FISCAL YEAR 2014 INTERNAL AUDIT ANNUAL REPORT Andrew S. Groover, M.Ed., CPA, CIA, CICA, CISA, CFE Director of Internal Audits October 28, 2014 TEXAS WOMAN’S UNIVERSITY OFFICE OF INTERNAL AUDITS TEXAS WOMAN'S UNIVERSITY MEMBERS OF THE BOARD OF REGENTS Sue Schrier Bancroft, Chair and Presiding Officer Mary Pincoffs Wilson, Vice Chair and Assistant Presiding Officer Lola Chriss Anna Maria Farias, Esq. Debbie Gibson Ann Scanlon McGinity, Ph.D. Nancy Painter Paup George R. Schrader Melissa D. Tonn, M.D. Candace Henslee (Student Regent) OFFICERS OF THE UNIVERSITY Carine Feyten, Ph.D., Chancellor and President Robert Neely, Ph.D., Provost and Vice President for Academic Affairs Brenda Floyd, Ed.D., Vice President for Finance & Administration Monica Mendez-Grant, Ed.D., Vice President for Student Life Gary Ray, M.Ed., Vice President for Enrollment Services OFFICE OF INTERNAL AUDITS Andrew S. Groover, M.Ed., CPA, CIA, CICA, CISA, CFE Director of Internal Audits TEXAS WOMAN’S UNIVERSITY OFFICE OF INTERNAL AUDITS TABLE OF CONTENTS I. Compliance with House Bill 16: Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit information on Internet Web site ................... 1-9 II. Planned Work Related to the Proportionality of Higher Education Benefits ............ 9 III. Internal Audit Plan for Fiscal Year 2014 ............................................................. 9-10 IV. Consulting Services and Non-Audit Services Completed...................................... 10 V. External Quality Assurance Review ................................................................. 10-14 VI. Internal Audit Plan for Fiscal Year 2015 ........................................................... 15-16 VII. External Audit Services Procured in Fiscal Year 2014 .......................................... 16 VIII. Reporting Suspected Fraud and Abuse ................................................................ 17 October 28, 2014 Members of the Board of Regents, Texas Woman's University Dr. Carine Feyten, Chancellor and President, Texas Woman's University Ms. Kate McGrath, Governor’s Office of Budget, Planning, and Policy Mr. Ed Osner, Legislative Budget Board Internal Audit Coordinator, State Auditor’s Office Mr. Ken Levine, Sunset Advisory Commission A report on the activity of Texas Woman's University's Office of Internal Audits for fiscal year 2014 follows. This report fulfills the requirements of Texas Government Code (Texas Internal Auditing Act), Sections 2102.009 and 2102.0091. The report provides information on the audit plan, audits completed, external quality assurance review, and other internal auditing activities. For further information about the contents of this report, please contact our Office at 940-898-3260 or by email at agroover@twu.edu. Andrew S. Groover, M.Ed., CPA, CIA, CICA, CISA, CFE Director of Internal Audits Internal Audit Annual Report for Fiscal Year 2014 I. Compliance with House Bill 16: Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit information on Internet Web site The Office of Internal Audits has posted the Fiscal Year 2015 approved audit plan and the Fiscal Year 2014 Internal Audit Annual Report on the Office of Internal Audits website - http://www.twu.edu/internal-audits/. The following provides a detailed summary of deficiencies related to the Fiscal Year 2014 Audit Plan and the current implementation status of the recommendations. Audit Number 14-01 Audit Name Investments Audit Report Date 12/17/2013 Follow-up Audit Report Date* 8/18/2014 Recommendation(s) Status 1. Compliance with Section 2256.003 (b) of the PFIA should be improved. I 2. Compliance with Section 2256.005 (b) (3) of the PFIA should be improved. I 3. The Annual Tracking Report for Investment Reporting by Higher Education Institutions should be submitted to the State Auditor's Office by December 31 each year in compliance the requirements of the State Auditor’s Office. I 4. Management should ensure that question #2 (as required by the State Auditor’s Office) is updated to include whether or not the University uses directed brokerage or directed commission, commission recapture, or similar arrangements. I Page 1 Comments Follow-up completed. Responsible Party Dr. Brenda Floyd Kelly McCullar Internal Audit Annual Report for Fiscal Year 2014 1. Compliance with Code of Federal Regulations (CFR) Title 45 section 46.115 - IRB Records should be improved. 