Annual Report on Internal Audit Activities 2007-08


Page 2: Annual Report on Internal Audit Activities 2007-08


I. Executive Summary – Introduction (page 3)
II. Internal Audit Program--Results & Analysis (page 9)
    A. Statistics (page 10)
    B. Systemwide and Significant Individual Audit Results (page 13)
    C. Significant and Recurrent Internal Control Issues (page 15)
    D. Statistical Information – Coverage and MCAs (page 18)
III. Internal Audit Program—Benchmarks & Improvement Initiatives (page 28)
Appendix 1 Internal Audit Organizational Chart (page 33)

ANNUAL REPORT ON INTERNAL AUDIT ACTIVITIES 2007- 08

Page 3: Annual Report on Internal Audit Activities 2007-08


I. Executive Summary – Introduction

This Annual Report on Internal Audit Activities serves two purposes.

• Communicates outcomes of Internal Audit activities. The report conveys significant issues identified and addressed, progress toward ongoing improvement and corrective actions, and continuing challenges to the University’s control and compliance efforts.

• Demonstrates the accountability of the Internal Audit Program. The report addresses utilization of our resources, performance metrics and benchmarks, and adherence to professional standards and The Regents Internal Audit Charter. In this regard, our report is consistent with and supportive of President Yudof’s accountability initiatives.

Through a program of planned audits, supplemental audits, advisory services, and investigations, 652 reports were issued containing 2,253 Management Corrective Actions, which are summarized and analyzed in this report.

The Internal Audit Program became a part of the new Office of Ethics, Compliance and Audit Services during the year. The purpose and function of the Internal Audit Program remain essentially the same; however, this report and our future plans demonstrate substantial interaction between Audit and Compliance, as many of the audit activities carried out or planned support compliance initiatives.

Page 4: Annual Report on Internal Audit Activities 2007-08

Highlights

During FY08, the UC Internal Audit Program:

Rendered 652 audit, advisory services, and investigation reports resulting in 2,253 recommendations for improvements to internal controls that produced agreed upon Management Corrective Actions (MCAs)

Validated the closure of nearly 1,800 Management Corrective Actions that strengthened controls, as follows:

● Beginning MCA Number – 610
● MCAs added – 2,253
● MCAs closed – 1,790
● Current open inventory of MCAs – 1,073

Met or exceeded benchmarks for:

● Productivity--86% (goal 85%)
● Completion of the Audit Plan--80% (goal > 70%)
● Coverage of matters assessed as High Risk* (73%)
● Coverage of Core* Audit areas--23% (target of 20-33% for a 3-5 year cycle)

* See definitions at Page 11

Page 5: Annual Report on Internal Audit Activities 2007-08

Highlights (cont’d)

Participated in a number of University initiatives related to:

Governance

• Development of Policy on Educational Loan Practices
• Establishment of Audit Committee processes for LANS and LLNS

Risk

• Enterprise Risk Management—KPMG Survey
• Enterprise Risk Management—Reporting Tool Initiative

Compliance

• HIPAA Strike Teams addressing training, monitoring and enforcement
• Conflict of Interest reporting Process Assessment
• Executive Compensation-Reporting and Control Recommendations

Control

• Systemwide IT Security Self Assessment against UC Policy IS 3
• Special Review of Budgetary Funds Transfer Process
• Willed Body Program Task Force Recommendations
• Development of PI Fiscal Accountability Training

Restructuring

• UCOP Business Restructuring—Formation of Business Resource Center
• Office of Research—Restructuring of Special Research Programs

Page 6: Annual Report on Internal Audit Activities 2007-08


Highlights (cont’d)

Continuous Improvement of the Internal Audit Program:

• Conducted a Quality Assurance Review pursuant to IIA professional standards.

• Launched a certification initiative to increase the number of UC auditors achieving the professional designation as Certified Internal Auditors.

• Sponsored and participated in academic-led research studying measures of staffing adequacy for internal audit in higher education (partnered with the Institute of Internal Auditors Research Foundation and the Association of College and University Auditors).

• Developed systemwide project management systems and tools

• Created a Task Force of internal IT subject matter experts to develop strengthened systemwide programs and capabilities

Page 7: Annual Report on Internal Audit Activities 2007-08


Summary and Conclusions

In conjunction with the over 650 completed Audit, Advisory Services and Investigation reports issued, we identified no conditions that we believed to represent material deficiencies in internal controls to the University system as a whole from a financial standpoint. In addition, while we acknowledge that management has ultimate responsibility for establishing internal controls to manage risks, we identified no circumstances in which we believe that management’s decisions resulted in the acceptance of unreasonable levels of risk.

Further, based on our FY08 work, we can assert the following as being generally true with no reportable exceptions:

1. Management of the University is cognizant of their responsibility for internal controls and takes seriously the need for controls and accountability.

2. There is respect for the objectives of the Internal Audit Program; a high level of cooperation is received, and there is no interference with either the accomplishment of our tasks or our responsibilities to report to The Regents.

3. Managers actively participate in the identification of risks and work collaboratively with Internal Auditors to address issues raised during Audits, Advisory Services engagements, and Investigations.

Page 8: Annual Report on Internal Audit Activities 2007-08

Summary and Conclusions (cont’d)

4. Management is comfortable seeking out Internal Audit for advice and consultation on matters with internal control implications.

