Board of Visitors Audit, Compliance, and Risk Committee
June 10, 2016
Audit, Compliance, and Risk Committee Agenda
I. Remarks by the Committee Chair
II. Consent Agenda
• Corporate Compliance and Privacy Office Project Schedule for Fiscal Year 2017
III. Committee Discussion
A. Auditor of Public Accounts (APA) Audit Entrance Meeting for Fiscal Year 2016
B. Audit Department Activities Report
C. University Compliance: Medical Center Compliance and Privacy Office Staffing Report
D. Enterprise Risk Management (ERM) Program Report
IV. Closed Session
Corporate Compliance And Privacy Office Project Schedule For Fiscal Year 2017
RESOLVED, the Corporate Compliance and Privacy Office Project Schedule for the Medical Center for fiscal year 2017 is approved as recommended by the Audit, Compliance, and Risk Committee.
Auditor of Public Accounts FY2016 Audit Entrance Meeting
Audit Department FY 2016 Activities
FY2016 Highlights
Rebuilt and Stabilized Audit Team
• Hired and on-boarded 3 audit directors.
• Hired and on-boarded a seasoned IT security professional as Senior IT Auditor.
• Team completed a skills self-assessment as the foundation for a training and development plan.
• Hosted the annual College and University Auditors of Virginia (CUAV) conference at the Darden School of Business.
Risk Based, Strategically Relevant Audit Approach
Audit Operations
• Created a data-driven audit risk universe and plan, relevant to strategic objectives and ERM risks.
• In the design phase of forward-thinking methodologies relevant to our decentralized environment, including Fiscal Stewardship, a data-driven analysis of internal control risk indicators.
• Implemented a new audit reporting template that includes audit finding prioritization, improved executive summaries, and management's responses.
• Using risk tags for enhanced reporting and tracking of audit findings and management action plans.
FY2016 Highlights
Completed Audit Projects
• Procurement
• Outpatient Charge Capture (University Medical Associates)
• Presidential Travel & Entertainment Expenditures
• General Ledger Transfers
• OSIG hotline investigations
• 10 follow-up audits
• FY15 year-end inventory procedures
Audit Projects In-Flight as of June 30, 2016
• Curry School of Education (finalizing management action plans for report issuance)
• Distributed IT Systems Current State Assessment (draft report)
• Epic Phase 2 Implementation Project Health Check (first checkpoint report issued; ongoing assessment of project risks occurs throughout implementation)
• Fiscal Stewardship: refining metrics for key risk indicators; moving to proof of concept mid-summer
• System Security: Privileged Access—Health System (planning)
• Ivy Cloud Security and Governance (planning)
University Compliance: Medical Center Compliance and Privacy Office Staffing Report
ERM Program Update
Jim Matteo, Associate VP & Treasurer
ERM Priorities
• Reposition & Enrich Program
• Enhance Board Reporting
• Onboard Health System
ERM Priorities Timeline
Task | Due Date | Status
Reposition the ERM Program:
  Adopt ERM Charter | Feb. 19, 2016 | X
  Launch Risk Management Council | Mar. 21, 2016 | X
  Update ERM Framework | May 31, 2016 | X
  Update Key Risks (Identification & Assessment) | Sep. 1, 2016 |
Enhance Board Reporting | Sep. 1, 2016 |
Onboard Health System | Q4 FY 2017 |
  Assessment of Risk Structure
  Formation of Health System Risk Management Network
  Development of Key Risk List
ERM Governance Architecture (diagram)
• BOV – Audit, Compliance, and Risk
• President and Cabinet
• Risk Management Council
• Risk Management Network – Health System
• Risk Management Network – Academic Division
ERM Risk Universe (diagram)
• Strategic: Strategic Plan Execution; Industry Trends; Market Risk
• Operational: Process; Compliance; Technology; Safety/Security; Governance; Business Continuity; Controls
• Stakeholder: UVa Brand Positioning; Market Demand; Accreditation; Financial Ratings; Community Standing
• Resources: Human; Financial; Physical
ERM Process Framework (diagram)
• Objective Setting
• Risk Identification
• Risk Assessment
• Risk Response / Ownership
• Risk Management (Controls, Monitoring, Reporting)
Source: Based on COSO and NCSU ERM Initiative Frameworks
ERM Process – Next Steps
Risk Identification
• Interview key stakeholders to refresh the current key risk list (last updated in 2014).
Risk Assessment
• Working with Internal Audit and Compliance to measure and prioritize key risks.
• Assessment results to be reviewed by governance parties to develop a composite ranking.
Risk Ownership
• Following Identification and Assessment, identify or re-identify owners of Key Risks.
Risk Management
• Risk Owners are responsible for putting in place Controls to manage each risk, Monitoring to evaluate control effectiveness, and Communication of management activities.
Resume Open Session and Adjourn