The University of Texas at Austin
Office of Internal Audits
Annual Audit Report
For the Fiscal Year Ended August 31, 2014
Table of Contents
I. Compliance with House Bill 16: A Brief Description
II. Planned Work Related to the Proportionality of Higher Education Benefits
III. Internal Audit Plan for Fiscal Year 2014
    This schedule shows:
    Project Status
    Recommendations
    Management Action Plans
    Implementation Status
    Explanation for Changes in the Audit Plan
IV. Consulting Engagements and Non-audit Services Completed
V. External Quality Assurance Review (Peer Review)
VI. Internal Audit Plan for Fiscal Year 2015
    a. The Audit Plan
    b. Risks Ranked as High and Are Not on the FY 2015 Audit Plan
    c. Description of Risk Assessment or Methodology
VII. External Audit Services Procured in Fiscal Year 2014
VIII. Reporting Suspected Fraud and Abuse
This report will be posted on the website: http://www.utexas.edu/admin/audit/reports.html
Annual Report Distribution:
    Governor's Office of Budget, Planning, and Policy
    State Auditor's Office
    Legislative Budget Board
    Sunset Advisory Commission
The University of Texas at Austin, Office of Internal Audits
Annual Audit Report for Fiscal Year 2014
The University of Texas at Austin Annual Audit Report, FY '14
I. Compliance with Texas House Bill 16
House Bill 16 requires The University of Texas at Austin to post the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on the Internet Web site.
Office of Internal Audits’ Description of Plans to Comply: We plan to continue posting the Internal Audit Annual Report on the Office of Internal Audits’ internet Web site, http://www.utexas.edu/admin/audit/reports.html. We plan to include all required information in the report on that webpage.
II. Planned Work Related to the Proportionality of Higher Education Benefits
At the request of the Governor, an internal audit of the proportionality of higher education benefits process is underway during the first quarter of fiscal year 2015. A consistent audit methodology has been deployed across the UT System that will assess the reporting process and accuracy of benefits funding information provided to the State Comptroller as applicable under the General Appropriations Act, Article IX, Sec. 6.08: Benefits Paid Proportional by Fund. The audit will be complete by November 30, 2014.
OFFICE OF INTERNAL AUDITS
FY 2014 AUDIT PLAN
FY 2014 Audit Plan
Audit Report/Project Title | Project Status* | Report # | Report Date | High Level Objectives | Recommendations/Results | Management Responses/Action Plans | Status of Implementing Action Plans**
Financial Audits
UT System Requested/Externally Required Audits
FY 2013 Financial Statement Audit - Assistance to External Auditor | completed for FY 14 | no report | not applicable (N/A) | to provide assistance | N/A | N/A | N/A
FY 2014 Financial Statement Audit - Assistance to External Auditor (interim financial work and IT work) | completed for FY 14 | no report | N/A | to provide assistance | N/A | N/A | N/A
Operational Audits
UT System Requested/Externally Required Audits
Presidential Travel, Entertainment, and Housing Expenses - Assistance to UT System | completed for FY 14 | no report | N/A | to assist UT System | N/A | N/A | N/A
Executives' Travel, and Entertainment Expenses FY14 | Postponed***
Risk-Based Tier Two Audits
Change in Management Audits, FY14 | Near Completion
Camps - Departmental | Cancelled***
Human Resources - General Controls | Postponed***
UT Market | Near Completion
Payroll - Overtime Hours | Postponed***
Tuition and Fees | Postponed***
Building Security | Postponed***
Longhorn Foundation/Business Office | In Progress***
Carryforward - Risk-Based Tier Two Audits
Change in Management Audits, FY13:
Office of the Vice President for Student Affairs | completed | 805.13 | 3/28/2014 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information systems security. | Management agreed and plans to implement recommendations. | fully implemented
Internal Audit Plan for Fiscal Year 2014
This schedule presents the FY 2014 Audit Plan, displays changes to the audit plan, and provides explanations for the changes (an explanation for changes is at the end of this schedule). This schedule also shows the status of each project. To comply with Texas House Bill 16, high level objectives, recommendations, management action plans, and status of implementing those action plans are provided.
