OFFICE OF AUDIT AND COMPLIANCE
2014 Report of Accomplishments

All qualified applicants will receive equal consideration for employment without regard to race, color, national origin, religion, sex, pregnancy, marital status, sexual orientation, gender identity, age, physical or mental disability, or covered veteran status. Eligibility and other terms and conditions of employment benefits at the University of Tennessee are governed by laws and regulations of the State of Tennessee, and this non-discrimination statement is intended to be consistent with those laws and regulations. In accordance with the requirements of Title VI of the Civil Rights Act of 1964, Title IX of the Education Amendments of 1972, Section 504 of the Rehabilitation Act of 1973, and the Americans with Disabilities Act of 1990, The University of Tennessee affirmatively states that it does not discriminate on the basis of race, sex, or disability in its education programs and activities, and this policy extends to employment by the university. Inquiries and charges of violation of Title VI (race, color, national origin), Title IX (sex), Section 504 (disability), ADA (disability), Age Discrimination in Employment Act (age), sexual orientation, or veteran status should be directed to the Office of Equity and Diversity (OED), 1840 Melrose Avenue, Knoxville, TN 37996-3560, telephone 865-974-2498 (V/TTY available) or 865-974-2440. Requests for accommodation of a disability should be directed to the ADA Coordinator at the Office of Equity and Diversity. • A project of the Office of Audit and Compliance of the University of Tennessee.
CONTENTS

MISSION, VALUES, AND VISION
MESSAGE FROM THE EXECUTIVE DIRECTOR
OVERVIEW OF OFFICE OF AUDIT AND COMPLIANCE 6
  Audits 6
  Investigations 7
  Management Support 7
  Staffing 7
INSTITUTIONAL COMPLIANCE 8
  Mission 8
  Responsibilities 8
  Goals and Objectives 8
  Other Accomplishments in 2014 11
  Plans for 2015 11
2014 ACCOMPLISHMENTS 12
PLANS FOR 2015
2014 PROJECTS COMPLETED
INTERNAL AUDITS 16
  UT System 16
  UT System Administration 16
  Knoxville 17
  Health Science Center 19
  Chattanooga 20
  Martin 21
  Institute of Agriculture 22
  Knoxville 23
  Health Science Center 24
  Chattanooga 24
  Martin 24
FOLLOW-UP AUDITS 25
INSTITUTIONAL COMPLIANCE 25
SUPPLEMENTARY PROJECTS 26
  Quality Assurance and Improvement Program 26
  UT Audit Manual/OAC Policies and Procedures 26
  OAC Body of Knowledge 26
  UT and Departmental Committees 26
  Training Provided Within and Outside the University 28
  Training Obtained Within and Outside the University 29
APPENDIX A: ORGANIZATION OF THE UNIVERSITY OF TENNESSEE AND OFFICE OF AUDIT AND COMPLIANCE 2014
APPENDIX B: INTERNAL AUDIT CHARTER
APPENDIX C: PERSONNEL QUALIFICATIONS 33
APPENDIX D: FOLLOW-UP AUDITS DIRECTORY
OFFICE OF AUDIT AND COMPLIANCE REPORT 2014
OFFICE OF AUDIT AND COMPLIANCE MISSION, VALUES, AND VISION STATEMENTS

VISION
A team of world-class professionals helping to shape the future of the university.

MISSION
Audit and Compliance helps the university achieve its mission by providing objective and independent evaluations to reduce risk and improve operations.

VALUES
• Integrity—exhibit fairness, honesty, and ethical behavior in our service to the university.
• Objectivity—perform duties in an unbiased manner, i.e., based on an informed analysis of the issues and a clear understanding of the operations affected.
• Quality—provide accurate reports and timely, feasible, and relevant recommendations.
• Community—collaborate with colleagues and clients to provide services that improve the university’s effectiveness and efficiency.
• Visionary—develop creative and innovative approaches to key issues facing the university.
UNIVERSITY OF TENNESSEE
MESSAGE FROM THE EXECUTIVE DIRECTOR

TO THE AUDIT COMMITTEE OF THE UNIVERSITY OF TENNESSEE BOARD OF TRUSTEES:

The Office of Audit and Compliance had a successful 2014, and I am excited to report on our accomplishments and progress on our strategic plan. This year, we focused on meeting stakeholders’ needs, expanding information technology (IT) and research audit coverage, and fostering the professional development of team members.

We began our expansion of research audits by providing training so that all team members have a baseline understanding of research risks and sponsored program activities. At the close of 2014, three research-related projects were in progress. We plan to complete them in early 2015.

The office spent considerable time on audits of cash controls to assist management with fraud prevention and detection efforts. Given the importance of cash controls in our environment, we plan to continue work in this area in 2015. The audit team continued to conduct audits focused on controls in departments, a request from the chief business officers, to determine whether controls at the departmental level are effective. This work is important because of the decentralized controls at the university.

As planned, we focused on expanding information technology coverage to provide assurance to the Audit Committee. In 2014, our audit function expanded to include an IT audit and security assessment team. In response to the external security assessment conducted last year, management reorganized the System Administration IT responsibilities, and the security assessment team moved to our office. We worked quickly to integrate team members and develop an interim audit plan. The team began Health Insurance Portability and Accountability Act (HIPAA) security assessments in the latter half of 2014 and planning follow-up activities for the external security assessment. We expect enhanced audit coverage in this area in 2015.

In addition, the Institutional Compliance team continues to enhance campus compliance committee effectiveness. Several UT campus compliance committees are busy addressing key compliance risks on their respective campuses. I’m proud of the work Institutional Compliance has done to highlight key risks and work with stakeholders as we promote an ethical environment.

Looking to next year, we plan to continue on the path of our strategic plan, focusing on research and IT risks and the use of data analytics to conduct audits on high-risk areas.

I wish to express thanks to the world-class professionals in the Office of Audit and Compliance for their dedication to reducing risk and improving operations. I would also like to thank university management and the Audit Committee for their support and commitment to an ethical environment at the University of Tennessee.
Audit and Compliance completed 60 engagements, including required audits, risk-based departmental expenditure and equipment audits, projects in progress from 2013, investigations, and consulting projects.
Sandy S. Jansen, CIA, CCSA, CRMA Executive Director
OVERVIEW OF OFFICE OF AUDIT AND COMPLIANCE
The Office of Audit and Compliance (OAC) provides the University of Tennessee System with objective, independent appraisals of control processes, risk management, and governance as a service to the UT Board of Trustees and all levels of management. These appraisals help ensure that the university’s assets are protected, departments are operating efficiently and effectively, and UT is complying with applicable policies, laws, and regulations. Our role is also to facilitate cost-effective decisions that will support the mission and strategic plan of the University of Tennessee and, through our assurance and consulting activities, to add value to UT’s operations.

The internal auditing profession is governed by standards promulgated by The Institute of Internal Auditors, Inc., which require us to evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.

The office is comprised of two functions: audit and institutional compliance. Two divisions operate within the audit function: the audit and the information technology and security assessment divisions. At the conclusion of each engagement, reports are issued to audited parties, senior management, the Audit Committee of the Board of Trustees, and the Tennessee Division of State Audit. The audit function reports to the Audit Committee, with administrative oversight by UT’s chief financial officer. (Appendix A is the university’s organizational chart, and Appendix B is the Internal Audit Charter, which establishes our purpose, authority, and responsibility in the university community.)
AUDITS

One of our main roles is to reduce the university’s risk, or exposure to loss. To that end, we develop an annual audit plan based on a risk assessment. Our objectives are to evaluate risk exposures related to the university’s governance, operations, and information systems and to evaluate the potential for fraud. We also evaluate the adequacy and effectiveness of internal controls (administrative and operational policies, procedures, and practices) in responding to risks, determine compliance with applicable policies and regulations, and make recommendations to strengthen any deficiencies noted. The types of audits we perform are discussed below.

Financial. Our office performs a limited number of financial audits (e.g., public radio stations) annually as required. We examine the financial statements and perform tests of transactions sufficient to express an opinion on the financial statements as a whole.

Internal control. The nature of this work is to identify significant internal control weaknesses in departmental and functional financial operations and provide effective recommendations for improvement. We also identify the significant risks to the university’s financial operations and information at the departmental and functional levels. Internal control engagements can contribute to and improve the governance of the area being audited, especially when control environment recommendations are included.

Auditing for fraud. Our objective here is to look for fraudulent transactions. One result of this work may include recommendations to improve internal controls. These audits, along with risk assessments for other audit engagements, evaluate the potential for the occurrence of fraud.

Compliance. The goal in such audits is to determine whether university policies and external laws and regulations are being followed. This type of work is usually coupled with reviewing internal controls so that we can provide recommendations to strengthen the controls to help prevent future violations of policies or regulations.

Information technology (IT). IT audits and security assessments are designed to identify significant weaknesses in the confidentiality, integrity, and availability of the university’s information systems and to provide effective recommendations for improvement. In addition, this work evaluates whether the information technology governance of the university supports its strategies and objectives. These audits are performed to help safeguard the information systems and the data stored on them, including administrative and student data, programs and operating systems, personal computers, servers, and networks. Objectives include assessing vulnerabilities in both technical and physical security; ensuring that university systems conform to best practices in industry standards; reviewing the storage and transmittal of electronic information; determining compliance with applicable policies, laws, and regulations; and making recommendations to strengthen any deficiencies noted.

Consulting. We conduct consulting projects and performance-type audits in response to requests from university administration and departments and from other sources such as risk assessments. Our objectives are to provide management with information to improve an area’s organizational structure, staffing, and operating procedures and to ensure that UT resources are used effectively and efficiently, accounted for properly, and safeguarded adequately. We also determine whether operations and programs are being carried out as planned and their results are consistent with university objectives. Consulting projects can address whether internal controls are operating effectively and in compliance with legal or other requirements, though such objectives are examined routinely in financial and compliance audits.
This year, we focused on expanding IT and research audit coverage. In 2015, we’ll continue our use of data analytics in auditing high-risk areas.

INVESTIGATIONS

State law requires Audit and Compliance to investigate substantive allegations of fraud, theft, abuse, and shortages and losses of university assets. Our objectives include verifying the facts in a legal and objective manner, determining responsibility, identifying control breakdowns that led to the loss, and recommending corrective actions to help ensure that similar actions do not occur in the future. These matters are referred to the state comptroller’s office for its review and possible referral for criminal prosecution.
MANAGEMENT SUPPORT

OAC provides other value-added work, such as promoting appropriate ethics and values within the university, communicating risk and control information on a systemwide level, and coordinating and communicating information among the Board of Trustees, State Audit, and UT management.
The audit function expanded to include an IT audit and security assessment team, who began HIPAA security assessments and planning follow-up activities for the external security assessment.
STAFFING

The Audit and Compliance staff consists of an executive director, 2 associate directors, 12 audit professionals, 2 IT audit professionals, a compliance director and a compliance officer, a coordinator/editor, and a support staff member. (Biographical information is provided in Appendix C.) The staff has over 200 years of combined auditing experience, with most of that obtained at higher education institutions. The average tenure in the office is 10 years. Certifications attained include certified public accountant (CPA), certified internal auditor (CIA), certified information systems security professional (CISSP), certified fraud examiner (CFE), certified information systems auditor (CISA), and certified compliance and ethics professional (CCEP), among others. The audit staff received numerous hours in continuing education credits for the year, which includes training received at seminars, conferences, workshops, and in classes. The auditors are members of such professional organizations as The Institute of Internal Auditors and the Association of College and University Auditors. Some staff members also served on university committees at the request of management and provided training on internal controls, procurement cards, and other topics. See pages 28-29 for detailed information.
INSTITUTIONAL COMPLIANCE

MISSION

The mission of Institutional Compliance is to serve and safeguard our university community from the regulatory risks we face and promote a cultural environment of high ethical standards by:
• Identifying compliance risk faced by the university community.
• Promoting an awareness of compliance risks and the objectives of our compliance activities through communicating with and educating the university community.
• Developing innovative and effective ways to mitigate compliance risk through collaboration with the university community.

