Page 1

OFFICE OF AUDIT AND C O N S U LT I N G S E R V I C E S

2013 Report of Accomplishments COMMUNITY

QUALITY

INTEGRITY

VISIONARY OBJECTIVITY


All qualified applicants will receive equal consideration for employment without regard to race, color, national origin, religion, sex, pregnancy, marital status, sexual orientation, gender identity, age, physical or mental disability, or covered veteran status. Eligibility and other terms and conditions of employment benefits at the University of Tennessee are governed by laws and regulations of the State of Tennessee, and this non-discrimination statement is intended to be consistent with those laws and regulations. In accordance with the requirements of Title VI of the Civil Rights Act of 1964, Title IX of the Education Amendments of 1972, Section 504 of the Rehabilitation Act of 1973, and the Americans with Disabilities Act of 1990, The University of Tennessee affirmatively states that it does not discriminate on the basis of race, sex, or disability in its education programs and activities, and this policy extends to employment by the university. Inquiries and charges of violation of Title VI (race, color, national origin), Title IX (sex), Section 504 (disability), ADA (disability), Age Discrimination in Employment Act (age), sexual orientation, or veteran status should be directed to the Office of Equity and Diversity (OED), 1840 Melrose Avenue, Knoxville, TN 37996-3560, telephone 865-974-2498 (V/TTY available) or 865-974-2440. Requests for accommodation of a disability should be directed to the ADA Coordinator at the Office of Equity and Diversity. • A project of the Office of Audit and Consulting Services of the University of Tennessee.


CONTENTS MISSION, VALUES, AND VISION . . . . . . . . . . . . . . . . . . . . . . . . . 4 MESSAGE FROM THE EXECUTIVE DIRECTOR .

. . . . . . . . . . . . . .

5

OVERVIEW OF AUDIT AND CONSULTING SERVICES.

. . . . . . . . 6 Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Management Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Staffing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

INSTITUTIONAL COMPLIANCE. . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Mission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Goals and Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Other Accomplishments in 2013 . . . . . . . . . . . . . . . . . . . . 11 Plans for 2014 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

2013 ACCOMPLISHMENTS.

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

12

PLANS FOR 2014. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 2013 PROJECTS COMPLETED .

. . . . . . . . . . . . . . . . . . . . . . . . . .

15

INTERNAL AUDITS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 UT System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 UT System Administration . . . . . . . . . . . . . . . . . . . . . . . . 17 Knoxville . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Health Science Center . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Chattanooga . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Martin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Institute of Agriculture . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 UT Space Institute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

INVESTIGATIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 UT System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 UT System Administration . . . . . . . . . . . . . . . . . . . . . . . . 25 Knoxville . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Health Science Center . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Chattanooga . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Martin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 UT Space Institute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

FOLLOW-UP AUDITS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 SUPPLEMENTARY PROJECTS . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 ACS Strategic Planning . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Quality Assurance and Improvement Program . . . . . . . . . . . 32 AutoAudit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 SharePoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Electronic Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Videoconferencing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Navigational Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 ACS Grammar and Style Guide . . . . . . . . . . . . . . . . . . . . . . 33 UT and Departmental Committees . . . . . . . . . . . . . . . . . . . 34 Training Provided Within and Outside the University . . . . . . . 35 Training Obtained Within and Outside the University . . . . . . 35

APPENDIX A: ORGANIZATION OF THE UNIVERSITY OF TENNESSEE 2014 . . . . . . . . . . . . . . . . . 36 AND AUDIT AND CONSULTING SERVICES . . . . . . . . . . . . . . . 37 APPENDIX B: INTERNAL AUDIT CHARTER. . . . . . . . . . . . . . . . 38 APPENDIX C: PERSONNEL QUALIFICATIONS. . . . . . . . . . . . . . 39 APPENDIX D: FOLLOW-UP AUDITS .

. . . . . . . . . . . . . . . . . . . . .

42

DIRECTORY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 OFFICE OF AUDIT AND CONSULTING SERVICES REPORT 2013

3


AUDIT AND CONSULTING SERVICES MISSION, VALUES, AND VISION STATEMENTS

VISION A team of world-class professionals helping to shape the future of the university.

MISSION Audit and Consulting Services helps the university achieve its mission by providing objective and independent evaluations to reduce risk and improve operations.

VALUES • Integrity—exhibit fairness, honesty, and ethical behavior in our service to the university. • Objectivity—perform duties in an unbiased manner, i.e., based on an informed analysis of the issues and a clear understanding of the operations affected.

COMMUNITY

• Quality—provide accurate reports and timely, feasible, and relevant recommendations. • Community—collaborate with colleagues and clients to provide services that improve the university’s effectiveness and efficiency. • Visionary—develop creative and innovative approaches to key issues facing the university.

QUALITY

INTEGRITY

VISIONARY OBJECTIVITY

4

UNIVERSITY OF TENNESSEE


TO THE AUDIT COMMITTEE OF THE UNIVERSITY OF TENNESSEE BOARD OF TRUSTEES:

I

am excited to report on the 2013 accomplishments for Audit and Consulting Services and Institutional Compliance. This year, the team focused on enhancing our effectiveness and efficiency to provide value to our stakeholders. An important step in providing value was to undertake a strategic planning process. During the process, we updated our mission statement, created values and vision statements, identified key stakeholders and their expectations, and developed goals to help us achieve our mission of providing objective and independent evaluations to reduce risk and improve operations. This work moves us closer to our vision of being a team of world-class professionals helping to shape the future of the university. As part of strategic planning, we will develop metrics to determine whether ACS is achieving its goals. In 2013, we expanded our use of technology to enhance efficiency and effectiveness. For example, we began using an electronic report template and automated workflow to streamline our reporting process and now issue reports electronically. We also used technology to support our monthly staff meetings, which are conducted via videoconference. This technology has helped improve statewide interaction, communication, and teamwork. In addition, the Institutional Compliance team enhanced its online risk assessment tool to allow campus compliance officers to enter corrective action plans for automated uploading. All of these efforts help us provide more value to our key stakeholders: the Audit Committee, president, chief financial officer, and the chief business officers across the UT System. The audit team focused on fraud prevention and detection, effectiveness and efficiency, controls, and expenditure and equipment audits. As part of the fraud prevention and detection efforts, we continued to conduct UT procurement card monitoring and chief executive officer audits, adding audits of the chief business officers. Our academic advising audits were a major part of the effectiveness and efficiency work this year. We continued to focus on providing objective examinations of internal controls and dedicated time for departmental expenditure and equipment audits to determine whether controls at the departmental level are effective. This work is important because of the decentralized expenditure controls at the university. The areas of focus for Institutional Compliance included promoting an ethical culture by launching the revised Code of Conduct, conducting campus compliance risk assessments, facilitating campus compliance committees, and monitoring compliance. In 2014, the audit team will focus on the following goals developed during strategic planning: • Meet stakeholders’ needs and add value to the university. • Expand information technology audit coverage. • Expand research audit coverage.

Some of the office’s goals for 2014 include expanding IT and research audit coverage and fostering the professional development of our team members.

• Expand the use of data analytics to focus audits on high-risk areas. • Ensure effectiveness and efficiency of our operations. • Foster the professional development of team members. Institutional Compliance will work to enhance campus compliance committee efficiency and effectiveness and promote an ethical culture. I wish to express thanks to the entire ACS and Institutional Compliance team for their hard work and dedication. I would also like to thank university management and the Audit Committee for their support and commitment to an ethical environment at the University of Tennessee. Sandy S. Jansen, CIA, CCSA, CRMA Executive Director OFFICE OF AUDIT AND CONSULTING SERVICES REPORT 2013

5


OVERVIEW OF AUDIT AND CONSULTING SERVICES

A

udit and Consulting Services provides the University of Tennessee System with objective, independent appraisals of accounting, financial, administrative, and other operations in departments and units as a service to all levels of management and the UT Board of Trustees. These appraisals help ensure that the university’s assets are protected, departments are operating efficiently and effectively, and UT is complying with applicable policies, laws, and regulations. Our role is also to facilitate cost-effective decisions that will support the missions and strategic plan of the University of Tennessee and, through our assurance and consulting activities, to add value to UT’s operations. The internal auditing profession is governed by standards promulgated by The Institute of Internal Auditors, Inc., which require us to evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach. The primary functions of the office are conducting audits (financial, compliance, information technology, and performance) and investigations and overseeing the university’s institutional compliance function. At the conclusion of each engagement, reports are issued to audited parties, senior management, the Audit Committee of the Board of Trustees, and the Tennessee Division of State Audit. The internal audit function reports to the Audit Committee, with administrative oversight by UT’s chief financial officer. (Appendix A is the university’s organizational chart, and Appendix B is the Internal Audit Charter, which establishes our purpose, authority, and responsibility in the university community.)

6

AUDITS One of our main roles is to reduce the university’s risk, or exposure to loss. To that end, we develop an annual audit plan based on a risk assessment. Our objectives are to evaluate risk exposures related to the university’s governance, operations, and information systems and to evaluate the potential for fraud. We also evaluate the adequacy and effectiveness of internal controls (administrative and operational policies, procedures, and practices) in responding to risks, determine compliance with applicable policies and regulations, and make recommendations to strengthen any deficiencies noted. The types of audits we perform are discussed below. Financial. Our office performs a limited number of financial audits (e.g., public radio stations) annually as required. We examine the financial statements and perform tests of transactions sufficient to express an opinion on the financial statements as a whole. Internal control. The nature of this work is to identify significant internal control weaknesses in departmental and functional financial operations and provide effective recommendations for improvement. We also identify the significant risks to the university’s financial operations and information at the departmental and functional levels. Internal control engagements can contribute to and improve the governance of the area being audited, especially when control environment recommendations are included. Auditing for fraud. Our objective here is to look for fraudulent transactions. One result of this work may include recommendations to improve internal controls. These audits, along with risk assessments for other audit engagements, evaluate the potential for the occurrence of fraud. Compliance. The goal in such audits is to determine whether university policies and external laws and regulations are being followed. This type of work is usually coupled with reviewing internal controls so that we can provide recommendations to strengthen the controls to help prevent future violations of policies or regulations. Information technology (IT). IT audits are designed to identify significant weaknesses in the confidentiality, integrity, and availability of the university’s information systems and to provide effective recommendations for improvement. In addition, this work evaluates whether the information technology governance of the university supports its strategies and objectives. These audits are performed to help safeguard the information systems and the data stored on them, including administrative and student data, programs and operating systems, personal computers, servers, and networks. Objectives include assessing vulnerabilities in both technical and physical security; ensuring that university systems conform to best practices in industry standards; reviewing the storage and transmittal of electronic information; determining compliance with applicable policies, laws, and regulations; and making recommendations to strengthen any deficiencies noted. Performance. We conduct performance audits and other consulting-type projects in response to requests from university administration and departments and from other sources such as risk assessments. Our objectives are to provide management with information to improve an area’s organizational structure, staffing, and operating procedures and to ensure that UT resources are used effectively and efficiently, accounted for properly, and safeguarded adequately. We also determine whether operations and programs are being carried out as planned and their results are consistent with university objectives. Performance audits can address whether internal controls are operating effectively and in compliance with legal or other requirements, though such objectives are examined routinely in financial and compliance audits. UNIVERSITY OF TENNESSEE


INVESTIGATIONS State law requires Audit and Consulting Services to investigate substantive allegations of fraud, theft, abuse, and shortages and losses of university assets. Our objectives include verifying the facts in a legal and objective manner, determining responsibility, identifying control breakdowns that led to the loss, and recommending corrective actions to help ensure that similar actions do not occur in the future. These matters are referred to the state comptroller’s office for its review and possible referral for criminal prosecution.

In our strategic planning process, ACS staff created values and vision statements, updated the mission statement, and documented key stakeholders to help focus and further the office’s goals and objectives.

MANAGEMENT SUPPORT ACS provides other value-added work, such as promoting appropriate ethics and values within the university, communicating risk and control information on a systemwide level, and coordinating and communicating information among the Board of Trustees, State Audit, and UT management.

STAFFING The Audit and Consulting Services staff consists of an executive director, 2 associate directors, 14 audit professionals, a compliance director and officer, a coordinator/editor, and a support staff member. (Biographical information is provided in Appendix C.) The staff has over 200 years of combined auditing experience, with most of that obtained at higher education institutions. The average tenure in the office is approximately 10 years. Three staff members are certified public accountants (1 inactive); 8 are certified internal auditors; 2 are certified information systems auditors; 3 are certified fraud examiners; and 2 are certified compliance and ethics professionals. In addition to these and other certifications, over half the professional staff has master’s degrees. The audit staff received numerous hours in continuing education credits for the year, which includes training received at seminars, conferences, workshops, and in classes. The auditors are members of such professional organizations as The Institute of Internal Auditors and the Association of College and University Auditors. Some staff members also served on university committees at the request of management and provided training on internal controls and procurement cards. See page 35 for detailed information.

In coordination with strategic planning, we use performance metrics to promote continuous improvement in ACS, helping us better serve the university community and meet stakeholder expectations.


INSTITUTIONAL COMPLIANCE MISSION The mission of Institutional Compliance is to serve and safeguard our university community from the regulatory risks we face and promote a cultural environment of high ethical standards by: • Identifying compliance risk faced by the university community. • Promoting an awareness of compliance risks and the objectives of our compliance activities through communicating with and educating the university community. • Developing innovative and effective ways to mitigate compliance risk through collaboration with the university community.

RESPONSIBILITIES The Institutional Compliance Office is responsible for designing, implementing, and monitoring the UT systemwide compliance program. The office’s primary responsibilities include the following: • Develop and implement the university compliance risk assessment process. • Assist the campus/institute compliance committees in their various duties. • Help functionally responsible offices overcome barriers to compliance by recommending improved controls or providing independent services such as communicating the need for new procedures, resources, or stronger enforcement or working as a liaison between multiple parties. • Independently investigate and act on matters related to compliance. • Collaborate with the university community to develop innovative and effective ways to mitigate compliance risk. • Report regularly to the Executive Compliance Committee and the Audit Committee. • Promote the university’s Code of Conduct and Compliance Hotline.