Nuclear Engineering Teaching Laboratory | completed | 805.13 | 11/18/2013 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information systems security, inventory, and entertainment. | Management agreed and plans to implement recommendations. | substantially implemented
Special Education | completed | 805.13 | 9/17/2013, 4/1/14 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information systems security, travel, entertainment, employee time reporting, cash and cash equivalent handling, and procurement cards. | Management agreed and plans to implement recommendations. | substantially implemented
Kinesiology and Health Education | completed | 805.13 | 11/18/2013, 4/1/14 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information systems security (policy changes), inventory, account reconciliations, cash and cash equivalent handling, procurement cards, entertainment, and travel. | Management agreed and plans to implement recommendations. | substantially implemented
University Health Services | completed | 805.13 | 9/17/2013 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information systems security, procurement cards, and entertainment. | Management agreed and plans to implement recommendations. | fully implemented
Art & Art History | completed | 805.13 | 6/13/2014 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information systems security, inventory, purchasing, petty cash, procurement cards, travel, entertainment, and handling of cash and cash equivalents. | Management agreed and plans to implement recommendations. | fully implemented
School of Law | Near Completion
Marine Science Institute | Completed | 817.13 | 8/19/2014 | to evaluate the internal control environment to determine compliance with University policies | 19 recommendations were made to improve internal controls and compliance in the areas of information systems security, cash handling, inventory, procurement cards, and travel. | Management agreed and plans to implement recommendations. | substantially implemented
Change in Management Audits, FY12
Anthropology | completed | 779.12 | 9/6/2013 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information security, entertainment, handling of cash and cash equivalents, and purchasing. | Management agreed. | substantially implemented
Department of Finance | completed | 779.12 | 9/6/2013 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information systems security and cashier training. | Management agreed. | substantially implemented
Department of Accounting (academic) | completed | 779.12 | 9/6/2013 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information systems security. | Management agreed. | substantially implemented
Department of Electrical & Computer Engineering | completed | 779.12 | 9/6/2013 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information systems security and cash/cash equivalents. | Management moved their IT operations to UT Austin's centralized IT services. | substantially implemented
Department of Middle Eastern Studies | completed | 779.12 | 9/6/2013 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information systems security, inventory, entertainment, purchasing, and handling of cash and cash equivalents. | Management agreed. | substantially implemented
Carryforward - Management Requests
Frank Erwin Center - Box Office Operations | Near Completion
Executive Travel and Entertainment Audit FY13 | completed | 812.13 | 11/12/2013 | to determine compliance with University travel and entertainment rules | Two campus-wide issues need to be addressed through revisions to the University policy: serving alcohol at off-campus university sponsored events and revising the process for approval of executive level entertainment expenses. Several recommendations were made at the individual executive level to improve compliance with University policy. | Administration agrees that the policy needs to be revised. Individual executives agreed with the recommendations and plan to implement them. | substantially implemented
Compliance Audits
UT System Requested/Externally Required Audits
Cancer Prevention Research Institute of Texas (CPRIT) Grant | Cancelled***
Education Research Center FY 14 | Postponed***
NCAA Football Attendance | completed | 14.013 | 2/10/2014 | to determine whether football attendance averaged 15,000 or more for all home games, as required by NCAA to qualify for Division I status | in compliance | none | none
Management Requests
UT System Policy 175 Conflicts of Interest in Research | cancelled***
Risk-Based Tier Two Audits
Research - Export Controls | Postponed***
University Health Services (UHS) and Forty Acres Pharmacy | Postponed***
NCAA Bylaw 13 - Camps and Clinics | Near Completion
NCAA Bylaw 15 - Financial Aid | In Progress
Texas Relays | Completed | 14.017 | 8/26/2014 | to evaluate controls related to the receiving, processing, and reconciling of participant entry fee proceeds and spectator ticket sales | recommend enhancements to controls over participant entry fees | management agrees and plans to implement recommendations | incomplete - to be implemented for the 2015 Texas Relays
NCAA Bylaw 10/14 - Academic Integrity/Eligibility | Postponed***
Carryforward - Risk-Based Tier Two Audits
Research - Technology Commercialization/ Intellectual Property | Near Completion
Clery Act | Completed | 822.13 | 7/3/2014 | to determine compliance with the Clery Act regarding gathering and reporting crime and fire safety statistics and policies | Recommendations were made in the following areas: geography, daily crime log, emergency response and evaluation procedures, the Annual Security Report, missing student notification procedures and fire safety log. | More training will be offered, policies will be revised, more information will be included on the Fire Safety Log; communication to students and employees as to the location of the Daily Crime Log will be increased | incomplete/ ongoing
