internal audit annual report - msutexas.edu · internal audit plan for fiscal year 2018 and...

INTERNAL AUDIT ANNUAL REPORT For the Fiscal Year Ended August 31, 2018 MIDWESTERN STATE UNIVERSITY Office of Internal Audits Leigh Kidwell, CPA, CIA, CGMA, Director 3410 Taft Blvd. Wichita Falls, TX 76308 Phone: (940) 397-4914 www.msutexas.edu/internal-audit


INTERNAL AUDIT ANNUAL REPORT

For the Fiscal Year Ended August 31, 2018

MIDWESTERN STATE UNIVERSITY

Office of Internal Audits

Leigh Kidwell, CPA, CIA, CGMA, Director

3410 Taft Blvd. Wichita Falls, TX 76308 Phone: (940) 397-4914

www.msutexas.edu/internal-audit


Transmittal Letter

October 11, 2018

Dr. Suzanne Shipley, President
Ms. Tiffany Burks, Chair - Audit, Compliance and Management Review Committee

I am pleased to submit the internal audit annual report for the fiscal year ended August 31, 2018. This report lists the services provided and other activities performed by the Office of Internal Audits and fulfills the Texas Internal Auditing Act (the Act) requirements set out in Texas Government Code, Section 2102.009.

This report includes the Fiscal Year 2018 audit plan, explanations for any deviations from the plan, audits completed during the year and those in progress at year end, a list of all external audit services procured, the Fiscal Year 2019 audit plan, and other required disclosures.

The Act requires the submission of the annual report by November 1 to the State Auditor's Office, the Governor's Budget and Policy Division, the Legislative Budget Board, and the Sunset Advisory Commission. Typically, no reports are submitted to oversight agencies prior to approval by the institution's governing board. However, a draft version of this report will be accepted by the oversight agencies when the institution's governing board is scheduled to meet after the deadline but early in the month of November. To ensure compliance with the Act, I will submit a draft version of the report prior to the due date and submit the final report following approval by the Board of Regents at the November 8, 2018 meeting.

I want to thank the Board of Regents, the President, University management, faculty and staff for the support provided in the performance of my responsibilities and formally request this report be approved.

Respectfully,

Leigh Kidwell, CPA, CIA, CGMA
Director
Office of Internal Audits


FY 2018 Internal Audit Annual Report

TABLE OF CONTENTS

I. Executive Summary

II. Compliance with Texas Government Code, Section 2102.015

III. Internal Audit Plan for Fiscal Year 2018 and Explanation of Changes

IV. Fiscal Year 2018 Audits Completed

V. Consulting Services and Non-audit Services

VI. External Quality Assurance Review

VII. Internal Quality Assessment

VIII. Internal Audit Plan for Fiscal Year 2019

IX. External Audit Services

X. Reporting Suspected Fraud and Abuse


I. Executive Summary

The purpose of the internal audit annual report is to provide information on the assurance services, consulting services, and other activities of the internal audit function. Additionally, the annual report assists oversight agencies in their planning and coordination efforts. It is submitted in compliance with the Texas Internal Auditing Act (Texas Government Code, Section 2102.009), the Office of Internal Audits Charter, and the rules and regulations of the Board of Regents of Midwestern State University.

The Office of Internal Audits mission is to enhance and protect the University's value by providing risk-based and objective assurance, advice and insight. A systematic, disciplined approach is used to evaluate risk management, internal controls, operational and governance processes. The primary objective of the internal audit function is to assist the Board of Regents, the President, and University management in effectively discharging their responsibilities.

Fiscal Year 2018 was a productive year. Twelve projects were completed, including an external quality assurance review, and three additional projects were in progress at August 31. The full time auditor hired in 2017 relocated and left the University in July 2018. The auditor position was filled on August 1, 2018. Other activities during this fiscal year included configuring and implementing TeamMate, an integrated auditing software, and performing numerous special projects and investigations from the University's hotline.

In accordance with Texas Government Code, Sections 2102.009 and 2102.0091, internal audit annual reports must be submitted by November 1 to the State Auditor's Office, the Governor's Budget and Policy Division, the Legislative Budget Board, and the Sunset Advisory Commission. A draft version of the report will be submitted to these oversight agencies to meet the November 1 deadline. The final report will be submitted following approval by the Midwestern State University Board of Regents at their November 8, 2018 meeting.