5. Matters of importance are reported to The Regents.

Although we did not identify material control deficiencies, there are opportunities for the University to implement more effective controls in a number of areas and there are ongoing challenges to effective controls and compliance as indicated by the frequency of observations regarding:

• Information security
• Information privacy
• Supervision, monitoring and account reconciliations
• Timely and accurate effort reporting
• Conflict of Interest/Commitment reporting
• Business continuity and disaster recovery planning
• Adequate separation of duties

See Section II.C at pages 15-17 for a more detailed discussion of internal control challenges and opportunities.

Page 9: Annual Report on Internal Audit Activities 2007-08

II. Audit Program Results & Analysis

Introduction

The data contained in the following section provides:

• Summary statistical information for the year;

• Systemwide and significant individual audit results; and

• Significant and recurrent control issues.

The data is summarized and analyzed by type of audit service and across functional areas of the University, demonstrating the breadth of coverage. Audit findings are analyzed by functional area, severity, and status of corrective actions.

Page 10: Annual Report on Internal Audit Activities 2007-08

A. STATISTICS

See also information on staffing and turnover in Section III at pages 29 and 30.

Table 1

| Projects | FY08 Plan | FY08 Actual | Prior Year (2) |
|---|---|---|---|
| Audits | | | |
| Audit Program Hours | 104,159 | 100,049 | 107,576 |
| Percent of total effort | 69% | 67% | 66% |
| Number of Completed Projects | 326 | 286 | 313 |
| Average hours per completed project (1) | 274 | 355 | 319 |
| Advisory Services | | | |
| Advisory Service Hours | 27,494 | 23,630 | 29,835 |
| Percent of total effort | 18% | 16% | 18% |
| Number of Distinct Projects | 96 | 215 | 139 |
| Average hours per completed project (1) | 109 | 97 | 92 |
| Investigations | | | |
| Investigation Hours | 19,989 | 25,657 | 26,777 |
| Percent of total effort | 13% | 17% | 16% |
| Number of Completed Investigations | N/A | 151 | 142 |
| Average hours per completed project (1) | N/A | 197 | 166 |
| TOTAL | | | |
| Audit, Ad Serv., and Investigation hours | 151,642 | 149,336 | 164,188 |
| Percent | 100% | 100% | 100% |
| Total Number of Completed Projects | N/A | 652 | 594 |

(1) Not calculated from the above due to projects in process at beginning and end of period.

(2) Includes LLNL data

N/A - Not applicable to Plan Data

Table 2

| People | FY08 Plan | FY08 Actual | Prior Year |
|---|---|---|---|
| Authorized | 117 | 117 | 126 |
| Average Actual Filled | 105 | 102 | 114 |
| Percent Filled | 90% | 87% | 90% |
| Ending Head count | 108 | 102 | 102 |
| Turnover | N/A | 15% | 13% |
| Training hours per auditor | 74 | 74 | 94 |
| Summary Information | | | |
| Average hours - completed projects | N/A | 233 | 230 |
| Number of projects per auditor | N/A | 6.4 | 5.2 |
| Percent of Audit Plan Completed | 100% | 80% | 79% |
| Other | | | |
| Coverage of Core Audit Hours (3) (4) | 20-33% | 23% | 26% |
| Coverage of High Risk (4) | 80% | 73% | 72% |

(3) 3 to 5 year cycle

(4) see definitions on page 11

Page 11: Annual Report on Internal Audit Activities 2007-08


High Risk Audit Coverage

In conjunction with the audit planning risk assessment, the top ten risks are identified at each campus and medical center, LBNL and UCOP. Coverage statistics for High Risk items relate to completed audits and advisory service projects. All of the risks initially identified as high risks are either subject to current audit work, reassessed based on later data at a lower risk level, or determined to be addressed through another process (e.g. compliance, management initiative), such that all risks initially identified as high are addressed in some fashion.

Coverage of Core Audit Areas

The audit program has identified a number of core business processes and functions (e.g. payroll, hospital receivables, procurement and disbursements) that are subjected to periodic auditing to ensure coverage over approximately a 3-5 year cycle. The result is an audit approach that is fundamentally risk based, but ensures attention to basic business processes and functions with reasonable frequency.

Page 12: Annual Report on Internal Audit Activities 2007-08

The chart below distributes effort by service type (7-Year Trend).

[Chart 1: Effort Distribution by Service Type (7 Year Trend). Vertical axis: Hours, 0 to 140,000. Horizontal axis: fiscal years 2001-02 through 2007-08. Series: Planned Audit Program, Advisory Services, Investigations.]

This chart demonstrates that our continued primary emphasis is the program of regular audits.

The chart also depicts a leveling off of the advisory services and investigation activities. Our goal has been to increase the advisory service activity but special audit work has prevented us from achieving that goal.

Page 13: Annual Report on Internal Audit Activities 2007-08


B. SYSTEMWIDE AND SIGNIFICANT INDIVIDUAL AUDIT RESULTS

Executive Compensation—We continued to perform an annual review of Executive Compensation, verifying the accuracy of the Annual Report on Executive Compensation. While we found the processes for preparing the report to be generally adequate to ensure its completeness and accuracy, we continue to work with the SMG coordinators to strengthen the processes.

Health Sciences Compliance Programs—For year end 2007, we continued to perform an annual review of the Health Sciences Compliance Programs, reviewing their annual reports, program structure adequacy, and conformance to the commitments made to regulators for the conduct of the programs. We concluded that the programs continued to function effectively. For 2008 and beyond, the new Compliance Program under SVP Vacca assumes monitoring of these programs.

