UNIVERSITY OF VIRGINIA BOARD OF VISITORS Complian… · benchmarking with R1 and Ivy Plus institutions, input and requests from management and the Board of Visitors, and professional

UNIVERSITYOFVIRGINIABOARDOFVISITORS

MeetingoftheAudit,Compliance,

andRiskCommittee

June7,2018

AUDIT,COMPLIANCE,ANDRISKCOMMITTEE

Thursday,June7,201811:00a.m.–12:00p.m.

UpperWestOvalRoom,TheRotunda

CommitteeMembers:

BaburB.Lateef,M.D.,ChairRobertM.BlueMarkT.BowlesL.D.Britt,M.D.FrankM.ConnerIII,Ex‐officioMargaretF.RileyAdelaideWilcoxKing,FacultyConsultingMember

AGENDA PAGEI. REMARKSBYTHECOMMITTEECHAIR(Dr.Lateef) 1

II. ACTIONITEMSA. Risk‐BasedAuditPlanforFY2019–FY2020(Ms.Saint) 2B. RevisedAuditandComplianceCharters(Ms.SaintandMr.Nimax)4

III. COMMITTEEDISCUSSIONA. AuditorofPublicAccounts(APA)AuditEntranceMeetingforFiscalYear 16

2018(Ms.BianchettotointroduceMr.Sandridge,whowillreport)B. EnterpriseRiskManagement(ERM)Program:FY2018ReportandFY2019 17 ProgramGoals(Mr.Matteo)

IV. WRITTENREPORTSA. OfficeofAuditandComplianceandUVAHealthSystemCompliance 23

FY2018Reports B. FY2018FourthQuarterAuditFollowUpStatusReport 29C. UfirstStatusReport 31

1

UNIVERSITYOFVIRGINIABOARDOFVISITORSAGENDAITEMSUMMARY

BOARDMEETING: June7,2018COMMITTEE: Audit,Compliance,andRiskAGENDAITEM: I.RemarksbytheCommitteeChairACTIONREQUIRED: NoneBACKGROUND:Dr.BaburLateef,theCommitteeChair,willopenthemeetingandprovideanoverviewoftheagenda.

2


BOARDMEETING: June7,2018COMMITTEE: Audit,Compliance,andRiskAGENDAITEM: II.A.Risk‐BasedAuditPlanforFY2019–FY2020BACKGROUND:UVA’sinternalauditplanprovidesassuranceontheeffectivefunctioningoftheUniversity’ssignificantriskmitigationactivities,internalcontrols,andfoundationalprocesses.Theplanisriskbased,alignedwithstrategicinitiatives,andfocusedonwhatmattersmosttothecommunityofUVAstakeholders:theBoardofVisitors,executiveleaders,students,faculty,staff,regulators,awardsponsors,patients,parents,andalumni.

Tobuildtheplan,theAuditDepartmentreliesonriskassessmentsandmitigatingactionplansprovidedbyUVA’sEnterpriseRiskManagementprogram,InstitutionalCompliance,andHealthSystemCompliance.RiskassessmentsarefurtherinformedbybenchmarkingwithR1andIvyPlusinstitutions,inputandrequestsfrommanagementandtheBoardofVisitors,andprofessionalauditorjudgment.

AdynamicapproachtodeployingtheUniversity’sinternalauditresourcesallowstheAuditDepartmenttoremainflexibleandrelevanttochangingprioritiesandemergingrisks.TheAudit,Compliance,andRiskCommitteewillbebriefedonchangestotheapprovedplanasneededthroughouttheyear.

UVAAuditDepartmentFY2019‐FY20ProposedTwoYearPlan:

LeadAuditTeam

RiskPrioritizedAuditTopics

AuditTimingDeterminedbyAssessmentofCurrentInstitutionalPriorities;DetailedScopeDeterminedatTimeofAuditAuditCoverage:Pan‐University

IT&HealthSystem UfirstProjectHealthCheck:Providefeedbackonprojectriskmitigation(throughlaunchinJanuary2019)

HealthSystem ResearchComplianceAdministrationHealthSystem/Co‐Sourced

ConstructionContractAudits(SpecificCapitalProjectsToBeDetermined)

IT ResearchComputingSecurity(IvySecureComputingEnvironment)Academic&HealthSystem

COSOInternalControlsFrameworkPilots(PayrollandFinancialReportingProcesses)

Academic FinancialandBudgetaryManagementProcessesAcademic PresidentialTravelandExpenses(ConductedAnnually)

3

LeadAuditTeam

RiskPrioritizedAuditTopics

AuditTimingDeterminedbyAssessmentofCurrentInstitutionalPriorities;DetailedScopeDeterminedatTimeofAuditAuditCoverage:AcademicDivision

Academic InternationalStudentandScholarSupportAcademic DiningServicesAcademic StudentHealth&CounselingAcademic AthleticsDrugTestingProgram(ACCFollowUpRequest)IT SecurityandIntegrityofKeyInstructionalSystemsIT NetworkInfrastructure&Security:Vulnerability&PatchManagementIT ThirdPartyITVendorManagement;CloudSystemVendorRisksIT DisasterRecovery&BusinessContinuityPlanning

AuditCoverage:HealthSystemHealthSystem RevenueCycle:ChargeCapture(ProceduresandSurgeries)HealthSystem EpicasaPlatform:ManagingOngoingSystemUpgradesandNew

FunctionalityHealthSystem OutpatientClinicalSetUpHealthSystem PatientFriendlyAccess(PFA):RegistrationandSchedulingProcessesHealthSystem ClinicalTrialsBilling(Epic)IT NetworkInfrastructure&Security:Vulnerability&PatchManagementIT DisasterRecovery&BusinessContinuityPlanning

IT ThirdPartyITVendorManagement;CloudVendorRisksIT HIPAACompliance–EPHISecurity

AuditCoverage:UVA’sCollegeatWiseAcademic ComprehensiveRiskAssessmentwithSpecificAuditstoFollowIT GeneralComputerControlsforKeyLocalUVAWiseSystemsACTIONREQUIRED:ApprovalbytheAudit,Compliance,andRiskCommitteeandbytheBoardofVisitorsAUDITDEPARTMENTFY2019–FY2020AUDITPLAN

RESOLVED,theAuditDepartmentFY2019‐FY2020AuditPlanisapprovedasrecommendedbytheAudit,Compliance,andRiskCommittee.

