Washington State University
Office of Internal Audit
FY 2015 Audit Plan

The purpose of the Audit Plan is to outline the audits and other activities the WSU Office of Internal Audit will conduct during fiscal year 2015. The types of audits listed in the plan demonstrate the variety of approaches Internal Audit takes to address its mission of assisting the University in achieving its goals and objectives in an efficient and effective manner. Deliverables for audits and projects may include audit reports, technical assistance, data analysis, and other written and oral communications.

Audits and projects in the plan were primarily identified through a University-wide risk assessment process. This process includes surveys, interviews, data analysis, and research of audit issues and trends. From this process, 36 unique areas/issues were identified. An independent IT risk assessment was also performed to rank the 18 Control Family Categories defined by NIST (National Institute of Standards and Technology). IT Security and IT Contingency Planning were issues common to both the general assessment and the IT-specific process.

Because not all issues identified during the assessment process are auditable, and audit resources limit the number of projects that can be engaged, further assessment is performed to evaluate and rank the identified concerns based on: the likelihood of the risk concern occurring, the potential impact to the University if the risk event occurred, and auditor judgment. As a result, we identified eight audits and two consulting engagements that will include technical advice to engage, along with continuous auditing in the areas of travel, cash and time reporting. Further description of the audits is provided below.

The specific scope of each audit in the plan will be determined once the audit team has completed its audit planning process for each engagement.
The audit planning process includes consideration of the risk management, control and governance processes in place to provide reasonable assurance that:

- Information is accurate, reliable and timely.
- Employee actions are in compliance with policies, standards, procedures and applicable laws and regulations.
- Operations are efficient and effective.
- Resources are acquired economically, used efficiently, and adequately protected.
The planned audits and projects for FY 2015 are as follows:

| Project | Purpose |
|---|---|
| IT Contingency Planning | Assurance audit - per NIST standards, perform procedures to ensure continuity of IT operations/data recovery in the event of loss, breach or other impact to services. |
| Cybersecurity Insurance | Advisory - provide analysis and recommendation pertaining to insurance coverage in the event of a cybersecurity incident occurring. |
| Athletics | Risk assessment will be performed at engagement of audit to define scope. |
| Physical Security | Assurance audit - assess controls over keys. |
| FISMA | Advisory - provide assessment of ability to comply with FISMA (Federal Information Security Management Act of 2002) related to IT infrastructure and systems. |
| Grant reporting | Assurance audit - assess controls to ensure timely, accurate and reliable reporting. Grants to be selected based on further risk assessment at project engagement. |
| Human Subject Research | Assurance audit - evaluate program for compliance with federal requirements. |
| Select Agents | Assurance audit - ensure adequate controls are in place to provide security and safeguarding of biological agents used in research. |
| Department Review | Assurance audit - review of controls over general fiscal processes including payroll, purchasing, revenue and assets. Specific department to be identified by audit team as further planning procedures engaged. |
| Service Centers | Assurance audit - evaluate operations and controls over operational, financial and compliance requirements. Service centers for review to be selected as a result of further risk assessment at engagement planning. |
Other Types of Audits/Activities

Continuous Audits

Continuous auditing is the application of computer-assisted audit tools and techniques to organizational processes, transactions, systems and/or controls to provide greater audit coverage. Benefits of continuous auditing include the review of 100% of auditable transactions/data in a scope period versus a sampling, the identification of errors or other issues through frequent monitoring and review, and the facilitation of trend analysis to identify problems and/or other concerns. In prior years, continuous auditing has been performed in the areas of cash receipting, purchasing cards, time and leave reporting and travel. As a result of risk assessment, areas for consideration of continuous auditing include cash handling, travel expenses and time reporting.

Follow-up Audits

Audits and formal investigations yielding a report with actionable recommendations will have a follow-up review conducted 6-12 months after the audit report is issued to evaluate management response and corrective action.

Advisory Assistance/Consulting

Internal audit staff may participate and/or assist University members in developing and maintaining strong governance, risk management, and control processes and systems. Activities may include serving as a member of a work group or committee, and providing consultative advice on financial, operational and compliance issues. Auditors also assist as audit liaison between the University and external audit groups.

