Annual Report on Internal Audit Activities 2007-08
• Executive Summary – Introduction (page 3)
• Internal Audit Program – Results & Analysis (page 9)
• Statistics (page 10)
• Systemwide and Significant Individual Audit Results (page 13)
• Significant and Recurrent Internal Control Issues (page 15)
• Statistical Information – Coverage and MCAs (page 18)
• Internal Audit Program – Benchmarks & Improvement Initiatives (page 28)
• Appendix 1 Internal Audit Organizational Chart (page 33)
I. Executive Summary – Introduction
This Annual Report on Internal Audit Activities serves two purposes.
• Communicates outcomes of Internal Audit activities. The report conveys significant issues identified and addressed, progress toward ongoing improvement and corrective actions, and continuing challenges to the University’s control and compliance efforts.
• Demonstrates the accountability of the Internal Audit Program. The report addresses utilization of our resources, performance metrics and benchmarks, and adherence to professional standards and The Regents Internal Audit Charter. In this regard, our report is consistent with and supportive of President Yudof’s accountability initiatives.
• Through a program of planned audits, supplemental audits, advisory services, and investigations, there were 652 reports issued containing 2,253 Management Corrective Actions, which are summarized and analyzed in this report.
• The Internal Audit Program became a part of the new Office of Ethics, Compliance and Audit Services during the year. The purpose and function of the Internal Audit Program remain essentially the same; however, this report and our future plans demonstrate substantial interaction between Audit and Compliance, as many of the audit activities carried out or planned support compliance initiatives.
Highlights
During FY08, the UC Internal Audit Program:
• Rendered 652 audit, advisory services, and investigation reports resulting in 2,253 recommendations for improvements to internal controls that produced agreed upon Management Corrective Actions (MCAs)
• Validated the closure of nearly 1,800 Management Corrective Actions that strengthened controls, as follows:
  • Beginning MCA Number – 610
  • MCAs added – 2,253
  • MCAs closed – 1,790
  • Current open inventory of MCAs – 1,073
• Met or exceeded benchmarks for:
  • Productivity: 86% (goal 85%)
  • Completion of the Audit Plan: 80% (goal > 70%)
  • Coverage of matters assessed as High Risk* (73%)
  • Coverage of Core* Audit areas: 23% (target of 20-33% for a 3-5 year cycle)
* See definitions at Page 11
• Participated in a number of University initiatives related to:
  • Control
    • Systemwide IT Security Self Assessment against UC Policy IS 3
    • Special Review of Budgetary Funds Transfer Process
    • Willed Body Program Task Force Recommendations
    • Development of PI Fiscal Accountability Training
  • Governance
    • Development of Policy on Educational Loan Practices
    • Establishment of Audit Committee processes for LANS and LLNS
  • Risk
    • Enterprise Risk Management—KPMG Survey
    • Enterprise Risk Management—Reporting Tool Initiative
  • Compliance
    • HIPAA Strike Teams addressing training, monitoring and enforcement
    • Conflict of Interest reporting Process Assessment
    • Executive Compensation-Reporting and Control Recommendations
  • Restructuring
    • UCOP Business Restructuring—Formation of Business Resource Center
    • Office of Research—Restructuring of Special Research Programs
• Continuous Improvement of the Internal Audit Program:
  • Conducted a Quality Assurance Review pursuant to IIA professional standards.
  • Launched a certification initiative to increase the number of UC auditors achieving the professional designation as Certified Internal Auditors.
  • Sponsored and participated in academic-led research studying measures of staffing adequacy for internal audit in higher education (partnered with the Institute of Internal Auditors Research Foundation and the Association of College and University Auditors).
  • Developed systemwide project management systems and tools.
  • Created a Task Force of internal IT subject matter experts to develop strengthened systemwide programs and capabilities.
Summary and Conclusions
In conjunction with the over 650 completed Audit, Advisory Services and Investigation reports issued, we identified no conditions that we believed to represent material deficiencies in internal controls to the University system as a whole from a financial standpoint. In addition, while we acknowledge that management has ultimate responsibility for establishing internal controls to manage risks, we identified no circumstances in which we believe that management’s decisions resulted in the acceptance of unreasonable levels of risk.
Further, based on our FY08 work, we can assert the following as being generally true with no reportable exceptions:
• Management of the University is cognizant of their responsibility for internal controls and takes seriously the need for controls and accountability.
