2017-18 ANNUAL REPORT - USF


2017-18 ANNUAL REPORT
USF System Audit

MESSAGE FROM THE EXECUTIVE DIRECTOR

A year of transition

Has it been a year already? Each and every member of the audit team, as well as senior leadership and the Board of Trustees, especially the Audit and Compliance Committee (ACC), has been invaluable in my transition to the university. It’s great to be home again!

It was a very productive year, despite some personnel vacancies. USF System Audit (Audit) completed year two of its two-year work plan with ten audits, including three Information Technology (IT) audits, three consulting projects, and sixteen investigations. The team’s efforts throughout the year assisted university leadership with ensuring the appropriate internal control structure was in place to minimize the risk of asset loss, including fraud; promote effectiveness and efficiency of institutional resources; comply with applicable laws, rules, and regulations; and ensure data supporting the path to preeminence and performance-based metrics could be relied upon. Summaries of the work performed are included within this report.

Demonstrating their commitment to excellence, university leadership was proactive in responding to improve the control environment. Semi-annual reports were produced summarizing university leadership’s implementation of 55% of the audit recommendations open during the fiscal year.

Along with the internal work performed, the team continued to support external services received from the State Auditor General and the Office of Inspector General and Compliance. Also, IT audit services were provided at the request of USF Health Care for approximately 0.6 full-time resource equivalent.

As part of the Quality and Assurance Improvement Program, Audit underwent an intensive, external quality assessment, which is required at least once every five years. This was Audit’s third such review and the department has progressively improved with each assessment performed. This year’s external assessment confirmed the department “generally conforms” with the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing and Code of Ethics. “Generally conforms” is the highest level of achievement in the assessment process and for the first time no conformance gaps were identified. This was a great accomplishment for the team!

What an exciting, productive, and successful year for USF System Audit! We appreciate the unwavering support received from the President, senior leadership, and the ACC. A special thank you goes out to the Audit team, as well, for their expertise, persistence, and pursuit of excellence in making this year’s success possible!

Virginia L. Kalil
CIA, CFE, CISA, CRISC

AUDIT 2017-18

USF SYSTEM AUDIT

Virginia Kalil, Executive Director/Chief Internal Auditor
  Certified Internal Auditor
  Certified Fraud Examiner
  Certified Information Systems Auditor
  Certified in Risk and Information Systems Control
  BS Accounting, USF

Kate Head, Associate Director
  Certified Public Accountant
  Certified Fraud Examiner
  Certified Information Systems Auditor
  BS Accounting, Oklahoma State

Steve Cuppett, Assistant Director
  Certified Public Accountant
  Certified Internal Auditor
  Certified Information Systems Auditor
  Master of Accountancy, USF
  BS Accounting, USF

Amy Rollie, Assistant Director
  Certified Public Accountant
  Certified Fraud Examiner
  Master of Accountancy, USF
  BS Accounting, USF

Mariana Souza, Senior Audit Consultant
  Certified Accountant, Brazil
  Master of Control/Finance, Universidad de Brasilia, Brazil
  Bachelor of Accounting, Universidad de Brasilia, Brazil
  BS Bus Admin/Accounting, Campbellsville University

Olu Abiose, Senior Information Technology Audit Consultant
  Certified Information Systems Auditor
  Microsoft Certified Systems Engineer
  Certified in Risk and Information Systems Control
  Certified Information Security Manager
  HealthCare Information Security and Privacy Practitioner
  MBA, Creighton University
  MS Information Technology Management, Creighton University
  BS Accounting, University of Ilorin

Lena Huggett, Senior Information Technology Audit Consultant
  Certified Information Systems Auditor
  MS, Information Systems, University of Sheffield
  BA, Accounting and Finance, Manchester Metropolitan University

Eric Harmon, Audit Consultant
  Certified Public Accountant
  Certified Internal Auditor
  Certification in Control Self-Assessment
  MBA, University of Florida
  BSBA Finance, University of Florida