II. Compliance with Texas Government Code, Section 2102.015

Texas Government Code, Section 2102.015, requires higher education institutions to post certain information on their internet websites. It also requires them to update the website postings with detailed summaries of weaknesses, deficiencies, wrongdoings, or other concerns, if any, raised by the audit plan or annual report, and summaries of the actions taken by the institution to address those concerns. Within 30 days, after approval by the entity's governing board, the internal audit annual report as required by Texas Government Code, Section 2102.009 and the audit plan as required by Texas Government Code, Section 2102.008 should be posted on the institution's website.


In order to comply with Texas Government Code, Section 2102, the University's Fiscal Year 2018 Internal Audit Annual Report and the Fiscal Year 2019 Audit Plan will be posted within 30 days after Board of Regents' approval, on https://msutexas.edu/regents/board-minutes and on the Office of Internal Audits web page, https://msutexas.edu/internal-audits/reports. The University retains the right to not post information contained in the audit plan or internal audit annual report if the information is exempt from public disclosure under Texas Government Code, Section 552.

III. Internal Audit Plan for Fiscal Year 2018 and Explanation of Changes

The Office of Internal Audits was staffed by a full time Director for the entire fiscal year and a full time auditor for eleven months. Available time for this year's projects after consideration of University holidays, vacation and sick leave was 3,613 hours. Audit resources were used to perform the required audits, special projects, investigations, meetings, committee service, and audit department activities and administration.

Listed below are the details for the Fiscal Year 2018 Audit Plan approved by the University's Board of Regents on August 4, 2017.

Project | Description | Hours

Financial, Compliance, Operational, Efficiency & Effectiveness Audits

Audit assistance to oversight agencies | Provide audit assistance to state and federal oversight agencies such as Texas State Auditor's Office, Texas Higher Education Coordinating Board, Texas State Comptroller's Office and grant agencies. | 80

Public Funds Investment Act | Verify compliance with requirements to implement controls in policies, in contracting, in reporting, and in reviewing of investments according to the Act, Texas Government Code, Chapter 2256. | 240

Benefits Proportional By Fund | Verify compliance with requirements to pay benefits in proportion to the sources of funds from which they paid the corresponding salaries and wages in accordance with applicable statutes, General Appropriations Act requirements, and related University policies and procedures. | 240

Joint Admission Medical Program (JAMP) | Provide assurance the University complies with policies, procedures, laws, and regulations as required by the Joint Admission Medical Program Council Agreement. | 80

Facilities Audit | Provide assurance the University complies with the Texas Higher Education Coordinating Board's building projects and real estate acquisitions and provide assistance to the Peer Review Team's review of planning and construction processes, project management, and facilities inventory control. |

Contract Management and Purchasing | Verify compliance with requirements of Senate Bill 20, 84th Texas Legislature and Senate Bill 533, 85th Texas Legislature. | 240

Audits Carried Forward | Prior fiscal year audits not complete at 8/31 and carried forward into current year. | 200

Information Technology

Texas Administrative Code Section 202 | Obtain representations from management and verification if necessary, regarding status of implementation of prior audit recommendations or action plans and prior year's risk assessment action plan. | 240

Follow-up Audits

Implementation of Prior Audit Recommendations | Obtain representations from management and verification if necessary, regarding status of implementation of prior audit recommendations. | 120

Special Projects

Hotline, Fraud, or Ethics Investigations | Facilitate University anonymous reporting system and investigations. | 40

Special Projects | Based on requests from Board of Regents, Administration or others. | 352

Meetings and Committee Service

Ethics and Compliance Committee | Serve as advisory member of the committee and all sub-committees. | 304

Administrative Meetings | Attend administrative meetings as requested. | 240

Other University Meetings or Events | Attend other meetings or events as requested. | 48

Board of Regents Meetings | Preparation and attendance of meetings or events. | 120

Audit Department Activities and Administration

Annual Audit Plan and Report | Prepare annual audit plan and report. | 80

Audit Manual and Webpage Revisions, and Records Management | Update audit manual and webpage, and records management / retention. | 56

Annual Risk Assessment | Facilitate annual University risk assessment. | 40

Audit Software Installation and Implementation | Install, set up and implement TeamMate audit management system software. | 160

Professional Development and Travel | Professional development, maintain certifications, continuing education and related travel. | 128

