1

ADMINISTRATIVE MANUAL

Internal Audit Office 1500 Bull Lea Rd.

Suite #200 Lexington, KY 40511

T: (859) 257-3126 F: (859) 257-3566

www.uky.edu/InternalAudit

Updated 7/28/2020

Internal Audit Administrative Manual

2

INTRODUCTION TO THE ADMINISTRATIVE MANUAL The University of Kentucky Internal Audit (UKIA) Administrative Manual includes the following:

• General guidelines • Business continuity plan • Emergency preparedness plan

All policies and procedures established by the University of Kentucky are considered the minimally acceptable standard for employees of this department. The guidelines documented in this manual shall be consistent with the University of Kentucky’s policies and procedures as well as the Internal Auditing standards included in the International Professional Practices Framework (IPPF) issued by the Institute of Internal Auditors. This manual will provide guidance but is not intended to be all-inclusive. The UKIA Administrative Manual and UKIA Process Manual are companion guides. The Administrative Manual covers University-wide policies and procedures that UKIA employees must follow. The Process Manual is more specific to UKIA in that it covers procedures and expectations specific to the function, responsibilities and practices of this department. UKIA Employees must abide by both the Administrative and Process Manuals.

Internal Audit Administrative Manual

3

Table of Contents A. UKIA BUSINESS FUNCTIONS ........................................................................................... 6

Appliances................................................................................................................................... 6

Accepting Gifts ........................................................................................................................... 6

Budgets ....................................................................................................................................... 6

Capital Inventory Equipment ...................................................................................................... 6

Confidentiality/Document Shredding ......................................................................................... 6

Document Retention ................................................................................................................... 6

Employee Access (Per Internal Audit Director) ......................................................................... 6

Office Supplies............................................................................................................................ 6

Reconciliations ............................................................................................................................ 7

Review and Approval Processes ................................................................................................. 7

Work Orders................................................................................................................................ 7

B. TRAINING AND PROFESSIONAL DEVELOPMENT ....................................................... 8

Employee Education Program (EEP) .......................................................................................... 8

IRIS Training Plan/SAP Access Agreement ........................................................................... 8

New Employee Training ......................................................................................................... 8

Office of Training and Development .................................................................................... 10

Professional Organizations and Conferences ........................................................................ 10

Professional Certifications ........................................................................................................ 10

Professional Affiliations and Organizations ......................................................................... 12

C. UKIA FINANCIAL ACTIVITY .......................................................................................... 13

Business Travel ......................................................................................................................... 13

Parking Policies and Transportation Services ....................................................................... 13

Travel Arrangements ............................................................................................................ 14

Travel Reimbursement .......................................................................................................... 14

Payroll ....................................................................................................................................... 14

Procurement .............................................................................................................................. 14

ProCard ................................................................................................................................. 14

UK Repayment Procedure ........................................................................................................ 15

D. UKIA POLICIES ............................................................................................................... 16

Human Resources ..................................................................................................................... 16

Payroll ................................................................................................................................... 16

Internal Audit Administrative Manual

4

Attendance Policy HR P&P #70.0 ........................................................................................ 17

Benefits ................................................................................................................................. 18

Reporting Concerns .............................................................................................................. 21

Maintenance of Employee Inner Department Files .............................................................. 22

Separation from Employment ............................................................................................... 22

Media & Public Records ........................................................................................................... 23

Media Contact ....................................................................................................................... 23

Media Interviews .................................................................................................................. 23

Media Policy ......................................................................................................................... 23

Open Record Requests .......................................................................................................... 24

Public Access ........................................................................................................................ 24

Professionalism Regarding Politics .......................................................................................... 24

E. INFORMATION SYSTEMS & DATA SECURITY ........................................................... 25

Access ....................................................................................................................................... 25

Acceptable Use ......................................................................................................................... 25

Administrator Rights ................................................................................................................. 26

Backups ..................................................................................................................................... 26

Data Security ............................................................................................................................. 27

Data Storage .............................................................................................................................. 27

De-provisioning ........................................................................................................................ 27

Devices ...................................................................................................................................... 27

Disaster Recovery ..................................................................................................................... 27

Encryption ................................................................................................................................. 27

Helpdesk ................................................................................................................................... 27

Internet Use ............................................................................................................................... 28

Inventory ................................................................................................................................... 28

Printing ...................................................................................................................................... 28

Purchasing ................................................................................................................................. 28

Surplus ...................................................................................................................................... 28

Theft/Loss ................................................................................................................................. 28

F. SAFETY INFORMATION .................................................................................................. 29

UKIA’s Building Emergency Action Plan ............................................................................... 29

Approval and Execution Authority ....................................................................................... 29

Building & Floor Coordinators ............................................................................................. 29

Internal Audit Administrative Manual

5

Plan Location ........................................................................................................................ 29

Safety Guidelines ...................................................................................................................... 30

Campus Police ...................................................................................................................... 30

Comply Line ......................................................................................................................... 30

Emergency Shelter ................................................................................................................ 30

Evacuation Plan and Location .............................................................................................. 30

Office of Environmental Health and Safety .......................................................................... 30

UK Alert................................................................................................................................ 30

G. BUSINESS CONTINUITY PLAN....................................................................................... 31

Approval and Execution Authority ........................................................................................... 31

Disaster Recovery ..................................................................................................................... 31

Plan Location and Access ......................................................................................................... 31

Significant Business Disruptions (SBDs) ................................................................................. 31

Test Restore Procedure ............................................................................................................. 31

H. APPENDIX ........................................................................................................................... 32

Appendix A ............................................................................................................................... 32

Building Emergency Action Plan ......................................................................................... 32

Appendix B ............................................................................................................................... 46

Building Evacuation Plans/Routes ........................................................................................ 46

Appendix C ............................................................................................................................... 47

Severe Weather Locations .................................................................................................... 47

Procedures for Providing Assistance to Mobility Impaired Individuals ............................... 48

Threatening Call/Bomb Threat Checklist ............................................................................. 50

Designated Assembly Areas ................................................................................................. 51

Key Personnel Emergency Call List ..................................................................................... 52

Internal Audit Administrative Manual

6

A. UKIA BUSINESS FUNCTIONS This section applies to business functions that are carried out by UKIA. Appliances The UKIA office currently has a microwave and refrigerator in the kitchen for all office use. Additional appliances and/or appliances for personal use are allowed at the discretion of the UKIA CAE.