4


BOARDMEETING: June7,2018COMMITTEE: Audit,Compliance,andRiskAGENDAITEM: II.B.RevisedAuditandComplianceChartersBACKGROUND:Theinternalauditdepartment(AuditDepartment)andtheinstitutionalcompliancefunction(InstitutionalCompliance)werecombinedinSeptember,2017toformtheOfficeofAuditandCompliance.Thenewstructureisintendedtoenablegreatercollaborationandcoordinationofeffortsrelatedtocompliancerisks.

Priortothecombination,InstitutionalCompliancereporteddirectlytotheExecutiveVicePresidentandChiefOperatingOfficer.Inthenewstructure,theAVPforCompliancereportsdirectlytotheChiefAuditExecutive.Thesestructuralchangesandadministrativeeditsneededtoalignthedocumentsnecessitatedrevisionstobothcharters.

Marked‐upversionsofthecurrentchartersprovidedonthefollowingpagesshowtheproposedchanges.ACTIONREQUIRED:ApprovalbytheAudit,Compliance,andRiskCommitteeandbytheBoardofVisitorsAUDITDEPARTMENTCHARTER

RESOLVED,theupdatedAuditDepartmentCharter,datedJune7,2018,isapprovedasrecommendedbytheAudit,Compliance,andRiskCommittee.INSTITUTIONALCOMPLIANCECHARTER

RESOLVED,theupdatedInstitutionalComplianceCharter,datedJune7,2018,isapprovedasrecommendedbytheAudit,Compliance,andRiskCommittee.

5

UNIVERSITYOFVIRGINIAINTERNALAUDITDEPARTMENTCHARTERPurpose:InternalAuditingisanindependent,objectiveassuranceandconsultingactivitydesignedtoaddvalueandimproveanorganization’soperations.Ithelpsanorganizationaccomplishitsobjectivesbybringingasystematic,disciplinedapproachtoevaluateandimprovetheeffectivenessofriskmanagement,control,andgovernanceprocesses.TheUVAOfficeofAuditandComplianceDepartmentassistsUVA’sBoardofVisitorsandUniversitymanagementinthedischargeoftheiroversight,management,andoperatingresponsibilitiesbyprovidingindependentassuranceandconsultingservicestotheUniversitycommunity.Ourservicesaddvaluebyimprovingthecontrol,riskmanagementandgovernanceprocessestohelptheUniversityachieveitsbusinessobjectives.

InternalAuditingPolicy:ItisthepolicyoftheoftheUniversitytoestablishandsupporttheOfficeofAuditandComplianceDepartmenttoassisttheUniversityinaccomplishingitsobjectivesbybringingasystematicanddisciplinedapproachtoevaluateandimprovetheeffectivenessoftheUniversity’sgovernance,riskmanagement,andinternalcontrols.Theinternalauditactivity’sresponsibilitiesaredefinedbytheAudit,Compliance,andRiskCommittee(ACRCommittee)oftheBoardofVisitors(Board)aspartofitsoversightrole.

Authority:Theinternalauditor,withstrictaccountabilityforconfidentialityandsafeguardingrecordsandinformation,isauthorizedtohavefull,free,andunrestrictedaccesstoanyandalloftheUniversity’srecords,physicalproperties,andpersonnelpertinenttocarryingoutanengagement.

AllemployeesarerequestedtoassisttheAuditDepartmentinfulfillingitsrolesandresponsibilities.TheinternalauditactivitywillalsohavefreeandunrestrictedaccesstotheACRCommitteeanditschairman.

Organization:TheChiefAuditExecutivewillreportfunctionallytotheACRCommitteechairman,andadministrativelytothePresidentoftheUniversity.

TheACRCommitteewill:

6

ApprovetheAuditDepartmentcharter. Approvetheriskbasedauditplan. Approvetheinternalauditbudgetandresourceplan. ReceivecommunicationsfromtheChiefAuditExecutive

ontheAuditDepartment’sperformancerelativetoitsplanandothermatters.

Approvedecisionsregardingtheperformanceevaluation,appointment,orremovaloftheChiefAuditExecutive

ApprovetheremunerationoftheChiefAuditExecutive MakeappropriateinquiriesofmanagementandtheChiefAudit

Executivetodeterminewhetherthereisinappropriatescopeorresourcelimitations.

TheChiefAuditExecutivewillcommunicateandinteractdirectlywiththeACRCommittee,includinginexecutivesessionsandbetweenACRCommitteemeetingsasappropriate.

ProfessionalStandardsUVA’sOfficeofAuditandComplianceDepartmentwillgovernitselfbyadherencetoTheInstituteofInternalAuditors’MandatoryGuidance,whichincludestheCorePrinciplesfortheProfessionalPracticeofInternalAuditing,theCodeofEthics,theInternationalStandardsfortheProfessionalPracticeofInternalAuditing,andtheDefinitionofInternalAuditing.

TheOfficeofAuditandComplianceDepartmentwilladheretotheUniversity’srelevantpoliciesandproceduresaswellastheGenerallyAcceptedGovernmentalAuditingStandardsoftheGovernmentAccountability Office.

CorePrinciplesfortheProfessionalPracticeofInternalAuditing:TheOfficeofAuditandComplianceDepartmentwillcontinuouslystrivetobeeffectivebyoperatinginamannerconsistentwiththeIIA’sCorePrinciples:

Demonstratesintegrity. Demonstratescompetenceanddueprofessionalcare. Isobjectiveandfreefromundueinfluence(independent). Alignswiththestrategies,objectives,andrisksoftheorganization. Isappropriatelypositionedandadequatelyresourced. Demonstratesqualityandcontinuousimprovement. Communicateseffectively.

7

Providesrisk‐basedassurance. Isinsightful,proactive,andfuture‐focused.