Staff Meetings | Intra office communications and planning. | 48

General and Administrative Tasks | Office administrative duties (planning, purchasing, recordkeeping, scheduling, reporting, etc.). | 477

Total Allocated Hours |

Available Hours for All Staff | 4,160

Less estimated hours for:

Holidays | (224)

Vacation & Birthday Leave | (227)

Sick Leave | (80)

Wellness Release | (16)

Net Available Hours | 3,613


Changes to the 2018 audit plan are as follows:

• University Website Compliance Audit - This outsourced audit was added to the fiscal year 2018 audit plan. Its objective was to assess all website content and functionality and identify any area that is inaccessible to persons with disabilities.

• Construction Contract Compliance Audit - This outsourced audit was added to the fiscal year 2018 audit plan. Its objective was to identify opportunities for cost avoidance, potential cost exceptions, overcharges, and to evaluate the contract to build the Gunn College of Health Sciences and Human Services Building.

IV. Fiscal Year 2018 Audits Completed

Twelve projects were completed during the fiscal year including an external quality assurance review. Three projects remain in-progress at year-end. Listed below are the completed projects for Fiscal Year 2018.

Report Number | Report Date | Report Title | High-Level Audit Objective

17-01 | 12/13/17 | Clery Act Compliance Assessment | Receive an independent assessment of the University's compliance with the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act.

17-02 | 12/18/17 | Title IX Compliance Assessment | Receive an independent assessment of the University's compliance with Title IX of the Education Amendments of 1972 to the Civil Rights Act of 1964.

17-03 | 10/12/17 | QAR Self-Assessment Report | Perform a quality assurance self-assessment review of the internal audit activity in preparation for validation by an independent reviewer.

17-04 | 02/14/18 | Petty Cash and Change Fund Audit | Determine whether petty cash/change fund policies and procedures have been developed and implemented to effectively manage risks, verify cash on hand agrees to recorded amounts, review internal controls and determine if cash is adequately safeguarded.

17-05 | 12/07/17 | NCAA Agreed-Upon Procedures | Outsource the evaluation of the University's intercollegiate athletics program operating revenues and expenses per the National Collegiate Athletic Association Division II By-laws.

17-A | 12/01/17 | Evergreen Student Support Study Project | Outsource the analyzation of processes, outcomes and staffing in select departments for workload, structure, resource allocation, and process improvements.

17-B | 09/29/17 | Clery Records/Incident Review Project | Review of relevant records, incident reports, crime numbers and student conduct cases for calendar years 2014, 2015, and 2016 to ensure the University has accurately recorded and correctly classified crimes reported to the Department of Education.

17-D | 02/18/18 | Information Security Corrective Action Plan Updates | Obtain representations from management and verification if necessary, regarding the implementation status of prior audit recommendations and corrective action plan.

18-01 | 10/26/17 | Joint Admission Medical Program (JAMP) Audit | Provide assurance that the University is in compliance with the JAMP Agreement and expenditure Guidelines.

18-02 | 12/21/17 | Public Funds Investment Act Audit | Provide assurance that the University complies with the Public Funds Investment Act, Gov't Code Section 2256, management controls on investments, and adherence to University policies.

18-03 | 02/14/18 | Texas Higher Education Coordinating Board (THECB) Facilities Audit | Provide assurance the University complies with THECB regulations for facility development and real property project applications and controls.

18-04 | 06/28/18 | Benefits Proportional by Fund Audit for Fiscal Years 2015, 2016 and 2017 | Audit to address the benefits proportionality audit requirement prescribed in Rider 8, page 111-45, the General Appropriations Act (85th Legislature).

Report 18-04, Benefits Proportional by Fund Audit addressed the requirement in Rider 8, page 111-45, of the General Appropriations Act (85th Legislature). In addition, Report 18-06, Contract Management Audit, addressed the requirement of Texas Education Code, Section 51.9337(h).

Listed below are the in-progress projects as of August 31, 2018.

Report Number | Report Title | Report Status | High-Level Audit Objective

18-05 | Construction Contract Compliance Audit | Two phase project, at interim and post construction. Interim report expected by 12/31/18. Final report expected by 8/31/19. | Outsourced audit to identify opportunities for cost avoidance, potential cost exceptions, overcharges, and to evaluate the contract to build the Gunn College of Health Sciences and Human Services Building.

