Fiscal Year 2014 FISCAL YEAR OCTO OBER 28, 2014 OFFICE BOX 19112

Transcription

1 FISCAL YEAR 2014 ANNUAL INTERNAL AUDIT REPORT AS REQUESTED BY THE STATE AUDITOR S OFFICE OCTO OBER 28, 2014 OFFICE OF INTERNALL AUDIT BOX ARLINGTON, TX internalaudit@uta.edu Page 0

2 Table of Contents I. Compliance with House Bill II. III. Planned Work Related to the Proportionality of Higher Education Benefits. 2 Internal Audit Plan for Fiscal Year Summary of FY 2014 Recommendations and Status 4 IV. Consulting Services and Nonaudit Services d. 27 V. External Quality Assurance Review (Peer Review) VI. VII. VIII. Internal Audit Plan for Fiscal Year External Audit Services Provided in Fiscal Year Reporting Suspected Fraud and Abuse.. 32 Page 1

3 I. Compliance with House Bill 16: Posting the Internal Audit Plan, Internal Audit Annual Report and Other Audit Information on the Web Site In accordance with House Bill 16, UT Arlington s Office of Internal Audit has posted its FY 2014 Annual Report and FY 2015 Work Plan on its web site: II. Planned Work Related to the Proportionality of Higher Education Benefits At the request of the Governor, an internal audit of the proportionality off higher education benefits process is underway during the first quarter of fiscal year A consistent audit methodology has been deployed across the UT System thatt will assess the reporting process and accuracy of benefits funding information provided to the State Comptroller as applicable under the General Appropriations Act, Article IX, Sec : Benefits Paid Proportional by Fund. The audit will be complete by November 30, III. Internal Audit Plan for Fiscal Year 2014 Report Report Title (Audit) Number FINANCIAL AUDITS FY 2013 Annual Financial Report (AFR) Audit FY 2014 Annual Financial Report (AFR) Interim FY 2013 Financial Statement Certifications (UT System) President's Travel and Entertainment and University Residence Maintenance Expensess Audit (UT System) NCAA Financial Audit Executive Travel and Entertainment Expenses Audit Spot Audits of Petty Cash Funds (Campus Wide) OPERATIONAL AUDITS College Park Box Office Ticketing Audit Procurement Card Audit FY 2013 Carried Forward Audits COMPLIANCE AUDITS College Park Contractual Reviews and Oversight Nursing Shortage Reduction Program Awards Auditt NCAA Compliance Audit Athletic Student Financial Aid Review of Chemical Safety Inventory System Clery Act Compliance Review Employee Tuition Assistance Program Audit CPRIT Awards Audit (State Federal Portion of the Statewide Single Audit (assistance to the Auditor s) SAO) INFORMATION TECHNOLOGY AUDITS TAC 202 Biennial Requirement (Phase 4 Information Security Page 2 Report Date 1/13/14 1/13/14 1/15/14 10/11/13 4/4/14 2/18/14 8/27/14 2/21/14 Status as of 8/31/14 Reporting Stage Reporting Stage Planning Stage Fieldwork Stage Moved to FY 2015 (Outsourced) Reporting Stage Planning Stage

4 and Safeguards) PeopleSoft Implementation Application Testing and Other Reviews PeopleSoft (HR/Fin) Security settingss and Access Rights/Oracle Access rights IT Security in Decentralized Environment FY 2013 Carried Forward Audits FOLLOW UP AUDITS Follow Up Audits (IT Related) Follow Up Audits (Non IT Related) PROJECTS UT System Reporting/Requests External Quality Assessment Internal Quality Assurance and Improvement Program activities, including workgroup initiatives FY 2015 Work Plan and Risk Assessment Process Committees (e.g. Institutional Audit Committee, Compliance, Council, and Professional organizations) participation Management of the audit activity TeamMate, IDEA, etc., development and maintenance RESERVE Management Requests, Investigations and Consulting Fieldwork Stage Deviations from the FY 2014 Work Plan were as follows: Re allocation to FY 2014 work plan hours were as follows: Audit Hours Adjusted Audit Clery Act Compliance Review Adjustment Totals (282.00) (282.00) Management Requests,, Investigations and Consulting NCAA Compliance Audit Athletic Student Financial Aid carried forward to the FY 2015 audit plan as area was not ready for review. TAC 202 Biennial Requirement (Phase 4 Information Security and Safeguards) audit carried forward to the FY 2015 audit plan. Hours Reason Adjusted Clery Act audit was outsourced approved per 12/17/13 committee meeting Page 3

