Annual Report on Internal Audit Activities 2007-08. ANNUAL REPORT ON INTERNAL AUDIT ACTIVITIES 2007- 08. Executive Summary – Introduction Internal Audit Program--Results & Analysis Statistics Systemwide and Significant Individual Audit Results
Internal Audit Activities
During FY08, the UC Internal Audit Program:
* See definitions at Page 11
In conjunction with the over 650 completed Audit, Advisory Services and Investigation reports issued, we identified no conditions that we believed to represent material deficiencies in internal controls to the University system as a whole from a financial standpoint. In addition, while we acknowledge that management has ultimate responsibility for establishing internal controls to manage risks, we identified no circumstances in which we believe that management’s decisions resulted in the acceptance of unreasonable levels of risk.
Further, based on our FY08 work, we can assert the following as being generally true with no reportable exceptions:
Although we did not identify material control deficiencies, there are opportunities for the University to implement more effective controls in a number of areas and there are ongoing challenges to effective controls and compliance as indicated by the frequency of observations regarding:
See Section II.C at pages 15-17 for a more detailed discussion of internal control challenges and opportunities.
See also information on staffing and turnover in Section III at pages 29 and 30.
High Risk Audit Coverage
In conjunction with the audit planning risk assessment, the top ten risks are identified at each campus and medical center, LBNL and UCOP. Coverage statistics for High Risk items relates to completed audits and advisory service projects. All of the risks initially identified as high risks, are either subject to current audit work, reassessed based on later data at a lower risk level, or determined to be addressed through another process (e.g. compliance, management initiative) such that all risks initially identified as high are addressed in some fashion.
Coverage of Core Audit Areas
The audit program has identified a number of core business processes and functions (e.g. payroll, hospital receivables, procurement and disbursements) that are subjected to periodic auditing to ensure coverage over approximately a 3-5 year cycle. The result is an audit approach that is fundamentally risk based, but ensures attention to basic business processes and functions with reasonable frequency.
The chart below distributes effort by service type (7-Year Trend).
This chart demonstrates that our continued primary emphasis is the program of regular audits.
The chart also depicts a leveling off of the advisory services and investigation activities. Our goal has been to increase the advisory service activity but special audit work has prevented us from achieving that goal.
B. SYSTEMWIDE AND SIGNIFICANT INDIVIDUAL AUDIT RESULTS
Executive Compensation—We continued to perform an annual review of Executive Compensation, verifying the accuracy of the Annual Report on Executive Compensation. While we found the processes for preparing the report to be generally adequate to ensure its completeness and accuracy, we continue to work with the SMG coordinators to strengthen the processes.
Health Sciences Compliance Programs—For year end 2007, we continued to perform an annual review of the Health Sciences Compliance Programs, reviewing their annual reports, program structure adequacy, and conformance to the commitments made to regulators for the conduct of the programs. We concluded that the programs continued to function effectively. For 2008 and beyond, the new Compliance Program under SVP Vacca assumes monitoring of these programs.
Willed Body Programs—We continued to assess the progress toward full implementation of corrective actions resulting from the report of the Task Force headed by former Governor Deukmajian. While progress in certain areas has been slow, the long-awaited system for tracking of all donations, utilization, allocations and disposition is in the process of implementation. We have reported to SVP for Health Sciences and Services Dr. Stobo, the continuing needs to complete the secondary phases of the system implementation, finalize the RFID system for material control, and establish a policy for procurement of anatomical material by all UC users.
IT Security—The audit plan for the year anticipated performing a validation of a self assessment carried out by the CIO’s at each UC location. While the self assessments were completed, we found that they lacked consistency in applying evaluation criteria that would allow internal auditors to perform uniform validation across the System. As a result, we have worked with UC’s new CIO, David Ernst on improvements to the process that will be carried out in the current year as a next iteration of the assessments of IT security.
B. SYSTEMWIDE AND SIGNIFICANT INDIVIDUAL AUDIT RESULTS (con’t.)
Office of the President, Special Research Programs—At the request of Vice President Beckwith, Internal Audit engaged in a study of organizational structure, compliance with enabling legislation, funding and business practices, and reasonableness of expenditures of the Special Research Programs administered by UC for the state of California. These are the programs related to Breast Cancer, Aids and Tobacco Related Diseases research. The purpose of the special project was to provide information to VP Beckwith to assist him in reorganization efforts for the research programs.