Our focus areas in 2013 were promoting an ethical culture at UT, conducting the campus compliance risk assessments, facilitating campus compliance committees, and monitoring compliance throughout the system.

GOALS AND OBJECTIVES The Institutional Compliance Office was established in 2008 as a division of Audit and Consulting Services. Our mission and objectives are primarily driven by the Federal Sentencing Guidelines for Organizations, which has established what constitutes due diligence for an organization to comply with regulations. The office’s goals focus on promoting an ethical culture and identifying and mitigating compliance risk. Our four areas of focus in 2013 were promoting an ethical culture, conducting the campus compliance risk assessments, facilitating campus compliance committees, and monitoring compliance throughout the UT System.

Promoting an Ethical Culture In February 2013, the university launched the new Code of Conduct, initiated by Institutional Compliance. The Code was revised for greater compliance with the federal sentencing guidelines. Specifically, it was expanded to include: requirements to obey all laws and to report violations internally, an anonymous hotline number, a chain of command to report issues, and important ethical areas such as scientific misconduct, protection of confidential information, and child abuse. 8

UNIVERSITY OF TENNESSEE


We worked with the UT System Office of Communications and Marketing to develop an awareness and branding campaign and met with several university employee organizations to explain the new Code before its official promotion. The Code was launched with an introduction from the UT president and a website that provides the Code and related policies and training, which we monitor for accuracy and functionality. Since its creation, the website has been a top ten most commonly viewed policy site.

Conducting Campus Compliance Risk Assessments An important function of the Institutional Compliance Office is performing periodic compliance risk assessments for the university’s campuses and institutes. The objectives of these risk assessments are to identify control weaknesses, identify areas of noncompliance, and develop plans for corrective action. The Institutional Compliance Office conducted the university’s first campus compliance risk assessment in May 2010 at UT Knoxville (UTK) and the second at the UT Health Science Center (UTHSC) in December 2011. In 2013, the office launched the risk assessment process with the UT Institute of Agriculture (UTIA) and identified and trained 68 compliance officers. At year end, UTIA was close to completing the data collection phase of the compliance risk assessment. A chair and assistant were appointed for UTIA’s Campus Compliance Committee and are working with our office to analyze the data and determine priorities. UTIA shares many risks with UTK and will benefit from UTK’s work in these areas.

Facilitating Campus Compliance Committees Institutional Compliance guides and assists the campus compliance committees in their responsibilities in reviewing the results of the risk assessments, establishing priorities, and developing appropriate plans of corrective action. These high-level oversight committees are required by the Federal Sentencing Guidelines for Organizations and were implemented by the campuses at our request in conjunction with the campus risk assessments. Campus compliance committees currently exist at UTK, UTHSC, and UTIA, with plans for such committees at the remaining UT campuses and institutes as the risk assessments are begun. Campus compliance committees have the following responsibilities:

In 2013, Institutional Compliance initiated revisions to UT’s Code of Conduct, now including an anonymous hotline number, a chain of command to report issues, and important ethical topics such as scientific misconduct, protection of confidential information, and child abuse.

• Ensure a campus/institute compliance officer is assigned to each regulatory area in the risk assessment. • Review risks identified in the risk assessment and determine the compliance priorities to address. • Coordinate the effort to develop plans of corrective action. The Institutional Compliance Office assists these committees in their duties and helps compliance officers and functionally responsible offices overcome barriers to compliance, including providing advice on appropriate controls and coordinating assistance from UT System Administration or other UT campuses. We also provide training to the compliance officers in performing the risk assessment and in important general compliance issues such as compliance program standards from the federal sentencing guidelines, whistleblower laws, reporting violations, culpability factors, and potential penalties. Accomplishments of the campus committees are given below.

UTK Campus Compliance Committee During 2013, the Institutional Compliance Office worked with the UTK Campus Compliance Committee to develop a summary analysis of the compliance risk assessment and 41 proposed comprehensive plans of corrective action to present to the campus administration for review. The following graph illustrates the relative risk of OFFICE OF AUDIT AND CONSULTING SERVICES REPORT 2013

9


UTK Compliance Risk HIGH *Research

Environmental Student *Employee

Financial Impact

Tax

*Safety

Facilities

*Athletes

*Legal/Contracts

*Privacy/IT

Investments/Accounting Procurement Gifts Academic

Healthcare Federal Reporting

UTHSC Campus Compliance Committee

Communications Transportation

LOW

HIGH

Operational Impact

*Areas with compliance weaknesses that were addressed with plans of corrective action.

UTHSC Compliance Risk HIGH *Research Financial

Environmental *Employee

Financial Impact

*Legal/Intellectual Property

*Safety/Health *Privacy/IT

Tax

*Student *Healthcare

Gifts Academic

*Facilities

Federal Reporting

Communications

Operational Impact

HIGH

*Areas with compliance weaknesses and proposed plans of corrective action.

HIGH

LOW Reputational Impact

HIGH

LOW Legal Sanctions Impact

10

The Institutional Compliance Office also assisted the UTHSC Campus Compliance Committee in analyzing the results of the campus compliance risk assessment and in developing plans of corrective action. The risk assessment included approximately 400 regulations or compliance areas. The committee identified 126 significant risks and worked with the respective compliance officers to develop 59 proposed plans of corrective action. These proposed plans are pending review and approval. The accompanying graph illustrates the relative risk of the compliance areas reviewed and where proposed plans of action were developed. Proposed plans of corrective action addressed many of the same areas as UTK, as well as training for researchers on the following topics: patient confidentiality and appropriate consent, meeting Affirmative Action goals, campus disaster and recovery plan, communicating campus policies, and executing contracts, among others. In 2013, UTHSC administration created positions for an assistant vice chancellor for compliance and a campus compliance officer.

Monitoring Compliance

Procurement

LOW

the compliance areas reviewed and where weaknesses were addressed. Corrective action plans involved areas such as sponsored projects effort certification, cost transfers, and sub-recipient monitoring; improved training and monitoring for radiation safety, the Animal Welfare Act, OSHA, EPA, Civil Rights Act, and Title IX; and improved monitoring of NCAA compliance and information technology privacy and security. UTK administration approved the proposed plans, 19 of which were fully implemented at year end and the remainder being implemented. The Institutional Compliance Office assisted the UTK Campus Compliance Committee in determining the next 25 risks for consideration and a methodology for subsequent risk assessments. The administration created a new position, assistant vice chancellor for scientific misconduct and compliance, to chair the UTK committee, who will assume duties in January 2014.

UNIVERSITY OF TENNESSEE

The National Science Foundation’s Office of the Inspector General has implemented the practice of using data analytics for determining audit risk. In light of this move, our office explored the feasibility of using the methodology internally to identify potential compliance risk areas. Data analytics involves analyzing information in databases to identify potential exceptions such as unallowable expenses, duplicate funding, improper cost transfers, inflated budgets, and unreported sponsored program income. We worked with UT financial, research, and information technology offices to identify the location and accessibility of key data and performed a pilot analysis. Some data integrity issues were found, which limits the potential utility of data analytics at this time. Despite the limitations, our office has obtained the expertise and laid the groundwork for future implementation as resources permit.


OTHER ACCOMPLISHMENTS IN 2013 • The Institutional Compliance Office resumed meetings with the Executive Compliance Committee. The committee meetings had been postponed pending the completion of the first compliance risk assessment cycle at UTK. • Several modifications were made to the list of regulations reviewed in the UTK risk assessment, including adding 22 new regulations, modifying 54 current regulations, and deleting 12 regulations. A total of 434 regulatory areas are now under consideration for the risk assessment. • We received 10 compliance hotline calls during 2013. Nine were referred to other university offices for resolution, and we investigated and resolved one. • Institutional Compliance followed up with campuses on new regulations, including changes to the federal I-9 form, new state laws requiring emergency plans for daycares, and policies for concussions received in athletic events. • The Institutional Compliance officer obtained the Certified Compliance and Ethics Professional (CCEP) certificate, making all members of the office certified.

In 2014, the office will continue facilitating the campus compliance committees at UTK, UTHSC, and UTIA. We plan to conduct a risk assessment at UT Martin and identify all applicable compliance officers and to begin the risk assessment process at UT Chattanooga.

PLANS FOR 2014 In 2014, we will continue facilitating the campus compliance committees at UTK, UTHSC, and UTIA. Committee activities will include the following. • UT Knoxville: Follow up on implementation of plans and address the next level of risks. • UT Health Science Center: Finalize, approve, and implement plans of corrective action. • UT Institute of Agriculture: Develop plans for risks identified in the risk assessment and begin implementation. The office also plans to conduct a risk assessment at UT Martin and to begin the risk assessment process at UT Chattanooga. At UT Martin, we plan to identify all applicable compliance officers and complete the risk assessment. In Chattanooga, we plan to begin identifying applicable compliance officers before year end. We plan to continue refining the risk assessment process and the operations of the campus compliance committees. The committees face a large volume of work, and our office will explore strategies to increase their efficiency. In addition, we will continue to promote an ethical culture in the university community through systemwide communication of the Code of Conduct and the Compliance Hotline. Promotional campaigns for the Code and hotline are tentatively planned for the fall 2014 semester.

OFFICE OF AUDIT AND CONSULTING SERVICES REPORT 2013

11


AUDIT AND CONSULTING SERVICES 2013 ACCOMPLISHMENTS

A

s illustrated in the pie chart “2013 Effort by Audit Type,” Audit and Consulting Services provided a variety of services to the UT System. We spent 58 percent of our effort on the areas of focus outlined in the 2013 audit plan:

2013 Effort by Audit Type

• Fraud prevention and detection • Controls • Expenditure and equipment audits (included in Controls)

Fraud Prevention and Detection 16%

Controls 23%

Investigations 19% Effectiveness and Efficiency 19%

Compliance 6% Information Technology 6%

Follow-Up 4%

Financial 3%

Other Value Added 4%

2013 Effort by Entity Institute of Agriculture 2%

Health Science Center 14%

Chattanooga 11% Martin 10%

Knoxville 25% UT System 31%

UT System Administration Offices 7%

12

• Effectiveness and efficiency Fraud prevention and detection audits continue to be an important aspect of our work. The Association of Certified Fraud Examiners indicates that the typical organization loses 5 percent of its revenues to fraud each year and that a typical fraud lasts 18 months before it is detected. Our control audits, including departmental expenditure and equipment audits, provide assurance to both the Audit Committee and senior management, help establish a strong control environment, and assist department heads in implementing effective controls at the department level. Because of the importance of this work, we focused almost a quarter of our time on controls. We also focused on effectiveness and efficiency to assist the university and individual departments in meeting goals and objectives. In various notable projects, the objectives involved assessing the effectiveness of programs, including the undergraduate academic advising audits and the UTHSC nursing practice plan engagement. The pie chart also shows we spent 6 percent of our effort on information technology audits. This time does not reflect the external assessment the Audit Committee requested to review the security posture of the university. Another 6 percent was for compliance audits and 3 percent for financial audits. Four percent of our effort was used to conduct follow-up audits to ensure that our recommendations in previous years’ audits were implemented. Finally, 4 percent was devoted other value-added work, such as serving on university committees, providing training to the university community, and consulting provided to management. In 2013, Audit and Consulting Services conducted numerous projects for the UT System, as noted by 31 percent of our effort in the “2013 Effort by Entity” pie chart to the left. These projects provided coverage for all campuses and institutes, including the SelfAssessment of Controls, Complete College Tennessee Act audit, monthly procurement card monitoring, and follow-up audits. Audit coverage for UT System Administration offices accounted for 7 percent of effort and included the annual audit of the president’s office, among others. Ten percent of audit effort was for UT Martin, primarily focused on the chancellor’s office and academic advising, and we devoted 11 percent of effort at UT Chattanooga on numerous special projects and investigations. Consistent with past years, most of our campus-specific effort focused on UT Knoxville and the UT Health Science Center, our flagship campus and the academic healthcare center, respectively.

UNIVERSITY OF TENNESSEE


PLANS FOR 2014

A

s illustrated in the “2014 Allocation of Time� chart below, Audit and Consulting Services divides effort among the campuses and institutes in the UT System. After estimating time for staff meetings, continuing professional education, holidays, and annual leave, we determined our allocable chargeable time for the coming year to be approximately 19,700 hours. ACS has budgeted 3,880 hours (20 percent) for required audits (required by statute, administrative policy, or based on an agreement with management); 2,600 hours (13 percent) for audits in progress on January 1, 2014, from the prior calendar year; 9,090 hours (46 percent) for risk-based engagements resulting from our annual assessment of risks; and 4,130 hours (21 percent) for unscheduled projects and other value-added work, including investigations, board and management requests, committee service, and special projects.

2014 Allocation of Time Required Audits

Prior-Year Audits

Risk-Based Audits

Total

1,960

850

3,150

5,960

UT System Administration Offices

300

435

UT Knoxville

880

510

2,260

3,650

UT Health Science Center

200

200

1,280

1,680

UT Chattanooga

350

200

940

1,490

40

100

800

940

150

305

660

1,115

3,880

2,600

9,090

15,570

2014 Allocation of Time UT System

UT Martin UT Institute of Agriculture Total Hours Unplanned Special Projects and Investigations Other Value-Added Work Total Hours

735

3,580

2014 Planned Audit Focus

Controls 33% Compliance 15%

Investigations 18%

Fraud Prevention and Detection 14%

550 Other* 12%

19,700 Information Technology 4%

While ACS plans to perform a variety of engagements, including information technology, effectiveness and efficiency, financial, consulting, and risk management audits, there are three areas of focus for 2014. Those areas are fraud prevention and detection, compliance, and controls, including departmental expenditure and equipment audits. These focus areas, which comprise 62 percent of the audit plan, are illustrated in the pie chart to the right.

Effectiveness and Efficiency 4%

*Consulting, financial, follow-up, risk management, and other value-added work.

