annual report on internal audit activities 2006 - 2007

Annual Report on Internal Audit

Activities2006 - 2007

University of California

2

I. Executive Summary - Introduction

II. Audit Program Analysis

III. Audit Program Results

IV. Investigation Activities

V. Staffing and Other Benchmark Analyses

VI. Strategic Plan

Appendix 1 Internal Audit Organizational Chart

3

9

13

28

32

39

41

ANNUAL REPORT ON INTERNAL AUDIT ACTIVITIES 2006 - 2007

3

Executive Summary - IntroductionThis Annual Report on Internal Audit Activities presents various summary level and analytical information regarding the University of California Internal Audit Program for Fiscal Year 2006-2007 (FY07). The objective of this report is to communicate the results of our Audit, Advisory Service, and Investigation efforts and, through interpretation of these results, comment on the University’s internal control environment. The twelve campus/national laboratory and UCOP Internal Audit Directors prepared annual reports for their local audit committees and leadership which underlie this systemwide annual report.

During FY07, we continued the emphasis on follow-up activities to ensure timely corrective action on audit findings. We closed over 2,000 management corrective actions (MCAs) and reduced by 28% the number of open items as compared to the prior June 30 th. Since 2005, we have closed over 7,300 management corrective actions.

With the creation of our Audit Tracker database, we have been able to report on delinquent MCA’s for those items that we considered to be of the highest risk. Throughout the year, effort was made to address these open conditions, and we reported the status of those items periodically to The Regents’ Committee on Audit as well as to the local audit committees. As of October 2007, there are 12 remaining delinquent MCA’s with high risk exposure. This is down from 67 reported in 2005, and 36 reported in 2006. There are a variety of business reasons for the delays, principally long-term IT solutions and resource constraints. All of these past due corrective actions have been brought to senior management attention and are subject to active plans for completion.

A complete listing of the high risk past due items is provided in Section III of this report.


4

Highlights

During FY07, the UC Internal Audit Program:

Rendered nearly 600 audit, advisory services, and investigation products resulting in nearly 1,800 recommendations for improvements to internal controls that were agreed upon with management.

For the second year in a row, hours devoted to Advisory Services surpassed Investigation hours. This is a positive trend that we hope to continue and build upon as we believe our advisory service efforts address internal control issues more proactively.

Completed several noteworthy systemwide audits (see Section III, pages 19-20)

Reduced the number of open Management Corrective Actions (MCA’s) as follows:● Beginning MCA Number – 859● MCAs added – 1,798● MCAs closed – 2,047● Current open inventory of MCAs – 610

Reduced the number of Open High Risk MCA’s from 139 in FY06 to 78 for FY07.

Reduced the number of Open High Risk MCA’s that are past due from 36 in FY06 to 12 in FY07


5


Highlights (cont’d)

Met or exceeded benchmarks for:● Productivity--86% (goal 85%)● Completion of the Audit Plan--79% (goal > 70%)● Coverage of matters assessed as High Risk (72%)● Coverage of Core Audit areas--26% (target of 20-33% for a 3-5 year cycle)

Led the roll-out of the Ethics Briefing Program and the Conflict of Interest training modules.

Participated in efforts to educate the University about SAS 112 and prepare for its increased levels of reporting on internal controls by external auditors.

The University Auditor’s Office sponsored a three day All Auditor Conference that was attended by over 110 campus and laboratory auditors. The conference provided general audit training as well as specialized sessions for laboratory and health science auditors, and included opening remarks by Regent Ruiz as Audit Committee Chair.

Conducted a number of campus internal audit Quality Assurance reviews, and sponsored a New Auditor Orientation session for newly hired campus and laboratory auditors.

6

Summary and Conclusions

We believe the University of California Internal Audit Program continues to be a significant element of the University’s overall control structure and a positive influence on the control environment. A robust program of work was carried out during the year to assist management and The Board of Regents, a substantial portion of which was responsive to current events.

Based on our FY07 work, we can assert the following as being generally true with no reportable exceptions:

1. Management of the University is cognizant of their responsibility for internal controls and takes seriously the need for controls and accountability.

2. There is respect for the objectives of the Internal Audit Program; a high level of cooperation is received, and there is no interference with either the accomplishment of our tasks or our responsibilities to report to The Regents.

3. Managers actively participate in the identification of risks and work collaboratively with Internal Auditors to address issues raised during Audits, Advisory Services engagements, and Investigations.

4. Management is comfortable seeking out Internal Audit for advice and consultation on matters with internal control implications.

5. Matters of importance are reported to The Regents.


7

Summary and Conclusions (cont’d)

In conjunction with the nearly 600 completed Audit, Advisory Services and Investigation projects, we identified no conditions that we believed to represent material deficiencies in internal controls to the University system as a whole from a financial standpoint. Further, while we acknowledge that management has ultimate responsibility for establishing internal controls to manage risks, we identified no circumstances in which we believe that management’s decisions resulted in the acceptance of unreasonable levels of risk.