Kethessa Carpenter, Audit Consultant
  Certified Public Accountant
  BA Business Administration & Accounting, St. Leo University

Jolanda Thompson, Administrative Specialist
  BSBA Management, Northwood University

2018 Audit Team
Sitting (L-R): Amy Rollie, Steve Cuppett, Olu Abiose, Eric Harmon, Kethessa Carpenter; Standing (L-R): Lena Huggett, Mariana Souza, Virginia Kalil, Kate Head, and Jolanda Thompson

TABLE OF CONTENTS

MISSION, PURPOSE, AND ORGANIZATION
AUDITS
  o USF HEALTH OFFICE OF CLINICAL RESEARCH
  o USF HEALTH INFORMATION TECHNOLOGY - EPIC SYSTEM INTERFACES
  o VISITING SCHOLAR VISA PROCESSING
  o EXEMPT/NONEXEMPT EMPLOYEE CLASSIFICATION
  o PERFORMANCE-BASED FUNDING DATA INTEGRITY
  o COLLEGE OF THE ARTS BUSINESS OPERATIONS
  o UNIVERSITY TREASURER'S OFFICE
  o RESEARCH EXPENDITURES
  o BANNER ACCESS CONTROLS
  o HEALTH CARE AFFILIATE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) RISK ASSESSMENT REVIEW
INFORMATION TECHNOLOGY
CONSULTING SERVICES
ADVISORY SERVICES
INVESTIGATIONS
FOLLOW-UP ACTIVITY
ACTIVITY ANALYSIS
QUALITY ASSURANCE AND IMPROVEMENT PROGRAM
PROFESSIONAL ACTIVITIES
UPCOMING YEAR
AUDIT FY 2019 AND 2020 WORK PLAN

MISSION, PURPOSE, AND ORGANIZATION

USF System Audit (Audit) is responsible for providing the University of South Florida System with independent and objective assurance and advisory services that promote stewardship, accountability, integrity, efficiency, and compliance. These services assist the university in evaluating and improving governance, risk management, and control processes.

In order to effectively fulfill its responsibilities, Audit is organizationally independent from lly reports at an appropriate level within the organization. Audit reports functionally to the Audit and Compliance Committee (ACC) of the Board of Trustees (BOT) and administratively to the university President. This reporting relationship ensures responsibilities are carried out in a manner free from actual or perceived impairment.

The nature and scope of services provided by Audit include audits, compliance reviews, management advisory services, consulting, and investigations. Audit is committed to upholding the values of integrity, respect, excellence, and service in the performance of our duties.

AUDITS

Audit projects are performed in accordance with the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing (the “IIA Standards”). The IIA is the recognized authority for those in the internal audit profession and the IIA standards are required by the Florida Board of Governors Regulation 4.002 (6)(a) State University System Chief Audit Executives.

The USF System has adopted the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Control Framework which is utilized by Audit to assess the effectiveness of the internal control systems in place. The USF System’s internal control objectives are communicated to all USF System employees via USF System Policy 0023 Internal Control.

USF Health Office of astructure surrounding clinical trials. The audit focused on the internal control structure over non-federally sponsored clinical trial studies managed by the USF Health (USFH) Office of Clinical Research (OCR), with an emphasis on post-award administration. Specific objectives evaluated the design and effectiveness of controls in place related to: budget and project account setup in the university’s Financial Accounting SysTem (FAST); OCR fees and interdepartmental charges; sponsor billings; study participant payments; project closure; and system access controls.

Based on the review, Audit concluded there was an adequate system of internal controls in place, assuming corrective actions are taken timely to address the seven risks identified related to effective and efficient operations, IT, reporting, and safeguarding of assets.

USF Health Information Technology – Epic System Interfaces

Audit reviewed the controls over USFH’s Epic system interfaces, their electronic health record system. Epic is hosted by and shared with Tampa General Hospital (TGH).

