FROM HINDSIGHT TO FORESIGHT REPOSITIONING INTERNAL AUDIT TO DELIVER HIGHER VALUE Repositioning Internal Audit FY 2016-FY2017 Audit Resource Deployment Plan Resources and Staffing Supplemental Materials
Repositioning Internal Audit: Building Blocks of the New Internal Audit Function Our relationships embody We deliver insight and foresight We serve the audit profession respect, insight, balance, trust, to our colleagues and in the Commonwealth of and care. stakeholders through: Virginia, the higher education industry, and around the We value: Professional competence. globe. Leadership development. Business acumen. We collaborate and share our Focus on Cornerstone Plan and Civility. knowledge generously. Health System strategy. The voices of our stakeholders. Data-driven analyses. We set the bar for excellence We operate transparently. and leading practice in Our network of colleagues and We are aware of our impact. internal auditing. connections throughout the We have an enterprise view. University and the profession. 2
How we built the risk-based audit plan Audit Universe TO BUILD THE AUDIT PLAN WE ESTABLISHED AN “AUDIT Academic Div: UNIVERSE” AND ASSIGNED U.Va.’s Budget System RISK WEIGHTINGS: Hierarchical Org Data (Unit, Expenditure $, Grant $, FTEs) MC/Health System: May 2015 Operating Margin Report Strategic Objectives : Enterprise Risks : Cornerstone Plan U.Va. Health System Strategy 1 . Funding to achieve goals 2. Management of human capital 3. Legal compliance • Relevant UVA ERM 4. Keeping pace Risks Industry Risks : 5. Reputation w/key stakeholders • Regulatory Higher Ed 6. Geo-political and economic Compliance Healthcare • Emerging practices risks Peer Benchmarking (e.g. ACO, Value Based 7. Safety/security Hot Topics Care) 8. Cybersecurity/leveraging IT 9. Org/operational efficiencies Stakeholder input including: ACR Chairman, MC Cabinet, EVP/COO, IT Leadership, Provost’s Office 3
Audit Resources Deployment FY 16-FY 17 Academic Med Center IT Team Team Team Cybersecurity IT Governance and Standards Clinical Engineering Faculty Recruitment and IT Asset Management Charge Capture Retention Change Control and System Research Expansion Initiative Configuration Integrated Team Audits and Reviews Fiscal Stewardship (Pan-University) EPIC Phase 2 Implementation Managerial Reporting Implementation PeopleSoft Upgrade Physical Safety and Security Integrated Assurance: Compliance Oversight Verification Data Privacy Segregation of Duties (Oracle, PeopleSoft, EPIC) Audit Department Process Improvements 4
Audit Department Resources (future) Chief Audit Current vacancies in red Redeployment of resources in green Executive Office Manager • Maintains current 17 • Will need to evaluate position headcount while where specialization of increasing Managers’ span audit skills is required as Director HS and of control (3 rd Director role we make new hires/shift Director IT Audit University Audits not replaced) current resources/co- source • Reporting location of Special Projects Manager HS Health System (HS) Assoc Dir IT Manager (all areas) Audits Auditors depends on skill sets of TBD Director • Audits will be conducted using pooled resource Senior IT Auditor Senior Auditor Senior HS Auditor approach where possible. • Integrated Assurance Administrative reporting • Continuous would remain as shown. Monitoring/Fraud New Hire New Hire Risk Senior Auditor Senior IT Auditor HS Auditor • Hotline follow up New Hire IT Auditor Staff Auditor HS Auditor 5
Unpacking the Audit Plan: Potential Scope of Audit Plan Topics SUPPLEMENTARY MATERIALS 6
Unpacking the Plan: Potential Scope Areas Academic Team Audit Why Selected Potential Scope Curry School of Education In progress from prior year plan • Degree audit • Centers and Clinics: licensure, background checks, patient health data, revenue generation/charge capture • Academic Programming Faculty Recruitment and • Cornerstone Pillar IV: • Large program governance Retention Assemble and Support a Effectiveness of risk • Distinguishing Faculty management for strategically • ERM Risk: Management of critical program Human Capital Research Expansion Initiative • Cornerstone Pillar II: Advance • Large program governance Knowledge • Effectiveness of risk ERM Risks: Funding to Achieve management for strategically • Goals; Keeping Pace critical program 7