Although we did not identify material control weaknesses, there were opportunities for the University to implement more effective monitoring and oversight activities. This observation was evidenced by our work in Construction Soft Costs, Conflict of Commitment and Outside Activities of Faculty Members, and Executive Compensation. Locations also saw this condition in research programs, contract and grant administration, and medical center activities and support the need for an increased level of systemwide monitoring for consistency and compliance with policy.

Our audit efforts also identified that the University is faced with the challenge of maintaining adequate security and control over data. Our decentralized campus environment, sophistication of network hackers, and increased regulatory requirements for protecting personal information have increased the risk to the University.


8

ChallengesThe Internal Audit Program is always challenged to keep pace with an ever-changing environment and a growing University with the same or reduced resources. While turnover during 2006-07 was at a normal level, we remain less than fully staffed and are in the process of filling two vacancies at the Audit Director level for the first time in several years. Compensation has proven to be an issue in both of those recruitments.

The challenge to keep pace with change and maintaining adequate resources are constant challenges that only vary by degree from year to year. Our most contemporary and unique challenge currently is adaptation to the establishment of a new combined compliance oversight and audit program under new leadership. This change is also occurring against the backdrop of the restructuring of UCOP and the redefinition of its role. The Internal Audit Program is committed to contributing to the strengthening of the governance structure of the University while maintaining the appropriate role and responsibilities of management for internal controls and preserving a vital Internal Audit Program.


9


The tables and charts contained in the following section show the summary and distribution of Audit Program efforts for the year by type of service (Audits, Advisory Services and Investigations) and across functional areas of the University. They demonstrate the breadth of coverage and areas of greatest concentration.

We believe this distribution represents a reasonable deployment of resources and demonstrates our primary commitment to the program of regular audits, availability for advisory services and responsiveness to the needs of investigations without undue intrusion on the audit program. We also believe the distribution along functional lines is reasonably balanced in relation to relative risk in the University’s lines of business.

As a result of the creation of Los Alamos National Security, LLC (LANS), effective June 1, 2006, the LANL audit department no longer reports to the University Auditors’ Office and is not a part of the following audit analysis. With the creation of Lawrence Livermore National Security, LLC (LLNS), the LLNL audit department will no longer report to the University Auditor’s Office, however, their audit results for the year ended September 30, 2007 are included in the following analysis. The University Auditor sits on the Audit & Ethics Committees of LANS and LLNS.

10Table 1 Table 3

Table 2

II. Audit Program AnalysisProjects FY07 FY07 Prior

Plan Actual YearAuditsAudit Program Hours 108,361 107,576 125,740Number of Completed Projects 319 313 335Average hours per completed project(1) 270 319 349

Advisory ServicesAdvisory Service Hours 31,101 29,835 29,391Number of Distinct Projects 74 139 208Average hours per completed project(1) 137 92 117

InvestigationsInvestigation Hours 23,687 26,777 26,630Number of Completed Investigations N/A 142 146Average hours per completed project(1) N/A 166 145

SummaryTotal Audit, Ad Serv., and Inv. hours 163,149 164,188 181,761Total Number of Completed Projects N/A 594 689

Average hours per completed project(1) N/A 230 236Number of projects per auditor N/A 5.2 5.4Percent of Audit Plan Completed 100% 79% 69%

(1) Not calculated from the above due to projects in process at beginning and end of period.

(2) Three to five year cycle

(3) Prior year ending head count includes 12 FTE for LLNL

N/A - Not applicable to Plan Data

Other PriorPlan Actual Year

Coverage of Core Audit Hours (2) 20-33% 26% 15%Coverage of High Risk 80% 72% 71%

People FY07 FY07 PriorPlan Actual Year

Authorized 127 126 151Average Actual Filled 116 114 127Percent Filled 91% 90% 84%Ending Head count (3) 119 102 117Turnover N/A 13% 13%Training hours per auditor 74 84 74

Available HoursGross Available Hours 242,291 241,775 267,203Net Available Hours* 203,775 203,146 223,247Percent of Net to Gross 84.1% 84.0% 83.5%* Reduced by vacation, illness, holiday, etc.

Distribution of Net Available HoursAdministration and Training 27,117 27,945 28,797Direct Hours 176,658 175,201 194,450Net Available Hours 203,775 203,146 223,247Productivity Percent 86.7% 86.2% 87.1%

Distribution of Direct HoursAudits 108,361 107,576 125,740Advisory Services 31,101 29,835 29,391Investigations 23,687 26,777 26,630Audit Support 13,509 11,013 12,689Total Direct Hours 176,658 175,201 194,450

11

The chart below distributes effort by service type (7-Year Trend).

Hou

rs

Chart 1


This chart demonstrates that our continued primary emphasis is the program of regular audits.

The chart also depicts a leveling off of the advisory services and investigation activities. Our goal has been to increase the advisory service activity but special audit work has prevented us from achieving that goal.

0

20000

40000

60000

80000

100000

120000

140000

2000-01 2001-02 2002-03 2003-04 2004-05 2005-06 2006-07

Planned Audit Program Advisory Services Investigations

12

The chart below distributes Audit, Advisory Service, and Investigation hours by functional area and service type.