• There is respect for the objectives of the Internal Audit Program; a high level of cooperation is received, and there is no interference with either the accomplishment of our tasks or our responsibilities to report to The Regents.
• Managers actively participate in the identification of risks and work collaboratively with Internal Auditors to address issues raised during Audits, Advisory Services engagements, and Investigations.
• Management is comfortable seeking out Internal Audit for advice and consultation on matters with internal control implications.
• Matters of importance are reported to The Regents.
Although we did not identify material control deficiencies, there are opportunities for the University to implement more effective controls in a number of areas, and there are ongoing challenges to effective controls and compliance as indicated by the frequency of observations regarding:
• Information security
• Information privacy
• Supervision, monitoring and account reconciliations
• Timely and accurate effort reporting
• Conflict of Interest/Commitment reporting
• Business continuity and disaster recovery planning
• Adequate separation of duties
See Section II.C at pages 15-17 for a more detailed discussion of internal control challenges and opportunities.
II. Audit Program Results & Analysis
Introduction
The data contained in the following section provides:
• Summary statistical information for the year;
• Systemwide and significant individual audit results; and
• Significant and recurrent control issues.
The data is summarized and analyzed by type of audit service and across functional areas of the University, demonstrating the breadth of coverage. Audit findings are analyzed by functional area, severity, and status of corrective actions.
A. STATISTICS
See also information on staffing and turnover in Section III at pages 29 and 30.
Table 1 and Table 2
High Risk Audit Coverage
In conjunction with the audit planning risk assessment, the top ten risks are identified at each campus and medical center, LBNL and UCOP. Coverage statistics for High Risk items relate to completed audits and advisory service projects. All of the risks initially identified as high risks are either subject to current audit work, reassessed based on later data at a lower risk level, or determined to be addressed through another process (e.g. compliance, management initiative), such that all risks initially identified as high are addressed in some fashion.
Coverage of Core Audit Areas
The audit program has identified a number of core business processes and functions (e.g. payroll, hospital receivables, procurement and disbursements) that are subjected to periodic auditing to ensure coverage over approximately a 3-5 year cycle. The result is an audit approach that is fundamentally risk based, but ensures attention to basic business processes and functions with reasonable frequency.
The chart below distributes effort by service type (7-Year Trend). This chart demonstrates that our continued primary emphasis is the program of regular audits. The chart also depicts a leveling off of the advisory services and investigation activities. Our goal has been to increase the advisory service activity but special audit work has prevented us from achieving that goal.
Chart 1 (axis label: Hours)
B. SYSTEMWIDE AND SIGNIFICANT INDIVIDUAL AUDIT RESULTS
Executive Compensation—We continued to perform an annual review of Executive Compensation, verifying the accuracy of the Annual Report on Executive Compensation. While we found the processes for preparing the report to be generally adequate to ensure its completeness and accuracy, we continue to work with the SMG coordinators to strengthen the processes.
Health Sciences Compliance Programs—For year end 2007, we continued to perform an annual review of the Health Sciences Compliance Programs, reviewing their annual reports, program structure adequacy, and conformance to the commitments made to regulators for the conduct of the programs. We concluded that the programs continued to function effectively. For 2008 and beyond, the new Compliance Program under SVP Vacca assumes monitoring of these programs.
Willed Body Programs—We continued to assess the progress toward full implementation of corrective actions resulting from the report of the Task Force headed by former Governor Deukmejian. While progress in certain areas has been slow, the long-awaited system for tracking of all donations, utilization, allocations and disposition is in the process of implementation. We have reported to Dr. Stobo, SVP for Health Sciences and Services, the continuing needs to complete the secondary phases of the system implementation, finalize the RFID system for material control, and establish a policy for procurement of anatomical material by all UC users.
IT Security—The audit plan for the year anticipated performing a validation of a self assessment carried out by the CIOs at each UC location. While the self assessments were completed, we found that they lacked consistency in applying evaluation criteria that would allow internal auditors to perform uniform validation across the System. As a result, we have worked with UC’s new CIO, David Ernst, on improvements to the process that will be carried out in the current year as a next iteration of the assessments of IT security.
