board of visitors audit, compliance, and risk …...september 2016 erm governance architecture bov...

Board of Visitors Audit, Compliance, and Risk Committee September 16, 2016 1

Post on 20-May-2020


Page 1: Board of Visitors Audit, Compliance, and Risk …...September 2016 ERM Governance Architecture BOV – Audit, Compliance, and Risk President and Cabinet Risk Management Council Risk

Board of Visitors Audit, Compliance, and Risk Committee

September 16, 2016

Audit Department Activities

September 2016 Audit Department Status

Assurance and Advisory Projects: Completed FY 2017 To Date

Subject | UVA Division
Curry School of Education | Academic Division
Darden Fund Transfers | Academic
Distributed IT Systems Current State Assessment | Academic
FY2016 Inventories (UVA Bookstore, Pharmacy) | Academic, Health System
Action Plan Implementation Status — Follow Ups | Academic, Health System

September 2016 Audit Department Status

Assurance and Advisory Projects: In Progress as of September 2016 BOV Meeting

Subject | UVA Division
Epic Phase 2 Implementation — Project Health Check w/ IT Security Focus | Health System
Fiscal Stewardship (Data-driven Internal Controls Analytics) Proof of Concept | Academic
Integrated Assurance – Compliance Assessment | Academic
System Security: Privileged Access (Core Systems) | Health System
Ivy Cloud — Project Health Check w/ Security and Governance Focus | Pan-University
Security Enhancement Plan (SEP) Project Health Check | Academic
SCADA Consultation | Pan-University

September 2016 Audit Department Status

Current View of Risk Prioritized Future Projects (Remainder of FY17)

Subject | UVA Division
340B Drug Discount Program | Health System
Environmental Health & Safety Compliance | Health System
HIPAA Risk Assessment | Academic
Uniform Guidance Implementation: Consultation with Office of Sponsored Programs | Academic
ARMICS (Agency Risk Management and Internal Control Standards) Consultation | Academic
Epic Phase 2 Implementation — Project Health Check w/ Control Framework Focus | Health System
Strategic Investment Fund Expenditures Monitoring | Pan-University
UFirst HR Transformation — Project Health Check | Pan-University
IT Change Controls | Health System
Presidential Travel and Expenses | Pan-University

Action Plan Completion Status

[Chart: By Priority Rating. Closed vs. Open action plans on a 0% to 100% scale for Priority 1, Priority 2, and Legacy (Unrated).]

By UVA Division

Status | Academic Division | Health System | College at Wise
Open | 7 | 0 | 0
Closed | 16 | 5 | 7

Compliance-Related Action Plans, By Fiscal Year, By Compliance Subcategory

[Chart: action plans for FY 2016 and FY 2017, by compliance subcategory: Regulatory Compliance; UVA Policies & Procedures.]

Operational Action Plans, By Fiscal Year, By Risk Subcategory

[Chart: action plans for FY 2016 and FY 2017, by risk subcategory: Cybersecurity; Efficiency and Effectiveness; Key Financial Controls; Student Experience; General IT Controls.]

University Compliance: Report on Medical Center Compliance and Privacy Officer Search

ERM Program Update

ERM Priorities

• Reposition & Enrich Program
• Enhance Board Reporting
• Onboard Health System

ERM Process Flowchart

1. Clarify Major Objectives
• President/EVPs

2. Identify Risks to Major Objectives
• BOV
• President’s Cabinet
• Risk Management Council/Networks
• Key Stakeholders

3. Assessment of Identified Risks
• Risk Management Council
• President/EVPs

4. Response and Management of Key Identified Risks
• Risk Management Council
• Risk Owners

5. Reporting to University Leadership
• Risk Management Council

ERM Governance Architecture

• BOV – Audit, Compliance, and Risk
• President and Cabinet
• Risk Management Council
• Risk Management Network – Health System
• Risk Management Network – Academic Division

September 2016 Key Risk Dashboard

Columns: # | Risk | Risk Owner | Inherent Risk Trend (Last Reported, Current, 1-2 Year Horizon) | Mitigation Confidence (Low to High)

1 | Risk 1 | Owner name here
2 | Risk 2 | Owner name here
3 | Risk 3 | Owner name here
4 | Risk 4 | Owner name here
5 | Risk 5 | Owner name here
6 | Risk 6 | Owner name here
7 | Risk 7 | Owner name here
8 | Risk 8 | Owner name here
9 | Risk 9 | Owner name here
10 | Risk 10 | Owner name here

Legend: each risk carries an R / Y / G rating. Does the risk present a material threat to the achievement of our objectives? Yes / Maybe / No.

Enterprise Risk Management (ERM) Updates, September 2016

Key Risk Update: Change in the status of a key risk
Owner:
Description:
Mitigation (Actions to date and Future Actions):
Mitigation Confidence: Low to High

Emerging Risk Update: Risks on the horizon that have the potential to be significant
Owner:
Description:
Mitigation (Actions to date and Future Actions):
Mitigation Confidence: Low to High

ERM Governance Architecture

• BOV – Audit, Compliance, and Risk
• President and Cabinet
• Risk Management Council
• Risk Management Network – Health System
• Risk Management Network – Academic Division

Jim Matteo (Chair), Carolyn Saint, Gary Nimax, Archie Holmes, Michael Marquardt

Jim Matteo (Chair), Nancy Rivers, Carolyn Saint, Pam Sellers, Melody Bianchetto, Virginia Evans, Bryan Garey, Gary Nimax, Colette Sheehy, Jeff Legro, Dorrie Fontaine, Josh Bowers, Cindy Frederick, Elisa Holquist, Anthony De Bruyn, Dave Hudson, Craig Littlepaige, Sim Ewing

Mike Marquardt (Chair), Sally Barber, Larry Fitzgerald, Kathy Peck, Nick Mendyka, Bill Fulkerson, Rebecca Hill, Michelle Hereford, Brad Haws, Rick Skinner

Closed Session

Audit, Compliance, and Risk Committee Agenda

CLOSED SESSION

Discussion of Medical Center operations as provided for in Section 2.2-3711(A)(22) of the Code of Virginia

Resume Open Session and Adjourn