OFFICE OF AUDIT AND CONSULTING SERVICES REPORT 2013

13


INTEGRITY

14

UNIVERSITY OF TENNESSEE


2013 PROJECTS COMPLETED

A

udit and Consulting Services completed 64 engagements, including required audits, risk-based projects, risk-based departmental expenditure and equipment audits, projects in progress from 2012, investigations, and consulting projects. The audits of undergraduate academic advising at UT Knoxville, UT Chattanooga, and UT Martin were among the significant projects completed for the year. These audits were requested by the Audit Committee of the UT Board of Trustees. Because advising plays an essential role in student retention and success, and the UT System continues work to increase the percentage of completion, the UT Board and senior management have focused on advising processes. These audits provided recommendations to enhance advising at the three campuses. Also in 2013, we conducted the first audit of the data submitted for funding under the Complete College Tennessee Act, as requested by the Division of State Audit. Our plan is to conduct an annual audit and add a new component of the formula each year until we have evaluated all data in the state’s funding formula. The initial audit focused on progression data in the formula. Of particular interest was the audit of scholarships at UT Knoxville. As colleges and universities continue to experience a decline in state support, the fundraising arm in higher education is more important than ever. Along with fundraising efforts, it is important for UT to be a good steward of donated funds and to use them as the donors intended. These efforts help maintain the goodwill of the donor base. The objective of this audit was to determine if scholarship funds were used in accordance with donor wishes. We found that over 97 percent of the scholarship recipients tested met the qualifications outlined by the donors. A similar engagement will be completed for the Health Science Center in 2014. Of note for systemwide coverage, we completed a project on the protection of minors in UT facilities and programs. This audit was performed after the investigation and resulting report of child sexual abuse at The Pennsylvania State University. In our review of existing controls to protect minors, we recommended designating an officer to coordinate the programs for each campus, administering the federal Clery Act consistently across the UT System, establishing an ethics officer or committee, and developing a system security policy for keys and other entry control devices. Also, our office completed audits for the 2012 fiscal year of the offices of the UT president, UT Knoxville chancellor, and UT Martin chancellor, as required by Tennessee Code Annotated § 49-7-3001. This statute is intended to strengthen higher education financial accountability and requires risk-based internal financial audits for the offices of the university president and chancellors. The statute requires at least 30 percent of the offices to be audited in any given year. We found no evidence of fraud, waste, or abuse and provided recommendations to enhance processes and controls. In addition to the required chief executive audits, we audited the UT System chief financial officer and the UTK chief business officer. The audit objectives were to determine whether internal controls are designed to prevent and detect fraud, waste, and abuse. No instances of fraud, waste, or abuse were identified. Another noteworthy project was the Self-Assessment of

Controls, which is performed to comply with the Tennessee Financial Integrity Act of 1983. Each year, our office surveys all University of Tennessee departments (approximately 500) on internal controls. We cycle through eight processes and related controls and survey on two areas each year, this year’s being computer usage and money handling. We see the selfassessment as one of the most significant projects we conduct because it allows us to reach all UT departments at least annually and provides a forum for educating departmental management on effective controls. The Act also requires the completion of an entity-wide risk assessment. Each fall, we facilitate a risk assessment with the chief financial officer and the chief business officers to update the risk assessment to reflect changes in the university’s operating environment. Several information technology audits were conducted on the Banner Student Information System. We audited the processing of student course grades in Banner at the Knoxville, Chattanooga, and Martin campuses. The audit objective was to determine whether controls existed and were operating effectively to ensure course grades recorded in Banner were approved, complete, accurate, documented, and confidential. We recommended enhancements to ensure that all grades are entered timely and grade integrity is protected. We also audited student course fees in Banner at UT Knoxville. The objective was to analyze Banner business process and application controls to determine whether controls exist and are operating effectively. We recommended enhancements to ensure that all fees are entered timely and accurately, documentation is correct and current, and the confidentiality of sensitive data is protected. As requested by the chief business officers, we completed numerous departmental expenditure and equipment audits to assess controls at the departmental level. Common control issues found were the lack of monthly ledger reconciliation or reconciliation documentation and weaknesses in the annual inventory verification processes. We provided recommendations for strengthening these foundational controls to enhance the control environment in the departments. We also monitored the university’s procurement card transactions each month to identify fraudulent activity. Our summary report covered transactions totaling nearly $37 million for an average of 1,770 cardholders. No fraud was identified. Given the volume of transactions and the decentralized controls for the procurement card process, relatively few policy violations were found. The results and recommended corrective actions were reported to the cardholders and the issues were resolved. In addition to our other projects, we completed a valuable consulting engagement where we assessed the financial sustainability of the faculty practice plan at the Health Science Center’s College of Nursing and recommended ways to improve the plan’s financial status and increase efficiency. The UTHSC chief business officer and the dean of the college requested the review. Finally, the office completed 21 investigations of fraud, waste, and abuse this year. As always, even when fraud was not confirmed, we examined internal controls for potential improvements. Our reports included recommendations to strengthen controls. OFFICE OF AUDIT AND CONSULTING SERVICES REPORT 2013

15


INTERNAL AUDITS INTERNAL AUDITS: UT SYSTEM Self-Assessment of Controls/Risk Assessment

Complete College Tennessee Act

The university performs an annual self-evaluation of internal accounting and administrative controls to comply with the Tennessee Financial Integrity Act of 1983. Requirements of the Act include performing an entity-wide risk assessment and a comprehensive evaluation of internal controls. Audit and Consulting Services (ACS) coordinates UT’s compliance efforts with the Act and conducts the self-assessment using a web-based questionnaire. For the evaluation of controls, the university reviews the controls for two areas each year, with 2013’s topics being computer usage and money handling. Of about 500 UT departments, 215 identified and corrected 589 control weaknesses in the areas reviewed. Fourteen material weaknesses were noted for the university. ACS facilitated the 2013 entity-wide risk assessment of UT’s financial operations with the assistance of the campus/institute chief business officers. This was an update of the 2012 risk assessment, and minor changes were made to existing risks and new risks and controls were added. Risks and recommended corrective actions were reported to the individual departments, and the results of the risk assessment and control weaknesses were reported to the state. Attached were the letter from the university’s president to the state comptroller and the commissioner of finance and administration and the results of the assessment of internal controls.

The audit objective was to determine if student credit hours UT reported to the Tennessee Higher Education Commission, as required by the Complete College Tennessee Act of 2010, were accurate and supported by student records. The scope included undergraduate credit hours earned as recorded in UT’s fall 2012 end-of-term report. The university was found to be in compliance with the Act. Recommendations were provided to report all instances affecting student progression, such as credit hours for nondegree-seeking students and repeated courses, thus ensuring accurate state funding.

Protection of Minors in UT Facilities and Programs Auditors reviewed the existing controls to protect minors in programs at university facilities and sponsored by the university. They identified programs involving minors, reviewed practices and policies in several of these programs, and performed a gap analysis between the university’s current practices and the recommendations in the report prepared by Freeh Sporkin & Sullivan, LLP for The Pennsylvania State University. The audit identified 277 unique programs involving minors across the university system, with 24 selected for review. Policies and practices were inconsistent and decentralized. Most of the Freeh report recommendations did not apply, primarily because UT campuses have been proactive in addressing the risks cited by the report. Some of Freeh’s recommendations were adopted, thereby strengthening the control environment at UT, and a system policy has been developed to promote a safe environment for minors in programs on UT campuses or using university resources. Recommendations were made to reinforce the protection of minors on UT campuses, including having a designated officer on each campus to coordinate the programs that bring minors to campuses, administering the federal Clery Act consistently across the UT System, establishing an ethics officer or committee, and developing a UT System security policy regarding keys, access cards, and other entry control devices.

16

UNIVERSITY OF TENNESSEE

Annual Procurement Card Summary The monthly monitoring of the university’s procurement card involves a cursory review of all card transactions for the university system for a month to identify fraudulent activity. The scope of this summary report included all procurement card expenditures (144,501 transactions totaling $36,752,627.47 and an average of 1,770 cardholders) for the entire university from October 2012 through September 2013. No fraud was identified, but policy violations were noted. Given the volume of transactions and the decentralized controls for the procurement card process, relatively few violations were found. For 2009–2013, violations of personal and gift card purchases increased over the last three years. Violations related to entertainment expenses over the prescribed limit have remained relatively stable, and travelrelated violations declined this year. In addition, instances of split purchases increased whereas the last four years had seen a steady decline. The results and recommended corrective actions were reported to the applicable cardholders and the issues were resolved.

Year-End To facilitate year-end closing of the university’s financial records, the department provides year-end instructions and special requests to certain UT System and UT Knoxville departments. Auditors coordinate the observation of physical inventories and provide inventory balances for adjusting entries made by the campus/institute business offices. This year no significant discrepancies were noted in the UT bookstore’s 2013 physical inventory, listed as $1,957,377.21. A 16.5 percent decrease was noted from last year’s inventory dollar amount to this year’s, which was considered a noticeable difference. Staff stated the reduction resulted from a change in purchasing procedures where buyers purchase only what is needed. The bookstore also reduced inventory by holding clearance sales and partially stocking two stores that were being closed (Stokely Management Center and Hodges library). The explanations were deemed reasonable and appropriate.


OBJECTIVITY

INTERNAL AUDITS: UT SYSTEM ADMINISTRATION Office of the President The audit scope included travel, entertainment, equipment, payroll, procurement card, and other expenses for fiscal year 2013. The expenditures were reviewed for compliance with university policies and to determine whether they appeared appropriate and reasonable. Auditors also verified the office’s equipment inventory records. The recommendation was made to assign an employee to oversee and verify the activity of the special events procurement card to ensure proper documentation of expenditures and compliance with policies.

Athletic Ticket Allotment Program—Public Relations The audit objective was to determine if the Office of Public Relations maintains sufficient controls over football ticket sales revenue and inventory. The ticket program makes football and basketball tickets available to various university guests, university departments, and employees. Auditors examined 2012 football season tickets purchased from the UT Athletics department and sold by Public Relations, approximately

$242,000 in tickets. The audit found that Public Relations does not adequately oversee and control the sale of football tickets and that the office’s internal controls are inadequate to prevent or detect the misappropriation of funds. Employees who are not responsible for ticket inventory, ticket sales, and deposits should reconcile game sales and tickets and document the approvers and recipients for all complimentary tickets.

Chief Financial Officer—Travel and Entertainment The audit objectives were to determine whether internal controls are designed to prevent and detect fraud, waste, and abuse in the Office of the Treasurer and to identify instances of fraud, waste, and abuse in the chief financial officer’s (CFO) travel and entertainment expenses. Auditors reviewed these expenses from February 1, 2012, to February 28, 2013. Internal controls for the CFO’s travel and entertainment expenses were in place, and no fraud, waste, or abuse was identified. A few reimbursements for meals and mileage were erroneously overpaid, and the CFO has repaid these amounts.

INTERNAL AUDITS: KNOXVILLE Office of the Chancellor The audit scope included travel, entertainment, equipment, payroll, and other expenses for fiscal year 2013. The expenditures were reviewed for compliance with university policies and to determine whether they appeared appropriate and reasonable. Auditors also verified the office’s equipment inventory records. All expenditures reviewed appeared reasonable and appropriate. The equipment inventory records appeared accurate, with all expenditures made and recorded in compliance with university policies.

Athletics—NCAA Compliance The objectives of the audit were to determine whether policies and procedures are in place to administer and monitor the awarding of financial aid to student-athletes in accordance with National Collegiate Athletic Association (NCAA) legislation during the 2011 academic year. The audit was performed as part of Audit and Consulting Services’s annual audit cycle of the Athletics department’s rules compliance program. The

procedures established by Athletics and the Financial Aid and Scholarships office were effective, with no recommendations provided for improvement.

Athletics—Direct Financial Support The objective of the review was to substantiate the direct financial support the UT Knoxville (UTK) Athletics department generated for the university during fiscal years 2010 and 2011. Auditors verified the amounts and obtained information on how the funds were used. Athletics provided direct support totaling approximately $6.9 million in 2010 and $6.7 million in 2011. Slightly more than 83 percent of these funds were provided to UTK for academic scholarships, capital improvements, housing, and other faculty and student support. The Memphis, Martin, Chattanooga, and Agriculture campuses received an average of 14.5 percent of the funds to be used at the chancellors’ discretion. Slightly less than 2.5 percent was paid as a subsidy for the university’s flight operations, a function of UT System Administration. Athletics will discontinue most of its direct OFFICE OF AUDIT AND CONSULTING SERVICES REPORT 2013

17


financial support for the next three years but will continue paying debt service on parking garages.

Mandatory Student Fees The purpose of the audit was to assess the university’s internal controls regarding the implementation and management of mandatory student fees during the academic year 2012-13 by the University of Tennessee, Knoxville. The objectives included reviewing proper approval of all mandatory student fees in accordance with applicable state and university laws and policies, determining whether controls were in place to ensure that fees were used for their authorized purpose, and reviewing maintenance and tuition fees to ensure the accuracy of in-state versus out-of-state classification. Auditors found that the campus is following university policies and guidelines dictating the approval and use of mandatory student fees.

Banner Student Information System—Fees The audit was conducted to examine the processing of student course fees in the Banner Student Information System. The objective was to analyze Banner business process and application controls to determine whether controls are in place and operating effectively. Course fees for the fall 2012 semester were reviewed. Auditors found the business process and application controls in the Banner system allow for appropriate

Our audit of scholarships at UT Knoxville found that 97 percent of scholarship recipients tested met the qualifications outlined by the donor. Conscientious stewardship of donated funds helps maintain the goodwill of UT’s donor base.

18

UNIVERSITY OF TENNESSEE

approval and processing of course fees. Recommendations were made to ensure that all fees are entered timely and accurately, documentation is correct and current, and the confidentiality of sensitive data is protected, among others.