RESPONSIBILITIES

The Institutional Compliance Office is responsible for designing, implementing, and monitoring the UT systemwide compliance program. The office’s primary responsibilities include the following:
• Develop and implement the university compliance risk assessment process.
• Assist the campus/institute compliance committees in their various duties.
• Help functionally responsible offices overcome barriers to compliance by recommending improved controls or providing independent services such as communicating the need for new procedures, resources, or stronger enforcement or working as a liaison between multiple parties.
• Independently investigate and act on matters related to compliance.
• Collaborate with the university community to develop innovative and effective ways to mitigate compliance risk.
• Report regularly to the Executive Compliance Committee and the Audit Committee.
• Promote the university’s Code of Conduct and Compliance Hotline.

GOALS AND OBJECTIVES

The Institutional Compliance Office was established in 2008 as a division of Audit and Consulting Services (now Audit and Compliance). Our mission and objectives are primarily driven by the Federal Sentencing Guidelines for Organizations, which has established what constitutes due diligence for an organization to comply with regulations. The office’s goals focus on promoting an ethical culture and identifying and mitigating compliance risk. Our three areas of focus in 2014 were promoting an ethical culture, conducting the campus compliance risk assessments, and assisting campus compliance committees.

Promoting an Ethical Culture

We developed a systemwide communication plan for the Code of Conduct, launched in 2013, and the state comptroller’s fraud hotline in collaboration with the UT System Administration Office of Communications and Marketing. The plan’s key themes are the responsible reporting of suspected violations (one of the Code’s main principles) and the availability of the hotline. Although the Code was promoted in the UT Human Resources newsletter in 2014, the full launch of the communication plan was delayed when approval was received to acquire a new university hotline system. Currently, all anonymous complaints are received through the state’s fraud hotline. The new hotline system will allow more timely and effective triage of reported anonymous complaints to the appropriate university personnel. Further, the new system will allow both phone and online input and enable continuing anonymous communication with the complainant. In 2014, a Request for Proposal committee was established to develop the specifications for the hotline system. Once the new hotline is implemented in 2015, the full systemwide communication plan for the Code of Conduct and the new hotline system will be launched.
Conducting Campus Compliance Risk Assessments

An important function of the Institutional Compliance Office is performing periodic compliance risk assessments for the university’s campuses and institutes. The objectives of the risk assessments are to identify control weaknesses, identify areas of noncompliance, and develop plans of corrective action. The university risk assessment process addresses over 430 potential compliance areas, covering the full spectrum of federal, state, and local regulations, as well as significant contractual and liability issues.

UT Martin Risk Assessment

In 2014, the office launched the risk assessment process at UT Martin (UTM). UTM formed its Institutional Compliance Committee and identified 289 applicable regulations and 37 compliance officers. All compliance officers received training and completed the risk assessment for their respective areas.

[Table: UT Martin Risk Assessment Statistics: number of applicable regulatory areas assessed, total number of risks identified, number of risks deemed significant.]
The top compliance risks identified by UTM compliance officers included risks associated with sexual assault (Title IX), research accounting and administration, animal welfare, biosafety, human subjects, controlled substances, radiation safety, IT security/privacy, and procurement. At the end of 2014, the UT Martin Institutional Compliance Committee was developing plans of corrective action for the significant risks identified in the risk assessment.
Assisting Campus Compliance Committees

Institutional Compliance guides and assists the campus compliance committees in reviewing the results of the risk assessments, establishing priorities, and developing appropriate plans of corrective action. We also help compliance officers and functionally responsible offices overcome barriers to compliance, including providing advice on appropriate controls and coordinating assistance from UT System Administration or other UT campuses. The compliance committees are required by the Federal Sentencing Guidelines and were implemented by the campuses at our request in conjunction with the campus risk assessments. Compliance committees currently exist at UT Knoxville (UTK), UT Health Science Center (UTHSC), UT Institute of Agriculture (UTIA), and UTM, with plans for such committees at the remaining UT campuses and institutes as they begin their risk assessments. Campus compliance committees have the following responsibilities:
• Ensure a campus/institute compliance officer is assigned to each regulatory area in the risk assessment.
• Review risks identified in the assessment and determine the compliance priorities to address.
• Coordinate the effort to develop plans of corrective action.

In addition to the assistance described above, we also provide training to the compliance officers in performing the risk assessment and in general compliance issues such as compliance program standards from the Federal Sentencing Guidelines, whistleblower laws, reporting violations, culpability factors, and potential penalties.

[Chart: UTK Compliance Risk. Compliance areas plotted by reputational impact (low to high) and legal sanctions impact (low to high): Environmental, Student, Employee*, Tax, Athletics*, Legal/Contracts*, Privacy/IT*, Investments/Accounting, Procurement, Gifts, Academic, Healthcare, Federal Reporting. *Areas with compliance weaknesses that were addressed with plans of corrective action.]
Reorganization of Campus Compliance Committee Membership

During 2014, the campus compliance committees adopted a different approach in appointing committee members. The sentencing guidelines require organizations to have a compliance oversight committee comprised of “high-level administrators.” To meet this requirement, the Executive Compliance Committee is comprised of the president’s staff members or their appointees. This was also the initial approach for the campus committees, which were to be comprised of members of the chancellors’ cabinets. Because of the enormous amount of information on risks and potential solutions to review, the compliance committees selected members from representative areas who have the time, experience, and authority to coordinate the review of risks and development of solutions for their respective areas. Reporting channels for the committees ensure that proper communication occurs between these committees and campus upper management, the UT System Executive Compliance Committee, and the Board of Trustees’ Audit Committee. All campus compliance committees have adopted this approach for their committee membership. Accomplishments of the campus committees for 2014 follow.

UT Knoxville Campus Compliance Committee

Dr. Robert Nobles, assistant vice chancellor for research, was appointed chairman of the UTK Institutional Compliance Committee in 2014. In addition, new committee members were appointed to represent each vice chancellor area, the provost, UT Space Institute, and the Research Council of the Faculty Senate. Members began following up on any unfinished plans of corrective action. Of the 41 original plans, 28 have been implemented and members have made significant progress in completing the remaining 13 plans. The graph above illustrates the relative risk of the compliance areas reviewed and where weaknesses were addressed. Corrective action plans involved areas such as sponsored projects effort certification, cost transfers, and subrecipient monitoring; improved training and monitoring for radiation safety, the Animal Welfare Act, OSHA, EPA, the Civil Rights Act, and Title IX; and improved monitoring of NCAA compliance and information technology privacy and security. The following table illustrates the statistics related to the UTK risk assessment.
[Table: UTK risk assessment statistics, showing plans of action and plans in progress by area, including Finance and Administration, Development and Alumni, and Equity and Diversity.]
UT Institute of Agriculture Campus Compliance Committee

The UT Institute of Agriculture completed its compliance risk assessment in 2014. The UTIA Institutional Compliance Committee reviewed the risks identified in the assessment, determined compliance priorities, and consolidated similar significant risks into 36 basic compliance issues. Preliminary plans of corrective action were developed by the responsible areas to address these issues. The committee has begun reviewing the 36 plans for appropriateness given the associated risks. Important areas where corrective action plans are being developed include sexual assault and civil rights, animal welfare, research accounting and administration, procurement, safety, human subjects, export control, IT security and privacy, program accreditation, and contract administration. The following graph illustrates the relative risk of the compliance areas reviewed and where weaknesses were addressed.

[Table: UTIA Risk Assessment Statistics: number of applicable regulatory areas assessed*, total number of risks identified, number of risks deemed significant, number of plans to address significant risks, number of plans completed, number of plans in progress. *Does not include regulatory areas managed by UT System Administration.]
UT Health Science Center Campus Compliance Committee

The UTHSC Office of Institutional Compliance was created in 2013, and an interim director of institutional compliance and an assistant vice chancellor for compliance and special projects were appointed. A 22-member Institutional Compliance Committee began meeting in July 2014. The committee has started a process for continuous assessment of compliance risk and is reviewing the risks identified in the 2012 compliance risk assessment. The UTHSC Institutional Compliance office has also begun working on solutions for policy management and training. A Request for Proposals for policy management software has been drafted, and the office is in the early stages of reviewing training software in an effort to streamline training across campus departments.
[Chart: UTHSC Compliance Risk. Compliance areas plotted by reputational impact (low to high) and legal sanctions impact (low to high), including Privacy/IT Security* and Environmental. *Areas with compliance weaknesses and proposed plans of corrective action.]
OTHER ACCOMPLISHMENTS IN 2014

• The director of institutional compliance participated in the UT System Uniform Guidance Work Group. The group is developing UT policy to address the new Uniform Guidance rules created by the federal Office of Management and Budget for federally sponsored projects. The director served on the general committee and three subcommittees, including co-chairing the subrecipient monitoring subcommittee.
• The director of institutional compliance facilitated the annual meeting of the UT System Executive Compliance Committee on December 2, 2014.
• Several modifications were made to the list of regulations reviewed in the UTK risk assessment, including adding 2 new regulations, modifying 97 current regulations, and deleting 1 regulation. A total of 431 regulatory areas are now under consideration for the risk assessment.
• The Institutional Compliance Office received 8 compliance hotline calls in 2014, referring them to other university offices for resolution.
• Institutional Compliance researched whether an annual audit was required of the Automated Clearing House (the electronic network for financial transactions). We determined that financial institutions could request this audit, but no requests have been made.
• The director of institutional compliance served on the search committee for the UTK Sponsored Projects Accounting Office’s new compliance officer position.
• The director of institutional compliance’s article “Creating and Supporting an Effective Executive Compliance Committee” appeared in the Compliance & Ethics Professional magazine, published by the Society of Corporate Compliance and Ethics.
PLANS FOR 2015

Hotline and Ethical Culture

An important goal for 2015 is to implement the new UT System anonymous hotline. Specific objectives include the following.
• Implement the UT hotline in a manner that allows complaints to be received anonymously through multiple input methods and ensures that complaints are triaged to the proper university parties in a timely fashion.
• Coordinate systemwide communication of the new hotline system.
• In collaboration with the UT System Office of Communications and Marketing, coordinate systemwide communication of the Code of Conduct and other pertinent compliance and ethics issues.

Risk Assessments

The Institutional Compliance Office plans to conduct a risk assessment at UT Chattanooga (UTC) in 2015. The assessment will include the following tasks.
• Establish a UTC Institutional Compliance Committee and chair.
• Identify applicable regulations and campus compliance officers (subject matter experts).
• Perform the compliance risk assessment.
• Begin reviewing the risks identified and developing plans of corrective action.

Campus Compliance Committees

In 2015, we will continue assisting campus compliance committees at UTK, UTHSC, UTIA, and UTM as follows.

UT Knoxville
• Implement corrective action plans from the 2010 risk assessment.
• Review the assignment of compliance officers (subject matter experts).
• Complete new risk assessments (including UT Space Institute and UT System Administration).
• Begin to review risks identified.