18-06 | Contract Management Audit | Fieldwork is complete. Final audit report will be presented to Board of Regents in November 2018. | Addresses the requirement of Texas Education Code, Section 51.9337(h).

18-C | University Website Compliance Audit | Report in draft form. Waiting on management's corrective action plan. Anticipated completion 1/31/19. | Outsourced audit to assess all website content and functionality and identify any areas that are inaccessible to persons with disabilities.


Listed below is the status of audit finding recommendations from each project completed during Fiscal Year 2018. The status is based on the following definitions and dependent upon the targeted implementation dates:

• Implemented: Successful development and use of a process, system, or policy to implement a recommendation.

• Ongoing: Ongoing development of a process, system, or policy to address a recommendation.

• Not Implemented: Lack of a formal process, system, policy to address a recommendation.

• No Action Required: No findings or recommendations were made.

Report # | Report Name | Recommendation | Recommendation Status

17-01 | Clery Act Compliance Assessment | A consultant reviewed the University's processes and methodology for complying with the Clery Act during the spring of 2017. They identified areas of non-compliance and made 342 recommendations. At 10/01/18, 67% or 230 recommendations have been fully implemented, 1% are ongoing, and 32% or 108 recommendations have not yet been implemented. | Implemented; Ongoing; Not Implemented

17-02 | Title IX Compliance Assessment | The consultant strongly recommends the University hire a full-time Title IX Coordinator. | X

17-02 | Title IX Compliance Assessment | Identify and train Responsible Employees. | X

17-02 | Title IX Compliance Assessment | Adopt the true-umbrella handbook proposed by the consultant. | X

17-02 | Title IX Compliance Assessment | Annually train officials who have any role in the intake, resolution and investigation of complaints how to comply with the Violence Against Women Act. | X

17-02 | Title IX Compliance Assessment | Develop a centralized content-filled website regarding Sexual Misconduct. | X

17-02 | Title IX Compliance Assessment | Revise existing institutional policies to reflect umbrella handbook. | X

17-02 | Title IX Compliance Assessment | Distribute an Annual Notice of Non-Discrimination as required by Title IX. | X

17-02 | Title IX Compliance Assessment | Form Educational Training Committee to institute primary prevention programs for all incoming employees and students and ongoing prevention and awareness campaigns for all current students and employees that is compliant with the requirements of the Clery Act. | X

17-03 | Quality Assurance Review (QAR) - Self Assessment | No recommendations were made. | No Action Required

17-04 | Petty Cash and Change Fund Audit | Eight of the ten departments did not have petty cash and change fund policies. Two departments had outdated policies. All departments should develop formal cash handling policies that align with the Business Office. At 10/01/18, seven of the ten departments have developed and implemented new policies. The remaining three departments' status is ongoing. | Implemented; Ongoing

17-04 | Petty Cash and Change Fund Audit | All fund overages or shortages should be cleared by the cash custodians, a reconciliation process should be added to departmental cash count procedures, and the Business Office should initiate regular cash counts of all funds held by departments. At 10/01/18, nine departments have fully implemented their recommendations and one department's status is ongoing. | Implemented; Ongoing

17-04 | Petty Cash and Change Fund Audit | To strengthen overall controls: the Business Office should develop cash handling training, require all new cash custodians to attend, and annually provide a copy of the rules and responsibilities for cash handling; the Business Office should implement a system to count and verify cash prior to a custodian changing jobs or leaving the university; and alternate custodians should be identified and trained to count and reconcile cash when primary custodians are absent. At 10/01/18, nine departments have fully implemented multiple recommendations and one department's status is ongoing. | Implemented; Ongoing

17-05 | NCAA Agreed-Upon Procedures | No recommendations were made. | No Action Required

17-A | Evergreen Student Support Study Project | No recommendations were made. | No Action Required

17-B | Clery Records/Incident Review Project | No recommendations were made. | No Action Required

17-D | Information Security Corrective Action Plan Update Project | These recommendations are security sensitive. | X

18-01 | Joint Admissions Medical Program (JAMP) Audit | To comply with the JAMP Agreement, the oversight committee should be convened, and minutes of the meetings should be documented to support program administration. | X

18-02 | Public Funds Investment Act Audit | To comply with the Public Funds Investment Act, University Policy 4.182 should be amended to include procedures to liquidate investments that do not meet the required minimum rating requirements. | X