14-02 Institutional Review Board 1/22/2014 7/9/2014 I Dr. Robert Neely Dr. Jennifer Martin 2. Consent forms should meet the minimum standards required by the Guide to Writing a Consent Form. I 3. Management should consider backing up IRB documents in an electronic format. S Follow-up completed. Dr. Chandad Prasad Tracy Lindsay 1. Management should improve compliance with section 7 A of the Aramark contract related to mandatory ID photo badging and background checks conducted by TWU's Department of Public Safety. 14-03 Contracted Services 5/6/2014 2. Management should improve compliance with section 11 of the Aramark contract related to Licenses, Permits, and Taxes. 3. The Aramark contract should specifically include a requirement that Aramark provide evidence to TWU that Aramark employees have taken and passed the ServSafe Food Handler Program within their first week of employment. Page 2 Follow-up in progress. Dr. Monica MendezGrant Beth Lewis Internal Audit Annual Report for Fiscal Year 2014 1. Management should comply with TWU’s Discretionary Funds Guidelines or expand the Guidelines to include additional expenditure categories. 14-04 Discretionary Funds 2/24/2014 8/27/2014 2. Management should annually review the utilization of Discretionary Funds to make budget adjustments where necessary. Management should also consider implementing a maximum carryover percentage to allow flexibility, but also to ensure carryover amounts are minimal in relation to budgeted amounts. S Dr. Brenda Floyd Follow-up completed. Pam Wilson Vanna Parr I 1. The OFA should improve the feedback process by providing an automated feedback mechanism on the OFA website. 14-05 Financial Aid 4/24/2014 2. The OFA should periodically review access listings to web based applications to ensure that access is appropriate. 3. Management should comply with TWU Policy 3.30 - Staff Employee Performance Management and Evaluations. Page 3 Follow-up in progress. Gary Ray Governor Jackson Internal Audit Annual Report for Fiscal Year 2014 4. Compliance with Code of Federal Regulations (CFR) Title 34 section 668.43(a)(11)(ii) – Institutional Information, section 668.41(c)(2)(ii) – Reporting and Disclosure of Information, and section 668.42(c)(3) – Financial Assistance Information should be improved. 5. The OFA should work with the Office of Technology to improve the Colleague access listing by providing a detail description of the functions of the mnemonics specific to Financial Aid as well as deactivating mnemonics that are no longer being utilized. 6. The OFA should work with Human Resources to develop a solution to reduce employee turnover and improve retention. 7. The OFA should comply with TWU Policy 3.45 - Training and Development. 14-06 Department of Communication Sciences and Disorders 6/23/2014 1. The SpeechLanguage & Hearing Clinic should ensure that all client files contain the required clinic forms. Page 4 Estimated follow-up start date January 2015. Dr. Robert Neely Dr. Gay James Internal Audit Annual Report for Fiscal Year 2014 2. Communication Sciences and Disorders should comply with the TWU Cash Receipts Policy. 3. Management should develop a process to ensure former employees assignments are terminated timely. 4. Management should develop a process to ensure that access to Anatomy.TV is terminated when students graduate or are no longer in the program. 5. Communication Sciences and Disorders should comply with the minimum syllabi requirements. 6. Management should consider backing up client files in an electronic format. 7. Communication Sciences and Disorders should ensure all hyperlinks and information on the website are kept current. 8. Management should comply with TWU Policy 3.45 – Training and Development. 9. Management should comply with TWU Policy 9.09 Authentication. Page 5 Dr. Erika Armstrong Internal Audit Annual Report for Fiscal Year 2014 10. Data should be backed up on the network drive to ensure continuity. Also, the Department of Communication Sciences and Disorders network drive access listing should be periodically reviewed to ensure appropriate access. 11. Management should formalize the reconciliation process for Communication Sciences and Disorders budget accounts. 12. Clinic fees assessed should agree to the SpeechLanguage & Hearing Clinic Fee Appeal Notice approved by the Dean of Health Sciences. Also, all discounts offered to clients should be documented and approved by the Dean of Health Sciences. 1. Conference Services should ensure that Release Forms are obtained from persons who agree to be included in marketing materials. 