Banner Student Information System—Grades The audit was performed to review the processing of student course grades in the Banner Student Information System. The objectives were to determine whether controls existed and were operating effectively to ensure that the course grades recorded in Banner are approved, complete, accurate, documented, and confidential. The scope included course fees for the spring 2013 semester and the entry of grades by faculty, the grade change process, and end-of-term grade processing. Auditors concluded that the business process and application controls in the Banner system allow for the appropriate entry and processing of course grades. Recommendations were made to help ensure that all grades are entered timely and grade integrity is protected, specifically by replacing the current paper-based grade change process with an electronic form and associated workflow.

Undergraduate Academic Advising Undergraduate academic advising was reviewed at UT Knoxville (UTK). The UT Board of Trustees’ Audit Committee requested


the review to assess the effectiveness of academic advising processes and practices at UTK. The campus has established an academic advising policy and has invested resources to help advisors accomplish their objectives. Each college determines its own advising model, assessment methods, and training. Some use only professional advisors; some use only faculty advisors; and some use both. Auditors concluded UTK’s academic advising programs help sustain retention and graduation rates that exceed national averages. Recommendations were made to determine the most appropriate advising model in the colleges, including mission statements, objectives, and policies; evaluate advisors and program success regarding performance and outcomes; and expand advisor training.

Vice Chancellor for Finance and Administration— Travel and Entertainment The audit objectives were to determine whether internal controls are designed to prevent and detect fraud, waste, and abuse in the Office of the Vice Chancellor for Finance and Administration and to identify any instances of fraud, waste, and abuse in the vice chancellor’s travel and entertainment expenses. The scope included expenses for February 1, 2012, to February 28, 2013. Internal controls were properly designed, and no instances of fraud, waste, or abuse were noted in the vice chancellor’s travel and entertainment expenses for the period reviewed.

Scholarships The objective of the audit was to determine if UT Knoxville awarded scholarship funds in accordance with donor wishes. Auditors found that over 97 percent of scholarship recipients tested met the qualifications outlined by the donors and noted an inconsistent use of selection committees, even when stipulated by the donor. Recommendations were made to provide guidance on the use of a selection committee, including the role of the committee and its members, and guidance on interpretation of common criteria, such as financial need, to all colleges and departments responsible for selecting scholarship recipients.

WUOT-FM Radio Auditors conducted the annual financial audit of UT Knoxville’s public radio station, WUOT-FM, for the year ended June 30, 2013, with comparative information presented for fiscal year ended June 30, 2012, and prepared the report for submission to the Corporation for Public Broadcasting (CPB). This audit is required by the CPB and was included in the annual audit plan. The financial statements present fairly, in all material respects, the financial position of the station as of June 30, 2013 and 2012, and the changes in its financial position and its cash flow for the years then ended in conformity with generally accepted accounting principles.

VolShop An audit was conducted of the Payment Card Industry Data Security Standard (PCI DSS) Self-Assessment Questionnaires for the VolShop at UT Knoxville. The objective was to verify the accuracy of the questionnaires completed in 2013. Auditors evaluated the VolShop’s compliance with the controls required

by the university and PCI DSS, which included reviewing credit card policies and procedures, information technology security, and physical security of credit card data. The VolShop complied with PCI DSS and university policies and procedures, with recommendations to increase security by segmenting the network among store locations, moving applicable servers and terminals into the correct firewall zone, using two-factor authentication for administrators, and conducting the required vulnerability scans.

Civil and Environmental Engineering— Expenditures and Equipment The audit included an examination of departmental invoices, procurement card expenditures, equipment inventory, and ledgers to assess internal controls for fiscal years 2012 and 2013. The department has established effective controls for expenditures and equipment. Auditors recommended correcting several serial numbers in the equipment inventory system.

Materials Science and Engineering— Expenditures and Equipment The audit included an examination of departmental invoices, procurement card expenditures, equipment inventory, and ledgers to assess internal controls for fiscal years 2012 and 2013. The department has established effective controls for expenditures and equipment. Auditors made recommendations to correct issues involving invoice and ledger documentation, procurement card use, and recording of equipment identifiers.

Center for Transportation Research— Expenditures and Equipment The audit included an examination of departmental invoices, procurement card expenditures, equipment, and ledgers to assess internal controls for fiscal years 2012 and 2013. The department has complied with applicable policies and established effective controls for expenditures and equipment for the areas reviewed.

UT Police Department—Evidence and Property Inventory Auditors selected 25 items from the UT Police Department’s (UTPD) lost and found inventory and 25 items from the evidence inventory. All items reviewed in the evidence inventory were considered high-risk items, including money, precious metals, jewelry, firearms, and drugs. All items were accounted for; proper documentation was provided; the items were maintained in a clean and orderly manner and protected from damage and deterioration; overflow inventory is being protected from damage and deterioration; access to all areas is limited to authorized personnel; and the status of all evidence and property is reflected in UTPD records. Auditors found that overall UTPD had good controls over its evidence and lost and found property.

Reliability and Maintainability Center— Information Security Review The policies and procedures for processing credit and debit cards using an online processing system were reviewed for the center in the College of Engineering. No weaknesses were identified. OFFICE OF AUDIT AND CONSULTING SERVICES REPORT 2013

19


INTERNAL AUDITS: HEALTH SCIENCE CENTER Joint Appointments—College of Medicine The audit was performed to determine whether faculty members in the College of Medicine (COM) with joint appointments at the Memphis VA Medical Center had combined full-time equivalents (FTE) of 163 percent or less, as agreed upon by state and UT administrators, and whether a system exists to monitor the FTEs. Seventeen faculty members had their joint FTEs reduced, and one will be compliant with the standard in April 2013. His name was initially overlooked on the list to reduce FTEs. An informal system exists to track the faculty FTEs. Auditors recommended verification of the percentages by the COM and the VA to monitor the appointments and ensure compliance with the standard.

Gift Cards The audit objectives were to determine the extent of gift card use on the campus and to evaluate controls over their purchase, storage, distribution, and disposition. UT departments conducting research studies involving human subjects often provide gift cards to entice participation. By their nature, the cards are very vulnerable to theft and abuse. Auditors examined selected gift cards (over $150 from Walmart, Target, and Amazon) purchased in fiscal years 2011 and 2012. Four departments with large card purchases were identified for review: Preventive Medicine, Surgery, Pediatrics/OB, and Nursing. The university provides no guidance on managing gift cards intended for research study participants (except a policy disallowing their purchase with the UT procurement card), and procedures varied among the departments reviewed. Consistent policies and procedures should be developed for greater security and 20

UNIVERSITY OF TENNESSEE

accountability over gift card use.

General Surgery—Expenditures and Equipment The audit included an examination of departmental invoices, procurement card expenditures, equipment inventory, and departmental ledgers to assess internal controls for fiscal years 2012 and 2013. The department has not established effective controls for expenditures and equipment, with lapses in the departmental ledger reconciliation, equipment inventory verification, and procurement card processes. Recommendations were made to strengthen the effectiveness of controls in these areas.

Neurology—Expenditures and Equipment The audit included an examination of departmental invoices, procurement card expenditures, equipment inventory, and departmental ledgers to assess internal controls for fiscal years 2012 and 2013. The department has not established effective controls for expenditures and equipment, with lapses in the departmental ledger reconciliation and equipment inventory verification processes. Recommendations were made to strengthen the effectiveness of controls in these areas.

Obstetrics and Gynecology—Expenditures and Equipment The audit included an examination of departmental invoices, procurement card expenditures, equipment inventory, and departmental ledgers to assess internal controls for fiscal years 2012 and 2013. The department has not established effective controls for expenditures and equipment, with lapses in the departmental ledger reconciliation, procurement card, and


equipment inventory verification processes. Recommendations were made to strengthen the effectiveness of controls in these areas.

Faculty Practice Plan—College of Nursing This consulting engagement assessed the financial sustainability of the faculty practice plan at the College of Nursing (CON) and made recommendations to improve the plan’s financial health and identify opportunities to increase efficiency. The objectives were to benchmark the organization and operations of the practice plan to industry-similar health science centers; determine the sustainability of the existing business plan, including the incentive plan; and identify opportunities to enhance net income generated by the practice plan. The CON practice plan consists of faculty working for third-party clinics, which pay the CON a contracted hourly rate for the services of the faculty member. The exception is the Shelby County Airport, which pays the college a set annual rate for staff. Participation in the plan is optional. Participating faculty receive an annual incentive payment of 40 percent of the revenue generated through their practice agreement. Recommendations were made to establish and/or update practice plan objectives, policies, and standard operating procedures; modify faculty appointments and/or practice contracts to be consistent with these procedures; streamline accounting processes and reorganize the plan on the basis of a consultative, staffing, or nurse-managed clinic model; assess a 15 percent overhead rate to help cover administrative costs; and optimize the incentive rate and structure of the incentive plan using one of three options.

College of Medicine Chattanooga Procurement card expenditures were reviewed for the UT College of Medicine Chattanooga (UTCOMC), as well as

participant payments for the flu study conducted in the Family Medicine department. The engagement was performed based on the purchase of gift cards found during the monthly procurement card monitoring. The objectives were to determine whether the gift card purchases supported operations and to identify any instances of fraud, waste, or abuse. Overall, procurement card expenditures supported the operations of UTCOMC. Auditors recommended separating the duties of procurement card administration, obtaining additional training on approving statements, and following any gift card policies and/or procedures for future studies that allow participant compensation.

Petty Cash—Parking Services The audit was performed to determine if existing internal controls ensure compliance with policies and safeguard petty cash. In general, Parking Services has established controls to ensure compliance with policies and safeguarding of petty cash; however, a control weakness in revenue collections was noted at the parking lot adjacent to the Dunn Dental Building. Management should implement a new process to ensure deposits are intact, such as a time-stamp machine, cash register, or electronic pay station.

Petty Cash The audit was performed to determine if existing internal controls ensure compliance with policies and safeguard petty cash at the UT Health Science Center. In general, the Bursar’s Office has established controls to ensure compliance with policies and to safeguard petty cash; however, the office should provide more oversight and further strengthen the control environment, including developing an internal policy requiring an annual review and other procedures.

A consulting project assessed the financial sustainability of the faculty practice plan at the UT Health Science Center’s College of Nursing and recommended ways to improve the plan’s financial health and identify opportunities to increase efficiency.

OFFICE OF AUDIT AND CONSULTING SERVICES REPORT 2013

21


INTERNAL AUDITS: CHATTANOOGA Banner Student Information System—Grades The audit was performed to review the processing of student course grades in the Banner Student Information System. The objectives were to determine whether controls existed and were operating effectively to ensure the course grades recorded in Banner are approved, complete, accurate, documented, and confidential. The scope included course fees for the spring 2013 semester and the entry of grades by faculty, the grade change process, and end-of-term grade processing. Auditors concluded that the business process and application controls in the Banner system allow for the appropriate entry and processing of course grades. Recommendations were made to ensure that all grades are entered timely and grade integrity is protected, specifically by replacing the current paper-based grade change process with an electronic form and associated workflow.

Undergraduate Academic Advising Undergraduate academic advising was reviewed at UT Chattanooga (UTC). The UT Board of Trustees’ Audit Committee requested the review to assess the effectiveness of academic advising processes and practices at UTC. The Center for Advisement and Student Success (CASS) was created in 2009 to provide academic advising to freshmen, and the campus has increased its reliance on professional advisors. CASS and the colleges and departments operate their advising function autonomously with little interdepartmental interaction or guidance from campus administration. UTC’s focus on advising over the last five years has had a positive impact on first-year retention rates, and the 2012 four-year graduation rate has increased, but first-year retention and six-year graduation rates remain below national and peer institution averages. Recommendations were made to

ACS plans to annually audit the data submitted for the Complete College Tennessee Act, each year choosing one component in state’s funding formula. Our initial audit focused on progression data in the formula.

22

UNIVERSITY OF TENNESSEE

expand campus oversight of the advising programs and use more non-faculty advisors; develop mission statements, goals, objectives, advisor/advisee expectations, and desired outcomes; develop measurable standards of performance for faculty and professional advisors; develop written policies and/or handbooks for advising programs; and provide annual training for advisors.

WUTC-FM Radio Auditors conducted the annual financial audit of UT Knoxville’s public radio station, WUTC-FM, for the year ended year ended June 30, 2013, with comparative information presented for fiscal year ended June 30, 2012, and prepared the report for submission to the Corporation for Public Broadcasting (CPB). This audit is required by the CPB and was included in the annual audit plan. The financial statements present fairly, in all material respects, the financial position of the station as of June 30, 2013 and 2012, and the changes in its financial position and its cash flow for the years then ended in conformity with generally accepted accounting principles.

Summary Procurement Card Report The report summarizes procurement card audits performed from December 2011 through February 2012 at UT Chattanooga (UTC). The audits evaluated each department’s internal controls and compliance with university policies regarding UT procurement cards. Eight audits were conducted encompassing 10 accounts, 73 monthly statements, and 346 randomly selected transactions. Although the purchasing department is the campus’s procurement card coordinator, its role is limited to ordering and distributing cards. A high rate of exceptions was found for cardholders and verifiers signing


statements, electronic approval of statements, and inadequate or missing receipts. These areas constitute significant controls for the use of the cards. A campus official stated UTC did not use the university reports produced to help monitor departments’ performance. Recommendations included the business office following up on certain exceptions, the purchasing department canceling cards not picked up timely, and reemphasizing to cardholders and verifiers their duties and providing additional training. Results and recommendations were reported to the audited departments, which responded and have taken corrective actions or agreed to the recommendations to correct their exceptions.

Summary Equipment Report The report summarizes equipment audits performed in December 2011 at UT Chattanooga. Ten audits were conducted encompassing 270 equipment items. The Facilities Planning and Management office tags and records serial numbers of

items received and makes corrections in the inventory records, among other duties. A high rate of exceptions was found for incorrect serial numbers and missing UT tags; undocumented surplus or inadequate documentation for missing, transferred, or dismantled equipment; and late submission of the annual inventory. These areas constitute significant controls for recording and safeguarding equipment assets. Some of the exceptions may have resulted from the prolonged absence of a key employee in Facilities which may have been corrected upon the employee’s return. Other exceptions represented a lack of understanding or lapse in performance at the departmental level. Recommendations involved strengthening equipment management on the UTC campus, including additional training, decentralizing some activities such as tagging, and reemphasizing timeliness for the annual inventory. Results and recommendations were reported to the audited departments, which responded and have taken corrective actions or agreed to the recommendations to correct their exceptions.