Promotesorganizationalimprovement.

IndependenceandObjectivity:TheinternalauditactivitywillremainfreefrominterferencebyanyelementintheUniversity,includingmattersofauditselection,scope,procedures,frequency,timing,orreportcontenttopermitmaintenanceofanecessaryindependentandobjectivefunction.TheChiefAuditExecutivemustdisclosesuchinterferencetotheACRCommitteeanddiscusstheimplications.Internalauditorswillhavenodirectoperationalresponsibilityorauthorityoveranyoftheactivitiesaudited.Accordingly,theywillnotimplementinternalcontrols,developprocedures,installsystems,preparerecords,orengageinanyotheractivitythatmayimpairinternalauditors’independenceorjudgment.Internalauditorsmayprovideassuranceservicesforareaspreviouslyconsulted,providedtheconsultingservicesdidnotimpairobjectivity.

Internalauditorswillexhibitthehighestlevelofprofessionalobjectivityingathering,evaluating,andcommunicatinginformationabouttheactivityorprocessbeingexamined.Internalauditorswillmakeabalancedassessmentofalltherelevantcircumstancesandnotbeundulyinfluencedbytheirowninterestsorbyothersinformingjudgments.

TheChiefAuditExecutivewillannuallyevaluatereportinglinesandresponsibilitiesandconfirmtotheACRCommitteeannuallytheorganizationalindependenceoftheOfficeofAuditandComplianceDepartment.

Responsibility:Thescopeofinternalauditingencompasses,butisnotlimitedto,theexaminationandevaluationoftheadequacyandeffectivenessoftheUniversity’sgovernance,riskmanagement,andinternalcontrolsaswellasthequalityofperformanceincarryingoutassignedresponsibilitiestoachievetheUniversity’sstatedgoalsandobjectives.Thisincludes:

Evaluatingthedesign,implementation,andeffectivenessoftheorganization’sethics‐relatedobjectives,programs,andactivities.

EvaluatingriskexposurerelatingtoachievementoftheUniversity’sstrategicobjectives.

Assessingwhethertheinformationtechnologygovernanceoftheorganizationsupportstheorganization’sstrategiesand

8

objectives. Evaluatingthereliabilityandintegrityofinformationandthe

meansusedtoidentify,measure,classify,andreportsuchinformation.

o Inordertoenablethisresponsibility,theOfficeofAuditandComplianceDepartmentwillparticipateintheplanning,development,implementation,andmodificationofmajorcomputer‐basedandmanualsystemstoensurethat:

(a) adequatecontrolsareincorporatedintothesystem;

(b) thoroughsystemtestingisperformedatappropriatestages;

(c) systemdocumentationiscompleteandaccurate;and

(d) theresultantsystemisacompleteandaccurateimplementationofthesystemspecifications.

Evaluatingthesystemsestablishedtoensurecompliancewith

thosepolicies,plans,procedures,laws,andregulationswhichcouldhaveasignificantimpactontheUniversity.

Evaluatingthemeansofsafeguardingassetsand,asappropriate,verifyingtheexistenceofsuchassets.

Evaluatingtheeffectivenessandefficiencyofresourceutilization. Evaluatingoperationsorprogramstoascertainwhetherresultsare

consistent with established objectives and goals and whether theoperationsorprogramsarebeingcarriedoutasplanned.

Assessingandmakingappropriaterecommendationsforimprovingthegovernanceprocessinitsaccomplishmentofthefollowingobjectives:

o Promotingappropriateethicsandvalueswithintheorganizationo Ensuringeffectiveorganizationalperformance

managementandaccountabilityo Communicatingriskandcontrolinformationto

appropriateareasoftheorganizationo Coordinatingtheactivitiesofandcommunicating

informationamongtheboard,externalandinternalauditors,andmanagement.

Monitoringandevaluatingtheeffectivenessoftheorganization’sriskmanagement processes.

Performingconsultingservicesrelatedtogovernance,riskmanagement,andcontrol.

Reportingsignificantriskexposuresandcontrolissues,including

9

fraudrisks,governanceissues,andothermattersneededorrequestedbytheACRCommitteeormanagement.

EvaluatingspecificoperationsattherequestoftheACRCommitteeormanagement,as appropriate.

ReportingperiodicallyontheAuditDepartment’spurpose,authority,andresponsibilityoftheOfficeofAuditandComplianceandperformancerelativetoitsplan.

InternalAuditPlan:At leastannually, theChiefAuditExecutivewill submit toseniormanagementandtheACRaninternalauditplanforreviewandapproval.Theinternalauditplanwillconsistofaworkscheduleaswellasbudgetandresourcerequirementsfor the next year. The Chief Audit Executivewill communicate the impact ofresourcelimitationsandsignificantinterimchangestoseniormanagementandtheBoard.

Theinternalauditplanwillbedevelopedbasedonaprioritizationoftheaudituniverseusingarisk‐basedmethodology,includinginputofseniormanagement,theACR,andBoard.

TheChiefAuditExecutivewillreviewandadjusttheplan,asnecessary,inresponsetochangesintheorganization’sbusiness,risks,operations,programs,systems,andcontrols.AnysignificantdeviationfromtheapprovedinternalauditplanwillbecommunicatedtoseniormanagementandtheACRthroughperiodicactivityreports.

AuditDepartmentServices:TheChiefAuditExecutiveisempoweredtoconductassuranceservices,specialauditprojects,reviews,orinvestigationsattherequestoftheBoard,ACRCommittee,President,GeneralCounsel,EVPProvost,EVPChiefOperatingOfficer,EVPHealthAffairs,ortheirdesignee,toassistmanagementinmeetingitsobjectives,promotingeconomyandefficiencyintheadministrationof,orpreventinganddetectingfraudandabuseinitsprogramsandoperations.TheOfficeofAuditandComplianceDepartmentmayalsoprovideconsultingservices,beyondtheAuditDepartment’sassuranceservices,toassistmanagementinmeetingitsobjectives.Examplesmayincludefacilitation,processdesign,training,andadvisoryservices.