14-07 Conference Services 6/9/2014 2. Conference Services should ensure all information on the website is current. Also, Conference Services should work with the Office of Technology to implement online Page 6 Estimated follow-up start date December 2014. Dr. Monica MendezGrant David Sweeten Internal Audit Annual Report for Fiscal Year 2014 reservation forms. 3. Management should comply with TWU Policy 7.01 – Access Key Control. 4. Conference Services should comply with the TWU Cash Receipts Policy and the TWU Credit Card Acceptance and Security Policy. 1. Client Services should ensure swipe card access listings are periodically reviewed to ensure appropriate access. 2. Client Services should comply with TWU Policy 9.01 Computer & Software Acceptable Use. 14-09 Client Services 7/14/2014 3. Client Services should comply with the TWU Policy 3.45 – Training and Development. 4. The Client Services network drive access listing should be periodically reviewed to ensure appropriate access. 5. Client Services should ensure hyperlinks and information on the website is kept current. 6. Client Services should comply with TWU Policy 7.01 – Access Key Control. Page 7 Estimated follow-up start date January 2015 Dr. Robert Neely Robert Placido Dennis Hoebee Internal Audit Annual Report for Fiscal Year 2014 7. Client Services should ensure that New Equipment Sheets are completed properly and maintained or discontinue use of the form. 14-10 Family Educational Rights and Privacy Act (FERPA) 8/22/2014 1. Management should mandate that FERPA training be completed by all faculty members including adjunct faculty. Estimated follow-up start date February 2015 Gary Ray Robert Lothringer 1. Management should comply with the TWU Cash Receipts Policy. 2. Management should ensure that data is backed up on the network drive to ensure continuity. 14-11 Printing and Mailing Services 9/11/2014 3. Management should comply with TWU Policy 3.45 – Training and Development. 4. Management should comply with TWU Policy 3.30 - Staff Employee Performance Management and Evaluations. 5. Management should formalize the reconciliation process for Printing and Mailing Services budget accounts. Page 8 Estimated follow-up start date March 2015 Dr. Brenda Floyd Pam Wilson Carrie Gartman Internal Audit Annual Report for Fiscal Year 2014 6. Management should recycle, sell or dispose of equipment, machinery and supplies that are obsolete or not being utilized. 7. Management should comply with the TWU Procurement Card Guidelines. 8. Management should comply with TWU Policy 7.01 – Access Key Control. I - Implemented - Recommendation is implemented and in place. S- Substantially Implemented - Recommendation is near completion with most aspects in place. P - Partially Implemented - Recommendation is in the initial stages with some aspects in place. N - Not Implemented - No action taken by management. II. Planned Work Related to the Proportionality of Higher Education Benefits An audit of Benefits Paid Proportional By Fund has been conducted and is currently in the draft report stage. III. Internal Audit Plan for Fiscal Year 2014 Report Number 14-01 14-02 14-03 14-04 14-05 Report Date 12/17/2013 1/22/2014 5/6/2014 2/24/2014 4/24/2014 14-06 6/23/2014 14-07 6/9/2014 14-08 N/A 14-09 14-10 14-11 7/14/2014 8/22/2014 9/11/2014 14-12 N/A Report Title Complete Investments Institutional Review Board Contracted Services Discretionary Funds Financial Aid Department of Communication Sciences and Disorders Conference Services PCI/DSS (Payment Card Industry/Data Security Standard) Client Services FERPA Printing & Mailing Services Benefits Paid Proportional By Fund Page 9 Y Y Y Y Y Y Y Draft Report Stage Y Y Y Draft Report Stage Internal Audit Annual Report for Fiscal Year 2014 The following are deviations from the FY 2014 audit plan. Life Safety Code – This audit was not conducted as there were recent prior reviews and re-inspections conducted by the State Fire Marshall. Tuition and Fees – Not completed due to time constraints and turnover in the Bursar’s Office. This audit will be included on the FY 2015 audit plan. Information Technology Governance – Development and implementation of the new IT Governance structure and policy was not completed until June 2014. Now that the structure and policy are in place, the audit will be completed as part of the FY 2015 audit plan. Benefits Paid Proportional By Fund – Added