"Internal Audit Strategic Management Plan - PDF"
ANNUAL REPORT
INTERNAL AUDIT PLAN 2001-02
May, 2001
Office of the University Auditor
Office of the President
University of California

TABLE OF CONTENTS
Executive Summary
I. Introduction
II. The Operating Plan
    A. Planning Process
    B. Plan Overview & Analysis
    C. Distribution of Audit Effort
    D. Core Business Activities
    E. Specific Elements of the Audit Plan
III. The Strategic Plan
    A. Overview
    B. Current Year Initiatives
    C. Summary
Appendix A Synopsis of High Level Issues and Risk Summary

EXECUTIVE SUMMARY

This University of California Internal Audit Plan for fiscal year 2001-02 is designed to meet the objective of providing the most timely and comprehensive scope of audit coverage possible--deploying the resources of the Internal Audit Program in an effective and efficient manner. We believe this Plan achieves the objective.

The Operating Plan

Achieving the objective requires balance among our three areas of primary activity--Audits, Advisory Services and Investigations. Foremost among these is the program of regular audits of academic, laboratory, and health care programs as well as administrative functions. This is evidenced by the plan devoting nearly two-thirds of the available time to the Audit Program. By virtue of projected gains in average staffing levels maintained (offset in part by a reduction in utilization of outside resources), a 20,000 hour increase is projected in available resources. This increase allows us to budget at a higher level than the current year for both Audits and Advisory Services. Expanding Advisory Services is especially viewed as a proactive investment of the additional resources. At 21% of available time, Advisory Services is well within the University Auditor's planning guidelines, and represents reasonable balance among our activities. Investigation hours are projected to remain at approximately the current year level.
In the current year, Investigation hours have returned to a more normal level after a year elevated by two significant events.

The two most significant assumptions upon which the Plan is built are 1) staffing levels and 2) Investigation hours. During the current year, turnover has continued to be high, but recruitment efforts have been improving. This fact coupled with several additional authorized positions allows us to plan for an increase of ten auditors on average in FY 2001-02. However, this level only returns the Planned level of staffing to the same level as Planned for FY 2000-01, and so it is not viewed as overly aggressive.

Utilizing a newly added dimension of our risk assessment and planning process, a number of core business activities have been identified for which periodic audit attention is being required. This feature, together with our usual attention to the areas assessed to be of relatively higher audit risk, provides a Plan that is balanced and assures audit coverage of both high risks and major business functions.

The Strategic Plan

The continuous improvement of the Internal Audit Program is accomplished through our strategic planning efforts. With the recently completed follow-up review by an External Review Team, our efforts will be refocused in the areas of knowledge sharing, risk assessment, and specialized skills.

I. INTRODUCTION

The University of California Internal Audit Plan for the fiscal year 2001-02 presents the consolidated audit plans of the nine campuses, three national laboratories and the Office of the President. The objective of the Plan is to provide the most timely and comprehensive scope of audit coverage to the University possible, deploying the resources available to the Internal Audit Program in an effective and efficient manner. We believe the objective is reasonably achieved with this Plan.
The mission of Internal Audit is "to assist The Board of Regents and University management in the discharge of their oversight and operating responsibilities through independent audits and consultations designed to evaluate and promote the system of internal controls, including effective and efficient operations." While acknowledging that Internal Audit's primary activity in fulfilling this mission is the conduct of a program of regular audits of the University's business operations, the Audit Plan recognizes that we are fundamentally engaged in three types of activities, as follows:

Audits--The planned and supplemental program of regular audits of all units (including academic departments) and business processes that cut across all organizational units (e.g., purchasing, travel, etc.). The Audit Program focuses on operating units where activities are carried out but the selection of units for audit is largely driven by issues of importance--such as Outreach efforts, major construction programs and other ramifications of expected growth.

Advisory Services--Representing those additional activities that a) promote the systems of internal controls through training of University personnel in concepts of internal control and consultation on their implementation; or b) promote effective and efficient operations through special management studies, advisory participation on business process and systems reengineering teams and consultation on business issues (e.g., regulatory compliance matters). In addition, at certain locations Internal Audit serves in additional capacities such as External Audit Coordinator (acting as liaison for campus visits by regulators and investigators), Information Practices Act Coordinator or Conflict of Interest Coordinator.
Investigations--Pursuant to University policy, Internal Audit conducts investigations into suspected financial irregularities whether reported by whistleblowers, uncovered in the course of regular audits, or based upon concerns conveyed by management.

In constructing the Annual Audit Plan, an objective is to assure an appropriate balance between the above three activities. While the program of regular audits is the first priority, it is also recognized that some issues are more effectively and efficiently dealt with through Advisory Services. We also believe that over time, investigation activity can be reduced through an active program of providing advice and consultation to business unit management and their staffs. We believe this Plan represents an appropriate balance among these activities.

This Annual Audit Plan contains two sections--the Operating Plan and the Strategic Plan. The Operating Plan establishes the planned utilization of our human resources to address the areas of perceived highest risk and is essentially a budget expressed in hours rather than dollars. The Strategic Plan conveys the planned efforts designed to provide continuous improvement of the Internal Audit Program.