Ethics Advisor

The Director of Internal Audit is the University's Ethics Advisor. In this role, she serves as liaison between the University and the Washington State Executive Ethics Board, providing to University members guidance on ethics rules and advising on policy statements.

Internal Audit Major Goals for FY 2015

- Complete at least 80% of audit projects listed;
- Provide value-added recommendations to improve controls, mitigate identified risks and increase efficiency and effectiveness within operations;
- Improve efficiency of audit activities and audit reporting, resulting in quicker turnaround of audit results without compromising quality;
- Continue to develop data mining tools and processes to effect more timely and complete review of the selected functions, and share these processes with management for their use as related to their ongoing management and oversight responsibilities;
- Continue to engage in opportunities to develop the skills and expertise of auditors, including active participation in peer conferences by attendance, organization and serving as conference faculty; and,
- Achieve positive recommendations for improvement as a result of Quality Assurance Review, to be engaged in FY 2015, in accordance with Institute of Internal Audit Standards.

Audit Resources

The audit plan for FY 2015 is based on a professional staffing complement of six auditors: three staff auditors, an IT auditor, an audit manager, and the director. In addition, each academic semester a student intern is recruited for a .5 FTE appointment.

Approximately 70% of Internal Audit's available resources are committed to the completion of planned audit projects and follow-up audit procedures. The remaining 30% is held as contingency for unplanned activities such as consulting, liaison activities and investigations. Available resources include all workable hours per FTE less a 20% reserve for employee professional development, administrative projects (e.g. internal quality improvement projects) and internal administration, including issues pertaining to personnel.

We have a number of audit projects from prior year audit plans that were initiated but not yet completed. The amount of carryover work into FY 2015 is greater than normal due in part to staffing fluctuations.
It is a normal part of the audit process for a few audits begun in the last few months of the year to be completed and issued in the following year.

The audit plan was submitted for review by the Audit Steering Committee on November 26, 2015.
Office of Internal Audit Status Update

Reporting period: July 1 - September 30, 2014

Internal Audit engages in three primary activities: audits, advisory services and investigations. Our focus is to assist management to understand financial and compliance risk and exposures. Audit activities completed during the reporting period and included within this status report demonstrate the variety of approaches Internal Audit takes to address its mission of assisting the University in achieving its goals and objectives in an efficient and effective manner.

This status report includes the results of one investigation and one follow-up review completed in the reporting period:

| Project | Audit/Project Name | Status |
|---|---|---|
| I 15-01 | Conference Conflict | Investigation |
| P 12-04F | VTH Accounts Receivable follow up | 12 of 19 prior issues resolved |

Planned audits in progress: Consulting: Policy Manual Continuous Audit: Pcards Continuous Audit: Travel Research Lab Safety Grant Administration Compliance Risk Assessment Accounts Receivable IT Contingency Planning (FY 2015)

Other Audit Activity

During this reporting period, IA was also involved in the following projects:

- Consulting to operating units and University members as requested: 16 advisories on topics of internal controls, ethics, policy review and system reviews. Auditor time invested in consulting/advisories ranged from 15 minutes to six hours each.
- Facilitate education: training (four sessions) for the University community on internal controls, audit and fraud.
- Professional engagement:
  o WSU IA team hosted Pacific Northwest Higher Ed Internal Audit conference in August, 30 attendees from 10 institutions

WSU Internal Audit Status Report FY 2015, Q1, December 11, 2014
  o IA Director served as faculty for one session at the annual conference of the Association of College and University Auditors (ACUA) and continues in third year on ACUA Membership committee
- As audit liaison, provided ongoing support for external,
  o One active SAO Whistleblower investigation, closed post quarter 10/14/14
  o One referred SAO Whistleblower - IA designated to perform investigation, in progress

The audit team includes three staff auditors, IT auditor, audit manager, director and audit intern. Audit resources are sufficient to ensure minimum continued professional education and support for the audit team. Provisions are made for equipment and audit-related travel expenses as needed.

COMPLETED REPORTS SUMMARY

Report #I 15-01, Conference Conflict

Summary

Our office was contacted to review assertions of conflict of interest and misuse of resources. We found sufficient evidence to substantiate the assertions and provided recommendations to the unit, Global Campus, accordingly. In addition, opportunities for improvement to controls in the areas of personnel and time management were noted and communicated to the unit.