UNIVERSITY OF VIRGINIA BOARD OF VISITORS
Meeting of the Audit, Compliance, and Risk Committee
June 7, 2018

AUDIT, COMPLIANCE, AND RISK COMMITTEE
Thursday, June 7, 2018, 11:00 a.m. – 12:00 p.m.
Upper West Oval Room, The Rotunda

Committee Members:
Babur B. Lateef, M.D., Chair
Robert M. Blue
Mark T. Bowles
L.D. Britt, M.D.
Frank M. Conner III, Ex-officio
Margaret F. Riley
Adelaide Wilcox King, Faculty Consulting Member
AGENDA (page numbers refer to the meeting packet)
I. REMARKS BY THE COMMITTEE CHAIR (Dr. Lateef) (Page 1)
II. ACTION ITEMS
   A. Risk-Based Audit Plan for FY2019–FY2020 (Ms. Saint) (Page 2)
   B. Revised Audit and Compliance Charters (Ms. Saint and Mr. Nimax) (Page 4)
III. COMMITTEE DISCUSSION
   A. Auditor of Public Accounts (APA) Audit Entrance Meeting for Fiscal Year 2018 (Ms. Bianchetto to introduce Mr. Sandridge, who will report) (Page 16)
   B. Enterprise Risk Management (ERM) Program: FY2018 Report and FY2019 Program Goals (Mr. Matteo) (Page 17)
IV. WRITTEN REPORTS
   A. Office of Audit and Compliance and UVA Health System Compliance FY2018 Reports (Page 23)
   B. FY2018 Fourth Quarter Audit Follow Up Status Report (Page 29)
   C. Ufirst Status Report (Page 31)
UNIVERSITY OF VIRGINIA BOARD OF VISITORS AGENDA ITEM SUMMARY
BOARD MEETING: June 7, 2018
COMMITTEE: Audit, Compliance, and Risk
AGENDA ITEM: I. Remarks by the Committee Chair
ACTION REQUIRED: None
BACKGROUND: Dr. Babur Lateef, the Committee Chair, will open the meeting and provide an overview of the agenda.
UNIVERSITY OF VIRGINIA BOARD OF VISITORS AGENDA ITEM SUMMARY
BOARD MEETING: June 7, 2018
COMMITTEE: Audit, Compliance, and Risk
AGENDA ITEM: II.A. Risk-Based Audit Plan for FY2019–FY2020
BACKGROUND: UVA's internal audit plan provides assurance on the effective functioning of the University's significant risk mitigation activities, internal controls, and foundational processes. The plan is risk based, aligned with strategic initiatives, and focused on what matters most to the community of UVA stakeholders: the Board of Visitors, executive leaders, students, faculty, staff, regulators, award sponsors, patients, parents, and alumni.

To build the plan, the Audit Department relies on risk assessments and mitigating action plans provided by UVA's Enterprise Risk Management program, Institutional Compliance, and Health System Compliance. Risk assessments are further informed by benchmarking with R1 and Ivy Plus institutions, input and requests from management and the Board of Visitors, and professional auditor judgment.

A dynamic approach to deploying the University's internal audit resources allows the Audit Department to remain flexible and relevant to changing priorities and emerging risks. The Audit, Compliance, and Risk Committee will be briefed on changes to the approved plan as needed throughout the year.
UVA Audit Department FY2019–FY2020 Proposed Two Year Plan:

Lead Audit Team | Risk Prioritized Audit Topics
(Audit timing determined by assessment of current institutional priorities; detailed scope determined at time of audit.)

Audit Coverage: Pan-University
IT & Health System | Ufirst Project Health Check: provide feedback on project risk mitigation (through launch in January 2019)
Health System | Research Compliance Administration
Health System / Co-Sourced | Construction Contract Audits (specific capital projects to be determined)
IT | Research Computing Security (Ivy Secure Computing Environment)
Academic & Health System | COSO Internal Controls Framework Pilots (Payroll and Financial Reporting Processes)
Academic | Financial and Budgetary Management Processes
Academic | Presidential Travel and Expenses (conducted annually)

Audit Coverage: Academic Division
Academic | International Student and Scholar Support
Academic | Dining Services
Academic | Student Health & Counseling
Academic | Athletics Drug Testing Program (ACC Follow Up Request)
IT | Security and Integrity of Key Instructional Systems
IT | Network Infrastructure & Security: Vulnerability & Patch Management
IT | Third Party IT Vendor Management; Cloud System Vendor Risks
IT | Disaster Recovery & Business Continuity Planning

