INTERNAL AUDIT OVERVIEW OF AUDIT SERVICES Campus Administrative Training Series December 14, 2016 Stewart Cobine, CPA Associate Vice President & Chief Audit Officer


INTERNAL AUDIT OVERVIEW OF AUDIT SERVICES

Campus Administrative Training Series

December 14, 2016

Stewart Cobine, CPA

Associate Vice President & Chief Audit Officer


Welcome Colleagues

• “Who Am I? Why am I here?” – Admiral James Stockdale, 1992 Presidential Debates

– Associate Vice President & Chief Audit Officer (May 2015)
– Associate Vice President, Finance (October 2013)
– Assistant Treasurer & Managing Director (October 2005)
– Managing Director, Capital Finance & Tax Management (1995)
– Director, Tax Management & Treasury Accounting (1989)
– Associate Director, Accounting Records & Services (1986)
– Internal Auditor, IU Credit Union (1984)
– Senior Accountant/Audit Supervisor, Indy-based CPA firm (1981)
– B.S. Accounting, IU Kelley School of Business (1981)


FOCUS OF SESSION

• Discuss what internal audit is and how it functions at Indiana University
• Definitions
• Internal Audit Charter
• Mission/Values
• Scope of Responsibilities
• Facts & Figures from 2016 Audits

Please interact - “As iron sharpens iron . . .”


What is Internal Audit?

• What comes to mind first?
  – Trouble Makers?
  – The “Gotcha” Squad?
  – Compliance police?
  – 1st cousin to the IRS?
  – “Infernal” Audit?

• IA Goal: Collaborative partner & trusted advisor

Presentation Notes: Everyone seemingly has their own ideas about what internal audit is, a few of which are listed above. A couple of you please give me your thoughts or definitions of Internal Audit... keep it civil please.

Internal Audit Defined

• Internal auditing is an independent, objective, assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve effectiveness of risk management, control, and governance processes.

Definition of Internal Audit, first adopted by the Institute of Internal Auditors in 1999, and re-affirmed in their International Professional Practices Framework, published in November of 2009


IU Internal Audit Charter

Approved by Board of Trustees in August 2016

• Mission: The mission of IU Internal Audit is to provide independent and objective assurance and consulting services for Indiana University including IU management and the Board of Trustees of Indiana University. IUIA assists the University in accomplishing its mission and priorities by bringing a systematic, disciplined, and value-added approach to evaluate and improve the effectiveness of the University’s governance structures, risk management processes, and internal controls by providing independent appraisals of the University’s financial, operational, information technology and control activities.


IU Internal Audit Core Values

• Professional Service
  – Provide timely, high quality, value-added service
  – Foster collaboration
  – Treat clients and colleagues with respect

• Compliance
  – Comply with laws, regulations, standards, IU policies

• Integrity
  – Do the right thing for the right reason
  – Communication: honest, direct and transparent
  – Accountable, trustworthy and engaged team members
  – Earn and maintain the trust of the university community


IU Internal Audit Core Values

• Excellence
  – Commitment to professional excellence
  – Maintain high professional standards through continuing professional development
  – Results-focused organization
  – Exercise initiative in providing solutions and generating insights for our clients

• Intentionality
  – About our work: plan, analyze, evaluate, measure, deliberate, adjust, move forward
  – About our people: mentor, train, develop, encourage personal and professional growth


IU Internal Audit Charter

• Professional Standards
  – Institute of Internal Auditors (IIA)


IU Internal Audit Charter

• Authority from the Board of Trustees
  – Authority to audit all parts of the University
  – Full access to any organization records, properties, information systems, and personnel
  – Handling documents and information in the same prudent manner as is required of those employees accountable for them
  – Cannot develop or install procedures, prepare records, or engage in activities normally reviewed by internal auditors . . . (but why is that?)


