August 14, Dear Ms. Gula:

Transcription

1 Department of Internal Audit North End Center, Suite 3200, Virginia Tech 300 Turner Street NW Blacksburg, Virginia Campus Mail Code: Fax: August 14, 2013 Debra S. Gula, CPA Executive Director of University Audit and Compliance University of South Florida System 3702 Spectrum Blvd. Suite 180 Tampa, FL Dear Ms. Gula: The Quality Assurance (QA) Team was engaged to conduct an independent validation of the University of South Florida System s Office of University Audit and Compliance (UAC) self- assessment. The primary objective of the validation was to verify the assertions made in the attached quality self- assessment report concerning adequate fulfillment of the University s basic expectations of UAC and its conformity to The Institute of Internal Auditors (The IIA s) International Standards for the Professional Practice of Internal Auditing (Standards). Other matters that might have been covered in a full independent assessment, such as an in- depth analysis of successful practices, governance, consulting services, and use of advanced technology, were excluded from the scope of this independent validation by agreement with the Executive Director. In acting as the QA Team, we are fully independent of the organization and have the necessary knowledge and skills to undertake this engagement. The validation, conducted during June 19 21, 2013, consisted primarily of a review and testing of the procedures and results of the self- assessment. In addition, interviews were conducted with the University s President, Board of Trustees Chair, Board of Trustees Audit Liaison, Provost, Chief Operating Officer, other senior members of management, and the UAC Executive Director. We concur fully with UAC s conclusions in the self- assessment report attached. While we concur with the report conclusions, we noted the following positive attributes and opportunities for improvement related to operations of UAC. Invent the Future VIRGINIA POLYTECHNIC INSTITUTE AND STATE UNIVERSITY An equal opportunity, affirmative action institution

2 Positive Attributes of University of South Florida System s Internal Audit Program: Audit Committee and Senior Management Support The interviews conveyed a high level of support from the Finance and Audit Workgroup and senior management. The Internal Audit Program is well respected, is involved in many University activities, and management feels comfortable seeking UAC s assistance for problematic situations. Communication and Approachability During the course of our on- site visit, management expressed that the entire internal audit team was very approachable, demonstrated effective communication skills, and was extremely responsive. UAC s prompt response to requests demonstrates highly effective and efficient use of limited staffing resources and strong project management skills. Additionally, executive management noted that the UAC Executive Director demonstrated strong leadership skills. Development of Staff The management team within UAC takes an interest and great care in the development of the staff including professional development related to specific knowledge, skills, and abilities needed to perform their job duties. Additionally, staff is encouraged to obtain professional certifications enhancing their individual skills and credentials. Staff is closely supervised to enable audit- related questions to be answered within a short period of time and to provide on- site mentoring. Comprehensive Risk Assessment The process that UAC has created to initiate, conduct, and complete their annual risk assessment utilizes many tools and processes and appears to be working well for the University of South Florida System. UAC management meets with key executives of all member institutions throughout the year to discuss risks, audit history, and trends within the system and the higher education industry to determine if there are emerging risks that may impact the system. Executives for each separately accredited institution of the University of South Florida System are able to provide input on the organization s risks and understand which internal audit projects will take place during the year within their organizations. Opportunities for Improvement Effectiveness and Efficiency: Auditor Position within Organization The IIA Practice Advisory recommends that to achieve organizational independence, the Chief Audit Executive should report functionally to the Audit Committee and administratively report directly to the chief executive officer of the organization. As of the time of this review, the UAC Executive Director functionally reports to the Audit Liaison who is a member of the Board of Trustees Finance and Audit Workgroup, and administratively reports to the Chief Operating Officer VIRGINIA POLYTECHNIC INSTITUTE AND STATE UNIVERSITY An equal opportunity, affirmative action institution