II. THE OPERATING PLAN

A. Planning Process

Any audit planning process begins with an understanding of the entity, activity or process to be audited and identification of the auditable elements, or components, of the entity. This is traditionally referred to as the audit universe. Annually, the planning process includes reconsideration of the audit universe as new activities, organizations and programs must be identified together with changes in the existing organization. In addition to changes within the operating units, changes in the overall environment within which the University exists must be considered. These "environmental" changes may include the regulatory climate, economic climate, and political sensitivity to certain issues.
In recent years, for example, the regulatory climate in the health care arena has changed significantly focusing attention on compliance matters and prompting an aggressive response from the University in stepping up compliance initiatives. In the current year, increased expenditures for construction and outreach programs continue to represent areas for increased audit consideration.

The audit risk of each component unit is assessed using a methodology traditionally utilized by auditors. Relative risk assessment is necessary to provide a means for rational deployment of limited resources across the audit universe. The Audit Plan strives to achieve the dual objectives of assuring audit coverage of the areas identified as representing the greatest current risk, while at the same time assuring broad coverage of the business operations of the University over time.

It is important to note that "risk" for this purpose is not intended as a negative reflection on the manner in which the business unit conducts its affairs. There are different levels of inherent risk present in different business activities. Obviously, the risk of loss of University resources to theft is greater for some assets (cash) than others (buildings). Management of fiscal risk to an accepted level through the application of internal controls and other risk mitigation activities is a management function. It is the function of the auditors to both assess the appropriateness of the level of risk accepted and the effectiveness of the controls employed to mitigate risk.

The risk assessment methodology utilized as the basis for the 2001-02 Audit Plan was fundamentally the same as in prior years, modified somewhat as described below. In assessing relative risk, auditors at each location gathered information from:

• Financial analyses
• Change analyses (management, systems, funding sources/levels, regulations, etc.)
• Interviews with management
• Consideration of external audit activities
• Audit issues identified and shared among UC Audit Directors, by the controllers and other universities

In addition, a high level summary and analysis of issues and risks was prepared and shared among all Audit Directors. This analysis considered issues and risks on a systemwide level as well as issues and risks unique to our individual lines of business at the campus, lab and health sciences level. Some of the issues more readily relate to auditable risks, while others represent broad issues facing the University of which auditors need to be aware whether or not they are engaged in directly related audit activities. A synopsis of this high level issues and risk summary is attached as Appendix A.

With this as background information, each component of the audit universe was assessed for relative risk using factors that have been proven by audit studies to be the most predictive of financial reporting failures. They are:

Management Control Environment--This factor assesses the adequacy of the existing control environment based on information from previous audit experience and the analyses referred to above. The time since the organization was last audited is also considered. This factor also considers the financial expertise of management, complexity of operations, and the overall effectiveness and efficiency of operations.

Business Exposure--Both materiality and liquidity of resources under management are assessed relative to other organizational units. While size is not necessarily an indicator of greater inherent risk, greater financial exposure attracts greater audit interest if all other factors are equal.

Public and Political Sensitivity--Certain activities by their nature tend to garner greater public interest than others and/or represent areas of high political sensitivity.
There are greater than normal risks to the University's reputation and goodwill inherent in these activities which can result in diminished funding and loss of independence to greater oversight or scrutiny. This factor is somewhat of a counterbalance to the materiality factor as size of the business exposure is less relevant to the impact of an accountability failure.

Compliance Requirements--This factor addresses all internal and external policy, procedure, regulatory and statutory matters affecting the operations of the auditable unit. The volume and complexity of rules and regulations generally increase the risk of non-compliance, which can create financial exposure as well as inefficient and ineffective operations.

Financial and Administrative Reporting--Reliable information is needed at all levels of an organization to effectively run the business. Financial and operational data drive decision making and are essential to the processes of planning, budgeting and performance measurement among others. This factor considers the accuracy, integrity and availability of information for these purposes whether provided by a manual or automated system.

Organizational Change and Growth--Change has been proven to be highly predictive of audit risk, whether the change is in people, systems or funding sources and levels. Organizational change frequently dictates the need for changes in procedures and controls that tend to lag behind.

Information Technology Processing--In the current year, an additional risk factor was added to assure that adequate consideration is given to the impact of Information Technology (IT) on all operations. Historically, application systems and centralized data centers have been independently evaluated. However today, it is critical that the use of technology within every activity be evaluated at the operating unit level and not just at the central data center level.
These factors are weighted and scored to determine the relative risk ranking of each component of the audit universe. For risk assessment purposes separate weightings of the above risk factors are assigned to the University's three lines of business--campuses, labs, and health sciences.

The results of the risk assessment of each campus, lab and medical enterprise are provided to the University Auditor for analysis and consolidation. Such analysis is shared with each location so that anomalies can be investigated and assessments of like activities by other locations can be factored into the local risk assessments. This process also assists in identifying broad risks that exist across the University and are worthy of collective consideration in the planning process.

The finalized risk assessments drive the preparation of local audit plans that are subjected to review by local audit committees, management, and Chancellors or Laboratory Directors before being submitted to the University Auditor for approval and submission to The Regents' Committee on Audit on a consolidated basis. In reviewing the plans, consideration is given to both of the objectives enumerated above. That is, the plans must demonstrate that the highest identified risk areas are being subjected to audit while at the same time assuring reasonable breadth of coverage across the audit universe. In addition, the local plans are reviewed for consistency with the planning guidelines distributed by the Office of the University Auditor at the beginning of the planning process.