Audit Coverage: Health System
Health System | Revenue Cycle: Charge Capture (Procedures and Surgeries)
Health System | Epic as a Platform: Managing Ongoing System Upgrades and New Functionality
Health System | Outpatient Clinical Set Up
Health System | Patient Friendly Access (PFA): Registration and Scheduling Processes
Health System | Clinical Trials Billing (Epic)
IT | Network Infrastructure & Security: Vulnerability & Patch Management
IT | Disaster Recovery & Business Continuity Planning
IT | Third Party IT Vendor Management; Cloud Vendor Risks
IT | HIPAA Compliance – EPHI Security

Audit Coverage: UVA's College at Wise
Academic | Comprehensive Risk Assessment with Specific Audits to Follow
IT | General Computer Controls for Key Local UVA Wise Systems

ACTION REQUIRED: Approval by the Audit, Compliance, and Risk Committee and by the Board of Visitors

AUDIT DEPARTMENT FY2019–FY2020 AUDIT PLAN
RESOLVED, the Audit Department FY2019–FY2020 Audit Plan is approved as recommended by the Audit, Compliance, and Risk Committee.
UNIVERSITY OF VIRGINIA BOARD OF VISITORS AGENDA ITEM SUMMARY
BOARD MEETING: June 7, 2018
COMMITTEE: Audit, Compliance, and Risk
AGENDA ITEM: II.B. Revised Audit and Compliance Charters
BACKGROUND: The internal audit department (Audit Department) and the institutional compliance function (Institutional Compliance) were combined in September 2017 to form the Office of Audit and Compliance. The new structure is intended to enable greater collaboration and coordination of efforts related to compliance risks.

Prior to the combination, Institutional Compliance reported directly to the Executive Vice President and Chief Operating Officer. In the new structure, the AVP for Compliance reports directly to the Chief Audit Executive. These structural changes and administrative edits needed to align the documents necessitated revisions to both charters.

Marked-up versions of the current charters provided on the following pages show the proposed changes.

ACTION REQUIRED: Approval by the Audit, Compliance, and Risk Committee and by the Board of Visitors

AUDIT DEPARTMENT CHARTER
RESOLVED, the updated Audit Department Charter, dated June 7, 2018, is approved as recommended by the Audit, Compliance, and Risk Committee.

INSTITUTIONAL COMPLIANCE CHARTER
RESOLVED, the updated Institutional Compliance Charter, dated June 7, 2018, is approved as recommended by the Audit, Compliance, and Risk Committee.
UNIVERSITY OF VIRGINIA INTERNAL AUDIT DEPARTMENT CHARTER

Purpose: Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The UVA Office of Audit and Compliance assists UVA's Board of Visitors and University management in the discharge of their oversight, management, and operating responsibilities by providing independent assurance and consulting services to the University community. Our services add value by improving the control, risk management and governance processes to help the University achieve its business objectives.

Internal Auditing Policy: It is the policy of the University to establish and support the Office of Audit and Compliance to assist the University in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the University's governance, risk management, and internal controls. The internal audit activity's responsibilities are defined by the Audit, Compliance, and Risk Committee (ACR Committee) of the Board of Visitors (Board) as part of its oversight role.

Authority: The internal auditor, with strict accountability for confidentiality and safeguarding records and information, is authorized to have full, free, and unrestricted access to any and all of the University's records, physical properties, and personnel pertinent to carrying out an engagement.

All employees are requested to assist the Audit Department in fulfilling its roles and responsibilities. The internal audit activity will also have free and unrestricted access to the ACR Committee and its chairman.

Organization: The Chief Audit Executive will report functionally to the ACR Committee chairman, and administratively to the President of the University.
The ACR Committee will:
• Approve the Audit Department charter.
• Approve the risk based audit plan.
• Approve the internal audit budget and resource plan.
• Receive communications from the Chief Audit Executive on the Audit Department's performance relative to its plan and other matters.
• Approve decisions regarding the performance evaluation, appointment, or removal of the Chief Audit Executive.
• Approve the remuneration of the Chief Audit Executive.
• Make appropriate inquiries of management and the Chief Audit Executive to determine whether there is inappropriate scope or resource limitations.

The Chief Audit Executive will communicate and interact directly with the ACR Committee, including in executive sessions and between ACR Committee meetings as appropriate.
Professional Standards: UVA's Office of Audit and Compliance will govern itself by adherence to The Institute of Internal Auditors' Mandatory Guidance, which includes the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing.

