Audit Committee Presentation FY2011 Audit Plan (annual risk assessment) August 16, 2010
INTERNAL AUDITS ACADEMIC ENTERPRISE

Are research and development expenses expended in accordance with the terms of individual grants and State, Federal, and University regulations?
Review research grants procedures and test a sample of payroll expenses to ensure compliance with these procedures and external regulations.

Is financial aid awarded only to eligible students consistent with the terms of the various award programs?
Review student financial aid procedures and test a sample of loans to ensure that eligibility requirements are met and financial aid is disbursed accurately.

Do construction and supply chain vendors doing business with the University comply with the provisions of their contracts?
Review commercial contracts of selected vendors and projects. The Ottawa House construction project has been selected for review thus far.

Are operating departments across the University accountable for the business management responsibilities assigned to them?
Review the operating practices of staff departments, determining conformance with purchase card, procurement, record management, and other administrative policies.
INTERNAL AUDITS CLINICAL ENTERPRISE

Is there appropriate separation of duties between employees receiving customer payments and preparing accounting records for UTMC and its business partners?
Review procedures for accounting for patient payments and recognition of billable revenue between UTMC and University of Toledo Physicians.

Do the pharmacies accurately record the receipt and disbursement of drugs and supplies?
Review the quality of perpetual inventory management procedures at the UTMC inpatient pharmacy.

Are all billable transactions captured at the time of patient diagnosis and fully reflected in customer bills?
Review the accuracy and reliability of the charge master databases, the charge capture process, and procedures for maximizing patient margins.

Is UTMC maximizing its potential with regard to customer satisfaction and nursing and physician productivity?
Participate in UTMC's various strategic programs, assisting in identifying and evaluating best practices and performance metrics.
SUPPORT FUNCTIONS

Are accounting transactions captured, classified, and properly reported in the financial statements?
Conduct a Control Self-Assessment of finance and accounting procedures and controls. Test the roll-up of accounting transactions into the financial statements.

Do recent changes in purchase card and procurement operating practices result in an increased level of internal control and employee accountability?
Review recently-drafted policies and procedures in these areas. Benchmark these procedures with peer organizations, and determine departmental compliance with these procedures.

Are payments made to suppliers accurately, taking advantage of available discounts?
Review accounts payable procedures, identifying and recovering erroneous and duplicate disbursements.

Do the systems that accept the entry of employee time minimize the likelihood of errors and abuse and promote the accuracy of employee pay?
Review business processes and system controls over the API timekeeping system that reduce the incidence of edits, corrections, and adjustments.
INFORMATION TECHNOLOGY

Has the upgrade of the Enterprise Resource Planning computer system been fully tested prior to implementation?
Participate in the Banner 8 new systems development project as a controls consultant and review the nature and extent of user testing and acceptance.

Does the human resource management computer system under development promote a streamlined and secure process flow between Human Resources, Payroll, and operating departments?
Participate in the People-Admin new systems development project as a controls consultant and identify opportunities for system and process integration between diverse stakeholder business functions.

Do application development and consulting vendors doing business with the University comply with the provisions of their contracts?
Review commercial contracts of selected vendors and projects. The Digital Campus IT project has been selected for review thus far.

Is information and software processed in the data center environment secured and protected?
Review IT general controls, such as information security and change control, that impact numerous computer systems.
INTERCOLLEGIATE ATHLETICS

Does the University appropriately record income from barter agreements, sports camps, and other athletics ventures?
Review athletics revenue-generating agreements ("outside income") and confirm that stated obligations have been met by all parties.

Are football attendance statistics accurately recorded and reported in a timely manner to the National Collegiate Athletics Association (NCAA)?
Review and certify attendance counts for all University home football games per NCAA regulations.

Does the multimedia rights holder and sports marketing arm of the University comply with its financial and operating agreements with the University?
Review financial and operating procedures at Rocket Sports Properties (a property of Learfield Sports). Rocket Sports Properties is a recently-contracted relationship with the University.

Do travel expenses incurred by student-athletes and athletics administrators comply with NCAA rules?
Review team travel expenses processed by the agency used exclusively by the Athletics Department. Determine compliance with NCAA rules on team travel.
COMPLIANCE REVIEWS ACADEMIC ENTERPRISE

Are ethics issues reported by employees, students, and business partners resolved appropriately and in a timely manner?
Update the Audit Committee on the nature and resolution of ethics reports made to the Anonymous Reporting Line.

Are erroneous financial and operating transactions detected and acted upon in a timely manner?
Develop and implement real-time exception reporting for audit follow-up purposes.

Is the University operationally prepared for full compliance with the Higher Learning Commission and other accrediting bodies?
Verify the submission of curriculum self-assessments by academic departments. Advise the Provost's Office on ways to ensure compliance and internal consistency.

Does the University comply with Federal requirements pertaining to the minimization of identity theft?
Accumulate, review, implement, and audit compliance with Red Flags procedures focused on preventing identity theft and promoting security of consumer credit.
COMPLIANCE REVIEWS CLINICAL ENTERPRISE

Is access to hospital computer information systems restricted to a need-to-know basis, as determined by the employee's role within the organization?
Review access privileges to all clinical informatics systems, including the ability to readily determine the access levels of all employees.

Is UTMC prepared for upcoming changes to coding of medical transactions?
Review system and documentation requirements to ensure readiness for future ICD-10 coding classifications.

Is UTMC taking appropriate steps to ensure compliance with Joint Commission accreditation standards on an ongoing basis?
Review Joint Commission standards, determining whether effective UTMS problem identification/resolution procedures are in place relative to these standards.

Does the compliance plan protect the academic and clinical enterprises from significant violations of the law and internal policies, as well as preserve the confidentiality of patient and student information?
Update the Audit Committee on the nature and resolution of clinical and academic compliance and privacy events processed by the University (including HIPAA, FERPA, Stark Law, etc.).