Accepting Gifts If engaged in the audit process, receiving gifts is not acceptable. Employees must disclose all gifts received outside of the audit process when work is performed. For example, if a client buys your lunch while you are doing the fieldwork, it may affect your objectivity when performing an audit on this client because now you feel like you owe them a good deed. For more information, please refer to the UK Code of Conduct & Ethical Principles in the Process Manual’s respective Appendices. Budgets Each fiscal year, the University Budget Office constructs the budget for UKIA. The budget is utilized for staff compensation and other expenditures of the UKIA Department. Capital Inventory Equipment Each year, the Business Liaison confirms inventory of all capital equipment per Plant Assets policy and BPM E-12-3 Equipment Inventory. Computer devices are tracked by the IT Audit Staff and outlined in the Inventory section of IT.

Confidentiality/Document Shredding It is required that all documents of a confidential nature which require disposal be shredded. Employees can either shred the documents themselves, or they may dispose of these documents in the locked blue container that is kept by the back exit or one of the Executive Shred-it containers.

Document Retention State University Records Retention Schedule Employee Access (Per Internal Audit Director) Staff members’ access to information, data systems and software applications is determined on an as-needed basis by the Internal Audit Director and CAE and may be temporarily adjusted for certain projects. Please see the Audit Director if specific needs arise.

Office Supplies Office supplies are located in the cabinet in the office suite. Requests for supplies must be given to the Business Liaison Manager by email and approved by the UKIA CAE. A business purpose must be given for all supplies not normally ordered.

Internal Audit Administrative Manual

7

Reconciliations Each month, the Business Liaison retrieves departmental expense reports through the SAP system. The reports include payables to vendors, as well as wage information. The Business Liaison verifies the amounts contained in the monthly reports. Review and Approval Processes All fiscal activities of the department are to be reviewed and approved by the Chief Audit Executive (CAE) or the appropriate UKIA staff. The list of the items to be approved includes, but is not limited to, purchase orders, Payment Request Documents (PRDs), journal vouchers, travel expenses and payroll.

Work Orders Work Orders pertaining to office equipment and facilities must be requested through the Business Liaison and approved by the UKIA CAE.

Internal Audit Administrative Manual

8

B. TRAINING AND PROFESSIONAL DEVELOPMENT All UKIA employees are trained professionals. It is highly encouraged for all employees to obtain professional certifications, along with regularly attending professional conferences and symposiums. This section discusses the types of training opportunities that are expected and available for all UK auditors. For more training information, the Human Resources department can be contacted: https://www.uky.edu/hr/training.

Employee Education Program (EEP) UK offers regular full-time employees a tuition waiver of up to 18 credit hours per year at UK. As of April 26, 2018, there is no longer a waiver for classes taken at other Kentucky colleges or universities. Daytime classes should be approved by the CAE. It is important to keep in mind the commitment it takes to be enrolled in classes during the day while working at UK. Class schedule and homework assignments may conflict with busy work weeks where the employee may need to spend more hours at work. Information regarding this program can be obtained through the UK Human Resources website on Benefits/EEP Overview.

IRIS Training Plan/SAP Access Agreement This is training that allows UKIA staff access to SAP in order to conduct an audit. To request access, a training plan must be submitted by the designated requester from UKIA. Access will then be granted after the plan is submitted, approved and training courses are completed.

New Employee Training Beginning July 1, all new regular staff employees will automatically be assigned to take University New Employee Orientation through an online program in myUK Learning once they are entered into SAP. Moving orientation online allows videos and other information to be presented in a way that will help new employees become more easily acquainted with the University and their employment with us. New hires will have 30 days from their official start date to complete the online orientation program.

Schedule and attend UK New Employee Orientation through HR Set up office with supplies and materials Tour of office and campus Review of office policies and procedures:

o Printer, scanner, copier o Common area o Lunch hours

Submit request for additional supplies, such as business cards, to Business Administrative Support Setup voicemail and email Review UKIA Administrative Manual:

o Dress code o Work hours o Holiday schedule o Vacation/TDL o Payroll process

Internal Audit Administrative Manual

9

o Job descriptions o Media policy o Computer policy

Review of University structure: o Reporting systems o Organizational charts

Review of audit department structure, functions and individual role Explore UKIA’s Website:

o Audit process o Benchmark Universities o Professional organizations o Newsletters o Client feedback

Read reference materials and resources Review of job description, job evaluation and JAQ Data Storage:

o J: Drive – “NEMO” – Depreciated and no longer actively used. UK ITS managed server o K: Drive – “SS” (storage solution) – Actively used fileserver for UKIA. UK ITS managed

server but IT Audit Manager and Audit Director have Administrator permissions. o “Audits” folder – Working area for audit files. Final files should be uploaded to audit

management tool, HighBond. o “Staff” folder – This administrative manual, audit reference papers, UKIA governing

documents, staff meeting notes. o “User” folder – Working area for individual user files. o Galvanize’s HighBond – Formerly “ACL GRC”, this is UKIA’s audit management tool. All

final audit documentation is stored here. o AutoAudit – Depreciated and no longer actively used. Contains historical audits (pre-2016).

Employee technology/related resources – as provided/approved by supervisor: o SAP Application

o R3 o HANA

o Galvanize’s Application o HighBond o Robotics

o Microsoft Suite o Office 365 – Web access (Outlook, Word, Excel, PowerPoint, OneNote, Teams,

SharePoint, Visio) o Microsoft SQL

o Tableau Server o Adobe Suite

Internal Audit Administrative Manual

10

Office of Training and Development UK offers a number of training and certification courses to employees through the Office of Training and Development. Please visit the UK Human Resources website on Training and Development. Classes are offered in areas of workplace skills, professional development, leadership, technology and certifications. Specific information can be found through the Office of Training and Development website, or by calling the office at (859) 257-9623.

Professional Organizations and Conferences Staff are expected to stay up to date with industry standards by furthering their training through participation in professional organizations, including attending workshops, conferences and supplementary materials. Audit staff are required to participate in up to 40 hours of professional training per year (non-audit staff are required to complete 20 hours). Based on performance and availability, this may include one conference paid for by UKIA every other year. Attendees to conferences will give a presentation on a selected conference topic at the next scheduled staff meeting. Professional Certifications It is expected that all auditors participate and acquire industry professional certifications. Each auditor should currently possess or be working toward a professional designation in order to increase the credibility and professionalism of the department. The department will purchase available resources for studying; once completed, materials should be retained by Business Administrative Support, as directed by the CAE. It is UKIA’s goal to increase the percentage of its certified staff members from 43 percent to 75 percent.