UT Health Science Center
• Develop a process for continuous assessment of compliance risks, policies, and procedures.
• Promote compliance with regulations.
• Address HIPAA policy.
• Complete the risk assessment by department.
• Address risks identified in the 2012 risk assessment.

UT Institute of Agriculture
• Complete the review of preliminary corrective action plans.
• Present a prioritized list of recommendations to the UTIA chancellor.
• Oversee the implementation of the corrective action plans.

UT Martin
• Complete the review of preliminary corrective action plans.
• Present a prioritized list of recommendations to the UTM chancellor.
• Oversee the implementation of the corrective action plans.

During 2015, we also plan to continue refining the reporting structure between the campus compliance committees and the campus senior staff and the UT System Executive Compliance Committee.
OFFICE OF AUDIT AND COMPLIANCE REPORT 2014
2014 ACCOMPLISHMENTS

[Chart: 2014 Effort by Audit Type] Fraud Prevention and Detection 21%; Information Technology 9%; Compliance 7%; Effectiveness and Efficiency 7%; Other Value Added 5%; Controls (departmental expenditure and equipment audits are included in Controls).

[Chart: 2014 Effort by Entity] UT System 33%; Knoxville 21%; Health Science Center 18%; Chattanooga 12%; UT System Administration Offices 6%; Institute of Agriculture 5%; Martin 4%; Institute for Public Service 1%.

As illustrated in the chart “2014 Effort by Audit Type,” the Office of Audit and Compliance provided a variety of services to the UT System. We spent 59 percent of our effort on the areas of focus outlined in the 2014 audit plan:
• Fraud prevention and detection
• Controls
• Compliance
• Departmental expenditure and equipment audits (included in Controls)

Fraud prevention and detection audits continue to be an important aspect of our work. Our fraud prevention and detection effort increased by 5 percentage points (from 16 percent in 2013 to 21 percent in 2014). The Association of Certified Fraud Examiners indicates that the typical organization loses 5 percent of its revenues to fraud each year. Given that statistic, we will continue to focus on audits to prevent and/or detect fraud. Our effort on control audits increased by 8 percentage points from 2013, partly because we focused on cash controls in 2014. The control audits, including departmental expenditure and equipment audits, provide assurance to both the Audit Committee and senior management, help establish a strong control environment, and assist department heads in implementing effective controls at the departmental level. Because of the importance of this work, we focused almost a quarter of our time on controls. The audit effort on compliance remained fairly consistent with the prior year, and information technology audits increased by 3 percentage points. To increase our effort for controls, fraud prevention and detection, and information technology, we reduced the effort for effectiveness and efficiency from 2013. The chart also shows we spent 8 percent of our effort conducting follow-up audits to ensure that our recommendations in previous years’ audits were implemented. Finally, 5 percent was devoted to other value-added work, such as serving on university committees, providing training to the university community, and consulting provided to management.

In 2014, Audit and Compliance conducted numerous projects for the UT System, as reflected by the 33 percent of our effort shown in “2014 Effort by Entity.” These projects provided coverage for all campuses and institutes, including the Self-Assessment of Controls, the Complete College Tennessee Act audit, monthly procurement card monitoring, and follow-up audits.

Audit coverage for UT System Administration offices decreased slightly from 2013, accounting for 6 percent of effort. Four percent of audit effort was for UT Martin, a decrease of 6 percentage points from 2013, primarily because of the extra effort for the academic advising project in 2013. Effort at UT Chattanooga increased slightly to 12 percent. We anticipate another increase in 2015 now that the UTC audit office is fully staffed. Consistent with past years, most of our campus-specific effort focused on UT Knoxville and the UT Health Science Center, our flagship campus and the academic healthcare center, respectively.
UNIVERSITY OF TENNESSEE
PLANS FOR 2015

As illustrated in “2015 Allocation of Time,” Audit and Compliance divides effort among the campuses and institutes in the UT System. After estimating time for staff meetings, continuing professional education, holidays, and annual leave, we determined our allocable chargeable time for the coming year to be approximately 21,030 hours. OAC has budgeted 6,020 hours for required audits (required by statute, administrative policy, or based on an agreement with management), an increase of 2,140 hours from 2013. This increase is primarily because of the addition of the IT security and assessment division and the required assessments our office was asked to perform. We budgeted 1,530 hours for audits in progress on January 1, 2015, from the prior calendar year; 9,120 hours for risk-based engagements from our annual assessment of risks; and 4,360 hours for unscheduled projects and other value-added work such as investigations, board and management requests, committee service, and special projects.

[Table: 2015 Allocation of Time, hours by entity (UT System; UT Health Science Center; UT System Administration Offices; UT Knoxville; UT Institute of Agriculture; UT Institute for Public Service). Only the following figures survive from the original table: Unplanned Special Projects and Investigations 3,700 hours; Other Value-Added Work 660 hours; Total Hours 21,030.]

[Chart: 2015 Planned Audit Focus] Controls 29%; Information Technology 16%; Fraud Prevention and Detection 13%; Compliance 11%; Effectiveness and Efficiency 8%; Other Value Added 3%.