Willed Body Programs—We continued to assess the progress toward full implementation of corrective actions resulting from the report of the Task Force headed by former Governor Deukmejian. While progress in certain areas has been slow, the long-awaited system for tracking of all donations, utilization, allocations and disposition is in the process of implementation. We have reported to SVP for Health Sciences and Services Dr. Stobo the continuing needs to complete the secondary phases of the system implementation, finalize the RFID system for material control, and establish a policy for procurement of anatomical material by all UC users.

IT Security—The audit plan for the year anticipated performing a validation of a self assessment carried out by the CIOs at each UC location. While the self assessments were completed, we found that they lacked consistency in applying evaluation criteria that would allow internal auditors to perform uniform validation across the System. As a result, we have worked with UC’s new CIO, David Ernst, on improvements to the process that will be carried out in the current year as a next iteration of the assessments of IT security.

Page 14: Annual Report on Internal Audit Activities 2007-08

B. SYSTEMWIDE AND SIGNIFICANT INDIVIDUAL AUDIT RESULTS (cont’d)

Office of the President, Special Research Programs—At the request of Vice President Beckwith, Internal Audit engaged in a study of organizational structure, compliance with enabling legislation, funding and business practices, and reasonableness of expenditures of the Special Research Programs administered by UC for the state of California. These are the programs related to Breast Cancer, AIDS and Tobacco Related Diseases research. The purpose of the special project was to provide information to VP Beckwith to assist him in reorganization efforts for the research programs.

Education Loan Policy—Based on a systemwide audit assessment of UC’s student lending programs and practices late in the prior year, we were instrumental in the formulation of revised UC Presidential Policy on Education Loan Practices.

Professional School Admissions—At the request of then Provost Humes, and in response to the findings of a UCLA investigation, we performed a systemwide review of admissions practices for professional schools in the health sciences. While the review identified no improper practices, we made a number of recommendations to improve processes, documentation of admissions decision-making criteria and management of potential conflicts of interest that will aid clarity, consistency and transparency.

Major Investigations—Several notable investigations were concluded which have earlier been the subject of communications to The Regents and management. Those with the most significant outcomes and internal control implications include: UC Davis Food Stamp Nutrition Education Program fraudulent expenditures and unallowable costs, UCSD Preuss Charter School grade changes and related matters, UCI Communications payments to a non-existent vendor controlled by an employee, and the UCLA/UC Santa Barbara Electrical and Computer Engineering investigation of payments to a full time employee for services through a temporary services agency. For some of the cases, there remain pending criminal and administrative actions. Internal control contributing factors in the investigations and corrective actions are included in observations expressed in following sections of this report.

Page 15: Annual Report on Internal Audit Activities 2007-08


C. SIGNIFICANT AND RECURRENT INTERNAL CONTROL ISSUES

From the body of audit work performed during the year, including investigations, following are the most significant and recurrent control issues. Many of these are the subject of specific management corrective actions in the environment where the issues were identified, others are the subject of broader systemwide initiatives, while still others are endemic and require continual attention by management.

Information Security—Compliance with University policy (IS 10) is challenging because of the sheer number of electronic devices, their disparate locations, their mobility, and the frequency of change in users needing access to our networks. The CIOs are engaging in self assessment efforts, but department management and employees need to be more vigilant and rigorous in protecting access and content.

Information Privacy—Continuous improvement is needed in assurance of adequate access controls, improved monitoring, frequently refreshed training and enforcement. Recommendations are due in January 2009 from several workgroups relative to HIPAA control improvements.

Effort Reporting—UC’s new effort reporting system provides for improved compliance monitoring. However, while the system can help improve timeliness, it cannot ensure the accuracy of data verified by people knowledgeable about the actual expenditure of effort. External reviews by regulatory agencies have confirmed the need for both improved compliance and cultural awareness of the need for rigorous accountability in reporting effort charged to sponsored projects. A 2008-09 systemwide audit is planned.

Conflict of Interest/Commitment Reporting—University policies and state laws are numerous, complex and subject to multiple reporting mechanisms. In addition to compliance efforts to ensure that reporting requirements are met, guidance on policy/law interpretation and application, and monitoring of reported information are in need of continuous improvement.

Page 16: Annual Report on Internal Audit Activities 2007-08

C. SIGNIFICANT AND RECURRENT INTERNAL CONTROL ISSUES (cont’d)

Supervision, Monitoring and Account Reconciliation—The causal assessment in many investigations identifies poor supervision, failed oversight, and the absence of monitoring activities as root causes. Significantly, Principal Investigators are frequently found wanting in the exercise of fiscal oversight of research funds. UCD is developing PI fiscal accountability training that would benefit other locations as well.

Separation of Duties—The University’s highly decentralized structure creates challenges for separation of duties at the departmental level. The antidote for inadequate separation of duties is usually increased oversight and supervision. Therefore, coupled with the previous observation about inadequate supervision, auditors encounter frequent situations in which employees’ responsibilities are incompatible and there is no mitigating control. As budget cuts result in reduced staffing, the problem can be exacerbated. Guidelines for adequate separation of duties are offered by internal auditors throughout the system, and assistance in assessing the risk of excessive or incompatible duties is also available through training programs.

Business Continuity/Disaster Recovery Planning—While major systems and business processes are the subject of planning, many smaller departments lack plans for business continuity in the event of a disaster or other business interruption and would find themselves unprepared in the face of such an event. Where encountered, auditors make recommendations at the business unit level; however, University leaders could support such efforts by incorporating increased expectations in unit leaders’ goals and evaluations.

