Draft Internal Audit Plan 2017-18

DRAFT 2

Internal Audit Plan Objectives

• Improve the effectiveness of campus governance, risk management and control processes;

• Assist campus leadership in the discharge of their oversight, management, and operating responsibilities;

• Assist management in addressing the University’s significant financial, operational and compliance risks and making informed risk acceptance decisions;

• Support and leverage campus efforts to identify, evaluate and mitigate risks;

• Support management’s restructuring and budget coping strategies;

• Serve the needs of campus/laboratory leadership while addressing broader issues from a systemwide perspective;

• Support the evolution of the Systemwide Compliance Program; and

• Meet the challenge to enhance the value of the Internal Audit Program.

DRAFT 3

Audit Plan Development Risk Assessment Process for 2017-18

Solicit input from the Regents, Senior Management, system-wide and campus management perspective

Rely on existing risk identification processes wherever they exist (e.g. Compliance, Risk Services, functional areas)

Gather and assess input from external sources (e.g. regulatory area, industry)

Share information among campus/laboratory auditors to leverage input and ensure consistent consideration of risks of interest, industry sources

The result of the risk assessment is an informed perspective on the current risk environment – including a prioritization of risks that are scalable to available resources.

Governance •Joint Ventures, Partnerships and Affiliations*

•Executive Compensation • Incentive Plans •Outside Professional Activities •Executive Transition Reviews

Risk Management •Environment Health & Safety •Volunteers •Disability Management •Fiat Lux (Captive Insurance)* •Student Health Insurance Plan (SHIP)

Compliance •Clery Act Compliance •Fair Wage/Fair Work* •Contract Management •State Audit Follow-up •Export Control

Financial •Financial Monitoring •Cash Management •Health Sciences Revenue Cycle •Strategic Sourcing* •Financial Aid

Operations •Disaster Recovery & Business Continuity • Intercollegiate Athletics •Merced 2020* •UC-Mexico* •Construction •Maintenance

Information Technology •Cybersecurity* • IT System Implementations* •Mobile Devices •Cloud Computing •Systems Operational Readiness • IT Project Costs* • IT Asset Management

Human Resources •Rehired Retirees •Temporary Employees •Recruitment Process •Background Checks •Off-Boarding and Continuity of Operations

Research •Research Award Closures •Organized Research Units •Research Partnerships* •Research Compliance

Health Sciences •Pharmacy Operations •Telemedicine •Clinical Operations •Claim Denial Management* •Clinical Integration and Affiliations •Electronic Medical Records – EPIC*

DRAFT 4

* Management Strategic Priority/Initiative

Topics Addressed in FY17 Draft Audit Plans

International Activities

Innovation and Entrepreneurship

UC Health Strategic Priorities

Shared Admin Systems

Cybersecurity

Financial Sustainability

UC Audit &

Advisory Services

Diversity, Equity and Inclusion

Operational Efficiency/Cost

Reduction

Focus on Strategic Alignment

DRAFT 6

Cybersecurity Examples of Planned Audit and Advisory Activities • Vulnerability assessments and penetration testing to identify and validate configuration

and/or technical flaws within systems and networks

• Evaluate controls over critical infrastructure IT systems

• Assess security of medical devices

• Assess access controls in cloud environments • Review user authentication and access controls • Ensure third party risks are managed and service providers meet security standards

• Assess security of restricted information

DRAFT 7

Operational Efficiency/Cost Reduction Examples of Planned Audit and Advisory Activities • Review departments, units and processes to ensure departments and units are

operating effectively and efficiently

• Identify opportunities for improvement to:

o Streamline processes

o Achieve greater consistency

o Reduce redundancy

o Eliminate unnecessary work

o Improve the use of IT systems

o Reduce costs o Improve financial performance

• Assess and evaluate UCPath project readiness for pilot campuses

• Review and provide advice on UCPath business process design and modifications

• Assess efficiency and effectiveness of new enterprise systems

• Evaluate ongoing efforts to streamline and consolidate operations • Evaluate campus administrative realignment strategies

DRAFT 8

Examples of Planned Audit and Advisory Activities Shared Administrative Systems

• Assess the funding sources including funding for compensation

• Ensure the campus is maximizing revenue by minimized claim denials

• Assess the financial viability and management of research units and self-supporting operations