While we plan to perform a variety of engagements as illustrated in “2015 Planned Audit Focus,” OAC has four areas of focus for 2015.
• Fraud prevention and detection—13 percent of planned hours
• Controls—29 percent of planned hours
• Information technology—16 percent of planned hours
• Compliance—11 percent of planned hours
2014 PROJECTS COMPLETED
The Office of Audit and Compliance completed 60 engagements, including required audits, risk-based projects, risk-based departmental expenditure and equipment audits, projects in progress from 2013, investigations, and consulting projects. Among the significant projects were audits of cash controls at UT Knoxville and UT Martin. Although no higher education institution, including UT, is immune to fraud, the presence of proper controls can reduce the likelihood and potential impact of fraud. Because cash is an asset prone to fraud and abuse, we dedicated a significant portion of our time to the audits of cash controls, conducting them at several locations throughout the UT System. This work assisted management by identifying control weaknesses and providing recommendations to enhance fraud prevention efforts. We plan to continue this work by conducting an audit on the UT Chattanooga campus and in select departments in 2015. Several information technology (IT) audits were conducted this year. In addition to supporting the external security assessment and following up on those recommendations, our office conducted audits of business continuity planning and disaster recovery, as well as configuration and change management. We provided recommendations to strengthen IT controls. We also began Health Insurance Portability and Accountability Act (HIPAA) assessment projects as two security team members transitioned to our office, and we will continue to build on the security assessment work in 2015. Of note for systemwide coverage, we reviewed the university policy development and revision processes. The report provided recommendations to the president on developing a formal process, identifying key participants, disseminating new and revised policies to the university community, and developing a review schedule and a method to preserve historical information.
Given the importance of university policy, these recommendations help decrease risk, protect the institution as well as its employees and students, and provide for structure, support, compliance, and consistency. Also, OAC completed audits for the offices of the UT president and the UT Knoxville and UT Chattanooga chancellors, as required by Tennessee Code Annotated § 49-73001. This statute is intended to strengthen higher education financial accountability and requires risk-based internal financial audits for the offices of the university president and chancellors. The statute requires at least 30 percent of the offices to be audited in any given year. We found all expenditures to be appropriate, reasonable, and in compliance with applicable policies and procedures. In addition to the required chief executive audits, we continued our audits of the chief business officers and completed an audit of the UT Health Science Center’s chief business officer. The audit objective was to determine whether internal controls are designed to prevent and detect fraud, waste, and abuse. No instances of fraud, waste, or abuse were identified. Another chief business officer audit will be issued in 2015.
Another noteworthy project was the Self-Assessment of Controls, performed to comply with the Tennessee Financial Integrity Act of 1983. Each year, our office surveys all University of Tennessee departments (approximately 600) on internal controls. We cycle through 8 processes and related controls and survey on 2 areas each year, this year’s being procurement of goods and services and sponsored projects. The self-assessment is one of our most significant projects because we are able to reach all UT departments annually and educate departmental management on effective controls. The Act also requires the completion of an entity-wide risk assessment. Each fall, we facilitate a risk assessment with the chief financial officer and the chief business officers to update the previous assessment to reflect changes in the university’s operating environment. As requested by the chief business officers, we continued to conduct departmental expenditure and equipment audits to assess controls at the departmental level. Common control issues found were the lack of monthly ledger reconciliation or reconciliation documentation and weaknesses in the annual inventory verification process. We provided recommendations to strengthen these foundational controls to enhance the control environment in the departments. We continued to monitor the university’s procurement card transactions each month to identify fraudulent activity and compliance issues. The work involves a cursory review of all card transactions systemwide. Our summary report covered transactions totaling $39.8 million, an increase of $3 million and 7,600 transactions from the previous year. While the number of cardholders remained stable, the volume of transactions increased. Given the higher volume and risk associated with procurement cards, we will expand this work in 2015. In addition to the monthly monitoring, we plan to examine procurement card trends at UT Knoxville to determine whether abuse can be identified. 
Finally, the office completed investigations of fraud, waste, and abuse this year. As always, even when fraud was not confirmed, we examined internal controls for potential improvements. Our reports included recommendations to strengthen controls.
OAC annually audits the data submitted for the Complete College Tennessee Act, choosing one component in the state’s funding formula. This year, the reported degrees and undergraduate credit hours earned were found to be accurate and supported by student records.
INTERNAL AUDITS INTERNAL AUDITS: UT SYSTEM Self-Assessment of Controls/Risk Assessment The university performs an annual self-evaluation of internal accounting and administrative controls to comply with the Tennessee Financial Integrity Act of 1983. Requirements of the Act include performing an entity-wide risk assessment and a comprehensive evaluation of internal controls. The Office of Audit and Compliance (OAC) coordinates UT’s compliance efforts with the Act and conducts the self-assessment using a web-based questionnaire. For the evaluation of controls, the university reviews the controls for two areas each year, with 2014’s topics being procurement of goods and services and sponsored projects. Of about 600 departments, 173 identified and corrected 281 control weaknesses in the areas reviewed. No material weaknesses were noted for the university. OAC facilitated the 2014 entity-wide risk assessment of UT’s financial operations with the assistance of the campus/institute chief business officers. This was an update of the 2013 risk assessment. Minor changes were made to existing risks, and risks and controls related to Uniform Guidance and the Patient Protection and Affordable Care Act were added. Risks and recommended corrective actions were reported to the individual departments, and the results of the risk assessment and control weaknesses were reported to the state. Attached were the letter from the university’s president to the state comptroller and the commissioner of finance and administration and the results of the assessment of internal controls.
Annual Procurement Card Summary The monthly monitoring of the university’s procurement card involves a cursory review of all card transactions for the university system for a month to identify fraudulent activity. The scope of this summary report included all procurement card expenditures (152,127 transactions totaling $39,773,295.31 and approximately 1,772 cardholders) for the entire university from October 2013 through September 2014. No fraud was identified, but policy violations were noted. Given the volume of transactions and the decentralized controls for the procurement card process, relatively few violations were found. No violations related to entertainment expenses over the prescribed limit occurred in 2014. All other violations, with the exception of travel-related purchases, decreased this year. Travel-related violations increased 73 percent over the previous year. This year the Treasurer’s office sent reminders to departments regarding the prohibition of gift card purchases with the procurement card and issued a specific policy on gift card purchases in fall 2014. Results and recommended corrective actions were reported to the applicable cardholders, and the issues were resolved.
Year-End For each year-end closing, the department observes the physical inventory of the UT Knoxville and UT Health Science Center bookstores to help assure the inventory balance reported in the university’s financial statements is accurate. An accurate inventory balance is important for determining the bookstore’s annual financial performance. In Knoxville’s VolShop, the dollar value of this year’s inventory was 22 percent less than in fiscal year 2013, a significant change. The reduction was because of markdowns associated with the move from Adidas to Nike contracts and the closing of stores. The explanations were reasonable and appropriate. For UTHSC, the inventory amount was immaterial, with a value of $239,136.50.
INTERNAL AUDITS: UT SYSTEM ADMINISTRATION Office of the President The audit scope included travel, entertainment, equipment, payroll, procurement card, and other expenses for fiscal year 2014. The expenditures were reviewed to determine whether they appeared appropriate, reasonable, and in compliance with university policies. All expenditures reviewed were found to be appropriate, reasonable, and in compliance. In addition, the equipment records were accurate.
Capital Projects The audit was performed largely as the result of a $1.5 million capital project being designed before the State Building Commission (SBC) approved it. The UT System’s capital projects planning and approval practices and policies were reviewed, specifically the processes used by the campus Facilities Services departments and the system’s Capital Projects department to collaborate on capital projects requiring SBC approval. Auditors also determined whether SBC-approved campus consultants were used appropriately. The scope included 30 capital projects in progress at UT campuses and the Institute of Agriculture from fiscal year 2009 to the present. No other projects were found to have violated this SBC approval requirement, but in three additional projects campus consultants were used excessively, circumventing the SBC requirement that its executive committee select designers for projects over $100,000. University Policy FI0620 (capital outlay) should be revised to help ensure proper approvals are obtained, among other issues noted.
Policy Development and Revision The objective was to determine if the processes used to develop and revise university system policies are effective and efficient. Auditors interviewed fiscal, human resources (HR), information technology (IT), and safety staff to determine UT’s current practices, benchmarked those against peer universities, and researched best practices identified by the Association of College and University Policy Administrators. The review did not include UT Board of Trustees, faculty, or student policies. Although the current processes are functioning, auditors found variations in the UT policy development, approval, and recordkeeping processes among the areas responsible for fiscal, HR, IT, and safety policies.
Recommendations were to develop a formal, centralized process to manage university policies, identify key participants and their roles in the policy process, disseminate policies to all parties governed by the policy, institute a periodic review schedule, and preserve historical information regarding changes and related items.
Information Technology Services Business continuity planning and disaster recovery (BCP/DR) policies, plans, and procedures were audited for the Alumni and Development Information system (ANDI), Integrated R/3 Information System (IRIS), Tennessee Electronic Research Administration (TERA), and supporting infrastructure and services managed by the UT System’s (UTSA) Information Technology Services department and UT Knoxville’s (UTK) Office of Information Technology. All university campuses and institutes use these systems. The objective was to determine whether BCP/DR policies, plans, and procedures are in place and operating effectively to ensure that the capability to process, retrieve, and protect electronically maintained information can be sufficiently restored to allow UT to accomplish its mission. Although the existing BCP/DR controls allow systems to be restored, controls can be improved to ensure better system-wide planning for more complete and cost-effective BCP/DR policies, plans, and procedures that underpin the mission of the university. Recommendations were made to develop a more comprehensive BCP/DR policy and more complete emergency response training, develop problem management policies and procedures for UTSA systems, strengthen and update the UTSA disaster recovery plan, improve the UTK datacenter environmental controls, and ensure security patches are applied to UTSA systems.
Complete College Tennessee Act The audit objective was to determine if degrees and student credit hours reported by the UT System to the Tennessee Higher Education Commission (THEC), as required by the Complete College Tennessee Act, were accurate and supported by student records. The scope included degrees awarded for summer 2012, fall 2012, spring 2013, and summer 2013 and undergraduate credit hours earned as recorded in UT’s fall 2013 end-of-term report to THEC. Auditors found the reported degrees and undergraduate credit hours earned were accurate and supported by student records for the period reviewed.
INTERNAL AUDITS: KNOXVILLE Office of the Chancellor
The audit scope included travel, entertainment, equipment, payroll, and other expenses for fiscal year 2014. The expenditures were reviewed to determine whether they appeared appropriate, reasonable, and in compliance with university policies. All expenditures reviewed were found to be appropriate, reasonable, and in compliance. In addition, the equipment records were accurate.
The audit objective was to determine whether internal controls exist and are functioning as intended for the cash receipting process in 13 UT Knoxville departments selected for review. A few important controls, such as reconciling receipts with deposits, did not appear to be functioning effectively. Significant control weaknesses exist in the online receipting system that could result in errors and undetected theft. The receipting system should be modified to provide greater control or be discontinued, and training should be provided on the requirements in Policy FI0310 and guidance provided on implementing the online receipting system effectively.
WUOT-FM Radio Auditors conducted the annual financial audit of UT Knoxville’s public radio station, WUOT-FM, for the year ended June 30, 2014, with comparative information presented for fiscal year ended June 30, 2013, and prepared the report for submission to the Corporation for Public Broadcasting (CPB). This audit is required by the CPB and was included in the annual audit plan. The financial statements present fairly, in all material respects, the financial position of the station as of June 30, 2014 and 2013, and the changes in its financial position and its cash flows for the years then ended in conformity with the accounting practices prescribed by the CPB.
Athletics Camps and Clinics The audit objective was to determine whether controls exist to ensure compliance with NCAA Bylaws governing sport camps and clinics in the Athletics department. Auditors also determined whether camp revenue was received and deposited properly, expenditures were appropriate, payments to coaches were made in a timely manner, and camp closeout procedures were adequate.
Athletics has implemented effective measures to comply with relevant NCAA Bylaws. Camp expenditures appeared appropriate, with recommendations to improve revenue reconciliation, depositing, receipt documentation, and financial reporting.
Building and Facility Access The audit objective was to assess the adequacy of controls related to physical access to the University of Tennessee’s Knoxville-area buildings and facilities. The scope included all UT Knoxville, UT System Administration, and Knoxville-area UT Institute of Agriculture buildings and facilities, excluding housing, and all employees recorded as having access in Lock and Key Services’s and Central Alarm’s records. Lock and Key Services and Central Alarm should establish an electronic approval process for building access requests and automatically generate employee transfer and separation reports.
Video and Photography Center The audit examined departmental invoices and ledgers, procurement card expenditures, and equipment inventory to assess internal controls for fiscal year 2013. Recommendations concerned timely ledger reconciliation and approval and recording equipment identifiers.
Chemical and Biomolecular Engineering The audit examined invoices and ledgers, procurement card expenditures, and equipment to assess internal controls for fiscal years 2012 and 2013. Auditors recommended correcting several serial numbers in the equipment inventory system, errors caused by a deficiency in the system.
Institute for a Secure and Sustainable Environment The objective was to assess internal controls for the expenditure and equipment processes for fiscal years 2013 and 2014, specifically invoices, procurement cards, bookkeeping procedures, and equipment. Auditors found that controls were not in place to ensure compliance with UT policies and procedures regarding recording and tracking equipment. The department should obtain additional training in maintaining equipment and ensure that employees read and abide by University Policy FI0605. Recommendations were made to improve the recording of serial numbers in the inventory system and to tag and manage equipment properly.
Joint Institute for Neutron Sciences The audit objective was to assess internal controls for the expenditure and equipment processes for fiscal years 2012 and 2013. The scope included invoices, departmental ledgers, equipment, and procurement card transactions. The department has established effective controls and is in compliance with applicable policies and procedures.
Center for Ultra-wide-area Resilient Electric Energy Transmission Networks The policies and procedures for processing credit and debit cards using an online processing system were reviewed. No weaknesses were identified.
Korn Learning, Assessment, and Social Skills Center The policies and procedures for processing credit and debit cards using a point-of-sale terminal system were reviewed. No weaknesses were identified.
University of Tennessee Bands The policies and procedures for processing credit and debit cards using an online processing system were reviewed. No weaknesses were identified.
New Students and Family Programs The policies and procedures for processing credit and debit cards using an online processing system were reviewed. No weaknesses were identified.
Warehousing and Surplus Property The policies and procedures for processing credit and debit cards using an online processing system were reviewed. No weaknesses were identified.
Center for Environmental Biotechnology The audit objective was to assess internal controls for the expenditure and equipment processes for fiscal years 2013 and 2014. The scope included invoices, payroll reports, departmental ledgers, equipment, and procurement card transactions. The department has established effective controls for expenditures and reconciling payroll reports and departmental ledgers but not for recording and tracking equipment. The department should obtain additional training in maintaining equipment, ensure that employees read and abide by University Policy FI0605, and strengthen controls related to tracking and protecting equipment. Improvements made in response to the audit should also be implemented at the Joint Institute for Biological Sciences.