18-03 | Texas Higher Education Coordinating Board Facilities Audit | No recommendations were made. | No Action Required

18-04 | Benefits Proportional by Fund Audit | Instructions should be developed for preparing the APS 011 Report. | X

18-04 | Benefits Proportional by Fund Audit | A reconciliation of amounts reported on the APS 011 Report, USAS, Banner Finance, and Banner Payroll should be included in year-end procedures. | X

V. Consulting Services and Non-audit Services

The Office of Internal Audits did not perform any consulting services as defined by the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing or non-audit services as defined by Governmental Auditing Standards, 2011 revision, Sections 3.33 - 3.58.


Other value-added activities performed during Fiscal Year 2018 are included in the following table.

Activity | Impact

Provide assistance with the Department of Veteran Affairs compliance survey of VA beneficiary records. | Coordinate and assist to aid in audit efficiency and provide expertise.

Provide assistance with the Texas Higher Education Coordinating Board Peer Review Team assessment and verification of campus facilities usage and project funding. | Coordinate and assist to aid in audit efficiency and provide expertise.

Provide assistance with the Small Business Administration on-site review of the University's Small Business Development Center. | Coordinate and assist to aid in audit efficiency and provide expertise.

Serve as advisor on multiple compliance committees. | Provide guidance to sub-committees formed to address specific compliance areas.

Serve on the University's Compliance Support and Advisory Committee. | Provide guidance for maintaining an effective compliance program and investigating reported compliance concerns.

Facilitate anonymous, online, 24/7 accessible, hotline reporting system. | Promote commitment to ethical behavior, improve information gathering, and mitigation of risk.

Investigate complaints or claims of fraud, waste or abuse. | Review information, investigate allegations, and determine if grounds exist to initiate an audit.

Facilitate the annual risk assessment. | Contribute to the University's risk assessment and management efforts.

Serve as advisor to departments for various issues. | Provide guidance and/or to strengthen controls.

Other special projects. | Provide information and analysis.

VI. External Quality Assurance Review

A self-assessment (SA) of the internal audit activity was completed on October 12, 2017, in preparation for validation by an independent reviewer. The principal objective of the SA was to assess the Office of Internal Audits' conformance with The Texas Internal Auditing Act (Tex. Gov't. Code Chapter 2102), the Institute of Internal Auditors Code of Ethics and International Standards for the Professional Practice of Internal Auditing, and U.S. General Accounting Office Generally Accepted Government Auditing Standards (collectively the "Standards") in effect at the time the audits were conducted. It is our overall opinion that the Office of Internal Audits generally conforms to the Standards and Code of Ethics.

Copied below is the External Quality Assurance Review Report.


STEPHEN F. AUSTIN STATE UNIVERSITY

Department of Audit Services
P.O. Box 6121, SFA Station • Nacogdoches, Texas 75962-6121
Phone (936) 468-5204 • Fax (936) 468-7698

February 28, 2018

Mr. Samuel M. Sanchez, Board of Regents Chair
Ms. Tiffany Burks, Audit, Compliance, and Management Review Chair
Midwestern State University
3410 Taft Boulevard
Wichita Falls, TX 76308

Dear Mr. Sanchez and Ms. Burks:

We conducted an independent validation of the assertions and conclusions made in the Quality Assurance Review Self-Assessment Report issued by Director Leigh Kidwell on October 12, 2017. The primary objective of our engagement was to offer an independent opinion on whether the program of internal auditing of the Midwestern State University Office of Internal Audits meets the requirements expected of internal audit activities at institutions of higher education supported by the State of Texas, as asserted in the Self-Assessment Report previously mentioned. Those requirements are set forth by the Texas Internal Auditing Act (Texas Government Code Chapter 2102); the Institute of Internal Auditors' (IIA) International Standards for the Professional Practice of Internal Auditing and Code of Ethics; and the U.S. Government Accountability Office's Generally Accepted Government Auditing Standards. For purposes of this review, we collectively refer to these as the Standards.

The validation was performed by Gina Oglesbee, Chief Audit Executive for Stephen F. Austin State University, and Justin McAninch, Audit Manager for the University of Texas Health Science Center at Tyler. We attest that we are independent from all internal audit activities at Midwestern State University (MSU) and have the requisite skills and knowledge to perform the engagement.