B. Plan Overview & Analysis

Available Resources & Distribution

The Audit Plan is essentially an allocation of human resources. The ability to maintain the planned staffing level is critical to the accomplishment of the Annual Plan. For the last several years the Internal Audit Program, like the University in general, has experienced relatively high turnover and increased cycle time for hiring new employees.
This has led to staffing shortfalls as compared to our Plans. In the current year through March 31, 2001, our average staffing level of 101 Full Time Equivalent (FTE) auditors is below the Planned level of 111 auditors. Several locations have received an increase in the number of authorized auditor positions for the coming year. All locations are actively recruiting for any open positions and alternative temporary and specialized resources are aggressively sought to augment resources especially when vacancies occur. These factors allow us to Plan for FY 2001-02 at a higher level of available resources than experienced in the current year but only in an amount that approximates the plan for the current year. In other words, the Plan for FY 2001-02 is to return to the planned staffing levels of the current year.

Following are the planned available resources on a gross basis and a tabulation of the resulting hours available on a net basis to devote to Direct Audit activities.

PLAN OVERVIEW
Table 1

Average FTEs: 111 (2001-02 Plan); 101 (3/31/01 Annualized)

| | 2001-02 Plan Hours | 2001-02 Plan % | 3/31/01 Annualized Hours | 3/31/01 Annualized % |
|---|---|---|---|---|
| Gross Available Hours | 237,069 | 100.0% | 216,388 | 100.0% |
| Non-Controllable Hours | 36,365 | 15.3% | 34,515 | 15.9% |
| Net Available Hours | 200,704 | 84.7% | 181,873 | 84.1% |
| FY 2001-2002 Distribution of Net Available Hours | | | | |
| Administration | 17,251 | 8.6% | 15,760 | 8.7% |
| Professional Development | 8,463 | 4.2% | 12,229 | 6.7% |
| Other | 2,327 | 1.2% | 1,951 | 1.1% |
| Direct Audit Hours (to Table 2) | 172,663 | 86.0% | 151,933 | 83.5% |
| Total Net Available Hours | 200,704 | 100.0% | 181,873 | 100.0% |

[Chart: FY 2001-2002 Distribution of Net Available Hours]

The Plan is based on sustaining an average of 111 auditors throughout the year, which produces approximately 231,000 hours of available resources. Nearly 6,000 hours of resources from other than regular audit staff, including interns, contract auditors, and consultants with specialized skills, bring the Planned Gross Available Hours to 237,000.
The mix of permanent and temporary staff, including the use of specialists, is always a consideration when planning for the appropriate magnitude and skill level of resources. In general, the use of outside resources is considered appropriate when specialized skills are needed or to augment the staff so as to complete critical elements of the Audit Plan. At the same time, our incentive to carry out as much of the Audit Program as possible with permanent staff is driven by many factors, including cost. Auditors hired on a contract basis to perform routine audit work that would otherwise be completed by our staff cost on average two to two and one-half times the “fully loaded” cost of a staff auditor on an hourly basis. Therefore, we try to utilize other resources principally when they can bring expertise to bear not otherwise possessed by the Audit Staff. The use of interns, on the other hand, is very cost effective and provides an added work experience for selected students as well. Non-controllable hours represent official leave, such as vacations, holidays and illness as provided by University personnel policies. This level is fairly predictable based on historical experience and represents less than the fully accrued leave. The Distribution of Net Available Hours table accounts for those available hours spent in other than Direct Audit activities. A planning guideline of approximately 10% was established for Administration, and the consolidated Plan projects 8.6% for administration of the Internal Audit Program, approximating the current year level. Professional Development hours at 4.2% of available resources is a normally expected level. The current year data reflecting 6.7% appears high in part because it is annualized based on year to date data through March 31 and professional development efforts tend to occur earlier in the year. Little training is actually scheduled in the fourth fiscal quarter. 
In addition, the current year experienced both a biennial All Auditors Conference and mandated IT training for all professionals. Professional Development time averaging 76 hours per professional in the 2001-02 Plan represents a historically normal level and represents an investment in the quality of the audit staff.

The resulting 172,700 hours of Direct Audit activity represents 86% of the available resources which is an increased level of productivity compared to the rate experienced in 2000-01 year-to-date, and slightly in excess of the planning guideline of 85%.

Allocation of Direct Audit Hours

Once the net available resources are tabulated, the Audit Plans are prepared to address the multiple services provided with a primary emphasis on addressing the areas identified in the risk assessment process. Following is a summary tabulation of the planned deployment of Direct Audit Hours.

