Internal Audit Annual Report

Transcription

1 Internal Audit Annual Report For the Fiscal Year Ended August 31, 2017 Office of Internal Audit 800 West Campbell Rd., SPN 32 Richardson, TX

2 November 1, 2017 Dr. Richard Benson, President Ms. Lisa Choate, Chair of the Institutional Audit Committee: We are pleased to submit the annual report of the Office of Internal Audit for the fiscal year ended August 31, This report is required by the Texas Internal Auditing Act and provides information on the assurance services, consulting services, and other activities of the internal audit function. During fiscal year 2017, we issued 21 reports related to audits, consulting reviews, and investigations. We believe the work of our office has enhanced university operations and provided value to management with recommendations relating to governance, risk management, and control processes at the University of Texas at Dallas. If you have any questions about the contents of this report, please do not hesitate to contact me. Respectfully submitted, Toni Stephens, CPA, CIA, CRMA Chief Audit Executive Report Distribution: State Auditor s Office Governor s Office of Budget, Planning, and Policy Legislative Budget Board Sunset Advisory Commission Members of the UT Dallas Audit Committee UT System Audit Office 2

3 Table of Contents Purpose of the Annual Internal Audit Report... 4 I. Compliance with Texas Government Code, Section II. Internal Audit Plan for FY III. Consulting Services and Nonaudit Services d... 6 IV. External Quality Assurance Review... 7 V. Internal Audit Plan for FY VI. External Audit Services Procured in Fiscal Year VII. Reporting Suspect Fraud and Abuse... 7 A. Fraud Reporting... 7 B. Coordination of Investigations... 8 VIII. Office of Internal Audit... 9 A. Staff Size and Organization Chart... 9 B. Staff Experiences and Certifications C. Training D. Contributions to the Profession Appendix 1: FY17 Audit Plan Appendix 2: External Quality Assurance Review Appendix 3: FY18 Audit Plan Appendix 4: Status of FY17 Audit Recommendations

4 Purpose of the Annual Internal Audit Report The purpose of this annual report is to provide information on the assurance services, consulting services, and other activities of the internal audit function. In addition, the annual internal audit report assists oversight agencies in their planning and coordination efforts. The Texas Internal Auditing Act, Texas Government Code, Chapter 2102, requires that an annual report on internal audit activity be filed by November 1st of each year and submitted to the Governor, the Legislative Budget Board, the Sunset Advisory Commission, the State Auditor s Office (SAO), and the entities governing boards and chief executives. The SAO prescribes the form and content of the report. The annual report was prepared using the guidelines provided by the Texas State Auditor s Office. In addition to the minimum requirements, we also included other information we felt was important to the internal audit operations during fiscal year (FY) Additional information regarding the UT Dallas Office of Internal Audit can be found at the following website: 4

5 I. Compliance with Texas Government Code, Section Texas Government Code, Section , requires that the internal audit plan and the internal audit annual report be posted on the institution s website. Accordingly, the Office of Internal Audit has posted its and the approved FY18 Audit Plan at the following website: II. Internal Audit Plan for FY17 The UT Dallas 2017 Audit Plan outlined the internal audit activities to be performed by Internal Audit during FY 2017 in accordance with responsibilities established by the UT System, the Texas Internal Auditing Act, the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing, and Generally Accepted Government Auditing Standards, consistent with the UT Dallas Audit Charter. The plan is prepared using a risk-based approach to ensure that areas and activities specific to UT Dallas with the greatest risk are identified for consideration to be audited. The information on Appendix 1 contains the Internal Audit Plan for FY 2017, including the status of the plan at October 13, Audits that were postponed or deleted were approved by the UT Dallas Institutional Internal Audit Committee. As required by the State Auditor s Office FY 2017 guidelines for submitting this report, the following audits were performed: A compliance audit of Benefits Proportionality Funding (Report No. R1619) was completed on March 7, The audit resulted in no issues or significant recommendations. This was required by Rider 8 of the General Appropriations Act (85 th Legislature). An audit of FY15 17 will be conducted in FY18. An assessment regarding purchasing, required by the Texas Education Code, Section (h), was conducted, and a report was issued on October 26, Based on the results of our review, UT Dallas has generally adopted all of the policies and procedures outlined in Senate Bill 20 and TEC , and recommended enhancements were included in the report. These rules and policies will continue to be assessed annually to ensure continued compliance with TEC In addition, Internal Audit issued a report on Outside Contractors, dated January 23, 2017, to satisfy the requirements in the Code regarding risk-based audits. 5