Internal Audit Administrative Manual

11

The following are industry accepted certifications: • CCSA – Certification in Control Self-Assessment – www.iia.org

Offered by the Institute of Internal Auditors

• CFE – Certified Fraud Examiner – www.acfe.org Offered by the Association of Certified Fraud Examiners

• CIA – Certified Internal Auditor – www.iia.org Offered by the Institute of Internal Auditors

• CISA – Certified Information Systems Auditor – www.isaca.org Offered by the Information Systems Audit and Control Association

• CISM – Certified Information Security Manager – www.isaca.org Offered by Information Systems Audit and Control Association

• CISSP – Certified Information Systems Security Professional – https://www.isc2.org/ Offered by the International Association Information System Security Certification Consortium

• CPA – Certified Public Accountant – www.aicpa.org Offered by the American Institute of Certified Public Accountants

• CPIM – Certified in Production and Inventory Management – www.apics.org Offered by the American Production and Inventory Control Society

• CRISC – Certified in Risk and Information Systems Control – www.isaca.org Offered by Information Systems Audit and Control Association

Internal Audit Administrative Manual

12

Professional Affiliations and Organizations • Association of Certified Fraud Examiners

www.acfe.com 716 West Ave Austin, Texas 78701-2727 USA Fax: (512) 478-9297

• ISACA www.isaca.org 1700 E Golf Rd., Suite 400 Schaumburg, Illinois 60173 USA Phone: (847) 253-1545 Fax: (847) 253-1443

• ISC2 Corporate Headquarters 311 Park Place Blvd., Suite 400 Clearwater, Florida 33759 USA 1.866.331.ISC2 (4722) 1.727.785.0189

• The Association of College and University Auditors (ACUA) www.acua.org 4400 College Blvd., Ste. 220 Overland Park, Kansas 66211 USA Phone: (913) 222-8663 Fax: (913) 222-8606

• The Institute of Internal Auditors www.theiia.org 1035 Greenwood Blvd., Suite 401 Lake Mary, Florida 32746 USA Phone: (407) 937-1111 Fax: (407) 937-1101

Internal Audit Administrative Manual

13

C. UKIA FINANCIAL ACTIVITY UKIA’s business functions include procurement, travel, parking and transportation, and repayments. This section will review each of these functions as it relates to UKIA and include all related University policies and procedures. Related policies:

• Business Procedures Manual Section E-2-10 Collection of Amounts Owed to the University from Overpayment

Business Travel All business travel must be pre-approved by the CAE. Business travel may include conferences, workshops and meetings. The CAE decides expenses to be covered in accordance with UK regulations. All trips must be approved within 60 days of travel. Parking Policies and Transportation Services The UKIA audit staff must purchase parking permits to display on their vehicles when they go to campus and need to park in University controlled areas between 5:00 a.m. and 7:30 p.m., Monday through Thursday, and until 3:30 p.m. on Friday. Certain employee areas are controlled for permits until 7:30 p.m., Monday through Thursday, while the University is in official session. All employee permits are issued on an annual basis and become effective April 1 of the year for which issued and expire on March 31 of the following year. Payroll withholding is available to eligible regular full-time employees. Payment through payroll deduction is automatically on a pretax basis unless you affirmatively indicate otherwise. Permit costs may be paid in advance by check, Visa, or Master Card. Application forms are available from the Parking Office or from departmental staff support. Also, visit the Parking Office website: www.uky.edu/Parking. Parking for the disabled is available to University employees if approved by the Application Review Committee for Parking for Persons with Disabilities. Special application forms for disabled parking are available from the Parking Office. You are responsible for securing and displaying your valid parking permits on your vehicle in a timely manner and for abiding by the University of Kentucky Motor Vehicle and Traffic Regulations. Parking permits are NONTRANSFERABLE. You are the only person that may use your parking permit; however, as the owner of the permit, you may use the permit in any of your vehicles. The responsibility for finding a proper parking space rests with you, the vehicle operator. inability to do so is not a license to violate University parking regulations. Free shuttle bus service is available to University employees who need to travel around campus during the day. For information on this service, please call 859-257-7433. For information on the UK HealthCare shuttle service, call 859-323-8085. Parking maps, shuttle bus schedules and other information are available at Parking and Transportation Services, 721 Press Avenue. Office hours are 7:30 a.m. until 4:00 p.m., Monday through Friday. Questions regarding permits, regulations, or citations should be addressed to Parking Office staff at 859-257–5757 or visit the Transportation Services website. The employee needs to take the department scratch-off to the cashier in

Internal Audit Administrative Manual

14

the Peterson Parking Garage and the cashier will exchange the scratch-off permit for a value card that will allow the employee to exit the structure. The only fee associated with this transaction is the pre-paid cost of the scratch-off permit.

Travel Arrangements The UKIA Business Liaison is responsible for scheduling and arranging travel plans, including flight, hotel and registration through the University Travel System (TRIP), or another University-approved travel agency. Dates, times and special needs should be clearly stated to the Business Liaison in the planning phase and prior to the booking of any arrangements. When conducting audit work outside the city limits of Lexington, UKIA prefers that arrangements be made through the UK Motor Pool to use a fleet vehicle. To make a reservation, visit the Facilities Management Vehicle Reservations page. Travel Reimbursement When circumstances do not allow for advance reservations of a motor pool vehicle to conduct audit work or attend a conference outside of Lexington, UKIA will reimburse for mileage and appropriate travel expenses in accordance with UK’s travel reimbursement policy and procedures with advance approval by the CAE. Accordingly, the staff is responsible for maintaining records of all travel expenses that are to be reimbursed. Staff must also enter their records into the TRIP system for reimbursement. Receipts and records should be utilized for TRIP as well as returned promptly to the Business Liaison to be kept on file for travel reimbursement. UK policies require substantiation of expenses through submission of a travel voucher to Accounts Payable within 30 calendar days of the date of return. Please refer to UK’s Reimbursement of Travel Expenses policy located in the Business Procedures Manual here.

Payroll UKIA utilizes the SAP online time entry system for payroll. Each staff member is responsible for inputting requests for vacation, temporary disability leave (sick) and other annual leave time. Supervisors are responsible for approving these requests. Non-exempt employees also record time worked on a bi-weekly basis. Supervisors are responsible for approving time worked. When a new employee is hired, the Business Liaison enters the PAR (Personnel Authorization Record) information into the SAP system. It is then printed, signed by the CAE and sent via campus mail to both the Compensation and Payroll Departments.

Procurement

ProCard A Procurement Card (ProCard) is a University issued credit card and has been issued to the Business Liaison. The card is utilized for purchases of goods and services to be used by UKIA staff from authorized University vendors only, such as travel agencies, subscriptions, office supplies and books.

Internal Audit Administrative Manual

15

UK Repayment Procedure

UK’s Business Procedures Manual Section E-2-10 Collection of Amounts Owed to the University from Overpayment states the following: A. When a unit is made aware of an inadvertent overpayment, the unit should contact the individual or

organization to request reimbursement. Initial contact may be via telephone or email; however, the results of the conversation must be documented in a letter, sent via regular mail. The purpose of this contact should be to seek reimbursement of University funds.

B. After multiple documented attempts, if the unit is unable to obtain an immediate and full reimbursement, the collection effort should be turned over to the Treasury Services Director within the Office of the Treasurer.