We conducted the validation using the State Agency Internal Audit Forum Peer Review Guidelines and the Master Peer Review Program as guidance. The review included internal audit activities for the three year period, January 1, 2014 through December 31, 2016. Onsite fieldwork was performed December 4-6, 2017 and February 28, 2018. We reviewed the self-assessment documentation and select audit workpapers, and performed interviews with the Chair of the Board of Regents, President, General Counsel, Vice President of Administration and Finance, Chief Information Officer, Chief Information Security Officer, Audit Director, and Auditor.


Based on our procedures, we agree with the overall conclusion that the Office of Internal Audits "Generally Conforms" to the Standards, with specific conformance noted as follows:

[Table of conformance opinions by standard; the row labels are not recoverable. Opinion column, in order: Conforms; Conforms; Conforms; Conforms; Generally Conforms; Partially Conforms.]

We believe the goals set by the Office of Internal Audits as stated in the Quality Assurance Review Self-Assessment Report evidence the commitment to continuous improvement by the Audit Director. Achievement of the goals will enhance compliance and improve processes.

We appreciate the cooperation and assistance provided to us throughout the course of this validation by the Board of Regents, President, Audit Director, and MSU staff.

Gina Oglesbee, CPA, CFE
Chief Audit Executive
Stephen F. Austin State University

VII. Internal Quality Assessment

The Office of Internal Audits maintains a quality assurance and improvement program. To ensure adherence to auditing standards the following is performed:

• Annual review of compliance with International Standards for the Professional Practice of Internal Auditing and Generally Accepted Government Auditing Standards (collectively called the Standards).


• Remain up-to-date on auditing standards through continuing professional education, membership in accounting and auditing associations, technical reading, and independent research.

• Complete an audit standards compliance review at the end of each audit.

• Complete annual independence disclosure statements.

• Comply with annual continuing professional education requirements.

Ongoing assessment of the internal audit activity is maintained through daily supervision and review; audit exit conferences; annual employee performance evaluations; and meetings with the President, the Vice-Presidents, and the Board of Regents Audit, Compliance and Management Review Committee Chair. Monitoring of other performance measures include:

• Effective utilization of resources,

• Meeting internal and external deadlines,

• Timely completion of audits and special projects,

• Percentage of recommendations implemented by management, and

• Maintaining of professional certifications.

The Director of Internal Audits set the following goals for Fiscal Year 2018 to aid in compliance with standards and increase efficiency.

1. Increase efficiency by utilizing technology. TeamMate automated auditing software was configured and installed in August 2018. Additionally, the Director and Auditor received 24 hours of end user training. All modules went live in September 2018, including:
a) EWP - electronic work papers with report writing,
b) CENTRAL - track audit issues and recommendations,
c) RISK - provides advanced risk assessments and risk-based audit planning,
d) TEC - captures and reports on time related to projects and tasks,
e) SCHEDULE - tool for scheduling staff and projects.

2. Establish an internal assessment process. An audit standards compliance questionnaire was completed for every audit to comply with on-going monitoring. The Office of Internal Audits performed a self-assessment of its compliance with the Standards and reported the results in the annual report.

3. Strengthen the risk management process. The number of recipients receiving risk surveys in the spring of 2018 increased to include the members of the Board of Regents and all college deans.

4. Ensure that audit staff enhance their knowledge, skills, and competencies. The Director fulfilled the requirements and received the Certified Internal Auditor designation in March 2018. Due to position vacancy, the goal for the auditor to obtain the Certified Fraud Examiner certification was not met.

The annual review of the Standards found the Office of Internal Audits to be in compliance. As part of this review, the following goals for Fiscal Year 2019 were set:

1. Continue to enhance knowledge in the use of TeamMate auditing software.

2. Update policy manual to reflect changes and website for accessibility.

3. Achieve one-half of the requirements to obtain a certification for newly hired auditor.

4. Integrate the Internal Control Integrated Framework published by the Committee of Sponsoring Organizations (COSO) into the risk assessment process.

VIII. Internal Audit Plan for Fiscal Year 2019

The Board of Regents at their August 2, 2018 meeting approved the Fiscal Year 2019 Internal Audit Plan. The plan includes audits that are required by statute or administrative policy, assistance required by oversight agencies, audits that are currently in progress, and planned engagements based on assessment of risk. Audit resources will be allocated among required audits, risk-based audits, special projects, investigations, meetings, committee service, and audit department activities and administration.