Research Compliance | Completed | 815.13 | 8/21/2014 | to evaluate whether UT Austin's research compliance program effectively manages high risks | UT Austin's research compliance program effectively manages high risks | N/A | N/A
Education Research Center, FY 13 | Completed | 816.13 | 3/27/2014 | to determine compliance with a contract with Tx Education Agency and Tx Higher Education Coordinating Board | in compliance, no recommendations | N/A | N/A
Norman Hackerman Advanced Research Program (ARP) Grants | Completed | 811.13 | 3/19/2014 | to determine compliance with grant conditions specified by the Texas Higher Education Coordinating Board | Recommendations were made in the following areas: travel, reports, and published project material. | The Office of Accounting reminded department staff about the travel rules; grant management will enhance monitoring the timeliness of issuing progress and technical reports; researchers will be reminded with each new grant that the Coordinating Board needs to be acknowledged on all publications from the grant research | fully implemented
Research - Scientific Misconduct | Complete | 818.13 | 3/26/2014 | to determine compliance with University policies and federal regulations on investigating and reporting scientific misconduct | enhance investigation procedures by interviewing complainants and providing them an opportunity to review their interview transcripts and providing respondents an opportunity to review draft inquiry and investigation reports | Management agrees to implement recommendations. | incomplete/ ongoing
Information Technology Audits
UT System Requested/Externally Required Audits
Institute for Public School Initiatives (IPSI), TEA Grant | Near Completion
National Automated Clearinghouse Association (NACHA) FY14 | In Progress
Risk-Based Tier Two Audits
IT General Controls FY14 | In Progress
Change in Management Audits, FY14 - IT portion | In Progress
Sensitive Data Control Plans | In Progress
Payment Card Industry (PCI) Data Security Standards (DSS) | Postponed***
Commodity IT Services | Postponed***
Health Insurance Portability and Accountability Act (HIPAA) | In Progress
Centralized Authentication System | Postponed***
Carryforward Audits
IT General Controls FY13 | In Progress
Change in Management Audits, FY13 - IT portion | Near Completion
Laptop Encryption and IT Inventory | Completed | 820.13 | 7/1/2014 | to determine whether laptop inventory was properly controlled and all laptops were either encrypted or exempt from the exemption requirement | recommend improvements to controls over recording and tracking IT inventory and properly encrypting all laptops | Management agreed and is taking corrective actions. | substantially implemented
Texas Administrative Code 202 | Completed | 801.12 | 11/25/2013 | to determine whether the UT Austin information security program complies with Texas Administrative Code 202 | generally complies; 5 recommendations to improve controls related to information resources security safeguards, Security Standards Policy, and Business Continuity Planning. | Management agreed and is taking corrective actions. | substantially implemented
National Automated Clearinghouse Association (NACHA), FY13 | Completed | 824.13 | 1/31/2014 | to determine compliance with NACHA 2013 Operating Rules for Internet-Initiated/Mobile Entries | in compliance, no recommendations | N/A | N/A
Reserves
Reserve for Investigations | completed for FY 14 | no report
Reserve for Management Requested Projects | completed for FY 14 | no report
Reserve for Consulting Projects | completed for FY 14 | no report
Follow-up Audits | completed for FY 14 | no report
Projects
Quality Assurance Review, internal | completed for FY 14 | no report
Quality Assurance Review, external | completed for FY 14 | no report
Internal Audit Committee | completed for FY 14 | no report
Technical Support for Internal Audit Office and Staff | completed for FY 14 | no report
TeamMate Support and Maintenance | completed for FY 14 | no report
Annual Audit Plan and Risk Assessment Process | completed for FY 14 | no report
Annual Internal Audit Report | completed for FY 14 | no report
Office Manual/Website Updates | completed for FY 14 | no report
UT System Issues and Assistance | completed for FY 14 | no report
SAO Issues and Assistance | completed for FY 14 | no report
Professional Organizations and University Committees | completed for FY 14 | no report
Annual Financial Report - Monitoring Plan | completed for FY 14 | no report
Data Mining | completed for FY 14 | no report
Project Update/ Status Meetings | completed for FY 14 | no report
*Project Status Definitions:
Near Completion means reporting stage.
In Progress means field work stage.
**Status of Implementing Action Plans
N/A - not applicable because there is no report or there are no recommendations
fully implemented - all action plans have been implemented
substantially implemented - most of the recommendations have been implemented
incomplete/ongoing - management is working on it
*** Explanation for Differences in the Audit Plan
Projects were postponed or cancelled to provide more time for:
    UT Austin's closure for weather
    three consulting projects that addressed new high risks
    the Laptop Encryption project requested by UT System
    audits on the Audit Plan that required more time than planned
    two investigations
    one departmental management request of high IT risk
All changes to the Audit Plan were approved by the Internal Audit Committee at UT Austin.