Unpacking the Plan: Potential Scope Areas Med Center Team Audit Why Selected Potential Scope Pyxis Medstation Access Review In progress from prior year plan • User provisioning • Evaluation of biometric access usage Clinical Engineering • Cyber/ Data Security of Patient • Data security and privacy Information practices Patient Care/Safety & Quality Device maintenance • • of Patient Care scheduling and equipment • ERM Risk: Legal and monitoring procedures Compliance • Useful life monitoring and • Staff Productivity evaluation Charge Capture • OIG Workplan • Evaluation of facility/technical Margin Management • fee billing by the MC for nurse • ICD-10 Implementation only and procedure visits • EMR/Medical Documentation • Billing of Medications and Med • Regulatory Billing Compliance Administration Value Based Care • Healthcare Industry Major • TBD in partnership with MC Trend leadership 8
Unpacking the Plan: Potential Scope Areas IT Audit Why Selected Potential Scope Information Security, Policy, and • KPMG 2015 IT Security • Governance/Standards Records Office Assessment • Information Security Policy • CEB 2015 Audit Plan Hotspots • Monitoring Procedures PCI Compliance Data Loss Prevention • • • Malware Prevention Cybersecurity ERM Risk: Cybersecurity/ Incident response • • Leveraging IT • Network • CEB 2015 Audit Plan Hotspots • Operating Systems • KPMG 2015 IT Security • Databases (data-at-rest) Assessment • BYOD (Bring Your Own Device) Change Control and System Key general computing Student Information System • • Configuration controls (SIS) • KPMG 2015 IT Security • Oracle & PS HR and FIN Assessment modules • EPIC 9
Unpacking the Plan: Potential Scope Areas IT (Cont.) Audit Why Selected Potential Scope PeopleSoft Significant Upgrade Privileged User Access • • • Data Privacy • SOD • Service/Generic Accounts • Patching Procedures • Database Security IT Asset Management KPMG 2015 IT Security • IT Inventory Management: Assessment Central and Non-Central Assets and Systems • Termination Handling • Disposal Procedures Disaster Recovery Key general computing Replication Process • • controls • Testing • Changing Technology • Key Metrics and SLAs 10
Unpacking the Plan: Potential Scope Areas Integrated Team Audits and Reviews Audit Why Selected Potential Scope Fiscal Stewardship Cornerstone Pillar V: Steward the • Key internal financial controls University's Resources to Promote • Unit-level fiscal discipline Academic Excellence and • Application of University Affordable Access Financial Model EPIC Phase 2 Implementation (HS • Significant financial • Program governance Revenue Module) application • Access/data security • Significant capital expenditure • Configuration settings • Segregation of duties Managerial Reporting • Significant financial application • Data security Implementation • Significant capital expenditure • Data integrity Physical Safety and Security ERM Risk: Safety/security of • Clery audit follow up students, faculty and staff • Police training • Physical security • Building access 11
Unpacking the Plan: Potential Scope Areas Integrated Team Audits and Reviews (Cont’d) Audit Why Selected Potential Scope Integrated Assurance • ERM Risk: Legal and Effectiveness of 2 nd line of defense Compliance compliance functions: • Higher Education Industry risks • NCAA • Reputational risks • Environmental Health & Safety • CEB 2015 Audit Plan Hotspots • Research-related (OSP, IRB) • Corp Compliance (Med Ctr) • Title IX • Clery Act • ARMICS (“Government SOX”) Privacy • ERM Risk: Legal and • PII (Personally Identifiable Compliance Data) • CEB 2015 Audit Plan Hotspots • Student Data • HIPAA compliance • Cloud and mobile environments Segregation of Duties • Foundational fraud risk control • Oracle • Data security and integrity • PeopleSoft • Reporting accuracy • EPIC 12
Recommend
More recommend