Office of the President, Special Research Programs—At the request of Vice President Beckwith, Internal Audit engaged in a study of organizational structure, compliance with enabling legislation, funding and business practices, and reasonableness of expenditures of the Special Research Programs administered by UC for the state of California. These are the programs related to Breast Cancer, AIDS and Tobacco Related Diseases research. The purpose of the special project was to provide information to VP Beckwith to assist him in reorganization efforts for the research programs.
Education Loan Policy—Based on a systemwide audit assessment of UC’s student lending programs and practices late in the prior year, we were instrumental in the formulation of revised UC Presidential Policy on Education Loan Practices.
Professional School Admissions—At the request of then Provost Humes, and in response to the findings of a UCLA investigation, we performed a systemwide review of admissions practices for professional schools in the health sciences. While the review identified no improper practices, we made a number of recommendations to improve processes, documentation of admissions decision-making criteria and management of potential conflicts of interest that will aid clarity, consistency and transparency.
Major Investigations—Several notable investigations were concluded which have earlier been the subject of communications to The Regents and management. Those with the most significant outcomes and internal control implications include:
• UC Davis Food Stamp Nutrition Education Program fraudulent expenditures and unallowable costs,
• UCSD Preuss Charter School grade changes and related matters,
• UCI Communications payments to a non-existent vendor controlled by an employee, and
• the UCLA/UC Santa Barbara Electrical and Computer Engineering investigation of payments to a full time employee for services through a temporary services agency.
For some of the cases, there remain pending criminal and administrative actions. Internal control contributing factors in the investigations and corrective actions are included in observations expressed in following sections of this report.
C. SIGNIFICANT AND RECURRENT INTERNAL CONTROL ISSUES
From the body of audit work performed during the year, including investigations, following are the most significant and recurrent control issues. Many of these are the subject of specific management corrective actions in the environment where the issues were identified, others are the subject of broader systemwide initiatives, while still others are endemic and require continual attention by management.
• Information Security—Compliance with University policy (IS 10) is challenging because of the magnitude of electronic devices, their disparate locations, mobility and the frequency of change in users needing access to our networks. The CIOs are engaging in self assessment efforts, but department management and employees need to be more vigilant and rigorous in protecting access and content.
• Information Privacy—Continuous improvement is needed in assurance of adequate access controls, improved monitoring, frequently refreshed training and enforcement. Recommendations are due in January 2009 from several workgroups relative to HIPAA control improvements.
• Effort Reporting—UC’s new effort reporting system provides for improved compliance monitoring. However, while the system can help improve timeliness, it cannot ensure the accuracy of data verified by people knowledgeable about the actual expenditure of effort. External reviews by regulatory agencies have confirmed the need for both improved compliance and cultural awareness of the need for rigorous accountability in reporting effort charged to sponsored projects. A 2008-09 systemwide audit is planned.
• Conflict of Interest/Commitment Reporting—University policies and state laws are numerous, complex and subject to multiple reporting mechanisms. In addition to compliance efforts to ensure that reporting requirements are met, guidance on policy/law interpretation and application, and monitoring of reported information are in need of continuous improvement.
• Supervision, Monitoring and Account Reconciliation—The causal assessment in many investigations identifies poor supervision, failed oversight, and the absence of monitoring activities as root causes. Significantly, Principal Investigators are frequently found wanting in the exercise of fiscal oversight of research funds. UCD is developing PI fiscal accountability training that would benefit other locations as well.
• Separation of Duties—The University’s highly decentralized structure creates challenges for separation of duties at the departmental level. The antidote for inadequate separation of duties is usually increased oversight and supervision. Therefore, coupled with the previous observation about inadequate supervision, auditors encounter frequent situations in which employees’ responsibilities are incompatible and there is no mitigating control. As budget cuts result in reduced staffing, the problem can be exacerbated. Guidelines for adequate separation of duties are offered by internal auditors throughout the system, and assistance in assessing the risk of excessive or incompatible duties is also available through training programs.
• Business Continuity/Disaster Recovery Planning—While major systems and business processes are the subject of planning, many smaller departments lack plans for business continuity in the event of a disaster or other business interruption and would find themselves unprepared in the face of such an event. Where encountered, auditors make recommendations at the business unit level; however, University leaders could support such efforts by incorporating increased expectations in unit leaders’ goals and evaluations.