The Office of Audit and Compliance will adhere to the University's relevant policies and procedures as well as the Generally Accepted Government Auditing Standards of the Government Accountability Office.

Core Principles for the Professional Practice of Internal Auditing: The Office of Audit and Compliance will continuously strive to be effective by operating in a manner consistent with the IIA's Core Principles:
• Demonstrates integrity.
• Demonstrates competence and due professional care.
• Is objective and free from undue influence (independent).
• Aligns with the strategies, objectives, and risks of the organization.
• Is appropriately positioned and adequately resourced.
• Demonstrates quality and continuous improvement.
• Communicates effectively.
• Provides risk-based assurance.
• Is insightful, proactive, and future-focused.
• Promotes organizational improvement.
Independence and Objectivity: The internal audit activity will remain free from interference by any element in the University, including matters of audit selection, scope, procedures, frequency, timing, or report content, to permit maintenance of a necessary independent and objective function. The Chief Audit Executive must disclose such interference to the ACR Committee and discuss the implications. Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair internal auditors' independence or judgment. Internal auditors may provide assurance services for areas previously consulted, provided the consulting services did not impair objectivity.

Internal auditors will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors will make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.

The Chief Audit Executive will annually evaluate reporting lines and responsibilities and confirm to the ACR Committee annually the organizational independence of the Office of Audit and Compliance.
Responsibility: The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the University's governance, risk management, and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve the University's stated goals and objectives. This includes:
• Evaluating the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.
• Evaluating risk exposure relating to achievement of the University's strategic objectives.
• Assessing whether the information technology governance of the organization supports the organization's strategies and objectives.
• Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
  o In order to enable this responsibility, the Office of Audit and Compliance will participate in the planning, development, implementation, and modification of major computer-based and manual systems to ensure that:
    (a) adequate controls are incorporated into the system;
    (b) thorough system testing is performed at appropriate stages;
    (c) system documentation is complete and accurate; and
    (d) the resultant system is a complete and accurate implementation of the system specifications.
• Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the University.
• Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
• Evaluating the effectiveness and efficiency of resource utilization.
• Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
• Assessing and making appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
  o Promoting appropriate ethics and values within the organization
  o Ensuring effective organizational performance management and accountability
  o Communicating risk and control information to appropriate areas of the organization
  o Coordinating the activities of and communicating information among the board, external and internal auditors, and management.
• Monitoring and evaluating the effectiveness of the organization's risk management processes.
• Performing consulting services related to governance, risk management, and control.
• Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the ACR Committee or management.
• Evaluating specific operations at the request of the ACR Committee or management, as appropriate.
• Reporting periodically on the purpose, authority, and responsibility of the Office of Audit and Compliance and on performance relative to its plan.
Internal Audit Plan: At least annually, the Chief Audit Executive will submit to senior management and the ACR an internal audit plan for review and approval. The internal audit plan will consist of a work schedule as well as budget and resource requirements for the next year. The Chief Audit Executive will communicate the impact of resource limitations and significant interim changes to senior management and the Board.

The internal audit plan will be developed based on a prioritization of the audit universe using a risk-based methodology, including input of senior management, the ACR, and the Board.

The Chief Audit Executive will review and adjust the plan, as necessary, in response to changes in the organization's business, risks, operations, programs, systems, and controls. Any significant deviation from the approved internal audit plan will be communicated to senior management and the ACR through periodic activity reports.
Audit Department Services: The Chief Audit Executive is empowered to conduct assurance services, special audit projects, reviews, or investigations at the request of the Board, ACR Committee, President, General Counsel, EVP Provost, EVP Chief Operating Officer, EVP Health Affairs, or their designee, to assist management in meeting its objectives, promoting economy and efficiency in the administration of, or preventing and detecting fraud and abuse in, its programs and operations. The Office of Audit and Compliance may also provide consulting services, beyond the Audit Department's assurance services, to assist management in meeting its objectives. Examples may include facilitation, process design, training, and advisory services.

Coordination with External Auditing Agencies: The Chief Audit Executive, with the goal of avoiding duplication of work, will coordinate the office's audit efforts with those of the Commonwealth of Virginia's Auditor of Public Accounts, or other external auditing agencies as applicable, by participating in the planning and definition of the scope of proposed audits so the work of all auditing groups is complementary and their combined efforts provide comprehensive, cost-effective audit coverage for the University.
Reporting and Monitoring: A written report will be prepared and issued by the Chief Audit Executive or designee following the conclusion of each internal audit engagement and will be distributed as appropriate. Internal audit results will be available for review by the ACR and the Board of Visitors.