CoordinationwithExternalAuditingAgencies:TheChiefAuditExecutive,withthegoalofavoidingduplicationofwork,will

10

coordinatethedepartmentoffice’sauditeffortswiththoseoftheCommonwealthofVirginia’sAuditorofPublicAccounts,orotherexternalauditingagenciesasapplicable,byparticipatingintheplanninganddefinitionofthescopeofproposedauditssotheworkofallauditinggroupsiscomplementaryandtheircombinedeffortsprovidecomprehensive,cost‐effectiveauditcoveragefortheUniversity.

ReportingandMonitoring:AwrittenreportwillbepreparedandissuedbytheChiefAuditExecutiveordesigneefollowing theconclusionofeachinternalauditengagementandwillbedistributedasappropriate.InternalauditresultswillbeavailableforreviewbytheACRandBoardofVisitors.

Theinternalauditreportwillincludemanagement’sresponseandcorrectiveactiontakenortobetakeninregardtothespecificfindingsandrecommendations.Management'sresponsetoauditfindingsandrecommendationsshouldincludeatimetableforanticipatedcompletionofactiontobetakenandanexplanationforanycorrectiveactionthatwillnotbeimplemented.

TheOfficeofAuditandComplianceDepartmentwillberesponsibleforappropriatefollow‐uponitsengagementfindingsandrecommendations.Allsignificantfindingswillremaininanopenissuesfileuntilcleared.TheACRwillreceiveperiodicreportingfromtheChiefAuditExecutiveonthestatusofmanagement’sactionplanimplementation.

TheChiefAuditExecutivewillperiodicallyreporttoseniormanagementandtheACRontheinternalauditactivity’spurpose,authority,andresponsibility,aswellasperformancerelativetoitsplan.Reportingwillalsoincludesignificantriskexposuresandcontrolissues,includingfraudrisks,governanceissues,andothermattersneededorrequestedbyseniormanagement,ACR,ortheBoard.

QualityAssuranceandImprovementProgram:TheChiefAuditExecutivemustdevelopandmaintainaqualityassuranceandimprovementprogramthatcoversallaspectsoftheinternalauditactivity.Theprogrammustincludebothinternalandexternalassessmentstoevaluatetheinternalauditactivity’sconformancewiththeStandardsandanevaluationofwhetherinternalauditorsabidebytheCodeofEthics.

Externalassessmentsmustbeconductedatleastonceeveryfiveyearsbyaqualifiedindependentassessororassessmentteamfromoutsidetheorganization.

11

TheChiefAuditExecutivemustdiscusswiththeACRCommittee:

Theformandfrequencyofexternalassessment; Thequalificationsandindependenceoftheexternalassessoror

assessmentteam,includinganypotentialconflictofinterest.

Theprogramwillalsoassesstheefficiencyandeffectivenessoftheinternalauditactivityandidentifyopportunitiesforimprovement.

TheChiefAuditExecutivemustcommunicateresultsofthequalityassuranceandimprovementprogramtoseniormanagementandtheACRCommittee.

UpdatedonJune8X,20178

12

UNIVERSITYOFVIRGINIACOMPLIANCECHARTER

MissionandPurpose:

TheUniversityofVirginia'scompliancefunctionsupportstheUniversity’sfundamentalcommitmenttothehigheststandardsofethics,integrity,andlawfulconductbypromotingadherencetoallapplicablefederal,state,andlocallaws,regulations,aswellasstandardsandinternalpoliciesandprotocols.

InstitutionalcompliancepromotesgreatercoordinationofandconsistencyamongindividualUniversitycomplianceprograms,coveringawidevarietyofrequirementsrelatedtoacademics,athletics,humanresources,research,healthcare,informationtechnology,andnumerousadministrativefunctions.TheUniversityestablishedacomplianceprogramtoprevent,detect,andrespondappropriatelytopotentialviolationsoflawandtofosteracorporateculturethatpromotesintegrityandethicalbehaviorsinallmattersrelatingtocompliance.

Authority:

TheAssistantVicePresidentforCompliance,withstrictaccountabilityforconfidentialityandsafeguardingofrecordsandinformation,isauthorizedtohavefull,free,andunrestrictedaccesstoanyandalloftheUniversity’srecords,physicalproperties,andpersonnelpertinenttocarryingoutcomplianceinvestigationsandtoreviewandmonitorcomplianceissues.Allemployeesarerequestedtoassistthecompliancefunctioninfulfillingitsrolesandresponsibilities.

Organization:

TheAssistantVicePresidentforComplianceoverseesinstitutionalcomplianceactivitiesandprogramstoconfirmtheyarereasonablydesigned,implemented,communicated,andenforced.Tofacilitateeffectiveoversight,theAssistantVicePresidentforCompliancecoordinatesandchairstheComplianceNetwork,aUniversity‐widenetworkoffunctionalcomplianceofficers.

13

TheAssistantVicePresidentforCompliancereportstotheChiefAuditExecutiveExecutiveVicePresidentandChiefOperatingOfficer.TheChiefAuditExecutivereportsfunctionallytotheACRCommitteechairman,andadministrativelytothePresidentoftheUniversity.TheAudit,Compliance,andRisk(ACR)Committeewill:

• ApprovetheComplianceCharterandperiodicallyreassessitforcontinuedrelevance.

• ReceivecommunicationsfromtheAssistantVicePresidentforComplianceregardingcompliancestrategies,plans,andotherrelevantmatters.

• MakeappropriateinquiriesofmanagementandtheAssistantVicePresidentforCompliancetodeterminewhetherallcomplianceeffortshavethenecessaryresourcesandscope.

• SupportleadershipforthecomplianceprogrambypromotingandsupportingaUniversity‐widecultureofethicalandlawfulconduct.

TheAssistantVicePresidentforCompliancewillcommunicateandinteractdirectlywiththeChairoftheACRCommittee,includinginexecutivesessionsandbetweencommitteemeetingsasappropriatetoensuredirectaccesstotheboard.

ProfessionalStandards

Thecompliancefunction’sobjectiveistoestablishandpromotestandardsthatmeettheU.S.FederalSentencingGuidelines'criteriaforaneffectivecomplianceprogram.

