Trusteeship, Governance, and Audit Committee
FY2012 Risk Assessment and Audit Plan
August 15, 2011
FY2012 Audit Plan
KEY RISK AREAS | BUSINESS RISK | PLANNED ACTIVITY
INTERNAL AUDITS – ACADEMIC ENTERPRISE
• Are faculty members utilized to their fullest potential, consistent with University policy and expectations? Are academic programs meeting the financial and societal goals established for them?
• Advise in the development of a methodology for confirming the achievement of faculty workload goals. Support the University-wide initiative for evaluating the viability of academic programs.
• Does the research and innovation division of the University conduct its financial business in a responsible and transparent manner, consistent with appropriate accounting principles?
• Review financial transactions of the University of Toledo Innovation Enterprises. Ensure that appropriated amounts were used for their intended purposes.
• Are internal processes and computer systems designed to facilitate the student processing experience?
• Support the University-wide initiative to improve student customer service through the implementation of system and process improvements that will minimize student wait time and complaints/concerns.
INTERNAL AUDITS – CLINICAL ENTERPRISE
• Do construction and supply chain vendors doing business with the University comply with the provisions of their contracts?
• Review commercial contracts of selected vendors and projects. The Thermo Fisher Scientific supply chain contract has been selected for review thus far.
• Do the hospital and clinic computer systems under development promote a streamlined and secure process flow between the patient, Information Technology, and operating departments?
• Participate in the various “Meaningful Use” new clinical systems development projects as a controls consultant and identify opportunities for system and process integration between diverse stakeholder business functions.
• Is UTMC maximizing its potential with regard to customer satisfaction and nursing and physician productivity?
• Conduct a business process improvement review of nursing productivity. Perform a time-and-motion study of activities designed to prepare a room for an incoming patient in the most cost- and time-efficient manner possible.
SUPPORT FUNCTIONS
• Are payments made to employee medical benefit providers accurately, taking advantage of available discounts?
• Review medical benefit processing procedures, identifying and recovering erroneous and duplicate disbursements.
• Are the various methods for receiving and handling cash across the University known to management of the various operating departments? Does cash processing comply with established financial procedures?
• Determine the sufficiency of cash management procedures across the University, including standardization between the academic and clinical enterprises. Conduct random cash handling audits across operating departments.
INFORMATION TECHNOLOGY
• Does the University comply with Payment Card Industry standards for network security when processing University credit card transactions at all locations?
• Self-assess security and application controls over the computer networks that process student and patient credit card transactions. Independently evaluate compliance with these controls.
• Are issues identified during the testing of electronic transaction invoicing with vendors appropriately resolved prior to implementation?
• Review user testing of the Lawson system for Electronic Data Interchange invoicing transactions with various vendors.
• Have the system implications of the recent changes to the academic department organization been fully tested prior to implementation?
• Participate in the College Reorganization new systems development project as a controls consultant and review the nature and extent of user testing and acceptance.
• Is information and software processed in the data center environment secured and protected?
• Review IT “general controls”, such as information security and change control, that impact numerous computer systems.
INTERCOLLEGIATE ATHLETICS
• Are revenues and expenses pertaining to intercollegiate athletics accounted for properly according to National Collegiate Athletic Association (NCAA) rules and University policy?
• Evaluate the quality of financial controls over athletic student aid; guarantees; support staff/administrative salaries, benefits and bonuses paid by the University and related entities; severance payments; recruiting; equipment, uniforms, and supplies; game expenses; fundraising, marketing, and promotion; direct facilities, maintenance, and rental; spirit groups; indirect facilities and administrative support; medical expenses and medical insurance; and memberships and dues.
• Does the University appropriately record income from barter agreements, sports camps, and other athletics ventures?
• Review athletics revenue-generating agreements (“outside income”) and confirm that stated obligations have been met by all parties.
• Are football attendance statistics accurately recorded and reported in a timely manner to the NCAA?
• Review and certify attendance counts for all University home football games per NCAA regulations.
• Is University contact with prospective student-athletes in accordance with NCAA regulations, and is it being monitored accordingly and appropriately for all team sports?
• Review phone, email, Internet, and letter correspondence between coaches/administrators and prospective student-athletes on a surprise basis. Report results and monitor corrective action.
COMPLIANCE REVIEWS – ACADEMIC ENTERPRISE
• Is financial aid awarded only to eligible students consistent with the terms of the various award programs?
• Review student financial aid procedures and test a sample of loans to ensure that eligibility requirements are met and financial aid is disbursed accurately.
• Are research and development expenses expended in accordance with the terms of individual grants and State, Federal, and University regulations?
• Review research grants procedures and test a sample of payroll expenses to ensure compliance with these procedures and external regulations.
• Are ethics issues reported by employees, students, and business partners resolved appropriately and in a timely manner?
• Update the Audit Committee on the nature and resolution of ethics reports made to the Anonymous Reporting Line.
• Are erroneous financial and operating transactions detected and acted upon in a timely manner?
• Develop and implement real-time exception reporting for audit follow-up purposes. Departmental “field” audits and ongoing purchase card (“p-card”) reviews will support execution of this objective.
COMPLIANCE REVIEWS – CLINICAL ENTERPRISE
• Is UTMC taking appropriate steps to ensure compliance with Joint Commission accreditation standards on an ongoing basis?
• Review Joint Commission standards, determining whether effective UTMS problem identification/resolution procedures are in place relative to these standards.
• Is UTMC prepared for upcoming changes to coding of medical transactions?
• Review system and documentation requirements to ensure readiness for future ICD-10 coding classifications.
• Are all billable transactions captured at the time of inpatient diagnosis and fully reflected in customer bills?
• Review the accuracy and reliability of the charge master databases, the charge capture process, and procedures for maximizing inpatient margins.
• Does the compliance plan protect the academic and clinical enterprises from significant violations of the law and internal policies, as well as preserve the confidentiality of patient and student information?
• Update the Audit Committee on the nature and resolution of clinical and academic compliance and privacy events processed by the University (including HIPAA, FERPA, Stark Law, etc.).