C. Once referred to Treasury Services, the following collection efforts will take place:

1. The Treasury Services Director will contact the individual or organization and request reimbursement, informing them that lack of repayment will result in the issue being turned over to a collection agency.

2. If Treasury Services is unable to fully collect the payment within thirty (30) days, or make satisfactory arrangements for repayment, the account will be referred to one of the University’s contracted collection agencies.

3. To ensure the consistent treatment of all individuals or organizations owing the University funds, Treasury Services has the authority to establish a written repayment plan with the individual if deemed in the University’s best interest. Units are not authorized to enter into repayment plans with individuals or organizations.

4. If the collection agency is unable, through normal collection processes and procedures, to collect the payment within six months, Treasury Services may authorize the collection agency to initiate legal action to collect the debt on behalf of the University.

5. All collections will be remitted to Treasury Services for allocation to the originating unit, in consultation with the Area Fiscal Officer. https://www.uky.edu/ufs/sites/www.uky.edu.ufs/files/bpm/E-2-10.pdf

Internal Audit Administrative Manual

16

D. UKIA POLICIES The purpose of this section is to establish guidelines to comply with federal, state and University regulations regarding paid time off, overtime and compensatory time. Procedural discussions will focus on; (1) University regulations that comply with federal and state laws, and (2) UKIA’s process for adherence and restrictions. This section will also highlight a few relevant policies and procedures. For more information on HR policies: https://www.uky.edu/hr/policies. Related Policies:

• Human Resources Policy & Procedure #7.0: Grievances • Human Resources Policy & Procedure #12.0: Separation from Employment • Human Resources Policy & Procedure #70.0: Attendance/Hours of Work • Human Resources Policy & Procedure #71.0: University Emergencies • Human Resources Policy & Procedure #72.0: Voting • Human Resources Policy & Procedure #73.0: Jury Duty • Human Resources Policy & Procedure #80.0: Vacation Leave • Human Resources Policy & Procedure #82.0: Temporary Disability Leave • Human Resources Policy & Procedure #83.0: Holiday Leave • Human Resources Policy & Procedure 84.0: Funeral Leave • Human Resources Policy & Procedure #88.0: Family and Medical Leave • Administrative Regulations 6.1: Policy on Discrimination and Harassment • Administrative Regulations 6.2: Policy and Procedures for Addressing and Resolving Allegations

of Sexual Assault, Stalking, Dating Violence, Domestic Violence, and Sexual Exploitation

Human Resources

Payroll Exempt Employees Exempt employees are paid without regard to the number of days or hours worked. Exempt employees are not paid overtime. UKIA’s exempt employees are expected to work the hours required to perform their function in an effective and efficient manner. Additionally, the section entitled Activity Reporting (in the Process Manual) reviews standard reporting of time for professional staff to appropriately enter and account for project time. Time tracking is used for project allocation and final reporting to UK Leadership (Administration and the Audit and Compliance Committee of the Board of Trustees). This should not be interpreted to mean that 40 hours completes a workweek, as that is the minimal requirement for exempt employees. The CAE expects all exempt employees to work an average of 45 hours per week. Furthermore, accruing hours for compensatory purposes is not possible or permitted. Non-exempt Employees Overtime is defined as the amount of time worked over 40 hours in the same workweek (Sunday – Saturday). Overtime is rarely worked in UKIA and advance authorization by the CAE is required when a

Internal Audit Administrative Manual

17

nonexempt employee works in excess of 40 hours in a single week. If overtime is approved by your supervisor, it will be paid. Compensatory time is not allowed in lieu of overtime. Non-exempt employees will be allowed to make up short periods of missed work time during the same workweek. An example would be reducing your lunch by 30 minutes to leave 30 minutes early in lieu of approved paid time off. The employee's supervisor must authorize in advance all such time adjustments via email. Time reports should accurately reflect hours worked in each week of the bi-weekly pay period.

Attendance Policy HR P&P #70.0

Absence An employee is obligated to report for each and every scheduled working day or shift, to report on time and to complete all scheduled hours. Being absent from or reporting to work after the scheduled beginning time requires the employee to notify the supervisor in advance and to utilize appropriate leave or to lose payment for time not worked. The CAE or designee is responsible for maintaining work schedules, recording hours worked, authorizing leaves and reporting hours approved for payment. The University will produce a final paycheck for a staff employee who dies for the appropriate rate of pay for the number of hours/days the employee actually worked. The supervisor is responsible for documenting all absences. If you are absent from work for three or more consecutive days, you are required to obtain a physician’s statement. If upon your return to work, a physician’s statement is not provided, a coaching session will be administered. For each occurrence thereafter, corrective action may range from an oral warning up to termination. An employee shall not receive pay for unauthorized absences and may be subject to termination from employment as follows: Failure to report to work as scheduled or failure to notify the supervisor and/or failure to present adequate justification for an absence upon return to duty. Tardiness Arriving and reporting to work at the beginning of the scheduled work shift is the employee’s responsibility. An employee arriving any time after the beginning of the scheduled work shift is considered tardy for that day. If an employee is tardy more than six times in a single month, a coaching session will be administered. For each occurrence thereafter, corrective action may range from an oral warning up to and including termination. Additionally, for nonexempt employees, arrival will be recorded on the basis of 15-minute periods for payment purposes. An employee arriving eight or more minutes late will be considered 15 minutes late. The 15 minutes missed due to tardiness will be recorded in order to deduct that time from payroll time reports.

Internal Audit Administrative Manual

18

Benefits Eligibility A permanent staff employee with a full-time equivalent (FTE) of 0.5 or greater is eligible to accrue paid temporary disability leave (TDL) and holidays (pro-rated according to the FTE). Per UK regulations, temporary employees and work-study students are not eligible for paid leave or holiday pay. Policy information can be found on UK’s Human Resources website – Policy 83.0: Holiday Leave. Leave pay is available to eligible employees who have an illness or injury preventing them from performing their jobs on a temporary basis, or to care for eligible family members within policy guidelines. Please visit UK’s Human Resources website – Policy 82.0: Temporary Disability Leave.