6 III. Consulting Services and Nonaudit Services d The following is a list of consulting services completed in FY17, as defined in the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing. Consulting services are advisory in nature and are generally performed at the specific request of an engagement client. Date Issued Title High-Level Objectives 2/22/17 Environmental Health & Safety Governance Review To determine if effective governance processes existed within the department. 6/15/17 Faculty Start-ups To review faculty start-up funding commitments. 7/18/17 Texas Biomedical Device Center 7/25/17 University-wide Audit Recommendations To evaluate the Center s financial and accounting processes, internal control systems, and the effectiveness and efficiency of related operations and controls. To provide management with university-wide recommendations resulting from Texas Biomedical Device Center Review. Observations, Results, and Recommendations Opportunities existed to enhance governance in the areas of organizational culture and structure, mission and operating objectives, risk management and risk assessment, purchasing, and policies and procedures. Opportunities existed to consider streamlining and enhancing the processes surrounding budgeting and monitoring for faculty start-up funds. The Center should enhance processes to improve departmental operations in the areas of business planning, policies and procedures, risk assessment and monitoring, conflicts of interest, controlled substances, expenses, badge access, property, and business continuity planning. Opportunities to improve university-wide controls in the areas of programs for minors and summer camps, conflicts of interest, contracting, and catering and events. The Office of Internal Audit did not perform any non-audit services as defined in Government Auditing Standards during FY17. 6

7 IV. External Quality Assurance Review In accordance with IIA Standards and the Texas Internal Auditing Act, an external quality assurance review was conducted during FY17; however, the final report is currently in draft and will be released before the end of the calendar year. A copy of that report will be included in the FY18 Annual Internal Audit Report. A copy of the report from FY14 has been attached at Appendix 2. V. Internal Audit Plan for Fiscal Year 2018 The FY18 Internal Audit Plan was approved by the UT Dallas Institutional Audit Committee with final approval by the UT System Board of Regents Audit, Compliance, and Risk Management Committee on August 23, A copy of the plan, including budgeted hours, the risk assessment methodology, identified high risks not on the plan, and audits addressing certain State requirements, is attached at Appendix 3. VI. External Audit Services Procured in Fiscal Year 2017 The following external audit services, including financial and performance audits and attestation engagements, reviews, and agreed-upon procedures, were procured during FY17. External Auditor Weaver Deloitte Services Provided CPRIT audit SACSCOC financial statement review for FY17 VII. Reporting Suspected Fraud and Abuse The following actions were taken by The University of Texas at Dallas to implement the requirements of reporting suspect fraud and abuse by the General Appropriations Act: A. Fraud Reporting Section 7.09, Fraud Reporting, General Appropriations Act (85 th Legislature, Conference Committee Report), Article IX A state agency or institution of higher education appropriated funds by this Act, shall use appropriated funds to assist with the detection and reporting of fraud involving state funds by: 7

8 (1) providing information on the home page of the entity's website on how to report suspected fraud, waste, and abuse involving state resources directly to the State Auditor's Office. This shall include, at a minimum, the State Auditor's Office fraud hotline information and a link to the State Auditor's Office website for fraud reporting; and (2) including in the agency or institution's policies information on how to report suspected fraud involving state funds to the State Auditor's Office. The following actions have been taken by UT Dallas to ensure compliance with the fraud reporting requirements: UT Dallas has a link for fraud reporting under Required Links at the University s home page, which provides information about reporting fraud, waste and abuse to the State Auditor s office. UT Dallas has a hotline for reporting suspected noncompliance, ethics violations, and fraud at The Office of Internal Audit has a website for fraud at The Standards of Conduct Guide includes information on fraud, waste, and abuse. UT Dallas complies with this in conjunction with the UT System Policy UTS118, Statement of Operating Policy Pertaining to Dishonest or Fraudulent Activities, located at B. Coordination of Investigations Texas Government Code, Section , Coordination of Investigations a) If the administrative head of a department or entity that is subject to audit by the state auditor has reasonable cause to believe that money received from the state by the department or entity or by a client or contractor of the department or entity may have been lost, misappropriated, or misused, or that other fraudulent or unlawful conduct has occurred in relation to the operation of the department or entity, the administrative head shall report the reason and basis for the belief to the state auditor. The state auditor may investigate the report or may monitor any investigation conducted by the department or entity. b) The state auditor, in consultation with state agencies and institutions, shall prescribe the form, content, and timing of a report required by this section. c) All records of a communication by or to the state auditor relating to a report to the state auditor under Subsection (a) are audit working papers of the state auditor. The following actions have been taken by UT Dallas to ensure compliance with the Coordination of Investigations requirements: 8

9 The Office of Internal Audit reports the activities listed in (a) above to the State Auditor s Office via their website at: sao.fraud.texas.gov/reportfraud/. The Office of Internal Audit also reports the activities listed in (a) above to the UT System Audit Office. VIII. Office of Internal Audit A. Staff Size: The organization chart consists of the organization structure as of October