Cancer Prevention Research Institute of Texas (CPRIT) Grant, cancelled: UT System Audit Office engaged Deloitte LLP to conduct this audit for the period through FY13.
Intercollegiate Athletics projects: Internal Audit (IA) management agreed to provide audit services to Intercollegiate Athletics; Athletics management decided which areas they wanted audited after the FY14 Audit Plan had become final. These projects were added after the Audit Plan was approved: NCAA Bylaws, Texas Relays, Longhorn Foundation.
Consulting and Non-Audit Services Completed, FY 2014
Project | High-level Objective or Allegation | Report # | Report Date | Observations, Results, and Recommendations, if applicable
Central Business Office | to provide advice regarding procedures, policies, and processes - this is a new office | not applicable | not applicable | Advice was provided throughout the year
Chemistry/Biochemistry | to determine whether a professor received appropriate approval of his work outside UT and whether he was misusing university funds | not applicable | not applicable | The professor had not received appropriate approval for outside employment. No evidence was found to support the allegation of misuse of funds.
Office of Student Financial Services | to determine whether procedures for securing social security numbers are adequate and in compliance with relevant policies | not applicable | not applicable | Department management is in the process of enhancing security over social security numbers.
Semester in Los Angeles | The Director of the Semester in Los Angeles Program is alleged to be engaged in (a) financial mismanagement regarding the use/control of University resources and noncompliance with University policies & procedures, (b) misrepresentations of former students as current students for purposes of eligibility for internships in Los Angeles, and (c) a tolerance for alcohol at off-campus student events. | not applicable | not applicable | Rules were not followed.
Texas Box Office, Frank Erwin Center | An hourly employee purchased athletics tickets and event tickets and then allocated them using his code in the Paciolan Ticketing System. Some of these tickets were allocated to prime seats for disabled patrons. Most were resold for profit. | not applicable | not applicable | Rules were not followed.
Tuition Exemption Investigation | A graduate student misused her former spouse's military status to gain a tuition exemption for in-state tuition over six semesters. | not applicable | not applicable | Rules were not followed.
UT Austin User Accounts | User accounts of former employees were noted to have access to University computing resources, e.g. email and file storage. | not applicable | not applicable | This was included in TAC 202 audit.
UT Power Plant Store | An assistant plant maintenance supervisor has a store where he sells perishables such as candy, drinks, and chips, to subordinates for cash. The business is located in a storeroom in the UT Power Plant. In addition, UT vehicles are used to purchase goods needed to restock the store. | not applicable | not applicable | Department management has discontinued the operation of the Power Plant Store.
Vice President for Research | An anonymous caller made an allegation through the University Compliance Services hotline stating that the Vice President for Research (VPR) routinely overrides university policies in a way that has the potential to cause financial harm, create a substantial audit risk, and undermine the ability of staff who are supposed to ensure compliance; the VPR overrides in direct violation of university policy and federal regulations. | not applicable | not applicable | Based on information provided, the VPR has authority to approve a rate other than the negotiated rate. Internal Audits concludes that the VPR is not violating policies regarding reduced indirect costs; therefore the allegation does not appear to be valid.
Workday Implementation, Consulting | Internal Audits is providing consulting assistance to the team implementing Workday, the new enterprise resource planning (ERP) solution for UT Austin. A work plan and deliverables will be finalized soon. | not applicable | not applicable | Advice was provided throughout the year.
External Quality Assessment
Executive Summary
Performed by PricewaterhouseCoopers, LLP
June 30, 2014
June 30, 2014
Mr. Mike Vandervort
Director of Internal Audit
The University of Texas at Austin
1616 Guadalupe Street, UTA Suite 2.302
Austin, TX 78701
We have completed an External Quality Assessment (“EQA”) of The University of Texas at Austin (“UT Austin”) Office of Internal Audit (“IA”). The EQA included an assessment of the level of conformance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing (“the IIA Standards”), the Generally Accepted Government Auditing Standards (“GAGAS”) as well as the relevant requirements of the Texas Internal Auditing Act (“TIAA”). Listed below is our overall assessment of IA’s adherence with these Standards and requirements:
• IIA Standards - Based on our work, IA generally conforms. However, we did identify process enhancement opportunities.