1. Compliancestandardsandprocedurestopreventanddetectcriminalactivity;

2. Oversightbyhigh‐levelpersonnel,withperiodicreportingtotheboardfromindividualswithoperationalresponsibility;

3. Duecareindelegatingsubstantialdiscretionaryauthority;

4. Effectivecommunicationandtrainingtoalllevelsofemployees;

5. Systemsformonitoring,auditingandreportingsuspectedwrong‐doingwithoutfearofreprisalandforperiodicallyevaluatingtheeffectivenessofthecomplianceandethicsprograms;

6. Consistentenforcementofcompliancestandardsincludingdisciplinarymechanismsandappropriateincentivestoperforminaccordancewiththecomplianceandethicsprogram;and

7. Reasonablestepstorespondtoandpreventfurthersimilaroffensesupon

14

detectionofaviolation.

Inaddition,theMedicalCenter’scomplianceprogramalsofollowstheprogramelementsdefinedintheDepartmentofHealthandHumanServices’OfficeoftheInspectorGeneral’s“ComplianceProgramGuidanceforHospitals”.

Responsibilities:

MembersoftheUniversitycommunityhavingresponsibilityforaspecificareaofcompliancemustensurethefollowing:

• Oversightofcomplianceintheirspecificfunctionalareas;

• AdherencetotheUniversity’scompliancepolicies;

• Implementationofcorrectiveactionasnecessary,arisingfromcompliancereviewsand/orinvestigations.

TheroleoftheAssistantVicePresidentforComplianceistoremainwell‐informedonthecontentandoperationoftheUniversity’scomplianceandethicsprograminordertoexercisereasonableoversightoftheeffectivenessoftheprogram,including:

1. StandardsofConduct/PoliciesandProcedures:confirmingthattheUniversityimplementspolicies,procedures,trainingprograms,andinternalcontrolsystemsthatarereasonablycapableofreducingmisconductandthatcomplywithrelevantregulatoryrequirements.

2. ComplianceRolesandResponsibilities:establishingclearrolesandresponsibilitiesacrosstheUniversity.

3. ComplianceOversight:exercisingreasonableoversightovercomplianceactivitiesbyrequestingandreceivingupdatesfromcomplianceofficers.

4. ReportingandInvestigativeMechanisms:confirmingthattheUniversitymaintainsaneffectivemechanismforstakeholderstoreportorseekguidanceregardingpotentialoractualwrongdoing.

5. CorrectionandPrevention:workingwiththeUniversity’sseniorleadershiptopromoteandenforcecompliancethroughappropriateincentivesanddisciplinarymeasures.

6. CultureofIntegrityandCompliance:promotingtheUniversity’scultureofintegrityandcompliance,throughcommunicationofcompliancestandardsandpolicies.

InteractionwithAuditandEnterpriseRiskManagement:

15

TheAssistantVicePresidentforCompliancewillworkcloselywithcolleaguesintheOfficeofAuditandComplianceInternalAuditDepartmenttoassessandprioritizewhichcomplianceareaspresentthegreatestriskandneedforattention,basedonregulatoryenvironmentandcomplexity,overlapwithUniversitystrategicplans,andconsequencesofnon‐compliance.Managerswithresponsibilityforspecificareasofcompliancewillevaluatetheirindividualcomplianceeffortsagainstalistofcriterianecessarytohaveaneffectivecomplianceprogram.

TheEnterpriseRiskManagement(ERM)programisdesignedtoidentifyandmitigatekeyinstitutionalrisks.Forexample,onetypecategoryofrisktobeconsideredislegalandregulatorycompliancerisk.Theregularreviewofcompliancerequirementsmayhighlightanemerginginstitutionalrisk.Conversely,theidentificationofkeyinstitutionalrisksmayguidetheworkofthecompliancefunctionandinitiateamitigationstrategythattheUniversitymayusetoaddressagivenrisk.

UpdatedonJune7,2018

16


BOARDMEETING: June7,2018COMMITTEE: Audit,Compliance,andRiskAGENDAITEM: III.A.AuditorofPublicAccounts(APA)AuditEntrance

MeetingforFiscalYear2018ACTIONREQUIRED: NoneBACKGROUND:TheAuditorofPublicAccountsoftheCommonwealthconductsanannualauditoftheUniversityandtheMedicalCenterandreportsfindingstotheBoardofVisitors.Ms.Bianchetto,VicePresidentforFinance,willintroduceMr.EricM.Sandridge,whowilldiscusswiththecommitteethefiscalyear2017‐2018audit.

EricM.SandridgeistheDirectorofHigherEducationProgramsfortheVirginiaAuditorofPublicAccounts.Hiscurrentresponsibilitiesincludemanagementoftheoffice’sHigherEducationProgramsSpecialtyTeamandprojectmanagementoversightforvariousagenciesandinstitutionsoftheCommonwealth.HealsocoordinatesrequiredfederalauditsattheCommonwealth’sinstitutionsofhighereducationandNCAAAgreedUponProceduresengagements.HeisamemberoftheNationalStateAuditorsAssociation(NSAA)AuditStandardsandReportingcommitteeandNSAASingleAuditcommittee.HeisagraduateoftheCollegeofWilliamandMaryandisaCPA,CISA,andCGFM.

17


BOARDMEETING: June7,2018COMMITTEE: Audit,Compliance,andRiskAGENDAITEM: III.B.EnterpriseRiskManagement(ERM)Program:FY2018

ReportandFY2019ProgramGoalsACTIONREQUIRED: NoneBACKGROUNDANDDISCUSSION:Mr.JamesMatteo,AssociateVicePresidentandTreasurer,willreportontheERMprogramandwillreviewtheattainmentoftheFY2018goals,discussprogramgoalsforFY2019,andsharetheFY2018ERMAnnualReport.TheERMGoalsforFY2018included:

1. Enhancingcommunicationanddiscussionamongexecutivesandboardmembersrelatedtokeyriskmanagement‐Overthepastyear,BOVcommitteechairswereintroducedintoERMriskmitigationdiscussions.ERMkeyriskswereassignedtoappropriateBOVcommitteesandcommitteechairswereengagedindiscussionswithriskleadsandexecutiveowners.ThiseffortengagedBOVmembersintheriskmanagementprocessandhelpedtheUniversitygainadditionalperspectivesonmitigationplansandmitigationconfidence.