10 B. Staff Experiences and Certifications: The internal audit staff consists of highly qualified and skilled audit professionals with certifications including Certified Public Accountant (CPA), Certified Internal Auditor (CIA), Certified Information Systems Auditor (CISA), Certified Fraud Examiner (CFE), Certificate in Risk Management and Assurance (CRMA), GIAC Systems and Network Auditor (GSNA), and Certified IDEA Data Analyst (CIDA). A complete list of internal audit qualifications can be found at C. Training: Internal Audit staff received an average of 55 hours of continuing professional education during fiscal year Key areas of training included emerging audit issues, governance, risks and controls, information systems auditing, leadership, fraud, compliance, ethics. Most of the training was received by participating in conferences, seminars, and webinars offered by the Association of College and University Auditors (ACUA), the Dallas Chapter of the Institute of Internal Auditors (IIA), the Texas Association of College and University Auditors (TACUA), the Institute of Internal Auditors, ISACA, and the Association of Certified Fraud Examiners (ACFE). D. Contributions to the Profession: Members of the staff contributed to the profession in numerous ways: The Chief Audit Executive (CAE) participated on the Association of College and University Auditors (ACUA) faculty and served as the Chair of the Volunteer Appreciation Committee. The CAE served as a member of the Internal Auditing Education Partnership Program advisory board at the UT Dallas Naveen Jindal School of Management. The audit staff works with and mentors student interns in the Internal Auditing Education Partnership (IAEP) program as they participate in various audit projects as student auditors during the year. During fiscal year 2017, Internal Audit worked with 11 student interns. The CAE spoke at various professional conferences on the topic of internal auditing standards and audit committees and spoke to the IAEP fall 2016 and spring 2017 classes on risk assessment and audit planning. The CAE participated in peer reviews of two large universities. The IT Audit Manager was appointed as President-Elect of the Texas Association of College and University Auditors (TACUA) and managed the TACUA website. Two of the staff auditors served on committees for the Dallas IIA Chapter. 10

11 Appendix 1: FY17 Audit Plan Report # Report Date Academic Hiring and Compensation Campus Clinics Campus Construction Collaboration Tools Confidential Data Management Data Warehouse Reporting Decentralized Computing Disaster Recovery Process Ethics IT Governance IT Incident Response Plan Risk Based Audits Carryforward In Progress In Progress In Progress Carryforward Carryforward In Progress In Progress Carryforward Carryforward Cancelled R /23/2017 Lab Safety Report Issued Property Management In Progress Purchasing Process Cancelled R1712 2/13/2017 Research Units (Research Centers) Report Issued Research Expenditures In Progress R /6/2017 Tax Compliance Report Issued R1716 7/18/2017 Title IX Report Issued Travel and Reimbursements Reserve for FY 16 carryover audits R1801 9/5/2017 School of ATEC Report Issued R1715 6/21/2017 Hobson Wildenthal Honors College Report Issued R /4/2016 Naveen Jindal School of Management Report Issued Academic Advising In Progress R1714 2/28/2017 Technology Commercialization Report Issued R /12/2016 One Card Report Issued R1710 1/23/2017 Outside Contractors Report Issued R1709 1/10/2017 Gifts Report Issued CR1702 6/15/2017 Faculty Startups Memo Issued CR1701 2/22/2017 EHS Governance Review Memo Issued Networking Consulting Cancelled Financial Aid Eligibility Cancelled R1713 2/16/2017 Databases Report Issued R /12/2017 Unix Report Issued R /24/2016 Education Abroad Report Issued R1701 9/8/2016 Confucius Institute Report Issued R /25/2016 TouchNet Applications (Marketplace) Report Issued Required Audits (External and Internal) Assistance to External Auditors - Financial Statement Assistance to External Auditors - State or Federal Assistance to UT System Auditors - Presidential Audit R /23/2017 Emergency Management/Preparedness Report Issued R1717 8/1/2017 Executive Travel and Entertainment (UT System) Report Issued R1708 1/9/2017 Financial Statement Certifications (UTS 142.1) Report Issued R /11/2016 JAMP (UT System) Report Issued R1711 2/1/2017 Lena Callier Trust (UT Dallas Trust Agreement) Report Issued R /23/2017 Purchasing (Senate Bill 20) FY 2017 Audit Plan Current Status Report Issued Comments Combined with Report No. 1717, Executive Travel and Entertainment This audit satisfies requirements in Texas Education Code, Section This audit satisfies requirements in Texas Education Code, Section

12 Report # Report Date Fraud Training Initiative Logging Infrastructure Monthly Financial Reporting Change in Leadership Reviews Consulting Reserve for Consulting Project Requests In Progress Cancelled In Progress Not considered a project for reporting purposes Considered a reserve and not a project Considered a reserve and not a project Research Compliance Data Analytics No report issued Responding to Institutional Requests for Information and Advice No report issued CR1703 7/18/2017 Texas Biomedical Device Center Memo Issued Departmental Consulting Reviews Development No report issued Center for Lithospheric Studies School and Division Reviews Schools of Behavioral and Brain Sciences Postponed Carryforward Considered a reserve and not a project School of Natural Sciences and Mathematics Awaiting Provost review VP Administration Investigations Investigations Carryforward CR1704 7/25/2017 Investigation Memo Issued Follow Up Quarter 1 Quarter 2 Quarter 3 Quarter 4 Reserve FY 2017 Audit Plan Reserve Development - Operations Executive Management and Leadership of the IA Department Current Status Comments Considered a reserve and not a project External Quality Assurance Review FY 2018 Audit Plan Hotline Team Participation Internal Audit Annual Report Internal Audit Committee Internal Audit Monthly Staff Meetings Internal Quality Assurance and Improvement Plan Maintenance and Implementation of Audit Software and Technical Support Participation on UT Dallas Committees Reporting Requests Staff Recruiting Development - Initiatives & Education CPE Training CPE Travel Participation in Professional Organizations/Associations Participation in Quality Assurance Reviews for Other Organizations (University of Miami) Professional writing, publications, external presentations UT Dallas Initiatives UT Dallas SACSCOC Participation UT System Academic CAE Weekly Meetings UT System Initiatives TeamMate Project Data Analytics Projects Not considered a project for reporting purposes Not considered a project for reporting purposes 12

