Trusteeship, Governance, and Audit Committee FY2012 Risk Assessment and Audit Plan August 15, 2011.

Trusteeship, Governance, and Audit Committee

FY2012 Risk Assessment and Audit Plan

August 15, 2011

FY2012 Audit Plan

KEY RISK AREAS | BUSINESS RISK | PLANNED ACTIVITY

INTERNAL AUDITS – ACADEMIC ENTERPRISE

• Are faculty members utilized to their fullest potential, consistent with University policy and expectations? Are academic programs meeting the financial and societal goals established for them?

• Advise in the development of a methodology for confirming the achievement of faculty workload goals. Support the University-wide initiative for evaluating the viability of academic programs.

• Does the research and innovation division of the University conduct its financial business in a responsible and transparent manner, consistent with appropriate accounting principles?

• Review financial transactions of the University of Toledo Innovation Enterprises. Ensure that appropriated amounts were used for their intended purposes.

• Are internal processes and computer systems designed to facilitate the student processing experience?

• Support the University-wide initiative to improve student customer service through the implementation of system and process improvements that will minimize student wait time and complaints/concerns.

INTERNAL AUDITS – CLINICAL ENTERPRISE

• Do construction and supply chain vendors doing business with the University comply with the provisions of their contracts?

• Review commercial contracts of selected vendors and projects. The Thermo Fisher Scientific supply chain contract has been selected for review thus far.

• Do the hospital and clinic computer systems under development promote a streamlined and secure process flow between the patient, Information Technology, and operating departments?

• Participate in the various “Meaningful Use” new clinical systems development projects as a controls consultant and identify opportunities for system and process integration between diverse stakeholder business functions.

• Is UTMC maximizing its potential with regard to customer satisfaction and nursing and physician productivity?

• Conduct a business process improvement review of nursing productivity. Perform a time-and-motion study of activities designed to prepare a room for an incoming patient in the most cost- and time-efficient manner possible.

SUPPORT FUNCTIONS

• Are payments to employee medical benefit providers made accurately, taking advantage of available discounts?

• Review medical benefit processing procedures, identifying and recovering erroneous and duplicate disbursements.

• Are the various methods for receiving and handling cash across the University known to management of the various operating departments? Does cash processing comply with established financial procedures?

• Determine the sufficiency of cash management procedures across the University, including standardization between the academic and clinical enterprises. Conduct random cash handling audits across operating departments.

INFORMATION TECHNOLOGY

• Does the University comply with Payment Card Industry standards for network security when processing University credit card transactions at all locations?

• Self-assess security and application controls over the computer networks that process student and patient credit card transactions. Independently evaluate compliance with these controls.

• Are issues identified during the testing of electronic transaction invoicing with vendors appropriately resolved prior to implementation?

• Review user testing of the Lawson system for Electronic Data Interchange invoicing transactions with various vendors.

• Have the system implications of the recent changes to the academic department organization been fully tested prior to implementation?

• Participate in the College Reorganization new systems development project as a controls consultant and review the nature and extent of user testing and acceptance.

• Is information and software processed in the data center environment secured and protected?

• Review IT “general controls”, such as information security and change control that impact numerous computer systems.

INTERCOLLEGIATE ATHLETICS

• Are revenues and expenses pertaining to intercollegiate athletics accounted for properly according to National Collegiate Athletic Association (NCAA) rules and University policy?

• Evaluate the quality of financial controls over athletic student aid; guarantees; support staff/administrative salaries, benefits and bonuses paid by the University and related entities; severance payments; recruiting; equipment, uniforms, and supplies; game expenses; fundraising, marketing, and promotion; direct facilities, maintenance, and rental; spirit groups; indirect facilities and administrative support; medical expenses and medical insurance; and memberships and dues.

• Does the University appropriately record income from barter agreements, sports camps, and other athletics ventures?

• Review athletics revenue-generating agreements (“outside income”) and confirm that stated obligations have been met by all parties.

• Are football attendance statistics accurately recorded and reported in a timely manner to the NCAA?

• Review and certify attendance counts for all University home football games per NCAA regulations.

• Is University contact with prospective student-athletes in accordance with NCAA regulations, and is it being monitored accordingly and appropriately for all team sports?

• Review phone, email, Internet, and letter correspondence between coaches/administrators and prospective student-athletes on a surprise basis. Report results and monitor corrective action.

COMPLIANCE REVIEWS – ACADEMIC ENTERPRISE

• Is financial aid awarded only to eligible students consistent with the terms of the various award programs?

• Review student financial aid procedures and test a sample of loans to ensure that eligibility requirements are met and financial aid is disbursed accurately.

• Are research and development expenses expended in accordance with the terms of individual grants and State, Federal, and University regulations?

• Review research grants procedures and test a sample of payroll expenses to ensure compliance with these procedures and external regulations.

• Are ethics issues reported by employees, students, and business partners resolved appropriately and in a timely manner?

• Update the Audit Committee on the nature and resolution of ethics reports made to the Anonymous Reporting Line.

• Are erroneous financial and operating transactions detected and acted upon in a timely manner?

• Develop and implement real-time exception reporting for audit follow-up purposes. Departmental “field” audits and ongoing purchase card (“p-card”) reviews will support execution of this objective.

COMPLIANCE REVIEWS – CLINICAL ENTERPRISE

• Is UTMC taking appropriate steps to ensure compliance with Joint Commission accreditation standards on an ongoing basis?

• Review Joint Commission standards, determining whether effective UTMS problem identification/resolution procedures are in place relative to these standards.

• Is UTMC prepared for upcoming changes to coding of medical transactions?

• Review system and documentation requirements to ensure readiness for future ICD-10 coding classifications.

• Are all billable transactions captured at the time of inpatient diagnosis and fully reflected in customer bills?

• Review the accuracy and reliability of the charge master databases, the charge capture process, and procedures for maximizing inpatient margins.

• Does the compliance plan protect the academic and clinical enterprises from significant violations of the law and internal policies, as well as preserve the confidentiality of patient and student information?

• Update the Audit Committee on the nature and resolution of clinical and academic compliance and privacy events processed by the University (including HIPAA, FERPA, Stark Law, etc.).