance functions:
    • NCAA
    • Environmental Health & Safety
    • Research-related (OSP, IRB)
    • Corp Compliance (Med Ctr)
    • Title IX
    • Clery Act
    • ARMICS (“Government SOX”)

Privacy
  Why selected:
    • ERM Risk: Legal and Compliance
    • CEB 2015 Audit Plan Hotspots
  Potential scope:
    • PII (Personally Identifiable Data)
    • Student Data
    • HIPAA compliance
    • Cloud and mobile environments

Segregation of Duties
  Why selected:
    • Foundational fraud risk control
    • Data security and integrity
    • Reporting accuracy
  Potential scope:
    • Oracle
    • PeopleSoft
    • EPIC