The policies and procedures for processing credit and debit cards using an online processing system were reviewed. No weaknesses were identified.
INTERNAL AUDITS: HEALTH SCIENCE CENTER Vice Chancellor for Finance and Operations
The audit objectives were to evaluate the internal controls for travel and entertainment expenses of the vice chancellor for finance and operations and to determine the effectiveness of controls in preventing and detecting fraud, waste, and abuse. No instances of fraud, waste, or abuse were identified, and the travel and entertainment supported university business, were not excessive, and were appropriate. A few entertainment expenditures were not documented with a business purpose as required by university policy. Upon inquiry, a legitimate business purpose was provided, and the staff was advised to document the business purpose of functions in writing.
The audit was performed to evaluate the internal controls over inventory management. Auditors found opportunities to enhance inventory controls and procedures as follows: end the practice of entering items in the inventory system before they are received, reconfigure system access controls for proper segregation of employee functions, separate the duties of managing inventory on a daily basis and performing the annual inventory, and develop an operations manual for daily inventory management and training purposes.
Endowments The objectives were to determine if the UT Health Science Center’s six colleges (Pharmacy, Dentistry, Medicine, Allied Health Sciences, Nursing, and Graduate Health Sciences) and the Office of the Chancellor were spending their endowments and if the money was spent in accordance with the donors’ directives. Fifty endowments were reviewed over a 5-year period. Auditors recommended that the College of Medicine develop a system to monitor the spending of its endowments and to ensure the donors’ directives are met.
College of Dentistry The audit was performed to evaluate the internal controls over inventory management. The scope included a review of current inventory controls and procedures, with an emphasis on the Implant Center. The college is working to implement an automated inventory system in the center. Recommendations were made for the college to report the Implant Center’s inventory values at year-end and for the center to implement an accurate inventory tracking system, develop written inventory procedures for primary functions, separate key inventory duties, limit access to the inventory, and perform periodic inventory counts.
Information Technology Services The audit objective was to determine whether the campus’s information technology configuration and change management (CCM) controls provide reasonable assurance that changes to information system resources are authorized and systems are configured and operated securely and as intended. The existing CCM controls are at a medium maturity level. They allow repeatable processes with consistent results, and process governance is in place. Findings detailed strengths and weaknesses, with recommendations to develop a comprehensive CCM policy and procedures and establish a vulnerability management program.
Parking Services The policies and procedures for processing credit and debit cards using an online processing system were reviewed. No weaknesses were identified.
Parking Services Garages The policies and procedures for processing credit and debit cards using an online processing system were reviewed. No weaknesses were identified.
Audiology and Speech Pathology The policies and procedures for processing credit and debit cards using an online system were reviewed. No weaknesses were identified.
INTERNAL AUDITS: CHATTANOOGA Office of the Chancellor
The audit scope included travel, entertainment, equipment, payroll, the university-owned residence, and other expenses for fiscal year 2014. The expenditures were reviewed to determine whether they appeared appropriate and reasonable and in compliance with university policies. All expenditures reviewed were found to be appropriate, reasonable, and in compliance. In addition, the equipment records were accurate.
Biological and Environmental Sciences
The objective of the audit was to evaluate the internal controls for expenses paid by invoices and procurement cards, departmental ledger reconciliation, travel reimbursements, and payroll register approval. Increased employee workloads following a position vacancy likely contributed to the findings and demonstrate the importance of planning for such contingencies. Recommendations were made to document the verification of procurement card purchases, electronically approve procurement card statements by the deadline, reconcile departmental ledgers monthly, and review and approve payroll registers in a timely manner.
WUTC-FM Radio Auditors conducted the annual financial audit of UT Chattanooga’s public radio station, WUTC-FM, for the year ended June 30, 2014, with comparative information presented for fiscal year ended June 30, 2013, and prepared the report for submission to the Corporation for Public Broadcasting (CPB). This audit is required by the CPB and was included in the annual audit plan. The financial statements present fairly, in all material respects, the financial position of the station as of June 30, 2014 and 2013, and the changes in its financial position and its cash flows for the years then ended in conformity with the accounting practices prescribed by the CPB.
Mathematics The objective of the audit was to evaluate the internal controls for expenses paid by invoices and procurement cards, departmental ledger reconciliation, and payroll register approval. Recommendations were made to reconcile departmental ledgers monthly, review and approve payroll registers in a timely manner, and make electronic distributions to the appropriate general ledger accounts when verifying procurement card statements.
Communication The objective of the audit was to evaluate the internal controls for expenses paid by invoices and procurement cards, departmental ledger reconciliation, travel reimbursements, and payroll register approval. Recommendations were made to separate the duties regarding ledger reconciliation; make electronic distributions to the correct general ledger code when verifying procurement card statements; account for assets properly by including the costs of accessories, component parts, and installation in the cost of the main item; and review and reconcile the payroll distribution report and the check register before payday to verify that those listed are active employees and the amounts paid are appropriate.
Housing and Residence Life The objective was to evaluate the internal controls for expenses paid by invoices and procurement cards, ledgers, and payroll registers. Recommendations were made to review payroll registers for accuracy each month before payday and to use the correct general ledger code for entertainment and group-arranged events.
The audit objective was to determine whether the campus’s information technology configuration and change management (CCM) controls provide reasonable assurance that changes to information system resources are authorized and systems are configured and operated securely and as intended. The existing CCM controls are at a low maturity level. They allow repeatable processes with consistent results, but process governance is not rigorous, so CCM processes are not always applied consistently or properly. Findings detailed strengths and weaknesses, with recommendations to develop a comprehensive CCM policy and procedures and establish a vulnerability management program.
The policies and procedures for processing credit and debit cards using a point-of-sale device and an online processing system were reviewed. No weaknesses were identified.
Campus Recreation The policies and procedures for processing credit and debit cards using an online processing system were reviewed. No weaknesses were identified.
Housing and Residence Life The policies and procedures for processing credit and debit cards using an online processing system were reviewed. No weaknesses were identified.
INTERNAL AUDITS: MARTIN NCAA Special Assistance Fund The audit was performed to determine adherence to NCAA Special Assistance Fund guidelines and to evaluate the adequacy and effectiveness of expenditure controls for the fund for fiscal year 2014. The audit is required annually by the Ohio Valley Conference. Auditors found the use of the fund complied with NCAA guidelines and recommended improvements in monitoring squad lists to include all student-athletes and in processing payroll for tutors.
Cash Controls outside of Banner The audit objective was to evaluate the internal controls for cash receipting and depositing in departments at the University of Tennessee at Martin not using the Banner system for such transactions. Eleven departments were reviewed: Surplus, Health and Human Performance, Dunagan Chair of Excellence, Music, Vanguard Theatre, Nursing, Agriculture, Digital Copy Store, Athletics, Transportation Services, and Recycling. Recommendations were made to separate the duties of payment collection, deposit preparation, and ledger reconciliation; develop written cash-handling procedures; maintain deposit documentation; and work with the Bursar’s Office to collect student fees through Banner.
Extended Campus and Online Studies The audit examined departmental invoices and ledgers, procurement card expenditures, and equipment to assess internal controls for fiscal years 2012 and 2013. The department has established effective controls for expenditures and equipment for the areas reviewed.
Student Housing The audit examined departmental invoices and ledgers, procurement card expenditures, and equipment to assess internal controls for fiscal years 2012 and 2013. Management should emphasize the importance of verifying equipment identifiers during the annual inventory and should request duplicate tags for items with missing tags.
Information Technology Services The audit objective was to determine whether the campus’s information technology configuration and change management (CCM) controls provide reasonable assurance that changes to information system resources are authorized and systems are configured and operated securely and as intended. The existing CCM controls are at a low maturity level. They allow repeatable processes with consistent results, but process governance is not rigorous, so CCM processes are not always applied consistently or properly. Findings detailed strengths and weaknesses, with recommendations to develop a comprehensive CCM policy and procedures and establish a vulnerability management program.
OFFICE OF AUDIT AND COMPLIANCE REPORT 2014
INTERNAL AUDITS: INSTITUTE OF AGRICULTURE
Soil, Plant, and Pest Center The audit was performed to evaluate the internal controls and policy compliance regarding revenue collection. Recommendations involved strengthening procedures for receiving and depositing customer payments, specifically ensuring documentation and employee accountability, and following university policy on disposing of obsolete or unusable property.
College of Veterinary Medicine Administration The audit examined departmental invoices and ledgers, procurement card expenditures, and equipment to assess internal controls for fiscal years 2012 and 2013. The department has established effective controls for expenditures and equipment for the areas reviewed and complied with applicable policies.
Small Animal Clinical Sciences The audit examined departmental invoices, ledgers, procurement card expenditures, and equipment to assess internal controls for fiscal years 2012 and 2013. The department has established effective controls for expenditures and equipment for the areas reviewed.
UT Extension Bank Accounts The UT Extension bank accounts were audited for Hardin, Scott, and Union county offices. Each office received a separate report detailing noncompliance with university policy or Extension financial procedures. Auditors noted receipts not provided or documented inadequately, expenditure authorization not documented adequately, commingling of personal and Extension funds, and bank deposits not reconciled with associated receipts, among other issues. Also, UT Extension administration should reeducate all county and regional offices on the proper documentation of expenditures for reimbursement of program-related expenses and should counsel the Scott County Extension office director concerning the impropriety of his actions. The individual reports contained responses to the recommendations for corrective actions from each county director, and UT Extension administration responded to the items noted in the summary report.
Middle Tennessee Research and Education Center The objective of the audit was to evaluate the internal controls for expenses paid by invoices and procurement cards, ledgers, and equipment. The serial numbers for two equipment items should be corrected in the inventory system.
Highland Rim Research and Education Center The objective of the audit was to assess internal controls for the expenditure and equipment processes for fiscal years 2013 and 2014. The scope included invoices, payroll reports, departmental ledgers, equipment, and procurement card transactions. The department should ensure that invoices for payment are approved appropriately, ledgers and payroll reports are printed and reconciled in a timely manner, procurement card statements are verified and approved properly, and equipment serial numbers and other identifiers are verified and corrected during the annual inventory process.
Research and Education Center at Milan The audit objective was to assess the internal controls for the expenditure and equipment processes for May 1, 2013, to April 30, 2014. The scope included invoices, departmental ledgers, procurement card transactions, payroll reports, and equipment. The department should ensure that payroll reports are printed, reviewed, and reconciled in a timely manner and equipment serial numbers and other identifiers are verified and corrected during the annual inventory process.
INVESTIGATIONS INVESTIGATIONS: KNOXVILLE Institute for Leadership, Ethics, and Diversity The review was performed in response to allegations that the former director of the Institute for Leadership, Ethics, and Diversity (I-LEAD) misappropriated funds donated for I-LEAD program events and circumvented the College of Education, Health, and Human Sciences’ (CEHHS) procedures for reporting donations. All available records for I-LEAD donations and expenditures were reviewed for 2011–2013. The expenditures appeared appropriate, were supported with documentation in accordance with UT policy, and approved by the college budget director. Auditors, however, identified several instances of the director’s failure to follow UT policies and best business practices in the financial management of the I-LEAD program. He did not record cash expenditures, and there was insufficient information to determine if a financial loss occurred. Auditors found evidence to partially substantiate some of the allegations, but the director denied any intentional circumvention of procedures or misuse of I-LEAD funds, stating he received no instructions from the college on handling donations (which was disputed by business office staff). He did not ensure cash donations were recorded by the CEHHS Development office or formally account for the money in the I-LEAD account. To help ensure that CEHHS faculty in charge of programs funded by donations and sponsorships can be held accountable for failure to follow UT policies and best business practices, the college administration should develop specific, written guidelines for such programs.
WAVE Program Auditors conducted a review of the Work, Achievement, Values, and Education (WAVE) program after receiving allegations that the director manipulated testing materials and falsified documents. No evidence was found to substantiate the allegations. Some participants took General Educational Development (GED) practice tests multiple times, and some tests were not dated; however, Tennessee’s policies for the GED do not forbid the repetition of practice tests nor require them to be dated. No evidence was found that WAVE violated the False Claims Act, that dates were falsified on eligibility forms, effort certification was falsified, or that issues existed with effort certification for WAVE. Auditors found no indication that a coordinator’s employment was terminated for the reasons alleged. He was terminated during his probationary period according to university policy because of performance issues.
Physics and Astronomy The review was conducted in response to anonymous allegations reported to the university and the state comptroller’s hotline for fraud, waste, and abuse concerning time fraud by an administrative staff member in Physics and Astronomy. The complainant alleged the staff member falsified timesheets, used sick leave for personal or vacation time because of insufficient annual leave, reported early to and left work without permission or notifying other staff, claimed time off using Family and Medical Leave without having applied, claimed to work from home during vacations, and claimed overtime for time not worked. Auditors found no evidence to substantiate the allegations but noted inconsistent departmental policies and procedures. Controls should be strengthened regarding leave requests, schedule changes, requests to work from home, overtime worked by administrative staff, entry of time in UT’s accounting system, and review of payroll records.
INVESTIGATIONS: HEALTH SCIENCE CENTER Audiology and Speech Pathology The review was conducted in response to fraudulent credit card refunds made by the former billing specialist in Audiology and Speech Pathology. The objectives were to determine whether she committed additional fraudulent acts and to evaluate the department’s system of internal controls. Auditors found no evidence of additional fraud but noted that controls did not exist for business processes related to the specialist’s job duties. Recommendations were made to improve the processes and policies regarding refunds, credit card usage, records management, segregation of duties, and software. The employee was terminated for gross misconduct before the review and paid restitution totaling $12,807.73.
INVESTIGATIONS: CHATTANOOGA Facilities Planning and Management The review was performed in response to allegations that contractors misuse and abuse university materials, tools, and equipment and that employees steal electrical and other supplies from Facilities Planning and Management. Auditors found that a contractor uses UT materials, tools, equipment, and a bucket truck infrequently, which is intended to provide cost savings to the university. Without the necessary contract language and procedures, however, UT is at risk for potentially significant liability, as well as negative perceptions of the competitive bidding process for contracts. Contractors who are aware they can use university materials, tools, and equipment could significantly underbid competitors. Also, an instance of employee theft (and termination) occurred before the review. Policies and procedures should be developed to assist staff regarding potential contract changes, help prevent liability-related issues, provide guidance in developing cost savings and recovery measures, and help deter employee theft. Before the review was completed, Facilities management prohibited certain contractors from using university resources and contacted UTC Purchasing to initiate modifying contract language when contracts require the campus to provide materials to contractors.
INVESTIGATIONS: MARTIN Sodexo Contract The review was conducted as a result of anonymous allegations made to the state comptroller’s fraud, waste, and abuse hotline regarding impropriety in the food service bid process at UT Martin. Auditors reviewed documents regarding the 2007 and 2013 bid processes and found that university policies and procedures were followed. No evidence was found of impropriety in the bid process or of any favoritism toward Sodexo.