Page 17: Annual Report on Internal Audit Activities 2007-08

C. SIGNIFICANT AND RECURRENT INTERNAL CONTROL ISSUES (cont’d)

The University’s control challenges are made more acute by the shortage of resources to address all issues with adequate solutions, especially technology solutions. UC has continued to experience substantial growth without comparable investment in administrative systems and infrastructure, including personnel. Historically, UC has relied on many people-based controls at the transaction or “event” level, together with trust and the goodwill of a committed workforce. With dated systems and a diminishing capacity of people-based processes, the reliability of controls becomes more and more suspect. As a result, the challenges to the control systems are chronic and require new and different approaches.

The creation of the Compliance & Ethics programs is an important new initiative, as is the beginning of the establishment of an Enterprise Risk Management system. In addition, Internal Audit recommends a more aggressive use of continuous monitoring techniques (data mining, analytical and budgetary reviews, scanning for anomalies, etc.) to identify possible aberrant events and to improve oversight as a deterrent to inappropriate behavior.

Page 18: Annual Report on Internal Audit Activities 2007-08

D. STATISTICAL INFORMATION – Coverage and MCAs

As previously indicated, our FY08 audit program work produced 652 audit, advisory service, and investigation reports resulting in 2,253 Management Corrective Actions (MCAs). The chart below depicts the breadth of coverage over the 13 major functional areas of the University. As shown in the table below, the distribution of MCAs correlates closely with the effort expended across the functional areas. This demonstrates that there are opportunities for control improvement wherever our attention is focused.

[Chart 2: Distribution of FY08 Hours by Functional Area. Pie chart; the percentages shown are those in the Hours % column of Table 3.]

Table 3: Comparison of MCAs and Hours

| Functional Area | MCA % | Hours % |
|---|---|---|
| Financial Management | 27% | 27% |
| Campus Departments and Instruction | 14% | 17% |
| Information Technology | 14% | 9% |
| Research & Compliance | 9% | 13% |
| Health Sciences | 8% | 9% |
| Auxiliary, Bus & Employee Support | 6% | 8% |
| Facilities and Construction | 5% | 5% |
| Human Resources & Benefits | 5% | 2% |
| Risk Management | 4% | 2% |
| Office of the President | 4% | 3% |
| Laboratories | 2% | 2% |
| Development & External Relations | 1% | 2% |
| Budget & Planning | 1% | 1% |

Page 19: Annual Report on Internal Audit Activities 2007-08


Each audit finding and its associated MCA is given a rating of high, medium or low risk by the auditors. This judgment is made in a local context, and items identified as high do not necessarily convey material deficiencies or risks beyond the operating environment in which found. A primary objective of this classification is to drive a greater sense of urgency in completing the corrective action and completion of audit follow-up.

High risk MCAs would include those that are systemic or have a broad impact, have contributed to a significant investigation finding, are reportable conditions under our professional literature, create health or safety concerns, involve senior officials, create exposure to fines, penalties or refunds or are otherwise judged as significant control issues.

The chart below shows the risk rating of the 2,253 MCAs for FY08 by service type.

Chart 3: FY08 MCAs by Service Type and Rating

| Service Type | Low | Medium | High | Total |
|---|---|---|---|---|
| Audits | 265 | 1,331 | 321 | 1,917 |
| Advisory Services | 11 | 59 | 9 | 79 |
| Investigations | 71 | 152 | 34 | 257 |
| Total | 347 | 1,542 | 364 | 2,253 |

Page 20: Annual Report on Internal Audit Activities 2007-08


Status of Completion of Management Corrective Actions

MCAs are classified initially as open and are only moved to closed status after validation by auditors that the agreed upon corrective actions have been taken and sustainable improvement has been achieved.

The number of open MCAs increased from 610 to 1,073 at the end of the year because of the significant volume of new MCAs resulting from current year audit activities. The overall churning of MCAs, with closures representing nearly three times the opening volume and nearly 80% of new MCAs, demonstrates that in general management completes the agreed upon corrective action in a timely fashion.

The following charts display the completion status for the entire population of MCAs with more detailed analysis of high risk past due items which are individually reported starting on page 23. We believe that reporting to the Audit Committee the unmitigated high risk audit findings fulfills a core professional obligation.


Page 21: Annual Report on Internal Audit Activities 2007-08

The chart below shows the status of all 11,782 MCAs.

[Chart 5: Status of All MCAs (11,782) as of October 2008. Open and closed counts by rating are given in Table 4.]

Table 4

| MCA Rating | Open | Closed | Total | % closed |
|---|---|---|---|---|
| High | 182 | 2,326 | 2,508 | 93% |
| Medium | 693 | 6,592 | 7,285 | 90% |
| Low | 198 | 1,791 | 1,989 | 90% |
| Total | 1,073 | 10,709 | 11,782 | 91% |

The 91% overall rate of closure of the MCAs to date reflects the success of audit follow-up efforts. The 93% rate of closure for high risk items reflects their appropriately greater attention.

The reasons for untimely completion are unique to each situation; however, a common factor has been delays in systems’ solutions. Resource constraints are the other most commonly cited reason. For all high risk past due items, auditors have determined that the matter is currently receiving the attention needed to bring it to closure in a reasonable time frame.