3 as depicted on the university system's organization chart. However, with regard to administrative reporting lines, the 2006 UAC Audit Charter reflects that UAC reports to the President with day- to- day oversight by the university s Executive Vice President. We recommend that the USF Board of Trustees and the President discuss the appropriate reporting line to ensure ideal organizational independence for UAC. The UAC Charter and the university system organization chart should be modified accordingly. Retention of Staff UAC employees are well qualified with relevant levels of experience, highly credentialed, and marketable. However, salaries are lagging behind when compared to state peers. With concerns for retention, we recommend that USF consider adequate compensation commensurate with UAC staff experience and accomplishments. Furthermore, adequate professional development opportunities should be made available for staff to ensure maintenance of knowledge, skills, and abilities necessary to serve USF and to satisfy professional certification requirements. Implementation of all the recommendations contained in the self- assessment report will improve the effectiveness and enhance the value of UAC and ensure its full conformity to the Standards. We appreciate the courtesy and cooperation received from management and staff during our independent validation. Sincerely, Sharon M. Kurek, CPA, CFE Director of Internal Audit at Virginia Tech Independent Validator and QA Team Lead Brian D. Mikell, CPA Chief Audit Executive at University of Florida Independent Validator and QA Team Member cc: Dr. Judy L. Genshaft, Chief Executive Officer, USF System John W. Long, Chief Operating Officer and Sr. Vice President, Business and Finance Stephanie E. Goforth, Audit Liaison, Board of Trustees Finance & Audit Workgroup John B. Ramil, Chair, Board of Trustees Finance & Audit Workgroup V I R G I N I A P O L Y T E C H N I C I N S T I T U T E A N D S T A T E U N I V E R S I T Y A n e qua l op portu ni ty, a ffi rma ti ve act io n i nsti tu tio n

4 MEMORANDUM TO: DATE: July 26, 2013 President Judy Genshaft USF Board of Trustees Finance and Audit Workgroup SUBJECT: UAC Self-Assessment with Independent Validation The University of South Florida Audit & Compliance (UAC) department conducted a selfassessment of its Internal Audit (IA) services. The principal objectives of the assessment were to assess UAC s conformity to the IIA s Standards for the Professional Practice of Internal Auditing (Standards), evaluate IA s effectiveness in carrying out its mission (as set forth in its charter and expressed in the expectations of management), and identify opportunities to enhance management and work processes, as well as UAC s value to the university. Our review included the preparation of the Self-Assessment Guide provided by the IIA (Tool 2), evaluation of UAC s conformity to the IIA standards (Tool 19) and other supporting documents. In addition, the independent QA review team collected responses from management, auditees, and UAC team member surveys, and interviewed university leadership. Part of UAC s review included an evaluation of UAC s risk assessment and audit planning processes, audit tools and methodologies utilized, and engagement and staff management processes. UAC also provided the independent review team with a representative sample of UAC s working papers and reports. Based on our review, UAC generally conforms to the IIA Attribute and Performance Standards, and the Code of Ethics. Generally conforms means that there is a general conformity to a majority of the individual standards and partial conformity to the others, within the section/category. Contained within this report is a recommendation to ensure that UAC fully complies with the standard related to maintaining an internal quality assurance program. This area was assessed as partially conforms during our review. In addition, UAC has made three recommendations based upon the IIA Practice Advisories and other best practice guidance to improve the effectiveness of the IA program at USF. Debra Gula, CPA Executive Director cc: John Long, Chief Operating Officer and Sr. Vice President, Business and Finance UNIVERSITY AUDIT AND COMPLIANCE 3702 Spectrum Blvd. Suite 180 Tampa, FL (813) FAX (813)

5 OPINION AS TO CONFORMITY TO STANDARDS Our evaluation of UAC s conformity with the IIA standards indicates that UAC complies with the requirements of the individual elements of the Code of Ethics in all material respects. In addition, it is our opinion that UAC generally conforms with the IIA standards, when applied to the entire category of standards. The standards are divided into two areas: Attribute Standards and Performance Standards. Attribute standards address the attributes of the IA organization and the individuals performing IA services. Performance standards describe the nature of IA services and provide quality criteria against which the performance of these services is measured. Practice advisories provide guidance on how to implement the standards. See Exhibit A for a list of the standards and UAC s opinion on conformance. OPINION AS TO EFFECTIVENESS AND EFFICIENCY OF IA FUNCTION Our completion of the Self-Assessment Guide and other supporting documentation and review of client surveys indicated that the IIA function is effectively positioned within the organization to enable UAC to effectively discharge its responsibilities as defined by the UAC Charter. The UAC Charter needs to be expanded to accurately reflect functional versus administrative reporting as well as the current IT audit responsibilities. The established reporting relationship with executive management and the USF Board of Trustees Finance and Audit Workgroup ensures UAC s independence and adequate consideration of audit recommendations. The USF Board of Trustees Finance and Audit Workgroup serves as the Audit Committee. We have also concluded that the IA environment is well structured and utilizes a structured, disciplined approach to evaluating and improving risk management, control, compliance, and governance processes. The IIA standards, and other relevant standards, are well understood by the UAC team, who receive ongoing professional training. UAC team members are highly credentialed, with over half of the audit team possessing a master s degree, 80% are CPAs, and all staff possess at least one professional certification (CPA, CIA, CFE, or CISA). UAC continues to review and work on improving its IA processes to identify and document fraud risks, minimize the time from project initiation to reporting, and to ensure all audit processes are focused on risk and aligned with both the IIA standards and the university s strategic goals and plans. Consequently, our comments and recommendations are intended to build on the foundation put in place over the last several years. ISSUES AND RECOMMENDATIONS The issues and recommendations that follow originated from UAC s completion of the Self- Assessment Guide and other supporting documentation and our evaluation of UAC s conformity with the IIA standards. Our Self-Assessment was performed in accordance with the IIA Quality Assessment Manual 6 th Edition. In addition, external input was obtained through surveys, interviews, and the participation of a two-member independent validation team. 2 of 10