13 Appendix 2: External Quality Assurance Review 13

14 14

15 15

16 16

17 17

18 18

19 19

20 20

21 Appendix 3: FY18 Audit Plan (Note: items shaded in light green were performed based on State requirements) FY 2018 Audit Plan Original Budget General Objective/Description Risk Based Audits Audits of operations/processes with the highest number of critical risks Academic Hiring and Compensation Audit of the hiring process for faculty (carried forward 500 from FY17) Admissions and Recruiting Process Review admissions and recruiting process, including IT 500 tools, for effectiveness and efficiency Brain Performance Institute The BPI is a new institute. To evaluate financial and 300 accounting processes, internal controls systems, and the effectiveness and efficiency of related operations and controls. Conflicts of Interest 400 Audit of university-wide conflicts of interest. Data Warehouse Reporting Audit of university-wide data warehouse reporting and 400 accuracy of financial information (carried forward from FY17) Departmental Reviews (School of BBS; School of EPPS; Callier Center; Parking & Transportation; Material Science; Athletics) Requested by President and executive management. Risk-based departmental reviews of schools, divisions, departments. COSO-based reviews will focus on internal controls and will include high risks such as purchasing cards, financial controls, time reporting for non-exempt employees, receipting, and use of student fees. Overall objective: to evaluate financial and accounting processes, internal controls systems, and the effectiveness and efficiency of related operations and controls. Departmental Review School of BBS 150 " Departmental Review School of EPPS 150 " Departmental Review Callier Center 125 " Departmental Review Parking & Transportation 125 " Departmental Review Material Science 125 " Departmental Review Athletics 125 " Ethics Determine if UT Dallas has an effective ethics program 200 in place (carried forward from FY17) HIPAA 400 Audit of HIPAA compliance (privacy and security) Institutional Compliance Program IT Governance Library Operations Payroll Confirmation (time and effort reporting) PeopleSoft Infrastructure Review Policy and Procedure Governance Programs for Minors Audit of the effectiveness of the institutional 300 compliance program. Assess whether the IT governance supports UT Dallas' 300 strategies and objectives; new leadership in OIT (carried forward from FY17) Audit of library operations related to information 400 technology. Audit to ensure compliance with new Uniform 300 Guidance regarding time and effort reporting To provide assurance that outdated instances of PeopleSoft are not being maintained on servers, 500 reducing the risks of data compromise, by obtaining an inventory on number of instances of PeopleSoft that are utilized by the institution Audit of university-wide policy and procedure 200 governance Audit to determine if the new Programs for Minors program is effective and complies with applicable 300 policies, laws, and procedures related to minors on campus 21

22 Purchasing Process Research Participants Restricted Research Expenditures Scholarships FY 2018 Audit Plan Original Budget General Objective/Description Audit to ensure the bidding process is effective to ensure compliance with applicable regulations (carried forward from FY17) - Audit satisfies requirements in Texas Education Code, Section Audit of human subjects for compliance with federal regulations, including review of the clincard system Audit of FY 17 restricted research expenditure reporting process to ensure reliability of information 500 Audit to ensure effectiveness of scholarship process Social Media Audit to ensure that social media is being effectively 400 managed Texas Administrative Code (TAC) 202 Provide assurance on compliance with TAC 202, including patching and two factor authentication 400 review. Audit satisfies risk-based audit requirements relating to TAC 202, Informaiton Security Standards. Texas Analog Center of Excellence (TxACE) To evaluate research center financial and accounting processes, internal controls systems, and the 300 effectiveness and efficiency of related operations and controls. University Reserves Audit to ensure the accuracy and management of the 300 University's financial reserves Risk Based Audits Subtotal 8,900 Required Audits (External and/or Internal) Audits required externally by entity, statute, etc. or internally by policy, UT System, etc. Benefits Proportionality Conduct an internal audit of benefits proportional by fund as required by the General Appropriations Act B00001F.pdf Federal Portion of the Statewide Single Audit Assistance to SAO Assistance provided and/or meetings attended for 20 external auditors for state or federal agencies, including the State Auditor's Office. Financial Statement Audit Assistance The external auditor will conduct this audit and related hours to budget will be separately distributed. 250 Assistance provided and meetings attended included in this budget. 200 hours for FY17 fieldwork; 50 hours for FY18 interim Lena Callier Trust Annual audit, required by the Trust Agreement, to 80 ensure compliance with the terms of the agreement. Purchasing (Senate Bill 20) Internal Audit shall annually assess whether UT Dallas has adopted the rules and policies required by Senate 20 Bill 20. Audit satisfies requirements in Texas Education Code, Section UTS Assurance Work The institutional Chief Audit Executive shall perform annual testing, within 60 days of the fiscal year end, of 100 the Monitoring Plan and the subcertifications, and validate the assertions on segregation of duties and account reconciliations. Due October 30, Required Audits Subtotal

