FY2013 Internal Audit Risk Assessment

Finance and Audit Committee
FY2013 Risk Assessment and
Internal Audit and Compliance Plan
August 27, 2012
KEY RISK AREA: ACADEMIC ENTERPRISE: STUDENT- AND FACULTY-BASED PROCESSES

Business risk: Does the research and innovation division of the University conduct its financial business in a responsible and transparent manner, consistent with appropriate accounting principles?
Planned activity: Review financial transactions of the University of Toledo Innovation Enterprises. Ensure that appropriated amounts were used for their intended purposes.

Business risk: Is financial aid awarded only to eligible students, consistent with the terms of the various award programs?
Planned activity: Review student financial aid procedures and test a sample of loans to ensure that eligibility requirements are met and financial aid is disbursed accurately.

Business risk: Are faculty members utilized to their fullest potential, consistent with University policy and expectations? Are academic programs meeting the financial and societal goals established for them?
Planned activity: Advise in the development of a methodology for confirming the achievement of faculty workload goals. Support the University-wide initiative for evaluating the viability of academic programs.
KEY RISK AREA: ACADEMIC ENTERPRISE: INFORMATION TECHNOLOGY

Business risk: Is access to Electronic Protected Health Information restricted only to employees and clinical business partners on a "need to know" basis?
Planned activity: Evaluate procedures and controls over information security administered by the Information Technology Department. Evaluate the effectiveness of provisioning and de-provisioning access privileges to the various clinical systems.

Business risk: Are the University's operating practices well aligned with recent changes to information security and privacy regulations?
Planned activity: Collaborate with the IT Department to identify areas of required federal or state compliance across functional and administrative boundaries, such as:
- HIPAA Privacy and Security Rules
- FERPA
- Identity Theft Red Flags
- Records Retention
- Use of Electronic Signatures and Records
- Gramm-Leach-Bliley Act
- Authenticating Health Care Records

Business risk: Does the University comply with Payment Card Industry standards for network security when processing University credit card transactions at all locations?
Planned activity: Self-assess security and application controls over the computer networks that process student and patient credit card transactions. Independently evaluate compliance with these controls.

Business risk: Have the system implications of the recent changes to the academic advising process been fully tested prior to implementation?
Planned activity: Participate in the student advising new systems development project as a controls consultant and review the nature and extent of user testing and acceptance.
KEY RISK AREA: ACADEMIC ENTERPRISE: INTERCOLLEGIATE ATHLETICS

Business risk: Are revenues and expenses pertaining to intercollegiate athletics accounted for properly according to National Collegiate Athletic Association (NCAA) rules and University policy?
Planned activity: Evaluate the quality of financial controls over athletic student aid; guarantees; support staff/administrative salaries, benefits and bonuses paid by the University and related entities; and recruiting.

Business risk: Do student-athletes meet all applicable academic eligibility requirements, and if a student does not, is that student prohibited from representing the University in intercollegiate athletics competition?
Planned activity: Determine the level of compliance with NCAA regulations pertaining to academic and general requirements. These include general eligibility requirements, seasons of competition, freshman academic requirements, progress-toward-degree requirements, transfer regulations, high school all-star games, and outside competition.

Business risk: Does the University limit its organized practice activities, the length of its playing seasons, the number of its regular-season contests and/or dates of competition in all sports, and the extent of its participation in non-collegiate sponsored athletics activities, so as to minimize interference with the academic programs of its student-athletes?
Planned activity: Determine the level of compliance with NCAA regulations pertaining to playing and practice seasons. These include general playing-season regulations, foreign tours, and playing rules.

Business risk: Are football attendance statistics accurately recorded and reported in a timely manner to the NCAA?
Planned activity: Review and certify attendance counts for all University home football games per NCAA regulations.
KEY RISK AREA: ACADEMIC ENTERPRISE: CROSS-FUNCTIONAL ACTIVITIES

Business risk: Does the University provide reasonable accommodations to students, patients, and staff who have a form of disability?
Planned activity: Establish a comprehensive Americans with Disabilities Act compliance program, which includes a comprehensive series of audits in the following areas:
- Employment
- Public Accommodations (and commercial facilities)
- Public Entities (and public transportation)
- Telecommunications

Business risk: Do campus-wide enterprises such as meal plans, parking permits, Rocket ID cards, the campus bookstore, Rocket Wireless, vending/copy machines, the UT Medical Center gift shop, on-campus banking, and affiliate UTAD creation capture the revenue they receive in a controlled manner?
Planned activity: Assess the accuracy and integrity of the components of miscellaneous income as reported in The University of Toledo financial statements. Review compliance with key terms of the various services contracts in this area.

Business risk: Are employees paid only for time worked, and are the associated expenses accurately recorded in the general ledger?
Planned activity: Comprehensively evaluate procedures and controls pertaining to payroll processing, including reporting and monitoring procedures. Develop a risk and controls assessment for payroll processing.
KEY RISK AREA: CLINICAL ENTERPRISE: UNIVERSITY OF TOLEDO MEDICAL CENTER

Business risk: Are all billable transactions captured at the time of inpatient diagnosis and fully reflected in customer bills?
Planned activity: Review the accuracy and reliability of the charge master databases, the charge capture process, and procedures for maximizing inpatient margins.

Business risk: Do construction and supply chain vendors doing business with the University comply with the provisions of their contracts?
Planned activity: Review commercial contracts of selected vendors and projects at The University of Toledo Medical Center.

Business risk: Is UTMC taking appropriate steps to ensure compliance with Joint Commission accreditation standards as they pertain to human resource support on an ongoing basis?
Planned activity: Review Joint Commission standards pertaining to human resource support, determining whether effective UTMC problem identification/resolution procedures are in place relative to these standards.
KEY RISK AREA: CLINICAL ENTERPRISE: CLINICAL COMPLIANCE

Business risk: Is UTMC prepared for upcoming changes to coding of medical transactions?
Planned activity: Review system and documentation requirements to ensure readiness for future ICD-10 coding classifications.

Business risk: Do the hospital and clinic computer systems under development promote a streamlined and secure process flow between the patient, Information Technology, and operating departments?
Planned activity: Participate in the various "Meaningful Use" new clinical systems development projects as a controls consultant and identify opportunities for system and process integration between diverse stakeholder business functions.

Business risk: Does the compliance plan protect the academic and clinical enterprises from significant violations of the law and internal policies, as well as preserve the confidentiality of patient and student information?
Planned activity: Update the Finance and Audit Committee on the nature and resolution of clinical and academic compliance and privacy events processed by the University, including:
- HIPAA
- FERPA
- Stark Law
- Other aspects of clinical compliance