Voting Leave HR P&P #72.0 Any employee who is eligible to vote in national, state or local elections, is encouraged to exercise those voting privileges. Work schedules normally permit adequate time for an employee to vote, either before or after normal working hours. Jury Duty HR P&P #73.0 Any employee who is called for jury duty shall be granted time off to fulfill this responsibility. Please visit the HR website - Policy and Procedure Number 73.0: Jury Duty. Vacation Time HR P&P #80.0 Pertinent information regarding the University Vacation Leave policy can be found on UK’s Human Resources website – Policy 80.0. Advanced notification to the immediate supervisor must be requested using the UK online time/leave entry system for vacation leave. This request must be submitted at least 7 days in advance. The supervisor will approve online using the same system. The Business Liaison Manager should be notified once the vacation time has been approved so that the dates can be placed on the calendar. Vacation leave may only be used after it has been accrued. You may not go into an unpaid leave status at any time during your employment unless you are on Family Medical Leave. An immediate write-up is issued if you go into unpaid status at any time other than FMLA. TDL- Sick Leave - Temporary Disability Leave HR P&P #82.0 Pertinent information regarding the University Temporary Disability Leave (TDL, or sick leave) can be found on UK Human Resources’ website, Policy #82. Employees must notify their immediate Supervisor of the request to use accrued TDL by email or through a phone call in advance, when possible. An online time/leave entry system request must be completed and approved by your supervisor. TDL may be used for time off for medical or dental appointments. The employee shall have prior approval of the supervisor to take TDL for this purpose. TDL for necessary time off due to an illness or injury of a family member may be used in accordance with this policy. For the purposes of this policy, a family member is defined as a spouse, sponsored adult dependent, child, sponsored child dependent, grandchild, mother/father, grandmother/grandfather, brother/sister, aunt/uncle, niece/nephew, and legal dependent.

Internal Audit Administrative Manual

19

Holiday Information HR P&P #83.0 UKIA recognizes certain holidays, as well as additional bonus days announced by the University President, in accordance with UK Human Resources Policies and Procedures #83.0 – Holiday Leave. Updates to the calendar can be found on UK’s Human Resources website’s Official Staff Holiday Schedule. As UK non-essential employees, UKIA staff do not work on these approved holidays, except under special circumstances and with the advance approval of the CAE, the Internal Audit Director or designee. An employee who is in an unpaid status on a scheduled day immediately before or after a holiday shall not be paid for the holiday. Funeral Leave HR P&P 84.0 An employee shall be allowed funeral leave with pay for attendance to funeral matters. An employee shall be allowed up to five working days of funeral leave for the death of a mother/father, brother/sister, spouse, child or stepchild, sponsored child dependent, or other persons with whom the employee has a “loco parentis” relationship. FMLA HR P&P #88.0 The purpose of the Family Medical Leave Act (FMLA) is to recognize the occurrence(s) of serious health conditions that involve either the University employee or a qualified family member. The University provides unpaid family medical leave of up to 12 weeks in a 12-month period for eligible employees. An employee who has been a University employee (regular, temporary, faculty or student) for 12 months and worked at least 1,250 hours during the previous 12-month period may take up to 12 weeks of unpaid leave for a serious health condition involving the employee or a qualified family member during any 12-month period for any of the following reasons: birth of a child, placement of a child for adoption or foster care, or to care for a spouse or sponsored dependent.

Internal Audit Administrative Manual

20

TDL Policy • A written physician's statement, justifying the request for TDL may be required by UKIA or the

Human Resources Office of Employee Relations (Employee Relations). An employee returning to work from TDL may be required to submit a physician’s statement indicating the employee is able to return to work.

• Any absence which extends 10 working days beyond the exhaustion of all accrued leaves (TDL and vacation leave) shall be reported to the Human Resources Office of Compensation.

• An employee who is absent on a regular basis or who has attendance patterns that interfere with his/her job shall not be entitled to the provisions of this policy.

• An employee with continuing health problems who is not able to work regularly may be separated from employment.

• It is recommended that excessive use of TDL be reviewed with Employee Relations. • An employee’s job shall be held available for the employee’s return from TDL without loss of

benefits. • Accrued TDL or vacation leave shall be used during a period of temporary disability. • An employee may be in a leave without pay status when accrued TDL and vacation leave are

exhausted. This unpaid leave must be approved by the Office of Employee Relations. • TDL accrues at the rate of one day per month for regular full-time employees who are paid on a

monthly basis. TDL accrues at the rate of 0.46 days per pay period for regular full-time employees who are paid on a bi-weekly basis.

• An employee accrues TDL while in a paid status, excluding long term disability. • An employee who is in a paid status for one-half or more of the pay period shall accrue TDL for

that pay period. • TDL accruals will be assessed and posted at the end of each pay period. Those leave hours will

be available for use at the beginning of the next pay period. • There is no maximum limit on the amount of TDL that can be accumulated. • An employee transferring from one department to another as a regular staff employee will carry

into the new department accrued TDL.

Note: For the purposes of this policy, a day is defined as the minimum number of hours exempt employees are normally expected to work in a week (40) divided by five, not to exceed eight hours. For a non-exempt employee, a day is defined as the number of hours the employee normally works in a bi-weekly pay period divided by 10, not to exceed eight hours. For example, this is usually 75 divided by 10, not to exceed eight hours.

Internal Audit Administrative Manual

21

For regular staff employees with an assignment of less than 1.0 FTE, but at least 0.5 FTE, the accrual rate for TDL shall be based upon the FTE for the position. In cases where the scheduled work week is not consistent, the pro-rata percentage to full-time shall be calculated on an annualized basis. TDL may be used for time off for medical or dental appointments. The employee shall have prior approval of the supervisor to take TDL for this purpose. Emergency Closing HR P&P #71.0 Though Plan B scheduling changes occur relatively infrequently, typically in the wake of severe weather, it is important that employees and departments be aware of responsibilities and processes related to unexpected delays or closures. Non-designated employees should not report to work during the delay or closure. Indicate the appropriate period of time on your timesheet with a 7407 Emergency Closing absence/attendance code. If the University operates on a two-hour delay and you are a regular employee whose normal start time is 8 a.m., indicate the time between 8 a.m. and 10 a.m. as a 7407 Emergency Closing code. Please check with your supervisor regarding specific use of the Emergency Closing code for your department. During University closings, there will be a 9 a.m. conference call scheduled for UKIA to discuss projects for the day. The Business Liaison will set up the conference call over Skype using the number (859) 218-2400. Reporting Concerns If an employee of the UKIA Department believes that they have a legitimate concern, they are encouraged to report it. Ideally, concerns should be reported to the department’s supervisor first. If, for whatever reason, the employee does not feel comfortable talking with their supervisor, they can raise the issue directly with a higher authority. Eric Monday, the Executive Vice President Office of Finance and Administration, should be notified first. If after notifying his office, the employee is not satisfied with the response, they may contact the President, Dr. Eli Capilouto; or next, the Audit and Compliance Committee. Grievances HR P&P #7.0 In the event of a grievance against a supervisor or a fellow employee, you are expected to follow UK’s Human Resources policy. Complete information regarding this policy can be found on the UK Human Resources website – Policy 7.0: Grievances.