23 Risk-Based Consulting Change in Leadership Reviews FY 2018 Audit Plan Original Budget General Objective/Description Consulting with Housing on Transition from Management Company 20 Data Analytics Projects Participation in SACSCOC Participation on University Committees and UT Dallas Initiatives Advisory and related client service activities, the nature and scope of which are agreed with the client, intended to add value and improvement governance, risk management, and control processes. Examples include counsel, advice, facilitation, and training. Meetings with new leaders to discuss departmental controls. May result in consulting review. Meetings with housing to discuss transition from the management company to ensure appropriate internal controls are in place. Time spent conducting data analytics projects for campus departments as requested by management Meetings and committee work. CAE is on the following SACSCOC Committees: Steering Committee, Institutional Effectiveness Committee, and Financial and Physical Resources and IT Committee. Site visit FY18. Participation on various IT, finance, and other committees, not including the SACSCOC committees. Current committees include Finance/Budget; Cabinet; Business Management Council; Compliance Advisory Committee; Executive Compliance Committee; Endowment Team; Information Security; OnBase Users Physical Access Controls - Smart Card implementation 20 Meetings for implementation of new smart card system Providing Advice to University Employees 30 Training Provided by Internal Audit to UT Dallas 40 Vulnerability Assessment 80 Reserve for Consulting Reviews 200 Risk-Based Consulting Subtotal 670 Investigations Reserve for Investigations 200 Investigations Subtotal 200 Follow Up Documented in the consulting matrix, advice given to university employees requesting information, seeking advice, etc. Training initiatives - including fraud training project (carried forward from FY17) Project with CISO Office to conduct vulnerability assessments on the network Reserve for consulting reviews requested during the year Investigations from hotline calls, management requests, etc. Follow-up procedures conducted to verify the implementation status of past recommendations made Quarter 1 40 Quarter 2 40 Quarter 3 40 Quarter 4 40 Follow Up Subtotal

24 FY 2018 Audit Plan Original Budget General Objective/Description Risk-Based Reserve Hours reserved for unanticipated audits (risk-based or required), or other activities that may arise. Reserve for FY17 Carryover Audits 500 Audits expected to be in process at 8/31/17 Decentralized Computing AU17-07 Disaster Recovery AU17-08 Collaboration Tools AU17-04 Confidential Data Management AU17-05 Property AU17-13 Campus Clinics AU17-02 VP Administration C17-11 Campus Construction AU17-03 Restricted Research AU17-16 Emergency Management Academic Advising Lab Safety Purchasing (Senate Bill 20) Internal QAR Tax Compliance Monthly Financial Reporting Total FY17 Carried Forward 500 Reserve for Unanticipated Audits or Other Activities 426 Reserve for unanticipated audits or other activities Development - Operations Risk-Based Reserve Subtotal 926 Activities necessary to execute the audit function. Annual Internal Audit Report Required report of Internal Audit Activity - Texas 20 Internal Auditing Act. Report due 11/1/17 to State Auditor's Office CAE Weekly Meetings with UT System Meetings with Executive Director and academic Chief 50 Audit Executives Executive Management and Leadership of the IA Department Includes hiring, development, budgeting, performance appraisals, administrative duties, leadership, promoting the internal audit department, executive 500 meetings, and all other responsibilities of the CAE and/or IT Audit Manager that are not directly attributable to a specific audit project. External Quality Assurance Review External QAR planned for first quarter of FY18. Hours 50 allocated for preparation, meetings, interviews, etc. FY 19 Audit Plan Development of the FY19 Audit Plan, including risk 120 assessments Hotline Participation Participation on the hotline team and reporting. 20 Investigations to be tracked separately as needed. Internal Audit Committee Internal Audit Committee preparation and 120 participation Internal Quality Assurance and Improvement Program Internal Quality Assurance and Improvement Program 40 activities or other quality processes Monthly Staff Meetings Staff meetings are held once a month for approximately two hours. During the meetings, a representative from 250 campus may come to talk about their area to educate the staff on their operations. Reporting and Requests for Information Requests for information and reports from UT System, 20 SAO, and other external organizations. TeamMate Maintenance TeamMate implementation and other responsibilities 100 of the TeamMate Champion Technical Support Work and assistance provided to audit staff related to 80 IDEA and other technical support issues Website Maintenance 30 Updating and maintaining website Development - Operations Subtotal 1,400 24