Page 22: Annual Report on Internal Audit Activities 2007-08

The chart below shows the aging statistics of the inventory of 182 Open High Risk MCAs.

[Chart 6: Aging of the 182 Open/High MCAs as of October 2008. Not Yet Due 89%; 0 - 90 days 6%; 91 - 180 days 1%; 181 - 365 days 3%; 366 - 730 days 1%.]

The majority of the open items (163) are not yet due; however, 19 are past due.

These past due issues have been brought to the attention of senior management and active resolution plans are in process. The goal of reducing these items to zero (or a negligible number occasioned by highly unusual circumstances) is clearly understood and accepted by all responsible for addressing these items.

The 19 past due MCAs are listed on the following pages.

Page 23: Annual Report on Internal Audit Activities 2007-08

Table 5: Past Due High Rated MCAs

Location: UCB
Report Date: 1/17/2007
Report Title: Helen Wills Neuroscience Institute
Audit Issue: The review of the BIC recharge activities found that all billable MRI usage (note that non-billable usage includes pilot programs, calibration, computing, training, and maintenance) is not invoiced.
MCA: Billing and collecting problems have resulted in the Center not operating at a breakeven basis. The Institute agreed to collaborate with the appropriate campus personnel to develop a business model that would sustain the Center and provide for equipment upgrades necessary for maintaining its value to the campus research community.
Original Completion Date: 5/31/2007
Revised Completion Date: 1/15/2009
Current Status: The Institute initiated actions to address the Center’s financial issues, but was unable to develop a business model that would sustain the Center. As of May 2008, the $772,500 deficit from the initial acquisition has been reduced to $285,000 and management expected that the remainder of this deficit will be cleared with the receipt of the final payment of the original gift. However, the operating deficit has grown to over $827,000. In June 2008, the Institute’s research related administrative responsibilities, including the recharge activities, were transferred to a new campus unit called Research Enterprise Services, who are aware of the Center’s recharge issues and plan to have them addressed by January 15, 2009.

Location: UCB
Report Date: 1/29/2008
Report Title: IT Unit Survey--Office of the Registrar
Audit Issue: Network devices were scanned for vulnerabilities and one high risk and several low risk network vulnerabilities were noted.
MCA: OR will establish a regular schedule for scanning for vulnerabilities and remediation no later than February 29, 2008.
Original Completion Date: 2/29/2008
Revised Completion Date: 10/31/2008
Current Status: Since the audit, the Office of the Registrar has experienced turnover in IT staff, has replaced the device with the high-risk vulnerability and other older devices that are more susceptible to vulnerabilities, and implemented a new firewall solution. However, the Office of the Registrar still needs to obtain their own instance of the campus approved vulnerability scanning software, configure their new firewall to permit the scans, and commence scanning and remediation of potential vulnerabilities. They plan to work with Information Services & Technology and System & Network Security to configure their firewall and implement their own instance of the campus’ vulnerability scanning software by the end of October 2008.

Location: UCD
Report Date: 10/24/2007
Report Title: FSNEP
Audit Issue: The FSNEP PI delegated administrative and fiscal responsibility to the Administrative Coordinator without ensuring that an appropriate internal control structure was in place over the related activities.
MCA: A training program will be developed for P.I.s to review their responsibilities for administrative and financial management of contracts and grants. It will address cost sharing and the responsibility of the PI in the certification process.
Original Completion Date: 6/30/2008
Revised Completion Date: 3/31/2009
Current Status: The draft content of the Principal Investigator training has been completed. In the next few months, the campus will be soliciting input on the draft training materials from faculty researchers and others. Concurrently, the campus will be working to develop a web-based module for deploying the training. UCD now expects to have the training program implemented by March 31, 2009.

UNIVERSITY AUDITOR'S NOTE: The UCD developed PI fiscal and administrative responsibilities training will be shared across the System when completed. Compliance and Audit will work with Research VC's, Sponsored Project Offices and others to leverage this resource.

Page 24: Annual Report on Internal Audit Activities 2007-08

24

II. Audit Program Results & AnalysisLocation Report

DateReport Title Audit Issue MCA Original

Completion Date

Revised Completion

Date

Current Status

UCD 10/24/2007 FSNEP The "FSNEP Plan Guidance" requires that weekly time keeping records be maintained by all staff devoting less than 100 percent of their effort to FSNEP. The investigation found a significant number of employees were not maintaining the required time keeping.

The FSNEP PI created a new timesheet form implemented in February 2007 and provided training on the use and requirement of the FSNEP Plan Guidance. In future training, the PI will continue to highlight time reporting requirements.

10/31/2007 6/30/2009 Partially completed. FSNEP has provided and continues to provide training to faculty and staff on the required time records needed to support payroll costs claimed on the grant. FSNEP has been working to established an effective system for ensuring required time records are prepared and retained to support payroll costs. Campus efforts to establish an effective time records system have been delayed partially by on-going negotation with the State on time record requirements. It is expected that all actions on this item will be completed by June 30, 2009.

UCLA 12/20/2007 Arthur Ashe Student Health and Wellness Center

A process has not been developed to formally review and assess P’N’C user access levels.

A process will be developed to formally review and assess, on a periodic basis, the user access levels for the Student Health and Wellness Center. It is planned that the Pharmacy and Laboratory managers will be responsible for this review for their respective systems.

6/20/2008 10/31/2008 The IT department is currently defining all of the permissions available in P'N'C in non-technical terms. There is a high volume of permissions, so additional time is needed.