ALLOCATION OF DIRECT AUDIT HOURS
Table 2

| | 2001-02 Plan Hours | 2001-02 Plan % | 3/31/01 Annualized Hours | 3/31/01 Annualized % |
|---|---|---|---|---|
| Audit Program | | | | |
| Planned Audits (to Tables 3 and 4) | 89,839 | 52.0% | 74,014 | 48.7% |
| Supplemental Audits | 12,246 | 7.1% | 18,159 | 12.0% |
| Total Audit Program | 102,085 | 59.1% | 92,173 | 60.7% |
| Advisory Services | | | | |
| Consultations/Spec. Projects | 21,954 | 12.7% | 13,532 | 8.9% |
| Systems Dev., Reengineering Teams, Etc. | 6,703 | 3.9% | 5,309 | 3.5% |
| Internal Control & Accountability | 3,102 | 1.8% | 4,199 | 2.8% |
| External Audit Coordination | 3,922 | 2.3% | 236 | 0.2% |
| IPA, COI & Other | 160 | 0.1% | 1,729 | 1.1% |
| Total Advisory Services | 35,841 | 20.8% | 25,005 | 16.5% |
| Investigations | 20,525 | 11.9% | 19,916 | 13.1% |
| Audit Support Activities | | | | |
| Audit Planning | 3,186 | 1.9% | 4,025 | 2.6% |
| Audit Committee Support | 1,791 | 1.0% | 849 | 0.6% |
| Systemwide Audit Support | 4,559 | 2.6% | 4,986 | 3.3% |
| Computer Support | 2,622 | 1.5% | 3,855 | 2.5% |
| Quality Assurance | 2,054 | 1.2% | 1,124 | 0.7% |
| Total Audit Support | 14,212 | 8.2% | 14,839 | 9.7% |
| Total Direct Audit Hours | 172,663 | 100.0% | 151,933 | 100.0% |

[Chart: FY 2001-2002 Direct Audit Hours]

Audit Program--The Audit Program constitutes the program of regular audits and is comprised of both Planned Audits and an allocation for Supplemental Audits that arise during the course of the year. The latter recognizes that we exist in a dynamic environment and the Audit Plan established annually requires some margin for flexibility. At 102,100 hours, the Plan projects approximately 9,900 additional audit hours compared to the level of regular audit activity expected to be provided in the current year (92,200).

The program of regular audits is intended to represent our primary means of providing audit coverage to the areas identified as the highest business risks in our risk assessment process as well as providing broad coverage to the various components of the audit universe over time. Tables 3 and 4 display the broad coverage of the components of the audit universe. The attention to the highest risk areas is assessed by asking each location to identify audit or other coverage of the top ten risk areas identified in their risk assessment scoring process. That analysis indicates that 90% of the areas identified as high risk are planned to receive attention during the coming year.
Almost universally, the items identified as high risk that are not in next year's plan are items currently under audit or recently audited with substantive corrective action pending. Accordingly, the area cannot yet be assessed at a lower risk level, but will not be re-audited next year. Tracking completion of corrective action is accomplished through a program of regular follow-up.

Approximately 62% of the Planned Audit hours are devoted to the areas of highest identified risk. While that represents good concentration in the high risk areas it is low enough to provide adequate time for broader coverage of the University over time as well. Approximately 18% of the auditable component units are included in the audit plan with 310 Planned Audits. Most academic units are addressed through local programs of departmental surveys that are less than full scope audits, but as a minimum are diagnostic for departments without significant research expenditures. See sections C, D, and E for a discussion of specific elements of the Audit Plan and the attention devoted to “core” business activities.

Advisory Services--This category encompasses a broad array of audit-related activities beyond regular audits. It is the most proactive of our three major areas of activity and one that we believe can have far reaching impact on a number of business units. At 35,800 hours Planned (21%), it represents a substantial increase from the anticipated 25,000 hours (16.5%) for the current year. However, the current year hours are significantly below the 2000-01 Plan of 29,300 hours. The Planning Guideline established by the University Auditor's office for this category is 15%--25%. Therefore, the Planned hours are well within the range of what is considered appropriate for an optimal mix of services. The further enhancement of our Advisory Services capabilities and customer awareness continues to be a key element of our Strategic Plan.
Within this category, Internal Control & Accountability includes our contribution to the Business Officers Institute (BOI), which will train approximately 400 additional departmental business officers in fiscal year 2001-02. Well over 1,200 employees have attended BOI to date. It also includes our efforts to support the Controllers' accountability initiatives, including Control Self Assessment, to the extent appropriate depending on individual campus implementation plans, as well as the independent control self assessment effort at the laboratories.

Special Projects and Consultations are projected to increase from 13,500 hours to 21,900 hours as we actively seek opportunities to help department and program managers deal with issues before they become audit or investigation problems.

Systems Development, Business Process Review Team and other task force or committee participation reflects our involvement in the continued efforts of campuses and laboratories to develop and implement new systems, improve their business processes to be more effective and efficient and deal with other campus or lab business issues. Involvement of auditors in a consultative manner during the design and development phase helps to ensure that sound business practices, including effective internal controls, are built into the systems and processes.

And lastly, a nominal number of hours are budgeted to reflect the activities of two of our campuses at which Internal Audit has expanded roles in Information Practices Act and Conflict of Interest matters.

Investigations--The planned hours for Investigations are expected to continue at approximately the level of the current year. As hoped for in the 2000-01 Plan, we are experiencing a return to what is considered a fairly normal level of investigation hours in the current year after a significant increase in FY 1999-00 caused principally by two major investigations.
Hours for Investigations are projected to consume just under 20,000 hours in FY 2000-01 and are planned at slightly over 20,000 hours in FY 2001-02. Should this estimate prove overly optimistic, other planned audit activities will have to be curtailed or additional resources will have to be garnered. Within reason, this can be accommodated without sacrificing essential elements of the Audit Program. In any given year, a particular location can experience significant investigation activity that threatens the conduct of critical audits. Whenever this risk occurs, the local Audit Committee assesses the impact on the Audit Plan and the need for additional resources either to assist in the investigations or to carry out portions of the Audit Plan.