2. Strengtheningriskmanagementeffortsthroughbetterunderstandinganduse

ofriskappetiteandkeyriskindicators‐Thispastyear,theUniversityheldthefirstmeetingofriskleadsfromtheAcademicDivisionandHealthSystem.Thegoalofthemeetingwastostrengthenandstandardizeriskledgers,provideaforumtoshareexperience,andintroduceriskappetitesintotheriskmanagementdiscussion.

3. UpdatingtheERMcharter‐TheERMcharterwasupdatedinSeptember2017,

primarilytomakethefollowingchanges: RedefiningthemissionoftheERMeffort Clarifyingtheobjectivesoftheprogram Moreclearlydefiningtherolessupportingtheprogram RecognizingthecreationofRiskManagementNetworksattheAcademic

DivisionandHealthSystem

4. BetteraligningandintegratingERMeffortswithUniversityplanningandauditcycles‐ThetimingoftheERMcyclehasbeenrealignedtocoincidewiththeUniversity’sannualgoalsettingandauditplanningprocesses.AsERMisinformedbytheUniversitygoalsandhelpsinformtheauditplan,thisrealignmenthashelpedtheprogramfinditsfitwithinexistingplanningactivities.

18

TheERMGoalsforFY2019include:

FullyonboardingtheCollegeatWise–WhiletheCollegeatWisehasbeenincludedintheAcademicDivision’sERMeffort,theUniversitywouldliketoexpandtheprogramtospecificallyaddressWise’suniqueenvironmentandrisks.

Buildingariskinteractionmap–ManyofthekeyrisksoftheAcademicDivisionandHealthSystemoverlap(e.g.,research,IT).ManyrisksandtheirmitigationplansaffectdepartmentsacrosstheUniversity.Thegoalistobuildamapthatcapturestheseinteractionsandidentifiesrisksthatmayfallbetweenorspanorganizationalareas.

MigratingERMdataintoanewGovernance,Risk,andCompliance(“GRC”)system–TheOfficeofAuditandComplianceisplanningtoimplementanewGRCsystem.WeareplanningatthistimetomigrateERMdataintothissystem.ThesecondannualERMexecutivereportfollows.Itincludesthekeyrisksofthe

AcademicDivisionandHealthSystem,aheatmapofthekeyrisks,andabriefsynopsisofthepastandfutureyears’activities.

19

20

21

22

23


BOARDMEETING: June7,2018COMMITTEE: Audit,Compliance,andRiskAGENDAITEM: IV.A.OfficeofAuditandComplianceandUVAHealthSystem

ComplianceFY2018Reports(WrittenReports)ACTIONREQUIRED: NoneBACKGROUND:TheOfficeofAuditandComplianceandtheUVAHealthSystemComplianceOffice’sreportssummarizingFY2018accomplishmentsfollow.

24

FY2018 AuditDepartmentYearinReview

HighlightsofWorkPerformed,InsightsDelivered,andContinuousImprovementsMade

Throughouttheyear,theAuditDepartmentworkedalongsidemanagementtoprovidereal‐timeassuranceoncontrolsandriskmitigationeffectivenessfortheUniversity’smostimportantinitiatives.Signatureprojectsfortheyearincluded:MinorsProtectionsandTitleIXComplaintManagement AssembledateamofexpertstoevaluateUVA’spolicies

andproceduresforensuringthesafetyofminorsinprogramsacrossGroundsandattheCollegeatWise.Workwrappingupatthetimeofthisreport.

UVAArchivesandSpecialCollections

AuditreportequippedDeanofLibrariesandUVAleadershipwithdetailedrecommendationsforsecurityimprovementstosafeguardUVA’spricelesstreasuresforfuturegenerationsofscholars.

UndergraduateSafetyinLabs,Shops,andStudios

TheauditundertookacomprehensiveanalysisoftheEnvironmentalHealth&SafetyDepartment’sprocessesforensuringUVAstudentshaveasafeenvironmentinwhichtolearn.

Outsideconsultantswereabletorelyontheauditreporttopartiallyreducetheirprojectscope,avoidingassociatedcosts.

SafetyandSecurityReview:MargolisHealy

TheAuditDepartment,togetherwiththeAVPforCleryCompliance,providedprogrammanagementtocoordinateandtracktheeffortsofoutsideconsultants

IntroducingtheOfficeofAuditand

Compliance

InSeptember,2017,InstitutionalCompliancejoinedtheAuditDepartmenttocreatetheOfficeofAuditandCompliance.

Thisneworganizationalassurancemodelputskeyelementsofcorporategovernance—assuranceandinstitutionalcompliance—underoneumbrella.

InFY2019,wewillcontinuetoleveragethebenefitsofthecombination:

Improvedcommunicationandcoordination

Alignmentofpriorities Jointparticipationon

relevantprojects Reducedcomplexityfor

stakeholders Effectivesharingof

informationanddataforimprovedrisk

25

MargolisandHealytoassesssafetyandsecuritypoliciesandproceduresfollowingtheeventsofAugust11and12.

TravelandExpenseManagement

FollowingtheUniversity’simplementationofnewpoliciesandsystemsfortravel(TravelUVA)andexpensemanagement(ExpenseUVA)in2017,theaudithighlightedtheneedtoimprovecontrolsandoversightfor$70millioninannualexpenditures.

OtherProjectsDelivered

UfirstHRTransformationProject—projecthealthcheckscommunicatedlessonslearnedfromtransitionbetweenproject’sphasesandemphasizedtheneedtoimprovealignmentonobjectivesbetweenAcademicDivision,HealthSystem,andUPG.

InstitutionalBaseSalary—indepthanalysisofUVA’sinstitutionalbasesalarycomputations—thefoundationofcostingforsponsoredresearch—resultinginrecommendationsforWorkdayimplementation.