IU Internal Audit Charter

• Scope of Responsibility
  – Evaluate risk exposure and risk management practices
  – Evaluate the reliability and integrity of information
  – Evaluate information and operating systems
  – Evaluate the means of safeguarding University assets
  – Evaluate effectiveness and efficiency of operations
  – Evaluate consistency of outputs with objectives & goals
  – Evaluate governance processes
  – Report IUIA performance to management and the Board
  – Report significant risk exposures and control issues
  – Administer the whistleblower hotline & reporting web site


Internal Audit Services

• Audits
• IT Audits
• Transitional Management Reviews
• Review/Consulting Engagements
• Risk Assessments
• Investigations
• Whistleblower Hotline Management


Most Common Financial/Operations Audit Findings

| Findings | 2015-2016 Findings | % of Audits w/ Finding |
|---|---|---|
| Required supporting documentation missing or inadequate | 7 | 22.6% |
| Business Continuity Plan (BCP) not complete and/or not updated annually | 7 | 22.6% |
| Revenue Producing Activity process/control violations (TRE-VI-120/121) | 6 | 19.4% |
| Unneeded retention and/or unmonitored access to University/critical data | 5 | 16.1% |
| Lack of proper segregation of duties | 5 | 16.1% |
| Inconsistent or inefficient operating procedures | 4 | 12.9% |
| PS-01 Programs Involving Children policy violation | 4 | 12.9% |
| Federal compliance violation (OSHA, IRS, etc.) | 3 | 9.7% |
| Timekeeping/TIME system policy violations (PAY-IV-270) | 3 | 9.7% |
| Human Resource policy (reward plans, fringe benefits, telecommuting) | 3 | 9.7% |
| Inaccurate financial transactions | 3 | 9.7% |
| Inadequate reconciliations (Policy ACC-I-1, Role of Fiscal Officer violations) | 3 | 9.7% |
| Retroactive pay control issues; E-docs and overpayment issues | 3 | 9.7% |
| Scholarship award reconciliations, segregation of duties issues | 3 | 9.7% |

Survey Size: 31 Operational & Financial Audits


Most Common IT Audit Findings

| Findings | Total Findings | % with Finding | 2013 | 2014 | 2015 | 2016 |
|---|---|---|---|---|---|---|
| Mobile Security Issue: Mobile Device security not adequate | 18 | 25% | 4% | 22% | 50% | 44% |
| Server Issue: Vulnerability scans are not occurring on server(s) | 17 | 24% | 36% | 33% | 10% | 6% |
| Server Issue: System logs are not regularly reviewed | 17 | 24% | 40% | 28% | 10% | 6% |
| Access Control Issue: Admin accounts are used for day to day | 16 | 23% | 16% | 28% | 20% | 28% |
| Data Issue: Scans for critical data are not occurring | 16 | 23% | 40% | 17% | 10% | 11% |
| Server Issue: Server(s) with public facing IPs without necessity | 13 | 18% | 20% | 22% | 10% | 17% |
| BCP/DRP Issue: No Disaster Recovery Plan (DRP) | 12 | 17% | 24% | 11% | 0% | 22% |
| Desktop/Laptop: Patch management procedures are lacking | 11 | 15% | 16% | 17% | 10% | 17% |
| BCP/DRP Issue: Business Continuity Plan (BCP) inadequate/missing | 9 | 13% | 16% | 17% | 10% | 6% |
| BCP/DRP Issue: BCP and/or DRP is outdated/inadequate | 8 | 11% | 4% | 11% | 30% | 11% |
| Server Issue: Antivirus scans are not taking place | 7 | 10% | 8% | 17% | 10% | 6% |
| Server Room: Physical controls lacking | 6 | 8% | 8% | 6% | 0% | 17% |
| Data Issue: Critical data is not encrypted at rest - servers, laptops | 6 | 8% | 4% | 22% | 0% | 6% |
| Desktop/Laptop Issue: Operating system is outdated and | 6 | 8% | 0% | 17% | 0% | 17% |


2016 Annual Report Summary

• Completed Engagements

| | FY2012 | FY2013 | FY2014 | FY2015 | FY2016 |
|---|---|---|---|---|---|
| Audit Engagements | | | | | |
| Financial/Operational | 48 | 28 | 20 | 14 | 25 |
| Information Technology | 5 | 16 | 17 | 16 | 14 |
| Transitional and Administrative Reviews | 8 | 6 | 9 | 7 | 5 |
| Other Audit Services | 9 | 11 | 11 | 11 | 9 |
| Audit Engagements | 70 | 61 | 57 | 48 | 53 |
| Audit Finding Follow-up Reviews | 28 | 36 | 38 | 30 | 54 |
| Investigation/Allegations (EthicsPoint) | 41 | 29 | 59 | 49 | 55 |
| Total Completed Engagements | 139 | 126 | 154 | 127 | 162 |

Audits in Progress at Fiscal Year End 1 4 11 5 18 14


You Are on the Frontline

[Figure: The Institute of Internal Auditors | Leveraging COSO Across the Three Lines of Defense. Labels on the diagram: YOU, IA]


Thank you

Your Questions?