• Evaluate overall department financial position and key internal controls

• Validate that construction costs are adequately managed and controlled

Financial Stewardship

DRAFT 9

Examples of Planned Audit and Advisory Activities

UC Health Strategic Priorities

DRAFT 10

Examples of Planned Audit and Advisory Activities • Evaluate contractual arrangements with community entities related to clinical

integration

• Assess financial management and infrastructure support of capitated healthcare contracts

• Evaluate processes for the provision of professional services at affiliated healthcare organizations

• Evaluating the effectiveness of the process changes to ensure accurate and complaint

clinical research billing

• Identifying opportunities to improve revenue management processes and financial performance

• Evaluate key administrative and financial controls to ensure compliant operational processes

DRAFT 11

Examples of Planned Audit and Advisory Activities Diversity, Equity and Inclusion

• Assist in review and evaluation of campus climate action plans and related systems of accountability

• Assess efforts to promote the diversity of students, faculty and staff

• Assess efforts to promote and ensure equitable compensation in an effort to attract and retain a quality and diverse workforce

• Assess recruitment process and assure that the University's hiring practices are

inclusive, fair and attract individuals from diverse backgrounds, experiences and perspectives

• Assess effectiveness of labor and employee relations processes, including the onboarding of employees and vendors

• Evaluate the University's international visa application processes to meet regulatory compliance to attract top quality scientific faculty and scholars

DRAFT 12

Innovation and Entrepreneurship Examples of Planned Audit and Advisory Activities • Evaluate due diligence processes and associated risks for entrepreneurial investment

initiatives

• Assess controls over identifying and evaluating potential conflict of interest • Review and evaluate campus practices regarding faculty start-up funds

• Examine risks and contractual responsibilities across participating affiliates

• Ensure campus resources are effectively managed and return on investment is

monitored • Ensure that the campus infrastructure is sufficient to effectively evaluate new ventures,

manage active ventures, repay internal loans for startup expenses, and establish metrics for continuing and decommissioning ventures

• Review the processes in place to enable the campus to develop collaborative partnerships

DRAFT 13

International Activities Examples of Planned Audit and Advisory Activities • Evaluate the activities of the UC-Mexico initiative to determine if they conform to the

main objectives of the initiative

• Review compliance and awareness of export controls within the research enterprise

• Review financial and administrative business processes in the international and global studies areas

• Ensure processes are in place to appropriately conduct research and educational

activities abroad

• Review international agreements for compliance with policy • Review international travel for compliance with travel policy

DRAFT

Appendix – List of Audit and Advisory Service Projects by Location

14

Systemwide-Focused Projects – Audits Outside Professional Activities Executive Compensation Fair Wage Fair Work Medical Centers Clinical Enterprise Management Recognition Plan (CEMRP) Office of the Treasurer Annual Incentive Plan (AIP) Retirement Administration Service Center (RASC) User Access Student Health Insurance Plan (SHIP) Financial Controls Fiat Lux Financial Controls Rehired Retirees Policy Compliance Systemwide-Focused Projects – Advisory Services RASC Redwood Operational Readiness UCPath Operational Readiness Assessment – Pilot Deployment* State Audit Follow-up Diversity – Campus Climate Action Plan Review Assistance Systemwide-Focused Projects - Cybersecurity Critical Infrastructure - IT Systems* Incident Response* Vulnerability Assessment and Penetration Testing* Medical Device Security*

National Institute of Standards and Technology (NIST) – Cybersecurity Framework Advisory* UC Health Affiliates Cybersecurity Review* Lawrence Berkeley National Laboratory – Audits FY17 Cost Allowability FY17 Home Office Costs Continuous Controls Monitoring OMB A-123 IT General Controls Conflict of Interest Compensated Outside Professional Activities Subcontract Audits Construction Projects Lawrence Berkeley National Laboratory – Advisory Services CY17 Executive Compensation UC Berkeley – Audits Affiliated Organizations Berkeley Resource Center for Online Education and New Academic Ventures Bowles Hall Business Continuity Campus Shared Services Human Resources—Management and Supervisor Training IT Placeholder* Organized Research Units *Assistance will be provided by the