5 Summary of FY 2014 Recommendations and Status Engagement Number & Finding Number Audit Report Date Recommendationn and Management Response Implementation Status [Fully Implemented, Substantially Implemented, Incomplete/, or Not Implemented] Page 4

6 IV. Consulting Services and Nonaudit Services d The Office of Internal Audit had no consulting engagements in FY 2014 as defined by the IPPF. Additionally, it conducted no non audit services as defined byy sections of the Government Auditing Standards. Page 27

7 V. External Quality Assurance (Peer Review) Page 28

8 VI. Internal Audit Plan for Fiscal Year 2015 The FY 2015 Audit Work Plan and budgeted hours are as follows. Detailed schedules, risk assessments and analysis for preparation of the FY 2015 Audit Work Plan may be requested by calling UT Arlington s Office of Internal Audit at , or ing FINANCIAL AUDITS FY 2014 Annual Financial Report (AFR) Audit FY 2015 Annual Financial Report (AFR) Interim FY 2014 Financial Statement Certifications President's Travel and Entertainment and University Residence Maintenances Expenses Audit Executivee Travel and Entertainment Expenses Audit NCAA Financial Audit Spot Audits of Petty Cash Funds (Campus Wide) Financial Audits Subtotal OPERATIONAL AUDITS Proportional Funding of Benefits Campus Recreation Liability Waivers Post Implementation Review of Payroll in UTShare Change in Management Review Audit of the Office of the Vice President for Student Affairs FY 2014 Carried Forwar rd Audit (Procurement Card audit) Operational Audits Subtotal 1, COMPLIANCE AUDITS NCAA Compliance Audit Athletic Student Financial Aid Scholarship Compliance Review Norman Hackerman Advanced Research Program Student Financial Aid Return of Funds; Cost of Attendance Payroll Tax Reporting Compliance Nursing Shortage Reduction Program Awards Audit I 9 Compliance Review Federal Portion of the Statewide Single Audit (assistance to the SAO) FY 2014 Carried Forwar rd Audit (College Park Box Office Ticketing Audit) Compliance Audits Subtotal 1, INFORMATION TECHNOLOGY AUDITS Review of Software/Application Maintenance Payments Review of Accuracy of Feeder Systems PeopleSoft Post Implementation Reviews Data Analytic Reviews FY 2014 Carried Forwar rd Audit (TAC 202 Phase 4: Information Security and Safeguards) Information Technology Audits Subtotal 1, FOLLOW UP AUDITS Follow Up Audits (IT Related) Follow Up Audits (Non IT Related) Follow Up Audits Subtotal PROJECTS UT System Reporting/Requests Internal Quality Assurance and Improvement Program activities, ncluding workgroup initiatives FY 2016 Work Plan Preparation and Risk Assessment Process Page 29

9 25.00 Committees (e.g. Institutional Audit Committee, Compliance, Council, and Professional organizations) participation Management of the audit activity TeamMate, IDEA, etc., development and maintenance Projects Subtotal 1, RESERVE Management Requests, Investigations and Consulting TOTAL AUDIT HOURS 6, Risk Assessments Admissions, Records and Registration Environmental Health and Safety Facilities Management Health Services Housing Information Security Intercollegiatee Athletics International Office To prepare the Fiscal Year (FY) 2015 plan, the Office of Internal Audit followed the UT System s Annual Audit Plan Guidelines. The guidelines categorizee audits in thee following areas: Financial, Operational, Compliance and Information Technology. Additionally, the Enterprise Risk Management (ERM) model is primarily used as a basis for risk assessment and audit selection. ERM is a continuous, pro active and systematic process to understand, manage and communicate e risk from a University wide perspective. The process identifies riskss for the core business processes withinn the University at the executive (Tier 1), mid of management (Tier 2), and department/operation levels (Tier 3) and it also allows for the development risk responses to manage the risks. University Compliance Services, through their facilitation processes, worked with the University s President and executive management to generate an Executive Level Risk Assessment of the institution as a whole. Additionally, University Compliance Services facilitated mid management risk assessments using the ERM model in the following areas: The Office of Internal Audit utilized the results of these reviews to focus the audit plan in high risk areas. In developing the FY 2015 Audit Work Plan, the Office of Internal Audit used the ERM as the primary risk assessment methodology. Risk assessments were used in identifying audits, considering such factors as degree of risk, management input, time since the last audit for the high risk activity, and availability of audit resources. Input on the Audit Plan was received from executive management and members of the UT Arlington Institutional Audit Committee, which members consist of executive management and three members outside the University. Mav Express Office off Development Office off Informationn Technology Police Department Special Event Venues Student Affairs Student Financial Aid University Center Page 30