The internal audit report will include management's response and corrective action taken or to be taken in regard to the specific findings and recommendations. Management's response to audit findings and recommendations should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented.

The Office of Audit and Compliance will be responsible for appropriate follow-up on its engagement findings and recommendations. All significant findings will remain in an open issues file until cleared. The ACR will receive periodic reporting from the Chief Audit Executive on the status of management's action plan implementation.

The Chief Audit Executive will periodically report to senior management and the ACR on the internal audit activity's purpose, authority, and responsibility, as well as performance relative to its plan. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management, the ACR, or the Board.
Quality Assurance and Improvement Program: The Chief Audit Executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program must include both internal and external assessments to evaluate the internal audit activity's conformance with the Standards and an evaluation of whether internal auditors abide by the Code of Ethics.

External assessments must be conducted at least once every five years by a qualified independent assessor or assessment team from outside the organization.

The Chief Audit Executive must discuss with the ACR Committee:
• The form and frequency of external assessment;
• The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.

The program will also assess the efficiency and effectiveness of the internal audit activity and identify opportunities for improvement.

The Chief Audit Executive must communicate results of the quality assurance and improvement program to senior management and the ACR Committee.

Updated on June 8, 2017 (marked up for revision June 2018)
UNIVERSITY OF VIRGINIA COMPLIANCE CHARTER

Mission and Purpose:
The University of Virginia's compliance function supports the University's fundamental commitment to the highest standards of ethics, integrity, and lawful conduct by promoting adherence to all applicable federal, state, and local laws and regulations, as well as standards and internal policies and protocols.

Institutional compliance promotes greater coordination of and consistency among individual University compliance programs, covering a wide variety of requirements related to academics, athletics, human resources, research, health care, information technology, and numerous administrative functions. The University established a compliance program to prevent, detect, and respond appropriately to potential violations of law and to foster a corporate culture that promotes integrity and ethical behaviors in all matters relating to compliance.

Authority:
The Assistant Vice President for Compliance, with strict accountability for confidentiality and safeguarding of records and information, is authorized to have full, free, and unrestricted access to any and all of the University's records, physical properties, and personnel pertinent to carrying out compliance investigations and to review and monitor compliance issues. All employees are requested to assist the compliance function in fulfilling its roles and responsibilities.

Organization:
The Assistant Vice President for Compliance oversees institutional compliance activities and programs to confirm they are reasonably designed, implemented, communicated, and enforced. To facilitate effective oversight, the Assistant Vice President for Compliance coordinates and chairs the Compliance Network, a University-wide network of functional compliance officers.
The Assistant Vice President for Compliance reports to the Chief Audit Executive (previously to the Executive Vice President and Chief Operating Officer). The Chief Audit Executive reports functionally to the ACR Committee chairman, and administratively to the President of the University. The Audit, Compliance, and Risk (ACR) Committee will:
• Approve the Compliance Charter and periodically reassess it for continued relevance.
• Receive communications from the Assistant Vice President for Compliance regarding compliance strategies, plans, and other relevant matters.
• Make appropriate inquiries of management and the Assistant Vice President for Compliance to determine whether all compliance efforts have the necessary resources and scope.
• Support leadership for the compliance program by promoting and supporting a University-wide culture of ethical and lawful conduct.

The Assistant Vice President for Compliance will communicate and interact directly with the Chair of the ACR Committee, including in executive sessions and between committee meetings as appropriate, to ensure direct access to the board.
Professional Standards
The compliance function's objective is to establish and promote standards that meet the U.S. Federal Sentencing Guidelines' criteria for an effective compliance program:
1. Compliance standards and procedures to prevent and detect criminal activity;
2. Oversight by high-level personnel, with periodic reporting to the board from individuals with operational responsibility;
3. Due care in delegating substantial discretionary authority;
4. Effective communication and training to all levels of employees;
5. Systems for monitoring, auditing and reporting suspected wrong-doing without fear of reprisal and for periodically evaluating the effectiveness of the compliance and ethics programs;
6. Consistent enforcement of compliance standards including disciplinary mechanisms and appropriate incentives to perform in accordance with the compliance and ethics program; and
7. Reasonable steps to respond to and prevent further similar offenses upon detection of a violation.