• GAGAS - No conformance observations were identified.
• TIAA requirements – Other than the observations related to IIA Standards, no other observations were identified during our work.
Our Services were performed and this report was developed in accordance with our contract dated February 18, 2014 and are subject to the terms and conditions included therein. Our Services were performed in accordance with the Standards for Consulting Services established by the American Institute of Certified Public Accountants ("AICPA"). Accordingly, we are providing no opinion, attestation or other form of assurance with respect to our work and we did not verify or audit any information provided to us. Our work was limited to the specific procedures and analysis described herein and was based only on the information made available through April 11, 2014, when field work was substantially completed. Accordingly, changes in circumstances after this date could affect the findings outlined in this report. This information has been prepared solely for the use and benefit of, and pursuant to a client relationship exclusively with The University of Texas System Administration. PwC disclaims any contractual or other responsibility to others based on its use and, accordingly, this information may not be relied upon by anyone other than The University of Texas System Administration and UT Austin.
We would like to offer a sincere thank you to you and your staff, and the Internal Audit Committee and management of UT Austin, for the time and attention they provided during this assessment. We appreciate the opportunity to serve The University of Texas System Administration on this important engagement.
Very truly yours,
PricewaterhouseCoopers, LLP
PricewaterhouseCoopers LLP, 1201 Louisiana, Suite 2900, Houston, TX 77002-5678
T: (713) 356 4000, F: (713) 356 4717, www.pwc.com/us
Information contained herein is for the sole benefit and use of UT Austin
OFFICE OF INTERNAL AUDITS
FY 2015 AUDIT PLAN
FY 2015 Audit Plan
Audit/Project | Budgeted Hours | Description
Financial
UT System Requested/Externally Required Audits
FY 2015 Financial Statement Audit - Assistance to External Auditor (interim financial work and IT work) | 20 | Required by UT System - Assistance to the external auditor for audit of FY14 Financial Statements; to include IT audit work prior to year-end
Financial Subtotal | 20
Operational
UT System Requested/Externally Required Audits
Presidential Travel, Entertainment, and Housing Expenses - Assistance to UT System | 20 | Required by Regents Rule 20205 - Assist UT System Audit with review of travel, entertainment, and housing expenses for the president and spouse
Executives' Travel and Entertainment Expenses FY2014/2015 | 400 | Required by UT System Annually. All sources of funds, including funds from the General Appropriations Act, may be selected for review.*
Risk-Based Audits
Departmental Change in Management Audits, FY15 | 1,000 | Review and evaluate departmental internal controls and compliance with UT rules. All sources of funds, including funds from the General Appropriations Act, may be selected for review.*
Human Resources - General Controls | 600 | Review general controls associated with the Human Resources Department, according to high level of risk within the area (including overtime hours). All sources of funds, including funds from the General Appropriations Act, may be affected by this project.*
Bursar - Cash Management | 300 | Conduct cash counts using a sample of departments who receive and maintain funds in their area
Donor Scholarships | 500 | Determine whether donor scholarships are used for intended purpose
University Health Services - Billing and Operations | 500 | Review and evaluate student health center for compliance with applicable federal, state, and University rules regarding billing and operations
40 Acres Pharmacy | 500 | Review and evaluate the 40 Acres Pharmacy for compliance with applicable federal, state, and University rules regarding billing and operations
Carryforward - Risk-Based Audits
Departmental Change in Management Audits, FY14 | 150 | Review and evaluate departmental internal controls and compliance with UT rules. All sources of funds, including funds from the General Appropriations Act, may be selected for review.*
Longhorn Foundation/Business Office | 425 | Business Office (Transactional and Financial), Contracts (TBD), Longhorn Foundation Ticket Sample
Consulting
Workday Implementation and Shared Services | 500 | Provide assistance regarding implementation of new Workday ERP solution. All sources of funds, including funds from the General Appropriations Act, may be affected by this project.*
Operational Subtotal | 4,895
Compliance
UT System Requested/Externally Required Audits
Proportionality Funding of Benefits | 200 | Per request from the Governor; addresses the proportionality of benefits and related risks. All sources of funds, including funds from the General Appropriations Act, may be affected by this project.*