INTERNAL AUDITS: MARTIN Office of the Chancellor The audit scope included travel, entertainment, equipment, payroll, procurement card, and other expenses for fiscal year 2013. The expenditures were reviewed for compliance with university policies and to determine whether they appeared appropriate and reasonable. Auditors also verified the office’s equipment inventory records. Recommendations were made to not purchase gift cards for employees and determine whether the chancellor’s development fund may be used to purchase flowers (or request a policy exception from the UT chief financial officer).

Banner Student Information System—Grades The audit was performed to review the processing of student course grades in the Banner Student Information System. The objectives were to determine whether controls existed and were operating effectively to ensure the course grades recorded in Banner are approved, complete, accurate, documented, and confidential. The scope included course fees for the spring 2013 semester and the entry of grades by faculty, the grade change process, and endof-term grade processing. Auditors concluded that the business process and application controls in the Banner system allow for the appropriate entry and processing of course grades.

Undergraduate Academic Advising Undergraduate academic advising was reviewed at UT Martin (UTM). The UT Board of Trustees’ Audit Committee requested

the review to assess the effectiveness of academic advising processes and practices at UTM. Academic advising is provided to all regularly enrolled students before each semester, and each college decides the advising method for its students. Most departments rely on faculty advisors, while some use professional advisors, advising coordinators, and/or graduate students. The campus does not offer regularly scheduled training sessions for advisors. Based on first-year freshman retention and six-year graduation rates, UTM does a reasonable job of retaining and graduating students. Recommendations were made to appoint a full-time senior administrator to coordinate advising campuswide, which should include developing mission statements, objectives, expected outcomes, and advising policies; consider campuswide training for advisors; and determine a more equitable method of assigning advisees than is used currently.

NCAA Special Assistance Fund—Athletics Department The NCAA Special Assistance Fund was reviewed for fiscal year 2013. The audit included an examination of disbursements and expenditures and is required annually by the Ohio Valley Conference. Auditors found the Athletics department’s use of the funds to be in compliance with NCAA guidelines, with one exception. A non-student-athlete received tutoring services (a benefit of $140). Athletics should verify students’ eligibility to avoid denial of funds or other adverse actions. OFFICE OF AUDIT AND CONSULTING SERVICES REPORT 2013

23


INTERNAL AUDITS: INSTITUTE OF AGRICULTURE UT Extension Bank Accounts Summary Report The objective of the audits was to determine the UT Extension offices’ compliance with procedures for the county bank accounts and applicable university policies and to determine the effectiveness of related internal controls. Claiborne, Johnson, Loudon, McMinn, and Washington County Extension offices were selected for review. The scope included a review of bank account records, the receipt and expenditure of funds, and related records from July 1, 2011, to October 12, 2012. Reports were sent

to each office and included responses from the county director for any recommendations provided. Recommendations were provided to Extension administration to address documenting expenditures (missing receipts, receipts without the vendor’s name, receipts not itemized or dated, and undocumented awards), reporting changes in authorized checking account signatures to the regional office within three business days, reconciling the county bank accounts each month, and separating the duties of account management and cash handling.

INTERNAL AUDITS: UT SPACE INSTITUTE Center for Laser Applications The audit was conducted to examine the processing of effort reporting and operating expenditures for sponsored projects active from July 1, 2011, to March 31, 2012. The Center for Laser Applications complied with applicable university

Given the volume of transactions and the decentralized controls for the procurement card process, our monthly monitoring of transactions noted relatively few violations this year. Policy violations of entertainment expenses over the prescribed limit have remained relatively stable, and travel-related violations declined.

24

UNIVERSITY OF TENNESSEE

policies and procedures and had an effective system of internal controls for the areas reviewed. Effort certification records were calculated correctly, well documented, and approved. The expenditures reviewed appeared appropriate for the sponsored projects.


INVESTIGATIONS INVESTIGATIONS: UT SYSTEM Facilities Planning Auditors reviewed anonymous allegations that a personal relationship existed between the director of Facilities Planning and the principal engineer with Professional Engineers, Inc. (PE), proposals for geotechnical engineering services for UT capital projects were potentially rigged, and other alleged financial misconduct by the engineer. No indication was found of a personal relationship affecting how contracted design firms selected the engineering services. Local designers frequently selected PE because of its extensive experience with the local geography and the university. The designers interviewed denied the director told them to use PE. Auditors also reviewed UT’s Min Kao Electrical and Computer Engineering capital project as representative of all such projects and found no evidence the PE engineer was given information about other proposals before submitting his. Additional proposals were found, however, for geotechnical services submitted by the engineer after PE’s initial work on the project. Although no evidence of fraud was found, Facilities Planning relies almost solely on the designer to ensure that all necessary work is conducted by the geotechnical engineer and subsequent billing is accurate. Such reliance on the designer could allow fraudulent activity to occur. The new Capital Projects director has implemented numerous procedural changes, including the creation of a budget director position, which will allow for a more structured review of billing. Auditors plan to review Facilities Planning’s operations this year to evaluate controls for effectiveness.

INVESTIGATIONS: UT SYSTEM ADMINISTRATION Chief Information Officer Auditors investigated anonymous allegations of financial misconduct by the former chief information officer (CIO) for UT Knoxville (UTK) and UT System Administration. The complainant alleged the CIO misused the student technology fee for UTK’s new portal project, used university resources for a personal business while being paid by UT, and tried to influence purchasing decisions so that friends could obtain contracts with the university. It was also alleged that the search process for the permanent CIO violated the UT Office of Equity and Diversity’s (OED) search procedures, the job description for the CIO position was written restrictively so that only this employee would qualify, and he had been dismissed from his previous position with UT-Battelle under questionable circumstances. No evidence was found to support the allegations that he misused the student technology fee or that university resources were used for personal business; however, it appeared the CIO attempted to steer a university contract to a friend, but the university’s purchasing procedures and questioning prevented the award. Also, hiring procedures were not followed when the CIO was placed in a limited duration appointment. Although UT administrators may authorize exemptions to policies and procedures, the reasons for such exceptions should be documented and retained.

UT Research Foundation Auditors investigated an allegation that the former president of the University of Tennessee Research Foundation (UTRF)

and a UTRF staff member operated a personal business that directly competed with UTRF by helping developers of intellectual property commercialize their inventions. Two faculty members named in the allegation denied any involvement, and auditors identified no personal businesses owned by the employees that compete with UTRF. The former president has two personal businesses to commercialize intellectual property, but they are focused on specific intellectual property that his companies own. It was recommended that no further action be taken.

Former Chief Operating Officer Expenditures The expenditures under the control of the former chief operating officer (COO) for the University of Tennessee Foundation, Inc. (UTFI) were reviewed at the request of the UTFI president. The objectives were to determine whether the expenditures supported UTFI operations and to identify any instances of fraud, waste, or abuse. The scope included fiscal year 2013 expenditures through April 2013. Overall, expenditures supported UTFI’s operations. Recommendations were made to review certain expense items as possible taxable income for the former COO, discontinue conducting business with vendors whose relationships with UTFI employees create conflicts of interest and ensure that employees properly disclose all financial interests, and remove procurement responsibilities from the former COO’s executive assistant and establish proper separation of duties in the procurement card process. The assistant was terminated as a result of the review. OFFICE OF AUDIT AND CONSULTING SERVICES REPORT 2013

25


INVESTIGATIONS: KNOXVILLE Athletics Ticket Office Auditors investigated concerns that Athletics Ticket Office staff may have been the intended recipients of gift cards from IMG College, LLC (IMG) as bonuses for selling season tickets. The objective was to determine if the university’s contracted vendor, IMG, established an incentive program providing gift cards to Athletics Ticket Office staff. Auditors were notified after the gift cards in question were stolen by a UT mail clerk, who was arrested. IMG had implemented an incentive program for sales of seat cushions by IMG account executives, and these were the gift cards stolen. No evidence was found that IMG provides gift cards as incentives to Athletics Ticket Office staff or that the staff participate in any UT incentive programs. Nothing was found to indicate Athletics Ticket Office staff violated university policy, and no recommendations were provided.

Athletics Event Management Auditors reviewed the attendance and payroll processes for ushers in Event Management, focusing on the adequacy of controls to help ensure the accuracy of records and to prevent fraud. The review was conducted in response to an allegation that an usher at Neyland Stadium was paid for a game not worked, consequently receiving two game tickets for perfect attendance during the season. The complainant stated another employee signed in for the usher in question. Auditors identified two control weaknesses in the department’s attendance timekeeping process and recommended corrective actions to document and monitor the ushers’ presence during games.

Early Learning Center Auditors reviewed anonymous allegations of outstanding tuition for the former director and former administrative specialist in the Early Learning Center (ELC). The employees admitted having outstanding tuition balances for children enrolled in ELC programs ($6,425 for the director and $5,551.35 for the specialist). The director’s amount was withheld from his final paycheck and returned to the department, and the specialist’s remaining debt was $3,411.78 after applying her final paychecks. Numerous outstanding accounts for others were identified which the department had not attempted to collect. The amounts owed for each account were verified and letters were issued to the account holders to begin collecting the debts. Also, a conflict of interests was found for the director regarding a consulting agreement. Auditors recommended strengthening controls for receiving, receipting, securing, and depositing funds, among others. The director was terminated from his position and the assistant resigned.

Parking and Transit Services Auditors reviewed an anonymous allegation that parking attendants in the Neyland Drive G10 garage (lower level) mishandled funds during athletic and special events at the direction, or with the knowledge, of the former coordinator. Auditors found he violated departmental policy by directing the attendants to continue selling parking spaces after tickets were 26

UNIVERSITY OF TENNESSEE

sold out and instructing them to separate the “overage” funds from the sale of those spaces from the funds to be deposited. Attendants interviewed and the coordinator confirmed this statement. Auditors could not locate the overage funds in the deposit records, even though the coordinator said he deposited them. During interviews, he continually changed the description of the process he used to deposit the overages. He admitted forging signatures of lot attendants on deposit documents, falsifying documents, and destroying tickets to hide any overage because he believed it would trigger an audit. Auditors identified three instances consistent with the coordinator’s explanation of how he disguised overages to appear like ticket sales; however, the instances could also be the result of the department’s normal operating procedures. He retired in fall 2012. Departmental policies and procedures were updated to help ensure that funds received are properly documented, secured, and deposited.

Athletics Event Management—Cash Controls Following a burglary in Athletics’ Event Management office, auditors were asked to review the office’s cash-handling process. Personal cash totaling $4,150 was taken from an employee’s desk. Staff believe the suspect targeted the office because large sums of cash are routinely received for team travel advances. The review focused on the adequacy of controls to safeguard cash in the office. The travel advance records and practices indicated that 33 percent of travel advance funds were not returned to the Athletics business office within 30 days of completion of travel as required by UT policy. Also, the department does not have a proper safekeeping facility for large quantities of cash pending return to the business office. The business office currently issues travel advances in cash. Staff noted the need for additional options to reduce the risk involved in employees carrying large sums of cash. Recommendations were provided to address the identified weaknesses, as well as alternatives to cash travel advances.

Office of the Dean—College of Agricultural Sciences and Natural Resources Auditors reviewed an anonymous allegation from the state’s hotline for fraud, waste, and abuse. The complainant stated the former director of student retention in the Dean’s office stole university furniture from her office when she resigned from the College of Agricultural Sciences and Natural Resources (CASNR). All items alleged to have been stolen were located, except a desk valued at $700. The coordinator said her moving company may have unintentionally taken the desk while moving her personal items from campus. She refused to examine her storage unit, located out of state, making it impossible to investigate further. Auditors learned the department never paid for the furniture in question. An employee from the office furniture company said he neglected to invoice UT for the items. CASNR lost track of the missing invoice during a departmental move in 2010. CASNR should formally document the receipt of materials, supplies, and equipment in compliance with university policy.


Ecology and Evolutionary Biology

Sponsored Projects Accounting

Auditors reviewed an allegation that a student worker submitted timesheets for hours not worked totaling nearly $10,000. The allegation could not be substantiated or refuted. The student’s direct supervisor judged the amount of work he produced to be insufficient. Auditors could not determine whether the hours on timesheets were justifiable because he was allowed to use paid time to learn software for the project and his work was not monitored. Both the student’s direct supervisor and another faculty member involved believed he had stopped working on the project. The departmental business office processed timesheets without requiring supervisory approval, and procedures for reviewing and approving reconciled ledgers for the project were not followed. A business manager with no knowledge of the project requirements reviewed and approved the ledgers instead of the responsible faculty member. During the review, policies and procedures were updated to help ensure that all timesheets are approved by a supervisor with actual knowledge of the work performed before being processed for payroll. Faculty with gift accounts are now required to review and approve the monthly ledgers.

Auditors reviewed allegations that the director of Sponsored Projects Accounting (SPA) overdrew a National Science Foundation (NSF) award made to the UT Joint Institute for Computational Sciences (JICS) by approximately $2.3 million, made the draws without knowledge that NSF would provide additional funding, and violated UT policy on sponsored grants and contracts. The director’s actions did not appear to violate any NSF regulations, grant terms or policies, or the intent of university policy. She acknowledged that three WBS elements used for the grant were overdrawn, but that the overall grant was never overdrawn. Although the WBS elements were overdrawn by $1,567,948.08, the cumulative draws from the grant, including the director’s draws during the complainant’s leave of absence, totaled $48,682,491, equal to the total award amount. She stated JICS notified her that additional funding from NSF would soon be available, which the JICS budget director confirmed. Her draws did not overspend the overall grant, and corrections to the overdrawn WBS elements were made after additional funding was received. SPA should consider developing written procedures for staff when circumstances require actions that may overdraw WBS elements.