MedicalCenterProcurement—confirmedeffectivefunctioningofcontrolsoverpurchasesofgoodsandservicesattheMedicalCenter.

MedicalDeviceProcurementandSecurity—collaboratedwithHealthSystemITandClinicalEngineeringtoestablishabaselineforsecurityofnetworksrunningsensitivemedicaldevicesintheMedicalCenter.

StrategicInvestmentFund—recommendationsforcontinuedstrengtheningofproceduresandcontrolsoverSIFwerepresentedtotheBOV’sSIFAdministrativeCommittee.

PresidentialTravelandCarr’sHillExpenses—performedannuallyatPresidentSullivan’srequest.

NCAAFootballAttendance—annualanalysisperformedasNCAAFBSrequirement. FoundationRelationshipAssessment—providedadviceandassistanceto

Treasury’sriskassessment.

SupportProvidedtoUniversityInitiatives

TheAuditDepartmentparticipatedinavarietyofsteeringcommitteesandworkgroupsacrossFY2018.InadditiontoongoingrolesontheFinanceProjectsAdvisoryCouncil,ERMRiskNetwork,PolicyReviewCommittee,andtheITSecurityAdvisoryCommittee,wehelpedUVAtacklespecificprojectsincluding:

NIST800‐171ControlledUnclassifiedInformation(CUI)Compliance—participatedonacross‐functionalteamtodefinecontrolsoverUVA’sCUI‐designatedsecureITenvironmentforresearchers.WealsoparticipatedontheCUIforStudentFinancialDataworkgroup.

26

AdvisoryCommitteeontheFutureoftheHistoricLandscape—providedadministrativesupporttothisDean’sWorkingGroupsubcommittee.

FinanceTransformation—helpedevaluateRFPsreceivedfrompotentialFinanceTransformationconsultingpartners.

27

UniversityandUVAHealthSystemCompliance:AccomplishmentsFY2018

UniversityComplianceGoals‐FiscalYear2017‐18

1. Reviewedandupdatedtheuniversity’sCodeofEthicsforreviewwithnewseniorleadersinFY18‐19,priortoseekingapprovalbytheBoardofVisitors.

2. Completedtheonboardingofthemedicalcenter’snewComplianceandPrivacyOfficer,includingtheoperationalchangesnecessarytoconverttoamedicalcenterposition.

3. Completedcompliancereviewsrelatedtodigitalaccessibilityprojectonamulti‐yearprojectplan.Newpolicywascompletedandpostedregardingbackgroundchecksandon‐goingresponsibilityforemployeestodisclosecriminalconvictions.ContinuedtoreviewUFirstcompliance,includingadiscussionofrelatedcomplianceconcernsandademonstrationofthenewlearningmanagementsystemwiththeComplianceNetwork.

4. ReviewedandupdatedthecomplianceriskassessmentconductedinpartnershipwithInternalAuditandGeneralCounseltoconfirmthestrengthoftheuniversity’scomplianceefforts.Thisassessmentevaluatedwhichcomplianceareaspresentthegreatestrisks,basedontheconsequencesofnon‐compliance,levelsofeffortnecessarytoaddressregulatorychanges,regulatoryscrutiny,andcross‐functionalcoordination.

5. Obtainedadditionalsoftwarelicensesofourincidentmanagementsystemandcompletedtrainingforstafftoexpandthemarketinganduseofthehelpline.

UVAHealthSystemComplianceFY2018SummaryReport

1. RestructuredtheMedicalCenterCompliance&PrivacyOfficetocreateacompleteteam;establisheddevelopmentalgoalsandactivelymentoredteammembersinaccomplishing;createdawarenesswithinthehealthsystemthroughtargetedcomplianceandprivacycommunicationandtraining;providedroutineinteractionandsupporttomanagersandtheirteamsinissueresolution,aswellasthestandardfunctionsofauditingandcomplianceinvestigationanddocumentation.

28

UVAHealthSystemComplianceFY2018SummaryReport(continued)

2. ReviewedthefindingsofthepriorcomplianceriskassessmentconductedbyformerMedicalCentercomplianceleadersinpartnershipwithUniversityCompliance,InternalAuditandGeneralCounsel;updatedthetoolinpreparationforredeploymenttoexaminethecomplianceareasofgreatestriskbasedontheconsequencesofnon‐compliance(legal,operational,andreputational),levelsofeffortnecessarytoaddressregulatorychanges,regulatoryscrutiny,andcross‐functionaleffort.

3. Performedaseriesofcodingauditstoexaminecompliancewithregulatoryrequirementsfordocumentationofmedicalnecessityforappropriateadmissions,accuratecoding,billingandreimbursementfromMedicareforspecificservices;alsoinsupportofRevenueCycleprocessesanddataintegritypost‐EpicPhaseII.

29


BOARDMEETING: June7,2018COMMITTEE: Audit,Compliance,andRiskAGENDAITEM: IV.B.FY2018FourthQuarterAuditFollowUpStatusReportACTIONREQUIRED: NoneBACKGROUND:IIAStandard2500:MonitoringProgressrequiresthechiefauditexecutivetoestablishandmaintainasystemtomonitorthedispositionofresultscommunicatedtomanagement.Thechartbelowdisplaysthestatusofmanagement’sactionplansthroughMay31,2018.