In addition, the Medical Center's compliance program also follows the program elements defined in the Department of Health and Human Services' Office of the Inspector General's "Compliance Program Guidance for Hospitals".
Responsibilities:
Members of the University community having responsibility for a specific area of compliance must ensure the following:
• Oversight of compliance in their specific functional areas;
• Adherence to the University's compliance policies;
• Implementation of corrective action as necessary, arising from compliance reviews and/or investigations.

The role of the Assistant Vice President for Compliance is to remain well-informed on the content and operation of the University's compliance and ethics program in order to exercise reasonable oversight of the effectiveness of the program, including:
1. Standards of Conduct / Policies and Procedures: confirming that the University implements policies, procedures, training programs, and internal control systems that are reasonably capable of reducing misconduct and that comply with relevant regulatory requirements.
2. Compliance Roles and Responsibilities: establishing clear roles and responsibilities across the University.
3. Compliance Oversight: exercising reasonable oversight over compliance activities by requesting and receiving updates from compliance officers.
4. Reporting and Investigative Mechanisms: confirming that the University maintains an effective mechanism for stakeholders to report or seek guidance regarding potential or actual wrongdoing.
5. Correction and Prevention: working with the University's senior leadership to promote and enforce compliance through appropriate incentives and disciplinary measures.
6. Culture of Integrity and Compliance: promoting the University's culture of integrity and compliance through communication of compliance standards and policies.
Interaction with Audit and Enterprise Risk Management:
The Assistant Vice President for Compliance will work closely with colleagues in the Office of Audit and Compliance to assess and prioritize which compliance areas present the greatest risk and need for attention, based on regulatory environment and complexity, overlap with University strategic plans, and consequences of non-compliance. Managers with responsibility for specific areas of compliance will evaluate their individual compliance efforts against a list of criteria necessary to have an effective compliance program.

The Enterprise Risk Management (ERM) program is designed to identify and mitigate key institutional risks. For example, one category of risk to be considered is legal and regulatory compliance risk. The regular review of compliance requirements may highlight an emerging institutional risk. Conversely, the identification of key institutional risks may guide the work of the compliance function and initiate a mitigation strategy that the University may use to address a given risk.

Updated on June 7, 2018
UNIVERSITY OF VIRGINIA BOARD OF VISITORS AGENDA ITEM SUMMARY
BOARD MEETING: June 7, 2018
COMMITTEE: Audit, Compliance, and Risk
AGENDA ITEM: III.A. Auditor of Public Accounts (APA) Audit Entrance Meeting for Fiscal Year 2018
ACTION REQUIRED: None
BACKGROUND: The Auditor of Public Accounts of the Commonwealth conducts an annual audit of the University and the Medical Center and reports findings to the Board of Visitors. Ms. Bianchetto, Vice President for Finance, will introduce Mr. Eric M. Sandridge, who will discuss with the committee the fiscal year 2017-2018 audit.

Eric M. Sandridge is the Director of Higher Education Programs for the Virginia Auditor of Public Accounts. His current responsibilities include management of the office's Higher Education Programs Specialty Team and project management oversight for various agencies and institutions of the Commonwealth. He also coordinates required federal audits at the Commonwealth's institutions of higher education and NCAA Agreed Upon Procedures engagements. He is a member of the National State Auditors Association (NSAA) Audit Standards and Reporting committee and the NSAA Single Audit committee. He is a graduate of the College of William and Mary and is a CPA, CISA, and CGFM.
UNIVERSITY OF VIRGINIA BOARD OF VISITORS AGENDA ITEM SUMMARY
BOARD MEETING: June 7, 2018
COMMITTEE: Audit, Compliance, and Risk
AGENDA ITEM: III.B. Enterprise Risk Management (ERM) Program: FY2018 Report and FY2019 Program Goals
ACTION REQUIRED: None
BACKGROUND AND DISCUSSION: Mr. James Matteo, Associate Vice President and Treasurer, will report on the ERM program and will review the attainment of the FY2018 goals, discuss program goals for FY2019, and share the FY2018 ERM Annual Report. The ERM Goals for FY2018 included:

1. Enhancing communication and discussion among executives and board members related to key risk management. Over the past year, BOV committee chairs were introduced into ERM risk mitigation discussions. ERM key risks were assigned to appropriate BOV committees, and committee chairs were engaged in discussions with risk leads and executive owners. This effort engaged BOV members in the risk management process and helped the University gain additional perspectives on mitigation plans and mitigation confidence.