FOLLOW-UP AUDITS In 2014, the audit staff followed up on 25 audits and investigations to determine whether their recommended corrective actions had been implemented. (Appendix D is a complete list of departments.)
Numerous audits of the departmental expenditure and equipment process examined invoices and ledgers, procurement card expenditures, payroll reports, and equipment inventory to assess internal controls for fiscal year 2014.
The Institutional Compliance Office serves the university by promoting an awareness of compliance risks and developing innovative ways to mitigate risk through collaboration with the UT community. Although this work is often handled outside of a formal report, occasionally reports are issued to assist management in reducing risks.
Agricultural Field Day Safety The Institutional Compliance Office led a coordinated review, along with members of the UT Institute of Agriculture (UTIA) Safety Office and UT System Administration Risk Management Office, to examine the safety practices and liability issues associated with Agricultural Field Days hosted by the UTIA Research and Education Centers (REC) across the state. To enhance an otherwise sound system of safety controls for participants at these events, the review team recommended that RECs complete and file the Public Event Safety Checklist before a major event to show due diligence in case of an accident and provide food vendors with guidelines on safe food practices before an event.
Other completed audit-related projects and enhancements were designed to educate the university community, improve accountability, and improve office efficiency. At the request of management, some Audit and Compliance staff members also served on university committees and provided training on internal controls, procurement cards, and other areas.
QUALITY ASSURANCE AND IMPROVEMENT PROGRAM In 2014, the QAIP team established performance metrics and began gathering baseline data on client feedback, the report writing process, percentage of draft reports issued by the due date, and percentage of current and prior-year projects completed. A new online client survey was developed and implemented. The survey includes questions on the audit’s benefit, the usefulness of the recommendations in improving operations, the auditor’s communication of the audit objectives and project status, and the auditor’s ability to educate staff on policies, regulations, and best practices. All survey areas received high ratings, from 3.23 to 3.67 on a 4.0 scale. The team collected data to measure the efficiency of the three phases of the report writing process—drafting, incorporating management’s responses, and issuing the final report. Data on the first phase was incomplete because of difficulties with the tool used but was more reliable on the second and third phases, showing them to be operating efficiently. For the remaining measures, the emphasis was on completing prior-year projects, which resulted in a 92 percent completion rate. Each month, the Institutional Compliance team and the executive director review the performance metrics and goals to determine needed course corrections and to move forward with successes. These internal measures help us meet stakeholders’ expectations and are reported annually to the Audit Committee.
UT AUDIT MANUAL/OAC POLICIES AND PROCEDURES The UT Audit Manual was created to aid in training new employees and to document the department’s policies, procedures, and expectations. This year we began moving from an intact paper manual to separate online documents housed in SharePoint, now called OAC Policies and Procedures. Revisions were made or new topics added in such areas as general office policies, career path, follow-ups, client communications, engagement risk assessment, effort reporting, professional development, and workpapers. The documents will be updated and new topics added as needed for the continued education and development of staff.
OAC BODY OF KNOWLEDGE
An office team developed the OAC Body of Knowledge, a compilation of knowledge, skills, and other competencies needed to perform work in the department. The team leader created a survey and distributed it to staff, who provided their strengths and interests, including accounting principles, fraud awareness, athletics/NCAA, compliance, and PowerPoint, among many others. The document created from the responses serves as a resource that staff may consult when questions arise during projects and also contains a list of professional organizations to which OAC staff belong.
UT AND DEPARTMENTAL COMMITTEES Steve Bamburg
Conflict of Interests Review Committee (April 2011 to August 2014). The purpose is to review outside financial interests disclosed by faculty and staff at UT Chattanooga to determine if the interests create a potential conflict between the employees’ personal and university responsibilities. The committee will make recommendations to the campus chief business officer to ensure the campus is in compliance with university policies and state statutes.
Human Resources Policy Advisory Group (June 2010 to present). The purpose is to advise the Human Resources officers of changes needed in university HR policies. The systemwide group reviews existing policies to ensure that all needed information is included, the policies are clear and understandable, and they apply to all campuses and institutes. The group may also suggest new policies. Search Committee for Employee and Organizational Development (EOD), Chair (January–June 2014). This committee reviewed applicants for a trainer/management specialist position for the EOD department. Over 125 candidates were screened, and multiple on-campus interviews were held. The new staff member was hired in June.
UT Institute of Agriculture Institutional Compliance Committee (April 2013 to present) and UT Martin Institutional Compliance Committee (May 2013 to present). The purpose of each committee is to interpret the results of the compliance risk assessment the Institutional Compliance Office performs for the campus and to establish priorities and appropriate plans of corrective action.
Fiscal Policy Review and Reform Committee (May 2013 to September 2014). This group, composed of administrators from all UT campuses and institutes, meets monthly to discuss opportunities to clarify and revise UT fiscal policy. The committee’s primary goal is to contribute to accomplishing goal #5 of the UT Strategic Plan by ensuring that campuses and institutes have clear guidance related to fiscal processes and controls. UT Knoxville Policy for Minors Implementation Committee (September 2013 to August 2014). The committee is charged with implementing processes and controls to ensure the safety of minors participating in programs on the Knoxville campus.
Conflict of Interests Review Committee (August 2008 to present). The purpose is to review outside financial interests disclosed by faculty and staff at UT Knoxville to determine if the interests create a potential conflict between the employees’ personal and university responsibilities. The committee chair further investigates potential conflicts identified by the committee.
Conflict of Interests Review Committee (August 2014 to present). The purpose is to review outside financial interests disclosed by faculty and staff at UT Chattanooga to determine if the interests create a potential conflict between the employees’ personal and university responsibilities. The committee will make recommendations to the campus chief business officer to ensure the campus is in compliance with university policies and state statutes.
Fiscal Policy Review and Reform Committee (September 2014 to present). This group, composed of administrators from all UT campuses and institutes, meets monthly to discuss opportunities to clarify and revise UT fiscal policy. The committee’s primary goal is to contribute to accomplishing goal #5 of the UT Strategic Plan by ensuring that campuses and institutes have clear guidance related to fiscal processes and controls.
Benefits Advisory Board (March 2012 to present). This group, composed of administrators from all UT campuses and institutes, meets quarterly to discuss issues involving all types of employee benefits, such as leave, insurance, retirement, and tuition waivers. Executive Compliance Committee (March 2011 to present). This group provides vision for the institutional compliance program and oversees the UT campuses’ compliance risk assessments and corrective actions. IRIS Steering Committee (January 2013 to present). This group provides oversight and input on IRIS (the university’s financial and human resources system) priorities. Conflict of Interests Review Committee (2014). The purpose is to review outside financial interests disclosed by faculty and staff at UT Martin to determine if the interests create a potential conflict between the employees’ personal and university responsibilities. Accessibility Task Force (October 2014 to present). The purpose is to review recommendations of the Tennessee Accessibility Task Force submitted to the Tennessee General Assembly and to work with the campuses on accessibility issues.
Bill Moles Facilitator and non-voting member of the following campus compliance committees: UT Knoxville Campus Compliance Committee (October 2011 to present), UT Health Science Center Campus Compliance Committee (September 2012 to present), Institute of Agriculture Compliance Committee (March 2013 to present), and UT Martin Campus Compliance Committee (June 2014 to present). The purpose is to interpret the results of the compliance risk assessment performed by the Institutional Compliance Office for each campus and to establish priorities and plans of corrective action. UT System Executive Compliance Committee (December 2013 to present). This committee has general oversight of the institutional compliance function for the university. It provides vision and direction to the institutional compliance program and provides guidance on allocating resources and determining acceptable levels of risk as issues arise. The committee held its annual meeting in December 2013. UT System Uniform Guidance Work Group (March 2014 to present). This group is developing new university policy in response to the new Uniform Guidance rules created by the US Office of Management and Budget regarding federally sponsored projects. Served on the general committee and three subcommittees and co-chaired the subrecipient monitoring subcommittee.
IT Security Community of Practice (July 2012 to present). The Security CoP provides input to the Statewide IT Committee on priorities related to the university’s IT security strategy. The Security CoP ensures that the committee has necessary information on security priorities, best practices, and standards to make decisions concerning IT priorities and investments, IT applications, overall policies and standards, and common data and business processes. Many staff also served on internal committees to develop or update procedures and training materials, such as the audit manual, risk assessment process, and career ladder, and to develop the OAC Body of Knowledge, among other efforts to increase the department’s efficiency and effectiveness.
TRAINING PROVIDED WITHIN AND OUTSIDE THE UNIVERSITY Judy Burns presented “The Workshop Method” at the fall meeting of the UT Leadership Institute staff and facilitators. The workshop method is a structured process that allows groups to generate, organize, and analyze many ideas and reach consensus and make decisions in a short amount of time. The purpose of the training was to prepare staff to use the method during a session at the upcoming Leadership Institute and to provide them with a tool that could be useful in their university positions. Chasity Davis presented “Departmental Financial Management: Establishing Effective Internal Controls in Your Department” during the College of Medicine’s business managers meeting at the UT Health Science Center. The presentation addressed key control activities such as segregation of duties, monitoring, safeguarding assets, as well as authorization, approvals, and verifications. Sherry Davis taught classes on general ledgers through the IRIS department.
James Hodge taught classes on UT procurement cards through IRIS. The class introduces the concepts, policies, and responsibilities of procurement card management, including reconciling monthly statements. Sandy Jansen participated in the Chief Audit Executive Conference at the California State University System and shared examples of best practices from UT’s audit function. She also facilitated a day-long seminar for the East Tennessee Chapter of the IIA on essential skills for the in-charge auditor. She facilitated a similar session for OAC to assist the internal audit team in using engagement-level risk assessments to focus audits on high-risk areas, setting project priorities to focus on audit objectives, building client relationships during the project, and reviewing workpapers effectively and efficiently. Sandy also participated in the University of Tennessee’s annual Conferences for Counselors, welcoming high school counselors and helping them navigate the state’s changing higher education environment.
Nancy Lange and Judy Burns were invited to a Financial Brown Bag session sponsored by UT AgResearch in September 2014. They attended to answer questions from administrative staff in AgResearch and other Institute of Agriculture units about the use of the university procurement card and OAC’s monthly procurement card monitoring process. Discussion topics included using the card to make purchases on framework orders, the need for departmental planning when making multiple purchases from the same vendor in a month, the reason auditors request receipts from PayPal and other commonly used vendors, and the need to include administrative staff on requests to cardholders for receipts.
Linda Marion developed exercises based on the OAC Grammar and Style Guide and presented and discussed them at a staff meeting as a “Treasure Hunt” to reinforce using the guide as a resource in writing reports. She also arranged the MS Word training class offered by UT Human Resources, “Word: Tips and Best Practices,” for interested staff. The four-hour class covered Word shortcuts; using styles to speed up document formatting; creating and managing section breaks, headers, footers, and pagination; among others. The instructor used the OAC report template to illustrate formatting techniques. Jim Purcell presented “What Auditors Want” at the 2014 Tennessee Higher Education IT Symposium. The presentation addressed steps and techniques to build an effective information security program. He presented this talk to several internal IT groups as well. Jim also participated on the CISO/Information Assurance discussion panel at the IIA’s IT Risk Assessment Day of Learning. The panel discussed good risk management practices and answered questions from the audience.
TRAINING OBTAINED WITHIN AND OUTSIDE THE UNIVERSITY To expand their knowledge and obtain the required continuing professional education credits (CPE), auditors in the department attended training in areas as diverse as foundations, IT risks, COSO update, cybersecurity, data analytics, governmental and sponsored project accounting, contract management, advanced Excel, and UT business warehouse. The OAC audit staff obtained over 1,150 CPEs in 2014.
APPENDIX A: 2014 ORGANIZATION OF THE UNIVERSITY OF TENNESSEE
BOARD OF TRUSTEES
EXECUTIVE ASSISTANT TO PRESIDENT
GENERAL COUNSEL & SECRETARY
CHIEF OPERATING OFFICER UTSI
EXECUTIVE VP/ VP RESEARCH & ECONOMIC DEV/ORNL RELATIONSHIPS
VICE PRESIDENT GOVERNMENT RELATIONS & ADVOCACY
VICE PRESIDENT FOR HUMAN RESOURCES
VICE PRESIDENT ACADEMIC AFFAIRS & STUDENT SUCCESS
INTERIM CHIEF INFORMATION OFFICER
INTERIM VICE PRESIDENT IPS
VICE PRESIDENT COMMS. & MARKETING
VICE PRESIDENT DEVELOPMENT & ALUMNI AFFAIRS
TREASURER & CHIEF FINANCIAL OFFICER
EXECUTIVE DIRECTOR, IT
EXECUTIVE DIRECTOR OFFICE OF AUDIT AND COMPLIANCE
SANDY JANSEN, CIA, CCSA, CRMA Executive Director
Shelly Getty Administrative Assistant
Bill Moles, CCEP, CIA Director
Leigh Cheek, CCEP, CIA, CISA Compliance Officer
Judy Burns Associate Director
Leon Hurt, CPA, CIA, CFE Manager
Andy Benson, CPA, CFE Senior Auditor
Linda Marion Coordinator
Stephanie Steeves, CIA Auditor
James Hodge, CICA, CIA, CGFM
Senior IT Auditor
Janna Hixson, CGAP Manager
Steve Bamburg, APA
Nancy Lange, CIA
IT Admin IV
Jim Purcell, CISA, CISSP, PMP
John Fox, CPA (inactive) Associate Director
Thema McCowan Auditor
James Smith Assistant Auditor
John Sturgis, Assoc. of (ISC) 2 IT Admin II
Auditor Institutional Compliance
UT Health Science Center
Jessie Williams Assistant Auditor
IT Audit & Security Assessment
APPENDIX B: INTERNAL AUDIT CHARTER STATEMENT OF PURPOSE, AUTHORITY, AND RESPONSIBILITY PURPOSE AND SCOPE Internal auditing at the University of Tennessee is an independent appraisal activity established to examine and evaluate the activities of the university as a service to management and the Board of Trustees. The Office of Audit and Compliance helps the university achieve its mission by providing objective and independent evaluations to reduce risk and improve operations. Internal auditors assist management in effectively carrying out their duties and responsibilities by examining financial and operational internal control systems, including administrative information systems, to evaluate the extent that:
• Financial, property, and information assets are safeguarded;
• Information is accurate and reliable;
• University policies and external laws and regulations are followed;
• Resources are employed efficiently and economically; and
• Operations and programs are being carried out as planned and their results are consistent with university objectives.
AUTHORITY AND RESPONSIBILITY Internal auditors shall be authorized full and complete access to all university records (either manual or electronic), physical properties, and personnel relevant to a review. The corresponding responsibility of internal auditors is to handle documents and information obtained during a review in the same prudent manner as by those employees normally responsible for them. In fulfilling their responsibilities, internal auditors will: • Develop and implement audit plans and programs that respond to both risk and cost-effectiveness criteria; 32
UNIVERSITY OF TENNESSEE
• Suggest policies and procedures where appropriate; • Provide audit reports that identify internal control issues (among others) and make cost-effective recommendations to strengthen controls; • Facilitate the resolution of audit issues with administrators who have the most direct involvement and accountability; • Maintain a quality and assurance improvement program, consistent with the Standards promulgated by The Institute of Internal Auditors, Inc., to ensure the effectiveness and quality of the internal audit effort; and • Investigate allegations involving theft or misuse of university assets. In their staff functions, internal auditors have no direct responsibility or authority over any of the operating activities examined, and their review shall not relieve others of their responsibilities. Furthermore, the independence of the internal auditors should not be compromised by their implementing procedures, preparing records, or engaging in activities that internal auditors would normally review.
REPORTING STRUCTURE The internal audit function reports to the Audit Committee of the Board of Trustees with supporting responsibilities to the chief financial officer. Campus/institute internal auditors report to the UT System Office of Audit and Compliance. When requested, internal auditors may attend senior-level staff meetings and serve on various university committees. Their role at such meetings should be limited to rendering advice and staying abreast of strategic, governance, and risk issues. At the conclusion of each audit, the Office of Audit and Compliance will issue timely reports to audited parties, senior management, the State of Tennessee Division of Internal Audit, and the Audit Committee.
APPENDIX C: PERSONNEL QUALIFICATIONS