Education Research Center FY2014/2015 | 400 | Required by contract - Certify that the research center is in full compliance with all terms of the contract and all applicable state and federal laws
NCAA Football Attendance | 50 | Required by NCAA - Review to verify football game attendance
Risk-Based Audits
NCAA Bylaw 10/14 - Academic Integrity/Eligibility | 800 | Academic Integrity - Tutors/ Mentor Program; Class auditing; Eligibility Certification
NCAA Bylaw 12 - Amateurism | 600 | Review amateurism (NCAA Bylaw 12) related to Intercollegiate Athletics
NCAA Bylaw 16 - Awards and Benefits | 600 | Review awards and benefits (NCAA Bylaw 16) related to Intercollegiate Athletics
NCAA Bylaws 18/20 - Post Season Events/Division Membership | 400 | Review post season events/division membership (NCAA Bylaws 18 & 20) related to Intercollegiate Athletics
Research - Export Controls | 500 | Review and evaluate export controls and compliance with federal, state, and University rules
UT System Policy 175 Conflicts of Interest in Research | 600 | Disclosure of significant financial interests and management and reporting of financial conflicts of interest in research - Requested by Dr. Juan Sanchez
Environmental Health & Safety | 500 | Evaluate compliance with UT Austin/UT System policies, state/federal rules regarding environmental health and safety procedures
Data Analytics | 250 | Data analysis to locate inappropriate transactions in various areas
Minors on Campus | 500 | Evaluate compliance with UT Austin/UT System policies, state/federal rules regarding minors on campus
Carryforward - Risk-Based Audits
NCAA Bylaw 13 - Camps and Clinics | 250 | Camps/ Operational/ Financial MBB/ WBB/ BA - Fall 2013 - FB/VB - Spring 2014
NCAA Bylaw 15 - Financial Aid | 425 | Equivalency Calculations & Outside Scholarships
Compliance Subtotal | 6,075
Information Technology
UT System Requested/Externally Required Audits
Institute for Public School Initiatives (IPSI), TEA Grant | 150 | Required annually by TEA - Assess security of electronically stored data. Annual audit requirement specified in grant conditions
National Automated Clearinghouse Association (NACHA) FY2015 | 125 | Required annually by NACHA - Review controls over web-based check transactions
Texas Administrative Code (TAC) 202 | 600 | Required every two years by TAC 202 - Review compliance with TAC 202 (Information Security Standards)
Risk-Based Audits
Departmental Change in Management Audits, FY15 - IT portion | 400 | Review and test IT controls as part of Departmental Change in Management Audits
UT Facilities Network (FACnet) | 800 | Review sufficiency of controls in the university's network of facilities controllers and systems
Incident Handling | 400 | Review processes in place for monitoring, investigating, and responding to system breaches
Health Insurance Portability and Accountability Act (HIPAA) | 400 | Review HIPAA covered entities for compliance with HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act
Sensitive Data Control Plans | 400 | Assess security procedures utilized to protect confidential data used in research or other projects.
IT Audit Assistance for Non-IT Projects | 400 |
Centralized Authentication System | 400 | Review related IT controls in the university's authentication system
Payment Card Industry (PCI) Data Security Standards (DSS) | 400 | Review controls to ensure compliance with credit card industry standards (PCI DSS)
Carryforward - Risk-Based Audits
Departmental Change in Management Audits, FY14 - IT Portion | 100 | Review and test IT controls as part of Departmental Change in Management Audits
Information Technology Subtotal | 4,575
Follow-up
General Follow-up | 150
Follow-up on Level-1 IT Recommendations | 150
Follow-up Subtotal | 300
Projects
Quality Assurance Review, internal 100 Internal quality assurance reviews
Internal Audit Committee 400 Preparation and support for Internal Audit Committee meetings
Technical Support for Internal Audit Office and Staff 400 Internal support for office technology and software
TeamMate Support and Maintenance 125 Maintenance and support of electronic audit management system
Annual Audit Plan and Risk Assessment Process 500 Preparation of annual audit plan and risk assessment
Annual Internal Audit Report 40 Preparation of annual report required by the Texas Government Code, Chapter 2102 (The Internal Auditing Act)
Office Manual/Website Updates 130 Updates to IA's office manual, standard forms/reports, processes, and website
UT System Issues and Assistance 100 Miscellaneous assistance provided to UT System Audit Office
SAO Issues and Assistance 35 Miscellaneous assistance provided to the State Auditor
Professional Organizations and University Committees 200 Support and participation in professional audit organizations
Annual Financial Report - Monitoring Plan 100 Required by UT System; UTS142.1 requires annual testing of the monitoring plan for the segregation of duties and reconciliation of accounts.