Chart 2


Functional Area

AuditsAdvisory Services Invest. Total %

Prior Year %

Financial Management 26,559 2,852 6,986 36,397 22% 45,899 25%

Campus Research Depts & Instruction 11,898 2,217 6,216 20,331 12% 21,533 12%

Health Sciences, Research, Instr., & Clin Svcs 13,222 1,115 1,972 16,309 10% 13,039 7%

Research and Compliance 8,918 2,287 2,220 13,425 8% 10,208 6%

Information Technology & Communications 7,864 3,296 354 11,514 7% 11,494 6%

Facilities, Construction and Maintenance 9,373 101 1,388 10,862 7% 4,513 2%

Auxiliary, Bus & Employee Support 7,374 121 1,950 9,445 6% 9,832 5%

Lab Research Programs & Processes 4,670 4,483 53 9,206 6% 15,846 9%

Human Resources and Benefits 4,940 1,730 137 6,807 5% 13,874 8%

Office of the President 3,683 459 300 4,442 3% 2,307 1%

Development and External Relations 3,263 128 435 3,826 2% 3,927 2%

Ethics 3,380 0 0 3,380 1% 6,011 4%

Risk Management 1,761 312 290 2,363 1% 3,940 2%

Budget and Planning 599 0 0 599 1% 864 1%

Sub-Total 107,504 19,101 22,301 148,906 91% 163,287 90%

No Functional Category 80 10,726 4,476 15,282 9% 18,474 10%

Total 107,584 29,827 26,777 164,188 100% 181,761 100%

Percent 65.5% 18.2% 16.3% 100%

Planned Percent 66.0% 19.0% 15.0% 100%Prior Year Percent 69.2% 16.1% 14.7% 100%

13

III. Audit Program Results – FY07 MCA’sAs previously indicated, our FY07 audit program work produced approximately 600 audit, advisory service, and investigation products resulting in 1,798 Management Corrective Actions (MCAs). The following charts and tables depict the breadth of coverage over the 13 major functional areas of the University. The table on the following page illustrates that there is generally a high correlation between audit effort and management corrective actions. During FY07, specific areas that received a high level of attention and control improvement recommendations included Logical and Network Security, Cash Management, Procurement, Ethics, Hospital Receivables, HIPAA, Effort Reporting, and Equipment Management and Personal Property controls.

Distribution of FY07 Hours by Functional Area

Laboratories6%

Health Sciences

11%

Campus Dept and Instruction

14%

Office of the President

3%

Budget & Planning

1% Research and Compliance

9%

Information Technology

8%

Financial Management

24%

Facilities and Construction

7%

Development and External Relations

2%

Risk Management

2%

Human Resources &

Benefits/Ethics7%

Auxiliary, Bus and Employee

Support Services6%

Chart 3

14

The above comparison (Table 4) depicts generally high correlation between audit effort and management corrective actions.

Within the Financial Management area, the strengthening of controls were significantly evidenced in the areas of cashiering, business contracts, procurement, conflict of interest/conflict of commitment, recharge activities, and payroll processing.

The charts and table below display the functional area distribution of the 1,798 MCAs produced in FY07 and a comparison to the effort expended in these areas.

Table 4

Chart 4

Distribution of FY07 MCAsCampus Depts and Instruction

8%

Health Sciences

9%

Auxiliary, Bus & Employee Support

9%

Information Technology

10%


41%

Development & External Relations

3%

Budget and Planning

2%Laboratories

2%


1%

Research and Compliance

5%

Human Resources &

Benefits/Ethics 6%

Facilities and Construction

2%Risk Management

2%

III. Audit Program Results – FY07 MCA’s

Functional Area MCA % Hours %Financial Management 41% 24%Information Technology 10% 8%Healthsciences, Research, & Clin Svcs 9% 11%Auxiliary, Bus & Employee Support 9% 6%Campus Research Depts & Instr 8% 14%Human Resources & Benefits/Ethics 6% 7%Research & Compliance 5% 9%Development & External Relations 3% 2%Laboratories 2% 6%Risk Management 2% 2%Budget & Planning 2% 1%Facilities, Construction & Maintenance 2% 7%Office of the President 1% 3%

Comparison of MCAs and Hours

15

Each audit finding and its associated MCA is given a rating of high, medium or low risk by the auditors. This judgment is made in a local context, and items identified as high do not necessarily convey material deficiencies or risks beyond the operating environment in which found. A primary objective of this classification is to drive a greater sense of urgency in completing the corrective action and completion of audit follow-up.

High risk MCAs would include those that are systemic or have a broad impact, have contributed to a significant investigation finding, are reportable conditions under our professional literature, create health or safety concerns, involve senior officials, create exposure to fines, penalties or refunds or are otherwise judged as significant control issues.

The chart below shows the risk rating of the 1,798 MCAs for FY07 by service type.