UCLA 12/20/2007 Arthur Ashe Student Health and Wellness Center

Some P’N’C patient account balances are not accurate or up to date.

To correct problems with patient account balances, the department will implement an automated billing system. This will include work flow and work load monitoring. A procedure will be developed to ensure insurance disallowances are posted.

6/20/2008 1/31/2009 There was a high volume of accounts that needed to be cleaned up. Eighty percent have been completed and staff need additional time to work the remaining accounts.

UCLA 12/20/2007 Arthur Ashe Student Health and Wellness Center

A process has not been established to ensure that product prices loaded in the pharmaceutical vendor’s database are in accordance with UC Novation contracts or the best available price.

A process will be established to ensure that product prices are properly loaded into the pharmaceutical database in accordance with UC Novation contracts or the best available price.

6/20/2008 1/31/2009 Due to staffing constraints in the pharmacy, Student Health is in the process of evaluating whether non-pharmacy staff would be able to assist with reviewing accuracy of prices.

UCLA 10/24/2007 Oral and Maxillofacial Surgery Subgroup Clinic

Follow-up efforts to collect outstanding patient accounts receivable balances need improvement.

In the Oral and Maxillofacial Surgery Subgroup Clinic, the collection of outstanding patient accounts needed improvement. The clinical manager will develop and implement an improved process to collect outstanding patient accounts.

4/24/2008 12/31/2008 The clinic manager is working on improving the process. However, follow-up sampling indicated that further improvements are needed. The implementation has been delayed due to unplanned compliance issues, on which legal counsel has been advising.

UCLA 10/24/2007 Oral and Maxillofacial Surgery Subgroup Clinic

Duties are inadequately separated for some Subgroup employees. These combinations of duties could allow employees to misappropriate payments and conceal the loss.

The Director of Clinical Affairs and Clinic Manager will continue to work to develop a series of policies and procedures that will facilitate work flow, as well as security, in the financial management of the clinic.

4/24/2008 12/31/2008 There are now two cashiers that collect cash, with separate receipts, cash drawers, and lockboxes. The two cashiers complete two separate reconciliations, which are given to a third employee who verifies. However, improvements can be made to better segregate duties. The employee that opens mailed-in payments posts payments. The clinic is continuing to work on further refinements to the process.

UCOP 9/27/2007 UC Merced Information Technology Strategy

UC Merced IT needs to clarify roles and responsibilities consistent with campus expectations.

In response to an observation that UC Merced IT needs to clarify its roles and responsibilities, UC Merced IT will inform the campus of its scope of responsibility and related metrics.

12/31/2007 12/1/2008 Management developed a series of actions in response to this finding. This action was dependent on the completion of other actions, including the establishment of a governance committee. The governance committee's first meeting is scheduled on October 30, 2008 and information related to the UC Merced IT scope of responsibility will follow. Management was unable to implement all the corrective actions associated with this finding as quickly as originally anticipated due to limited resources and shifting priorities, underestimating the extensiveness of activities associated with the growing campus, and difficulties coordinating the time required of the appropriate individuals.

UCOP 9/27/2007 UC Merced Information Technology Strategy

UC Merced IT needs to clarify roles and responsibilities consistent with campus expectations.

In response to an observation that UC Merced IT needs to clarify its roles and responsibilities, UC Merced IT will establish a governance committee with the charge to provide guidance and priorities.

12/31/2007 11/30/2008 Management developed a series of actions in response to this finding. This action was dependent on the completion of other actions. The members of the governance committee have been appointed and the first meeting is scheduled on October 30, 2008. Management was unable to implement all the corrective actions associated with this finding as quickly as originally anticipated due to limited resources and shifting priorities, underestimating the extensiveness of activities associated with the growing campus, and difficulties coordinating the time required of the appropriate individuals.

UCOP 11/14/2007 Administrative Computing- General Controls

Separation of duties is compromised by Database Administrators and System Administrators having access to production data.

A system will be developed and implemented that will monitor the activity of Database Administrators and System Administrators since their current access level compromises separation of duties.

6/30/2008 12/31/2008 The Manager of Mainframe Support has implemented new software which now allows him to monitor the System Administrators' activity on a regular basis. However, he needs to install additional software to review the Database Administrators. That software will not be implemented until December 2008.

UCSB 2/12/2007 Office of Information Technology

OIT had not developed formal Business Continuity Plans for dept. operations, including a disaster recovery plan for minimizing interruptions to mission-critical backbone network services to campus in event of major business disruption.

The OIT will develop and document a formal business continuity plan for the resumption of campus network services (provided by the OIT) and OIT departmental operations by July 2007. This plan should be reviewed on an annual basis beginning July 2008.

7/1/2007 12/1/2008 Delayed CIO appointment (August 2007) extended time frame for implementation. Retired IT Analyst rehired February 1, 2008 and tasked with completing business continuity plan by November 1, 2008, with subsequent approval by the Chief Information Officer. Audit and Advisory Services to verify completion of business continuity plan in order to close management corrective action.

UCSB 2/12/2007 Office of Information Technology

Campus is in process of creating sensitive data inventory in compliance w/UC policy & State law. Target date not established for completion of survey effort; formalized plan for completeness verification of inventory not in place; no risk assessments.

The next campus call for updates to the data inventory will occur in Winter 2007. This call will include the use of a web-based positive response system where all University employees (LDAP affiliations of employee) will need to log into the system and indicate whether they have repositories with sensitive data or not. Upon indicating that they have such a data repository, one will need to provide additional information for the data inventory. The OIT will initiate discussion with campus technical committees (Security Working Group and Information Technology Planning Group) to determine the most effective follow-up.

