board of visitors audit, compliance, and risk committee ... · audit, compliance, and risk...

Board of Visitors Audit, Compliance, and Risk Committee, June 10, 2016


Post on 23-May-2020


Page 1: Board of Visitors Audit, Compliance, and Risk Committee ... · Audit, Compliance, and Risk Committee Agenda ... In-Flight as of June 30, 2016 . ... • Interview key stakeholders

Board of Visitors Audit, Compliance, and Risk Committee

June 10, 2016


Audit, Compliance, and Risk Committee Agenda

I. Remarks by the Committee Chair

II. Consent Agenda

• Corporate Compliance and Privacy Office Project Schedule for Fiscal Year 2017

III. Committee Discussion

A. Auditor of Public Accounts (APA) Audit Entrance Meeting for Fiscal Year 2016

B. Audit Department Activities Report

C. University Compliance: Medical Center Compliance and Privacy Office Staffing Report

D. Enterprise Risk Management (ERM) Program Report

IV. Closed Session


Corporate Compliance And Privacy Office Project Schedule For Fiscal Year 2017

RESOLVED, the Corporate Compliance and Privacy Office Project Schedule for the Medical Center for fiscal year 2017 is approved as recommended by the Audit, Compliance, and Risk Committee.


Auditor of Public Accounts FY2016 Audit Entrance Meeting


Audit Department FY 2016 Activities


FY2016 Highlights

Rebuilt and Stabilized Team Audit Team

• Hired and on-boarded 3 audit directors.
• Hired and on-boarded seasoned IT security professional as Senior IT Auditor
• Team completed skills self-assessment as foundation to training and development plan
• Hosted the annual College and University Auditors of Virginia (CUAV) conference at the Darden School of Business

Risk Based, Strategically Relevant Audit Approach

Audit Operations

• Created data-driven audit risk universe and plan, relevant to strategic objectives and ERM risks
• In design phase of forward-thinking methodologies relevant to our decentralized environment, including Fiscal Stewardship, a data-driven analysis of internal control risk indicators
• Implemented new audit reporting template to include audit finding prioritization, improved executive summaries, management’s responses
• Using risk tags for enhanced reporting and tracking of audit findings and management action plans


FY2016 Highlights

Completed Audit Projects

• Procurement
• Outpatient Charge Capture (University Medical Associates)
• Presidential Travel & Entertainment Expenditures
• General Ledger Transfers
• OSIG hotline investigations
• 10 follow up audits
• FY15 year end inventory procedures

In-Flight as of June 30, 2016 Audit Projects

• Curry School of Education (finalizing management action plans for report issuance)
• Distributed IT Systems Current State Assessment (draft report)
• Epic Phase 2 Implementation Project Health Check (first checkpoint report issued; ongoing assessment of project risks occurs throughout implementation)
• Fiscal Stewardship: Refining metrics for key risk indicators; moving to proof of concept mid-summer
• System Security: Privileged Access—Health System (planning)
• Ivy Cloud Security and Governance (planning)


University Compliance: Medical Center Compliance and Privacy Office Staffing Report



ERM Program Update

Jim Matteo, Associate VP & Treasurer


ERM Priorities

• Reposition & Enrich Program
• Enhance Board Reporting
• Onboard Health System


ERM Priorities Timeline

| Task | Due Date | Status |
|---|---|---|
| Reposition the ERM Program | | |
| Adopt ERM Charter | Feb. 19, 2016 | X |
| Launch Risk Management Council | Mar. 21, 2016 | X |
| Update ERM Framework | May 31, 2016 | X |
| Update Key Risks (Identification & Assessment) | Sep. 1, 2016 | |
| Enhance Board Reporting | Sep. 1, 2016 | |
| Onboard Health System | Q4 FY 2017 | |
| Assessment of Risk Structure | | |
| Formation of Health System Risk Management Network | | |
| Development of Key Risk List | | |


ERM Governance Architecture

• BOV – Audit, Compliance, and Risk
• President and Cabinet
• Risk Management Council
• Risk Management Network – Health System
• Risk Management Network – Academic Division


ERM Risk Universe

Strategic

• Strategic Plan Execution
• Industry Trends
• Market Risk

Operational

• Process
• Compliance
• Technology
• Safety/Security
• Governance
• Business Continuity
• Controls

Stakeholder

• UVa Brand
• Positioning
• Market Demand
• Accreditation
• Financial Ratings
• Community Standing

Resources

• Human
• Financial
• Physical


ERM Process Framework

• Risk Identification
• Risk Assessment
• Risk Response/Ownership
• Risk Management (Controls, Monitoring, Reporting)
• Objective Setting

Source: Based on COSO and NCSU ERM Initiative Frameworks


ERM Process – Next Steps

Risk Identification –

• Interview key stakeholders to refresh current key risk list (last updated in 2014)

Risk Assessment –

• Working with Internal Audit and Compliance to measure and prioritize key risks.
• Assessment results to be reviewed by governance parties to develop composite ranking.

Risk Ownership –

• Following Identification and Assessment, identify or re-identify owners of Key Risks

Risk Management –

• Risk Owners are responsible to put in place Controls to manage each risk, Monitoring to evaluate control effectiveness, and Communication of management activities.


Resume Open Session and Adjourn