Chart 5

FY07 MCAs by Service Type and Rating

23612 34

282

1112 36104

1252

234 10 20 264

Audits (1582)

Advisory Services (58)

Investigations (158)

Total (1798)

Low

Medium

High


16

Of the 1,798 MCAs generated in FY07, we categorized 282 as high risk (16%). Similar to the overall distribution of MCA's (See Chart 4 on page 14) the MCA's rated as high risks tend to be distributed throughout the functional areas audited and in approximate proportion to the audit effort expended. However, there are a certain common themes that arise from the high risk MCA's that are worthy of mention below. As previously mentioned, the University has been challenged with maintaining adequate security and control over data. The distributed campus environment has increased the vulnerability of security breaches. We have found that as a whole the University has had difficulty in enforcing strong security measures in regard to proper network firewalls, installing adequate anti-virus software, timely system patches and vulnerability scans and the use of encryption technology. Accordingly, confidential data such as social security numbers, grades, and credit card information are at risk of loss or unauthorized access. Corrective actions have been developed in an effort to increase the security of this information and educate both data administrators and the users. In addition, Internal Audit is working with IR&C during the current year to review the security self-assessments being performed at each location.

A significant number of audit findings have as their root cause, deficiencies in supervision, monitoring and oversight functions by people whom our control structure places in critical control positions (e.g., Principle Investigators on sponsored projects). While the PI's understandably need to rely on the support of University administrative staff as well as our business processes for procurement and payment of invoices, they have ultimate responsibility for the financial management of expenditures charged to their contracts and grants. The failure to provide timely and conscientious review of transactions as they occur, as well as periodic review of charges to contracts and grants eliminates a control upon which the University relies to ensure compliance with policies as well as federal laws. The absence of adequate oversight can be further exacerbated by the fact that the academic unit handling the sponsored projects is typically small, and therefore separation of duties is not ideal. Increased supervision is usually the antidote for poor separation of duties and therefore when supervision is not adequate there is less likelihood that errors will be detected by others in the normal course of performing their duties. A number of recommendations in 2007 addressed this issue at the business unit level. However, we have raised it in broader forums so that it may receive broader attention, such as through training for PI’s.


17

Audit Observations Defined by COSO

As part of the Audit Tracker system, each location categorizes audit observations and MCAs in accordance with the University’s adopted internal control framework (COSO). The COSO model provides for the following general categories of controls – each with sub-category detail:

Control Environment – Sets the tone of the organization. Factors include integrity, ethical values, management’s operating style and organization. Findings in this area would include matters such as the absence of a code of ethics.

Risk Assessment – This is the identification and analysis of relevant risks to achievement of the established objectives. Findings in this area would include, for example, the lack of a process to recognize or mitigate a particular type of risk in the operating environment of the unit.

Control Activities – These are the policies, procedures, and processes that help ensure the University conducts its business and complies with laws, regulations and University policy. Examples include approval, authorizations, verifications, reconciliations, and segregation of duties among many others. Most findings are in this category because these are the controls most frequently tested by auditors.

Information and Communication – Includes the identification and communication of operational, financial, compliance, and external information. Data security and integrity issues fall into this category.

Monitoring – Includes regular management and supervisory activities, as well as financial, operational, and compliance assessments and evaluations. Findings of inadequate supervision or oversight may be a root cause for many other conditions observed.


18

The chart below displays the breakdown of the MCA’s by COSO category.

Chart 6

Control activities continue to account for the highest frequency of MCAs because of the numerous types of activities encompassed. However, deficiencies in the control environment are typically significant findings. As mentioned elsewhere in this report, during 2007 there was increased attention to Information and Communications, especially as it relates to information security.

COSO Distribution of MCAs

6% 5%

24%

4% 5%

58%61%

23%

5% 9%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

FY07 (1,798) Total (9,840)

Monitoring

Information andCommunication

Control Activities

Risk Assessment

ControlEnvironment


19

Systemwide Audits Internal Audit locations performed a number of systemwide audits that were overseen by the University Auditor’s Office, and summary results were reported throughout the year to The Regents. The following is a summary of the systemwide reviews and significant outcomes:

Executive Compensation – The purpose of this review was to assess the implementation of all recommendations ensuing from the 2006 audits and reviews including the recommendations of the Task Force On UC Compensation, Accountability and Transparency, the Bureau of State Audits report, two PricewaterhouseCoopers reports and two Internal Audit reports. While the recommendations had all received substantial attention, there were select matters, most notably the creation of a Human Resources Information System that were in need of refreshed emphasis, which has now occurred.

Construction Soft Costs – We found that different methodologies were used for measuring and assigning direct and indirect charges. We recommended that additional guidance should be provided in the University’s Accounting Manual to be more explicit about the University’s application of generally accepted accounting principles to ensure greater consistency of internal cost recovery and compliance with GAAP.

Conflict of Commitment and Outside Activities of Faculty Members – The audit was conducted to assess the management of outside professional activities of UC Faculty, including prior approval and annual reporting. We noted that compliance was lacking with respect to filing required forms, approval signatures, and unresolved conflict issues.

Student Loan Programs - A survey of University student and lending practices was conducted and found that no financial conflicts appeared to exist of the nature that received national attention. However, a need for improved individual as well as institutional conflict of interest policies and training was observed. The University Auditor served on the Task Force that recommended the new policy for the President’s approval.

III. Audit Program Results – Systemwide Audits

20

Systemwide Audits (cont’d)

Chancellor Special Allocations – With respect to the policy on chancellor’s housing and administrative funds, the audits found that they were largely in compliance, both as to propriety of expenditures and newly created documentation and reporting requirements . There were no pervasive control issues identified and each location has reported on local opportunities for control improvement where called for.