Project Update/Status Meetings 300 Staff meetings regarding updates and status of audits and projects
Training for Dell Medical School 300
Projects Subtotal 2,730
Reserve
All sources of funds, including funds from the General Appropriations Act, may be affected by projects using hours reserved for unplanned projects.*
Reserve for Management Requests 500
Reserve for Investigations 1,238
Reserve for Consulting 500
Reserve Subtotal 2,238
Total Hours 20,833
*Instructions for this schedule require identifying projects in these categories:
Projects with blue font address the proportionality of benefits or related risks.
Projects with fuchsia font may relate to expenditure transfers or any other limitations or restrictions in the General Appropriations Act.
High Level Risks NOT Covered in Audit Plan for FY 2015
Risk
Explanation/Mitigation

Compliance - Capturing All Investigations - Incl Hotline Calls
This area is currently in transition and controls are being reviewed for future best practices. Internal Audits will consider this area for the FY 2016 audit plan.

Lack of effort reporting &/or non-compliance with OMB Circular A-21
Internal Audits is planning to conduct two audits in the area of research for the FY2015 audit plan. This risk will be considered for the FY2016 audit plan.

Non-compliance with federal purchasing requirements
Self Assessment Review

Lack of license compliance monitoring & enforcement
Audited FY2014

Consent process with human subjects
Human Subjects Research is externally accredited. Internal Audits reviewed this accreditation as an audit step in FY2014.

Lack of or inadequate reporting of Scientific Misconduct
Audited FY2014

Inaccurate reporting on lobbying
Internal Audits is planning to conduct two audits in the area of research for the FY2015 audit plan. This risk will be considered for the FY2016 audit plan.

Facilities, Athletics
Audited FY2014

IT Services, Athletics
This area was reviewed in the FY2014 audit of Texas Box Office (Paciolan system). Internal Audits will consider a more thorough review of this risk for the FY2016 audit plan.

Servers/ Virtual Machines
Services are currently being expanded in this area; IA will consider auditing this risk in future years.

Building Access Control System
The UT Information Security Office recently performed a security review of BACS, and BACS is currently being reviewed by a 3rd party; IA will consider auditing this risk in future years.

Information Mgmt. - Development
An audit of information management in the Development Office was performed by IA in FY09. Time constraints do not allow for this risk to be audited this year; IA will consider auditing this risk in future years.

Phishing Attacks - Financial Services
Two-factor authentication is currently being implemented for payroll and additional areas are being implemented in future phases; IA will consider auditing this risk in future years.

Failure to manage contracts, ITS Administration
Time constraints do not allow for this risk to be audited this year; IA will consider auditing this risk in future years.
The Process for Developing Risk Assessments for the Audit Plan
As part of preparing the annual audit plan, Internal Audit (IA) management and staff met with the President’s Office, each vice president, the Director of University Compliance Services, and the Director of Information Technology Services/Chief Information Officer to review his/her risk assessments. Discussions included IA’s prior year’s risk assessment, changes in the executive’s portfolio, changes and expected changes in the environment and/or industry, and changes in how risks may be evaluated. Then the updated risk assessments are used for the annual audit plan.
The University of Texas System Audit Office (UTS) provides a spreadsheet identifying the audit universe in different levels (Tier One, Two, and Three). IA matches the universe to the prepared risk assessments to be sure all risks are evaluated.
UTS requires the following selected risk assessments to be exhibited with the Audit Plan:
Overall Risk Assessment (Tier One Level)
• Institutional Risk Assessment
The risk rankings are a weighted average of the detailed risk assessments.
Detailed Risk Assessments (Tier Two Level) - selected
• Research Risk Assessment
• Information Technology Risk Assessment, all IT risk assessments considered Texas Administrative Code 202
• Institutional Tier 2 Risk Assessment
Evaluating Risks (Guidelines from UTS)
Risk Assessments
The vertical axis of the risk assessment represents the applicable business processes. The horizontal axis of the risk assessment represents business risks identified for each process or sub-process. All types of business risks were included: strategic, financial, operational, and compliance. Each individual risk identified was ranked for impact and probability.