2. Strengthening risk management efforts through better understanding and use of risk appetite and key risk indicators. This past year, the University held the first meeting of risk leads from the Academic Division and Health System. The goal of the meeting was to strengthen and standardize risk ledgers, provide a forum to share experience, and introduce risk appetites into the risk management discussion.

3. Updating the ERM charter. The ERM charter was updated in September 2017, primarily to make the following changes:
• Redefining the mission of the ERM effort
• Clarifying the objectives of the program
• More clearly defining the roles supporting the program
• Recognizing the creation of Risk Management Networks at the Academic Division and Health System

4. Better aligning and integrating ERM efforts with University planning and audit cycles. The timing of the ERM cycle has been realigned to coincide with the University's annual goal setting and audit planning processes. As ERM is informed by the University goals and helps inform the audit plan, this realignment has helped the program find its fit within existing planning activities.
The ERM Goals for FY2019 include:
• Fully onboarding the College at Wise. While the College at Wise has been included in the Academic Division's ERM effort, the University would like to expand the program to specifically address Wise's unique environment and risks.
• Building a risk interaction map. Many of the key risks of the Academic Division and Health System overlap (e.g., research, IT). Many risks and their mitigation plans affect departments across the University. The goal is to build a map that captures these interactions and identifies risks that may fall between or span organizational areas.
• Migrating ERM data into a new Governance, Risk, and Compliance ("GRC") system. The Office of Audit and Compliance is planning to implement a new GRC system. We are planning at this time to migrate ERM data into this system.

The second annual ERM executive report follows. It includes the key risks of the Academic Division and Health System, a heat map of the key risks, and a brief synopsis of the past and future years' activities.
UNIVERSITY OF VIRGINIA BOARD OF VISITORS AGENDA ITEM SUMMARY
BOARD MEETING: June 7, 2018
COMMITTEE: Audit, Compliance, and Risk
AGENDA ITEM: IV.A. Office of Audit and Compliance and UVA Health System Compliance FY2018 Reports (Written Reports)
ACTION REQUIRED: None
BACKGROUND: The Office of Audit and Compliance and the UVA Health System Compliance Office's reports summarizing FY2018 accomplishments follow.
FY2018 Audit Department Year in Review
Highlights of Work Performed, Insights Delivered, and Continuous Improvements Made

Throughout the year, the Audit Department worked alongside management to provide real-time assurance on controls and risk mitigation effectiveness for the University's most important initiatives. Signature projects for the year included:

Minors Protections and Title IX Complaint Management
Assembled a team of experts to evaluate UVA's policies and procedures for ensuring the safety of minors in programs across Grounds and at the College at Wise. Work wrapping up at the time of this report.

UVA Archives and Special Collections
Audit report equipped the Dean of Libraries and UVA leadership with detailed recommendations for security improvements to safeguard UVA's priceless treasures for future generations of scholars.

Undergraduate Safety in Labs, Shops, and Studios
The audit undertook a comprehensive analysis of the Environmental Health & Safety Department's processes for ensuring UVA students have a safe environment in which to learn. Outside consultants were able to rely on the audit report to partially reduce their project scope, avoiding associated costs.

Safety and Security Review: Margolis Healy
The Audit Department, together with the AVP for Clery Compliance, provided program management to coordinate and track the efforts of outside consultants Margolis and Healy to assess safety and security policies and procedures following the events of August 11 and 12.

Travel and Expense Management
Following the University's implementation of new policies and systems for travel (TravelUVA) and expense management (ExpenseUVA) in 2017, the audit highlighted the need to improve controls and oversight for $70 million in annual expenditures.

Introducing the Office of Audit and Compliance
In September 2017, Institutional Compliance joined the Audit Department to create the Office of Audit and Compliance. This new organizational assurance model puts key elements of corporate governance—assurance and institutional compliance—under one umbrella. In FY2019, we will continue to leverage the benefits of the combination:
• Improved communication and coordination
• Alignment of priorities
• Joint participation on relevant projects
• Reduced complexity for stakeholders
• Effective sharing of information and data for improved risk

Other Projects Delivered
• Ufirst HR Transformation Project — project health checks communicated lessons learned from the transition between the project's phases and emphasized the need to improve alignment on objectives between the Academic Division, Health System, and UPG.
• Institutional Base Salary — in-depth analysis of UVA's institutional base salary computations, the foundation of costing for sponsored research, resulting in recommendations for the Workday implementation.
• Medical Center Procurement — confirmed effective functioning of controls over purchases of goods and services at the Medical Center.
• Medical Device Procurement and Security — collaborated with Health System IT and Clinical Engineering to establish a baseline for security of networks running sensitive medical devices in the Medical Center.
• Strategic Investment Fund — recommendations for continued strengthening of procedures and controls over SIF were presented to the BOV's SIF Administrative Committee.
• Presidential Travel and Carr's Hill Expenses — performed annually at President Sullivan's request.
• NCAA Football Attendance — annual analysis performed as an NCAA FBS requirement.
• Foundation Relationship Assessment — provided advice and assistance to Treasury's risk assessment.

