TRANSCRIPT
Board of Visitors, Audit, Compliance, and Risk Committee
September 16, 2016
Audit Department Activities
September 2016 Audit Department Status
Assurance and Advisory Projects: Completed FY 2017 To Date

Subject                                              UVA Division
Curry School of Education                            Academic Division
Darden Fund Transfers                                Academic
Distributed IT Systems Current State Assessment      Academic
FY2016 Inventories (UVA Bookstore, Pharmacy)         Academic, Health System
Action Plan Implementation Status: Follow Ups        Academic, Health System
Assurance and Advisory Projects: In Progress as of September 2016 BOV Meeting

Subject                                                                          UVA Division
Epic Phase 2 Implementation: Project Health Check w/ IT Security Focus           Health System
Fiscal Stewardship (Data-driven Internal Controls Analytics) Proof of Concept    Academic
Integrated Assurance – Compliance Assessment                                     Academic
System Security: Privileged Access (Core Systems)                                Health System
Ivy Cloud: Project Health Check w/ Security and Governance Focus                 Pan-University
Security Enhancement Plan (SEP) Project Health Check                             Academic
SCADA Consultation                                                               Pan-University
Current View of Risk Prioritized Future Projects (Remainder of FY17)

Subject                                                                               UVA Division
340B Drug Discount Program                                                            Health System
Environmental Health & Safety Compliance                                              Health System
HIPAA Risk Assessment                                                                 Academic
Uniform Guidance Implementation: Consultation with Office of Sponsored Programs       Academic
ARMICS (Agency Risk Management and Internal Control Standards) Consultation           Academic
Epic Phase 2 Implementation: Project Health Check w/ Control Framework Focus          Health System
Strategic Investment Fund Expenditures Monitoring                                     Pan-University
UFirst HR Transformation: Project Health Check                                        Pan-University
IT Change Controls                                                                    Health System
Presidential Travel and Expenses                                                      Pan-University
Action Plan Completion Status (chart)

Panel 1, By Priority Rating: stacked percentage bars (0% to 100%) of Closed vs Open action plans for Priority 1, Priority 2, and Legacy (Unrated).

Panel 2, By UVA Division: counts of Closed vs Open action plans.

            Academic Division   Health System   College at Wise
Open        7                   0               0
Closed      16                  5               7
Compliance-Related Action Plans, By Fiscal Year, By Compliance Subcategory (chart)

Bars compare FY 2016 and FY 2017 counts for the subcategories Regulatory Compliance and UVA Policies & Procedures.
Operational Action Plans, By Fiscal Year, By Risk Subcategory (chart)

Bars compare FY 2016 and FY 2017 counts for the subcategories Cybersecurity, Efficiency and Effectiveness, Key Financial Controls, Student Experience, and General IT Controls.
University Compliance: Report on Medical Center Compliance and Privacy Officer Search
ERM Program Update
ERM Priorities
• Reposition & Enrich Program
• Enhance Board Reporting
• Onboard Health System
ERM Process Flowchart

1. Clarify Major Objectives
   • President/EVP's
2. Identify Risks to Major Objectives
   • BOV
   • President's Cabinet
   • Risk Management Council/Networks
   • Key Stakeholders
3. Assessment of Identified Risks
   • Risk Management Council
   • President/EVP's
4. Response and Management of Key Identified Risks
   • Risk Management Council
   • Risk Owners
5. Reporting to University Leadership
   • Risk Management Council
ERM Governance Architecture

• BOV – Audit, Compliance, and Risk
• President and Cabinet
• Risk Management Council
• Risk Management Network – Health System
• Risk Management Network – Academic Division
September 2016 Key Risk Dashboard (template)

Columns: Risk | Risk Owner | Inherent Risk Trend (Last Reported, Current, 1-2 Year Horizon; each rated R / Y / G) | Mitigation Confidence (Low to High)

Rows 1 through 10 are placeholders ("Risk 1" ... "Risk 10", "Owner name here").

Legend: Does the risk present a material threat to the achievement of our objectives? Yes / No / Maybe
Enterprise Risk Management (ERM) Updates (template)

Key Risk Update: change in the status of a key risk
  Owner:
  Description:
  Mitigation (Actions to date and Future Actions):
  Mitigation Confidence: Low to High

Emerging Risk Update: risks on the horizon that have the potential to be significant
  Owner:
  Description:
  Mitigation (Actions to date and Future Actions):
  Mitigation Confidence: Low to High
September 2016 ERM Governance Architecture

• BOV – Audit, Compliance, and Risk
• President and Cabinet
• Risk Management Council: Jim Matteo (Chair), Carolyn Saint, Gary Nimax, Archie Holmes, Michael Marquardt
• Risk Management Network – Academic Division: Jim Matteo (Chair), Nancy Rivers, Carolyn Saint, Pam Sellers, Melody Bianchetto, Virginia Evans, Bryan Garey, Gary Nimax, Colette Sheehy, Jeff Legro, Dorrie Fontaine, Josh Bowers, Cindy Frederick, Elisa Holquist, Anthony De Bruyn, Dave Hudson, Craig Littlepaige, Sim Ewing
• Risk Management Network – Health System: Mike Marquardt (Chair), Sally Barber, Larry Fitzgerald, Kathy Peck, Nick Mendyka, Bill Fulkerson, Rebecca Hill, Michelle Hereford, Brad Haws, Rick Skinner
Closed Session

Audit, Compliance, and Risk Committee Agenda
Closed Session: Discussion of Medical Center operations as provided for in Section 2.2-3711(A)(22) of the Code of Virginia
Resume Open Session and Adjourn