6 COMPLIANCE WITH IIA STANDARDS 1. Internal quality assurance programs were not formally communicated to senior management and the board. IIA Standard 1320 states, The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board. The IIA s interpretation states, To demonstrate conformance with the definition of internal auditing, the Code of Ethics, and the standards, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the assessor s or assessment team s evaluation with respect to the degree of conformance. UAC has integrated compliance monitoring for IIA standards into the day-to-day operations of the activity using TeamMate templates and control checkpoints. In addition, UAC continuously reviews its processes to identify areas where process improvement can occur. Each Spring, internal goals are set for the coming fiscal year. During this goal-setting process, one or more performance areas are selected for process reengineering. Some areas that have been revised in the last five years include: redesigning the report and report-writing process, redesigning the follow-up system to improve management reporting, integrating access control reviews into all projects, and redesigning internal management reports to more effectively monitor UAC projects. UAC also solicits verbal feedback from auditees throughout the engagements. UAC partially conforms with this standard because while the department reviews compliance with standards on an ongoing basis and practices continuous process improvement, the detail of these self-assessment activities are not formally communicated to senior management or the board on an annual basis. Recommendation: UAC should formally communicate the annual internal assessment of the department s quality assurance and improvement program to senior management and the board in UAC s Annual Report. 3 of 10

7 EFFICIENCY AND EFFECTIVENESS 1. The Finance & Audit Workgroup s roles and responsibilities do not include all of the functional responsibilities outlined in the IIA Practice Advisory. PA : Organizational Independence states, Functional reporting to the board typically involves the board:... Approving all decisions regarding the performance evaluation, appointment, or removal of the CAE and approving the annual compensation and salary adjustment of the CAE. Recommendation: In order to enhance the organizational independence of the internal audit activity, the Finance & Audit Workgroup s roles and responsibilities should be modified to include the following responsibilities: 1. Review with management and the Executive Director the charter, activities, staffing, and organizational structure of the internal audit function. 2. Approve all decisions regarding the performance evaluation, appointment, or removal of the Executive Director. 3. Approve the annual compensation and salary adjustments of the Executive Director. 2. UAC s charter does not accurately reflect IT audit responsibilities. IIA Standard 2120.A.1 states, The internal audit activity must evaluate the risk exposures related to the organization s governance, operations, and information systems regarding the achievement of the organization s strategic objectives, reliability and integrity of financial and operational information, effectiveness and efficiency of operations and programs; safeguarding of assets, and compliance with laws, regulations, policies, procedures, and contracts. Since the promulgation of the current charter in 2006, UAC has adopted an integrated audit approach, which involves incorporating reviews of controls imbedded in information systems (IS) into all audits. IS controls designed to ensure the confidentiality, integrity, and availability of financial and operational data, critical to meet USF strategic goals, are reviewed. For audits and consulting projects with emphasis in information technology, UAC utilizes ISACA standards, which are mapped to the COBIT Framework for IT Governance and Control. UAC relies on the expertise of their IT audit team, who have obtained certifications in risk and information system controls (CRISC) and/or information systems auditing (CISA). The IT audit team, which includes the Associate Director, Assistant Director, and Sr. IT Auditor, perform IT systems reviews such as review of IT Governance, Data Center Operations, Change Management, and Security Administration. 4 of 10