25 FY 2018 Audit Plan Original Budget General Objective/Description Development - Initiatives and Education Activities that improve the internal audit function's capacity. CPE & related travel Continuing Professional Education for credit and noncredit, including compliance training and travel 650 associated with CPE Participation in Professional Organizations Participation on committees for professional 100 organizations, including TACUA Board, IIA Board, and ACUA Participation in Quality Assurance Reviews for Other Participation on quality assurance reviews for another 80 Organizations organization. Professional writing, publications, external presentations Speaking and writing/publications for audit-related 150 organizations. Student Internship Program Time spent by internal audit staff recruiting and 40 mentoring student interns System Audit Office Initiatives Participation in UT System Audit initiatives, such as 100 committees, calls, etc. Development - Initiatives and Education Subtotal 1,120 Total Budgeted Hours 13,966 Methodology The UT Dallas 2018 Audit Plan outlines the internal audit activities that will be performed by Internal Audit during FY 2018 in accordance with responsibilities established by the UT System, the Texas Internal Auditing Act, The Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing, and Government Auditing Standards. The plan is prepared using a riskbased approach to ensure that areas and activities specific to UT Dallas with the greatest risk are identified for consideration to be audited. As part of the FY 2018 Audit Plan process, the UT System Audit Office risk assessment methodology was used. The goals for this common risk assessment approach were to start at the top with an awareness of critical initiatives and objectives to ensure the risks assessed were the most relevant. The assessment process was standardized by creating common terms and criteria, enabling trending of risk and Systemwide comparisons. An emphasis was placed on collaboration with other functions that assess, handle, or manage risk. The risk assessment approach was based on a top-down process that included conversations and requests for input with risk collaborators, executives, and managers from the various operating areas on campus, including considerations for the risk of fraud. The graph below depicts the institution risks. 25

26 Critical and High Risks Not Included in FY18 Audit Plan Risk Current strategic plan is outdated and many of the goals have already been accomplished - risk of not achieving the right strategic goals Campus Growth Management - Growth too high to which could and has resulted in inadequate space Enrollment Management - Growth of the student population and how to sustain it while still providing adequate services to students Failure to document institutional IT infrastructure architecture and to implement change-control processes (including creating, maintaining, and revising baseline IT system configurations) Risk of emergency response system not working in the event of a true emergency Risk Mitigation - Other Assurance Provided for Risk Strategic Plan being updated. Attendance at cabinet meetings. Plan audit in FY19. Campus Master Plan being updated and Strategic Plan being updated. Attendance at cabinet meetings. Plan audit in FY19. Strategic Plan being updated. Attendance at cabinet meetings. Plan audit in FY19. Deloitte financial audit will include change management procedures Emergency Management audit performed FY17 Noncompliance with fire and life safety regulations. Included with Emergency Management audit FY17 Noncompliance with waste management regulations could impact safety and result in fines and penalties FY17 Audit of Lab Safety Lack of appropriate oversight over Financial Aid could result in noncompliance and loss of funding FY17 Audit by State Auditor's Office of Financial Aid Clery and VAWA - noncompliance could result in losses in funding, reputational harm, and inability to attract faculty, staff, and students Compliance Review of Clery Act FY17 UT Dallas taking over housing management after having contracted services for many years, which could result in Propose for FY19 as will not starting until FY18. Hours reserved for noncompliance and inefficiencies if not properly planned consulting with Housing on transition. 26

27 Risk Risk Mitigation - Other Assurance Provided for Risk Lack of successful fundraising could affect budget needs of the university FY17 audit of Gifts Noncompliance with donor wishes could result in lost revenues from gifts and endowments FY17 audit of Gifts Lack of donor cultivation could result in loss of gifts and endowments FY17 audit of Gifts Student Counseling - risks of not providing effective services could lead to student safety issues as well as inability to attract students External review of operations conducted; Campus Clinics FY17 audit Noncompliance with tax provisions (UBIT, NRA, etc.) resulting in fines and penalties and noncompliance Audit of Tax Compliance completed in FY17 Risks of fraud, error, noncompliance, and inefficiencies in travel FY17 audit of Executive Travel and Entertainment. Will audit travel reimbursement process and entertainment during departmental reviews. Risks of fraud, error, noncompliance, and inefficiencies in FY17 audit of Executive Travel and Entertainment. Will audit travel business expenses reimbursement process and entertainment during departmental reviews. Cash flows not sufficient enough resulting in need for short-term financing FY17 Audit of Budget Process Inaccurate revenue and expense projections could lead to budget shortfalls during the fiscal year. FY17 Audit of Budget Process Periodic consistent backups that provide stakeholders the capability to recover from incidents are not being performed FY17 audit of disaster recovery. Lack of a comprehensive inventory of technology assets that are connected to the university network Document Imaging application does not have adequate controls in place which impacts availability and security Failure to follow organized life-cycle management practices (development, acquisition, use, transfer, repair, replacement, destruction) for institutional IT resources and systems Inability to recover mission critical ERP/Centralized computing systems in a timely manner in the event of a widespread disaster Adequate Controls are not implemented within the identity management system Inadequate process for reacting to a cyber security incident or event Reliance on CISO. They plan to improve their Governance, Risk, and Control module to improve the current inventory of assets. Suggest review by Internal Audit in FY19. FY16 audit of Onbase, and follow-up procedures on open audit recommendations External financial audit will include change management procedures FY17 audit of disaster recovery In process of implementing a new Identity Management System. Suggest audit in FY19. Reliance on CISO's monitoring processes which will be reviewed during TAC 202 audit. Data breach or leak of sensitive information (e.g., academic, business, or research data) Reliance on CISO's monitoring processes which will be reviewed during TAC 202 audit. 27