Based on the review, recommendations were made to address three risks identified. This report was classified as confidential due to the sensitive nature of the IT issues disclosed.

Visiting Scholar Visa Processing

Audit reviewed the controls over visiting scholar visa processing. The audit focused on a review of the procedures used by the USF World Office of International Services (OIS) to process non-student J visas, utilized by visiting scholars hosted by the USF System. The audit included a review of the controls over data entered into the Student and Exchange Visitor Information System (SEVIS), a web-based system maintained by the United States (U.S.) Department of State and the U.S. Department of Homeland Security, to collect information on exchange visitors.

Based on the review, Audit concluded there was an adequate system of internal controls in place, assuming corrective actions are taken timely to address the five risks identified related to authorization, compliance with federal laws, effective and efficient operations, IT, and reporting.

Exempt/Nonexempt Employee Classification

Audit reviewed exempt/nonexempt employee classification. The audit focused on the processes by which USF System employees are classified as exempt or nonexempt and compliance with the Fair Labor Standards Act (FLSA), as well as other applicable federal and state regulations, industry best practices, guidance from the Society for Human Resource Management (SHRM), and relevant USF policies and procedures.

Based on the review, Audit concluded there was an adequate system of internal controls in place, assuming corrective actions are taken timely to address the five risks nce, IT, reporting, and separation of duties.

Performance-Based Funding Data Integrity

Audit reviewed the processes and controls established to ensure the completeness, accuracy, and timeliness of data submissions to the Board of Governors (BOG) in support of the Performance-Based Funding measures.

Based on the review, Audit concluded there was an adequate system of internal controls in place, assuming corrective actions are taken timely to address the two risks identified related to IT and reporting.

College of The Arts Business Operations

Audit reviewed the design and effectiveness of the administrative and financial controls related to the College of The Arts Business Operations. The audit focused on those controls performed by the college, ures, journal entries, property, payroll and human resources, research, USF Foundation activity, and USF Research Foundation activity.

Based on the review, Audit concluded there was an adequate system of internal controls in place, assuming corrective actions are taken timely to address the five risks identified related to IT, reporting, safeguarding of assets, and separation of duties.

University Treasurer’s Office

Audit reviewed the design and effectiveness of the University Treasurer’s Office (UTO) control structure related to investments and debt management.

Based on the review, Audit concluded there was an adequate system of internal controls in place, assuming corrective actions are taken timely to address the five risks identified related to authorization, reporting, and safeguarding of assets.

Research Expenditures

Audit reviewed the centralized administrative oversight procedures used by USF Sponsored Research Post Award for expenditures charged to research grants, contracts, or related agreements between USF and a sponsoring agency. The audit focused on controls in place designed to ensure compliance with applicable USF policies, procedures, and Uniform Guidance including: new award setup, expenditure transfers, certification of effort reporting, cost sharing, and final expenditures.

Based on the review, Audit concluded there was an adequate system of internal controls in place, assuming corrective actions are taken timely to address the six risks identified related to authorization, effective and efficient operations, reporting, and training and guidance.

Banner Access Controls

Audit performed a review of Student Information System security as related to Banner access controls.

Based on the review, recommendations were made to address two risks identified. This report was classified as confidential due to the sensitive nature of the IT issues disclosed.

Health Care Affiliate Health Insurance Portability and Accountability Act Risk Assessment Review

Audit reviewed the Health Insurance Portability and Accountability Act (HIPAA) risk assessments of a health care affiliate to obtain assurance that controls were sufficient to meet USF’s IT internal control requirements.

This report was classified as confidential due to the sensitive nature of the IT issues disclosed.

INFORMATION TECHNOLOGY

Audit’s information system projects are performed in accordance with the ISACA (formerly Information Systems Audit and Control Association) standards and guidelines. ISACA has designed this guidance as the minimum acceptable level of lities set out in the ISACA Code of Ethics for Auditing and Control Professionals. ISACA standards and guidelines are consistent with the Control Objectives for Information and Related Technology (COBIT)--an IT governance framework which enables management to bridge the gap between control objectives, technical issues, and business risk.