8 EFFICIENCY AND EFFECTIVENESS ISACA Guideline G5 states, The IS auditor should have a clear mandate to perform the IS audit function. This mandate is ordinarily documented in an audit charter that should be formally accepted. Where an audit charter exists for the audit function as a whole, the IS audit mandate should be incorporated. Although the Finance and Audit Workgroup s responsibilities address information technology security and control, UAC does not currently have a specific mandate included in its charter regarding information systems auditing. Recommendation: UAC s CAE should work with the Board of Trustees Audit Liaison to revise the UAC charter to ensure UAC s responsibilities regarding information systems auditing are included. The revised charter should be presented to and approved by the President and the Finance and Audit Workgroup. 3. Fraud risk assessment is not formally documented. IIA Standard 2120 Risk Management states, The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk. In June 2009, the Executive Director promulgated USF Policy 0-024, Fraud Prevention and Detection, which addresses the responsibility of USF system employees as it relates to fraud. The state Auditor General sends a fraud questionnaire annually to senior management and the Executive Director. Fraud risks are considered during ERM activities, but are not assessed separately. IIA Standard 2210 A.2. Audit Engagement Objectives states, Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives. UAC has two Certified Fraud Examiners, the Associate Director and an Assistant Director. UAC uses the expertise of these individuals to ensure fraud risk is identified and utilizes the Association of Certified Fraud Examiners Fraud Risk Assessment tools to assist in the identification and assessment of fraud risks. During the performance of preliminary risk assessments, they work to ensure fraud risk is adequately incorporated into audit programs. When appropriate, specific fraud detection tests are performed. 5 of 10

9 Recommendation: EFFICIENCY AND EFFECTIVENESS UAC should develop a formal methodology for assessing and documenting fraud risk. This methodology should be used to perform a fraud risk assessment which identifies potential fraud schemes and prioritizes them based on risk. Key fraud prevention and detection controls will be mapped to the fraud risks and tested for effectiveness during the performance of UAC audit projects. 6 of 10

10 EXHIBIT A UAC s Conformity to the IIA Standards Generally Partially Does Not Conforms Conforms Conform OVERALL EVALUATION ATTRIBUTE STANDARDS 1000 Purpose, Authority, and Responsibility (Charter) 1100 Independence and Objectivity 1110 Organizational Independence 1120 Individual Objectivity 1130 Impairments to Independence or Objectivity 1200 Proficiency and Due Professional Care 1210 Proficiency 1220 Due Professional Care 1230 Continuing Professional Development 1300 Quality Assurance/Improvement Program 1310 Quality Program Assessments 1311 Internal Assessments 1312 External Assessments 1320 Reporting on the Quality Program 1330 Use of Conducted in Accordance with the Standards 1340 Disclosure of Noncompliance 7 of 10

11 Generally Partially Does Not Conforms Conforms Conform PERFORMANCE STANDARDS 2000 Managing the Internal Audit Activity 2010 Planning 2020 Communication and Approval 2030 Resource Management 2040 Policies and Procedures 2050 Coordination 2060 Reporting to the Board and Senior Management 2100 Nature of Work 2110 Governance 2120 Risk Management 2130 Control 2200 Engagement Planning 2201 Planning Considerations 2210 Engagement Objectives 2220 Engagement Scope 2230 Engagement Resource Allocation 2240 Engagement Work Program 2300 Performing the Engagement 2310 Identifying Information 2320 Analysis and Evaluation 8 of 10

12 Generally Partially Does Not Conforms Conforms Conform 2330 Recording Information 2340 Engagement Supervision 2400 Communicating Results 2410 Criteria for Communicating 2420 Quality of Communications 2421 Errors and Omissions 2430 Engagement Disclosure of Noncompliance with Standards 2440 Disseminating Results 2500 Monitoring Progress 2600 Management s Acceptance of Risks IIA CODE OF ETHICS Legend: Generally Conforms: The evaluator has concluded that the relevant structures, policies, and procedures of the activity, as well as the processes by which they are applied, comply with the requirements of the individual Standard or element of the Code of Ethics in all material respects. For the sections and major categories, this means that there is general conformity to a majority of the individual Standards or elements of the Code of Ethics, and partial conformity to the others, within the section/category. There may be significant opportunities for improvement, but these should not represent situations where the activity has not implemented the Standards or the Code of Ethics, is not applying them effectively, or is not achieving their stated objectives. Partially Conforms: The evaluator has concluded that the activity is making good faith efforts to comply with the requirements of the individual Standard or element of the Code of Ethics, section, or major category, but has fallen short of achieving some of their major objectives. These will usually represent some significant opportunities for improvement in effectively applying the Standards or Code of Ethics and/or achieving their objectives. Some of the deficiencies may be beyond the control of the activity and may result in recommendations to senior management or the board of the organization. 9 of 10

13 Does Not Conform: The evaluator has concluded that the activity is not aware of, is not making good-faith efforts to comply with, or is failing to achieve many/all of the objectives of the individual Standard or element of the Code of Ethics, section, or major category. These deficiencies will usually have a significant negative impact on the activity s effectiveness and its potential to add value to the organization. They may also represent significant opportunities for improvement, including actions by senior management or the board. 10 of 10