Finance and Audit Committee
FY2013 Risk Assessment and Internal Audit and Compliance Plan
August 27, 2012

FY2013 Internal Audit Risk Assessment: Key Risk Areas

ACADEMIC ENTERPRISE: STUDENT- AND FACULTY-BASED PROCESSES

• Business risk: Does the research and innovation division of the University conduct its financial business in a responsible and transparent manner, consistent with appropriate accounting principles?
  Planned activity: Review financial transactions of the University of Toledo Innovation Enterprises. Ensure that appropriated amounts were used for their intended purposes.

• Business risk: Is financial aid awarded only to eligible students, consistent with the terms of the various award programs?
  Planned activity: Review student financial aid procedures and test a sample of loans to ensure that eligibility requirements are met and financial aid is disbursed accurately.

• Business risk: Are faculty members utilized to their fullest potential, consistent with University policy and expectations? Are academic programs meeting the financial and societal goals established for them?
  Planned activity: Advise in the development of a methodology for confirming the achievement of faculty workload goals. Support the University-wide initiative for evaluating the viability of academic programs.

ACADEMIC ENTERPRISE: INFORMATION TECHNOLOGY

• Business risk: Is access to Electronic Protected Health Information restricted only to employees and clinical business partners on a “need to know” basis?
  Planned activity: Evaluate procedures and controls over information security administered by the Information Technology Department. Evaluate the effectiveness of provisioning and de-provisioning access privileges to the various clinical systems.

• Business risk: Are the University’s operating practices well aligned with recent changes to information security and privacy regulations?
  Planned activity: Collaborate with the IT Department to identify areas of required federal or state compliance across functional and administrative boundaries, such as:
    HIPAA Privacy and Security Rules
    FERPA
    Identity Theft Red Flags
    Records Retention
    Use of Electronic Signatures and Records
    Gramm–Leach–Bliley Act
    Authenticating Health Care Records

• Business risk: Does the University comply with Payment Card Industry standards for network security when processing University credit card transactions at all locations?
  Planned activity: Self-assess security and application controls over the computer networks that process student and patient credit card transactions. Independently evaluate compliance with these controls.

• Business risk: Have the system implications of the recent changes to the academic advising process been fully tested prior to implementation?
  Planned activity: Participate in the student advising new systems development project as a controls consultant and review the nature and extent of user testing and acceptance.

ACADEMIC ENTERPRISE: INTERCOLLEGIATE ATHLETICS

• Business risk: Are revenues and expenses pertaining to intercollegiate athletics accounted for properly according to National Collegiate Athletic Association (NCAA) rules and University policy?
  Planned activity: Evaluate the quality of financial controls over athletic student aid; guarantees; support staff/administrative salaries, benefits and bonuses paid by the University and related entities; and recruiting.

• Business risk: Do student-athletes meet all applicable academic eligibility requirements, and if a student does not, are they prohibited from representing the University in intercollegiate athletics competition?
  Planned activity: Determine the level of compliance with NCAA regulations pertaining to academic and general requirements. These include general eligibility requirements, seasons of competition, freshman academic requirements, progress-toward-degree requirements, transfer regulations, high school all-star games, and outside competition.

• Business risk: Does the University limit its organized practice activities, the length of its playing seasons, and the number of its regular-season contests and/or dates of competition in all sports, as well as the extent of its participation in non-collegiate sponsored athletics activities, to minimize interference with the academic programs of its student-athletes?
  Planned activity: Determine the level of compliance with NCAA regulations pertaining to playing and practice sessions. These include general playing-season regulations, foreign tours, and playing rules.

• Business risk: Are football attendance statistics accurately recorded and reported in a timely manner to the NCAA?
  Planned activity: Review and certify attendance counts for all University home football games per NCAA regulations.

ACADEMIC ENTERPRISE: CROSS-FUNCTIONAL ACTIVITIES

• Business risk: Does the University provide reasonable accommodations to students, patients, and staff who have a form of disability?
  Planned activity: Establish a comprehensive Americans with Disabilities Act compliance program, which includes a comprehensive series of audits in the following areas:
    Employment
    Public Accommodations (and commercial facilities)
    Public Entities (and public transportation)
    Telecommunications

• Business risk: Do campus-wide enterprises such as meal plans, parking permits, Rocket ID cards, the campus bookstore, Rocket Wireless, vending/copy machines, the UT Medical Center gift shop, on-campus banking, and affiliate UTAD creation capture the revenue they receive in a controlled manner?
  Planned activity: Assess the accuracy and integrity of the components of miscellaneous income as reported in The University of Toledo financial statements. Review compliance with key terms of various services contracts in this area.

• Business risk: Are employees paid only for time worked, and are the associated expenses accurately recorded in the general ledger?
  Planned activity: Comprehensively evaluate procedures and controls pertaining to payroll processing, including reporting and monitoring procedures. Develop a risk and controls assessment for payroll processing.

CLINICAL ENTERPRISE: UNIVERSITY OF TOLEDO MEDICAL CENTER

• Business risk: Are all billable transactions captured at the time of inpatient diagnosis and fully reflected in customer bills?
  Planned activity: Review the accuracy and reliability of the charge master databases, the charge capture process, and procedures for maximizing inpatient margins.

• Business risk: Do construction and supply chain vendors doing business with the University comply with the provisions of their contracts?
  Planned activity: Review commercial contracts of selected vendors and projects at The University of Toledo Medical Center.

• Business risk: Is UTMC taking appropriate steps to ensure compliance with Joint Commission accreditation standards as they pertain to human resource support on an ongoing basis?
  Planned activity: Review Joint Commission standards pertaining to human resource support, determining whether effective UTMC problem identification/resolution procedures are in place relative to these standards.

CLINICAL ENTERPRISE: CLINICAL COMPLIANCE

• Business risk: Is UTMC prepared for upcoming changes to the coding of medical transactions?
  Planned activity: Review system and documentation requirements to ensure readiness for future ICD-10 coding classifications.

• Business risk: Do the hospital and clinic computer systems under development promote a streamlined and secure process flow between the patient, Information Technology, and operating departments?
  Planned activity: Participate in the various “Meaningful Use” new clinical systems development projects as a controls consultant and identify opportunities for system and process integration between diverse stakeholder business functions.

• Business risk: Does the compliance plan protect the academic and clinical enterprises from significant violations of the law and internal policies, as well as preserve the confidentiality of patient and student information?
  Planned activity: Update the Finance and Audit Committee on the nature and resolution of clinical and academic compliance and privacy events processed by the University, including:
    HIPAA
    FERPA
    Stark Law
    Other aspects of clinical compliance