Support Provided to University Initiatives
The Audit Department participated in a variety of steering committees and workgroups across FY2018. In addition to ongoing roles on the Finance Projects Advisory Council, ERM Risk Network, Policy Review Committee, and the IT Security Advisory Committee, we helped UVA tackle specific projects including:
• NIST 800-171 Controlled Unclassified Information (CUI) Compliance — participated on a cross-functional team to define controls over UVA's CUI-designated secure IT environment for researchers. We also participated on the CUI for Student Financial Data workgroup.
• Advisory Committee on the Future of the Historic Landscape — provided administrative support to this Dean's Working Group subcommittee.
• Finance Transformation — helped evaluate RFPs received from potential Finance Transformation consulting partners.
University and UVA Health System Compliance: Accomplishments FY2018
University Compliance Goals - Fiscal Year 2017-18
1. Reviewed and updated the university's Code of Ethics for review with new senior leaders in FY18-19, prior to seeking approval by the Board of Visitors.
2. Completed the onboarding of the medical center's new Compliance and Privacy Officer, including the operational changes necessary to convert to a medical center position.
3. Completed compliance reviews related to the digital accessibility project on a multi-year project plan. A new policy was completed and posted regarding background checks and the on-going responsibility for employees to disclose criminal convictions. Continued to review Ufirst compliance, including a discussion of related compliance concerns and a demonstration of the new learning management system with the Compliance Network.
4. Reviewed and updated the compliance risk assessment conducted in partnership with Internal Audit and General Counsel to confirm the strength of the university's compliance efforts. This assessment evaluated which compliance areas present the greatest risks, based on the consequences of non-compliance, levels of effort necessary to address regulatory changes, regulatory scrutiny, and cross-functional coordination.
5. Obtained additional software licenses for our incident management system and completed training for staff to expand the marketing and use of the helpline.
UVA Health System Compliance FY2018 Summary Report
1. Restructured the Medical Center Compliance & Privacy Office to create a complete team; established developmental goals and actively mentored team members in accomplishing them; created awareness within the health system through targeted compliance and privacy communication and training; provided routine interaction and support to managers and their teams in issue resolution, as well as the standard functions of auditing and compliance investigation and documentation.
2. Reviewed the findings of the prior compliance risk assessment conducted by former Medical Center compliance leaders in partnership with University Compliance, Internal Audit and General Counsel; updated the tool in preparation for redeployment to examine the compliance areas of greatest risk based on the consequences of non-compliance (legal, operational, and reputational), levels of effort necessary to address regulatory changes, regulatory scrutiny, and cross-functional effort.
3. Performed a series of coding audits to examine compliance with regulatory requirements for documentation of medical necessity for appropriate admissions, accurate coding, billing and reimbursement from Medicare for specific services; also in support of Revenue Cycle processes and data integrity post-Epic Phase II.
UNIVERSITY OF VIRGINIA BOARD OF VISITORS AGENDA ITEM SUMMARY
BOARD MEETING: June 7, 2018
COMMITTEE: Audit, Compliance, and Risk
AGENDA ITEM: IV.B. FY2018 Fourth Quarter Audit Follow Up Status Report
ACTION REQUIRED: None
BACKGROUND: IIA Standard 2500: Monitoring Progress requires the chief audit executive to establish and maintain a system to monitor the disposition of results communicated to management. The chart below displays the status of management's action plans through May 31, 2018.
Details of Open Past Due Action Plans:
Audit | Past Due Action Item | Priority Rating | Action Plan Owner
Archives and Special Collections | Security System Administration: General system policies and procedures under development in tandem with security system upgrade – project completion expected August 2018 (Due 1/1/18) | P1 | Guy Mengel, Director Library Facilities and Security
Archives and Special Collections | Security System Administration: Routine maintenance plans and regular testing schedule also being developed in tandem with security system upgrade (Due 1/1/18) | P1 | Guy Mengel, Director Library Facilities and Security
Archives and Special Collections | Training: Establish and implement formal training programs (security and fraud awareness) for ASC staff (Due 2/1/18) | P1 | Heather Riser, Harrison-Small Director of Operations, and ASC Standing Security Committee
Archives and Special Collections (ASC) continues to pursue solutions and funding for the following past due action plans, which were all classified with Priority 2 ratings.