28 Risk Failure to control physical access to data centers/facilities and areas housing critical IT resources (e.g., hardware, devices, data, and software) and systems Risk Mitigation - Other Assurance Provided for Risk Reliance on CISO walk-throughs. Consulting on physical access controls smart card project. Inability to adequately manage personal owned mobile devices that are regularly utilized to connect to university infrastructure and access confidential data could allow malware to easily spread FY17 audit of mobile assets by UT System. Inadequate utilization of datacenters that are currently utilized leading to wasted resources, security issues, and disaster recovery risks FY17 audit of decentralized computing Noncompliance with federal regulations over contracts and grants, Uniform Guidance could result in loss of funding FY17 audit of Contracts and Grants Growth of campus and faculty will bring more risks with select agents, biosafety hazards, federal oversight FY17 Audit of Lab Safety Affordable Care Act is a manual process and risks of miscalculation may be increased Changes in federal government may make changes. Consider in FY19 Title IX and EEO - noncompliance could result in losses in funding, reputational harm, and inability to attract faculty, staff, and students Title IX audit FY17 Increasing incidents reported to Title IX could result in inefficiency and noncompliance Title IX audit FY17 Lack of Affirmative Action Plan could increase risks of not having a diverse environment Affirmative Action Plan in process Campus large project construction - could result in risks associated UT System manages large construction projects; FY17 audit of Campus with financial accuracy; planning; efficiency Construction Minor construction at campus level (Facilities Management) resulting in risks associated with cost of repairs; inefficiencies Campus Construction audit FY17 plan FY17 audit of One Cards. Changes in One Card operations to be more Procurement cards are misused resulting in fraud, error, and decentralized; therefore, looking at One Cards during departmental abuse reviews. Lack of records retention compliance and noncompliance with Texas Public Information Act resulting in unauthorized access to confidential and sensitive information, inefficiencies, keeping documentation outside regulatory requirements Included with VP Administration FY17 audit Appendix 4: Status of FY17 Audit Recommendations Texas Government Code, Section , also requires entities to include the following on their website: A detailed summary of the weaknesses, deficiencies, wrongdoings, or other concerns, if any, raised by the audit plan or annual report. A summary of the action taken by the agency to address the concerns, if any, that are raised by the audit plan or annual report. 28

29 To address these requirements, an entity can summarize fiscal year 2017 internal audit recommendations and report on its action and progress toward implementing those recommendations. Suggested progress classifications include: fully implemented, substantially implemented, incomplete/ongoing, or not implemented. Note that substantially implemented indicates that management has stated that the recommendation has been implemented, but Internal Audit has not tested implementation. The following represents the status of implementation on the FY17 audit recommendations as well as any outstanding prior audit recommendations from previous fiscal years. Report Date Report # and Title Recommendation Status FY13-15 Audit Recommendations In Process 8/5/13 R1326, TAC 202 Improve Tools Used to Identify Confidential Information 5/27/14 R1414, Active Directory Review Personal Network Drive Access Permissions Substantially d 5/27/14 R1414, Active Directory Develop Policy Guidelines Specific to Active Director and Monitor User Access Rights for Elevated Privileges 9/12/14 R1501, Onbase Improve Data Management 1/29/15 R1509, Databases Enhance Data Center Management 1/29/15 R1509, Databases Enhance Emergency Program Procedures 1/29/15 R1509, Databases Monitor Asset Useful Life 4/22/15 R1514, Comet Card Develop Policy for Unused UT Dollars Application Security 5/1/15 R1515, Work Order System Implement Validation of Fund Availability Not Implemented 5/28/15 R1516, Lab Safety Update Policies and Procedures 5/28/15 R1516, Lab Safety Enhance Safety Compliance within Labs 7/20/15 R1517, Center for Brain Develop Memoranda of Understanding Health 7/20/15 R1517, Center for Brain Enhance Information Security Controls Health 8/6/15 R1519, Follow-up of Prior Implement Identity Management Audit Recommendations Processes and Tools 8/6/15 R1519, Follow-up of Prior Develop Written Policies for Audit Recommendations Terminating Employee Access 8/6/15 R1519, Follow-up of Prior Continue Monitoring Logs at Education Audit Recommendations Resource Center 8/6/15 R1519, Follow-up of Prior Monitor and Track Contributions to Audit Recommendations Tax Deferred Retirement Plans 8/27/15 Memo, PeopleSoft Access PeopleSoft Access Management Controls Should Improve Audit Logging 8/27/15 Memo, PeopleSoft Access Enhance Utilization of Functionality Controls Offered by the ERP Firewall 29