Education Loan Policy—Based on a systemwide audit assessment of UC’s student lending programs and practices late in the prior year, we were instrumental in the formulation of revised UC Presidential Policy on Education Loan Practices.
Professional School Admissions—At the request of then Provost Humes, and in response to the findings of a UCLA investigation, we performed a systemwide review of admissions practices for professional schools in the health sciences. While the review identified no improper practices, we made a number of recommendations to improve processes, documentation of admissions decision-making criteria and management of potential conflicts of interest that will aid clarity, consistency and transparency.
Major Investigations—Several notable investigations were concluded which have earlier been the subject of communications to The Regents and management. Those with the most significant outcomes and internal control implications include: UC Davis Food Stamp Nutrition Education Program fraudulent expenditures and unallowable costs, UCSD Preuss Charter School grade changes and related matters, UCI Communications payments to a non-existent vendor controlled by an employee, and the UCLA/UC Santa Barbara Electrical and Computer Engineering investigation of payments to a full time employee for services through a temporary services agency. For some of the cases, there remain pending criminal and administrative actions. Internal control contributing factors in the investigations and corrective actions are included in observations expressed in following sections of this report.
C. SIGNIFICANT AND RECURRENT INTERNAL CONTROL ISSUES (con’t.)
The University’s control challenges are made more acute by the shortage of resources to address all issues with adequate solutions, especially technology solutions. UC has continued to experience substantial growth without comparable investment in administrative systems and infrastructure, including personnel. Historically, UC has relied on many people-based controls at the transaction or “event” level, together with trust and the goodwill of a committed workforce. With dated systems, and a diminishing capacity of people-based processes the reliability of controls becomes more and more suspect. As a result, the challenges to the control systems are chronic and require new and different approaches.
The creation of the Compliance & Ethics programs are important new initiatives, as is the beginning of the establishment of an Enterprise Risk Management system. In addition, Internal Audit recommends a more aggressive use of continuous monitoring techniques—data mining, analytical and budgetary reviews, scanning for anomalies, etc. to identify possible aberrant events and to improve oversight as a deterrent to inappropriate behavior.
D. STATISTICAL INFORMATION – Coverage and MCAs
As previously indicated, our FY08 audit program work produced 652 audit, advisory service, and investigation reports resulting in 2,253 Management Corrective Actions (MCAs). The chart below depicts the breadth of coverage over the 13 major functional areas of the University. As shown in the table below, the distribution of MCAs correlates closely with the effort expended across the functional areas. This demonstrates that there are opportunities for control improvement wherever our attention is focused.
The chart below shows the risk rating of the 2,253 MCAs for FY08 by service type.
Each audit finding and its associated MCA is given a rating of high, medium or low risk by the auditors. This judgment is made in a local context, and items identified as high do not necessarily convey material deficiencies or risks beyond the operating environment in which found. A primary objective of this classification is to drive a greater sense of urgency in completing the corrective action and completion of audit follow-up.
High risk MCAs would include those that are systemic or have a broad impact, have contributed to a significant investigation finding, are reportable conditions under our professional literature, create health or safety concerns, involve senior officials, create exposure to fines, penalties or refunds or are otherwise judged as significant control issues.
Status of Completion of Management Corrective Actions
MCAs are classified initially as open and are only moved to closed status after validation by auditors that the agreed upon corrective actions have been taken and sustainable improvement has been achieved.
The number of open MCAs increased from 610 to 1,073 at the end of the year because of the significant volume of new MCA’s resulting from current year audit activities. The overall churning of MCAs—with closures representing nearly three times the opening volume and nearly 80% of new MCAs—demonstrates that in general management completes the agreed upon corrective action in a timely fashion.
The following charts display the completion status for the entire population of MCAs with more detailed analysis of high risk past due items which are individually reported starting on page 23. We believe that reporting to the Audit Committee the unmitigated high risk audit findings fulfills a core professional obligation.
The chart below shows the status of all 11,782 MCAs
The 91% overall rate of closure of the MCAs to date reflects the success of audit follow-up efforts. The 93% rate of closure for high risk items reflects their appropriately greater attention.
The reasons for untimely completion are unique to each situation, however a common factor has been delays in systems’ solutions. Resource constraints is the other most commonly cited reason. For all high risk past due items auditors have determined that the matter is currently receiving attention needed to bring to closure in a reasonable time frame.
The chart below shows the aging statistics of the inventory of 182 Open High Risk MCAs
The majority of the open items (163) are not yet due, however, 19 are past due.