QUALITY

OFFICE OF AUDIT AND CONSULTING SERVICES REPORT 2013

27


VISIONARY

INVESTIGATIONS: HEALTH SCIENCE CENTER Facilities Services Auditors investigated anonymous allegations made to the state’s fraud, waste, and abuse hotline. The caller alleged that Facilities Services employees worked on a contracted job and that performance evaluations were changed to prevent employees from receiving merit raises. Auditors focused on whether unnecessary costs were incurred by having Facilities staff work on a project contracted to an external vendor. No evidence was found that staff evaluations were changed, but Facilities Services allowed employees to help the contractor complete building renovations on a tight deadline. This assistance may have resulted in the university’s overpaying for services. Although it was reasonable to allow UT employees to work with the contractor, the scope of work to be performed by both parties in such future arrangements should be defined and documented in the bid materials and purchase order.

College of Pharmacy Auditors reviewed anonymous allegations that the College of Pharmacy (COP) maintained an external account with a balance of $30,000 and that donors were contributing to possibly fund a golf tournament and other student activities. It was also alleged the COP requested $172,000 transferred from the UT Foundation to the account. No evidence was found of the account, and those interviewed had no knowledge of it. Campus student organizations 28

UNIVERSITY OF TENNESSEE

commonly have external accounts to use for community projects and to solicit funds from alumni. Also, the UT Foundation has an external account to which the COP has access. Student solicitation procedures were updated to address the concerns of Alumni Affairs and Development staff that multiple solicitations by their office and student organizations could result in lower donations to the COP and other campus colleges.

University Family Physicians Auditors reviewed information that an employee in the University Family Physicians clinic held 14 payment checks up to 2 years without depositing or forwarding them to the appropriate university department or private physicians group. The employee was terminated as a result of declining job performance. The objective of the review was to determine whether fraud occurred and controls exist to prevent fraud at the clinic. Weaknesses were identified in the cash-handling process, including no separation of duties among employees who receive payments and who perform invoicing or record payments in accounts receivable and inadequate recording of patient payments. Auditors worked with clinic staff to develop and implement procedures to strengthen the receipting and deposit processes. Although the procedures do not provide optimal assurance that all funds received are deposited and/or posted, further separation of duties is not reasonable because of the limited number of staff.


INVESTIGATIONS: CHATTANOOGA Upward Bound Auditors reviewed anonymous allegations provided to the US Department of Education that UT Chattanooga misused Upward Bound (UB) grant funds. The six allegations involved diverting grant funds to other programs; allowing family members to take the place of students on UB trips; failing to spend funds for supplies, books, and tutors; low graduation and post-secondary enrollment rates; failing to include documentation of eligibility in participants’ files; and failing to allocate funds for staff as outlined in the approved grant. The grant period from June 1, 2007, to May 31, 2012, was reviewed. Five of the six allegations were partially substantiated, though no intentional wrongdoing was uncovered. No evidence was found that federal funds intended for the Upward Bound program were diverted to other university programs. The current program director’s daughter participated in two UB trips, but her participation did not appear to preclude any UB students from attending. Expenditures for supplies, books, and tutors increased significantly over the grant period, indicating that participants in the early years of the grant may not have received the same level of benefits as later participants. The program did not achieve the postsecondary enrollment goal of 90 percent, but that goal may have been unrealistic. Documentation of eligibility was incomplete,

sometimes missing, and other times failed to meet the grant requirements. Although 82 percent of the files were incomplete, 88 percent of the participants appeared eligible. Less than 70 percent of the budget for staffing was spent over the life of the grant, but most positions were filled during the grant period. UTC Upward Bound staff should be aware of university policies that were violated, strengthen procedures regarding program documentation, and resolve any remaining issues regarding participant eligibility with the Department of Education.

Campus Recreation The review was performed in response to two cash thefts totaling approximately $1,223.02 reported to campus police. The police investigated to pinpoint responsibility for the thefts but found no suspects. The review objective was to determine the adequacy of existing controls to safeguard cash in the Campus Recreation offices. Auditors found that ineffective cash controls allowed the thefts to occur. Corrective actions taken by the department will improve the effectiveness of cash-handling procedures and strengthen internal controls, including new locks and keys, new combination lock boxes and related procedures, and additional training. The actions appear adequate to reduce the likelihood of future thefts.

OFFICE OF AUDIT AND CONSULTING SERVICES REPORT 2013

29


INVESTIGATIONS: MARTIN Academic Records Auditors reviewed allegations made to the state hotline for fraud, waste, and abuse that the coordinator in Academic Records operates a tax service on the UT Martin campus and that her supervisor is aware of and condones the activity. No evidence was found to support the allegations, and both the employee and her supervisor denied the claims. Auditors did find e-mails indicating the employee filed tax returns electronically for three nephews, her niece, and herself. She said she prepared her family’s tax returns for 2011 and 2012 and her own returns for 2012, 2011, and possibly 2010 on her office computer. She said she performed the work on lunch breaks and before regular work hours. When three returns were found to have been transmitted during business hours, she amended her original statement, saying she worked through her lunch break on those days. Management should stress that the coordinator not spend excessive amounts of time conducting personal business during university work hours. Human Resources should review the matter and determine if disciplinary action is appropriate.

INVESTIGATIONS: UT SPACE INSTITUTE Dining Hall A possible theft of $100 from a Dining Hall deposit was reviewed. The objective was to determine if an investigation was needed and to examine cash-handling controls in the Dining Hall. The director stated the cashier normally stored daily deposits in her purse at the register until they were delivered to the Business and Finance office and did not remain while the deposit was counted. Several Dining Hall employees had access to the money. Therefore, responsibility for the loss could not be determined. Before the review, the Dining Hall implemented corrective actions to help ensure the security of cash deposits. Written department-specific procedures have been developed, detailing cash register operations and deposit preparation as recommended in university policy.

Mechanical, Aerospace, and Biomedical Engineering Auditors investigated the allegation that a professor of Mechanical and Aerospace Engineering submitted improper travel reimbursement requests. The objectives were to determine if the allegation was true and if expenditures on a National Science Foundation (NSF) grant were allowable under federal regulations and university policy and directly related to the grant. The professor requested reimbursement for seven trips for which other agencies also reimbursed expenses in violation of UT policy. He said he considered the NSF payments to be honorariums, did not read the NSF materials specifying the purpose of the payments, and relied on his administrative assistants to tell him what was allowable. UTSI administrators had approved all of his travel requests. Also, he certified that expenses requested for reimbursement from another organization for a course and presentations were not submitted elsewhere. Recommendations included crediting the grants that were charged improperly, collecting the amount owed ($7,322.08), and ensuring that applicable UTSI employees are aware of policy requirements regarding travel and sponsored grants and contracts. Auditors recommended that the Treasurer’s office revise UT’s Travel Expense Report for the traveler to certify that no other organization has reimbursed any of the items listed. An addendum to the report concerned a $500 payment the professor received for travel expenses to a conference. Because NSF investigators were pursuing this matter, UT auditors did not follow up on the issue. The professor resigned as a full-time faculty member to work at another institution and serves as an adjunct professor at UTSI.

30

UNIVERSITY OF TENNESSEE


Aviation Systems The review was performed in response to anonymous allegations that the chair of Aviation Systems Programs at the UT Space Institute (UTSI) used university funds to purchase an aerobatics plane solely for personal use and lived in California while working for UTSI. Auditors found no evidence that the professor used university funds to purchase such a plane for personal use. They confirmed that he spent time in California while receiving a salary from UTSI but were unable to determine if he performed his duties as required. The plane was purchased to help obtain a research grant (which was not funded) and for use in a graduate course, and the professor was the only person at UTSI qualified to fly it. Although he spent time regularly in California, it appeared he participated in the functioning of the department while employed by UTSI. The professor resigned in 2012, and UT auctioned the plane in 2013.

FOLLOW-UP AUDITS In 2013, the audit staff followed up on 16 audits and investigations to determine whether their recommended corrective actions had been implemented. (Appendix D is a complete list of departments.)

This year we replaced departmental audits of UT procurement cards and equipment with more comprehensive assessments of internal controls by reviewing departmental invoices and ledgers, procurement card expenditures, and equipment inventory.

OFFICE OF AUDIT AND CONSULTING SERVICES REPORT 2013

31


SUPPLEMENTARY PROJECTS

O

ther completed audit-related projects and enhancements were designed to educate the university community, improve accountability, and improve office efficiency. At the request of management, some Audit and Consulting Services staff members also served on university committees and provided training on internal controls, procurement cards, and other areas.

ACS STRATEGIC PLANNING ACS is involved in strategic planning for the department to better serve the university community. In summer 2013, the director of Employee and Organization Development for the university facilitated a session with the entire ACS team. Team members engaged in the process and continued work in the fall. The team created values and vision statements, updated the mission statement, and documented key stakeholder expectations. This work is the foundation for the establishment of goals and actions. The team will complete the process in early 2014 and begin implementing the plan.

QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (QAIP) The primary objective of this program is to promote continuous improvement in ACS. In 2013, ACS began work to formalize ongoing monitoring as part of the QAIP. A team has been working to establish performance metrics and consider other opportunities to enhance monitoring. ACS continues to receive feedback from audit clients after each engagement, which is an important part of the monitoring process. In addition, ACS is implementing internal metrics to be reported to the Audit Committee annually. The progress in 2013 laid the groundwork for a more fully developed and documented quality assurance and improvement program with ongoing monitoring and reporting. Work on this project was put on hold until information was developed as part of the strategic planning process. The team will complete its work in early 2014, and metrics will be established for ACS. These measures will help us meet stakeholders’ expectations. The Institutional Compliance Office developed performance metrics at the beginning of 2013. Each month, the Institutional Compliance team and the executive director review metrics and goals to determine needed course corrections and to move forward with successes.

ACS now uses SharePoint, an organizational intranet that allows staff to collaborate on projects, share ideas and resources, and manage documents and files.

AUTOAUDIT AutoAudit (AA), a commercial software package used by the department, is designed to assist in managing and conducting audits and other projects. This database tool includes modules for planning and budgeting audit projects, reporting and managing staff time, creating electronic workpapers, and other functions. In 2013, ACS revised the audit approach for procurement cards and equipment, which changed the scope and format of the audit programs and related workpapers. The new program for departmental expenditure and equipment audits resides in the AA library and provides steps and guidance on conducting the audits and creating workpapers. This program streamlines planning for these engagements and helps to ensure consistent audit steps across the university system for these particular projects. In addition, we renamed two labels in the ‘Issues’ section of AA for clarity and revised the audit follow-up procedure to include a new project classification in AA that enables auditors to better track the implementation of audit recommendations.

SHAREPOINT ACS began using the organizational intranet SharePoint, which allows staff to collaborate on projects, share ideas and resources, and manage documents and files. Functions and 32

UNIVERSITY OF TENNESSEE


materials specific to ACS include the annual audit plan, report workflow, work schedules, office calendar, ACS Grammar and Style Guide, meeting agendas and presentations, report template, and administrative requests such as leave and travel, among others. We continue to increase ACS’s effectiveness and efficiency by adding and utilizing workflows in SharePoint. The workflows help with report review and ensure that all reviews are accomplished prior to report release. SharePoint is particularly helpful for team members when working across the UT System in various locations. Team members can share documents easily and alleviate versioning issues. SharePoint will also house an updated audit manual. Previously, this manual was a paper desk manual provided to each auditor. When the manual is updated, it will be on the ACS SharePoint site allowing for easy access and more efficient updates.

ELECTRONIC REPORTING ACS began preparing reports electronically for monthly submission to the Audit Committee, State Audit office, and executive management. A task force of ACS team members developed a report template. The template increases efficiency because formatting is designed as part of the template rather than on a report by report basis. In addition, the template was designed in a format compatible with both PC and Mac operating systems. This reporting has resulted in significant time savings from a paperintensive reporting process and has provided the audit team a valuable tool to increase productivity and better utilize word processing. Not including time savings, the postage savings is estimated to be over $400 annually.

VIDEOCONFERENCING During ACS staff, committee, and other departmental meetings, we use videoconferencing to increase the effectiveness of teamwork and communication by including our auditors located at campuses across the state.

Navigational Tools: Fiscal Guidelines for the President and Senior-Level Staff was revised this year. The guidebook was created to help UT administrators fulfill the responsibilities of their positions and to use their fringe benefits wisely.

 AVIGATIONAL TOOLS: FISCAL GUIDELINES FOR THE N UT PRESIDENT AND SENIOR-LEVEL STAFF The former Fringe Benefits Guidebook was revised and retitled Navigational Tools: Fiscal Guidelines for the President and Senior-Level Staff. The purpose of the guidebook is to help UT administrators fulfill the responsibilities of their positions and to use their fringe benefits wisely. Some policy and procedural material was removed, and the guidebook was streamlined regarding administrators’ use of fringe benefits and other expectations. Major revisions were made in the travel, entertainment, and wireless/IT sections based on current UT policy. In particular, the wireless and IT sections were combined to address new technology and related interpretation of the state’s public records laws; a new section was added on taxable fringe benefits, based on the new fringe benefits policy; and the section on UT vehicles was deleted.

ACS GRAMMAR AND STYLE GUIDE The ACS Grammar and Style Guide was developed for ACS staff. The guide was compiled from UT Knoxville’s editorial/style guide, ACS grammar workshop materials, Chicago Manual of Style, Associated Press Stylebook, online materials, and examples in departmental reports. Included are examples of how to make common words and phrases used in ACS reports more direct and concise. The guide is updated as needed and available on the office SharePoint site. OFFICE OF AUDIT AND CONSULTING SERVICES REPORT 2013

33


UT AND DEPARTMENTAL COMMITTEES Steve Bamburg

Sandy Jansen

Judy Burns

Human Resources Policy Advisory Group (June 2010 to present). The purpose is to advise the Human Resources officers of changes needed in university HR policies. The systemwide group reviews existing policies to ensure that all needed information is included, the policies are clear and understandable, and they apply to all campuses and institutes. The group may also suggest new policies.