to the FY 2014 audit plan per directive from Governor Rick Perry. IV. Consulting Services and Non-audit Services Completed No consulting services or non-audit services were performed or completed during fiscal year 2014. V. External Quality Assurance Review (Peer Review) SEE PAGES BELOW Page 10 Internal Audit Annual Report for Fiscal Year 2014 Page 11 Internal Audit Annual Report for Fiscal Year 2014 Page 12 Internal Audit Annual Report for Fiscal Year 2014 Page 13 Internal Audit Annual Report for Fiscal Year 2014 Page 14 Internal Audit Annual Report for Fiscal Year 2014 VI. Internal Audit Plan for Fiscal Year 2015 The fiscal year 2015 audit plan was prepared using risk assessment techniques that identify the individual audits to be conducted during the year. The risk factors included: - Years since last audit - Statutory Requirements/Government Regulations - Loss/Litigation potential - Materiality/Size - Cost savings/Revenue potential - Prior recommendations - Multiple campus locations - Complexity/Changes/Technology - Visibility/Public Image - Other concerns The audits were chosen from high, medium and low risk areas, with greater emphasis given to the higher risk areas. This allows for broad audit coverage of campus areas, while concentrating on areas of higher risk. As a result, the following 13 areas were chosen for audit and approved by the TWU Board of Regents on August 15, 2014. Assistant Director Director Auditor I 30 325 0 300 5 0 30 0 350 30 325 0 30 300 0 300 5 0 300 5 0 20 200 0 25 0 250 20 200 0 25 0 250 10 0 150 25 0 250 Audit Colleague Information Technology Governance Research Grants Tuition and Fees Texas Adminitrative Code 202 Clery Act College of Nursing Institutional Research and Data Management Fitness & Recreation Marketing & Communication Graduate School JAMP (Joint Admissions Medical Program). Intercultural Services Annual internal audit report Internal quality assurance Follow-up audits Investment Reports Review Special Projects Administrative Professional Development Holidays Vacation Sick Leave TOTAL Page 15 Total 355 305 380 355 330 305 305 220 275 220 275 160 275 1145 1365 1250 3760 40 120 150 5 120 100 40 128 132 100 0 5 150 0 120 40 40 128 132 100 0 5 150 35 120 156 40 128 96 100 40 130 450 40 360 296 120 384 360 300 935 715 830 2480 2080 2080 2080 6240 Internal Audit Annual Report for Fiscal Year 2014 There are no audits in the Fiscal Year 2015 Audit Plan that relate to proportionality of benefits. This audit was commenced during Fiscal Year 2014 and is currently in the draft report stage. The audit of Texas Administrative Code 202 is included in the Fiscal Year 2015 Audit Plan above. Risk areas ranked as “high” but not scheduled to be audited during fiscal year 2015. VII. Property and Surplus Oracle – Human Resources module Cash & Cash Receipts Construction Oracle – Financial module Teaching & Learning with Technology Athletics Environmental Safety & Health Travel Bonds Public Safety (Police) Procurement Cards Red Flags Rule (FTC) Time and Effort Reporting Vehicles PCI/DSS Building Maintenance Scholarships Accounts Receivable Admissions Admissions Processing Payroll Purchasing/Cash Disbursements/Accounts Payable Telecommunications Lab Safety External Audit Services Procured in Fiscal Year 2014 No external audit services were procured during fiscal year 2014. Page 16 Internal Audit Annual Report for Fiscal Year 2014 VIII. Reporting Suspected Fraud and Abuse Actions taken to implement the requirements of: Fraud Reporting. Article IX, Section 7.09. Fraud Reporting, General Appropriations Act (83rd Legislature, Conference Committee Report). TWU has placed a link on the TWU homepage that states “Report Fraud, Waste, or Abuse in Texas”. This link takes the user directly to the State Auditor’s Office webpage for reporting fraud, waste, and abuse. The Office of Internal Audits has also paced the same link on its webpage. TWU has also incorporated into its “Fraud and Fraudulent Activities” policy information on how to report suspected fraud involving state funds to the State Auditor’s Office. This information includes a link to the State Auditor’s Office website http://sao.fraud.state.tx.us. Texas Government Code, Section 321.022, Coordination of Investigations. TWU has procedures incorporated into its “Fraud and Fraudulent Activities” policy to ensure that the State Auditor’s Office is notified of any fraud, waste, or abuse of state funds received by the University. Page 17