Systemwide Cybersecurity Audit Team

DRAFT 15

UC Berkeley – Audits (continued) Scholarships Self Supporting Operations Student Information System Post Implementation Review Executive Compensation Fair Wage Fair Work Outside Professional Activities UCPath Readiness Vice Chancellor Transition Reviews UC Berkeley – Advisory Services Operational Efficiency UC Davis - Audits Accounts Payable Annual Report on Executive Compensation Campus Data Warehouse IT Operations Chancellor's Expenses (BFB G-45) Financial Aid Police and Fire IT Operations Student Accounting Temporary Employment Services Vet Med Teaching Hospital Cancer Center Claim Denial Management Department of Radiology Emergency Room Environmental Health and Safety EPIC Cashiering Food Services

Fair Wage Fair Work Outside Professional Activities Pharmacy Vendor On-Site Monitoring Volunteers Write-Off Accounts Email Systems* UC Davis – Advisory Services Academic Affairs Administrative Review Aggie Surplus Counseling Services Office of Research Administrative Review Faculty Start-Up Funds Basic Science Departments Quincy Data Center* UCDHS Administrative Review ACL Analytics and Transition UC Irvine – Audits Cloud Computing and IT Vendor Management/Contracts* School of the Arts Information Security – Restricted Data and Electronic Inventory Resources* Graduate Division Contract and Grants Accounting Disability Services Center School of Humanities EPIC - Hosting Neurology Biological Chemistry

DRAFT 16

UC Irvine – Audits (continued) Accounts Payable Telecommunications Real Estate Lease Payments and Income Affiliation Agreements Physical Medicine and Rehabilitation Export Controls Executive Compensation and Chancellor’s Expenses Stipend Payments Returning Retirees Cost Transfers Fair Wage Fair Work Outside Professional Activities UC Irvine – Advisory Services Sight of Service 11 and 22 Reviews EPIC Post Implementation Business Continuity/Disaster Recovery Validation Data Analytics Student Center – IT Environment Continuous Auditing Corporate Card Transactions Physical Inventory Observations UC Los Angeles – Audits General Books Division Lu Valle Division Trademarks & Licensing Facilities Maintenance Accounts Receivable Client Recharge Process (Customer Relations) Materials and Equipment (Design, Project Management & Operations)

Purchasing Process Review (Finance & Information Systems)

Preventive and Deferred Maintenance Capitalization Procedures and Practices Project Management Shared Point System Review* Access Controls* Construction Housing Assignments Office UA – Maintenance Shop University Guest House F&T – Recharge Audit Parking Citation Contract Review Vanpool Program UCLA Events Office Records Management Travel and Accounts Payable Recharges Enterprise Messaging* Human Resource and Payroll Center - South Ticket Inventory Asset Management UCLA Recreation (UREC) The UCLA Foundation Athletics Academic Departments (2) Academic Department – General IT Controls Review UCLA Lab School UCLA International Institute Cloud Computing* Fowler Museum at UCLA Phase II Program Review – Assessment of Export Control

DRAFT 17

UC Los Angeles – Audits (continued) Hemapheresis Contract (SMUCLA) Laundry Service Contract Santa Monica Emergency Physicians Contract Accounts Payable Purchasing Disaster Recovery IT Access Controls – Off-Boarding Medical Device Security* International Relations Patient Accounts Credit Balances Time Reporting UCLA Health Clinical Practice Operations Housestaff Duty Hours Fair Wage Fair Work Executive Compensation Professional Outside Activities UC Merced – Audits Strategic Sourcing Clery Act Annual Report on Executive Compensation Purchase Cards Post Award Spending Cash Controls and Payments Downtown Campus Center Construction Project Fair Wage Fair Work Outside Professional Activities

UC Merced – Advisory Services Vice Chancellor Transition Review Fraud and Financial Analytical Review UCPath Readiness Assessment Review Review of Project 2020 UCOP – Audits Relocation and Moving Expenses (non SMG) Power Source Disclosure Program Innovation Alliances Financial Administration ANR Statewide Programs Administrative Activities IT Asset Management Student Affairs Business Continuity