Benefits Advisory Board (March 2012 to present). This group, composed of administrators from all UT campuses and institutes, meets quarterly to discuss issues involving all types of employee benefits, such as leave, insurance, retirement, and tuition waivers. Executive Compliance Committee (March 2011 to present). This group provides vision for the institutional compliance program and oversees the UT campuses’ compliance risk assessments and corrective actions. IRIS Steering Committee (January 2013 to present). This group provides oversight and input on IRIS (the university’s financial and human resources system) priorities. Student Activities Review Team (April to October 2013). This group reviewed funding for student organization events from sources other than student activities fees and provided recommendations.

Leigh Cheek

Bill Moles (facilitator and non-voting member)

Conflict of Interests Review Committee (April 2011 to present). The purpose is to review outside financial interests disclosed by faculty and staff at UT Chattanooga to determine if the interests create a potential conflict between the employees’ personal and university responsibilities. The committee will make recommendations to the campus chief business officer to ensure the campus is in compliance with university policies and state statutes.

UT Health Science Center Campus Compliance Committee (September 2012 to present) and UT Institute of Agriculture Campus Compliance Committee (April 2013 to present). The purpose of each committee is to interpret the results of the compliance risk assessment the Institutional Compliance Office performs for the campus and to establish priorities and appropriate plans of corrective action.

John Fox

Conflict of Interests Review Committee (August 2008 to present). The purpose is to review outside financial interests disclosed by faculty and staff at UT Knoxville to determine if the interests create a potential conflict between the employees’ personal and university responsibilities. The committee chair further investigates potential conflicts identified by the committee. Capital Projects Financial Reporting Committee (March 2011 to present). The purpose is to develop a financial report for ongoing capital projects to better communicate each project’s status to campus administrators. The committee has developed a draft financial report.

Douglas Hawks

Fiscal Policy Review and Reform Committee (May 2013 to present). This group, composed of administrators from all UT campuses and institutes, meets monthly to discuss opportunities to clarify and revise UT fiscal policy. The committee’s primary goal is to contribute to accomplishing goal #5 of the UT Strategic Plan by ensuring that campuses and institutes have clear guidance related to fiscal processes and controls. UT Knoxville Policy for Minors Implementation Committee (September 2013 to present). The committee is charged with implementing processes and controls to ensure the safety of minors participating in programs on the Knoxville campus.

34

UNIVERSITY OF TENNESSEE

UT Knoxville Campus Compliance Committee (October 2011 to present), UT Health Science Center Campus Compliance Committee (September 2012 to present), and Institute of Agriculture Compliance Committee (March 2013 to present). The purpose is to interpret the results of the compliance risk assessment performed by the Institutional Compliance Office for the campus and to establish priorities and appropriate plans of corrective action. UT System Executive Compliance Committee (December 2013 to present). This committee has general oversight of the institutional compliance function for the university. It provides vision and direction to the institutional compliance program and provides guidance on allocating resources and determining acceptable levels of risk as issues arise. The committee held its annual meeting in December 2013.

Jim Purcell

IT Security Community of Practice (July 2012 to present). The Security CoP provides input to the Statewide IT Committee on priorities related to the university’s IT security strategy. The Security CoP ensures that the committee has necessary information on security priorities, best practices, and standards to make decisions concerning IT priorities and investments, IT applications, overall policies and standards, and common data and business processes. Many staff also served on internal committees to develop or update procedures and training materials, such as the Audit Manual, risk assessment process, and career ladder, and to develop the ACS values and vision statements, among other efforts to increase the department’s efficiency and effectiveness.


TRAINING PROVIDED WITHIN AND OUTSIDE THE UNIVERSITY Brittany Barnett taught classes through Human Resources on the importance of effective internal controls for UT Knoxville departments. Judy Burns conducted the workshop “Root Cause Analysis” at ACS’s 2013 annual auditors meeting. Discussion topics included The Institute of Internal Auditors’ guidance on performing root cause analysis, tools for conducting such analyses, and how to document the results in workpapers. Participants completed exercises to identify root causes. In addition, she co-facilitated one of five small groups of administrators at the February 2013 UT Leadership Institute, a week-long leadership recognition and development program for UT leaders (deans, directors, and above). Sherry Davis taught classes on general ledgers through the IRIS department. John Fox presented a framework for organizing workpapers in the office’s electronic workpaper system at the 2013 annual auditors meeting. The framework provides a method to consistently organize workpapers for most projects for greater understanding, promotes better documentation of a project’s objectives, and helps ensure that the objectives are met. In addition, he presented a set of workpaper rules to improve the clarity of documents included in the workpapers. Elizabeth Hall led two sessions in the office’s Lunch and Learn series on IDEA and ACL software to explore potential data mining options for ACS. She also taught classes on general ledgers through UT’s IRIS department and an accounting course at Pellissippi State Community College.

Sandy Jansen facilitated the four-day seminar “Audit Manager Tools and Techniques” for The Institute of Internal Auditors. The seminar is designed to help audit mangers effectively manage audit staff and resources and increase the effectiveness of the internal audit department. Linda Marion presented the training workshop “Conquering Grammar Irritants=Pearls of Knowledge” for an office Lunch and Learn session. The presentation focused on staff requests, including discussions and grammar exercises covering subject/ verb agreement, commas, semicolons, colons, dangling modifiers, and dashes. Jim Purcell presented “Integrating IT Audit: We Can Do It!” at the 2013 ACUA Annual Conference. The presentation addressed steps and techniques for including elements of IT audits into most university internal audits. Stephanie Steeves presented “Calming the Rough Seas of Editing: Establishing Departmental Report Writing Standards” at the ACUA 2013 Annual Conference. The presentation addressed using report templates, style manuals, and report routing to expedite the release of reports and included the steps ACS has taken to streamline the reporting process. In addition, Stephanie presented a Lunch and Learn session to the office on using the features in the Outlook calendar to schedule appointments and manage appointments. Jay Taylor taught classes on UT procurement cards through IRIS. The class introduces the concepts, policies, and responsibilities of procurement card management, including reconciling monthly statements.

TRAINING OBTAINED WITHIN AND OUTSIDE THE UNIVERSITY To expand their knowledge and obtain the required continuing education credits (CPE), auditors in the department attended training in areas as diverse as ethical leadership, higher education governance, root cause analysis, strategic planning, cloud

computing, emerging fraud risks, predictive analytics, innovative customer service strategies, audit manager tools and techniques, cybersecurity, NCAA Bylaws, and forensic interviewing. The ACS audit staff obtained over 1,230 CPEs in 2013.

OFFICE OF AUDIT AND CONSULTING SERVICES REPORT 2013

35


APPENDIX A: 2014 ORGANIZATION OF THE UNIVERSITY OF TENNESSEE

BOARD OF TRUSTEES

ADMINISTRATIVE ASSISTANT

CHANCELLOR UTK

AUDIT COMMITTEE

PRESIDENT

EXECUTIVE ASSISTANT TO PRESIDENT

GENERAL COUNSEL & SECRETARY

CHANCELLOR UTM

CHANCELLOR UTC

CHANCELLOR UTIA

CHANCELLOR UTHSC

CHIEF OPERATING OFFICER UTSI

EXECUTIVE VP/ VP RESEARCH & ECONOMIC DEV/ORNL RELATIONSHIPS

VICE PRESIDENT GOVERNMENT RELATIONS & ADVOCACY

VICE PRESIDENT FOR HUMAN RESOURCES

VICE PRESIDENT ACADEMIC AFFAIRS & STUDENT SUCCESS

VICE PRESIDENT IPS

VICE PRESIDENT DEVELOPMENT & ALUMNI AFFAIRS

VICE PRESIDENT & DIVERSITY ADVISOR

TREASURER & CHIEF FINANCIAL OFFICER

EXECUTIVE DIRECTOR AUDIT & CONSULTING SERVICES

INTERIM CHIEF INFORMATION OFFICER

36

VICE PRESIDENT COMMS. & MARKETING

UNIVERSITY OF TENNESSEE


ACS staff served on university committees to enhance and streamline operations and develop and revise policies, including committees on human resources and fiscal policies, protecting minors on campus, conflict of interests, and UT compliance efforts.

SANDY JANSEN, CIA, CCSA, CRMA Executive Director

Linda Marion Coordinator

Bill Moles, CCEP, CIA Director Institutional Compliance

Leigh Cheek, CCEP, CIA, CISA Compliance Officer

Shelly Getty Administrative Assistant

Judy Burns Associate Director

John Fox, CPA (inactive) Associate Director

Brittany Barnett, CFE Auditor

Jim Purcell, CISSP, PMP

Steve Bamburg, APA

Sherry Davis

Stephanie Steeves, CIA Auditor

Jay Taylor, CFE, CICA Auditor

Elizabeth Hall, CPA

James Hodge, CICA, CIA, CGFM

Doug Hawks, CIA, CRMA Sr. Performance Auditor

Senior IT Auditor

Senior Auditor

Auditor

Thema McCowan Auditor

Auditor

Leon Hurt, CPA, CIA, CFE Manager

Taylor Cupples

Assistant Auditor

Senior Auditor

Chasity Davis Senior Auditor

Vacant Manager

Nancy Lange, CIA, CISA

Auditor Procurement Cards

Student Auditors

OFFICE OF AUDIT AND CONSULTING SERVICES REPORT 2013

37


COMMUNITY

APPENDIX B: INTERNAL AUDIT CHARTER STATEMENT OF PURPOSE, AUTHORITY, AND RESPONSIBILITY PURPOSE AND SCOPE Internal auditing at the University of Tennessee is an independent appraisal activity established to examine and evaluate the activities of the university as a service to management and the Board of Trustees. Internal Audit assists management in carrying out their duties and responsibilities effectively by examining financial and operational internal control systems, including administrative information systems, to evaluate the extent that • Financial, property, and information assets are safeguarded; • Information is accurate and reliable; • University policies and external laws and regulations are followed; • Resources are employed efficiently and economically; and

• Suggest policies and procedures where appropriate; • Provide audit reports that identify internal control issues (among others) and make cost-effective recommendations to strengthen controls; • Facilitate the resolution of audit issues with administrators who have the most direct involvement and accountability; • Maintain auditing standards consistent with those established by the Institute of Internal Auditors Inc. to ensure the effectiveness and quality of the internal audit effort; and • Investigate allegations involving theft or misuse of university assets. In their staff functions, internal auditors have no direct responsibility or authority over any of the operating activities examined, and their review shall not relieve others of their responsibilities. Furthermore, the independence of the internal auditors should not be compromised by their implementing procedures, preparing records, or engaging in activities that internal auditors would normally review.

• Operations and programs are being carried out as planned, and their results are consistent with the university’s objectives.

REPORTING STRUCTURE AUTHORITY AND RESPONSIBILITY Internal auditors shall be authorized full and complete access to all university records (either manual or electronic), physical properties, and personnel relevant to a review. The corresponding responsibility of internal auditors is to handle documents and information obtained during a review in the same prudent manner as by those employees normally responsible for them. In fulfilling their responsibilities, internal audit departments at each campus or unit will • Develop and implement audit plans and programs that respond to both risk and cost-effectiveness criteria; 38

UNIVERSITY OF TENNESSEE

The internal audit function reports to the Audit Committee of the Board of Trustees with supporting responsibilities to the chief financial officer. Campus/institute internal auditors report to the Knoxville audit office with supporting responsibilities to the chief executive of each campus or institute and their respective chief business officers. When requested, internal auditors may attend senior-level staff meetings and serve on various university committees. Their role at such meetings should be limited to rendering advice and staying abreast of strategic, governance, and risk issues. At the conclusion of each audit, Internal Audit will issue timely reports to the audited parties, senior management, the State of Tennessee Division of Internal Audit, and the Audit Committee.


APPENDIX C: PERSONNEL QUALIFICATIONS KEY: APA CCEP CCSA CFE CGFM CIA CICA

Associate in Premium Auditing Certified Compliance and Ethics Professional Certification in Control Self-Assessment Certified Fraud Examiner Certified Government Financial Manager Certified Internal Auditor Certified Internal Controls Auditor

Kasandra G. Atwood, senior auditor Bachelor of Science, Accounting, East Central University, Oklahoma, 1992 Master of Business Administration, the University of Tennessee, 2002

Kasandra Atwood joined ACS in 1999. She worked previously for a public accounting firm in Oklahoma, where she audited public school districts, cities, and towns. Before leaving the office in mid2013, Kasandra conducted audits and financial reviews of university departments and operations.

Steven G. Bamburg, senior auditor, APA

CISA CISSP CPA CPS CRMA PMP

Certified Information Systems Auditor Certified Information Systems Security Professional Certified Public Accountant Certified Professional Secretary Certification in Risk Management Assurance Project Management Professional

Leigh Cheek, institutional compliance officer, CCEP, CIA, CISA Bachelor of Science, Mathematics, California Polytechnic State University, 1982

Leigh Cheek has over 25 years’ experience in computer science and accounting. She joined ACS in 1998 and has conducted information technology security reviews and risk assessments for the university’s computer systems and networks. Now in the office’s Institutional Compliance division, she researches new laws and regulations and manages the database of laws, regulations, and the compliance risk assessment, among other duties. Leigh is a past president of IIA’s East Tennessee Chapter and serves on its Board of Governors. This year she obtained her CCEP certification.

Bachelor of Science, Accounting, Louisiana State University, 1990 Bachelor of Science, Biological Science, Louisiana Tech University, 1978

Steven Bamburg joined the office in 2009. Previously he worked as a senior Medicare auditor at a subsidiary of BlueCross BlueShield of Tennessee. Steve conducts audits, investigations, and financial reviews of departments and operations on the Chattanooga campus.

Taylor W. Cupples, assistant auditor Bachelor of Business Administration, Finance, Harding University, 2012

Taylor worked as a student auditor on the UT Martin campus in 2012 before joining the UT Health Science Center team full-time in 2013. He performs compliance and control audits at the Memphis and Martin campuses.