Willed Body Program – This review focused on the status of the corrective actions that were the basis for the 2005 report to The Regents By the Task Force headed by former Governor Deukmajian. We found that most of the corrective measures have been completed, and there is oversight over these measures at both the Office of the President and in the dean’s office at each campus. However, the efforts to establish the systemwide database required refreshed attention and resources which is occurring. In addition, at the time the recommendations were made to the campuses, each Willed Body Program was asked to take broader responsibility for all human anatomical material that enters the campuses for research or other purposes. These practices are still evolving.

Health Science Compliance Program – Continuing a commitment made as part of the late 1990’s PATH settlement, each medical center campus competed a review of the Health Sciences Corporate Compliance Program, including a detailed review of a selected element of the program. The audits found that the Health Sciences Corporate Compliance Program continues to represent a substantial control over our health sciences billing operations and regulatory compliance efforts.

III. Audit Program Results – Systemwide Audits

21

Status of Completion of Management Corrective Actions

The most fundamental objective of the Audit Tracker system is to facilitate the tracking of MCAs to their timely completion. MCAs are classified initially as open and are only moved to closed status after validation by auditors that the agreed upon corrective actions have been taken and sustainable improvement has been achieved.

The following charts display the completion status for the entire population of MCAs. Part of our analysis includes an aging of the past due items. We believe that reporting the past due corrective actions to campus audit committees, senior management and The Regents’ Committee on Audit will raise the visibility in a way that helps ensure timely attention to these matters and reduces the number of unmitigated risks. We also believe that reporting to the Audit Committee the unmitigated high risk audit findings fulfills a core professional obligation. The 12 past due items are included in this Section on pages 25-27.

III. Audit Program Results – MCA Completion Status

22

Chart 7 displays the functional audit area distribution for the entire population of MCAs. Table 5 below compares the distribution percentage for all MCAs to the FY07 percentage, which remained comparable. The following pages address the status

The chart below displays the functional area distribution of the entire population of MCAs since inception (9,840).

Chart 7

Table 5

Distribution of all MCAs

Auxiliary, Bus & Employee Support

9%

Research and Compliance

9%

Health Sciences, Research, Instr., &

Clin Svcs9%

Campus Research Depts & Instruction

13%


35%

Budget and Planning

1%


1%

Information Technology &

Communications9%

Human Resources & Benefits/Ethics

4%

Facilities, Construction & Maintenance

2%

Development & External Relations

2%

Risk Management2%

Lab Research Programs & Processes

4%

Functional Area ALL FY07Financial Management 35% 41%Campus Depts & Instruction 13% 8%Research & Compliance 9% 5%Health Sciences 9% 9%Information Technology 9% 10%Auxiliary, Bus & Employee Support 9% 9%Human Resources & Benefits/Ethics 4% 6%Laboratories 4% 2%Risk Management 2% 2%Development & External Relations 2% 3%Facilities & Construction 2% 2%Office of the President 1% 1%Budget & Planning 1% 2%

Comparison of MCAs


23

The chart below shows the status of all 9,840 MCAs

Chart 8 Table 6

The 96% rate of closure of the High rated MCAs reflects the fact that these are the items with the greatest urgency to bring to closure. Added attention to closing the items ranked as Medium risks is now occurring and can be seen in the increase of percent closed (88% in FY06 to 92% in FY07).

The volume of open items will always be substantial because of the ongoing nature of our work, although substantial reduction has occurred to date as intended. We expect to be able to establish benchmarks in this area as the Audit Tracker information matures.


Status of All MCAs (9,840)as of October 2007

High (96% closed)

Low (95% closed)

Medium (92% closed)

455 open

78open

77 open

1,598 closed 2,125 closed

5,507 closed

MCA Rating Open Closed Total % closedHigh 78 2,125 2,203 96%Medium 455 5,507 5,962 92%Low 77 1598 1,675 95%

610 9,230 9,840

24

The chart below shows the aging statistics of the inventory of 78 Open High Risk MCAs

Chart 9

The majority of the open items (66) are not yet due, however, 12 are past due.

These past due issues have been brought to the attention of senior management and active resolution plans are in process. The goal of reducing these items to zero (or a negligible number occasioned by highly unusual circumstances) is clearly understood and accepted by all responsible for addressing these items.

The 12 past due MCAs are listed on the following pages.


Aging of the 78 Open/High MCAsas of October 2007

Over 1095 days1%

Not Yet Due85%

0 - 90 days6%

366 - 730 days3%

181 - 365 days4%

91 - 180 days1%

66

31

1

5

2

25

III. Audit Program Results – Past Due MCA’s

Table 7

26


27


28


This section contains charts that display the sources and methods of reporting improper governmental activities allegations which led to audit investigations during FY07, categorizing the type of improper governmental activity alleged, and the outcomes for the investigations completed in FY07.

The University Auditor is responsible for general oversight of all audit investigations as well as communication with The Regents and Senior Management. The University Auditor’s Office is also responsible for conducting audit investigations at the Office of the President, the University of California, Merced and assumes management of investigations that involve two or more campuses or in circumstances where the Chancellor, Vice Chancellor or Locally Designated Official (LDO) are named in the complaint.