UCOP – Advisory Services

ANR Financials – Part II ANR UCPath Future State Advisory UC Riverside – Audits School of Medicine IT Security – Small Departments* Deferred Maintenance Environmental Health and Safety Cash Handling Corporate Cards Outside Professional Activities Senior Management Group Travel Annual Report on Executive Compensation Annual Analytic Review and Fraud Detection Temporary employees Fair Wage Fair Work

DRAFT 18

UC Riverside – Advisory Services Organizational Excellence UCPath Readiness Assessment UC Mexico Initiative Machine Shops Training - Other Training - Whistleblower and Fraud Training – Orientation

UC Santa Barbara – Audits Information Security – Web Applications Information Security – Cybersecurity IT General Controls – Campus Security Marine Science Institute Deferred Maintenance Campus Financial System Post Implementation Controls IT General Controls – Cloud Computing* Environmental Health and Safety – Construction Close-out Hiring Practices – Faculty Recruitments Transcript Tracking System and Transfer Evaluation and Articulation System Police Department Environmental Health and Safety – Safety Training Executive Compensation/Travel and Entertainment and Chancellor Expenses Fair Wage Fair Work UCPath Project Progress Review Conference Services – Internal Control Review Enterprise and Campus-wide IT Project Costs Human Resources – Background Checks Outside Professional Activities

UC Santa Barbara – Advisory Services Work Order Systems and Processes Information Security (placeholder) Campus Physical Security Assessment Clery Act Reporting Process Internal Control Self- Assessment Data Analytics Program Outreach, Training and Presentations UC Santa Cruz – Audits Information Management of Sensitive Data – User Awareness Employee Off-Boarding and Continuity of Operations Vivarium Operations and Governance OPERS Diving and Boating Safety Program Annual Report on Executive Compensation Chancellor’s Expenses (BFB G-45) Divisional Carryforward/Deficit Management Independent Contractors Campus Use of Consultants Data Center – Amazon Web Services* Fair Wage Fair Work Outside Professional Activities UC Santa Cruz – Advisory Services Fraud Management Program – Data Analytics Spreadsheet Accuracy Data Governance Policy Development NCAA Report Annual Review Student Intern Program Limited Scope Consultations/Special Projects Compliance/CECO Support

DRAFT 19

UC San Diego – Audits Student Business Services Single Operating Fund Initiative Allocations Cashiering Compliance Scripts Institute Marine Physical lab University Centers Operations Recharge Centers Physics Department Audit SDSC - Organized Research Unit* Research Fund/Award Close-out/De-obligation Electrical and Computer Engineering Fair Wage Fair Work Clinical Practice Organization Financial Statements Clinical Integrated Network – EPIC Community Connect HealthNet Blue and Gold Medical Directorships Woman and Infant services Anesthesiology Charge Capture and Billing Sleep Center Free Clinic Concierge Medicine Patient Refunds (Downtown, Encinitas) Psychiatry and Translational Research Institute (CTRI) Moores Cancer Center Outside Professional Activities UC San Diego – Advisory Services Annual Review of Executive Compensation (AREC) Operating Ledger – Transactional Compliance Police Property and Evidence Management Research Compliance (Clinicaltrial.gov, NIH Training) Health System Purchasing and Disbursements Data Analytics External Coding and Billing Vendor Contracts

UC San Francisco – Audits Clinical Integration/Affiliations* New Providers On-Boarding and Integration

Charge Capture and Billing - Clinic Health Plans – Contract Management Telemedicine High Cost Drugs - Charging and Billing Late Charges – HB and PB Data Integrity* Third party Access* Research Partnerships International Activities Clinical Trials Agreements Facility Maintenance Student Funding Allocations Research Administration and Compliance Capital Construction Projects Professional Service Agreements International Visa Processing Contract Management Affiliates – Access to UCSF Systems Fair Wage Fair Work IT Security – Website Development* IT Delivery Model – Security* Recruitment Process Executive Compensation Outside Professional Activities UC San Francisco – Advisory Services UCSF Health Finance Integration Data Security Compliance Program* Continuous Analytics Program

DRAFT 20

UC San Francisco – Advisory Services (continued) Enterprisewide Collaboration Strategic Sourcing Financial and Compliance Dashboard E-prescribing Controlled Substances* APeX Work Queue Management Award Certification Pilot External Audit Coordination