The IT Audit Team focuses on factors which impact the confidentiality, integrity, and availability of the university’s information systems as well as the resources held within those systems. Confidentiality not only addresses the security of sensitive data, but also whether access to such data is effectively controlled. IT audits of USF Health IT-Epic System Interfaces, and Banner System Access Controls were performed. The IT Audit Team also evaluated HIPAA risk assessments of a health care affiliate and consulted with management to perform a Banner and DegreeWorks Provisioning Gap Analysis (see Consulting Services).

Audit utilizes an integrated audit approach whereby the IT Audit Team assists the general Audit Team on audit and consulting s. Integrated audit projects this year included the USF Health Office of Clinical Research, Visiting Scholar Visa Processing, and Performance-Based Funding Data Integrity.

There are currently five Certified Information Systems Auditors (CISAs) on the Audit team. Two of these CISAs are also Certified in Risk and Information Systems Control (CRISC). One of the CRISCs is also a Certified Information Security Manager and certified as a HealthCare Information Security and Privacy Practitioner (HCISPP).

CONSULTING SERVICES

Consulting projects are collaborations between university leadership and Audit. Services may be requested in advance and included as part of the annual work plan; however, many requests are made throughout the year. A project’s objective will vary depending on the needs of leadership, but may include improving a process or procedure; assisting in the implementation of a new system; interpreting laws, rules, policies, and other guidance; or facilitating education/training programs. These services are proactive in nature and can be helpful to any university function or department.

Three consulting projects were performed this year, as follows: Human Resources Decentralized Controls; USF College of Pharmacy’s Department of Pharmaceutical Sciences; and Banner and DegreeWorks Provisioning Gap Analysis.

ADVISORY SERVICES

Audit is committed to providing proactive advice on internal controls, operations, and compliance. Requests for advisory services may come from various management levels throughout the university and often involve emerging issues in research, IT, or compliance. The information we provide through these services assists management in decision making and improving operations. Results of these types of services are communicated verbally or through a memorandum.

INVESTIGATIONS

The President and the BOT have charged Audit with performing investigations related to the university and its associated organizations. Investigations are an objective review of evidence related to a complaint or allegation. Audit may receive complaints or allegations from EthicsPoint, the university’s anonymous reporting system, or directly from an individual. Concerns may also be referred by various university offices or state and local government agencies.

Reports of complaints, allegations, or concerns may or may not be supported by the facts. That is why it is critical that the investigative process be managed discreetly and confidentially to ensure the integrity of the process and protect the reputations of named individuals. Florida law supports the need for confidentiality during investigations and permits active investigations to be classified as exempt from public record. Only those with a legitimate business need are provided with information related to ongoing investigations.

Out of 26 such reports of complaints, allegations, or concerns received by Audit this year, 3 were referred to other units and 7 remained open as of June 30, 2018. Of the 16 completed investigations, 5 were substantiated and are summarized in the chart below. While these complaints were credible, the impact to USF was not significant.

Substantiated Classification        No.
Conflict of interest                1
Failure to protect resources        3
Fiscal misconduct-non research      1
Total                               5

FOLLOW-UP ACTIVITY

In accordance with IIA Standards, Audit follows up on all internal audit recommendations to determine if corrective actions have been taken. Utilizing a web-based tracking system, university leadership can continuously update the status of their corrective actions, including action plans and target implementation dates, and Audit can efficiently and effectively monitor their progress. Two Follow-Up Reports, covering activity from July 1 through December 31, 2017, and January 1 through June 30, 2018 were issued during the fiscal year. The annual implementation rate by management was 55%.

The recommendations made during this fiscal year related to the following:

Assi

providing the University of South Florida System with independent and objective assurance and advisory services that promote stewardship, accountability, integrity, efficiency, and compliance. These services assist the universit