The LDO, who functions as the whistleblower and investigations coordinator at each location, in conjunction with their Investigations Work Group (comprised of investigation resources including internal audit), assesses each reported allegation for appropriate handling, such as referral to management, assignment for investigation or expanded preliminary assessment before a judgment can be made. Investigations that fall within criteria enumerated in the Whistleblower Policy are reported to the Office of the President and the University Auditor. The most significant matters are reported individually to The Regents as material events occur (principally through the Audit Committee Chair) and on a quarterly basis.

29


Internal audit investigation activity is tracked in the University Auditor’s Investigations Notice Database. This database base serves as a case management tool and provides other analytical information. In FY07, the internal audit program initiated 120 new investigations and brought to completion 142 investigations. The charts on the following pages provide a statistical overview of these new and closed investigations. The Investigations Notice Database, as of October 10, 2007, is tracking information on 65 open internal audit investigations.

Note for the Future

The information tracked by the University Auditor’s office and reported in the following data relates only to investigations in which Internal Auditors are the lead investigator. Through the LDO, many complaints are referred to other investigative bodies including police, human resources (e.g. discrimination or harassment), compliance officers or special investigators. Beginning in FY08, the University Auditor, on behalf of the EVP Business Operations who serves as the systemwide LDO, has initiated a reporting mechanism to report to the Office of the President activity on all complaints received by the LDO’s. Prospectively, we will be in a position to offer broader analysis of a wider range of complaints made and their disposition.

30

The charts below display the sources and complaint methods of the 120 new investigations opened in FY07.

Investigations conducted by Internal Audit came from a variety of sources that are depicted in Chart 10. For the last two years, UC employees and managers have accounted for 66% and 72% of the cases that we investigated. Chart 11 illustrates that only 21% of our internal audit investigations originate from calls made to the University’s independently operated hotline service. While the number of cases opened from hotline calls in the Internal Audit program is small, it is very important to provide a mechanism for complaints to be made anonymously. The Federal Sentencing Guidelines for Organizations encourage a system whereby employees can report suspected wrongdoing without fear of retribution. Chart 11 reflects that only 23% of individuals choose to remain anonymous when filing a complaint either through the hotline service or by other means. Our hotline service reported in 2006 that across most industries the number of reporting parties choosing to remain anonymous is about 50% and for public administration nearly 30%. The hotline service commented that a number of factors affect the decision to remain anonymous including the level of trust that the information will remain confidential, the significance of the issue reported or confidence that the report will be acted upon. Our 23% anonomimity rate speaks well of an environment in which suspected improprieties can be brought forward without fear of retaliation.

Chart 10 Chart 11


Sources of UC Investigations - FY07UC

Employee49%

UC Student2%

Other2%

UC Police2%

UC Supervisor/Manager

17%

Unidentified12%

Outside Agency

3%

UC Senior Manager/Regent

4%

Audit3%

GeneralPublic

3%

Vendor/Contractor

3%

Complaint Methods FY07Identified Reporter -

Non UC hotline (79)66%

Anonymous - Non UC

Hotline (16)13%

Identified Reported -

UC Hotline (13)11%

Anonymous - UC Hotline (12)

10%

31

The charts below display the types of allegations related to the 120 investigations opened in FY07, and the outcome of 142 investigations that closed in FY07.

Chart 12 Chart 13


Chart 12 demonstrates the importance of complaints received from anonymous sources in as much as their allegations were substantiated in 38% of the Internal Audit investigations. The overall rate of cases in which one or more allegation was substantiated increased from 33% in FY06 to the 40% number this fiscal year. In chart 13, we see that the five allegation categories of Improper Use of UC Resources, Fraud, Theft/Embezzlement, Payroll/Time Charge Abuse and Misfeasance /Waste accounted for 71% of the Internal Audit investigations. The two previous fiscal years have seen these categories account for the majority of Internal Audit investigations (81% in FY06 and 76% in FY05). In FY07, the hotline service received a total 598 calls. This was comprised of 197 new reports, 108 follow-up calls and 293 calls of a miscellaneous nature that did not constitute a report of impropriety. Many of the 197 reports involved information that was referred to University management for appropriate review and disposition or referred into another process, (e.g., human resources grievance process) or contained insufficient information to initiate an investigation.

Outcomes - Completed FY07 Investigations

40%

50% 41% 43%

12%19% 17%

40%38%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Anonymous Identified Total

Inconclusive

Not Substantiated

Substantiated

Types of FY07 IGA CasesMisfeasance

and waste7%

Missing/Unaccountable

assets3%

Payroll/Time Charge abuse

10%

Abuse of Authority, bribery,

kickbacks9%

Conflict of Interest

9%

Falsification of University records

8%

Fraud/Embezzlement -

other7%

Improper use of UC

Resources31%

Theft/embezzlement

16%

32

This section contains an analysis of staffing levels by location compared to UC and industry benchmarks. The analysis is based on the authorized staffing levels rather than the number of positions actually filled at any moment in time. For FY07, the Internal Audit Program operated at approximately 92% of authorized capacity due to turnover, and positions left open because of budget constraints. The benchmark analysis is presented in the absence of any generally accepted staffing models for internal audit programs universally or in higher education. However, we believe the analysis demonstrates that UC in total and at its campuses and national laboratories maintain moderately adequately staffed audit functions. The GAIN (Global Auditing Information Network) survey used for comparison purposes was conducted in 2005 by the Institute of Internal Auditors and reflects the results for public higher education institutions.