30 Report Date Report # and Title Recommendation Status 8/27/15 Memo, PeopleSoft Access Develop Role Privilege Catalog Controls 8/27/15 Memo, PeopleSoft Access Restrict Availability and Accessibility of Controls Environments 8/27/15 Memo, PeopleSoft Access Continue to Formalize Segregation of Substantially Controls Duties Requirements Implemented 8/31/15 R1520, Athletics and NCAA Improve Compliance with NCAA Compliance Regulations FY16 Audit Recommendations In Process 9/8/15 R1601, Receivables Update Policies and Procedures 9/10/15 Memo Confidential Data Management and Loss Prevention 12/15/15 R1608, Contracts and Ensure Documentation Is Maintained Grants for Contracts and Grants 1/5/16 R1609, Physical Access Strengthen Controls around the C-Cure Controls Application 1/5/16 R1609, Physical Access Enhance Emergency Lockdown Process Controls 1/5/16 R1611, Career Center Develop a Process for Ensuring Hiring Records Are Retained 1/8/16 R1612, Dining Meal Plans Reconcile Declining Balance Sheet Account 1/12/16 R1613, Business Continuity Ensure Business Continuity Plans Are Planning Tested 2/22/16 R1617, Scholarships Implement Budgetary Controls 2/22/16 R1617, Scholarships Develop Uniform Methodology for Awarding Scholarships 7/14/16 R1621, Hiring and Formalize epar Workflow Request Compensation Process Process 7/14/16 R1621, Hiring and Integrate PA7and epar Compensation Process 7/14/16 R1621, Hiring and Adhere to and Update Policies and Compensation Process Procedures 7/14/16 R1621, Hiring and Mandate and Track Training on Best Compensation Process Practices 7/14/16 R1621, Hiring and Document RA and TA Hiring Process Compensation Process 8/17/16 R1623, Budget Process Document Policies and Procedures FY17 Audit Recommendations 9/8/16 R1701, Confucius Institute Improve Contract Administration Fully Implemented Comply with Background Check Policy Fully Implemented Enhance Receipting Procedures Fully Implemented 10/25/16 R1703, TouchNet Centralize Responsibility for Applications Application Security Administration Strengthen User Management Practices Substantially Implemented 30

31 Report Date 11/11/16 Report # and Title Recommendation Status R1705, Joint Admission Medical Program (JAMP) 12/12/16 R1706, Unix Environment 12/12/16 R1707, One Cards 1/9/17 R1708, Financial Statement Certifications 1/10/17 R1709, Gifts Enhance Governance of TouchNet Applications Improve Controls over Expenditures Improve Budgeting Process The report contains confidential information that relates to information security and is not subject the disclosure requirements of the Texas Public Information Act, based on the exception found in Government Code Specific results were made to the appropriate management members. Enhance One Card Program Guidelines Implement Functionality to Restrict Card Usage at High Risk Merchants Consider Cost Savings Opportunity for Enhanced Monitoring In-House Reduce Default Monthly Transaction Limit Implement Review of Cardholders After Initial Setup Strengthen Controls around the One Card Program Consider Viability of Implementing a New Service for Taxi/Limousine Charges Improve Processes over Balance Sheet Reconciliations Ensure Material Pledges Are Properly Reported Ensure Compliance with GASB 33 Ensure Compliance with TRIP Gift Restrictions Enhance Gift Reconciliation Process Ensure Compliance with CASE Standards Strengthen Raiser s Edge User Access Boost Interdepartmental Communication Enhance Gift Documentation Enhance Gifts Training Substantially Implemented Substantially Implemented Substantially Implemented All recommendations are Substantially Implemented Fully Implemented Not Implemented Fully Implemented Fully Implemented Substantially Implemented Fully Implemented Fully Implemented Fully Implemented Substantially Implemented Fully Implemented Fully Implemented Substantially Implemented 31

32 Report Date 1/23/17 Report # and Title Recommendation Status R1710, Outside Contractors 2/1/17 R1712, Research Units 2/16/17 R1713, Databases 2/22/17 CR1701, Consulting Review: EHS Governance 6/15/17 CR1702, Faculty Start-ups 6/21/17 7/18/17 7/25/17 R1715, Hobson Wildenthal Honors College CR1703, Texas Biomedical Device Center CR1704, University-Wide Audit Recommendations 7/26/17 R1716, Title IX Centralize Maintenance of Existing Agreements Enhance Monitoring Procedures for Active Agreements Establish Process to Identify High-Risk Contracts Develop Complaint and Termination Procedures Revise Research Unit Policy UTDPP1010 Establish a Comprehensive Listing of Research Units The report contains confidential information that relates to information security and is not subject the disclosure requirements of the Texas Public Information Act, based on the exception found in Government Code Specific results were made to the appropriate management members. Consulting review recommended various enhancements to internal controls. Consulting review recommended enhancing processes surround budgeting and monitoring of faculty start-ups. Comply with Camp Policies and Procedures Consulting review recommended various enhancements to internal controls. Consulting review recommendations made to improve programs for minors and summer camps, conflicts of interest, contracting, and catering and events. The report contains confidential information that relates to information security and is not subject the disclosure requirements of the Texas Public Information Act, based on the exception found in the Texas Education Code, section Specific results were made to the appropriate management members. Substantially Implemented Substantially Implemented Substantially Implemented All recommendations are Recommendations are both incomplete/ongoing and substantially implemented. Incomplete/ongoing Fully Implemented Fully Implemented All recommendations are and will be followed up during planned FY18 audits in these areas. All recommendations are 32

33 Report Date 8/1/17 Report # and Title Recommendation Status R1717, University-wide Travel and Entertainment Enhance University Guidelines to Strengthen Compliance 33