DetailsofOpenPastDueActionPlans:

Audit PastDueActionItemPriorityRating ActionPlanOwner

ArchivesandSpecialCollections

SecuritySystemAdministration:Generalsystempoliciesandproceduresunderdevelopmentintandemwithsecuritysystemupgrade–projectcompletionexpectedAugust2018(Due1/1/18)

P1 GuyMengel,DirectorLibraryFacilitiesandSecurity

30

Audit PastDueActionItemPriorityRating ActionPlanOwner


SecuritySystemAdministration:Routinemaintenanceplansandregulartestingschedulealsobeingdevelopedintandemwithsecuritysystemupgrade(Due1/1/18)

P1 GuyMengel,DirectorLibraryFacilitiesandSecurity


Training:Establishandimplementformaltrainingprograms(securityandfraudawareness)forASCstaff(Due2/1/18)

P1 HeatherRiser,Harrison‐SmallDirectorofOperations,andASCStandingSecurityCommittee

ArchivesandSpecialCollections(ASC)continuestopursuesolutionsandfundingforthefollowingpastdueactionplans,whichwereallclassifiedwithPriority2ratings.EnvironmentalConditions:ThefiresuppressionsysteminHarrison‐Smallstillhasthepotentialtodamagethecollectionifused(initialdischargeofdiscoloredwater).WhileaNovec1230orInergensystemcouldbeinstalledtolimitdamagetocollectionmaterials,astudywouldneedtobecompletedtodeterminecoststosupplementorreplacethecurrentwater‐basedsystem.Thelibrarywillcontinuetopursuewaystomitigaterisk,includingidentifyingfundingforsystemsupplementation/replacement.(Due9/1/17)SecurityCameras:Installationofcamerasintheprocessingroomwerenotpartofthecurrentsecurityandcameraupgrades.Whilesomeriskisacceptedasaresultofthatdecision,ASCwillpursueadesignfortheinstallationandimplementationofprocessingroomcamerasinthefuture.(Due9/1/17)TheftRisk–Internal:Consistentwiththedecisiontonotcheckbelongingsofemployeeswhenexitingareaswherecollectionsitemsarestored,apolicyrequiringinspectionswasnotdeveloped.Thoughpersonalitemsareprohibitedfromstorage/stackareas,collectionitemsaretemporarilystoredinstaffareaswhilebeingprocessedandconsulted.Atthistime,ASCwillnotcheckpersonalbelongingsofemployeeswhenexitingstaffareas,andwillpursuewaystorestructurestaffspacetoaccommodatelockersandtoidentifyfundingforthistypeofrenovation.(Due3/1/18)

31


BOARDMEETING: June7,2018COMMITTEE: Audit,Compliance,andRiskAGENDAITEM: IV.C.UfirstStatusReportACTIONREQUIRED: NoneBACKGROUND:Ms.KelleyStuck,VicePresidentandChiefHumanResourcesOfficer,preparedthefollowingreportonthestatusoftheHRtransformationprojectcalledUfirst.DecisiontoRescheduleSoftwareLaunchInlateMarch,theUniversityannouncedthedecisiontoreschedulethelaunchofthesupportingtechnologyfortheHRTransformation,Workday,fromJuly2018toJanuary2019.ThisdecisionwasrecommendedbyVicePresidentforHumanResourcesKelleyStuckandUfirstProjectExecutiveDirectorSeanJackson,andwassupportedbytheorganization.Wehaveemphasizedfromthebeginningofthisprojectthatserviceandqualityareourmostimportantobjectives.Weknewthiswouldbeaparticularlychallengingproject,givenouraggressivetimelineandthecomplexitiesofintegratingdataandfunctionalityacrosstheAcademicDivisionandHealthSystem.TherescheduledlaunchdateofJanuary2019willallowtheteamtofinalizethenecessarychanges,completetesting,andbeconfidentintheaccuracyofthepayrollandbenefitsdeductions,thetwomostcriticalareasfromourcustomer’spointofview.SincetheDecisionTheUfirstprojectteamhasupdatedthepublishedcommunicationsandtrainingschedulesforWorkdayandwillcontinuetoengageandeducateUniversityfaculty,staff,andteammembersthroughoutthecomingmonths.OtherimportantelementsoftheHRandPayrolltransformationwillcontinuetomoveforwardasplanned.OperatingundertheneworganizationalmodelwithoutthebenefitoftheWorkdaysoftwareischallengingandwilllikelybefrustratingattimesforbothHRandtheircustomers.However,thelongertransitionperiodwillalsoallowforfurtheralignmentandcleanupofprocessesandpracticesacrossGrounds.

32

TheUfirstProjectteamshavecreatedaseriesofsevenqualitygatesfromnowthroughNovemberthatmustbemettoachieveourgoalofasuccessfulJanuaryWorkdaylaunch.EachoftheQualityGatesissupportedbyadetailedprojectplan.Toensurethatweremainawareofandrespondenttothenumerousrisksthatconfrontaprojectofthismagnitudeandcomplexity,wewillcontinuetotakeadvantageofthird‐partyguidancethroughtheGartner’sIndependentVerificationandValidationandUVAInternalAudit’sProjectHealthCheckprocesses.ProgresstoDateOurprogresstodatehasbeensubstantial:

ThenewHROrganization(UVAHR)isstaffedandcontinuingtotransitionworkfromtheSchools/Unitsanddeliverservicesbothinthenewmodelduringthisperiodoftransition.

HRBusinessPartnershavebeenselected,trainedandhavetransitionedtoschoolsandunits,supportinghumanresourceprioritiesandensuringthatHRserviceexpectationsarebeingmet.

TheHRSolutionCenter,launchedinDecember2017,isachievingandmaintainingextraordinarilyhighsatisfactionratings(4.5+outof5).

ThePayrolltransformationisproceedingwithnewstreamlinedprocessesdesignedandconfiguredinWorkdaytosupportthenewPayrollorganization.

Wehavebuiltover300HRandPayrollprocessesandanewHRservicedeliverystructuretowhichresourcesarenowaligned.

Employeedatahasbeenintegratedintoasingledatasourcetosupportthenewservicedeliverymodel.

Wehavesuccessfullytestedtheprocessesforrecruitment,hiring,setupofcompensation,andlearningprogramenrollmentintheWorkdayenvironment.

TheUfirstprojectrepresentsasignificantstepforwardfortheUniversityandplaysacriticalroleinourabilitytoattractandretainexceptionalfaculty,staff,andteammemberscommittedtoteaching,research,andpatientcare.Weareconfidentthattherevisedscheduleprovidesuswiththetimenecessarytodeliveronthispromise.

Documents

UNIVERSITY OF VIRGINIA BOARD OF VISITORS Complian… · benchmarking with R1 and Ivy Plus institutions, input and requests from management and the Board of Visitors, and professional