Brittany M. Barnett, auditor, CFE Bachelor of Science, Criminal Justice/Criminology East Tennessee State University, 2005

Brittany Barnett joined the department in 2006. Previous work experience includes retail banking, banking operations, and bookkeeping. She conducts investigations and financial reviews of departments and operations.

Judith A. Burns, associate director Bachelor of Arts, English and Political Science, the University of Tennessee, 1982 Master of Arts, English, the University of Tennessee, 1984

Judy Burns joined ACS in 1986. She has served as editor and office coordinator, management analyst, manager of management consulting and fiscal policy development, and as interim executive director from August 2010–February 2012. She spent several years outside the department managing training and user support during UT’s implementation of its financial and human resources system, rejoining the office in 2004. She has been a member of the Board of Governors for the East Tennessee Chapter of The Institute of Internal Auditors (IIA) since 2009 and a staff member/ facilitator for the University of Tennessee Leadership Institute, a leadership recognition and development program for UT leaders, since 1996. Judy is currently associate director for the department.

Chasity R. Davis, senior auditor Bachelor of Business Administration, Accounting, Middle Tennessee State University, 2002 Master of Business Administration, Bethel University, 2011

Chasity Davis joined ACS in 2005, with one year spent in another position on the Memphis campus. Previously she was a claims representative in the insurance industry and a cost accountant for Nissan Corporation. She performs investigative, compliance, and operational audits for the UT Health Science Center.

Sherry S. Davis, auditor Bachelor of Science, Computer Science, University of Tennessee, 2002

Sherry Davis joined the department in 2012. Previously she worked as an internal auditor for Clayton Homes and has experience in bookkeeping and computer programming. Sherry performs audits and financial reviews of university departments and operations and conducts investigations as needed. In addition, she serves as a primary resource for ACS staff for operational questions regarding AuditAudit, the office’s effort reporting and workpaper system.

OFFICE OF AUDIT AND CONSULTING SERVICES REPORT 2013

39


John M. Fox, associate director, CPA (inactive)

James H. Hodge, senior auditor, CGFM, CIA, CICA

Bachelor of Arts, Cell Biology, the University of Tennessee, 1977 Master of Accountancy, the University of Tennessee, 1981

Bachelor of Business Administration, East Tennessee State University, 1986

John Fox joined the department in 1982. He worked a short time in public accounting and has been an adjunct accounting instructor over the years at Walters State Community College. John helped develop and revise UT fiscal policy for 14 years and manages the internal audit function in ACS, conducting audits and investigations as needed.

Shelly J. Getty, administrative specialist II, CPS Bachelor’s degree in Christian Education, Allegheny Wesleyan College, 1998

Shelly Getty joined ACS in 2000. She is the administrative assistant to the executive director and the office manager.

Elizabeth H. Hall, auditor, CPA Bachelor of Science in Business Administration, the University of Tennessee, Knoxville, 2000 Master of Accountancy, the University of Tennessee, Knoxville, 2003

Elizabeth Hall joined ACS in 2010. She previously worked in public accounting for KPMG, Coulter and Justus, and PYA; taught cost accounting at South College in Knoxville; and worked for UT Knoxville as a graduate teaching assistant, graduate assistant, and residence hall director. She conducts audits of university departments and operations.

Douglas Hawks, senior performance auditor, CIA, CRMA Bachelor of Science in Business Administration, Southern Utah University, 2002 Master of Business Administration, Indiana University, 2005 Master of Public Administration, Southern Utah University, 2011

Doug Hawks joined ACS in 2012. Previously serving as director of Internal Audit at Southern Utah University, he has worked in internal audit departments in the private sector for both large and small companies. His past service to the auditing industry includes serving as chair of the publications committee for the Association of College and University Auditors (ACUA), the editor-in-chief for College and University Auditor, and helping develop ACUA’s Internal Audit Department Start-up Guide. Doug is pursuing his PhD in higher education administration from UT Knoxville and plans to complete his degree in 2015. He conducts performance audits of UT departments and operations.

40

UNIVERSITY OF TENNESSEE

James Hodge has been with ACS since 1999. Previous work experience includes internal auditing at East Tennessee State University and at North Carolina A&T State University. He performs audits and financial reviews of university departments and operations and conducts investigations as needed. James received his CICA certification in 2013.

Leon Hurt, manager, CFE, CIA, CPA Bachelor of Business Administration, Accountancy, University of Memphis, 1978

Leon Hurt worked 27 years at the Memphis Light, Gas and Water Division, where he prepared financial statements, performed account analyses, and served as IT project analyst, acting as a liaison between the user and programming personnel and assisting in the design and development of application systems. He has worked over 25 years in internal auditing, conducting IT, financial, and operational audits and supervising staff. He joined ACS in 2007 and performs compliance and departmental audits and investigations at the Memphis campus.

Sandy S. Jansen, executive director, CCSA, CIA, CRMA Bachelor of Business Administration, Accounting, Texas Tech University, 1994

Sandy Jansen joined ACS as the executive director in February 2012. She worked for 21 years in the Texas Tech University System, serving the last 7 years as assistant chief audit executive. In her current role at UT, she oversees internal auditing, institutional compliance, and consulting services for the university system. Sandy is active in professional service. In 2013, she completed her three-year term as the professional education committee chairperson and was elected vice president of the Association of College and University Auditors, serving from 2013 to 2014. She also serves as an ACUA faculty member and as a volunteer seminar facilitator for IIA, training internal audit professionals in higher education and various industries.

Nancy J. Lange, auditor, CIA, CISA Associate of Science, Pellissippi State Technical Community College, 1994 Bachelor of Science, Business Administration, the University of Tennessee, 1997

Nancy Lange has been with the department since 1996. She served almost 9 years in the US Air Force, working with mainframe computers as an operator and in an array of jobs pertaining to operations support functions. After military service, she continued in similar positions another 6 years on a civilian contract with the Department of the Navy. She supervises student auditors, monitors monthly procurement card purchases, and manages departmental expenditure and equipment audits.


Linda P. Marion, coordinator

Jim E. Purcell, senior IT auditor, CISSP, PMP

Bachelor of Arts, English, the University of Tennessee, 1988 Master of Arts, English, the University of Tennessee, 1991

Bachelor of Science, Business Administration, Tusculum College, 1986

Linda Marion has been ACS’s editor and coordinator of special projects since 1990. She helped coordinate the development, revision, and issuance of university fiscal policy for 14 years. She plays an integral role in the department’s process of developing, revising, and issuing reports of audits, investigations, and IT security reviews. She also coordinates special projects and develops publications to assist university departments with their financial responsibilities. In 2013, Linda began conducting one-on-one editorial ‘coaching’ sessions with the auditors and developed writing exercises tailored to their needs.

Jim Purcell joined ACS in 2012. His 30-year IT career spans time with TVA, Science Applications International Corporation (SAIC), and Regal Entertainment Group. Jim is an instructor for the SANS Institute and has presented information security topics at various IT conferences. He has served in management and staff roles in all aspects of information technology and currently performs IT audits of university departments and operations. Jim also is the technology coordinator for ACS and manages the office’s SharePoint collaboration website.

Stephanie Steeves, auditor, CIA Thema A. McCowan, auditor Bachelor of Science, Biology, The Pennsylvania State University, 2000 Master of Business Administration, The Pennsylvania State University, 2004

Thema McCowan joined ACS in late 2013. She spent a combined five years in audit and consulting at PricewaterhouseCoopers and Deloitte Consulting working with healthcare, pharmaceutical, and government clients. She has served in higher education administration for seven years in both academic affairs and student development. Thema previously worked at Maryville College as the director of career resources, where she was active in the development of the strategic plan and the quality enhancement plan as part of the college’s Southern Association of Colleges and Schools accreditation. She conducts audits of UT departments and operations and investigations as needed.

William A. Moles, director of institutional compliance, CCEP, CIA Bachelor of Science, Business Administration, the University of Tennessee, 1980 Master of Business Administration, Virginia Tech, 1983

Bachelor of Public Management, Florida Atlantic University, 1996 Master of Public Administration, Florida Atlantic University, 2001

Stephanie Steeves came to the department in late 2012 from Palm Beach County, Florida, where she worked in county government for 23 years and served on the Board of Governors of IIA’s Palm Beach Chapter. She conducts performance audits of university departments and operations and investigations as needed.

Jay Taylor, auditor, CFE, CICA Bachelor of Arts, Political Science, the University of Tennessee, Knoxville, 2006 Master of Science, Management, Austin Peay State University, 2010

Jay Taylor has been with UT since 1998, previously as a senior audit clerk for the UT bookstore, joining the department in 2004. She performs investigations of fraud, waste, and abuse for the university system. Jay is a past vice president and a board member of the Association of Certified Fraud Examiners, Knoxville Chapter, and obtained her CFE and CICA certifications in 2013.

Bill Moles began as a management analyst in the department in 1986 with the management consulting group. He joined the internal audit section in 1992, where he performed internal control reviews of the university’s accounting systems and other major functions, IT security audits, and cost studies. He coordinated the annual Self-Assessment of Controls for the UT System from 1989 until 2007. As director of the Institutional Compliance Office, he works collaboratively with UT compliance programs to reduce the university’s regulatory compliance risks. Bill is a past president of IIA’s East Tennessee Chapter.

At the 2013 annual auditors meeting, staff members presented workshops on topics such as analyzing root causes and individual staff strengths, strategic planning, and workpaper framework and rules.

OFFICE OF AUDIT AND CONSULTING SERVICES REPORT 2013

41


APPENDIX D: FOLLOW-UP AUDITS 2013 Audit Year Date Issued

Campus

Project Description

Type

Recommendations Implemented

Jan 2013

UTSA*

Equipment Process

Audit

Yes

Feb 2013

UTK

Mech, Aerospace, and Biomedical Eng

Investigation

Yes

Mar 2013

UTSA

Super Computer

Audit

Yes

Mar 2013

UTHSC

Clinical Education Chattanooga

Other

Yes

May 2013

UTHSC

VC for Academic and Student Affairs

Audit

Yes

May 2013

UTM

Center for International Studies

Audit

Yes

May 2013

UTSA

Top Four Research Grants

Audit

No

Given 6 months to correct.

June 2013

UTM

Housing

Audit

No

Will be covered in new audit.

June 2013

UTM

Skyhawk Card

Audit

Yes

July 2013

UTHSC

Fitness Center

Audit

Yes

Aug 2013

AG

Cost Study of Labs

Audit

Yes

Sept 2013

UTK

Facilities Services Bid Rigging

Investigation

Yes

Sept 2013

UTK

Radiation Safety Department

Investigation

Yes

Dec 2013

UTHSC

College of Nursing

Audit

Yes

Dec 2013

UTSA

Auditing for Fraud

Audit

Yes

Dec 2013

AG

Travel

Audit

Yes

*UT System Administration. 42

UNIVERSITY OF TENNESSEE

Comments


Audit and Consulting Services Directory Knoxville Staff UT Conference Center Bldg Suite 149 Knoxville, TN 37996-4114 Brittany M. Barnett

Auditor/Investigations bbarnet7@utk.edu 865-974-0886

Judith A. Burns

Associate Director jaburns@utk.edu 865-974-1311

Leigh Cheek

Institutional Compliance Officer lcheek@utk.edu 865-974-4420

Sherry S. Davis

Auditor sdavis11@utk.edu 865-974-4791

John M. Fox

Associate Director jmfox@utk.edu 865-974-4434

Shelly J. Getty

Administrative Specialist sgetty@utk.edu 865-974-2390

Elizabeth H. Hall Auditor ehall6@utk.edu 865-974-0869

Douglas Hawks

Senior Performance Auditor dhawks1@utk.edu 865-974-4460

James H. Hodge

Senior Auditor hodgejh@utk.edu 865-974-3865

Linda P. Marion

Coordinator lpmarion@utk.edu 865-974-6602

Thema McCowan

Auditor mccowant@utk.edu 865-974-8422

William A. Moles

Director of Institutional Compliance wmoles@utk.edu 865-974-4438

Jim E. Purcell

Senior IT Auditor jpurcell4@utk.edu 865-974-1538

Stephanie Steeves Auditor ssteeve1@utk.edu 865-974-6616

Jay A. Taylor

Auditor/Investigations vtaylor@utk.edu 865-974-6118

Health Science Center Staff 920 Madison Building Suite #909 Memphis, TN 38163-2101 Taylor Cupples

Assistant Auditor taywcupp@uthsc.edu 901-448-3214

Chasity R. Davis

Senior Auditor cdavis58@uthsc.edu 901-448-5572

Leon Hurt

Manager ehurt1@uthsc.edu 901-448-1435

Executive Director sjansen@utk.edu 865-974-4437

Chattanooga Staff Dept 4855 744 McCallie Avenue Suite 410 Chattanooga, TN 37403-2598

Nancy J. Lange

Steven G. Bamburg

Sandy S. Jansen

Auditor/Procurement Cards nlange@utk.edu 865-974-0887

Senior Auditor steven-bamburg@utc.edu 423-425-4532

OFFICE OF AUDIT AND CONSULTING SERVICES REPORT 2013

43


Audit and Consulting Services helps the university achieve its mission by providing objective and independent evaluations to reduce risk and improve operations.

RESPONSES FROM 2013 CLIENT QUESTIONNAIRES • As always, the recommendations help strengthen our compliance efforts. • The constant dialogue with the auditor assists both parties’ understanding of what’s to be accomplished. AUDIT AND CONSULTING SERVICES UT CONFERENCE CENTER BUILDING SUITE 149 KNOXVILLE, TN 37996-4114 865-974-6611

• The audits have always been well organized and clearly defined—I applaud your efforts. • The engagement and audit personnel were very professional. • Great people! Nice job! • The recommendations added context for our advising strategic planning efforts. • The best result of the audit is the potential impact on student success and the student experience!

OBJECTIVITY

A U D I T

A N D

C O N S U L T I N G

S E R V I C E S

HELPING TO SHAPE THE FUTURE OF

Office of Audit and Consulting Services  

2013 Report of Accomplishments