Internal Audit Administrative Manual

22

Maintenance of Employee Inner Department Files We maintain UKIA personnel files in our department (in addition to the ones that are maintained in Human Resources). An employee may only examine their UKIA personnel file in the presence of a UKIA management team member. Harassment AR 6.1 and 6.2 Please visit UK’s Human Resources website to review Human Resources’ policies on harassment: AR 6.1: Policy on Discrimination and Harassment. AR 6.2: Policy and Procedures for Addressing and Resolving Allegations of Sexual Assault, Stalking, Dating Violence, Domestic Violence, and Sexual Exploitation Separation from Employment Regular staff employment termination may be initiated at any time by either the employee or by the University in accordance with HR Policy 12.0 Separation from Employment. An employee voluntarily separating from employment shall be required to give and fulfill the proper notice period in order to separate in good standing. Generally, the notice period is two weeks for nonexempt (hourly) and four weeks for exempt (salaried) employees. This requirement may be waived by the supervisor or appropriate department official. An employee who does not separate in good standing is not eligible for re-hire in any capacity within the University and is not eligible for Terminal Vacation pay. All employees separating from employment with the University shall be required to complete an exit interview, whereupon they will be required to turn in UK keys and devices (e.g., security key, flash drives, laptops). Additionally, UKIA IT will de-provision the employee according to section F page 38 in this manual to prevent inappropriate access after separation. Paid Time Off or Temporary Disability Leave (TDL) during Resignation Period UKIA’s policy is to require a Physician’s statement for all TDL requests during the resignation period. A physician’s statement must support the date(s) requested and substantiate the need for being absent from work and may not be retroactive. Failure to provide an appropriate physician’s statement may result in the absence being unauthorized. Unauthorized absence(s) are subject to corrective action up to and including employee termination.

Internal Audit Administrative Manual

23

Media & Public Records Media Contact In the event you are contacted by a member of a Media Outlet, it is UKIA’s policy not to comment or discuss any issues. Your standard response should be to forward the individual in Public Relations for an appropriate response. Jay Blanton is our Public Relations contact. The Director of UKIA will follow up with UK Public Relations. All Letters to the Editor written to campus, local, regional, national or International media, which are intended to portray the position of the University, must be reviewed by UK Public Relations. Media Interviews UK Public Relations will arrange all internal and external interview sessions with the media. If you are contacted by any media outlet for an interview, notify your supervisor immediately and forward the media request to Public Relations. Public Relations will handle all meeting preparation, including meeting location, resources and personnel. Media Policy UK Public Relations is responsible for coordinating UKIA’s media interviews, photography and preparing all news releases. The Public Relations staff can be reached individually during weekday work hours. Their contact information can be accessed through this link: https://www.uky.edu/prmarketing/staff/. In the event advice is needed during weekday evenings or weekends, the Public Relations staff can be reached on their on-call phone number of (859) 230-9086. This media policy applies in the instances in which you are representing the University only.

Internal Audit Administrative Manual

24

Open Record Requests All open records requests should be forwarded immediately to Ms. Amy Spagnuolo, in the Office of Legal Counsel. Kentucky law mandates that the University must respond to requests for records within three (3) days of receipt. “Receipt” is from the date you or your office receives the request; not from the date when Ms. Spagnuolo or the Office of Legal Counsel receives it. Therefore, it is imperative that you notify the legal office as soon as you receive a request for records so we can review the matter and respond in a timely manner. Ms. Spagnuolo, on behalf of the official University records custodian, is responsible for determining whether the request is proper and whether any legal exemptions apply to the request. Ms. Spagnuolo is also responsible for gathering the requested documents and then either arranging a time for inspection of the documents or for making copies available to the requestor. The official University records custodian is Eric Monday, Executive Vice President for Finance and Administration. Ms. Spagnuolo may be contacted at 301 Main Building, Lexington, Kentucky 40506-0032; Phone (859) 257-6366. For more information on open records, please visit the UK Library website on Public and Open Records. Public Access As a state-funded University, all records within the University are available to the public. Professionalism Regarding Politics While the UK campus is always a center of civic involvement and political discussion, there are restrictions, based on federal and state laws and UK regulations, on political activities that may occur on the campus. Subject to the exact language of the laws and the UK Regulations, these general guidelines must be followed: University resources (buildings, facilities, email systems, supplies, etc.) shall not be used to endorse, promote or support any political candidate or political party. University facilities may be used as a public forum to which all candidates shall be invited to participate. Registered student organizations may use UK facilities for meetings of their organization and the organization may invite political candidate(s) to be their guests. Public support of a candidate or party by members of the University community (for example, a letter to a newspaper) shall come from a UK employee whose identity is that of a citizen of the Commonwealth and not an employee of UK. The University values the contribution of all students, faculty, staff and visitors. Most importantly, we must always be mindful of fostering an environment dedicated to respecting the rights and beliefs of all members of the University community. Frequently asked questions on the subject of political activity and campaigning on campus are on the University of Kentucky’s legal website.

Internal Audit Administrative Manual

25

E. INFORMATION SYSTEMS & DATA SECURITY These policies and procedures are a living document and reflect the most accurate assessment of campus policies and best practices at the time of their incorporation. They are subject to change over time, and one should always consult the appropriate official or resource to verify the continued accuracy of the following policies. Failure to adhere to these policies and procedures may result in:

• Removal of security permissions • Notification of direct supervisor, Audit Director, and/or CAE • Disciplinary action • Civil or criminal prosecution

Abuse or inappropriate use of University technology resources is subject to corrective action up to and including termination of employment. Related Policies:

• Administrative Regulations 10:1: Policy Governing Access to and Use of University Information Technology Resources

• Governing Regulations XIV: Ethical Principles and Code of Conduct

Access See De-provisioning page 28. As you are assigned to various audit projects, you may be granted temporary access to certain University data to help you complete your work. This access is to be used only for conducting official University business and must remain confidential. UKIA staff should route unit-specific data requests through the IT Audit Manager to ensure appropriate access control practices are followed. The Administrative Staff Officer requests staff training plans for SAP access.

Acceptable Use Computing resources and information are provided to UKIA employees to support the University’s business functions. Any use of these resources that interferes with these functions or to malign or defame the image and reputation of the University of Kentucky is prohibited. Appropriate personal computer use is allowed during breaks and lunchtime. Please refer to UK Administrative Regulation AR 10:1 and UK Legal Ethical Principles and Code of Conduct for information on the use of University resources. UKIA employees should also review UK ITS Policies.