In addition, this section contains a table of miscellaneous benchmark information for comparison of UC’s audit program to industry standard practices.


33

The charts below display staffing benchmarks for the campuses and Office of the President.

RATIO OF EXPENDITURES TO AUDITORS -- CAMPUS & OP(in thousands)

0

50000

100000

150000

200000

250000

UCB UCD UCI UCLA UCR UCSB UCSC UCSD UCSF UCOP

2006/07 2005/06 GAIN = 136,000 UC Average = 181,474

Dol

lars

Per

Aud

itor

RATIO OF EMPLOYEES TO AUDITORS -- CAMPUS & OP

0

500

1000

1500

2000

2500


Em

ploy

ees

Per

Aud

itor

r

2006/07 2005/06 GAIN = 1,224 UC Average = 1,211

Chart 14

Chart 15


UC in general varies from the GAIN average for expenditures per auditor by a substantial margin, and this gap has widened in recent years. However, when you combine the employee ratio data you can see that UC employees in general are more highly leveraged than our average counterparts. As a result, at only four campuses, UCB, UCD, UCI and UCSF, is there some concern regarding staffing adequacy.

In general, the smaller institutions appear to be more well staffed. However, this is due to the fact that certain audit activities are not directly impacted by size.

Management has used this information in the past to consider augmentation of audit staffing, and we continue to share this information with management at each location for the purpose of assessing the adequacy of the audit program staffing.

34

The charts below display staffing benchmarks for the national laboratories.

RATIO OF EXPENDITURES TO AUDITORS -- LAB(in thousands)

020000400006000080000

100000120000140000

LBNL LLNL

2006/07 2005/06 UC Average = 108,598

Dol

lars

Per

Aud

itor

RATIO OF EMPLOYEES TO AUDITORS -- LAB

0

100

200

300

400

500

600

LBNL LLNL

2006/07 2005/06 UC Average = 501

Em

ploy

ees

Per

Aud

itor

Chart 16

Chart 17


The ratios vary in acceptable degrees and again reflect the tendency for smaller organizations to appear to be better staffed.

There is no readily available benchmark information so the comparison is only between the two UC labs. However, if traditional universal benchmarks were applied, the national labs would appear to be generally well staffed.

35

UC Survey

Professional Staff: Avg. Years Experience 17.9yrs 19.8yrs Staff Turnover 13% 19% Training Hours Per Auditor 84hrs 56hrs

Distribution of Time: Audits 66% 66% Advisory Services 18% 25% Investigations 16% 9%*

Matters Reported to Audit Committee: Percent Completion of Plan Yes 77% Productivity Measures Yes 51% Benchmark Comparisons Yes 50% Organizational Structure Yes 51%

UC Survey

Audit Planning: Based on Risk Assessment Yes 86% Risk Assessment Model Yes 62% Defined Audit Universe Yes 64% Includes Mgmt. Requests Yes 86%

Audit Expected to Provide Consultations On Operational Matters Yes 85% Report Drafts Shared with Mgmt. Yes 99% Use Customer Satisfaction Survey Yes 58% Reporting Structure: Report Functionally to Board or Audit Committee Yes 76% Report Administratively to Management Yes 94%

* GAIN Survey includes many non-health sciences and limited research institutions .

Other Benchmarks

Chart 18


36

STAFFING FY 96-97 FY 06-07 Change

UC BERKELEY 9 9 0UC DAVIS 9 11 2UC IRVINE 7 9 2UC LOS ANGELES 20 25 5UC MERCED n/a 0 0UC RIVERSIDE 4 6 2UC SAN DIEGO 13 16 3UC SAN FRANCISCO 9 11 2UC SANTA BARBARA 6 6 0UC SANTA CRUZ 5 5 0UCOP 14 10 (4) TOTAL CAMPUS/OP 96 108 12 12.5%LLNL 15 12 (3)LBNL 4 7 3 TOTAL 115 127 12 10.4%


The Table depicts the modest growth in the Internal Audit Program overall while the Office of the President has actually decreased. Certain efficiencies have been gained in audit process and methodologies, including the use of computer assisted audit techniques. However, the growth of the University, increased regulatory complexity and competing demands (e.g. investigations and systemwide audits) have combined to more than offset efficiency gains. A good example is UCOP, which now provides coverage to UC Merced as well as its traditional customer base, with fewer resources.

Table 8

37

0

5,000,000

10,000,000

15,000,000

20,000,000

25,000,000

FY 96-97 FY 97-98 FY 98-99 FY 99-00 FY 00-01 FY 01-02 FY 02-03 FY 03-04 FY 04-05 FY 05-060

50

100

150

200

250

UC Revenue (in thousands) Revenue: CPI Adjusted Authorized Audit Staff

Revenue

Staffing Levels

CPI Adjusted Revenue

10 Year Comparison of Revenue and Audit Staffing

Revenue Staffing


The chart below illustrates that the Internal Audit staffing level has remained fairly constant despite the growth of the University (depicted below in terms of revenue).