7/1/2007 1/1/2009 Delayed CIO appointment (August 2007) extended time frame for implementation. CIO taking new approach in addressing sensitive data inventory and campus compliance with UC IT policy. Hiring of CISO and IS Analyst in process and to be tasked with identifying critical systems, tracking sensitive data, implementing campus security training, and continuing existing security efforts currently performed by IS&C/OIT. It is expected the new CISO & IS Analyst will complete sensitive data inventory and risk assessment by January 1, 2009. Audit and Advisory Services to verify substantial completion of inventory efforts/plans in order to close management corrective action.

UCSC 6/3/2008 New Teacher Center Controls

During FY 2006 NTC’s accumulated surplus was consumed and NTC began to borrow cash to finance its operations. During FY 2008, the amount of cash NTC operations owed to UCSC increased to a high of $3.7 million.

Utilize a budgeting process to plan and control investment and related borrowing. Accumulate a working capital reserve to finance business expansion and collect outstanding accounts receivable rather than borrow from the University.

6/30/2008 November 2008, 1st quarter review; February 1, 2009 2nd quarter review; May 1, 2009 3rd quarter review; August 1, 2009 FY 2009 final review and management reports.

NTC is working with the Assistant Dean of Social Sciences to refine their budgeting process and to construct a comprehensive budget for all NTC funding sources. The FY 2009 budget was delayed by the decision by NTC management to incorporate as a 501(c)(3) non-profit organization, while at the same time making plans to pay back its deficit to UCSC before splitting off operations from the university (by approximately June 30, 2009). Contractual details such as redelegation of contracts and use of the "NTC" name remain to be worked out. Tasks that remain to be completed include providing each quarter a budget versus actual report for review and approval by the Assistant Dean and the Dean of Social Sciences. These reviews will provide NTC with 2 types of feedback: the adequacy of the reports and directives to adjust operations or budget plans.

UCSC 6/3/2008 New Teacher Center Controls

During FY 2006 NTC’s accumulated surplus was consumed and NTC began borrowing cash to finance operations. During FY08, the amount of cash NTC operations owed to UCSC increased to a high of $3.7 million.

Establish contracts that require customers to prepay for printed materials for providing customers with NTC's updated publication and manuals electronically, and have the customer incur the cost to print their own materials.

6/30/2008 6/30/2009 This recommendation has been partially completed. NTC has commenced efforts to include prepayment for materials or payment for materials upon receipt. NTC has started several initiatives that result in materials now delivered electronically. NTC plans to reduce its inventory to items immediately needed by June 30, 2009.

UCSD 1/10/2008 Radiology Billing Process Review

Radiology did not employ a staff member with coding expertise to assist with exam code table updates in the RIS, perform continuous monitoring of charges billed, and provide periodic training on billing issues to Radiology staff.

Radiology management will consider hiring a certified coder to provide coding and billing process expertise.

5/1/2008 11/15/2008 Imaging Services management has determined that an automated coding solution (versus hiring additional staff) would be an effective solution to help ensure correct coding. A Request for Proposal for the automated solution has been distributed. In addition, Audit & Management Advisory Services (AMAS) has confirmed that the UCSD Medical Group has revised its process for supporting Radiology diagnostic coding. The Medical Group now compares the radiology exam results to the submitted charges for each service, which results in Common Procedural Terminology (CPT) code corrections as needed. Additional follow-up with Imaging Services and Medical Group managements will be completed by November 15, 2008 to assess the progress with the coding application purchase and to validate the Medical Group monitoring process.

UCSD 1/10/2008 Radiology Billing Process Review

Exams may be scheduled before the order is reviewed by the Radiologist or Technologist, and descriptions of the patient’s condition were not always comprehensive and could not be converted to an ICD-9 diagnosis code for billing purposes.

Radiology management will require that a Resident or faculty member review physician orders and associated patient medical information prior to scheduling the exam for selected non-routine exams.

6/1/2008 11/15/2008 Reconciliation of billed codes to the dictated result has been included in Radiology training rounds and staff meetings. The Magnetic Resonance Imaging (MRI) division has incorporated pre-exam reviews into its scheduling process, but this has not yet been adopted in other key areas such as Computed Tomography (CT). The automated coding solution currently being evaluated could also improve controls related to pre-exam reviews. Additional follow-up with Imaging Services and Medical Group managements will be conducted by November 15, 2008.

UCSD 10/30/2007 Business Contracts CORE (Purchasing)

Controls designed to assure the accuracy of contract payments to traveling agencies needed improvement.

MCNA will require that traveling nurses enter work hours directly into the new Medical Center time and attendance system when it is fully implemented.

5/15/2008 2/1/2009 This corrective action has not been implemented due to a delay in the "go live" date for the new time and attendance system. Nursing Administration is in the Phase III implementation group, scheduled to convert to the new system on November 2, 2008. The expected management completion date has been revised. Subsequent follow-up will be completed in January 2009.

III. Internal Audit Program—Benchmarks & Improvement Initiatives

This section contains an analysis of staffing levels by location compared to UC and industry benchmarks. The analysis is based on the authorized staffing levels rather than the number of positions actually filled at any moment in time. For FY08, the Internal Audit Program operated at approximately 89% of authorized capacity due to turnover, and positions left open because of budget constraints.