10 A list of additional riskss ranked as high that were identified yet have nott included in the fiscal year 2015 audit plan are as follows: Risks ranked as high not covered in the FY 2015 Audit Work Plan Governance and Leadership: Inability to adjust tuition while state revenues are declining Information Technology: Impact of shared services on campus (e.g. HR/FIN and TXSIS) Information Technology: Inadequate resourcess to support information technology infrastructure Information Technology: Inadequate security of information resources in decentralized departments Research: Inadequate resources to support the expanding research mission of the institution Facilities Operations: Inability to fund the campus master plan (new construction, capital renewal and campus edge development) Facilities Operations: Inadequate security staffing levels Non Audit Explanation/Mitigation There is a process in place that determines tuition rates. An audit was recently conducted by the State Auditor's Office on enrollment reporting that encompassed some of the elements of the tuition setting process. Currently, there are discussions between UT Arlington's Office of Information Technology and UT System on the disposition of Shared Services at the ARDC. Thus, it is not warrantedd to audit at this time. IT Management has received additional funding and now believes that there is enough funding for infrastructure upgrades, etc. The Office of Research is concerned with people resources. Theree is a process in place to fund research projects, including acquisition of research personnel through Human Resources. Other risks were determined to be moree critical and audit effort will be focused there. This pertains to not being able to provide adequatee security at venues when the facilities are rented out. A project like this would be better served by consulting with industry experts and not Internal Audit. Internal Audit Action Audit conducted in FY 2014 concerning servers in decentralized areas. The THECB Peer Review (review of facility additions during the past five years required to be submitted to the Coordinating Board) conducted in FY 2013 covered this area. Page 31

11 Student Services: Student Conduct (e.g. sexual assaults, harassment, hazing, etc.) Student Services: Inability to predict and/or prevent studentt crisis situations Academicc Support: Inadequate resourcess to support instructional mission state funds The Office of Student Conduct is responsible for the implementation of the Student Conduct & Discipline Handbook of Operating Procedures. Other risks were determined to be moree critical and audit effort will be focused there. Predicting a crisis is nonn auditable. The University has processes in place to monitor activity. This includes training programs and the Behavior Intervention Team. State appropriations aree determined by legislativee processes and are an inherent risk. University management has limited direct influence over state funds received. Academicc Support: Disaster Recovery Planning/ /Business Continuity Plan The TAC 202 Audit includes a review of the Disaster Recovery and Business Continuity Planning. VII. External Audit Services Procured in Fiscal Year 2014 SAO Conducts A 133: for Research and Student Financial Aid Deloitte & Touche LLP: Annual Financial Statement Report audits D. Stafford & Associates: Clery Act, Title IX Review VIII. Reporting Suspected Fraud and Abuse In accordance with Section 7.09 Fraud Reporting, General Appropriations Act (83 rd Legislature, Conference Committeee Report), Article IX, and with Texas Government Code, Section , Coordination of Investigations, UT Arlington has implementedd the following: The fraud reporting direct link to the state is maintained on the Reports to State (Resources Section bottom of page) link on the University s home page: UT Arlington policies have been updatedd to provide information on reporting fraud involving State Funds to the SAO. Policies and Procedures have been updated for the requirement that the Chief Administrative Officer shall report suspected fraud to the State Auditor s Office. Page 32