The Office of Internal Audits is currently staffed by a full time director and a full time auditor. Available hours for Fiscal Year 2019 projects, after consideration of University holidays, vacation, sick leave and wellness release, total 3,676.

Risk-based audits planned for Fiscal Year 2019 include the following:

• Minors on Campus

• International Services

• Electronic Payroll Timekeeping System

• Donor Management

Listed below is the Fiscal Year 2019 Internal Audit Plan.

Project | Description | Hours

Financial, Compliance, Operational, Efficiency & Effectiveness Audits

Audit Assistance to Oversight Agencies | Provide audit assistance to state and federal oversight agencies such as Texas State Auditor's Office, Texas Higher Education Coordinating Board, Texas State Comptroller's Office and grant agencies. | 80
Benefits Proportional By Fund | Verify compliance with requirements to pay benefits in proportion to the sources of funds from which the corresponding salaries and wages were paid in accordance with applicable statutes, General Appropriations Act requirements, and related University policies and procedures. | 120
Donor Management | Review and test procedures and controls over the acceptance, recording and use of gifts received by the University. | 240
Electronic Payroll Timekeeping System | Verify that controls exist to ensure electronic timekeeping transactions and related activities are appropriate and in compliance with laws, policies and regulations. | 240
International Services | Verify adequacy of controls, and compliance with applicable laws, policies and regulations. | 240
Minors on Campus | Determine whether the University has developed and implemented the necessary policies and procedures to ensure the safety and well-being of minors on campus. | 240
Safety and Security | Verify compliance with safety and security requirements of Texas Education Code, Section 51.217. | 120
Disaster Recovery Plan & Business Continuity Plan (Outsourced) | Provide assistance to determine if the University has a business continuity plan and to review the IT department's plan to timely resume system resources should a disaster occur in compliance with Texas Administrative Code 202. | 120
Departmental | Review for compliance with various regulations and/or for efficiency and effectiveness. | 64
Audits Carried Forward | Prior fiscal year audits not complete at 8/31 and carried forward into current year. | 248

Follow-up Audits

Implementation of Prior Audit Recommendations | Obtain representations from management and verification if necessary, regarding status of implementation of prior audit recommendations. | 168

Special Projects

Hotline, Fraud, or Ethics Investigations | Facilitate University anonymous reporting system and investigations. | 40
Special Projects | Based on requests from Board of Regents, Administration or others. | 160
Quality Assurance | Provide assistance with external assessment of another Texas university's compliance with auditing standards. | 80

Meetings and Committee Service

Ethics and Compliance Committee | Serve as advisory member of the committee and all sub-committees. | 220
Administrative Meetings | Attend administrative meetings as requested. | 240
Other University Meetings or Events | Attend other meetings or events as requested. | 48
Board of Regents Meetings | Preparation and attendance of meetings or events. | 120

Audit Department Activities and Administration

Annual Audit Plan and Report | Prepare annual audit plan and report. | 80
Audit Manual and Webpage Revisions, and Records Management | Update audit manual and webpage, and manage records maintenance. | 80
Annual Risk Assessment | Facilitate annual University risk assessment. | 40
Professional Development and Travel | Professional development, maintain certifications, continuing education and related travel. | 160
Staff Meetings | Intra office communications and planning. | 48
General and Administrative Tasks | Office administrative duties (planning, purchasing, recordkeeping, scheduling, reporting, etc.). |

Total Allocated Hours |

Available Hours for All Staff | 4,160
Less estimated hours for:
Holidays | (208)
Vacation & Birthday Leave | (180)
Sick Leave | (80)
Wellness Release |
Net Available Hours | 3,676

The methodology used to develop the Fiscal Year 2019 audit plan included conducting three risk assessment surveys. The most comprehensive survey was sent to the University's President, the Provost, all Vice Presidents, the Director of Board & Government Relations, the Director of Marketing & Public Information and General Counsel. It was also sent to the Associate Vice President of Facilities Services, the Athletic Director, the Director of Human Resources, the Director of Purchasing & Contract Management and the Director of Internal Audits. A slightly less comprehensive survey was sent to all members of the Compliance and Ethics Coordinating Committee. The third survey was sent to the University's Board of Regents and to each college dean.