Internal Audit Administrative Manual

26

Administrator Rights UKIA strictly adheres to the best practice principle of “least privilege” when determining access rights. Generally, most staff will not be provisioned with administrator rights. Software installation and update requests should be sent to the IT Auditors helpdesk: InternalAudit-IT@uky.edu. Staff should never use mail-enabled, privileged accounts on their devices. This particularly includes IT Audit staff. Users with local administrator rights are permitted to:

• Install appropriately licensed software • Update existing, approved software • Affect own user data and desktop settings • All actions available to a standard user account

Without the explicit permission of the CAE, Audit Director, or IT Audit Manager, users with local administrator rights will not:

• Create, modify, and access local user accounts and local user account groups • Affect other users’ data or desktop settings • Install new hardware • Modify existing hardware • Install unlicensed or pirated software • Uninstall UKIA IT approved software • Modify operating system settings (e.g., network settings, access control, file/resource sharing,

firewall, virus protection, services configuration, Group Policy, etc.) • Modify boot sector or install additional operating systems • Other malicious or subversive activity

Backups See Disaster Recovery page 32.

Internal Audit Administrative Manual

27

Data Security UKIA has access to the University’s private and confidential data. Unattended, unlocked devices increase the risk of unintended disclosure of University data. Windows devices can be locked by pressing Ctrl-Alt-Del simultaneously, then clicking on the “Lock” button. Mac devices can be locked by pressing Control + Shift + Eject simultaneously. Additionally, Group Policy forces Windows devices to lock after five minutes of inactivity.

Data Storage UKIA staff are expected to store all work-related files that are critical to their job function on the aforementioned file servers rather than on local drives or mobile USB drives. Data on fileservers managed by the IT Audit staff is copied nightly to a secure off-site location managed by UK ITS. Staff should only store work-related files on these fileservers, as space is a premium. Duplicate or personal files may flag a user to be reviewed by the IT Audit staff for abuse of this policy. UKIA staff can use the University’s instance of Microsoft OneDrive for file storage, as well. Staff should also be aware of potential security concerns when working with sensitive data (see Encryption).

De-provisioning See Access page 26. UKIA staff may request temporary access to University technology resources during audits. UKIA staff will document these requests to ensure appropriate de-provisioning after completion of the audit.

Devices IT resources are provided to UKIA staff to support University business functions. Any use of these resources that interferes with these functions or maligns or defames the image or reputation of the University of Kentucky is prohibited. If UKIA staff elect to use personally owned devices to access University technology resources, personally owned devices must be configured securely and appropriately to meet departmental and University policies.

Disaster Recovery See Disaster Recovery page 32.

Encryption Both University-owned and personally owned devices that store or have access to private or confidential University data should be encrypted. This includes computers, mobile devices (e.g., tablets, phones), USB storage devices.

Helpdesk UKIA IT Audit staff use Microsoft Teams to manage workflow and share knowledge. All IT requests should be sent to the IT Audit staff email:InternalAudit-IT@uky.edu.

Internal Audit Administrative Manual

28

Internet Use See Acceptable Use page 26. It is the responsibility of every employee to follow acceptable standards when using the Internet. The following are some examples of unacceptable Internet usage:

• Web sites relating to pornography, militant extremist groups, gambling and illegal activities, and others deemed inappropriate by UKIA.

• Use of chat and newsgroups for purposes other than official University business. The department has the right to limit and block any employee’s Internet access in accordance with the University policy. Your usage may be monitored. During the lunch hour and rest periods, employees may use the Internet if they do not go to any sites that are deemed inappropriate by the University or UKIA.

Inventory The IT Audit staff maintain a cloud-based device and resource inventory in Microsoft Teams via the University’s Office365 portal.

Printing Printing is managed by the Administrative Staff Officer I. Printers are installed via Group Policy. UKIA staff are provided mobile devices for document review and should limit printing/copying whenever possible. Personal printing costs the University/Department resources and is, therefore, prohibited.

Purchasing IT Audit staff will quote IT resources from approved vendors and provide to Administrative Staff Officer I for appropriate approvals and procurement.

Surplus IT Audit staff will ensure devices are appropriately decommissioned before providing to Administrative Staff Officer I to be sent to UK Surplus.

Theft/Loss Theft or other unauthorized access to UKIA devices should be reported immediately to the appropriate officials (supervisor, Audit Director, CAE, etc.).

Internal Audit Administrative Manual

29

F. SAFETY INFORMATION UKIA is committed to ensuring the safety of all of its employees. Below are UKIA’s building emergency action plan, safety guidelines, evacuation plan, and contact information for emergency personnel. UKIA’s safety officer is April Fox, please see Appendix A: Section 3.0 – Contact Numbers for contact information.

UKIA’s Building Emergency Action Plan

• Significant Business Disruptions (SBDs) • Our plan anticipates several types of emergencies that may include but are not limited to the

following: o Fire o Severe Weather o Earthquake o Utility Outage o Workplace Violence/Terrorism o Bomb Threat o Medical Emergency

Approval and Execution Authority

The CAE of UKIA is responsible for approving the plan and for conducting the required annual review and has the authority to execute this Building Emergency Action Plan.

Building & Floor Coordinators The plan also identifies the building & floor coordinators who will take the lead in creating as well as updating the plans. Jim Connor, BEC for Cold Stream location on the first floor. Plan Location The Cold Stream Manager Offices will maintain copies of its Building Emergency Plan and the annual reviews, as well as any changes that have been made to it for inspection. Building Evacuation Plans are in the front of the building and in front of the CAE’s door. An electronic copy of our Emergency Plan is located on the J: Drive (Internal share drive). Physical copies are located at the homes of the persons responsible for the plan.

Internal Audit Administrative Manual

30

Safety Guidelines UK would like to ensure that all of its employees are safe by managing environmental health and safety processes with the same strength and leadership skills as other fundamental processes. Employees are expected to take personal responsibility for their own safety and to help identify potential safety hazards so that they can be corrected. All potential safety hazards or risks should be immediately reported to your supervisor. UKIA employees are required to read UK’s “Employee Safety Handbook” found on the HR website. Every employee must be committed to working in a safe environment. As the Internal Audit activity will expose employees to a number of environments, each member must take the time to understand the potential safety risk and proper safety protocol for that environment. Campus Police

• Emergencies: 911 • Police Dispatch: (859) 257-1616

Comply Line The Comply-Line is a toll-free phone number that is staffed 24 hours a day, seven days a week, every day of the year by an independent contractor. The contractor is professionally trained to take calls about possible misconduct or to arrange for you to receive answers to any questions that may arise about compliance issues. You may call UK HealthCare’s toll-free Comply-Line at (877) 898-6072. Any compliance issue may be reported anonymously. The issues raised will be addressed promptly and professionally. Emergency Shelter At work, in case of a hurricane or tornado warning, please seek shelter in the budget side of the offices in 1500 Bull Lea Rd., Suite 200 Lexington, KY 40511. It is important to shut all the doors to the offices. The kitchen area and the bathrooms are also safe spaces to take shelter during such events. Evacuation Plan and Location In the case of a fire or other emergency where evacuation is necessary, proceed immediately out of the building to UKIA’s designated meeting area located in the employee parking lot in the back-corner of 1500 Bull Lea Rd., Suite 200 Lexington, KY 40511. Office of Environmental Health and Safety

• Phone: (859) 257-3845 • Fax: (859) 257-8787 • To Report an Employee Injury, call UK Worker’s Care: (800) 440-6285 • Property Damage should be reported to the Risk Manager: (859) 257-3372

UK Alert All staff must sign up for the E-mail alert system, the University alert system regarding weather, emergencies, closing, etc. Please visit the UK Emergency Management website under UK Alert.

