UNIVERSITY OF HOUSTON SYSTEM
INTERNAL AUDITING DEPARTMENT
LONG-RANGE INTERNAL AUDIT PLAN and RISK ANALYSIS
Fiscal Years 2016-2018

Included in Section 5 of the Audit Plan is a listing of brief audit objectives for each auditable area. These objectives relate to overall internal controls, efficiency of operations and compliance with laws and regulations, and Board of Regents and/or management policies and procedures.

Recommendation: The Audit Plan should be flexible and periodically adjusted to adapt to changes in the audit environment. These changes include new or revised laws or regulations and changes in existing operations or activity levels. The Audit and Compliance Committee should approve these periodic changes to the Audit Plan. I recommend that the Board of Regents approve the attached Audit Plan, including the Internal Audit Resources, and delegate approval for periodic changes to the Audit Plan to the Audit and Compliance Committee.

DFG:rh
Attachment

Table of Contents

Description | Section
Executive Summary | 1
Summary of Man-Hours / Man-Hour Assumptions | 2
Audit Team | 3
Auditable Areas | 4
Audit Objectives | 5
Three-Year Audit Schedule | 6
Frequency of Audit Activity | 7
Risk Analysis | 8

Section 1: Executive Summary

University of Houston System Annual Long-Range Internal Audit Plan, FY 2016-2018

Background: The Texas Government Code, Board of Regents Audit and Compliance Committee Charter, and Board of Regents Audit Policy require the Internal Auditing Department to prepare a risk based audit plan and present it to the Board of Regents for approval. The methodology we use in preparing this analysis consists of the following phases: (1) identification of auditable areas, (2) input from management, and (3) a risk analysis.
Matters that we consider in establishing audit work schedule priorities include (a) the date and results of the last audit; (b) financial exposure; (c) potential loss and risk; (d) requests by management; (e) major changes in operations, programs, systems, and controls; and (f) opportunities to achieve operating benefits. During the risk analysis, we assign numerical risk factors depending upon the following: (1) reason for the audit, (2) administrative oversight, and (3) date last audited.

Identification of Auditable Areas: Auditable areas can be categorized in each of the following categories:

1. Annual Assistance to External Auditors
• State Auditor’s Office (SAO): Projects included in the SAO’s annual audit plan and special projects upon request
• External CPA firms: Audits of Houston Public Media, Endowment Fund, Athletics, Charter School, Cancer Prevention and Research Institute of Texas grants, and SACS accreditation reviews
• Other State/Federal/External Sponsor Auditors

2. Annual Activities/Mandates
• Follow-up activity required by the Institute of Internal Auditors (IIA) Standards
• Chancellor/Board of Regents Travel and Entertainment reimbursements requested by Board of Regents/Chancellor
• Special projects and police investigations required by institutional policy and IIA Standards
• Texas Higher Education Coordinating Board: Facilities Audit (5 year cycle)
• NCAA Rules-Compliance and football attendance audits required by NCAA rules
• Construction: Construction procurement process, new construction (outsourced)
• Contracts greater than $1 million requiring Board of Regents’ approval
• Board of Regents Annual Procurement Report
• Contract Administration

3. Departmental Reviews: These compliance reviews test 12 different areas of compliance for system and campus policies. These reviews are conducted every 5 years for all departments within the system. Many of the policies tested are directly related to internal controls.
See Attachment A for a listing of all departmental reviews by college/division together with pertinent data on each college/division.

4. Functional Reviews: These engagements are operational reviews for efficiency/effectiveness and are conducted for all divisions and service organizations within the system.

5. Information Technology Reviews: The security reviews are required by Texas Administrative Code, and various other information technology areas are addressed based on risk.

Resource Allocation: The Internal Audit Resources allocated to each of these areas for fiscal years FY 2016-2018 are as follows:

Area | FY 2016 | FY 2017 | FY 2018
Assistance to External Auditors | 300 | 300 | 300
Mandates | 5,900 | 4,900 | 5,500
Departmental Reviews | 3,828 | 3,278 | 3,989
Functional Reviews | 3,659 | 5,112 | 4,301
IT Reviews | 1,400 | 1,800 | 1,300
Total Hours | 15,087 | 15,390 | 15,390

Departmental Resources: The Texas Internal Auditing Act requires the Board of Regents to approve the Audit Plan and periodically review the resources dedicated to the Internal Audit program and determine if adequate resources exist to ensure that risks identified in the annual risk assessment are adequately covered within a reasonable time frame. The Internal Audit Team is comprised of a Chief Audit Executive, Director, Manager (new position), five Senior Auditors (one vacant position), Information Technology Auditor, three Staff Auditors, and an Executive Administrative Assistant. The estimated FY 2016 salary budget is $1,198,960 and the M&O budget is $52,539. In our opinion, the resources dedicated to the Internal Auditing program are adequate.

Input from Management: A series of meetings are scheduled with key management personnel throughout the system and with the Chair of the Audit and Compliance Committee to identify sensitive or high exposure areas and to identify high risk functions, information technology, and compliance areas that are hot topics in the higher education industry that should be scheduled for review.
Comments are also requested on the Internal Audit Plan and Risk Analysis from all Audit and Compliance Committee members at the August Audit and Compliance Committee meeting. See Attachment B for a schedule of these meetings.

Risk Analysis: The risk analysis is used to develop an audit plan for performing audit projects in risk areas over a specified time to minimize the risk of losses to the University; to prioritize audit projects by the level of risk; to use our audit staff and time in an effective and efficient manner; and to determine the nature, timing, and extent of audit steps and procedures in direct relation to the amount and nature of the risk.

After performing the preliminary risk assessment, the following areas received the highest risk rank (25-20). Some of these areas are scheduled for review during FY 2016-2018, while some are not scheduled because of audit coverage in departmental reviews that addresses certain aspects of the area.

Scheduled:
• Budgeting (FY 2018)
• General Accounting (FY 2016)
• Human Resources (FY 2017)
• Payroll (FY 2017)
• Purchasing (FY 2018)
• Student Housing (FY 2016)

Unscheduled:
• Accounts Payable
• Property Management

Conclusion: The Long Range Internal Audit Plan and Risk Analysis help provide the Audit and Compliance Committee with assurance that it is providing the necessary oversight over the quality and integrity of the accounting, financial reporting practices, system of internal controls, institutional management practices, and the direction of the internal auditing function.
ATTACHMENT A
AUDIT COVERAGE MATRIX
DEPARTMENTAL REVIEWS

University | College/Division Name | FY 2015 Budget Operations Expenditures | FY 2015 Budget Restricted Expenditures | FTEs
UH | Academic Affairs/Provost | 40,780,178 | 1,992,248 | 203
UH | Administration & Finance | 92,721,617 | 21,786,125 | 1,365
UH | Architecture | 5,234,496 | 615,871 | 66
UH | Athletics | 32,399,062 | 4,018,776 | 152
UH | Business | 43,382,496 | 7,974,508 | 342
UH | Chancellor/President | 2,605,065 | 91,997 | 21
UH | Education | 13,350,217 | 4,312,024 | 253
UH | Engineering | 32,540,617 | 23,963,468 | 450
UH | Graduate College of Social Work | 4,110,921 | 2,828,643 | 76
UH | Honors | 2,991,989 | 923,409 | 45
UH | Hotel & Restaurant Management | 12,542,007 | 2,975,808 | 100
UH | Law Center | 25,032,113 | 537,941 | 297
UH | Liberal Arts & Social Sciences | 64,370,780 | 18,148,480 | 1,096
UH | Library | 18,119,020 | 297,704 | 115
UH | Natural Sciences & Mathematics | 52,769,481 | 32,231,406 | 577
UH | Optometry | 21,649,497 | 5,413,931 | 196
UH | Pharmacy | 14,827,644 | 4,099,687 | 120
UH | Research | 43,191,465 | 5,938,084 | 295
UH | Student Affairs & Enrollment Services | 115,641,523 | 85,484,937 | 732
UH | Technology | 13,572,819 | 1,790,004 | 152
UH | University Advancement | 11,331,990 | 365,492 | 92
UH | University Marketing, Comm, & Media | 4,033,677 | 0 | 38
UH | Total | 667,198,674 | 225,790,543 | 6,783
UHCL | Administration & Finance | 14,125,963 | 5,000 | 186
UHCL | Business | 10,504,145 | 16,629 | 137
UHCL | Education | 6,679,375 | 1,116,073 | 113
UHCL | Human Sciences & Humanities | 9,339,962 | 864,767 | 169
UHCL | President's Office | 2,211,070 | 13,227 | 22
UHCL | Provost's Office | 31,777,721 | 12,315,865 | 389
UHCL | Science and Computer Engineering | 8,199,326 | 1,176,160 | 148
UHCL | Total | 82,837,562 | 15,507,721 | 1,162
UHD | Academic & Student Affairs | 29,245,444 | 35,185,626 | 297
UHD | Administration & Finance | 27,055,656 | 2,051 | 254
UHD | Advancement & External Relations | 2,398,653 | 12,217 | 15
UHD | Business | 12,758,606 | 486,077 | 165
UHD | Employment Svc & Operations | 2,978,416 | 0 | 16
UHD | Humanities & Social Sciences | 12,703,039 | 305,722 | 250
UHD | President's Office | 1,213,716 | 5,940 | 9
UHD | Public Service | 6,466,301 | 807,454 | 103
UHD | Sciences & Technology | 9,196,464 | 1,724,854 | 162
UHD | University College | 1,638,489 | 1,592,571 | 36
UHD | Total | 105,654,784 | 40,122,512 | 1,307
UHV | Administration & Finance | 6,100,775 | 0 | 83
UHV | Arts & Sciences | 4,947,827 | 15,705 | 78
UHV | Business Administration | 7,064,261 | 293,643 | 83
UHV | Education | 3,404,626 | 0 | 42
UHV | President's Office | 3,881,636 | 62,521 | 33
UHV | Provost | 3,878,676 | 32,786 | 66
UHV | Enrollment Mgmt. & Student Affairs | 5,941,996 | 6,635,165 | 85
UHV | Total | 35,219,797 | 7,039,820 | 470

Review schedule columns: FY 2016, FY 2017, FY 2018, FY 2019, FY 2020 (X marks)

ATTACHMENT B
SCHEDULED MEETINGS WITH MANAGEMENT

BOR Audit and Compliance Committee: Roger Welder
UHS/UH Chancellor/President: Renu Khator
UHS/UH Administration & Finance: Jim McShan, Raymond Bartlett, Emily Messa
General Counsel: Dona Cornell
UH Provost/Academic Affairs: Paula Short, Sabrina Hassumani
UH Research: Ramanan Krishnamoorti, Cris Milligan, Pam Muscarello, Mary Ann Ottinger, Kirstin Rochford, Beverly Rymer
UH Student Affairs: Richard Walker, Mara Affre, Devi Bala, Keith Kolwalka, Dan Maxwell, William Munson, Floyd Robinson, Don Yackley
UHCL Senior Management: William Staples, Carl Stockton, Michelle Dotter, Usha Mathew
UHD Senior Management: William Flores, David Bradley, Ed Hugetz, Ivonne Montalbano, Johanna Wolfe, Elaine Pearson
UHV Senior Management: Raymond V. Morgan, Jeffrey Cass, Wayne Beran, Jay Lambert, Val Walden
UH Administration & Finance: Raymond Bartlett, Devi Bala, Barbara Duarte, David Ellis, Mike Glisson, Karin Livingston, Joan Nelson, Esmeralda Valdez
UH Information Technology: Dennis Fouty

Section 2: Summary of Man-Hours / Man-Hour Assumptions

University of Houston System Internal Auditing Department
Long-Range Internal Audit Plan
Summary of Man-Hours

Activity | Fiscal Year 2016 | Fiscal Year 2017 | Fiscal Year 2018
Scheduled Audits | 6,359 | 6,812 | 6,601
IT Reviews/Monitoring | 1,400 | 1,800 | 1,300
Special Projects | 3,000 | 3,000 | 3,000
Departmental Reviews | 3,828 | 3,278 | 3,989
Follow-up Reviews | 500 | 500 | 500
Total Direct Audit Hours | 15,087 | 15,390 | 15,390

Man-Hour Assumptions

Available Man-Hours | Chief Audit Executive | Director | Manager | Senior Auditor | Information Technology Auditor | Staff
Vacations | 120 | 120 | 96 | 96 | 120 | 96
Holidays (14 days) | 112 | 112 | 112 | 112 | 112 | 112
Sick Leave | 40 | 40 | 40 | 60 | 96 | 40
Professional Training | 60 | 60 | 60 | 60 | 60 | 60
In-house Training | 40 | 40 | 40 | 20 | 20 | 20
Professional Organizations | 40 | 40 | 20 | 16 | 16 | 16
Indirect Audit Hours: Administrative | 1,084 | 784 | 500 | 184 | 80 | 40
Direct Audit Hours | 584 | 884 | 1,212 | 1,532 | 1,576 | 1,696
Total Hours Available | 2,080 | 2,080 | 2,080 | 2,080 | 2,080 | 2,080
Direct Audit Hours By Position | 584 | 884 | 1,212 | 1,532 | 1,576 | 1,696
Staff Size By Position | 1 | 1 | 1 | 5 | 1 | 3
Employee Turnover/Attrition | | | 0.25 | 0.5 | | 0.5
Available Staff Size | 1.0 | 1.0 | 0.75 | 4.5 | 1.0 | 2.5
Subtotal (Allocable Direct Audit Hours) | 584 | 884 | 909 | 6,894 | 1,576 | 4,240
Total Direct Audit Hours | 15,087

Departmental Resources

The Texas Internal Auditing Act requires the Board of Regents to approve the Audit Plan and periodically review the resources dedicated to the Internal Audit program and determine if adequate resources exist to ensure that risks identified in the annual risk assessment are adequately covered within a reasonable time frame. In our opinion, the resources dedicated to the Internal Auditing program are adequate.

FY 2015 Departmental Resources:
• Personnel: Chief Audit Executive, Director, five Audit Seniors (one vacant position), Information Technology Auditor, three Staff Auditors, and an Executive Administrative Assistant
• Salary Budget: $1,021,936
• M&O Budget: $52,539

Estimated FY 2016 Departmental Resources:
• Personnel: Chief Audit Executive, Director, Manager (new position), five Audit Seniors (one vacant position), Information Technology Auditor, three Staff Auditors, and an Executive Administrative Assistant
• Salary Budget: $1,198,960
• M&O Budget: $52,539

Organization Chart: The departmental organization chart is attached.

UNIVERSITY OF HOUSTON SYSTEM INTERNAL AUDITING ORGANIZATION CHART (7/28/15)

Don Guyton, CHIEF AUDIT EXECUTIVE
Sandra Dahlke, EXEC. ADMIN. ASSISTANT
Russ Hoskens, DIRECTOR
MANAGER (New Position)
VACANT, SENIOR AUDITOR
Tony Moreno, SENIOR AUDITOR
Brandee O’Neal, SENIOR AUDITOR
Lisa Berry, SENIOR AUDITOR
Scott Brown, SENIOR AUDITOR
Isimeme Emafor, SENIOR AUDITOR
Ray Hale, INFORMATION TECHNOLOGY AUDITOR
Eric Porter, STAFF AUDITOR II
Dia Martinez, STAFF AUDITOR II

Section 3: Audit Team

University of Houston System Internal Auditing Department
Internal Audit Team

Don F. Guyton, C.P.A., Chief Audit Executive, began working in the UHS Internal Auditing Department in his current position on October 1, 1987. Other experience includes: five years of Big Four public accounting experience, three years of controller experience in industry, and three years of experience as a commissioned officer in the U.S. Army. He received a M.B.A. degree from the University of New Orleans where he was a member of Beta Gamma Sigma. He is a member of the American Institute of Certified Public Accountants (AICPA), Texas Society of Certified Public Accountants (TSCPA), and the Institute of Internal Auditors (IIA).
He is a past president of the Texas Association of College and University Auditors.

Russell G. Hoskens, C.P.A., C.I.A., C.F.E., C.I.S.A., Director, began working in the UHS Internal Auditing Department in his current position on June 30, 1997. Other experience includes: eleven years of internal audit experience, including two years as an audit manager at the University of Texas Medical Branch at Galveston. He received a M.B.A. degree (concentration in Internal Auditing) from Louisiana State University. He is a member of the AICPA, the IIA, the Association of Certified Fraud Examiners (ACFE), and the Information Systems Audit and Control Association (ISACA). He is also a past president of the Texas Association of College and University Auditors.

Tony Moreno, C.F.E., C.I.C.A., Senior Auditor, began working in the UHS Internal Auditing Department on October 10, 2005. Other experience includes nine years of internal audit experience and ten years of banking experience. He received B.S. degrees in Economics and Anthropology from the University of Houston. He is a member of the IIA and the ACFE.

Brandee O’Neal, C.I.A., Senior Auditor, began working in the UHS Internal Auditing Department on July 11, 2011. Other experience includes ten years of internal audit and accounting experience at the Texas Department of Criminal Justice. She received a M.B.A. degree from Sam Houston State University. She is a member of the IIA.

Lisa Berry, C.I.A., C.F.E., Senior Auditor, began working in the UHS Internal Auditing Department on September 8, 2008. Other experience includes two years of internal audit experience in industry. She received a M.S. degree in Accounting from the University of Houston. She is a member of the IIA and the ACFE. She is past president of the Internal Audit Student Association at the UH Bauer College of Business. She is also a lecturer at the UH Bauer College of Business.
Scott Brown, C.P.A., Senior Auditor, began working in the UHS Internal Auditing Department on February 24, 2014. Other experience includes seven years of internal audit experience in industry, five years as a financial examiner, and six years of accounting experience. He received a B.S. degree in Finance and a M.S. degree in Accounting from the University of Houston-Clear Lake. He is a member of the IIA.

Isimeme Emafor, C.P.A., Senior Auditor, began working in the UHS Internal Auditing Department on October 7, 2013. Other experience includes three years as a financial examiner and three years of banking experience. She received a B.S. degree in Biology from the University of Houston and a M.B.A. degree from DePaul University. She is a member of the IIA.

Ray Hale, C.I.S.A., Information Technology Auditor, began working in the UHS Internal Auditing Department on November 15, 2010. Other experience includes eighteen years of internal audit experience, including ten years of information technology experience. He received a M.B.A. degree from Webster University. He is a member of the IIA and ISACA.

Dia Martinez, Staff Auditor II, began working in the UHS Internal Auditing Department on February 18, 2013. Other experience includes two years of Medicare auditing. She received a B.B.A. degree in Accounting from the University of Texas at San Antonio. She is a member of the IIA.

Eric Porter, Staff Auditor II, began working in the UHS Internal Auditing Department on February 17, 2014. Other experience includes two years of internal auditing experience at the Texas Department of Criminal Justice and twenty years of experience in the transportation, real estate, and energy industries. He received a B.B.A. degree in Finance, M.B.A. degree, and a M.S. degree in Accounting from the University of Houston. He is a member of the IIA.
Sandra Dahlke, Executive Administrative Assistant, became a Certified Administrative Professional in 1978. She began working in the Internal Auditing Department on July 9, 2012, after working for the University of Houston Law Center for almost seven years as a Secretary. Other experience includes 28 years of secretarial experience.

Vacant Positions – A new Manager position and one Senior Auditor position

Professional Certifications:
C.P.A. – Certified Public Accountant
C.I.A. – Certified Internal Auditor
C.I.S.A. – Certified Information Systems Auditor
C.F.E. – Certified Fraud Examiner
C.I.C.A. – Certified Internal Control Auditor

Section 4: Auditable Areas / Audit Activities

UNIVERSITY OF HOUSTON SYSTEM INTERNAL AUDITING DEPARTMENT
INTERNAL AUDIT PLAN, FY 2016-2018
AUDITABLE AREAS
ANNUAL ASSISTANCE/MANDATES & SYSTEM-WIDE AUDITS

ANNUAL ASSISTANCE / MANDATES

Annual External Audits - Liaison
  Athletics – NCAA
  Cancer Prevention and Research Institute of Texas Grants
  Charter School
  Endowments
  Houston Public Media
  Regional Accreditation Reviews (SACS)
Athletics
  Football Attendance Audit
  NCAA Rules-Compliance
Contract Administration
Follow-up Audit Procedures
Special Projects
  Annual Audit Plan/Risk Analysis
  Annual Internal Audit Activity Report
  Annual Procurement Report
  Construction: Construction Procurement Process and New Construction (Outsourced)
  Contracts greater than $1 million requiring Board of Regents’ Approval
  Internal Audit Quality Assurance
  Management Requests
  Police Investigations
State Auditor’s Office - Liaison
  State-wide and Other Audits
Texas Higher Education Coordinating Board Facilities Audits
Travel Expenditures
  Board of Regents’ Travel
  Chancellor/President’s Travel

SYSTEM-WIDE AUDITABLE AREAS

Academic Fees
Accounts Payable
Athletics
Auxiliary Contract Administration
  - Bookstore
  - Food Service
  - Licensing/Trademark
  - Pouring Rights
Budgeting
College / Division Departmental Reviews
Continuing Education
Endowments
Facilities Management
Facilities Planning & Construction
Financial Reporting
Formula Funding
General Accounting
Human Resources
Information Technology
Institutional Compliance Programs
Investment Management
Library
Parking
Payroll
Police Departments
Property Management (Fixed Assets)
Student Accounting & Receivables
Support Organizations
Travel and Entertainment Expenditures
University Advancement
College Operations
  Hilton Hotel
  Optometry Clinic
  Small Business Development Center
  NSM Research Stores
Enrollment Services
  Admissions
  Financial Aid
  Registrar
  Enrollment Mgmt & Production System
Procurement
  Procurement Cards/Travel Cards
  Purchasing
  Contract Administration
Research
  Business Operations
  Contracts & Grants Administration
  Intellectual Property Management
  Research Centers and Institutes
    - Advanced Superconductor Manufacturing Institute
    - Center for Advanced Computing & Data Systems
    - Center for Advanced Materials
    - Texas Center for Superconductivity
    - Texas Inst. For Measurement, Evaluation, and Statistics
    - Texas Obesity Research Center
  Research Information Center
  Research Oversight Committees
  Time and Effort Reporting
Student Housing
Student Services
  Campus Recreation
  Childcare
  Health Center
  Student Center
  Veterans Services

Section 5: Audit Objectives

UNIVERSITY OF HOUSTON SYSTEM INTERNAL AUDITING DEPARTMENT
INTERNAL AUDIT PLAN, FY 2016-2018
AUDIT OBJECTIVES

ANNUAL ASSISTANCE / MANDATES:

Annual External Audits (Athletics – NCAA, Endowments, Houston Public Media, Charter School, Cancer Prevention and Research Institute of Texas Grants, and Regional Accreditation Reviews (SACS))
To provide assistance, as requested, to external auditors to expedite the audit and reduce audit costs to the university.

Annual Procurement Report
To review the Annual Procurement Report to help ensure that the report preparation methodology appears to be reasonable and the report satisfies the Board of Regents annual reporting requirement for procurement activity.

Athletics – Football Attendance Audit
To verify attendance at football games to comply with NCAA legislation.

Athletics – NCAA Rules-Compliance
To determine the adequacy of the Athletic Department’s NCAA Rules-Compliance Program.

Board of Regents’ Travel
To determine whether expenditures for travel and entertainment for the members of the Board of Regents were appropriately documented and allowable under university/Board of Regents policies.

Chancellor/President’s Travel
To determine whether expenditures for travel and entertainment for the Chancellor/President were appropriately documented and allowable under university/Board of Regents policies.

Construction Procurement Process
To determine whether UHS is complying with its policies and procedures and the Texas Education Code in selecting its contractors for its major construction projects.

Contract Administration
To determine whether UHS is complying with state rules and regulations regarding the administration of contracts.

Contracts Greater Than $1 million Requiring Board of Regents’ Approval
To determine whether UHS is complying with its policies and procedures and other statutes and regulations in awarding revenue or expenditure contracts greater than $1 million.

Follow-up Reviews
To determine whether appropriate action is taken on reported audit findings.

Special Projects

Annual Audit Plan/Risk Analysis
Annual analysis to determine the university's areas of risk and scheduling audits of these areas with the resources available to the Internal Auditing Department.

Annual Internal Audit Activity Report
Annual activity report provides a summary of internal audit activities performed during the fiscal year, including explanations for significant deviation from the approved audit plan.

Internal Audit Quality Assurance
Procedures performed to ensure that the Internal Auditing Department complies with The International Standards for the Professional Practice of Internal Auditing as promulgated by the Institute of Internal Auditors.

Management Requests
Projects requested by management that arise due to events within the university. Provide auditing expertise in review of systems and procedures and provide recommendations for improvements to internal controls.

Police Investigations
Projects assigned by the UH-System Chancellor or Board of Regents or that arise due to unexpected events within the university. Provide auditing expertise in review of systems and procedures and provide recommendations for improvements to internal controls related to police investigations such as theft or other fraud.

State Auditor's Office Liaison – State-wide and Other Audits
Provide assistance to the State Auditor’s Office to expedite the audit.

Texas Higher Education Coordinating Board Facilities Audits
To determine accurate reporting of space and space needs, including confirming the following: 1) data reported in the institution’s Facilities Inventory, 2) construction projects have received the necessary approvals, and 3) cost, funding, and space for all completed projects.

SYSTEM-WIDE AUDITABLE AREAS:

Academic Fees
To determine whether procedures help ensure academic fees are properly recorded and expended appropriately and are in compliance with state laws and regulations.

Accounts Payable
To determine whether the accounts payable system has adequate internal controls to provide assurance that only bona fide university expenditures are paid and that there is adequate documentation and proper approvals. To ascertain that procedures ensure accurate recording and reporting of liabilities.

Athletics
To determine that there are adequate internal controls to help ensure that departmental resources are being effectively and efficiently utilized and the department’s activities comply with statutes, regulations, and university policies.

Auxiliary Contract Administration
To determine whether all executed contracts are in accordance with university policies and that monitoring procedures are in place to help ensure compliance with contract obligations.

Budgeting
To determine whether budget activities were being performed under an adequate system of internal controls to assure the reliability and integrity of the university’s budgetary data.

College Operations
To determine whether there are adequate internal controls to help ensure that departmental resources are being effectively and efficiently utilized and the department’s activities comply with statutes, regulations, and university policies.

Continuing Education
To determine whether there are adequate internal controls to help ensure that departmental resources are being effectively and efficiently utilized and the department’s activities comply with statutes, regulations, and university policies.

Departmental Reviews
To determine whether departments are conducting financial and administrative activities in compliance with university policies.

Enrollment Services
To determine whether the admissions and registration process is effective and efficient and meets the students’ and institution’s needs.

Endowments
To determine whether endowment income was expended in accordance with the terms of the endowment agreement.

Facilities Management
To determine whether there are adequate internal controls to help ensure that departmental and university resources are being effectively and efficiently utilized and activities comply with statutes, regulations, and university policies.

Facilities Planning & Construction
To determine whether there are adequate internal controls to help ensure that departmental and university resources for major and minor construction projects are being effectively and efficiently utilized and activities comply with statutes, regulations, and university policies.

Financial Aid
To determine whether the university is in compliance with federal and state regulations and university policy.

Financial Reporting
To determine whether activities are performed under an adequate system of internal controls to help ensure the reliability and integrity of the information contained in the university’s financial reports and that reports are prepared in accordance with statutes, regulations, and university policies.

Formula Funding
To determine whether procedures are in place to help ensure that the data provided to the Coordinating Board is accurate, complete and in the format prescribed.

General Accounting
To determine whether activities are performed under an adequate system of internal controls to help ensure that transactions are recorded in the general ledger in accordance with university policies.

Human Resources
To determine whether there are adequate internal controls to help ensure that departmental resources are being effectively and efficiently utilized and the department’s activities comply with statutes, regulations, and university policies.

Information Technology
To determine whether there are adequate internal controls to help ensure that departmental resources are being effectively and efficiently utilized and the department’s activities comply with statutes, regulations, and university policies.

Institutional Compliance Programs (May be Conducted by External Peer Review Team)
To determine whether programs are designed and functioning effectively.

Investment Management
To determine whether there are adequate internal controls over the investment of non-endowed funds to help ensure compliance with statutes, regulations, and university policies.

Library
To determine whether there are adequate internal controls to help ensure that departmental resources are being effectively and efficiently utilized and the department’s activities comply with statutes, regulations, and university policies.

Parking
To determine whether there are adequate internal controls to help ensure that departmental resources are being effectively and efficiently utilized and the department’s activities comply with statutes, regulations, and university policies.

Payroll
To determine whether only bona fide university employees are being paid their approved wages and that payroll procedures comply with Board and university policies and state and federal law.

Police Department
To determine whether there are adequate internal controls to help ensure that departmental resources are being effectively and efficiently utilized and the department’s activities comply with statutes, regulations, and university policies.

Procurement/Travel Cards
To determine whether procurement/travel cards are being used for University purchases and that reconciliations are being performed in a timely manner.

Property Management (Fixed Assets)
Review the Property Management System and make recommendations to improve the methods of recording, safeguarding, and accounting for fixed assets (including the Wortham House and other facilities owned/leased by the university).

Purchasing
To ascertain whether the purchasing system has adequate internal controls and procedures which result in obtaining the desired product at the optimum price, in the requested quantity, at the right time and place.

Research
To determine whether there are management practices in place to help ensure that contracts and grants are being managed in compliance with state and federal regulations and university policies and procedures.

Student Accounting and Receivables
To determine whether resources are being effectively and efficiently deployed under an adequate system of internal controls to help ensure student accounts are being billed, collected, and written off in compliance with statutes, regulations, and university policies.

Student Housing
To determine whether there are adequate internal controls to help ensure that departmental resources are being effectively and efficiently utilized and the department’s activities comply with statutes, regulations, and university policies.

Student Services
To determine whether there are adequate internal controls to help ensure that departmental resources are being effectively and efficiently utilized and the department’s activities comply with statutes, regulations, and university policies.

Support Organizations
To determine whether the amounts recorded in the university’s books and records agree with the corresponding amounts included in the support organization’s audited financial statements and IRS Form 990 and to determine whether the foundations are complying with their agreements with the Board of Regents.
Travel and Entertainment Expenditures
To determine whether travel and entertainment expenditures comply with Board and university policies and state regulations.

University Advancement
To determine whether there are adequate internal controls to help ensure that departmental resources are being effectively and efficiently utilized and the department’s activities comply with statutes, regulations, and university policies.

Three-Year Audit Schedule, FY 2016 - 2018
Section 6

SCHEDULED AUDITS - FY 2016
AUDIT ACTIVITY: BUDGET HOURS

ANNUAL ASSISTANCE / MANDATES (5,000 hours)
• Annual External Audits - Liaison: 100
• Annual Procurement Report: 100
• Athletics - Football Attendance Audit: 100
• Athletics - NCAA Rules-Compliance: 400
• Board of Regents Travel, FY 2016: 200
• Chancellor/President's Travel, FY 2016: 200
• Construction and Other Contracts Requiring Board of Regents Approval: 200
• Follow-up Reviews: 500
• Special Projects/Police Investigations: 3,000
• State Auditor's Office Liaison
    Audit Assistance - General: 100
    Follow-up Reports: 100

SYSTEM-WIDE AUDITS (3,350)
• Benefits Proportionality: 600
• Contract Administration: 300
• Endowments - UH Liberal Arts and Social Sciences: 350
• Endowments - UH University Advancement: 400
• General Accounting: 1,200
• JAMP Grants (UH & UHCL): 200
• Student Housing (UH & UHV): 1,200

DEPARTMENTAL REVIEWS (3,600 hours)
• UH Academic Affairs/Provost: 750
• UH Education: 300
• UH Graduate College of Social Work: 250
• UH Hotel and Restaurant Management: 300
• UHCL Provost's Office: 700
• UHD Academic & Student Affairs: 700
• UHD University College: 250
• UHV President's Office: 350

INFORMATION TECHNOLOGY (1,300 hours)
• Computer Assisted Auditing Techniques: 500
• IT - Review and Monitor of IT Systems (High Priority Projects): 400
• TAC 202, Information Security Standards (UH): 400

RESEARCH CENTERS (300 hours)
• UH Center for Advanced Computing & Data Systems, Follow-up: 300

INITIATED DURING FY 2015 - TO BE COMPLETED/REPORTED IN FY 2016: 637

Total Hours Scheduled for Fiscal Year 2016: 15,087

FY 2015 AUDITS IN PROGRESS AT YEAR-END
AUDIT ACTIVITY: Projects Initiated During FY 2015, But Not Completed
• Board of Regents Travel, FY 2015
• Chancellor/President's Travel, FY 2015
• Departmental Reviews
    UH Administration & Finance
    UH Optometry
    UHCL Business
    UHCL Human Sciences & Humanities
    UHCL Science and Computer Engineering
    UHV Administration & Finance
    UHV Provost
    UHV Student Affairs & Enrollment Management
• Financial Aid, Designated Tuition Set Aside (UH)
• Formula Funding (UHD)
• TAC 202, Information Security Standards (UHCL, UHD, and UHV)
• External Assessment of Internal Auditing
Budget Hours: 637

SCHEDULED AUDITS - FY 2017
AUDIT ACTIVITY: BUDGET HOURS

ANNUAL ASSISTANCE / MANDATES (4,600 hours)
• Annual External Audits - Liaison: 100
• Annual Procurement Report: 100
• Athletics - Football Attendance Audit: 100
• Board of Regents Travel, FY 2017: 200
• Chancellor/President's Travel, FY 2017: 200
• Construction and Other Contracts Requiring Board of Regents Approval: 200
• Follow-up Reviews: 500
• Special Projects/Police Investigations: 3,000
• State Auditor's Office Liaison
    Audit Assistance - General: 100
    Follow-up Reports: 100

SYSTEM-WIDE AUDITS (4,500)
• Contract Administration - Food Service: 600
• Facilities Management: 1,200
• Financial Aid, Non-Title IV: 900
• Human Resources: 1,200
• Payroll: 1,200
• University Advancement: 500

DEPARTMENTAL REVIEWS (3,150 hours)
• UH University Advancement: 250
• UH University Marketing, Communications & Media Relations: 250
• UHCL Education: 250
• UHCL President's Office: 200
• UHD Administration & Finance: 700
• UHD Advancement & External Relations: 200
• UHD Employment Services & Operations: 200
• UHD President's Office: 200
• UHD Public Service: 300
• UHV Arts & Sciences: 200
• UHV Business Administration: 200
• UHV Education: 200
INFORMATION TECHNOLOGY (1,800 hours)
• Computer Assisted Auditing Techniques: 500
• IT - Review and Monitor of IT Systems (High Priority Projects): 400
• TAC 202, Information Technology Standards (UHCL, UHD, and UHV): 900

INITIATED DURING FY 2016 - TO BE COMPLETED/REPORTED IN FY 2017: 240

Total Hours Scheduled for Fiscal Year 2017: 15,390

SCHEDULED AUDITS - FY 2018
AUDIT ACTIVITY: BUDGET HOURS

ANNUAL ASSISTANCE / MANDATES (5,000 hours)
• Annual External Audits - Liaison: 100
• Annual Procurement Report: 100
• Athletics - Football Attendance Audit: 100
• Athletics - NCAA Rules-Compliance: 400
• Board of Regents Travel, FY 2018: 200
• Chancellor/President's Travel, FY 2018: 200
• Construction and Other Contracts Requiring Board of Regents Approval: 200
• Follow-up Reviews: 500
• Special Projects/Police Investigations: 3,000
• State Auditor's Office Liaison
    Audit Assistance - General: 100
    Follow-up Reports: 100

SYSTEM-WIDE AUDITS (3,400)
• Budgeting: 500
• Contract Administration - TBD: 600
• Financial Aid, Title IV: 1,200
• Purchasing: 1,200
• TBD: 500
• TBD: 500

DEPARTMENTAL REVIEWS (3,700 hours)
• UH Business: 700
• UH Engineering: 700
• UH Library: 200
• UH Natural Sciences & Mathematics: 700
• UH Research: 700
• UH Technology: 350
• UHD Humanities & Social Sciences: 350

INFORMATION TECHNOLOGY (1,300 hours)
• Computer Assisted Auditing Techniques: 500
• IT - Review and Monitor of IT Systems (High Priority Projects): 400
• TAC 202, Information Technology Standards (UH): 400

QUALITY ASSURANCE REVIEWS (200 hours)
• Internal Quality Assurance Review: 100
• External Quality Assurance Review: 100

INITIATED DURING FY 2017 - TO BE COMPLETED/REPORTED IN FY 2018: 690

Total Hours Scheduled for Fiscal Year 2018: 15,390

FREQUENCY OF AUDIT ACTIVITY
Section 7
Frequency Analysis
Fieldwork Scheduled, FY 2016 - 2018
Reports Issued, FY 2011 - 2015

[Tables: Frequency of Audit Activity, one table per institution, one row per auditable area. Columns: Work Performed (Audit Rpt. No./Special Project Rpt. No.) for FY 2009 through FY 2015; Work Scheduled for FY 2016, FY 2017, FY 2018, and Later. X = Work In-Progress/Scheduled. The per-row entries are not legible in this copy; the auditable areas in each table are listed below.]

UNIVERSITY OF HOUSTON
• ANNUAL ASSISTANCE / MANDATES: Annual External Audit Liaison - Athletics; Annual External Audit Liaison - Charter School; Annual External Audit Liaison - Endowments; Annual External Audit Liaison - Houston Public Media; Athletics - Football Attendance Audit; Athletics - NCAA Rules-Compliance; SAO Liaison - State-wide & Other Audits; SAO - Regional Accreditation Reviews (SACS); THECB - ARP/ATP Grants; THECB - Facilities Audits; THECB - Technology Workforce Development
• SYSTEM-WIDE AUDITS: Academic Fees; Accounts Payable; Athletics (See Mandates above and Division Audits below); Auxiliary Contract Administration; Budgeting; College/Division (See College & Division Audits below); Continuing Education; Contracts & Grants Administration (See Research below); Endowments; Enrollment Management; Facilities Management; Facilities Planning & Construction; Financial Aid; Financial Reporting; Formula Funding; General Accounting; Human Resources; Information Technology (See Information Technology below); Institutional Compliance Programs; Investment Management; Library (see College Audits below); Parking; Payroll; Police Department; Procurement Cards/Travel Cards; Property Management (Fixed Assets); Purchasing; Student Accounting & Receivables; Student Housing; Student Services (See Student Services below); Support Organizations; Travel and Entertainment Expenditures; University Advancement (Also see Division Audits below)
• COLLEGE AUDITS: Architecture; Business; Education; Engineering; Graduate College of Social Work; Honors College; Hotel & Restaurant Management; Law Center; Liberal Arts & Social Sciences; Library; Natural Sciences & Mathematics; Optometry; Pharmacy; Technology
• DIVISION AUDITS: Academic Affairs/Provost; Administration & Finance; Athletics; Chancellor/President; Research; Student Affairs & Enrollment Services; University Advancement; University Marketing, Communications, & Media Relations
• INFORMATION TECHNOLOGY: Office of the Chief Information Officer; Network Administration; Data Center; Enterprise Computing; Microsoft Services (E-mail, File Shares, Lync, etc.); Database Administration; PeopleSoft Finance; PeopleSoft Human Resources; PeopleSoft Campus Solutions; Document Imaging System; University Advancement System; Data Warehouse; Blackboard; University Services (other applications); Customer Service; Web and Communication Technologies; Classroom Support; Wired Network; Wireless Network; Information Technology Security Operations; Texas Administrative Code 202; Tier 1 Projects (High Priority); Tier 2 Projects (Medium Priority); Tier 3 Projects (Low Priority)
• RESEARCH: Business Operations; Contract and Grants Administration; Intellectual Property Management; Research Centers and Institutes (See Research Centers below); Research Information Center; Research Oversight Committees; Time and Effort Reporting
• RESEARCH CENTERS: Advanced Superconductor Manufacturing Institute; Center for Advanced Computing & Data Systems; Center for Advanced Materials; Texas Center for Superconductivity; Texas Institute for Measurement, Evaluation, and Statistics; Texas Obesity Research Center
• STUDENT SERVICES: Campus Recreation; Childcare Center; Health Center; University Center
• OTHER AUDITS: Cash Handling Reviews; IT - PeopleSoft Student Acad. & Admin., Data Conversion; Medical Billings; National Research University Fund; Privacy/Information Security; Research - JAMP; Research - CPRIT

UNIVERSITY OF HOUSTON-CLEAR LAKE
• ANNUAL ASSISTANCE / MANDATES: SAO Liaison - State-wide and Other Audits; SAO - Regional Accreditation Reviews (SACS); THECB - ARP/ATP Grants; THECB - Facilities Audits; THECB - Technology Workforce Development
• SYSTEM-WIDE AUDITS: Academic Fees; Accounts Payable; Athletics (N/A); Auxiliary Contract Administration; Budgeting; College/Division (See School & Division Audits below); Continuing Education; Contracts & Grants Administration (Sponsored Programs); Endowments; Enrollment Management; Facilities Management; Facilities Planning & Construction; Financial Aid; Financial Reporting; Formula Funding; General Accounting; Human Resources; Information Technology (UCT); Institutional Compliance Programs; Investment Management (N/A); Library; Parking; Payroll; Police Department; Procurement Cards/Travel Cards; Property Management (Fixed Assets); Purchasing; Student Accounting & Receivables; Student Housing (N/A); Student Services; Support Organizations (N/A); Travel and Entertainment Expenditures; University Advancement
• SCHOOLS: Business; Education; Human Sciences and Humanities; Science & Computer Engineering
• RESEARCH CENTER: Environment Institute of Houston
• DIVISIONS: Administration & Finance; President's Office; Provost's Office
• OTHER AUDITS: Cash Handling Reviews; Research - JAMP

UNIVERSITY OF HOUSTON-DOWNTOWN
• ANNUAL ASSISTANCE / MANDATES: SAO Liaison - State-wide & Other Audits; SAO - Regional Accreditation Reviews (SACS); THECB - ARP/ATP Grants; THECB - Facility Audits
• SYSTEM-WIDE AUDITS: Academic Fees; Accounts Payable; Athletics (N/A); Auxiliary Contract Administration; Budgeting; College/Division (See College & Division Audits below); Continuing Education; Contract and Grants Administration; Endowments; Enrollment Management; Facilities Management; Facilities Planning & Construction; Financial Aid; Financial Reporting; Formula Funding; General Accounting; Human Resources; Information Technology; Institutional Compliance Programs; Investment Management (N/A); Library; Parking; Payroll; Police Department; Procurement Cards/Travel Cards; Property Management (Fixed Assets); Purchasing; Student Accounting & Receivables; Student Housing (N/A); Student Services; Support Organizations (N/A); Travel and Entertainment Expenditures; University Advancement
• COLLEGES: Business; Humanities and Social Sciences; Public Service; Sciences and Technology; University College
• DIVISIONS: Academic & Student Affairs; Administration & Finance; Advancement & External Affairs; Employment Services & Operations; President's Office
• OTHER AUDITS: Cash Handling Reviews; Contracts and Grants - JAMP

UNIVERSITY OF HOUSTON-VICTORIA
• ANNUAL ASSISTANCE / MANDATES: SAO Liaison - State-wide and Other Audits; SAO - Regional Accreditation Reviews (SACS); THECB - Facility Audits
• SYSTEM-WIDE AUDITS: Academic Fees; Accounts Payable; Athletics; Auxiliary Contract Administration; Budgeting; College/Division (See School & Division Audits below); Continuing Education (N/A); Contract and Grants Administration; Endowments; Enrollment Management; Facilities Management; Facilities Planning & Construction; Financial Aid; Financial Reporting; Formula Funding; General Accounting; Human Resources; Information Technology (Computing Services); Institutional Compliance Programs; Investment Management (N/A); Library; Parking; Payroll; Police Department; Procurement Cards/Travel Cards; Property Management (Fixed Assets); Purchasing; Student Accounting & Receivables; Student Housing; Student Services; Support Organizations (N/A); Travel and Entertainment Expenditures; University Advancement
• SCHOOLS: Arts & Sciences; Business Administration; Education; Nursing
• DIVISIONS: Administration & Finance; President's Office; Provost; Student Affairs & Enrollment Management

UNIVERSITY OF HOUSTON-SYSTEM
• Annual Procurement Report; Board of Regents' Travel; Chancellor/President's Travel; Construction Procurement Process/Contracts > $1 Million; Contract Administration; Consumable/Resale Inventory; Follow-up Audit Procedures; Internal Auditing Quality Assurance/Peer Review; Non-Compliance Report; SAO Liaison; State Benefits Proportionality; Wortham House - Fixed Asset Inventory

AUDIT REPORTS ISSUED
REGULAR REPORTS
REPORT #: TITLE

AR2015-01: Follow-up Status Report - Actions Scheduled for Implementation from 7/1/14 to 9/30/14
AR2015-02: Construction Award Status Report
AR2015-03: Annual Non-Compliance Report, FY 2014
AR2015-04: Chancellor/President's Travel & Entertainment Expenditures, FY 2014
AR2015-05: Board of Regents' Travel & Entertainment Expenditures, FY 2014
AR2015-06: UHS State Benefits Proportionality
AR2015-07: UH Student Accounting and Receivables
AR2015-08: Follow-up Status Report - Actions Scheduled for Implementation from 10/1/14 to 12/31/14
AR2015-09: Construction Award Status Report
AR2015-10: UH College of Liberal Arts & Social Sciences, Departmental Reviews
AR2015-11: UHCL Student Accounting and Receivables
AR2015-12: UH Division of Student Affairs and Enrollment Services, Departmental Reviews
AR2015-13: Follow-up Status Report - Actions Scheduled for Implementation from 1/1/15 to 3/31/15
AR2015-14: UH College of Technology, Endowments
AR2015-15: UH Athletics, Football Attendance - 2014 Season
AR2015-16: UHV Student Accounting and Receivables
AR2015-17: UH College of Architecture, Departmental Review
AR2015-18: UHCL Formula Funding
AR2015-19: UHV Formula Funding
AR2015-20: UHD Student Accounting and Receivables
AR2015-21: Construction and Other Projects Requiring BOR Approval
AR2015-22: Follow-up Status Report - Actions Scheduled for Implementation from 4/1/15 to 6/30/15
AR2015-23: Construction and Other Projects Requiring BOR Approval
AR2015-24: THECB/UHS Facilities Development Projects Review
AR2015-25: UH Athletics, NCAA Rules-Compliance
AR2015-26: UHV Endowments
AR2015-27: UHCL Administration and Finance, Departmental Reviews
AR2015-28: UH Facilities Planning and Construction
AR2015-29: UH Honors College, Endowments
AR2015-30: UH College of Pharmacy, Endowments
AR2015-31: UHS/UH Chancellor/President, Departmental Review
AR2015-32: UH Athletics, Departmental Review
AR2015-33: Information Technology Audit Activity Report, FY 2015
AR2015-34: UHS Internal Assessment of Internal Auditing

AR2014-01: Follow-up Status Report - Actions Scheduled for Implementation from 7/1/13 to 12/30/13
AR2014-02: Construction Award Status Report
AR2014-03: Annual Non-Compliance Report, FY 2013
AR2014-04: UHV Research Administration
AR2014-05: UH Division of Research, Departmental Reviews
AR2014-06: UHD Joint Admissions Medical Program, FY 2013
AR2014-07: UH College of Technology, Departmental Reviews
AR2014-08: Chancellor/President's Travel & Entertainment Expenditures, FY 2013
AR2014-09: Board of Regents' Travel & Entertainment Expenditures, FY 2013
AR2014-10: UH College of Business, Departmental Reviews
AR2014-11: UH Honors College, Departmental Review
AR2014-12: Follow-up Status Report - Actions Scheduled for Implementation from 1/1/14 to 3/31/14
AR2014-13: Construction Award Status Report
AR2014-14: UH Athletics, Football Attendance - 2013 Season
AR2014-15: UHD College of Humanities and Social Sciences, Departmental Reviews
AR2014-16: UH College of Natural Sciences and Mathematics, Departmental Reviews
AR2014-17: UHCL Endowments
AR2014-18: Follow-up Status Report - Actions Scheduled for Implementation from 4/1/14 to 6/30/14
AR2014-19: Construction Award Status Report
AR2014-20: UH Cancer Prevention and Research Institute of Texas, Grant Awards
AR2014-21: UHD College of Sciences and Technology, Departmental Reviews
AR2014-22: UH College of Pharmacy, Departmental Review
AR2014-23: UH Law Center, Departmental Reviews
AR2014-24: UHD College of Business, Departmental Reviews
AR2014-25: UHD Endowments
AR2014-26: UH Procurement Cards
AR2014-27: Information Technology Audit Activity Report, FY 2014
AR2014-28: UH Information Security Standards

AR2013-01: Follow-up Status Report - Actions Scheduled for Implementation from 7/1/12 to 12/31/12
AR2013-02: Construction Award Status Report
AR2013-03: UH Texas Center for Superconductivity
AR2013-04: UH Center for Advanced Materials
AR2013-05: UH Law Center, Endowments
AR2013-06: UH College of Architecture, Endowments
AR2013-07: UH JAMP, FY 2011-2012
AR2013-08: Board of Regents' Travel, FY 2012
AR2013-09: Chancellor/President's Travel, FY 2012
AR2013-10: Annual Non-Compliance Report, FY 2012
AR2013-11: UH Graduate College of Social Work, Endowments
AR2013-12: UHD Student Success and Enrollment Management, Departmental Reviews
AR2013-13: UH Football Attendance, 2012 Season
AR2013-14: UHCL President's Office, Departmental Review
AR2013-15: Follow-up Status Report - Actions Scheduled for Implementation from 1/1/13 to 3/30/13
AR2013-16: Construction Award Status Report
AR2013-17: UHD Auxiliary Contract Administration
AR2013-18: UHCL Auxiliary Contract Administration
AR2013-19: UH Auxiliary Contract Administration
AR2013-20: UHV Auxiliary Contract Administration
AR2013-21: UHCL School of Education, Departmental Review
AR2013-22: UHD Division of Administration & Finance, Departmental Reviews
AR2013-23: UHD Financial Aid - Direct Loans, Work Study, SEOG
AR2013-24: UH College of Hotel and Restaurant Management, Endowments
AR2013-25: UH College of Business, Endowments
AR2013-26: UH University Advancement, Departmental Review
AR2013-27: Follow-up Status Report - Actions Scheduled for Implementation from 4/1/13 to 6/30/13
AR2013-28: Construction Award Status Report
AR2013-29: UHCL Environmental Institute of Houston
AR2013-30: UH College of Engineering, Departmental Reviews
AR2013-31: UH Athletics, NCAA Rules-Compliance
AR2013-32: UH Frequent Traveler Audit
AR2013-33: UHCL Financial Aid, Title IV
AR2013-34: UHCL Research Administration
AR2013-35: UH University Libraries, Departmental Review
AR2013-36: Information Technology Audit Activity Report, FY 2013

AR2012-01: Follow-up Status Report - Actions Scheduled for Implementation from 7/1/11 to 9/30/11
AR2012-02: Construction Awards
AR2012-03: UH College of Engineering, Endowments
AR2012-04: UH College of Hotel & Restaurant Management, Departmental Review
AR2012-05: Board of Regents' Travel, FY 2011
AR2012-06: Chancellor/President's Travel, FY 2011
AR2012-07: UH Graduate College of Social Work, Departmental Review
AR2012-08: Annual Non-Compliance Report, FY 2011
AR2012-09: Follow-up Status Report - Actions Scheduled for Implementation from 10/1/11 to 12/31/11
AR2012-10: Construction Awards
AR2012-11: UHD Information Security Standards
AR2012-12: UH Provost Office, Endowments
AR2012-13: UH Athletics, Football Attendance - 2011 Season
AR2012-14: UH Office of Academic Affairs and Provost, Departmental Reviews
AR2012-15: Follow-up Status Report - Actions Scheduled for Implementation from 1/1/12 to 3/31/12
AR2012-16: Construction Awards
AR2012-17: UH Texas Learning and Computation Center
AR2012-18: UH Non-College, Specific Endowments
AR2012-19: UH Hilton Hotel
AR2012-20: UHV Information Security Standards
AR2012-21: UHCL Information Security Standards
AR2012-22: UHV President's Office, Departmental Reviews
AR2012-23: UH System Administration, Endowments
AR2012-24: UH National Research University Fund
AR2012-25: UH Athletics, NCAA Rules-Compliance
AR2012-26: UHV School of Arts and Sciences, Departmental Review
AR2012-27: UHV School of Education and Human Development, Departmental Review
AR2012-28: UHV School of Business Administration, Departmental Review
AR2012-29: Internal Quality Assurance Review of Internal Auditing
AR2012-30: Follow-up Status Report - Actions Scheduled for Implementation from 4/1/12 to 6/30/12
AR2012-31: Construction Awards
AR2012-32: UH Texas Institute for Measurement, Evaluation, and Statistics
AR2012-33: UH Texas Center for Superconductivity, Endowments
AR2012-34: UHD Advancement & External Relations, Departmental Review
AR2012-35: UHD President's Office, Departmental Review
AR2012-36: UHS Financial Reporting
AR2012-37: UHD College of Public Service, Departmental Review
AR2012-38: Information Technology Audit Activity Report, FY 2012
AR2012-39: UHD Employment Services and Operations, Departmental Review

AR2011-01: Follow-up Status Report - Actions Scheduled for Implementation from 7/1/10 to 9/30/10
AR2011-02: UH Athletics, Departmental Review
AR2011-03: Board of Regents Travel, FY 2010
AR2011-04: Chancellor/President's Travel, FY 2010
AR2011-05: UH Division of Student Affairs, Departmental Reviews
AR2011-06: Annual Non-Compliance Report
AR2011-07: UHD JAMP, FY 2009 - FY 2010
AR2011-08: UH JAMP, FY 2009 - FY 2010
AR2011-09: Follow-up Status Report - Actions Scheduled for Implementation from 10/1/10 to 12/31/10
AR2011-10: UH Athletics, Football Attendance - 2010 Season
AR2011-11: UH College of Optometry, Departmental Review
AR2011-12: UHV Administration & Finance, Departmental Reviews
AR2011-13: UHV Office of the Provost, Departmental Reviews
AR2011-14: UHV School of Nursing, Departmental Review
AR2011-15: UHD University College, Departmental Reviews
AR2011-16: UHD Office of Academic Affairs & Provost, Departmental Reviews
AR2011-17: UHV Financial Aid, Pell Grants
AR2011-18: UHCL Financial Aid, Pell Grants
AR2011-19: UHD Financial Aid, Pell Grants
AR2011-20: UH Financial Aid, Scholarships
AR2011-21: Follow-up Status Report - Actions Scheduled for Implementation from 1/1/11 to 3/31/11
AR2011-22: UHCL Office of Academic Affairs & Provost, Departmental Reviews
AR2011-23: Executive and Foreign Travel, All Components
AR2011-24: UH Research Administration
AR2011-25: UH Athletics, Endowments
AR2011-26: UH College of Education, Endowments
AR2011-27: Follow-up Status Report - Actions Scheduled for Implementation from 4/1/11 to 6/30/11
AR2011-28: Construction Award Status Report
AR2011-29: UH Library, Endowments
AR2011-30: UHS Privacy
AR2011-31: UH College of Education, Departmental Reviews
AR2011-32: UH College of Optometry, Endowments
AR2011-33: Information Technology Audit Activity Report, FY 2011
AR2011-34: UH College of Natural Sciences & Mathematics, Endowments

AUDIT REPORTS ISSUED
SPECIAL PROJECT REPORTS
REPORT #: TITLE

SP2015-01: UH Stadium HEAF Expenditures
SP2005-02: UH Facilities and Event Management Services
SP2015-03: UH Facilities Management Costs
SP2015-04: UH Student Issues - SFAC/MOU
SP2015-05: UH Facilities - SAO Hotline Complaint No. 15-0996
SP2015-06: UHV Housing Development
SP2015-07: UH Facilities - SAO Hotline Complaint No. 15-1532
SP2015-08: UHD Financial Aid - SAO Hotline Complaint No. 15-1957
SP2015-09: UH College of Engineering - SAO Hotline Complaint No. 15-1756

SP2014-01: Review of Proposals for External Audits
SP2014-02: UH Cashier's Office Missing Deposits
SP2014-03: UH Texas Learning & Computation Center - SAO Hotline Complaint No. 14-0591
SP2014-04: UH Small Business Development Center
SP2014-05: UH Faculty Addresses
SP2014-06: UH Division of Research - SAO Hotline Complaint No. 14-0588
SP2014-07: University of Pittsburgh Peer Review
SP2014-08: UH Internet Security - SAO Hotline Complaint No. 14-3046
SP2014-09: UH Sasakawa International Center for Space Architecture
SP2014-10: UH Financial Aid - SAO Hotline Complaint No. 14-3466
SP2014-11: UH College of Natural Sciences & Mathematics - SAO Hotline Complaint No. 14-3592

SP2013-01: UHV School of Business - SAO Hotline Complaint
SP2013-02: UHV School of Business, Travel - SAO Hotline Complaint
SP2013-03: UH Grade Changes
SP2013-04: UH F&A Rate Computation - SAO Hotline Complaint
SP2013-05: SAO NRUF - Travel Vouchers
SP2013-06: UHV School of Business, Travel - SAO Hotline Complaint
SP2013-07: UH Collection Fees - SAO Hotline Complaint
SP2013-08: TLC2 Payroll Issues
SP2013-09: UH Forensic Society, Fund Raising
SP2013-10: UH Athletics Facilities / Venue Management - SAO Hotline Complaint
SP2013-11: UHD Website Vulnerability - SAO Hotline Complaint
SP2013-12: UH Credit Card Handling - SAO Hotline Complaint
SP2013-13: UHCL Travel & Hiring Practices - SAO Hotline Complaint
SP2013-14: Welch Foundation Analysis - Assurance
SP2013-15: UH NSM, Earth and Atmospheric Sciences Assertions
SP2013-16: Welch Foundation Letter - Unexpended Balances

SP2012-02: UH Pharmacy, Graduate Assertions
SP2012-03: UH VC/VP Credentials - SAO Hotline Complaint
SP2012-04: UHV Jaguar Hall - SAO Hotline Complaint
SP2012-05: UHCL Personal Information - SAO Hotline Complaint
SP2012-06: UHS Bond Issue Proceeds - SAO Hotline Complaint
SP2012-07: UH Moving Expenses - SAO Hotline Complaint
SP2012-08: UHV Teacher Certifications - SAO Hotline Complaint
SP2012-09: Student Asserts Unauthorized Financial Aid
SP2012-10: UH Researchers / Laboratories - SAO Hotline Complaint
SP2012-11: UHV School of Business - SAO Hotline Complaint
SP2012-12: UH Texas Learning & Computation Center, Travel Reimbursements
SP2012-13: Texas Tech Peer Review

SP2011-01: UHV School of Business - SAO Hotline Complaint
SP2011-02: UHD College of Sciences and Technology - MySafeCampus Report
SP2011-03: UH Student Enrollment Issue - SAO Hotline Complaint
SP2011-04: UH Cougar Village/Capital One Bank - SAO Hotline Complaint
SP2100-05: UTEP Peer Review
SP2011-06: UH Facilities, Planning & Construction - MySafeCampus Report
SP2011-07: UHV School of Business - SAO Hotline Complaint
SP2011-08: UH College of Optometry - SAO Hotline Complaint

INTERNAL AUDIT RISK ANALYSIS
Section 8
8-1 Risk Analysis Methodology
8-2 Risk Analysis
8-3 Audit Coverage Matrices
8-4 Information Technology Risk Assessment

RISK ANALYSIS METHODOLOGY
Section 8-1

Each year, the Internal Auditing Department prepares a risk analysis, as required by the International Standards for the Professional Practice of Internal Auditing, which state that the plan of engagements should be based on a risk assessment, undertaken at least annually, and that the input of senior management and the board should be considered in this process. Risk is defined as the probability that an event or action may adversely affect the organization or activity under audit.

The purpose of our risk analysis is to develop an audit plan for performing audit projects in risk areas over a specified time to minimize the risk of losses to the University; to prioritize audit projects by the level of risk; to use our audit staff and time in an effective and efficient manner; and to determine the nature, timing, and extent of audit steps and procedures in direct relation to the amount and nature of the risk.

The risk methodology we use consists of three phases: (1) identification of auditable areas; (2) input from management; and (3) a risk analysis. We also considered an auditable area's impact on the accomplishment of the University's goals and objectives during our risk analysis. Matters that we consider in establishing audit work schedule priorities include: (a) the date and results of the last audit; (b) financial exposure; (c) potential loss and risk; (d) requests by management; (e) major changes in operations, programs, systems, and controls; and (f) opportunities to achieve operating benefits.
The auditable areas audit cycle is as follows: SACS Accreditation Reviews every 10 years (see 8-3-1); and NCAA Rules-Compliance (see 8-3-2), Financial Aid (see 8-3-3 and 8-3-4), College/Division, Departmental Reviews (see 8-3-5), Endowments (8-3-6), and UH Information Technology (see 8-4) receive an annual audit for a portion of the coverage areas.

The College/Division, Departmental Reviews are scheduled at least once every 5 years. These reviews test compliance with the universities’ policies and procedures for the following 12 areas noted below.

• management oversight
• policies, procedures, required training, and reporting
• cost center management
• payroll
• human resources
• change funds and cash receipts
• procurement and travel cards
• departmental expenses
• contract administration
• property management
• scholarships
• research

8-1-1

RISK ANALYSIS: In the attached Risk Analysis, we assigned levels of risk by use of a number rating system. The first step was to define the risk factors. We decided on the following risk factors: (1) reason for the audit, (2) administrative oversight, and (3) date last audited. These risk factors were assessed as follows:

(1) Reason for the Audit: Each auditable area was assigned a value of 5 for one of the following reasons: auditor preference (the complexity of information systems, the impact of compliance issues, knowledge of management practices, results of last audit, and public relations exposure) or management request.

(2) Administrative Oversight: We decided on the following factors to assess oversight risk: (1) budgeted sources of funds, (2) budgeted uses of funds, (3) total expenditures, (4) total income, and (5) total asset values. Values were assigned from 0 to 10 (0 - < $10,000,000; 1 to 9 – increments of $10,000,000; 10 - > $100,000,000).

(3) Date Last Audited: Values assigned for date last audited were from 0 to 10.
A value of 10 was assigned for an auditable area that has not been audited or was audited 10 or more years ago. Values below 10 were assigned based on how many years since the last audit.

All risk factors for each auditable area were combined resulting in a total risk factor.

After performing the preliminary risk assessment, the following areas received the highest risk rank (25-20). Some of these areas are scheduled for review during FY 2016-2018, while some are not scheduled because of audit coverage in departmental reviews that addresses certain aspects of the area.

Scheduled
Budgeting (FY 2018)
General Accounting (FY 2016)
Human Resources (FY 2017)
Payroll (FY 2017)
Purchasing (FY 2018)
Student Housing (FY 2016)

Unscheduled
Accounts Payable
Property Management

8-1-2

RISK ANALYSIS
Section 8-2

UNIVERSITY OF HOUSTON SYSTEM INTERNAL AUDITING DEPARTMENT
INTERNAL AUDIT PLAN, FY 2016-2018
UNIVERSITY OF HOUSTON SYSTEM
SYSTEM-WIDE AUDITS RISK ASSESSMENT

Auditable Area | Total Risk Rank | Administrative Oversight Risk Level | Administrative Oversight Dollars | Years Since Last Audit
Payroll | 25 | 10 | 568,937,279 | 10
General Accounting | 20 | 10 | 1,714,657,305 | 10
Budgeting | 20 | 10 | 1,562,700,000 | 10
Property Management (Fixed Assets) | 20 | 10 | 1,027,958,012 | 10
Accounts Payable | 20 | 10 | 301,279,316 | 10
Purchasing | 20 | 10 | 301,279,316 | 10
Human Resources | 20 | 10 | 134,894,733 | 10
Facilities Management | 20 | 5 | 55,500,921 | 10
Student Housing | 20 | 3 | 37,796,288 | 7
Enrollment Management | 18 | 10 | 534,279,701 | 8
Academic Fees | 16 | 6 | 68,450,189 | 10
Parking | 16 | 1 | 16,044,134 | 10
Financial Aid | 15 | 10 | 357,690,139 | 0
Formula Funding | 15 | 10 | 191,061,027 | 0
Facilities Planning & Construction | 15 | 10 | 110,671,234 | 0
Investment Management | 14 | 4 | 48,630,460 | 10
Financial Reporting | 13 | 10 | 1,584,074,583 | 3
University Advancement | 13 | 3 | 36,300,275 | 10
Student Services | 13 | 3 | 32,201,973 | 10
Contract & Grants Administration | 12 | 10 | 101,473,175 | 2
Library | 12 | 2 | 29,251,882 | 10
Police Departments | 11 | 1 | 12,316,215 | 10
College/Division Departmental Reviews | 10 | 10 | 1,181,992,168 | 0
Student Accounting & Receivables | 10 | 10 | 534,279,701 | 0
Information Technology | 10 | 5 | 51,377,224 | 0
Institutional Compliance Programs | 10 | 0 | 0 | 10
Continuing Education | 8 | 0 | 2,975,654 | 8
Auxiliary Contract Administration | 7 | 0 | 9,564,689 | 2
College Operations | 6 | 3 | 31,700,947 | 3
Support Organizations | 5 | 0 | 0 | 5
Athletics | 3 | 3 | 31,865,419 | 0
Procurement Cards / Travel Cards | 3 | 2 | 29,974,902 | 1
Endowments | 2 | 2 | 23,931,570 | 0
Travel and Entertainment Expenditures | 2 | 0 | 6,218,549 | 2

[Reason For Audit columns (Auditor Preference, Management Request) contain entries of 5; the FY2016-2018 schedule columns (FY 2016, FY 2017, FY 2018, Later) contain X marks. Row positions of these entries are not preserved.]

8-2-1

UNIVERSITY OF HOUSTON
SYSTEM-WIDE AUDITS RISK ASSESSMENT

Auditable Area | Total Risk Rank | Administrative Oversight Risk Level | Administrative Oversight Dollars, Total | Administrative Oversight Dollars, UHS | Administrative Oversight Dollars, UH | Years Since Last Audit
Payroll | 25 | 10 | 419,053,111 | 7,129,637 | 411,923,474 | 10
General Accounting | 20 | 10 | 1,295,910,588 | 260,263,508 | 1,035,647,080 | 10
Budgeting | 20 | 10 | 1,197,200,000 | 34,100,000 | 1,163,100,000 | 10
Property Management (Fixed Assets) | 20 | 10 | 857,993,707 | 31,546,821 | 826,446,886 | 10
Accounts Payable | 20 | 10 | 243,623,830 | 2,858,838 | 240,764,992 | 10
Purchasing | 20 | 10 | 243,623,830 | 2,858,838 | 240,764,992 | 10
Student Housing | 20 | 3 | 35,005,015 | 0 | 35,005,015 | 7
Human Resources | 19 | 9 | 96,107,198 | 1,646,590 | 94,460,608 | 10
Facilities Management | 19 | 4 | 40,486,174 | 0 | 40,486,174 | 10
Enrollment Management | 18 | 10 | 383,186,223 | 0 | 383,186,223 | 8
Formula Funding | 16 | 10 | 131,494,911 | 1,425,000 | 130,069,911 | 1
Parking | 16 | 1 | 13,761,711 | 0 | 13,761,711 | 10
Financial Aid | 15 | 10 | 214,033,869 | 0 | 214,033,869 | 0
Facilities Planning & Construction | 15 | 10 | 100,775,130 | 0 | 100,775,130 | 0
Academic Fees | 14 | 4 | 46,655,180 | 0 | 46,655,180 | 10
Financial Reporting | 13 | 10 | 1,336,929,348 | 136,390,350 | 1,200,538,998 | 3
University Advancement | 13 | 3 | 34,928,575 | 0 | 34,928,575 | 10
College Operations | 13 | 10 | 31,700,947 | 0 | 31,700,947 | 3
Continuing Education | 13 | 0 | 2,103,807 | 0 | 2,103,807 | 8
Investment Management | 12 | 2 | 43,171,821 | 9,981,407 | 33,190,414 | 10
Student Services | 12 | 2 | 21,160,398 | 0 | 21,160,398 | 10
Contract & Grants Administration | 11 | 9 | 92,710,220 | 0 | 92,710,220 | 2
Library | 11 | 1 | 18,416,724 | 0 | 18,416,724 | 10
College/Division Departmental Reviews | 10 | 10 | 892,989,217 | 0 | 892,989,217 | 0
Student Accounting & Receivables | 10 | 10 | 383,186,223 | 0 | 383,186,223 | 0
Police Departments | 10 | 0 | 8,444,156 | 0 | 8,444,156 | 10
Institutional Compliance Programs | 10 | 0 | 0 | 0 | 0 | 10
Information Technology | 8 | 2 | 30,430,265 | 0 | 30,430,265 | 1
Auxiliary Contract Administration | 7 | 0 | 4,706,154 | 0 | 4,706,154 | 2
Support Organizations | 5 | 0 | 0 | 0 | 0 | 5
Procurement Cards / Travel Cards | 3 | 2 | 23,959,606 | 193,536 | 23,766,070 | 1
Athletics | 2 | 2 | 30,448,741 | 0 | 30,448,741 | 0
Travel and Entertainment Expenditures | 2 | 0 | 5,189,866 | 14,047 | 5,175,819 | 2
Endowments | 1 | 1 | 21,907,697 | 1,583,238 | 20,324,459 | 0

[Reason For Audit columns (Auditor Preference, Management Request) contain entries of 5; the FY2016-2018 schedule columns (FY 2016, FY 2017, FY 2018, Later) contain X marks. Row positions of these entries are not preserved.]

8-2-2

UNIVERSITY OF HOUSTON-CLEAR LAKE
SYSTEM-WIDE AUDITS RISK ASSESSMENT

Auditable Area | Total Risk Rank | Administrative Oversight Risk Level | Administrative Oversight Dollars | Years Since Last Audit
Budgeting | 20 | 10 | 116,800,000 | 10
General Accounting | 20 | 10 | 109,882,792 | 10
Payroll | 20 | 5 | 56,808,938 | 10
Property Management (Fixed Assets) | 16 | 6 | 60,997,326 | 10
Enrollment Management | 15 | 5 | 54,493,791 | 10
Parking | 15 | 0 | 822,597 | 10
Financial Reporting | 12 | 9 | 94,608,129 | 3
Accounts Payable | 11 | 1 | 18,852,645 | 10
Purchasing | 11 | 1 | 18,852,645 | 10
Human Resources | 11 | 1 | 15,610,145 | 10
Financial Aid | 10 | 3 | 37,965,021 | 2
Facilities Management | 10 | 0 | 7,766,587 | 10
Academic Fees | 10 | 0 | 7,322,713 | 10
Student Services | 10 | 0 | 3,969,179 | 10
Library | 10 | 0 | 3,839,466 | 10
Investment Management | 10 | 0 | 2,010,163 | 10
Police Departments | 10 | 0 | 1,690,048 | 10
Procurement Cards / Travel Cards | 10 | 0 | 995,021 | 10
University Advancement | 10 | 0 | 154,700 | 10
Continuing Education | 10 | 0 | 0 | 10
Institutional Compliance Programs | 10 | 0 | 0 | 10
College/Division Departmental Reviews | 9 | 9 | 98,345,283 | 0
Formula Funding | 7 | 2 | 23,938,659 | 0
Auxiliary Contract Administration | 7 | 0 | 300,665 | 2
Student Accounting & Receivables | 5 | 5 | 54,493,791 | 0
Information Technology | 5 | 0 | 6,044,949 | 0
Facilities Planning & Construction | 5 | 0 | 1,600,000 | 0
Travel and Entertainment Expenditures | 4 | 0 | 478,227 | 4
Contract & Grants Administration | 2 | 0 | 4,340,272 | 2
Endowments | 1 | 0 | 795,673 | 1
Athletics | 0 | 0 | 0 | 0
College Operations | 0 | 0 | 0 | 0
Student Housing | 0 | 0 | 0 | 0
Support Organizations | 0 | 0 | 0 | 0

[Reason For Audit columns (Auditor Preference, Management Request) contain entries of 5; the FY2016-2018 schedule columns (FY 2016, FY 2017, FY 2018, Later) contain X marks. Row positions of these entries are not preserved.]

8-2-3

UNIVERSITY OF HOUSTON-DOWNTOWN
SYSTEM-WIDE AUDITS RISK ASSESSMENT

Auditable Area | Total Risk Rank | Administrative Oversight Risk Level | Administrative Oversight Dollars | Years Since Last Audit
Payroll | 21 | 6 | 66,867,948 | 10
General Accounting | 20 | 10 | 287,435,574 | 10
Budgeting | 20 | 10 | 177,400,000 | 10
Property Management (Fixed Assets) | 17 | 7 | 76,855,497 | 10
Enrollment Management | 17 | 7 | 71,641,871 | 10
Financial Aid | 15 | 8 | 80,266,301 | 2
Parking | 15 | 0 | 1,459,826 | 10
Financial Reporting | 13 | 10 | 127,590,471 | 3
Accounts Payable | 12 | 2 | 24,666,304 | 10
Purchasing | 12 | 2 | 24,666,304 | 10
College/Division Departmental Reviews | 11 | 10 | 145,777,296 | 1
Human Resources | 11 | 1 | 15,742,966 | 10
Academic Fees | 11 | 1 | 11,988,651 | 10
Contract & Grants Administration | 11 | 3 | 3,954,274 | 8
Facilities Management | 10 | 0 | 5,552,473 | 10
Student Services | 10 | 0 | 4,595,138 | 10
Library | 10 | 0 | 4,435,987 | 10
Procurement Cards / Travel Cards | 10 | 0 | 2,948,132 | 10
Investment Management | 10 | 0 | 2,509,729 | 10
Police Departments | 10 | 0 | 2,182,011 | 10
University Advancement | 10 | 0 | 1,217,000 | 10
Continuing Education | 10 | 0 | 871,847 | 10
Institutional Compliance Programs | 10 | 0 | 0 | 10
Student Accounting & Receivables | 7 | 7 | 71,641,871 | 0
Formula Funding | 7 | 2 | 21,401,337 | 0
Auxiliary Contract Administration | 7 | 0 | 796,586 | 2
Information Technology | 6 | 1 | 13,639,485 | 0
Facilities Planning & Construction | 5 | 0 | 0 | 0
Travel and Entertainment Expenditures | 4 | 0 | 283,394 | 4
Endowments | 1 | 0 | 983,910 | 1
Athletics | 0 | 0 | 0 | 0
College Operations | 0 | 0 | 0 | 0
Student Housing | 0 | 0 | 0 | 0
Support Organizations | 0 | 0 | 0 | 0

[Reason For Audit columns (Auditor Preference, Management Request) contain entries of 5; the FY2016-2018 schedule columns (FY 2016, FY 2017, FY 2018, Later) contain X marks. Row positions of these entries are not preserved.]

8-2-4

UNIVERSITY OF HOUSTON-VICTORIA
SYSTEM-WIDE AUDITS RISK ASSESSMENT

Auditable Area | Total Risk Rank | Administrative Oversight Risk Level | Administrative Oversight Dollars | Years Since Last Audit
Budgeting | 17 | 7 | 71,300,000 | 10
Payroll | 17 | 2 | 26,207,282 | 10
Student Housing | 15 | 0 | 2,791,273 | 5
Parking | 15 | 0 | 0 | 10
Property Management (Fixed Assets) | 13 | 3 | 32,111,483 | 10
Enrollment Management | 12 | 2 | 24,957,816 | 10
General Accounting | 12 | 2 | 21,428,351 | 10
Financial Aid | 11 | 2 | 25,424,948 | 4
Accounts Payable | 11 | 1 | 14,136,537 | 10
Purchasing | 11 | 1 | 14,136,537 | 10
Human Resources | 10 | 0 | 7,434,424 | 10
Library | 10 | 0 | 2,559,705 | 10
Academic Fees | 10 | 0 | 2,483,645 | 10
Student Services | 10 | 0 | 2,477,258 | 10
Procurement Cards / Travel Cards | 10 | 0 | 2,072,143 | 10
Facilities Management | 10 | 0 | 1,695,687 | 10
Investment Management | 10 | 0 | 938,747 | 10
Continuing Education | 10 | 0 | 0 | 10
Institutional Compliance Programs | 10 | 0 | 0 | 10
Police Departments | 10 | 0 | 0 | 10
University Advancement | 10 | 0 | 0 | 10
Information Technology | 8 | 0 | 1,262,525 | 3
Auxiliary Contract Administration | 7 | 0 | 3,761,284 | 2
Formula Funding | 6 | 1 | 14,226,120 | 0
Financial Reporting | 5 | 2 | 24,946,635 | 3
Facilities Planning & Construction | 5 | 0 | 8,296,104 | 0
College/Division Departmental Reviews | 4 | 4 | 44,880,372 | 0
Travel and Entertainment Expenditures | 4 | 0 | 267,062 | 4
Athletics | 3 | 0 | 1,416,678 | 3
Student Accounting & Receivables | 2 | 2 | 24,957,816 | 0
Contract & Grants Administration | 1 | 0 | 468,409 | 1
Endowments | 0 | 0 | 244,290 | 0
College Operations | 0 | 0 | 0 | 0
Support Organizations | 0 | 0 | 0 | 0

[Reason For Audit columns (Auditor Preference, Management Request) contain entries of 5; the FY2016-2018 schedule columns (FY 2016, FY 2017, FY 2018, Later) contain X marks. Row positions of these entries are not preserved.]

8-2-5

UNIVERSITY OF HOUSTON SYSTEM INTERNAL AUDITING DEPARTMENT
AUDIT COVERAGE MATRICES INDEX
1. SACS Accreditation Reviews
2. NCAA Rules-Compliance
3. Financial Aid – Schedule
4. Financial Aid – Award Amounts
5. Departmental Reviews
6. Endowments
Section 8-3

AUDIT COVERAGE MATRIX
SACS 10 YEAR ACCREDITATION REVIEWS

Rows: Year 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023, 2024, 2025, 2026, 2027, 2028, 2029
Columns (Campus): UH 10 Year, UHCL 10 Year, UHD 10 Year, UHV 10 Year
[The matrix contains X marks; their row and column positions are not preserved.]

Note: SACS Regional Accreditation Reviews are required every 10 years. The reviews are performed by external auditors.

8-3-1

AUDIT COVERAGE MATRIX
NCAA RULES-COMPLIANCE

Columns: FY 2016, FY 2017, FY 2018, FY 2019, FY 2020
[The matrix contains X marks; their row and column positions are not preserved.]

Audit Areas

Major Areas
Eligibility
- Initial-Eligibility Certification
- Continuing-Eligibility Certification
- Transfer-Eligibility Certification
Financial Aid Administration
Recruiting

Other Areas
Governance & Organization
Academic Performance Program
Camps and Clinics
Investigations and Self-Reporting Rules Violations
Rules Education
Extra Benefits
- Athletic Equipment and Apparel
- Complimentary Admissions
- Student-Athlete Vehicles
- Team Travel
- Representatives of Athletics Interests
Playing and Practice Seasons
Student-Athlete Employment
Amateurism
Commitment of Personnel to Rules-Compliance Activities

Note: NCAA Bylaw 22.2.1.2.(e) - …the institution shall demonstrate that: … at least once every four years, its rules-compliance program is the subject of evaluation by an authority
outside of the athletics department. This bylaw was rescinded as of February 2013. However, the Athletics Compliance Department continues to follow the remaining NCAA bylaws as part of their compliance operations. 8-3-2 X X X UNIVERSITY OF HOUSTON SYSTEM INTERNAL AUDITING DEPARTMENT INTERNAL AUDIT PLAN, FY 2016-2018 AUDIT COVERAGE MATRIX FINANCIAL AID FY 2016 FY 2017 FY 2018 FY 2019 FY 2019 FY 2020 Title IV Pell Grants Federal Direct Loan Program Perkins Loans College Work-Study Supplemental Education Opportunity Grants TEACH Grant X X X X X X Non-Title IV Scholarships Designated Tuition (20%) - Set Aside Other Non-Title IV X X X 8-3-3 UNIVERSITY OF HOUSTON SYSTEM INTERNAL AUDITING DEPARTMENT INTERNAL AUDIT PLAN, FY 2016-2018 FINANCIAL AID PROGRAMS TOTAL AWARDS Entity/ Year Supplemental Education Opportunity Grants Academic Competitiveness Grant National SMART Grant $ Awards $ Awards $ Awards Federal Family Education Loan Program Federal Direct Loan Program Pell Grants $ Awards $ Awards $ Awards $136,105,908 $143,760,077 N/A N/A N/A N/A N/A N/A $8,244,959 $172,662,435 $181,547,103 $172,531,087 $162,259,752 $164,372,615 $28,767,072 $42,684,559 $51,004,966 $54,577,436 $53,526,012 $51,490,996 $54,845,843 $3,634,942 $3,353,817 $1,126,019 $2,118,694 $1,456,759 $63,768 $79,962 $1,578,869 $1,797,976 $1,295,837 $1,617,134 $1,328,953 $1,329,684 $1,333,329 $2,126,386 $1,650,000 $1,165,849 $1,000,000 $1,000,000 $1,055,234 $1,127,654 $32,791,171 $35,468,523 $36,553,539 $37,401,756 $35,416,173 $31,621,768 $30,918,906 $3,613,283 $5,736,855 $7,223,187 $7,705,328 $7,867,066 $7,657,532 $8,529,625 $70,951 $57,897 $64,042 $53,111 $67,000 $52,000 $20,000 $84,664 $101,697 $123,044 $124,471 $111,587 $143,815 $154,122 College Perkins Loans Work-Study $ Awards $ Awards TEACH Grant Total Title IV Financial Aid $ Awards UH 2009 2010 2011 2012 2013 2014 2015 UHCL 2009 2010 2011 2012 2013 2014 2015 N/A N/A N/A N/A N/A N/A N/A $598,830 $846,978 $852,945 N/A N/A N/A N/A $380,984 $628,217 
$601,449 N/A N/A N/A N/A $31,500 $50,000 $96,500 $77,500 $51,000 $32,977 $34,476 $173,224,491 $203,016,583 $228,806,000 $240,937,867 $229,893,811 $216,232,411 $221,793,879 $204,009 $197,656 $205,036 $190,449 $197,915 $118,766 $138,500 N/A N/A N/A N/A N/A N/A N/A $26,000 $228,658 $315,573 N/A N/A N/A N/A $176,636 $287,239 $358,038 $297,458 $247,651 $228,374 $174,995 $36,966,714 $42,078,525 $44,842,459 $45,772,573 $43,907,392 $39,822,255 $39,936,148 UHD 2009 2010 2011 2012 2013 2014 2015 $40,766,446 $47,148,593 N/A N/A N/A N/A N/A N/A $22,552 $49,650,902 $53,723,163 $52,876,329 $49,973,546 $57,591,886 $14,767,738 $22,748,948 $26,792,564 $26,751,083 $26,294,178 $26,465,051 $27,206,868 N/A N/A N/A N/A N/A N/A N/A $271,371 $398,079 $409,926 $285,343 $306,207 $310,022 $313,512 $522,948 $508,825 $420,590 $421,385 $465,399 $376,525 $452,579 $251,462 $372,035 $451,165 N/A N/A N/A N/A $11,000 $41,400 $155,095 N/A N/A N/A N/A 2009 2010 2011 2012 2013 2014 2015 $11,110,936 N/A N/A N/A N/A N/A N/A N/A $14,876,155 $18,997,187 $21,534,532 $21,082,561 $21,217,151 $21,069,202 $1,599,942 $2,936,721 $4,561,797 $4,771,457 $5,028,439 $5,457,117 $5,939,504 N/A N/A N/A N/A N/A N/A N/A $34,984 $45,397 $72,920 $92,906 $120,131 $113,279 $110,380 $74,092 $61,425 $76,385 $57,068 $93,726 $78,840 $120,375 N/A N/A $51,750 N/A N/A N/A N/A $16,000 $27,500 $28,000 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A $56,590,965 $71,240,432 $77,880,242 $81,180,974 $79,942,113 $77,125,144 $85,564,845 UHV NOTE 1: Award amounts were provided by Financial Aid Directors. 
8-3-4 $32,000 $29,000 $26,000 $26,000 $18,322 $20,078 $26,871 $12,867,954 $17,976,198 $23,814,039 $26,481,963 $26,343,179 $26,886,465 $27,266,332

UNIVERSITY OF HOUSTON SYSTEM INTERNAL AUDITING DEPARTMENT
INTERNAL AUDIT PLAN, FY 2016-2018
AUDIT COVERAGE MATRIX
DEPARTMENTAL REVIEWS

University | College/Division Name | FY 2015 Budget Operations Expenditures | FY 2015 Budget Restricted Expenditures | FTEs
UH | Academic Affairs/Provost | 40,780,178 | 1,992,248 | 203
UH | Administration & Finance | 92,721,617 | 21,786,125 | 1,365
UH | Architecture | 5,234,496 | 615,871 | 66
UH | Athletics | 32,399,062 | 4,018,776 | 152
UH | Business | 43,382,496 | 7,974,508 | 342
UH | Chancellor/President | 2,605,065 | 91,997 | 21
UH | Education | 13,350,217 | 4,312,024 | 253
UH | Engineering | 32,540,617 | 23,963,468 | 450
UH | Graduate College of Social Work | 4,110,921 | 2,828,643 | 76
UH | Honors | 2,991,989 | 923,409 | 45
UH | Hotel & Restaurant Management | 12,542,007 | 2,975,808 | 100
UH | Law Center | 25,032,113 | 537,941 | 297
UH | Liberal Arts & Social Sciences | 64,370,780 | 18,148,480 | 1,096
UH | Library | 18,119,020 | 297,704 | 115
UH | Natural Sciences & Mathematics | 52,769,481 | 32,231,406 | 577
UH | Optometry | 21,649,497 | 5,413,931 | 196
UH | Pharmacy | 14,827,644 | 4,099,687 | 120
UH | Research | 43,191,465 | 5,938,084 | 295
UH | Student Affairs & Enrollment Services | 115,641,523 | 85,484,937 | 732
UH | Technology | 13,572,819 | 1,790,004 | 152
UH | University Advancement | 11,331,990 | 365,492 | 92
UH | University Marketing, Comm, & Media | 4,033,677 | 0 | 38
UH | Total | 667,198,674 | 225,790,543 | 6,783

UHCL | Administration & Finance | 14,125,963 | 5,000 | 186
UHCL | Business | 10,504,145 | 16,629 | 137
UHCL | Education | 6,679,375 | 1,116,073 | 113
UHCL | Human Sciences & Humanities | 9,339,962 | 864,767 | 169
UHCL | President's Office | 2,211,070 | 13,227 | 22
UHCL | Provost's Office | 31,777,721 | 12,315,865 | 389
UHCL | Science and Computer Engineering | 8,199,326 | 1,176,160 | 148
UHCL | Total | 82,837,562 | 15,507,721 | 1,162

UHD | Academic & Student Affairs | 29,245,444 | 35,185,626 | 297
UHD | Administration & Finance | 27,055,656 | 2,051 | 254
UHD | Advancement & External Relations | 2,398,653 | 12,217 | 15
UHD | Business | 12,758,606 | 486,077 | 165
UHD | Employment Svc & Operations | 2,978,416 | 0 | 16
UHD | Humanities & Social Sciences | 12,703,039 | 305,722 | 250
UHD | President's Office | 1,213,716 | 5,940 | 9
UHD | Public Service | 6,466,301 | 807,454 | 103
UHD | Sciences & Technology | 9,196,464 | 1,724,854 | 162
UHD | University College | 1,638,489 | 1,592,571 | 36
UHD | Total | 105,654,784 | 40,122,512 | 1,307

UHV | Administration & Finance | 6,100,775 | 0 | 83
UHV | Arts & Sciences | 4,947,827 | 15,705 | 78
UHV | Business Administration | 7,064,261 | 293,643 | 83
UHV | Education | 3,404,626 | 0 | 42
UHV | President's Office | 3,881,636 | 62,521 | 33
UHV | Provost | 3,878,676 | 32,786 | 66
UHV | Enrollment Manag. & Student Affairs | 5,941,996 | 6,635,165 | 85
UHV | Total | 35,219,797 | 7,039,820 | 470

[Schedule columns FY 2016, FY 2017, FY 2018, FY 2019 and FY 2020 contain X marks; their row positions are not preserved.]

8-3-5

UNIVERSITY OF HOUSTON SYSTEM
AUDIT COVERAGE MATRIX
ENDOWMENTS

Endowment Category | No. of Endowments | Market Value as of 8/31/14 | Income Distributed FY 2014
University of Houston:
Administration & Finance | 1 | 1,486 |
Advancement | 1 | 3,385,497 | (165,492)
College of Architecture | 16 | 10,977,074 | (367,862)
Athletics | 42 | 6,367,131 | (218,776)
C. T. Bauer College of Business | 108 | 67,956,627 | (2,257,020)
College of Education | 61 | 2,762,963 | (92,199)
Cullen College of Engineering | 87 | 17,305,404 | (590,212)
Graduate College of Social Work | 26 | 6,253,543 | (106,781)
Honors College | 48 | 8,253,254 | (283,682)
Hilton College of Hotel Restaurant Mgmt | 53 | 4,352,268 | (146,732)
College of Liberal Arts & Social Sciences | 267 | 84,304,349 | (2,888,790)
College of Law | 11 | 1,740,786 | (60,232)
Library | 60 | 8,744,007 | (290,481)
Non College Specific | 191 | 88,168,116 | (2,848,095)
College of Natural Sciences & Mathematics | 52 | 12,895,465 | (430,080)
College of Optometry | 34 | 5,284,116 | (155,432)
College of Pharmacy | 84 | 2,677,140 | (79,573)
President | 5 | 2,540,591 | (90,937)
Provost | 21 | 52,712,768 | (1,888,569)
Research | 12 | 24,226,660 | (844,568)
Student Affairs | 6 | 695,776 | (21,820)
College of Technology | 30 | 1,853,982 | (59,279)
Total - University of Houston | 1,216 | 413,459,003 | (13,886,612)
University of Houston-Clear Lake | 148 | 23,343,082 | (795,673)
University of Houston-Downtown | 85 | 29,052,014 | (983,910)
University of Houston-Victoria | 87 | 12,177,864 | (417,726)
System Administration | 21 | 122,040,871 | (4,313,287)
TOTAL - UH SYSTEM ENDOWMENT FUND | 1,557 | 600,072,834 | (20,397,208)

[Schedule columns FY 2011, FY 2012, FY 2013, FY 2014, FY 2015 and FY 2016 contain X marks; their row positions are not preserved.]

8-3-6

INFORMATION TECHNOLOGY RISK ASSESSMENT
UNIVERSITY OF HOUSTON

University of Houston Information Technology Department prepared a risk assessment based on its service domains using the Institute of Internal Auditors Global Technology Audit Guide. For each service domain, a risk assessment was performed using the following risks: university dependency, quality of internal controls, changes in service domain, availability, integrity, and confidentiality. After rating likelihood and impact of each risk, the overall risk score was tabulated for each service domain.

Included in the risk assessment are the following:
• Information Technology Risk Assessment,
• Risk Assessment Methodology, and
• Service Domains and Sub-Programs.
Section 8-4 UNIVERSITY OF HOUSTON SYSTEM INTERNAL AUDITING DEPARTMENT INTERNAL AUDIT PLAN, FY 2016-2018 Impact ∑LxI Composite Risk Level Likelihood Budget Total Impact Capital Projects Likelihood M&O Impact Salaries / Benefits Likelihood Budgeted FTE Total Risk Score Confidentiality Impact Integrity Availability Likelihood Changes in Service Domain Impact Quality of Internal Controls Likelihood 1a. A&F Business Services 1. Administration and Management of IT 2. Information Technology Support Systems Impact IT Audit Universe Categories – UIT Service Domains Likelihood IT Risk Assessment FY15: The Impact of Risk Areas on UIT Service Domains University Dependency UNIVERSITY OF HOUSTON INFORMATION TECHNOLOGY RISK ASSESSMENT 1 2 1 1 1 1 1 1 1 2 1 2 9 229 6 8 1 3 1 1 1 2 1 3 1 3 1 3 15 65 $3,426,620 $671,383 $4,098,003 Low 1 3 1 1 1 2 1 3 1 2 1 1 12 6 $620,453 $264,650 $885,103 Low 1 3 1 1 1 1 1 2 1 3 1 2 12 5 $350,450 $131,200 $481,650 Low 1 2 1 3 3 3 1 2 1 1 1 1 1 2 1 1 3 2 1 2 1 3 3 3 1 1 1 1 3 3 1 1 1 1 2 3 10 25 15 1 47 50 $79,000 $2,714,073 $4,367,955 $1,663,884 $3,813,422 $707,561 $450,000 $190,000 $1,742,884 $6,977,495 $5,265,516 Medium Low 1 3 1 1 1 2 1 2 1 2 1 3 13 9 $768,256 $329,290 $43,500 $1,141,046 Low 1 1 3 3 1 1 1 1 1 1 2 2 1 1 2 3 1 1 2 3 1 1 3 3 13 15 3 32 $100,000 $2,679,979 $5,000 $2,099,373 $105,000 $4,779,352 Low Low $16,302,870 $548,619 $647,465 $11,226,079 $62,007 $1,478,309 $730,000 $500 $46,000 $28,258,949 $611,126 $2,171,774 3. Educational Technology Services 4. Research Computing Services 5. Data Centers 6. Communication Infrastructure Services 7. Enterprise Infrastructure and Services 8. Information Security Low 9. Identity Management 10. 
Information Systems and Applications

Composite Risk Level Range: High=35-54; Medium=20-34; Low=6-19
Lowest possible score = 6
Highest possible score = 54
Midpoint = 30

Source: Adapted from The Institute of Internal Auditors Global Technology Audit Guide (GTAG) 2005
Note: The Information Technology Risk Assessment was prepared by the University of Houston Information Technology Department.

8-4-1

UNIVERSITY OF HOUSTON SYSTEM INTERNAL AUDITING DEPARTMENT
AUDIT PLAN, FY 2016 - 2018

IT Risk Assessment Methodology 2015*
*Adapted from The Institute of Internal Auditors Global Technology Audit Guide (GTAG) 2005

Risk – Definition – The probability of an event occurring that will have an impact on the achievement of university objectives.

Risk = Likelihood (probability) of event x Impact

IT Audit Universe Categories – Defined by Educause Service Domains, further broken down by UIT into sub-programs. These service domains map to the UIT Line Item Budget and are reflected in UIT Performance Metrics.

Likelihood – High probability that the risk will occur (H – 3), medium probability that the risk will occur (M – 2), low probability that the risk will occur (L – 1).

Impact – There is a potential for material impact on the institution’s earnings, assets or reputation (H – 3). The potential impact may be significant to IT, but moderate in terms of the total institution (M – 2). The potential impact on the institution is minor in size or limited in scope (L – 1).

Risks Assessed – Each UIT Service Domain (IT Audit Universe Category) is assessed according to the following risks:

• University Dependency – Describes the number of University organization units supported by the service domain.
(L) The service domain does not serve other organizational units, or at most one other organization unit. Service domain is mostly self-contained.
(M) Service domain serves limited informational needs of several dependent organizations within the University.
(H) Service domain meets full and very complex informational needs of numerous dependent organizations within the University.

• Impact of Quality of Internal Controls (robustness of environment) - Factors: Hardware: Standalone vs. Multiple systems; Software: Redundancy/Robustness of applications/failover capabilities; Physical: Data Center location – Access and environmental controls, Secondary DC; Participant in Change Management Control Process; Monitoring – 24/7/365 Policies; Human Resources/Staffing
(L) The service domain is robust and incorporates multiple levels of internal controls. Issues have low impact on delivery of services affecting university operations.
(M) The service domain employs limited internal controls. Some redundancies are in place, but disruptions in services affecting university operations are still possible.
(H) The service domain contains single points of failure and lacks resiliency. Minor system disruptions can have a significant impact on the delivery of services affecting University operations.

• Changes in Service Domain/Audit Area – How dynamic is the service domain? Are there typically significant changes in staff size, funding, functions, systems, key positions and/or responsibilities of the area?
(L) The service domain is typically static. There are not frequent changes in staff size, funding, functions, systems, key positions and/or responsibilities of the area.
(M) It is not infrequent that changes to the service domain occur. However, these changes to staff size, funding, functions, systems, key positions and/or responsibilities of the area do not result in significant impact to the operations of the university.
(H) Changes to the service domain frequently occur and result in serious impact on the operations of the University.

• Availability – What is the relative effect of the service domain being unavailable to the operations of the university?
(L) Unavailability of the service domain would have little or no impact on the operations of the University.
(M) Unavailability of the service domain has a moderate impact on the operations of the University.
(H) Unavailability of the service domain has a serious impact on the operations of the University.

• Integrity – What is the relative effect of inaccurate data to the service domain’s capability to support university operations?
(L) Incorrect or inaccurate information generated by the service domain would have little or no impact on the operations of the University.
(M) Incorrect or inaccurate information generated by the service domain has a moderate impact on the operations of the University.
(H) Incorrect or inaccurate information generated by the service domain has a serious impact on the operations of the University.

• Confidentiality - What is the degree of confidentiality of the information produced or handled by the service domain?
(L) Information produced by the service domain is not confidential and is generally available to the public, the release of which would not result in any potential loss or embarrassment to the University.
(M) Information produced by the service domain is available to designated employees of the University in connection with their jobs. Release to the public or to an unauthorized entity could result in minor financial loss or moderate embarrassment or violation of an individual’s privacy.
(H) Information produced by the service domain requires protection against unauthorized or premature disclosure. Such disclosure could result in serious loss or embarrassment or could adversely affect the University or the subject of the information.
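The scoring described above, as an added example that is not part of the original plan: it sums likelihood x impact over the six risks, maps the total to the stated ranges, and shows that a domain rated Low likelihood on every risk cannot score above 18, so it stays in the Low range even when every impact is High. The domain names and ratings are constructed, and the function names are hypothetical.

```python
"""Composite IT risk score: sum over six risks of likelihood x impact.

Added example. The entries in SAMPLE_DOMAINS are constructed, not taken
from the plan's risk assessment table.
"""

RATING = {"L": 1, "M": 2, "H": 3}

# The six risks assessed for every service domain, in the methodology's order.
RISKS = (
    "university_dependency",
    "quality_of_internal_controls",
    "changes_in_service_domain",
    "availability",
    "integrity",
    "confidentiality",
)

# Composite risk level ranges stated in the methodology.
BANDS = (("Low", 6, 19), ("Medium", 20, 34), ("High", 35, 54))


def ratings_from(pairs):
    """Build a ratings dict from six 'LI' strings given in RISKS order."""
    if len(pairs) != len(RISKS):
        raise ValueError("exactly six likelihood/impact pairs are required")
    return dict(zip(RISKS, pairs))


def risk_products(ratings):
    """Return {risk: likelihood x impact} after validating the input."""
    missing = [r for r in RISKS if r not in ratings]
    unknown = [r for r in ratings if r not in RISKS]
    if missing or unknown:
        raise ValueError(f"missing risks {missing}, unknown risks {unknown}")
    products = {}
    for risk in RISKS:
        likelihood, impact = ratings[risk]
        if likelihood not in RATING or impact not in RATING:
            raise ValueError(f"{risk}: ratings must be L, M or H")
        products[risk] = RATING[likelihood] * RATING[impact]
    return products


def composite_score(ratings):
    return sum(risk_products(ratings).values())


def risk_level(score):
    for name, low, high in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is outside 6-54")


def assess(domains):
    """Rank domains by composite score, highest first.

    Each result lists the risks with the largest single product, so a
    reviewer can see what drives the score.
    """
    results = []
    for name, ratings in domains.items():
        products = risk_products(ratings)
        score = sum(products.values())
        top = max(products.values())
        results.append({
            "domain": name,
            "score": score,
            "level": risk_level(score),
            "drivers": [r for r in RISKS if products[r] == top],
        })
    return sorted(results, key=lambda r: r["score"], reverse=True)


def ceiling_for_likelihood(likelihood):
    """Highest score reachable when every risk has this likelihood."""
    return len(RISKS) * RATING[likelihood] * RATING["H"]


# Constructed ratings: each string is likelihood then impact.
SAMPLE_DOMAINS = {
    "Domain A (constructed)": ratings_from(["LH"] * 6),
    "Domain B (constructed)": ratings_from(["HH", "MM", "LM", "MH", "MH", "HH"]),
    "Domain C (constructed)": ratings_from(["MM", "MM", "LL", "MH", "LH", "MM"]),
}

if __name__ == "__main__":
    for row in assess(SAMPLE_DOMAINS):
        print(row["domain"], row["score"], row["level"], row["drivers"])
    print("Ceiling with Low likelihood everywhere:", ceiling_for_likelihood("L"))
```

Because the score is multiplicative, a reviewer reading a Low composite should also look at the individual impact ratings: Domain A above is High impact on all six risks and still lands in the Low range.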
Resource Allocations:
Budgeted FTEs employed in the service domain
Financial Budget Amounts – Salaries/Benefits, M&O, Capital Projects
Composite Risk Level - Ranges: H = 35-54, M = 20-34, L = 6-19; Midpoint = 30

UNIVERSITY OF HOUSTON INFORMATION TECHNOLOGY SERVICE DOMAINS AND SUB-PROGRAMS

1. Administration and Management of IT
1.1 Administration of central IT organization
1.2 CIO or CTO position
1.3 Institutional IT planning
1.4 Financial planning and management for IT
1.5 Human resources management for the IT organization
1.6 Facilities management for the IT organization
1.7 Software site licenses
1.8 Emergency preparedness
1.9 IT policy development, dissemination, and education
1.10 Information usage/management policy development and education
1.11 Interpretation of current policy related to specific issues, situations, and incidents
1.12 Program, project and/or service management
1.13 Business process/systems analysis
1.14 Advanced technology
1.15 Technology Research and Development
1.16 Staff, hardware, and software affiliated with these functions

2.
Information Technology (IT) Support Services
2.1 Desktop computing including:
  2.1.1 Technicians and technical support for desktop computing
  2.1.2 Desktop computer technical analysis and consulting staff
  2.1.3 Hardware and software to support desktop computing
2.2 Executive IT support
2.3 Computer installation, maintenance, and repair
2.4 Computer repair staff
2.5 User support services including:
  2.5.1 Support center and/or help desk
  2.5.2 Walk-in support for students, faculty, and staff
  2.5.3 Call-in support for students, faculty, and staff
  2.5.4 Call centers
  2.5.5 Self-help services
  2.5.6 Support for knowledge bases, self-help tools
  2.5.7 Specialized support centers
  2.5.8 Reference desk and staff
  2.5.9 Staff who support these functions
2.6 Departmental computing support
2.7 Computer store including computer resale activities and staff
2.8 IT communications and publications, user documentation and general informational publications
2.9 IT Training and education including general user training and education and related staff
2.10 Collaborative technologies
2.11 Multimedia services
2.12 Staff, hardware, and software affiliated with these functions

3. Educational Technology Services
3.1 Instructional technology support including:
3.2 Instructional support staff
3.3 Faculty instructional technology/LMS support
3.4 Teaching and technology center staff
3.5 Classroom technology
3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 Classroom and learning space support Student technology centers Student computing Distance education Online learning technology Specialized training for faculty Specialized training for students Learning Technology systems to support student success Staff, hardware, and software affiliated with these functions

4.
Research Computing Services
4.1 Research storage
4.2 High-performance computing
4.3 High-performance research network
4.4 Grid and data-centric computing
4.5 Advanced visualization
4.6 Electronic research administration
4.7 Discipline-specific applications development, programming, and support not related to instruction
4.8 Academic hardware and software that does not relate to instruction
4.9 General statistical support
4.10 Grant support
4.11 Research technology services from remote sites
4.12 Staff for research computing operations, consulting, and technical assistance
4.13 Other staff, hardware, and software affiliated with these functions

5. Data Centers
5.1 Data center operations
5.2 Data center environmental support systems
5.3 Disaster recovery planning and implementation
5.4 Staff, hardware, and software affiliated with these functions

6. Communications Infrastructure Services
6.1 Data networks including:
  6.1.1 Wire and cable infrastructure for data and video networks
  6.1.2 Campus data network
  6.1.3 Wireless network
  6.1.4 Remote access
  6.1.5 Video network
  6.1.6 Commodity Internet
  6.1.7 Converged network
  6.1.8 Cable TV
  6.1.9 Staff, hardware, and software for network infrastructure
6.2 Voice networks including:
  6.2.1 Dial tone
  6.2.2 Telephone Services including telephony staff, hardware, software, etc.
  6.2.3 Voice mail
  6.2.4 Cellular and paging services
  6.2.5 Long distance resale
  6.2.6 Telecommunications
  6.2.7 Wire and cable infrastructure for voice network
  6.2.8 Network, phone, and cable TV delivery and operations in residence halls
  6.2.9 Staff, hardware, and software affiliated with these functions

7.
Enterprise Infrastructure and Services
7.1 Web support services including:
7.2 Content design and web-based publication
7.3 Content management support
7.4 Web server support
7.5 Web support staff, hardware, and software
7.6 Web-based applications development or interface
7.7 E-mail and messaging including:
  7.7.1 E-mail for faculty and/or staff
  7.7.2 E-mail for students
  7.7.3 Messaging and related infrastructure
7.8 Calendar
7.9 Portal development and support
7.10 Mobile application design and development
7.11 Enterprise Infrastructure
7.12 System backups
7.13 Systems administration and operation
7.14 Enterprise service integration
7.15 Service-oriented architecture
7.16 Middleware development and support
7.17 Security infrastructure development and support
7.18 Virtual desktop infrastructure
7.19 Infrastructure support for departmental IT support providers
7.20 Staff, hardware, and software affiliated with these functions

8. Information Security
8.1 Security planning and design and implementation
8.2 Security policy and process development
8.3 Coordinating response to incidents of inappropriate use of information or information technology
8.4 Vulnerability analysis
8.5 User education and guidance programs
8.6 Staff, hardware and software affiliated with these functions

9. Identity Management
9.1 Identity management systems
9.2 Authentication services
9.3 Account administration
9.4 Authorization services
9.5 Staff, hardware and software affiliated with these functions

10.
Information Systems and Applications
10.1 Administrative/enterprise information systems including:
10.2 Business intelligence/data administration/data warehouse application systems
10.3 Human resources management application systems
10.4 Payroll systems
10.5 Student information application systems
10.6 Alumni/advancement/fundraising application systems
10.7 Fiscal and procurement application systems
10.8 Financial management systems
10.9 Grants management applications
10.10 Lifetime engagement application systems
10.11 Library systems
10.12 Enterprise decision support
10.13 Administrative system support including:
  10.13.1 Development and implementation of these systems
  10.13.2 Maintenance of these systems
  10.13.3 Training of users of these systems
  10.13.4 Programming support related to these systems
  10.13.5 Database administration
  10.13.6 Hardware, software, staff and other infrastructure needed to support these systems