The survey recipients were asked to rate risks based on the degree of negative impact each would have on the University and the likelihood of that risk occurring. A rating scale of high, medium, or low was used and categorized as follows:

• High impact / high likelihood score > 13.1

• Medium impact / medium likelihood score 10.0 - 13.0

• Low impact / low likelihood score < 9.9

Each item in the heat map represents a survey question, which was plotted to measure its relative risk.

[Heat map: Impact on the vertical axis and Likelihood on the horizontal axis, each banded Low (< 9.9), Medium (10.0-13.0) and High (> 13.1).]

The top five risks are listed in the table below along with the proposed audits to address them. Four of the top five risks landed in the upper right sector of the heat map, indicating a high impact with medium to high likelihood. The fifth risk (survey question #14), non-compliance with federal and state laws or regulations, was rated as high impact and low to medium likelihood.

Top 5 Risks

FY 2019 Risk Assessment Survey

Survey Question | Risk Category | Perceived Risk | Audit Plan
11 | Financial Risk | Risk of budget fluctuations such as loss of funding source, unexpected or increased expenditures, unfunded mandates, or other factors affecting the budget. | Benefits Proportional, Departmental Audits
12 | Compliance Risk | Risk of policies and procedures not appropriately followed. | Donor Management/Comprehensive Campaign, Safety & Security, International Services
5 | Operational Risk | Risk of inadequate controls such as lack of segregation of duties, lack of appropriate policies and procedures, lack of supervisory review etc. | Electronic Timekeeping System/Payroll
17 | Operational Risk | Risk of an information security breach. | Disaster Recovery Plan / Business Continuity Plan (Outsourced)
14 | Compliance Risk | Risk of non-compliance with federal and state laws or regulations. | Minors on Campus

Statutorily required audits will use the Department of Internal Audits' resources along with risk-based audits, special projects, investigations, meetings, committee service, and audit department activities and administration. The audit projects scheduled for the next three years are listed below.

Audit Projects (scheduled across FY 2019, FY 2020 and FY 2021):

• Audit Assistance to Oversight Agencies

• Public Funds Investment Act (biennial)

• TX Administrative Code 202 (biennial)

• NCAA (triennial)

• Safety and Security (triennial)

• External Quality Assurance/Peer Review (triennial)

• Benefits Proportional by Fund

• Follow-up

• Information Security

• Departmental Audits

• Risk Based and Other Audits

[The per-year schedule marks (X) for each project are not recoverable from the source.]

The proposed audit plan was reviewed with the President, the Chairman of the Board of Regents and the Chairman of the Audit, Compliance, and Management Review Committee for further discussion of University risks and audit resources. The final plan was submitted for approval at the August 2018 Board of Regents meeting.

IX. External Audit Services

Two external audit services were procured during Fiscal Year 2018.

• CBIZ Risk & Advisory Services, LLC, Boston, MA, to perform a construction contract audit and provide risk advisory services.

• Siteimprove, Inc., Minneapolis, MN, to perform a website accessibility audit.

X. Reporting Suspected Fraud and Abuse

To comply with the fraud reporting requirements of Section 7.09, page IX.38, the General Appropriations Act (85th Legislature Conference Committee Report), and the investigation coordination requirements of Texas Government Code, Section 321.022, the University has taken the following actions:

• A direct link on the University's website home page is provided to report suspected fraud, compliance, or ethics concerns.

• The University Fraud, Compliance, and Ethics Concerns web page at www.msutexas.edu/interoaJ. audits/fraud provides instructions, a toll free phone number and website link to the anonymous hotline service, EthicsPoint. Also listed is the State Auditor's Office Fraud Hotline phone number and a direct link to the SAO How to Report Fraud, Waste or Abuse webpage.

• University Policy 4.117, Suspected Dishonest or Fraudulent Activities, established processes to identify and investigate suspected cases of defalcations, misappropriations, and other fiscal irregularities and assigned responsibilities to specific University employees involved in handling these cases. The policy was approved by the University Board of Regents in February 2017 and complies with the requirements of Texas Government Code, Section 321.022 and Texas Education Code, Section 51.9337 as added by Senate Bill 20 (84th Legislature).

• New employee orientation includes a review of University policies on standards of conduct for state employees and ethics.