Internal Audit Administrative Manual

31

G. BUSINESS CONTINUITY PLAN In the event of a Significant Business Disruption (SBD), UKIA’s policy is to 1) safeguard employees’ lives and 2) to safeguard UKIA’s property by making a financial and operational assessment, quickly recovering and resuming operations, and protecting all the department’s records. Furthermore, UKIA has the ability to maintain an online presence in the case that a physical presence is not possible. The specific steps UKIA will follow to accomplish this are outlined in UKIA’s Business Continuity Plan.

Approval and Execution Authority The CAE is responsible for approving the plan and conducting the required annual review. The CAE also has the authority to execute this BCP.

Disaster Recovery The IT Audit staff maintain a cloud-based device and resource inventory in Microsoft Teams via the University’s Office365 portal. Devices are prioritized as standard or critical. UKIA staff are expected to store all work-related files that are critical to their job function on the departmental fileservers, which are automatically backed up each night. Backup reports are reviewed daily by the IT Audit Manager or Internal Audit Director. File restoration is tested once a month by the IT Audit Manager or Internal Audit Director to verify the integrity of the backups. In the event of a disaster, IT Audit staff will restore departmental fileservers to Microsoft OneDrive and share it with UKIA staff to access via Microsoft Office365. UKIA staff can use any device to remotely access Microsoft Office365 (e.g., Excel, OneDrive, Outlook, PowerPoint, Word) and HighBond (audit management tool) to continue operations.

Plan Location and Access UKIA maintains copies of its Business Continuity Plan, the annual reviews and the changes that have been made to it for inspection. An electronic copy of UKIA’s plan is located on the J: Drive (Internal share drive). Physical copies are located at the homes of the persons responsible for the plan.

Significant Business Disruptions (SBDs) Our plan anticipates one kind of SBD – internal. Internal SBD’s affect only our department’s ability to communicate and do business, such as a fire in our building, loss of critical data, etc.

Test Restore Procedure 1. One day each month, a test restore will be run on ss.uky.edu\iafile. 2. Files will be selected from random, various directories under iafile. 3. Dates, filenames and outcomes will be recorded in the Excel spreadsheet (restoredoc.xlsx).

Internal Audit Administrative Manual

32

H. APPENDIX

Appendix A Building Emergency Action Plan

University of Kentucky

Office of Emergency Management

1500 Bull Lea Rd., Suite 200

Lexington KY 40511

Internal Audit Administrative Manual

33

Internal Audit Administrative Manual

34

Internal Audit Administrative Manual

35

Internal Audit Administrative Manual

36

Internal Audit Administrative Manual

37

3.0 Contact Numbers

Adetokunbo (Martin) Anibaba 323-5295 Internal Audit Director

April Fox 257-3126 The Office of Internal Audit

Charles Whitehead 218-5321 Internal Audit #8

Alan Wood 323-4348 Assistant Editor

Jared Hicks 218-5855 Document Control Specialist

Melissa Feddes 257-2434 Internal Audit #10

Samuel Henderson, Jr. 218-1673 Internal Audit #9 Anastasia (Stacey)

Myers-Wilson 257-2256 Office 3

Joseph Reed 257-9734 Chief Audit Executive

Marianne Bush 257-6208 Quality Support

Albert (Lee) Walker, Jr. 257-2335 Internal Audit #6

Amanda Witt 218-5857 Internal Audit #7

Rose Stewart 218-5854 Internal Audit #9

Jason Turco 218-5859 Internal Audit #2

Marc Blevins 218-2242 Office 4

Curtis Barnhart 218-1674 Internal Auditor #5

Wes Justice 218-5856 Internal Auditor #3 / Office 4

Julie Hoover-Ernst 218-5858 Internal Audit #1

Kimbrough Conference Room 323-3101

Jim Conner (BEC) 231-8324 Cold Stream Offices

Molly Tabor 257-2948 Family & Consumer Sciences

Clayton Oliver 218-2341 Emergency Management Specialist

UKPD 257-8573

Lexington Police 911

Fax 257-3566

Internal Audit Administrative Manual

38

Internal Audit Administrative Manual

39

Internal Audit Administrative Manual

40

Internal Audit Administrative Manual

41

Internal Audit Administrative Manual

42

Internal Audit Administrative Manual

43

Internal Audit Administrative Manual

44

Internal Audit Administrative Manual

45

Internal Audit Administrative Manual

46

Appendix B Building Evacuation Plans/Routes

Internal Audit Administrative Manual

47

Appendix C Severe Weather Locations

Internal Audit Administrative Manual

48

Appendix D Procedures for Providing Assistance to Mobility Impaired Individuals

Internal Audit Administrative Manual

49

Internal Audit Administrative Manual

50

Appendix E Threatening Call/Bomb Threat Checklist

Internal Audit Administrative Manual

51

Appendix F Designated Assembly Areas

Internal Audit Administrative Manual

52

Appendix G Key Personnel Emergency Call List

Updated December 2019

Unit Contact Person Phone Email

UK Internal Audit

Joe Reed – Primary Contact

April Fox – Secondary Contact

(859) 257-9734 – Primary Contact (859) 257-3126 –

Secondary Contact

jreed3@uky.edu ahhelt2@email.uky.edu

Furniture – ORI Sherri Tompkins or Duane Tincher

(859) 241-2616 or

(859) 241-2600

stompkins@oriusa.com dtincher@oriusa.com

SITE (Building Management)

Cody Cook – Building Operator (859) 494-0272 Cody.Cook@cbre.com

UK Desktop Support

Darren Burch – Primary Contact

Wes Justice – Secondary Contact IT Desktop Support

Office

(859) 257-4197 – Primary Contact (859) 218-5856 –

Secondary Contact (859) 257-4195 –

Office

darren.burch@uky.edu

SAP Support Patrice Carroll – Team Lead (859) 257-5503 patrice.carroll@uky.edu

ACL/HighBond - - support@wegalvanize.com

Smart Draw - 1-800-768-3729 http://www.smartdraw.com/support/

UK Police Dispatch - (859) 257-1616 -

UK General Counsel Bill Thro (859) 323-2053 william.thro@uky.edu

Emergency (Police, Fire, Ambulance)

- 911 -

Environmental Health and Safety - (859) 257-1376 -

Sitelab (Website) UK Site Lab (859) 323-4000 sitelab@uky.edu