The University’s control challenges are made more acute by the shortage of resources to address all issues with adequate solutions, especially technology solutions. UC has continued to experience substantial growth without comparable investment in administrative systems and infrastructure, including personnel. Historically, UC has relied on many people-based controls at the transaction or “event” level, together with trust and the goodwill of a committed workforce. With dated systems and a diminishing capacity of people-based processes, the reliability of controls becomes more and more suspect. As a result, the challenges to the control systems are chronic and require new and different approaches.
The creation of the Compliance & Ethics programs is an important new initiative, as is the beginning of the establishment of an Enterprise Risk Management system. In addition, Internal Audit recommends a more aggressive use of continuous monitoring techniques (data mining, analytical and budgetary reviews, scanning for anomalies, etc.) to identify possible aberrant events and to improve oversight as a deterrent to inappropriate behavior.
D. STATISTICAL INFORMATION – Coverage and MCAs
As previously indicated, our FY08 audit program work produced 652 audit, advisory service, and investigation reports resulting in 2,253 Management Corrective Actions (MCAs). The chart below depicts the breadth of coverage over the 13 major functional areas of the University. As shown in the table below, the distribution of MCAs correlates closely with the effort expended across the functional areas. This demonstrates that there are opportunities for control improvement wherever our attention is focused.
Table 3
Chart 2
The chart below shows the risk rating of the 2,253 MCAs for FY08 by service type. Each audit finding and its associated MCA is given a rating of high, medium or low risk by the auditors. This judgment is made in a local context, and items identified as high do not necessarily convey material deficiencies or risks beyond the operating environment in which found. A primary objective of this classification is to drive a greater sense of urgency in completing the corrective action and completion of audit follow-up. High risk MCAs would include those that are systemic or have a broad impact, have contributed to a significant investigation finding, are reportable conditions under our professional literature, create health or safety concerns, involve senior officials, create exposure to fines, penalties or refunds or are otherwise judged as significant control issues.
Chart 3
Status of Completion of Management Corrective Actions
MCAs are classified initially as open and are only moved to closed status after validation by auditors that the agreed upon corrective actions have been taken and sustainable improvement has been achieved. The number of open MCAs increased from 610 to 1,073 at the end of the year because of the significant volume of new MCAs resulting from current year audit activities. The overall churning of MCAs, with closures representing nearly three times the opening volume and nearly 80% of new MCAs, demonstrates that in general management completes the agreed upon corrective action in a timely fashion.
The following charts display the completion status for the entire population of MCAs with more detailed analysis of high risk past due items, which are individually reported starting on page 23. We believe that reporting to the Audit Committee the unmitigated high risk audit findings fulfills a core professional obligation.
The chart below shows the status of all 11,782 MCAs. The 91% overall rate of closure of the MCAs to date reflects the success of audit follow-up efforts. The 93% rate of closure for high risk items reflects their appropriately greater attention. The reasons for untimely completion are unique to each situation; however, a common factor has been delays in systems solutions. Resource constraints are the other most commonly cited reason. For all high risk past due items, auditors have determined that the matter is currently receiving the attention needed to bring it to closure in a reasonable time frame.
Table 4
Chart 5
The chart below shows the aging statistics of the inventory of 182 Open High Risk MCAs. The majority of the open items (163) are not yet due; however, 19 are past due. These past due issues have been brought to the attention of senior management and active resolution plans are in process. The goal of reducing these items to zero (or a negligible number occasioned by highly unusual circumstances) is clearly understood and accepted by all responsible for addressing these items. The 19 past due MCAs are listed on the following pages.
Chart 6
Past Due High Rated MCAs
Table 5
III. Internal Audit Program—Benchmarks & Improvement Initiatives
This section contains an analysis of staffing levels by location compared to UC and industry benchmarks. The analysis is based on the authorized staffing levels rather than the number of positions actually filled at any moment in time. For FY08, the Internal Audit Program operated at approximately 89% of authorized capacity due to turnover, and positions left open because of budget constraints.
This section also contains a table of miscellaneous statistical information for the University Audit Program. And lastly, this section chronicles change initiatives and program improvements currently underway.
The charts below display staffing benchmarks for the campuses and Office of the President. UC in general varies from the higher education benchmark average for expenditures per auditor by a substantial margin, and this gap has widened in recent years. However, when combined with the employee ratio data, you can see that UC employees in general are more highly leveraged than our average counterparts. As a result, at only four campuses, UCB, UCD, UCI and UCSF, is there some concern regarding staffing adequacy. In general, the smaller institutions appear to be better staffed. However, this is due to the fact that certain audit activities are not directly impacted by size. We share this information with management at each location for the purpose of assessing the adequacy of the audit program staffing.