Determination of Impact
Impact of a risk is the effect a single occurrence of that risk will have upon the achievement of UT Austin’s goals and objectives. There are three values:
• High – The effect will cause the institution not to achieve its goals and objectives: “show stopper”
• Medium – The effect will cause the institution to operate inefficiently and/or expend unplanned resources to meet goals and objectives
• Low – There will be no measurable effect upon the achievement of institutional goals and objectives
Methodology to determine the Impact Value:
• Identify consequences to the organization if a risk were to become a reality
• Value the effect on the organization for each consequence (high, medium, or low)
• Assign Impact value of an identified risk based upon the value of its highest potential consequence
Determination of Probability
Probability of a risk is the likelihood the risk will become reality. There are three values:
• High – The risk will become a reality frequently
• Medium – The risk will become a reality infrequently
• Low – The risk will rarely become a reality
External Audit Services, FY14
Scope | Type | Frequency | External Auditors | Audit Required By
UT Austin Department of Intercollegiate Athletics Statement of Revenues and Expenses For The Year Ended August 31, 2013 and Independent Accountants' Report on Applying Agreed-upon Procedures | Agreed-Upon Procedures | Annual | Maxwell Locke & Ritter, LLP | NCAA Bylaw 6.2.3.1
KUT Radio of The University of Texas at Austin Financial Statements and Independent Auditor's Report Years Ended August 31, 2013 and 2012 | Financial | Annual | Gindler, Chappell, Morrison, and Co. P.C. | The Corporation for Public Broadcasting
University of Texas University Charter School Annual Financial Report For The Year Ended August 31, 2013 | Financial | Annual | West, Davis & Company, LLP | Texas Education Code, Section 12.111
University of Texas Elementary School Annual Financial Report For the Year Ended August 31, 2013 | Financial | Annual | Belt Harris Pechacek, LLLP | Texas Education Code, Section 12.111
State of Texas Compliance with Federal Portion of the Statewide Single Audit Report For The Fiscal Year Ended August 31, 2013, Report # 14-325 | Financial | Annual | John Keel, CPA State Auditor and KPMG, LLP | Single Audit Act Amendments of 1996 and OMB Circular A-133, Audits of States, Local Governments, and Non-Profit Organizations
State of Texas Financial Portion of the Statewide Single Audit Report For The Year Ended August 31, 2013, Report # 14-555 | Financial | Annual | John Keel, CPA State Auditor | Single Audit Act Amendments of 1996
University Interscholastic League Annual Financial Report For The Year Ended August 31, 2012 | Financial | Annual | West, Davis & Company, LLP | Texas Education Code, Section 33.083
Reporting Suspected Fraud and Abuse
Requirement #1:
General Appropriations Act Sec. 7.10. Fraud Reporting. A state agency or institution of higher education appropriated funds by this Act, shall use appropriated funds to assist with the detection and reporting of fraud involving state funds, including funds received pursuant to the American Recovery and Reinvestment Act, as follows:
(a) By providing information on the home page of the entity's website on how to report suspected fraud, waste, and abuse involving state resources directly to the State Auditor's Office. This shall include, at a minimum, the State Auditor's fraud hotline information and a link to the State Auditor's website for fraud reporting; and
(b) By including in the agency or institution's policies information on how to report suspected fraud involving state funds to the state auditor.
Description of How The University of Texas at Austin complies:
The University has a link for reporting fraud on the home page of its website. Please see http://www.utexas.edu/. This link includes information on how and where to report fraud, including the following statement: You may also report suspected fraud, waste, and abuse to the State Auditor’s Office Hotline at 1-800-TX-AUDIT (1-800-892-8348). The State Auditor’s Office provides additional information at its website, http://sao.fraud.state.tx.us.
The University of Texas at Austin’s Suspected Dishonest or Fraudulent Activities policy is now on-line: http://www.policies.utexas.edu/policies/suspected-dishonest-or-fraudulent-activities.
Requirement #2: Texas Government Code, Section 321.022. Coordination of Investigations
(a) If the administrative head of a department or entity that is subject to audit by the state auditor has reasonable cause to believe that money received from the state by the department or entity or by a client or contractor of the department or entity may have been lost, misappropriated, or misused, or that other fraudulent or unlawful conduct has occurred in relation to the operation of the department or entity, the administrative head shall report the reason and basis for the belief to the state auditor. The state auditor may investigate the report or may monitor any investigation conducted by the department or entity.
(b) The state auditor, in consultation with state agencies and institutions, shall prescribe the form, content, and timing of a report required by this section.
(c) All records of a communication by or to the state auditor relating to a report to the state auditor under Subsection (a) are audit working papers of the state auditor.
Description of How The University of Texas at Austin complies:
The Office of Internal Audits at The University of Texas at Austin reports all suspected fraud and abuse to the State Auditor’s Office through their Website: http://sao.fraud.state.tx.us.