FISCAL YEAR 2014 ANNUAL INTERNAL AUDIT REPORT AS REQUESTED BY THE STATE AUDITOR S OFFICE OCTO OBER 28, 2014 OFFICE OF INTERNALL AUDIT BOX 19112 ARLINGTON, TX 76019 0112 817 272 01500 www.uta.edu/internalaudit internalaudit@uta.edu Page 0
Table of Contents I. Compliance with House Bill 16... 2 II. III. Planned Work Related to the Proportionality of Higher Education Benefits. 2 Internal Audit Plan for Fiscal Year 2014... 2 Summary of FY 2014 Recommendations and Status 4 IV. Consulting Services and Nonaudit Services d. 27 V. External Quality Assurance Review (Peer Review).. 28.. VI. VII. VIII. Internal Audit Plan for Fiscal Year 2015.. 29 External Audit Services Provided in Fiscal Year 2014. 32 Reporting Suspected Fraud and Abuse.. 32 Page 1
I. Compliance with House Bill 16: Posting the Internal Audit Plan, Internal Audit Annual Report and Other Audit Information on the Web Site In accordance with House Bill 16, UT Arlington s Office of Internal Audit has posted its FY 2014 Annual Report and FY 2015 Work Plan on its web site: http://www.uta.edu/internalaudit/annualreports.php. II. Planned Work Related to the Proportionality of Higher Education Benefits At the request of the Governor, an internal audit of the proportionality off higher education benefits process is underway during the first quarter of fiscal year 2015. A consistent audit methodology has been deployed across the UT System thatt will assess the reporting process and accuracy of benefits funding information provided to the State Comptroller as applicable under the General Appropriations Act, Article IX, Sec. 6. 08: Benefits Paid Proportional by Fund. The audit will be complete by November 30, 2014. III. Internal Audit Plan for Fiscal Year 2014 Report Report Title (Audit) Number FINANCIAL AUDITS FY 2013 Annual Financial Report (AFR) Audit FY 2014 Annual Financial Report (AFR) Interim FY 2013 Financial Statement Certifications (UT System) President's Travel and Entertainment and University Residence Maintenance Expensess Audit (UT System) NCAA Financial Audit 14 08 Executive Travel and Entertainment Expenses Audit Spot Audits of Petty Cash Funds (Campus Wide) OPERATIONAL AUDITS 14 10 College Park Box Office Ticketing Audit 14 09 Procurement Card Audit FY 2013 Carried Forward Audits COMPLIANCE AUDITS 14 11 College Park Contractual Reviews and Oversight 14 05 Nursing Shortage Reduction Program Awards Auditt 14 02 NCAA Compliance Audit Athletic Student Financial Aid 14 01 Review of Chemical Safety Inventory System 14 03 Clery Act Compliance Review 14 04 Employee Tuition Assistance Program Audit CPRIT Awards Audit (State Federal Portion of the Statewide Single Audit (assistance to the Auditor s) SAO) INFORMATION TECHNOLOGY AUDITS 14 06 TAC 202 Biennial Requirement (Phase 4 Information Security Page 2 Report Date 1/13/14 1/13/14 1/15/14 10/11/13 4/4/14 2/18/14 8/27/14 2/21/14 Status as of 8/31/14 Reporting Stage Reporting Stage Planning Stage Fieldwork Stage Moved to FY 2015 (Outsourced) Reporting Stage Planning Stage
and Safeguards) PeopleSoft Implementation Application Testing and Other Reviews PeopleSoft (HR/Fin) Security settingss and Access Rights/Oracle Access rights 14 07 IT Security in Decentralized Environment FY 2013 Carried Forward Audits FOLLOW UP AUDITS Follow Up Audits (IT Related) Follow Up Audits (Non IT Related) PROJECTS UT System Reporting/Requests External Quality Assessment Internal Quality Assurance and Improvement Program activities, including workgroup initiatives FY 2015 Work Plan and Risk Assessment Process Committees (e.g. Institutional Audit Committee, Compliance, Council, and Professional organizations) participation Management of the audit activity TeamMate, IDEA, etc., development and maintenance RESERVE Management Requests, Investigations and Consulting Fieldwork Stage Deviations from the FY 2014 Work Plan were as follows: Re allocation to FY 2014 work plan hours were as follows: Audit Hours Adjusted Audit Clery Act Compliance Review Adjustment Totals (282.00) (282.00) Management Requests,, Investigations and Consulting NCAA Compliance Audit Athletic Student Financial Aid carried forward to the FY 2015 audit plan as area was not ready for review. TAC 202 Biennial Requirement (Phase 4 Information Security and Safeguards) audit carried forward to the FY 2015 audit plan. Hours Reason Adjusted 282.00 Clery Act audit was outsourced approved per 12/17/13 committee meeting 282.00 Page 3
Summary of FY 2014 Recommendations and Status Engagement Number & Finding Number Audit Report Date Recommendationn and Management Response Implementation Status [Fully Implemented, Substantially Implemented, Incomplete/, or Not Implemented] Page 4