Chart 19

38

V. Staffing and Other Benchmark AnalysesThe chart below illustrates that the Internal Audit staffing level in terms of revenue per auditor has lagged behind

the revenue growth of the University.

Chart 20

10 Year Revenue Per Authorized Audit Staff

0

5,000,000

10,000,000

15,000,000

20,000,000

25,000,000

FY 96-97 FY 97-98 FY 98-99 FY 99-00 FY 00-01 FY 01-02 FY 02-03 FY 03-04 FY 04-05 FY 05-0650,000

100,000

150,000

200,000

250,000

300,000

UC Revenue (in thousands) Revenue: CPI Adjusted Revenue Per Auditor Revenue (CPI) Per Auditor

Revenue RevenuePer Auditor

39

Strategic Plan OverviewVI. Strategic Plan

GOALS

The University Auditor and Campus/Lab Internal Audit Directors have sustained a commitment to continuous improvement of the Internal Audit Program over the years. Towards that end, a strategic plan is established and revised every two years to provide strategic guidance to the Audit Program leadership in these efforts. To address contemporary and emerging risks and issues, and to promote a culture of accountability and integrity, the UC Internal Audit Program has identified the following enduring goals:

Operational excellence – Provide timely, quality, cost-effective products and services with the effective use of resources.

Stakeholder/Client Relationships - Be a proactive, responsive, credible, trusted, respected, business-oriented resource.

Innovative Service - Render customized, creative, cutting-edge, functional, and flexible service improvements grounded in our core competencies.

INITIATIVES

In August 2005, the University Auditor and Campus/Lab Internal Audit Directors developed the following strategic initiatives geared towards strengthening the Internal Audit program:

Improve Internal Reporting

Improve Communications

Identify Partnership Opportunities for Corporate Governance

Continuous Monitoring/Auditing

Benchmarking and Staffing

40

Highlights of Current Initiatives:

The development of a Comprehensive Audit Reporting and Tracking System (CARTS) is currently underway. The University Auditor’s Office is working with Information Resources and Communication at UCOP in an effort to automate a number of our project management and reporting processes. The CARTS project, when fully functional, will be a web-based system incorporating a comprehensive time keeping system, automating our risk assessment and planning processes, and generating monthly and quarterly status reports – as well as location ad hoc reports. The CARTS system will also interface with our Audit Tracker, Investigation Notices and employee databases. Several audit locations are currently piloting various components of CARTS.

Several enhancements to Audit Tracker are also planned within the CARTS project. The new system will send email notifications prior to the due date of corrective actions, and provide a mechanism for management to record progress and completion of the corrective actions, alerting Internal Audit as to management’s readiness for our validations efforts.

With the aid of a consultant, we are developing a web access tool that will continuously surf the internet and download information based on our search criteria. The criteria will focus on current and emerging issues of concern to University auditors. The results of the data collection will be made available to all auditors on a real-time basis.

One location has partnered with their finance group to develop extensive continuous monitoring protocols in the areas of payroll and procurement cards. The tools apply a variety of criteria analysis against real time data in an effort to identify problems, trends, and aid management in decision making and will be shared with all locations. These capabilities are being shared among campuses.

A proposal was made to the Institute of Internal Auditors Research Foundation for assistance in developing a staffing model for internal audit programs based on broader analysis of data and factors then currently available. After review of research proposals for an academic research study, a project is about to be launched. A segment of the research study will focus on factors unique to higher education.

VI. Strategic Plan

41


Chancellor Birgeneau Vice Chancellor Meyer Vice Chancellor Brase Vice Chancellor Olsen Vice Chancellor Bolar Vice Chancellor CarpenterVice Chancellor Vani Vice Chancellor Matthews Senior Vice Chancellor Barclay University Auditor Reed

The Regents’ Committee on Audit

EVP, Business Operations K. Lapp

University Auditor P.V. Reed

UC Systemwide J. Lohse* / K. Heins**

(3.5)

UCB S. Siri

(8.5)

UCD R. Catalano

(11)

UCSF A. Zubov

(11)

UCSC G. Gail

(4.75)

UCR M.

Jenson (6)

UCI G. Moore

(acting) (9)

UCLA E. Pierce

(25)

UCSB W.L.

Riley (6)

LBNL T.

Hamilton (7)

UCSD S. Burke

(15.6)

UCOP H.

Valness (6.5)Total Professional Staff, including the

Director, is in parentheses

Total Authorized Professional Positions = 114

(LANL& LLNL Audit Departments not reflected in UC Audit Program)

*Director of Investigations / **Director of IT Audit Services

Appendix 1 – University of California Internal Audit Program

SVP, Chief Compliance and Audit Officer, S. Vacca

annual report on internal audit activities 2006 - 2007

Documents

internal audit activities2006

audit findings

uc internal audit program

ucop internal audit

internal controls

local audit committees

audit tracker database

systemwide annual report