This section also contains a table of miscellaneous statistical information for the University Audit Program.

And lastly, this section chronicles change initiatives and program improvements currently underway.

The charts below display staffing benchmarks for the campuses and Office of the President.

Chart 7: Ratio of Expenditures to Auditors -- Campus & OP (in thousands). Bar chart of dollars per auditor for UCB, UCD, UCI, UCLA, UCR, UCSB, UCSC, UCSD, UCSF and UCOP, for 2007/08 and 2006/07. GAIN = 136,000; UC Average = 198,566.

Chart 8: Ratio of Employees to Auditors -- Campus & OP. Bar chart of employees per auditor for UCB, UCD, UCI, UCLA, UCR, UCSB, UCSC, UCSD, UCSF and UCOP, for 2007/08 and 2006/07. GAIN = 1,224; UC Average = 1,211.

UC in general varies from the higher education benchmark average for expenditures per auditor by a substantial margin, and this gap has widened in recent years. However, when combined with the employee ratio data, you can see that UC employees in general are more highly leveraged than our average counterparts. As a result, at only four campuses, UCB, UCD, UCI and UCSF, is there some concern regarding staffing adequacy.

In general, the smaller institutions appear to be better staffed. However, this is due to the fact that certain audit activities are not directly impacted by size.

We share this information with management at each location for the purpose of assessing the adequacy of the audit program staffing.

Staffing Statistics (Chart 10)

Professional Staff:

Average Years Total Audit Experience: 17 years
Average UC Audit Experience: 10 years
Average Years Audit Director Experience: 13 years
Percent of Audit Staff with Bachelors Degree: 99%
Percent of Audit Staff with Advanced Degrees: 30%
Percent of Staff holding Professional Certifications: 83%
Staff Turnover*: 15%
2007-08 Average Training Hours Per Auditor: 74 hours

* Staff turnover included 6 departures for positions within UC, which is generally viewed positively, 10 departures outside of UC and 3 retirements. Historically, most turnover has occurred at the lower staff levels with a very stable director and manager group. In 2007-08, however, two directors left for positions outside UC, one retired and one is currently preparing for retirement. Recruitments are under way for all open leadership positions.

Quality Assurance Review (QAR)

In June 2008, Protiviti reported on their Quality Assurance Review of the UC Internal Audit Program. While the results were generally favorable, confirming a program that meets all professional standards, Protiviti provided a number of recommendations for further improvement of the Program, most notably in the IT audit program. Since receiving the report, a workgroup of UC Audit Directors has redefined the expectations of the UC IT audit program, and under a new systemwide IT audit leadership structure, is addressing the issue of skills, resources and programs to meet the revised expectations for each UC audit location.

CIA Designation Initiative

The Certified Internal Auditor (CIA) designation is the only globally accepted certification for internal auditors and remains the standard by which individuals demonstrate their competency and professionalism in the internal auditing field. At present, the University of California has 100 auditors at 11 locations, of whom 33 hold the CIA designation. In an effort to increase the number of UC auditors holding this designation, the Office of Ethics, Compliance, and Audit Services has sponsored a CIA designation drive. At present 25 auditors from 9 locations have signed up to participate in this effort.

CARTS

The systemwide audit program is in the midst of a project to improve our internal project management and reporting capabilities through development of web-based modules for time reporting, project management, quarterly reporting to the University Auditor and management of MCAs. The initial module is in use at several locations and all of the system’s capabilities are expected to be rolled out during the current year for full utilization by the beginning of the next fiscal year.

IIA Research Project

The auditing profession has long struggled with the question of how to determine the appropriate staffing level for an audit program. The existing benchmark data tends to consider organization size as the only driver. There is an increasing awareness that risk varies considerably within comparably sized organizations and that audit staff size should be related more to risk than size. In addition, the creation of compliance and ethics programs has served to somewhat change the role of internal audit for many institutions. UC, in partnership with the Institute of Internal Auditors Research Foundation and the Association of College and University Auditors, is sponsoring an academic-led research project to identify improved measures of staffing adequacy factoring in more variables than organization size. The results are expected in the winter of 2009.

Appendix 1 – University of California Internal Audit Program

The Regents’ Committee on Audit
UC President M. G. Yudof
EVP, Business Operations K. Lapp
SVP, Chief Compliance and Audit Officer, S. Vacca
University Auditor P.V. Reed (2.5)

Location leadership:

UCB: Chancellor Birgeneau
UCD: Interim Provost and Executive VC Horwitz
UCI: Vice Chancellor Brase
UCLA: Vice Chancellor Olsen
UCR: Vice Chancellor Bolar
UCSB: Vice Chancellor Carpenter
UCSC: Vice Chancellor Vani
UCSD: Vice Chancellor Matthews
UCSF: Interim Vice Chancellor Lopez
LBNL: Laboratory Director Chu

Audit directors by location:

UCB: W.L. Riley (8.5)
UCD: R. Catalano (12)
UCSF: A. Zubov (12)
UCSC: G. Gail (6)
UCR: M. Jenson (6)
UCI: P. Reed (acting) (9)
UCLA: E. Pierce (27)
UCSB: C. Whitebirch (6)
LBNL: T. Hamilton (6)
UCSD: S. Burke (16.2)
UCOP: P. Reed (6.5)

Total Professional Staff, including the Director, is in parentheses. Total Authorized Professional Positions = 117.7

(LANL & LLNL Audit Departments not reflected in UC Audit Program)