KEY:
APA Associate in Premium Auditing
CCEP Certified Compliance and Ethics Professional
CCSA Certification in Control Self-Assessment
CFE Certified Fraud Examiner
CGAP Certified Government Auditing Professional
CGFM Certified Government Financial Manager
CHP Certified HIPAA Professional
CIA Certified Internal Auditor
CICA Certified Internal Controls Auditor
CISA Certified Information Systems Auditor
CISSP Certified Information Systems Security Professional
CPA Certified Public Accountant
CPS Certified Professional Secretary
CRMA Certification in Risk Management Assurance
GCIA GIAC Certified Intrusion Analyst
(ISC)2 International Information Systems Security Certification Consortium
PMP Project Management Professional

Steven G. Bamburg, senior auditor, APA
Bachelor of Science, Accounting, Louisiana State University, 1990
Bachelor of Science, Biological Science, Louisiana Tech University, 1978
Steven Bamburg joined the office in 2009. Previously he worked as a senior Medicare auditor at a subsidiary of BlueCross BlueShield of Tennessee. Steve conducts audits, investigations, and financial reviews of departments and operations on the Chattanooga campus.

Brittany M. Barnett, auditor, CFE
Bachelor of Science, Criminal Justice/Criminology, East Tennessee State University, 2005
Brittany Barnett joined the department in 2006. Previous work experience includes retail banking, banking operations, and bookkeeping. Before leaving the department in late 2014, she conducted investigations and financial reviews of departments and operations.

Leigh Cheek, institutional compliance officer, CCEP, CIA, CISA
Bachelor of Science, Mathematics, California Polytechnic State University, 1982
Leigh Cheek has over 25 years’ experience in computer science and accounting. She joined OAC in 1998 and has conducted information technology security reviews and risk assessments for the university’s computer systems and networks. She is currently a compliance officer in the Institutional Compliance division. Leigh is a past president of IIA’s East Tennessee Chapter and serves on its Board of Governors.
Taylor W. Cupples, associate auditor
Bachelor of Business Administration, Finance, Harding University, 2012
Taylor Cupples worked as a student auditor on the UT Martin campus in 2012 before joining the UT Health Science Center team full-time in 2013. He performs compliance and control audits at the Memphis and Martin campuses and as needed at UT Chattanooga, UT Knoxville, and the UT Extension offices.
Andrew C. Benson, senior auditor, CPA, CFE
Master of Accountancy, East Tennessee State University, 1993
Bachelor of Science, Accounting and Management, Carson-Newman College, 1991
Andrew Benson joined the department in late 2014. Previously the internal audit director at Roane State Community College, he has approximately 20 years of accounting and auditing experience in public organizations and private companies. He conducts investigations and audits of UT departments and
Judith A. Burns, associate director
Bachelor of Arts, English and Political Science, the University of Tennessee, 1982
Master of Arts, English, the University of Tennessee, 1984
Judy Burns joined OAC in 1986. She has served as editor and office coordinator, management analyst, manager of management consulting and fiscal policy development, and as interim executive director from August 2010–February 2012. She spent several years outside the department managing training and user support during UT’s implementation of its financial and human resources system, rejoining the office in 2004. Judy was a member of the Board of Governors for the East Tennessee Chapter of The Institute of Internal Auditors (IIA) from 2009–2014 and since 1996 has been a staff member/facilitator for the University of Tennessee Leadership Institute, a leadership recognition and development program for UT leaders.
Chasity R. Davis, senior auditor
Bachelor of Business Administration, Accounting, Middle Tennessee State University, 2002
Master of Business Administration, Bethel University, 2011
Chasity Davis joined OAC in 2005, with one year spent in another position on the Memphis campus. Previously she was a claims representative in the insurance industry and a cost accountant for Nissan Corporation. Before leaving the office in late 2014, she performed investigative, compliance, and operational audits for the UT Health Science Center.
Sherry S. Davis, senior auditor
Bachelor of Science, Computer Science, University of Tennessee, 2002
Sherry Davis joined the department in 2012. Previously she worked as an internal auditor for Clayton Homes and has experience in bookkeeping and computer programming. Sherry coordinates the Self-Assessment of Controls for the UT system, annually surveying approximately 600 departments on existing internal controls and facilitating a risk assessment with the chief financial and business officers. She performs audits and financial reviews of university departments and operations and conducts investigations as needed. She also serves as a primary resource for OAC staff for operational questions regarding AutoAudit, the office’s effort reporting and workpaper system.
John M. Fox, associate director, CPA (inactive)
Bachelor of Arts, Cell Biology, the University of Tennessee, 1977
Master of Accountancy, the University of Tennessee, 1981
John Fox joined the department in 1982. He worked a short time in public accounting and has been an adjunct accounting instructor over the years at Walters State Community College. John helped develop and revise UT fiscal policy for 14 years and manages the internal audit function in OAC, conducting audits and investigations as needed.
James H. Hodge, senior auditor, CGFM, CIA, CICA
Bachelor of Business Administration, East Tennessee State University, 1986
James Hodge has been with OAC since 1999. Previous work experience includes internal auditing at East Tennessee State University and at North Carolina A&T State University. He performs audits and financial reviews of university departments and operations and conducts investigations as needed.
Shelly J. Getty, administrative specialist II, CPS
Bachelor’s degree in Christian Education, Allegheny Wesleyan College, 1998
Shelly Getty joined OAC in 2000. She is the administrative assistant to the executive director and the office manager.

Elizabeth H. Hall, auditor, CPA
Bachelor of Science in Business Administration, the University of Tennessee, Knoxville, 2000
Master of Accountancy, the University of Tennessee, Knoxville, 2003
Elizabeth Hall joined OAC in 2010. She previously worked in public accounting for KPMG, Coulter and Justus, and PYA; taught cost accounting at South College in Knoxville; and worked for UT Knoxville as a graduate teaching assistant, graduate assistant, and residence hall director. Before leaving the department in mid-2014, she conducted audits of university departments and operations.