Chart 7
Chart 8
Staffing Statistics
Professional Staff:
• Average Years Total Audit Experience: 17 years
• Average UC Audit Experience: 10 years
• Average Years Audit Director Experience: 13 years
• Percent of Audit Staff with Bachelors Degree: 99%
• Percent of Audit Staff with Advanced Degrees: 30%
• Percent of Staff holding Professional Certifications: 83%
• Staff Turnover*: 15%
• 2007-08 Average Training Hours Per Auditor: 74 hours
* Staff turnover included 6 departures for positions within UC, which is generally viewed positively, 10 departures outside of UC and 3 retirements. Historically, most turnover has occurred at the lower staff levels with a very stable director and manager group. In 2007-08, however, two directors left for positions outside UC, one retired and one is currently preparing for retirement. Recruitments are under way for all open leadership positions.
Chart 10
• Quality Assurance Review (QAR)
In June 2008, Protiviti reported on their Quality Assurance Review of the UC Internal Audit Program. While the results were generally favorable, confirming a program that meets all professional standards, Protiviti provided a number of recommendations for further improvement of the Program, most notably in the IT audit program. Since receiving the report, a workgroup of UC Audit Directors has redefined the expectations of the UC IT audit program, and under a new systemwide IT audit leadership structure, is addressing the issue of skills, resources and programs to meet the revised expectations for each UC audit location.
• CIA Designation Initiative
The Certified Internal Auditor (CIA) designation is the only globally accepted certification for internal auditors and remains the standard by which individuals demonstrate their competency and professionalism in the internal auditing field. At present, the University of California has 100 auditors at 11 locations, of whom 33 hold the CIA designation. In an effort to increase the number of UC auditors holding this designation, the Office of Ethics, Compliance, and Audit Services has sponsored a CIA designation drive. At present 25 auditors from 9 locations have signed up to participate in this effort.
• CARTS
The systemwide audit program is in the midst of a project to improve our internal project management and reporting capabilities through development of web based modules for time reporting, project management, quarterly reporting to the University Auditor and management of MCAs. The initial module is in use at several locations and all of the system’s capabilities are expected to be rolled out during the current year for full utilization by the beginning of the next fiscal year.
• IIA Research Project
The auditing profession has long struggled with the question of how to determine the appropriate staffing level for an audit program. The existing benchmark data tends to consider organization size as the only driver. There is an increasing awareness that risk varies considerably within comparably sized organizations and that audit staff size should be related more to risk than size. In addition, the creation of compliance and ethics programs has served to somewhat change the role of internal audit for many institutions. UC, in partnership with the Institute of Internal Auditors Research Foundation and the Association of College and University Auditors, is sponsoring an academic-led research project to identify improved measures of staffing adequacy factoring in more variables than organization size. The results are expected in the winter of 2009.
Appendix 1 – University of California Internal Audit Program

The Regents’ Committee on Audit
UC President M. G. Yudof
SVP, Chief Compliance and Audit Officer, S. Vacca
EVP, Business Operations K. Lapp

Location leadership:
• UCB: Chancellor Birgeneau
• UCD: Interim Provost and Executive VC Horwitz
• UCI: Vice Chancellor Brase
• UCLA: Vice Chancellor Olsen
• UCR: Vice Chancellor Bolar
• UCSB: Vice Chancellor Carpenter
• UCSC: Vice Chancellor Vani
• UCSD: Vice Chancellor Matthews
• UCSF: Interim Vice Chancellor Lopez
• LBNL: Laboratory Director Chu

Audit offices:
• University Auditor: P.V. Reed (2.5)
• UCI: P. Reed (acting) (9)
• UCR: M. Jenson (6)
• UCSC: G. Gail (6)
• UCSF: A. Zubov (12)
• UCLA: E. Pierce (27)
• UCSB: C. Whitebirch (6)
• UCSD: S. Burke (16.2)
• UCOP: P. Reed (6.5)
• UCD: R. Catalano (12)
• UCB: W.L. Riley (8.5)
• LBNL: T. Hamilton (6)

Total Professional Staff, including the Director, is in parentheses.
Total Authorized Professional Positions = 117.7
(LANL & LLNL Audit Departments not reflected in UC Audit Program)