Audit Support Activities--This category represents various activities that benefit the overall program but do not result in the delivery of a service to a business unit of the University. At 14,200 hours, this category is consistent with the current and prior year hours.

C. Distribution of Audit Effort

As stated earlier, the Audit Plan strives to achieve the dual objective of assuring audit coverage of areas identified as representing the highest relative risk, while at the same time assuring broad coverage of the business operations of the University. The previous analyses dealt principally with coverage of the highest risk areas. The following analyses provide information about the relative audit coverage by component units of the University and by functional areas, demonstrating the breadth of coverage of the various elements of the audit universe.

The distribution of planned audit hours among major business units is reflected in the table and chart below. The distribution of audit hours to the Labs and Office of the President is driven by the staffing of those Internal Audit Departments.
The distribution between campus and health sciences is measured by the relative effort (measured in hours of planned audits) for those campuses with health sciences clinical enterprises. For the purposes of this chart, the Schools of Medicine are included in Health Sciences and not Campus totals.

DISTRIBUTION OF PLANNED AUDITS
Table 3

| | Hours | % |
|---|---|---|
| Campus | 48,832 | 54.4% |
| Health Sciences | 19,850 | 22.1% |
| Labs | 15,342 | 17.1% |
| Office of the President | 5,815 | 6.4% |
| Total | 89,839 | 100.0% |

[Chart: FY 2001-2002 Distribution of Planned Audits]

The following table demonstrates the breadth of coverage across functional areas of the University.

DISTRIBUTION OF PLANNED AUDITS (Functional Areas)
Table 4

| | Hours | % |
|---|---|---|
| Financial Management | 23,334 | 26.0% |
| Health Sciences Research, Instruction & Clinical Services | 16,377 | 18.2% |
| Campus Departments, Research & Instruction | 14,535 | 16.2% |
| Facilities, Construction & Maintenance | 7,419 | 8.3% |
| Auxiliary, Business, & Employee Support Services | 6,653 | 7.4% |
| Information & Communications | 5,677 | 6.3% |
| Lab Research Programs & Processes | 5,386 | 6.0% |
| Office of the President | 3,230 | 3.6% |
| Human Resources & Benefits | 2,955 | 3.3% |
| Environmental Safety and Security | 2,277 | 2.5% |
| Development & External Relations | 1,996 | 2.2% |
| Total | 89,839 | 100.0% |

[Chart: FY 2001-2002 Distribution of Planned Audits (Functional Areas)]

As can be seen, the largest commitment of time is to broad financial management activities, many of which cut across departmental lines.
This area includes general accounting, payroll, contracts and grants accounting, procurement, cash and bank accounts, travel and entertainment, and risk management among others. This area historically has received the largest portion of audit work, and it includes work in these functional areas whether carried out at a campus, lab or in the health sciences. See section I for a discussion of “core” business activities.

Campus Departments, both instructional and research activities, reflect a slight decrease as compared to the current year plan while Health Sciences Research, Instruction and Clinical Services is Planned at a slight increase. Combined, they traditionally represent approximately one-third of Planned Audit effort and represent substantial attention to the academic and research units where the business of the University is conducted.

Facilities, Construction & Maintenance at nearly 7,500 hours is appropriately the next largest category reflecting the audit effort in response to the University's major capital programs.

Auxiliary, Business, & Employee Support Services is a broad category encompassing athletics, bookstores, housing and dining operations, libraries, parking, etc., which are activities carried out by numerous enterprises many of which operate in a manner similar to an independent business.

Information & Communications is planned to receive 6.3% of our audit attention or 5,700 hours. This data actually understates our total attention to Information Technology as it represents our effort only in relation to the information infrastructure and the central computing operations whether administrative, scientific or academic. IT auditing occurs within all of our audit activities depending on the automated nature of the area under review. As business processes become increasingly automated it is imperative that our IT audit efforts be integrated into our routine business auditing and not dealt with as a separate effort.
The captions for Lab Research Programs & Processes and Office of the President cover topics unique to their environments, for example, DOE contract administration at the labs and the Treasurer’s Office at OP. We believe that these statistics demonstrate reasonable distribution of effort and appropriate coverage of the elements of the audit universe in relation to their relative risk. In total, there are 310 new audits included in the FY 2001-02 Audit Plan with an average of approximately 290 hours budgeted per audit.

D. Core Business Activities

Risk assessment is a fundamental auditing concept premised on the need to prioritize our efforts in the areas of greatest relative risk. This need stems from the impracticality of providing regular audit coverage to the entire University on a cyclical basis. Again, “risk” for this purpose does not imply any unwarranted business strategy or lack of management oversight. Most risk is inherent in the business activity. Each year when we perform our risk assessments, there are a number of contemporary issues that justifiably attract special attention, frequently due to change, growth or shifting perspectives. There is a risk that these contemporary issues will distract attention from the fundamental business activities that regularly represent the majority of the University business. If this occurs repeatedly, we can find that too much time has passed without adequate audit attention to these fundamental business activities.