IV. Consulting Services and Nonaudit Services d The Office of Internal Audit had no consulting engagements in FY 2014 as defined by the IPPF. Additionally, it conducted no non audit services as defined byy sections 3.33 3.58 of the Government Auditing Standards. Page 27
V. External Quality Assurance (Peer Review) Page 28
VI. Internal Audit Plan for Fiscal Year 2015 The FY 2015 Audit Work Plan and budgeted hours are as follows. Detailed schedules, risk assessments and analysis for preparation of the FY 2015 Audit Work Plan may be requested by calling UT Arlington s Office of Internal Audit at 817 272 0150, or emailing internalaudit@ @uta.edu. FINANCIAL AUDITS FY 2014 Annual Financial Report (AFR) Audit 100.00 FY 2015 Annual Financial Report (AFR) Interim 75.00 FY 2014 Financial Statement Certifications 25.00 President's Travel and Entertainment and University Residence Maintenances Expenses Audit 30.00 Executivee Travel and Entertainment Expenses Audit 250.00 NCAA Financial Audit 50.00 Spot Audits of Petty Cash Funds (Campus Wide) 20.00 Financial Audits Subtotal 550.00 OPERATIONAL AUDITS Proportional Funding of Benefits 200.00 Campus Recreation Liability Waivers 20.00 Post Implementation Review of Payroll in UTShare 400.00 Change in Management Review Audit of the Office of the Vice President for Student Affairs 400.00 FY 2014 Carried Forwar rd Audit (Procurement Card audit) 50.00 Operational Audits Subtotal 1,070.00 COMPLIANCE AUDITS NCAA Compliance Audit Athletic Student Financial Aid Scholarship Compliance Review 225.00 Norman Hackerman Advanced Research Program 150.00 Student Financial Aid Return of Funds; Cost of Attendance Payroll Tax Reporting Compliance Nursing Shortage Reduction Program Awards Audit 200.00 I 9 Compliance Review 50.00 Federal Portion of the Statewide Single Audit (assistance to the SAO) 75.00 FY 2014 Carried Forwar rd Audit (College Park Box Office Ticketing Audit) 50.00 Compliance Audits Subtotal 1,650.00 INFORMATION TECHNOLOGY AUDITS Review of Software/Application Maintenance Payments Review of Accuracy of Feeder Systems 225.00 PeopleSoft Post Implementation Reviews Data Analytic Reviews 530.00 FY 2014 Carried Forwar rd Audit (TAC 202 Phase 4: Information Security and Safeguards) 70.00 Information Technology Audits Subtotal 1,425.00 FOLLOW UP AUDITS Follow Up Audits (IT Related) 150.00 Follow Up Audits (Non IT Related) 150.00 Follow Up Audits Subtotal PROJECTS UT System Reporting/Requests 200.00 Internal Quality Assurance and Improvement Program activities, ncluding workgroup initiatives 80.00 FY 2016 Work Plan Preparation and Risk Assessment Process 200.00 Page 29
25.00 Committees (e.g. Institutional Audit Committee, Compliance, Council, and Professional organizations) participation Management of the audit activity 350.00 TeamMate, IDEA, etc., development and maintenance 200.00 Projects Subtotal 1,355.00 RESERVE Management Requests, Investigations and Consulting 550.00 TOTAL AUDIT HOURS 6,900.00 Risk Assessments Admissions, Records and Registration Environmental Health and Safety Facilities Management Health Services Housing Information Security Intercollegiatee Athletics International Office To prepare the Fiscal Year (FY) 2015 plan, the Office of Internal Audit followed the UT System s Annual Audit Plan Guidelines. The guidelines categorizee audits in thee following areas: Financial, Operational, Compliance and Information Technology. Additionally, the Enterprise Risk Management (ERM) model is primarily used as a basis for risk assessment and audit selection. ERM is a continuous, pro active and systematic process to understand, manage and communicate e risk from a University wide perspective. The process identifies riskss for the core business processes withinn the University at the executive (Tier 1), mid of management (Tier 2), and department/operation levels (Tier 3) and it also allows for the development risk responses to manage the risks. University Compliance Services, through their facilitation processes, worked with the University s President and executive management to generate an Executive Level Risk Assessment of the institution as a whole. Additionally, University Compliance Services facilitated mid management risk assessments using the ERM model in the following areas: The Office of Internal Audit utilized the results of these reviews to focus the audit plan in high risk areas. In developing the FY 2015 Audit Work Plan, the Office of Internal Audit used the ERM as the primary risk assessment methodology. Risk assessments were used in identifying audits, considering such factors as degree of risk, management input, time since the last audit for the high risk activity, and availability of audit resources. Input on the Audit Plan was received from executive management and members of the UT Arlington Institutional Audit Committee, which members consist of executive management and three members outside the University. Mav Express Office off Development Office off Informationn Technology Police Department Special Event Venues Student Affairs Student Financial Aid University Center Page 30