Douglas Hawks, senior performance auditor, CIA, CRMA
Bachelor of Science in Business Administration, Southern Utah University, 2002
Master of Business Administration, Indiana University, 2005
Master of Public Administration, Southern Utah University, 2011
Doug Hawks joined OAC in 2012. Previously serving as director of internal audit at Southern Utah University, he has worked in internal audit departments in the private sector for both large and small companies. His past service to the auditing industry includes serving as chair of the publications committee for the Association of College and University Auditors (ACUA) and as the editor-in-chief for College and University Auditor and helping develop ACUA’s Internal Audit Department Start-up Guide. Doug is pursuing his PhD in higher education administration at UT Knoxville and plans to complete his degree in 2015. He conducted performance and other audits of UT departments and operations, leaving the department in mid-2014.

Janna L. Hixson, manager, CGAP
Bachelor of Business Administration, Finance, Middle Tennessee State University, 2004
Janna Hixson worked in compliance for 3 years at the Tennessee Valley Authority before joining OAC in June 2014. She also worked in Internal Audit at the Tennessee National Guard United States Property and Fiscal Office for 5 years. She currently serves as a major in the Army National Guard. Janna performs compliance and departmental audits and investigations at the Chattanooga campus.

Leon Hurt, manager, CFE, CIA, CPA
Bachelor of Business Administration, Accountancy, University of Memphis, 1978
Leon Hurt worked 27 years at the Memphis Light, Gas and Water Division, where he prepared financial statements, performed account analyses, and served as IT project analyst, acting as a liaison between the user and programming personnel and assisting in the design and development of application systems. He has worked over 25 years in internal auditing, conducting IT, financial, and operational audits and supervising staff. Leon joined OAC in 2007 and performs compliance and departmental audits and investigations at the Memphis campus.
Sandy S. Jansen, executive director, CCSA, CIA, CRMA
Bachelor of Business Administration, Accounting, Texas Tech University, 1994
Sandy Jansen joined OAC as the executive director in February 2012. She worked for 21 years in the Texas Tech University System, serving the last 7 years as assistant chief audit executive. At UT, she oversees the internal audit and institutional compliance teams for the university system. Sandy is active in professional service. In 2014, she became president of the Association of College and University Auditors (ACUA). She also led a peer review of the internal audit office at Virginia Commonwealth University. Sandy continues to serve as an ACUA faculty member and a volunteer seminar facilitator for The Institute of Internal Auditors, training internal audit professionals in higher education and various industries.
Nancy J. Lange, auditor, CIA
Associate of Science, Pellissippi State Technical Community College, 1994
Bachelor of Science, Business Administration, the University of Tennessee, 1997
Nancy Lange has been with the department since 1996. She served almost 9 years in the US Air Force, working with mainframe computers as an operator and in operations support jobs. After military service, she continued in similar positions another 6 years on a civilian contract with the Department of the Navy. Nancy monitors UT’s monthly procurement card purchases and conducts audits of university departments and operations. For most of 2014, she supervised the student auditors and departmental expenditure and equipment audits.
Linda P. Marion, coordinator
Bachelor of Arts, English, the University of Tennessee, 1988
Master of Arts, English, the University of Tennessee, 1991
Linda Marion has been OAC’s editor and coordinator of special projects since 1990. She helped coordinate the development, revision, and issuance of university fiscal policy for 14 years. She plays an integral role in the department’s process of developing, revising, and issuing reports of audits, investigations, and IT security reviews. She also coordinates special projects and develops publications to assist university departments with their financial responsibilities. In 2014, Linda continued one-on-one editorial ‘coaching’ sessions with the auditors and developed writing exercises tailored to their needs.
Thema A. McCowan, auditor
Bachelor of Science, Biology, The Pennsylvania State University, 2000
Master of Business Administration, The Pennsylvania State University, 2004
Thema McCowan joined OAC in late 2013. She spent a combined 5 years in audit and consulting at PricewaterhouseCoopers and Deloitte Consulting working with healthcare, pharmaceutical, and government clients. She has served in higher education administration for 7 years in both academic affairs and student development. Thema previously worked at Maryville College as the director of career resources, where she was active in developing the strategic plan and the quality enhancement plan as part of the college’s Southern Association of Colleges and Schools accreditation. Thema conducts audits of UT departments and operations and investigations as needed.

William A. Moles, director of institutional compliance, CCEP, CIA
Bachelor of Science, Business Administration, the University of Tennessee, 1980
Master of Business Administration, Virginia Tech, 1983
Bill Moles began as a management analyst in the department in 1986 with the management consulting group. He joined the internal audit section in 1992, where he performed internal control reviews of the university’s accounting systems and other major functions, IT security audits, and cost studies. He coordinated the annual Self-Assessment of Controls for the UT System from 1989 until 2007. As director of the Institutional Compliance Office, he works collaboratively with UT compliance programs to reduce the university’s regulatory compliance risks. Bill is a past president of IIA’s East Tennessee Chapter. This year, he published “Creating and Supporting an Effective Executive Compliance Committee” in Compliance & Ethics Professional.

James A. Smith II, assistant auditor
Bachelor of Business Administration, King College, 2012
Master of Business Administration, Accounting, King University, 2014
James Smith came to OAC in early 2015. He has an extensive background in public service with the state of Tennessee. James previously served the Tennessee Department of Correction in administrative roles, most recently as a counselor. He assists with departmental audits and investigations as needed.
Stephanie Steeves, auditor, CIA
Bachelor of Public Management, Florida Atlantic University, 1996
Master of Public Administration, Florida Atlantic University, 2001
Stephanie Steeves came to the department in late 2012 from Palm Beach County, Florida, where she worked in county government for 23 years. She conducts performance audits of university departments and operations and investigations as needed. This year Stephanie led the effort to develop the OAC Body of Knowledge, surveying staff on their strengths and interests, and compiling the information into a resource guide for OAC projects. She serves as secretary of IIA’s East Tennessee Chapter and as president of UT’s Toastmasters Club.
John P. Sturgis, IT administrator, (ISC)2 Associate, GCIA
Bachelor of Arts, Political Science, University of Tennessee, 2008
John Sturgis transferred to OAC in late 2014 from UT’s Information Security Office where he managed the operational security program and performed control assessments. He conducts IT audits, focusing on regulatory areas such as HIPAA and PCI.
Jeremy J. Parrott, IT administrator, CISSP, CHP
Bachelor of Science, Information System Security, Grantham University, anticipated in 2015
Jeremy Parrott joined OAC in late 2014. He previously served as the IT Security Assessments team lead and as interim chief information security officer in the UT System Information Security Office. He has over 18 years of IT security experience spanning several industries and higher education. Jeremy performed IT audits of university departments and operations before leaving in early 2015.
Jay Taylor, auditor, CFE, CICA
Bachelor of Arts, Political Science, the University of Tennessee, Knoxville, 2006
Master of Science, Management, Austin Peay State University, 2010
Jay Taylor has been with UT since 1998, joining the department in 2004. She is a past vice president and a board member of the Association of Certified Fraud Examiners, Knoxville Chapter. Before leaving OAC in mid-2014, Jay performed investigations of fraud, waste, and abuse for the university system.
Jim E. Purcell, senior IT auditor, CISSP, PMP
Bachelor of Science, Business Administration, Tusculum College, 1986
Jim Purcell joined OAC in 2012. His 30-year IT career spans time with TVA, Science Applications International Corporation (SAIC), and Regal Entertainment Group. Jim is an instructor for the SANS Institute and has presented information security topics at various IT conferences. He has served in management and staff roles in all aspects of information technology and currently performs IT audits of university departments and operations. As the technology coordinator for OAC, Jim supervises the IT administrators and manages the office’s SharePoint collaboration website.
Jessie D. Williams, assistant auditor
Bachelor of Science, Business Administration, Accounting, the University of Tennessee, Knoxville, 2014
Jessie Williams worked as an assistant auditor in the office for over a year before joining OAC full-time in late 2014. She assists with departmental audits and investigations as needed.
APPENDIX D: FOLLOW-UP AUDITS

2014 Audit Year
• School of Music
• College of Pharmacy
  2nd follow-up in 1 year
• Biosystems Eng and Soil Science
  2nd follow-up in 6 months
• Orange Nation Student Organization
• Media and Internal Relations
• College of Social Work
• Banner Student Information System
• Athletics Event Management
• Top Four Research Grants
• Video and Photography Center
• Men’s Swimming and Diving
• Early Learning Center
• VolShop PCI Compliance

Further second follow-ups scheduled for the year:
• 2nd follow-up in 1 year
• 2nd follow-up in 1 year
• 2nd follow-up in 60 days
• 2nd follow-up in 6 months
Audit and Compliance Directory

Knoxville Staff
UT Conference Center Bldg, Suite 149, Knoxville, TN 37996-4114
• Andy Benson, Senior Auditor, firstname.lastname@example.org, 865-974-4460
• Judith A. Burns, Associate Director, email@example.com, 865-974-1311
• Leigh Cheek, Institutional Compliance Officer, firstname.lastname@example.org, 865-974-4420
• Sherry S. Davis, Senior Auditor, email@example.com, 865-974-4791
• John M. Fox, Associate Director, firstname.lastname@example.org, 865-974-4434
• Shelly J. Getty, Administrative Specialist, email@example.com, 865-974-2390
• James H. Hodge, Senior Auditor, firstname.lastname@example.org, 865-974-3865
• Sandy S. Jansen, Executive Director, email@example.com, 865-974-4437
• Nancy J. Lange, Auditor/Procurement Cards, firstname.lastname@example.org, 865-974-0887
• Linda P. Marion, Coordinator, email@example.com, 865-974-6602
• William A. Moles, Director of Institutional Compliance, firstname.lastname@example.org, 865-974-4438
• Jim E. Purcell, Senior IT Auditor, email@example.com, 865-974-1538
• James A. Smith, Assistant Auditor, firstname.lastname@example.org, 865-974-0869
• Stephanie Steeves, Auditor, email@example.com, 865-974-6616
• John P. Sturgis, IT Administrator, firstname.lastname@example.org, 865-974-6118
• Jessie D. Williams, Assistant Auditor, email@example.com, 865-974-0886
• Auditor, firstname.lastname@example.org, 865-974-8422

Health Science Center Staff
920 Madison Building, Suite #909, Memphis, TN 38163-2101
• Taylor Cupples, Associate Auditor, firstname.lastname@example.org, 901-448-3214
• Leon Hurt, Manager, email@example.com, 901-448-1435

Chattanooga Staff
Dept 4855, 744 McCallie Avenue, Suite 410, Chattanooga, TN 37403-2598
• Steven G. Bamburg, Senior Auditor, email@example.com, 423-425-4532
• Janna L. Hixson, Manager, firstname.lastname@example.org, 423-425-4072
The Office of Audit and Compliance helps the university achieve its mission by providing objective and independent evaluations to reduce risk and improve operations.
RESPONSES FROM 2014 CLIENT QUESTIONNAIRES
• We had a good experience with the auditor. We learned a few things during the process that we were previously unaware of, and he did a good job of explaining them.
• We appreciate everything OAC does for IT Services at UT Martin.
• Your auditors are professional and the reviews timely.
• The auditor was great to work with. She was professional and thorough, and we appreciated her patience when we experienced difficulty with an online system.
• A fine job!

OFFICE OF AUDIT AND COMPLIANCE
UT Conference Center Building, Suite 149
Knoxville, TN 37996-4114
865-974-6611
HELPING TO SHAPE THE FUTURE OF