To address this risk, a new concept has been employed in the current year’s risk assessment. We have identified a select number of “core” business activities within each line of business that we believe are deserving of audit attention on a periodic basis, normally approximately every three years.
This approach is intended to balance the tendency to focus on the “new and different” in our risk assessment at least for those activities for which our confidence in the management and control structures needs to be reaffirmed at regular intervals. The core business activities identified are as follows:

For All Locations
• Cash Management (including cashiering and bank accounts)
• Payroll Processing
• Procurement
• Disbursements
• Contract & Grant Administration (Work For Others at Labs)
• Central Administrative Computing
• Major Construction Program

Additional For All Campuses
• Financial Aid
• Student Fees & Receivables
• Fund Raising & Gift Processing

Additional For All Health Sciences Campuses
• Medical Billings & Receivables
• Regulatory Compliance Program

Additional For National Labs
• DOE Contract Cost Allowability Clauses

Additional For the Office of the President
• Treasury—Investments

Many of these areas lend themselves to multiple audits in order to be of a more manageable size. For example, in procurement, one audit may be looking into competitive bidding requirements, while another may look into low value purchasing procedures through the use of procurement cards. Therefore, it is not as simple as determining that a location with ten core business areas should audit approximately three areas each year. What is important is that regular attention is given to elements within each of these areas that when viewed in total, would constitute substantive coverage of the area with appropriate frequency. Each location has begun tracking their audit coverage of core business activities and the University Auditor’s Office is monitoring the coverage.

In addition, these broad audit topics that apply to each (or many) of our locations lend themselves to the development of common audit programs and shared approaches. This is an element of our strategic plan.
Under certain circumstances, it is even appropriate to commit to collective audit program development and common audit timing and reporting. Such an approach is being employed in the current year for auditing the Healthcare Corporate Compliance Program in cooperation with the Compliance Officers.

E. Specific Elements of the Audit Plan

This section discusses in somewhat greater detail the correlation of the Audit Plan to certain areas identified as constituting relatively higher audit risk. Approximately 54,000 hours of Planned Audit effort and over 11,000 hours of Advisory Services time are planned in areas identified as high risk. A tabulation by functional area of the audit universe follows:

2001-02 PLANNED AUDITS AND ADVISORY SERVICES
HIGHER RISK AREAS
Table 5

                                                  Planned   Advisory
Functional Areas                                   Audits   Services    Total
Auxiliary, Business, & Employee Support Serv.       2,600        280    2,880
Development & External Relations                    1,700          -    1,700
Environmental Safety and Security                   2,171        300    2,471
Facilities, Construction & Maintenance              6,035        340    6,375
Financial Management                               13,170      3,655   16,825
Human Resources & Benefits                          2,631          -    2,631
Information & Communications                        2,413      3,220    5,633
Campus Departments, Research & Instruction          8,140        850    8,990
Health Sciences Research, Instr. & Clin. Serv.      9,755      2,680   12,435
Lab Research Programs & Processes                   4,024          -    4,024
Office of the President                             1,400        190    1,590
Total                                              54,039     11,515   65,554

Specific high risk audit topics and a summary description of audit activities in selected areas follow. These represent topics being addressed by all or nearly all locations in the FY 2001-02 Plan. In most cases, where audit attention is not planned in FY 2001-02 it is because of work undertaken in the current year.

Outreach— At the Office of the President, a review of overall Outreach funding and accountability requirements will be conducted to gain perspective of the dynamics of the various programs.
In addition, specific audits of selected programs including Teacher Training Institutes, School University Partnerships and the Puente programs are planned. Certain campuses plan to review Outreach programs at their locations, and all have been alerted to the high level of sensitivity and need for awareness of campus programs and initiatives.

Major Construction Programs— Each of the three national labs and nearly every campus has Planned Audit activity in major construction programs. Specific construction projects selected for review include UC Davis Medical Center, UCSF Mission Bay, LLNL’s National Ignition Facility (NIF) and LBNL’s National Energy Research Scientific Computer Center (NERSC). In addition, most locations’ Planned Audits will also address broader facilities administration practices such as capital planning, construction bidding, planning and site development and deferred maintenance.

Regulatory Compliance
• Health Sciences— Each of the five health sciences campuses will conduct specific audits of the Corporate Compliance Program with a focus on Professional Fee billings under a common approach developed in conjunction with the Compliance Officers and the Office of the President. In addition, each campus will review selected aspects of health care compliance in areas such as pharmacies, labs and home health programs, as well as perform financial audits such as a Medicare costs reporting review.
• Research— Numerous audits of academic departments, programs and organized research units are scheduled with a concentration of effort on research matters. In the health science enterprises, several locations have specific audits of clinical trials planned while others have completed work in this area recently.
In addition, each location is prepared to assist their campus in an Advisory Service capacity as they deal with regulatory change and more specifically, the anticipated recommendations of the high level review of the University’s research compliance efforts being conducted currently.
• Health Insurance Accountability & Portability Act— A systemwide HIPAA steering committee has been formed to guide and monitor the University’s efforts to come into compliance with the significant regulations governing the protection of personal health information. The University Auditor serves on this committee. Each health science campus has formed a local implementation committee as well. Auditors at each of these locations plan to assess the appropriateness of the preparedness efforts as they proceed over the next two years.

Joint Ventures/Partnerships— A variety of audit activities are planned reflecting the breadth of relationships that exist. UCLA plans to review the new Global Film School. UC Davis will review the MIND Institute. The Office of the President will gain an understanding of and review the governance and oversight mechanism being put in place for the Governor’s Science Institutes. UC Berkeley plans to audit two Science Institutes. Several locations plan to perform a high level review of all joint ventures/partnerships/affiliations. In addition, several other locations plan to audit their technology transfer and licensing programs with special attention paid to any new relationships formed.