A list of additional riskss ranked as high that were identified yet have nott included in the fiscal year 2015 audit plan are as follows: Risks ranked as high not covered in the FY 2015 Audit Work Plan Governance and Leadership: Inability to adjust tuition while state revenues are declining Information Technology: Impact of shared services on campus (e.g. HR/FIN and TXSIS) Information Technology: Inadequate resourcess to support information technology infrastructure Information Technology: Inadequate security of information resources in decentralized departments Research: Inadequate resources to support the expanding research mission of the institution Facilities Operations: Inability to fund the campus master plan (new construction, capital renewal and campus edge development) Facilities Operations: Inadequate security staffing levels Non Audit Explanation/Mitigation There is a process in place that determines tuition rates. An audit was recently conducted by the State Auditor's Office on enrollment reporting that encompassed some of the elements of the tuition setting process. Currently, there are discussions between UT Arlington's Office of Information Technology and UT System on the disposition of Shared Services at the ARDC. Thus, it is not warrantedd to audit at this time. IT Management has received additional funding and now believes that there is enough funding for infrastructure upgrades, etc. The Office of Research is concerned with people resources. Theree is a process in place to fund research projects, including acquisition of research personnel through Human Resources. Other risks were determined to be moree critical and audit effort will be focused there. This pertains to not being able to provide adequatee security at venues when the facilities are rented out. A project like this would be better served by consulting with industry experts and not Internal Audit. Internal Audit Action Audit conducted in FY 2014 concerning servers in decentralized areas. The THECB Peer Review (review of facility additions during the past five years required to be submitted to the Coordinating Board) conducted in FY 2013 covered this area. Page 31
Student Services: Student Conduct (e.g. sexual assaults, harassment, hazing, etc.) Student Services: Inability to predict and/or prevent studentt crisis situations Academicc Support: Inadequate resourcess to support instructional mission state funds The Office of Student Conduct is responsible for the implementation of the Student Conduct & Discipline Handbook of Operating Procedures. Other risks were determined to be moree critical and audit effort will be focused there. Predicting a crisis is nonn auditable. The University has processes in place to monitor activity. This includes training programs and the Behavior Intervention Team. State appropriations aree determined by legislativee processes and are an inherent risk. University management has limited direct influence over state funds received. Academicc Support: Disaster Recovery Planning/ /Business Continuity Plan The TAC 202 Audit includes a review of the Disaster Recovery and Business Continuity Planning. VII. External Audit Services Procured in Fiscal Year 2014 SAO Conducts A 133: for Research and Student Financial Aid Deloitte & Touche LLP: Annual Financial Statement Report audits D. Stafford & Associates: Clery Act, Title IX Review VIII. Reporting Suspected Fraud and Abuse In accordance with Section 7.09 Fraud Reporting, General Appropriations Act (83 rd Legislature, Conference Committeee Report), Article IX, and with Texas Government Code, Section 321.022, Coordination of Investigations, UT Arlington has implementedd the following: The fraud reporting direct link to the state is maintained on the Reports to State (Resources Section bottom of page) link on the University s home page: www.uta.edu. UT Arlington policies have been updatedd to provide information on reporting fraud involving State Funds to the SAO. Policies and Procedures have been updated for the requirement that the Chief Administrative Officer shall report suspected fraud to the State Auditor s Office. Page 32