Finance and Audit Committee FY2014 Risk Assessment and Internal Audit and Compliance Plan August 12, 2013


Finance and Audit Committee

FY2014 Risk Assessment and Internal Audit and Compliance Plan

August 12, 2013


FY2014 Risk Assessment

KEY RISK AREAS BUSINESS RISK PLANNED ACTIVITY

ACADEMIC ENTERPRISE:

STUDENT- AND FACULTY-BASED PROCESSES

• Are internal processes and computer systems designed to facilitate the student experience?

• Support the University-wide initiative to improve student customer service through the implementation of system and process improvements that will minimize student wait time and complaints/concerns.

• Is the student and employee community aware of and abiding by their obligations to report on-campus crimes, and is the University’s reporting of these incidents accurate and complete?

• Review the completeness, accuracy, and timeliness of campus police’s gathering and reporting of crime statistics pursuant to the Jeanne Clery Act.

• Is financial aid awarded only to eligible students consistent with the terms of the various award programs?

• Review student financial aid procedures and test a sample of loans to ensure that eligibility requirements are met and financial aid is disbursed accurately.

• Does the research and innovation division of the University conduct its financial business in a responsible and transparent manner, consistent with appropriate accounting principles?

• Review financial transactions of the University of Toledo Innovation Enterprises. Ensure that appropriated amounts were used for their intended purposes.


ACADEMIC ENTERPRISE:

BUSINESS SUPPORT FUNCTIONS

• Is the University’s cost base aligned with trends and projects for student enrollment and retention, patient registrations, and projected support from the State and Federal Government?

• Support the Redesign Coordination Group and the University President in implementing business process improvements intended to appropriately position the University to meet future business realities.

• Is information and software processed in the data center environment secured and protected?

• Review IT “general controls”, such as information security and change control that impact numerous computer systems.

• Does the University provide reasonable accommodations to students, patients, and staff who have a form of disability?

• Progress the University’s Americans with Disabilities Act compliance program, which includes a comprehensive series of audits in the following areas …

Academic Accommodations Distance Learning Facilities Web Accessibility


ACADEMIC ENTERPRISE:

INTERCOLLEGIATE ATHLETICS

• Does the University appropriately record income from barter agreements, sports camps, and other athletics ventures?

• Review athletics revenue-generating agreements (“outside income”) and confirm that stated obligations have been met by all parties.

• Does the University limit its organized practice activities, the length of its playing seasons, and the number of its regular-season contests and/or dates of competition in all sports, as well as the extent of its participation in non-collegiate sponsored athletics activities, to minimize interference with the academic programs of its student-athletes?

• Determine the level of compliance with NCAA regulations pertaining to playing and practice sessions. These include general playing-season regulations, foreign tours, and playing rules.

• Is University contact with prospective student-athletes in accordance with NCAA regulations, and is it being monitored accordingly and appropriately for all team sports?

• Review phone, email, Internet, and letter correspondence between coaches/administrators and prospective student-athletes on a surprise basis. Report results and monitor corrective action.

• Are revenues and expenses pertaining to intercollegiate athletics accounted for properly according to National Collegiate Athletics Association (NCAA) rules and University policy?

• Evaluate the quality of financial controls over athletic student aid; guarantees; support staff/administrative salaries, benefits and bonuses paid by the University and related entities; and recruiting.


CLINICAL ENTERPRISE:

BUSINESS PROCESS REVIEWS

• Are all billable transactions captured at the time of inpatient diagnosis and fully reflected in customer bills?

• Review the accuracy and reliability of the charge master databases, the charge capture process, and procedures for maximizing inpatient margins.

• Do construction and supply chain vendors doing business with the University comply with the provisions of their contracts?

• Review commercial contracts of selected vendors and projects.

• Are policies and procedures currently in place at UTMC clinics effective in managing business risks?

• Assess whether adequate internal controls existed in the areas of IT, personnel, registration, charge capture and recording, billing, cash collections and drug storage and dispensing. 

• Are UTMC business units effective in managing customer wait times, operating expenses, and patient satisfaction?

• Collaborating with the Redesign Coordination Group, benchmark UTMC operating departments with Lean Six Sigma and other process engineering principles.

• Is UTMC prepared for upcoming changes to coding of medical transactions?

• Review system and documentation requirements to ensure readiness for future ICD-10 coding classifications.

• Do the hospital and clinic computer systems under development promote a streamlined and secure process flow between the patient, Information Technology, and operating departments?

• Participate in the various “Meaningful Use” new clinical systems development projects as a controls consultant and identify opportunities for system and process integration.


CLINICAL ENTERPRISE:

CLINICAL COMPLIANCE

• Does the compliance plan protect the academic and clinical enterprises from significant violations of the law and internal policies, as well as preserve the confidentiality of patient and student information?

• Update the Finance and Audit Committee on the nature and resolution of clinical and academic compliance and privacy events processed by the University, including …

Claim Development and Submission Confidentiality Policy Emergency Patients Handling of Government Inquiries, Etc. Patient Resident Stay Medical Documentation Patient Resident Intake Quality of Care HIPAA FERPA Stark Law Other aspects of clinical compliance