Laboratory Safeguards and Security Programs— Two of the national labs have specific audits scheduled to review their safeguards and security programs. At the other national lab, a separate unit of assessors within the Audits & Assessments Office routinely is involved in evaluation of these efforts.
Gift Processing/Donor Restrictions— Because of concern for the appropriate use of donated funds, various aspects of development efforts are selected for audit at each location in any given year. In the current year, planned audits include Development Office audits at several campuses, implementation assistance at the Office of the President in regard to a new endowment accounting system, review of fundraising and gift processing, audits of several campus foundations and selected support groups.

The following Planned Audit activities are less widespread and result from location specific risk assessment.

Investments— The Office of the President has a Planned Audit to review application of investment policy, including a review of the asset allocation plan implementation.

Limited Term Appointments— Implementation of the new policy replacing casual appointments will be reviewed by the Office of the President, and on a sample basis, campuses will likely be asked to perform selected local procedures to test implementation.

Student Admissions— Several locations plan to conduct reviews of student admissions processes as well as fiscal operations reviews of Admissions Offices, and related topics such as student fees.

Additional Location Specific Topics— These include many other audit areas and topics, among the more noteworthy being, managed care contracts, affiliation agreements with other hospitals, intercollegiate athletics, hospital billing systems and receivables, and programs in health sciences for blood and tissue banks and transplant programs.

III. THE STRATEGIC PLAN

A. Overview

The continuous improvement of the University’s Internal Audit Program demands that we devote a portion of our effort to developing and executing a strategic plan as well as an operating plan. The strategic plan’s objectives are driven by several factors including:
• Recommendations from our quality assurance reviews,
• Changes within our profession, and
• The changing role of internal auditors within the University.

A follow-up review of the University’s Internal Audit Program by an External Review Team was recently completed. Their report has been separately communicated to The Regents’ Committee on Audit. It recommends continued development of our risk assessment processes and abilities to share knowledge and resources, and recognition of the benefits of specialized skills, whether internally developed or externally acquired.

The changes occurring within the internal audit profession are in part based on the report of an Institute of Internal Auditors' Guidance Task Force. Even the definition of internal auditing has been revised. The still relatively new definition for the profession is as follows:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The recognition that internal auditors provide both assurance and consulting services while retaining their independence and objectivity is a cornerstone of the new definition. Its reality is demonstrated by our own changing role in the University. Increasingly, our customers, principally line operating managers, seek our assistance and counsel as they address their business issues rather than wait for a “post audit” process to validate or critique their efforts. This practice is consistent with the current management philosophy of “designing” in quality rather than “inspecting” in quality.

B. Current Year Initiatives

We continue to execute our strategic improvement initiatives through workgroups of Audit Directors and managers from throughout the system. We continually reassess the composition and functioning of these groups and will again realign them with specific initiatives.
Consistent with the recommendations of the External Review Team and our own recognized needs to better serve the University, our major strategies for the current year include:

Knowledge Sharing & Teamwork— We will expand our data warehouse that compiles audit reports for sharing purposes to encompass more common audit programs, techniques and results, especially in audits of core business activities. We will also begin the development of a database of auditors in the system to include their areas of specialized skills to better identify internal expertise that might be shared. We will expand upon current year efforts to promote more sharing and exchange between internal auditors addressing common issues by line of business, such as health care compliance auditing. And we will explore the establishment of web sites and other mechanisms for readily sharing information.

Risk Assessment— The risk assessment process we employ is annually updated and will always be evolving, as evidenced by the current year’s addition of a mechanism to more adequately address IT risks and drive audit coverage towards core business activities. In addition, the Internal Audit Program will continue to explore opportunities for partnering with the controllers or others in management to create a Universitywide perspective on risk and risk mitigation strategies.

Skill Development and Sourcing— The continued development of both technical and generalized skills is a principal thrust of our current initiatives. In 2000-01, special IT training was provided to all auditors and general skills assessment was performed. In 2001-02, we will begin offering training designed to accommodate the changing skills needed by our auditors to provide more effective advisory services through training programs such as creative problem solving and strategic thinking.
In addition, we will build on our 2000-01 efforts to share knowledge in the health care area by conducting joint training in health care regulatory compliance matters. Through these efforts, we recognize the benefit of developing common skill sets and are exploring the possibilities for shared training in areas such as use of electronic audit support tools, University financial management practices and research compliance. However, increasing our awareness that these are areas requiring more expertise than we can possess, and retaining outside expertise for certain risks is also a part of this strategy. This is especially critical at certain of our smaller locations and for certain risks, such as IT.

In addition to these broad goals, other supporting initiatives will be at work, including development of advisory services standards to provide professional guidance on the delivery of these services, conducting a revised Quality Assurance Review Program at four locations, and expanding our customer satisfaction feedback mechanisms.

C. Summary

We believe the Strategic Plan, its goals and the mechanisms established for accomplishing the goals, will provide for the continued strengthening of the Internal Audit Program in a manner supportive of the needs of the University and consistent with the positive changes occurring in the internal audit profession. We will continue to report progress against the Strategic Plan in the quarterly report to The Regents’ Committee on Audit.