Environmental Conditions: The fire suppression system in Harrison-Small still has the potential to damage the collection if used (initial discharge of discolored water). While a Novec 1230 or Inergen system could be installed to limit damage to collection materials, a study would need to be completed to determine costs to supplement or replace the current water-based system. The library will continue to pursue ways to mitigate risk, including identifying funding for system supplementation/replacement. (Due 9/1/17)

Security Cameras: Installation of cameras in the processing room was not part of the current security and camera upgrades. While some risk is accepted as a result of that decision, ASC will pursue a design for the installation and implementation of processing room cameras in the future. (Due 9/1/17)

Theft Risk – Internal: Consistent with the decision to not check belongings of employees when exiting areas where collections items are stored, a policy requiring inspections was not developed. Though personal items are prohibited from storage/stack areas, collection items are temporarily stored in staff areas while being processed and consulted. At this time, ASC will not check personal belongings of employees when exiting staff areas, and will pursue ways to restructure staff space to accommodate lockers and to identify funding for this type of renovation. (Due 3/1/18)
UNIVERSITY OF VIRGINIA BOARD OF VISITORS AGENDA ITEM SUMMARY
BOARD MEETING: June 7, 2018
COMMITTEE: Audit, Compliance, and Risk
AGENDA ITEM: IV.C. Ufirst Status Report
ACTION REQUIRED: None
BACKGROUND: Ms. Kelley Stuck, Vice President and Chief Human Resources Officer, prepared the following report on the status of the HR transformation project called Ufirst.

Decision to Reschedule Software Launch
In late March, the University announced the decision to reschedule the launch of the supporting technology for the HR Transformation, Workday, from July 2018 to January 2019. This decision was recommended by Vice President for Human Resources Kelley Stuck and Ufirst Project Executive Director Sean Jackson, and was supported by the organization. We have emphasized from the beginning of this project that service and quality are our most important objectives. We knew this would be a particularly challenging project, given our aggressive timeline and the complexities of integrating data and functionality across the Academic Division and Health System. The rescheduled launch date of January 2019 will allow the team to finalize the necessary changes, complete testing, and be confident in the accuracy of the payroll and benefits deductions, the two most critical areas from our customer's point of view.

Since the Decision
The Ufirst project team has updated the published communications and training schedules for Workday and will continue to engage and educate University faculty, staff, and team members throughout the coming months. Other important elements of the HR and Payroll transformation will continue to move forward as planned. Operating under the new organizational model without the benefit of the Workday software is challenging and will likely be frustrating at times for both HR and their customers. However, the longer transition period will also allow for further alignment and cleanup of processes and practices across Grounds.
The Ufirst Project teams have created a series of seven quality gates from now through November that must be met to achieve our goal of a successful January Workday launch. Each of the Quality Gates is supported by a detailed project plan. To ensure that we remain aware of and responsive to the numerous risks that confront a project of this magnitude and complexity, we will continue to take advantage of third-party guidance through Gartner's Independent Verification and Validation and UVA Internal Audit's Project Health Check processes.

Progress to Date
Our progress to date has been substantial:
The new HR Organization (UVA HR) is staffed and continuing to transition work from the Schools/Units and deliver services in the new model during this period of transition.
HR Business Partners have been selected, trained and have transitioned to schools and units, supporting human resource priorities and ensuring that HR service expectations are being met.
The HR Solution Center, launched in December 2017, is achieving and maintaining extraordinarily high satisfaction ratings (4.5+ out of 5).
The Payroll transformation is proceeding with new streamlined processes designed and configured in Workday to support the new Payroll organization.
We have built over 300 HR and Payroll processes and a new HR service delivery structure to which resources are now aligned.
Employee data has been integrated into a single data source to support the new service delivery model.
We have successfully tested the processes for recruitment, hiring, setup of compensation, and learning program enrollment in the Workday environment.
The Ufirst project represents a significant step forward for the University and plays a critical role in our ability to attract and retain exceptional faculty, staff, and team members committed to teaching, research, and patient care. We are confident that the revised schedule provides us with the time necessary to deliver on this promise.