Carolyn Devine Saint, Chief Audit Executive March 29, 2016 Game Change: Risk-Prioritized Internal Auditing


1. Role and purpose of the Audit Department

2. Everyone’s Got a Role in The Three Lines of Defense

3. How and Where We Engage

4. UVA FY18-FY19 Audit Plan topics (draft)

5. High Level Flow: the Audit Process


Role and Purpose of the Audit Department

Definition of Internal Auditing: an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of the University of Virginia and the University of Virginia Health System (the University). Its mission is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

Audit Department Scope: encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the University’s governance, risk management, and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve the University’s stated goals and objectives.

Source: UNIVERSITY OF VIRGINIA AUDIT DEPARTMENT CHARTER

THE THREE LINES OF DEFENSE

Everyone’s Got a Role In


• Functions that own and manage risks.

• Functions that oversee risks.

• Functions that provide independent assurance.

HOW AND WHERE AUDIT ENGAGES

Dynamic, Risk Based, Strategically Relevant


Internal Audit’s Lines of Business

Assurance:

• Evidence-based verification of effectiveness of internal controls, risk management, safeguarding of assets

Investigation:

• Systematic inquiry into allegations of fraud, waste, and abuse as mandated by the Commonwealth of Virginia and the University’s policies

Consultation and Advice:

• Advisory and related client service activities, the nature and scope of which are agreed upon with the client and which are intended to add value and improve UVA’s operations

Intake Mechanism: Audit Plan, Complaint, Management or Board Request

How We Engage in Consultation

• Engage Audit at the beginning of a project (if relevant) to advise on process, work flow, and controls

• Lead time improves our ability to say yes

• We use engagement letters to define and document the nature and scope of work, timeline, deliverables, roles, escalation process

UVA FY18-FY19 AUDIT PLAN TOPICS (DRAFT)

Sneak Preview

Filtering risk information to a manageable plan

Audit Universe

Significant Auditable Risks

Draft Audit Plan

UVA Audit’s audit plan development process filters risk inputs down to auditable risks and considers them by degree of assurance required, risk impact, and available hours.

Create Audit Universe

Determine subset of the most significant risks

Identify possible audit engagements

The following inputs are used to generate the audit universe:

1. UVA org charts
2. Higher Ed, healthcare, IT, and research process maps and frameworks
3. Peer Benchmarks
4. Risk Publications
5. Knowledge of the UVA environment

Audit topics are evaluated for inclusion in the plan considering:

1. Inputs from ERM and compliance risk assessments
2. Existence of 2nd Line of Defense function (theoretically reduces risks)
3. Input from process and risk owners, President and Cabinet, Audit Committee
4. Is the topic auditable? Actionable?

Draft plan for discussion and approval by Audit, Compliance, and Risk Committee

Consider available Audit Department resources, degree of assurance required, and University’s competing priorities


Four Audit Universe “Swim Lanes” Cover UVA’s Most Significant Processes

Academic Division

Health System

IT (covering both Academic Division and Health System technology systems, risks, and controls)

Research Compliance

*Our audits are increasingly cross-disciplinary, requiring integration of business process and IT audit perspectives into many of our projects.


Academic Division FY18-FY19 Audit Plan Topics

Student Experience and Safety

Admissions Processes: Communicating with Applicants

Instruction: Security, Data and ID Integrity of Online Courses, COLLAB, Blackboard

International Growth: Studies and Programs Abroad

Safety: Labs, Food Safety (Dining), Housing, EH&S, Emergency Preparedness, Student Health & Counseling

Hotline Management

University Operational Topics:

• Ufirst HR Transformation Project w/ Workday implementation (integrated w/ IT Audit)

• Annual Inventory (Bookstore)

• UBI Data Integrity (integrated with IT Audit)

• Presidential & Executive Travel and Expenses

• UVA Travel and Expense Management

• Fraud Risk Assessment

• Donor Gift Management

• PCI Compliance (integrated with IT Audit)

• Construction Management

Timing of audits dependent on risk prioritization, competing UVA management priorities, and Audit Department resources


AUDIT PROCESS

High Level Flow

Audit Process

| Stage | Planning | Fieldwork | Reporting | Follow Up |
| --- | --- | --- | --- | --- |
| Time | 45% | 25% | 20% | 10% |
| Purpose | Determine the audit purpose & scope; identify risks & objectives; develop audit plan | Perform testing; communicate, confirm, and document issues noted during testing | Finalize the report issues and corrective action plan(s), and issue the final report | Assess the execution of corrective action plan(s) performed |
| Inputs | Meet with and gain insight to the client’s operations in order to understand the control environment, perform a risk assessment for audit scope determination | Obtain documentation to perform testing, vet any issue noted during testing, and discuss and develop potential corrective action plan(s) | Meet with client to review the draft audit report, obtain management’s response to the audit report, and finalize corrective action plan(s) | Documentary evidence of corrective action plan(s) implemented and operating effectiveness |
| Outputs | Risk Assessment; Engagement/Commitment Meeting with audit client; Engagement Letter | Preliminary exit conference with client | Final audit report, with the client’s response and corrective action plan(s), is issued to the University President and Senior Leadership | Assessment of the effectiveness of the corrective action plan(s) implemented to mitigate the risks identified during the audit |

Planning → Fieldwork → Report Writing → Follow Up