Appendix A
Synopsis of High Level Issues and Risk Summary

The following synopsizes a document prepared for Audit Directors to consider as they began the risk assessment process. Not all of these issues represent apparent auditable risks, but they may lend themselves to an advisory service or, at a minimum, represent issues facing the University to which all auditors should be alert.
Systemwide Issues

Outreach Programs/Student Admissions— There are many new programs, rapid growth and high visibility in the Outreach Programs. While the Office of the President has the principal accountability requirements, many programs are run through individual campuses and expenditures have increased dramatically. In addition to assuring fiscal responsibility, there are performance measures in some areas that are potentially auditable.

Recruitment/Retention of Faculty and Staff— Growth and economic factors, especially in certain labor markets, cause staffing level issues to be present in some operations as well as pressure on managers to recruit and retain existing staff. All of these factors can increase audit risk. At the same time, the University’s labor relations efforts are difficult and complex, but critical to the maintenance of the workforce.

Administrative Infrastructure— The New Business Architecture program led by the Vice Chancellors for Business Affairs represents the administration’s effort to both accommodate the projected growth of the University and modernize certain business processes. The New Business Architecture is premised on an integrated approach to systems, people, policies and procedures while reassessing the level of appropriate controls and accountability measures. Opportunities for auditors to contribute to these efforts may be present.

Major Construction Programs— The construction program now has over $4.5 billion in the pipeline, much of it fueled by projected growth and the need for future student housing. This tremendous push will likely put pressure on the construction administration program and test people and systems, increasing audit risk.

Technology Transfer/Commercialization— Technology transfer activity continues to grow and new relationships with the private sector to fund research are changing the landscape of public/private partnerships.
Auditable issues include conflicts of interest, business structure, reporting and accountability issues, and ownership of intellectual property.

Contract, Grant and Gift Oversight— Compliance with the terms of contracts and grants is a constant audit concern. In addition, we are frequently faced with issues of proper accounting for a transaction as a contract or gift, depending on the terms and conditions of the underlying documentation. At stake are matters such as proper overhead recovery and ownership of intellectual property.

Information Technology Infrastructure— The University faces challenges to support the infrastructure needed to bring Internet technology to the classroom as well as the business processes of the University. Funding is an issue as are technology issues, such as access and security.

Regulatory Environment— Current issues in this area include:
• HIPAA— The Health Insurance Portability and Accountability Act places a tremendous responsibility on our health sciences campuses to protect the confidentiality of patient protected health information. There are potentially significant impacts as well in the research arena. Task Forces have been formed at the campus and systemwide level, and auditors need to be aware of and prepared at the right time to assess the preparedness efforts.
• Research compliance— In the fall of 2000, a high level review of research compliance efforts was initiated which will result in recommendations for the President’s consideration in the summer of 2001. Auditors will likely have opportunities to assist each location assess its compliance programs and advise on new efforts as they are formulated.
• Environmental Health & Safety— While not as visible as certain other regulatory compliance areas, the University is subject to a tremendous number of EH&S requirements. Auditors should consider auditing these risks by assessing their locations’ programs against internally created standards.
• Regulatory Reporting— The issues raised with respect to Clery Act reporting by our campus police departments were a reminder that the University has numerous reporting obligations to a wide variety of regulatory stakeholders. For many of these areas, there is little visibility to the reporting and auditors have no special technical expertise to provide. However, auditors do have expertise in assessing the mechanisms by which data is accumulated and reported to insure its accuracy and integrity.

Utility Planning and Conservation— While mainly an operating and budgetary concern, auditors should be aware of risks of business interruption and loss of critical data in the event of power interruptions. In addition, auditors need to be aware of the impacts on budgets as well as facilities administration and design and construction programs.

Campus Specific Issues

Summer Academic Program— UC Berkeley, UCLA and UC Santa Barbara are preparing to be the first campuses to offer a regular course of instruction in the summer. A number of risks are associated with this new delivery option, such as faculty and staffing availability, funding from the legislature, and interruption of normal summer activities including campus renewal and revenue enhancing programs.

Health Science Specific Issues

Competitive Health Care Market/Hospital Profitability/School of Medicine Funding— The health care market continues its adjustment to a variety of competitive forces while scientific breakthroughs make patients ever more demanding of sophisticated services. For academic medical centers, the impacts of the Balanced Budget Act have still not been completely reversed, and various funding mechanisms are always in question or at risk.
In addition, The Regents took a keen interest in a January 2001 discussion that grew out of the PricewaterhouseCoopers management letter about the sustainability of the funding model for the Schools of Medicine given the impact of these other matters on the hospitals’ profitability. Management is addressing these issues in a variety of ways. Auditors should be aware of these efforts and prepared to review auditable actions.

Compliance Programs— The PATH Audit process is complete and the settlement agreement did not require the University to enter into a corporate integrity agreement. Nevertheless, the University is committed to a robust compliance program at each health sciences campus and Internal Audit is committed to assessing the adequacy of the programs and their execution.

Laboratory Specific Issues

Integrated Laboratory Safeguards and Security Program— The two UC/DOE national labs have established a comprehensive safeguard and security program to support the laboratories’ mission and create and maintain a secure environment that protects personnel, information, property and nuclear materials. Internal Audit’s role in assessing or validating these program efforts should be addressed at each lab.