These past due issues have been brought to the attention of senior management and active resolution plans are in process. The goal of reducing these items to zero (or a negligible number occasioned by highly unusual circumstances) is clearly understood and accepted by all responsible for addressing these items.
The 19 past due MCAs are listed on the following pages.
Past Due High Rated MCAs
This section contains an analysis of staffing levels by location compared to UC and industry benchmarks. The analysis is based on the authorized staffing levels rather than the number of positions actually filled at any moment in time. For FY08, the Internal Audit Program operated at approximately 89% of authorized capacity due to turnover, and positions left open because of budget constraints.
This section also contains a table of miscellaneous statistical information for the University Audit Program.
And lastly, this section chronicles change initiatives and program improvements currently underway.
The charts below display staffing benchmarks for the campuses and Office of the President.
UC in general varies from the higher education benchmark average for expenditures per auditor by a substantial margin, and this gap has widened in recent years. However, when combined with the employee ratio data you can see that UC employees in general are more highly leveraged than our average counterparts. As a result, at only four campuses, UCB, UCD, UCI and UCSF, is there some concern regarding staffing adequacy.
In general, the smaller institutions appear to be more well staffed. However, this is due to the fact that certain audit activities are not directly impacted by size.
We share this information with management at each location for the purpose of assessing the adequacy of the audit program staffing.
In June 2008, Protiviti reported on their Quality Assurance Review of the UC Internal Audit Program. While the results were generally favorable, confirming a program that meets all professional standards, Protiviti provided a number of recommendations for further improvement of the Program most notably in the IT audit program. Since receiving the report, a workgroup of UC Audit Directors has redefined the expectations of the UC IT audit program, and under a new systemwide IT audit leadership structure, is addressing the issue of skills, resources and programs to meet the revised expectations for each UC audit location.
The Certified Internal Auditor (CIA) designation is the only globally accepted certification for internal auditors and remains the standard by which individuals demonstrate their competency and professionalism in the internal auditing field. At present, the University of California has 100 auditors at 11 locations, of whom 33 hold the CIA designation. In an effort to increase the number of UC auditors holding this designation, the Office of Ethics, Compliance, and Audit Services has sponsored a CIA designation drive. At present 25 auditors from 9 locations have signed up to participate in this effort.
The systemwide audit program is in the midst of a project to improve our internal project management and reporting capabilities through development of web based modules for time reporting, project management, quarterly reporting to the University Auditor and management of MCA’s. The initial module is in use at several locations and all of the system’s capabilities are expected to be rolled-out during the current year for full utilization by the beginning of the next fiscal year.
The auditing profession has long struggled with the question of how to determine the appropriate staffing level for an audit program. The existing benchmark data tends to consider organization size as the only driver. There is an increasing awareness that risk varies considerably within comparably sized organizations and that audit staff size should be related more to risk than size. In addition, the creation of compliance and ethics programs have served to somewhat change the role of internal audit for many institutions. UC, in partnership with the Institute of Internal Auditors Research Foundation and the Association of College and University Auditors is sponsoring an academic–led research project to identify improved measures of staffing adequacy factoring in more variables than organization size. The results are expected in the winter of 2009.
The Regents’ Committee on Audit
UCB UCD UCI UCLA UCR UCSB UCSC UCSD UCSF LBNL
Chancellor Birgeneau Interim Provost and Executive VC Horwitz Vice Chancellor Brase Vice Chancellor Olsen Vice Chancellor Bolar Vice Chancellor Carpenter
Vice Chancellor Vani
Vice Chancellor Matthews
Interim Vice Chancellor Lopez Laboratory Director Chu
UC President M. G. Yudof
SVP, Chief Compliance and Audit Officer, S. Vacca
EVP, Business Operations K. Lapp
University Auditor P.V. Reed (2.5)
UCI P.Reed (acting) (9)
UCR M. Jenson (6)
UCSC G. Gail (6)
UCSF A. Zubov (12)
UCLA E. Pierce (27)
UCSB C. Whitebirch (6)
UCSD S. Burke (16.2)
UCOP P. Reed (6.5)
UCD R. Catalano (12)
UCB W.L. Riley (8.5)
LBNL T. Hamilton (6)
Total Professional Staff, including the Director, is in parentheses. Total Authorized Professional Positions = 117.7
(LANL& LLNL Audit Departments not reflected in UC Audit Program)