The University of Texas at Austin Office of Internal Audits Annual Audit Report For the Fiscal Year Ended August 31, 2014


Page 1: The University of Texas at Austin Office of Internal … University of Texas at Austin, Office of Internal Audits Annual Audit Report for Fiscal Year 2014 The University of Texas at

The University of Texas at Austin

Office of Internal Audits

Annual Audit Report

For the Fiscal Year Ended August 31, 2014


Table of Contents

I. Compliance with House Bill 16: A Brief Description

II. Planned Work Related to the Proportionality of Higher Education Benefits

III. Internal Audit Plan for Fiscal Year 2014
This schedule shows:
• Project Status
• Recommendations
• Management Action Plans
• Implementation Status
• Explanation for Changes in the Audit Plan

IV. Consulting Engagements and Non-audit Services Completed

V. External Quality Assurance Review (Peer Review)

VI. Internal Audit Plan for Fiscal Year 2015
a. The Audit Plan
b. Risks Ranked as High and Are Not on the FY 2015 Audit Plan
c. Description of Risk Assessment or Methodology

VII. External Audit Services Procured in Fiscal Year 2014

VIII. Reporting Suspected Fraud and Abuse

This report will be posted on the website: http://www.utexas.edu/admin/audit/reports.html

Annual Report Distribution:
• Governor's Office of Budget, Planning, and Policy
• State Auditor's Office
• Legislative Budget Board
• Sunset Advisory Commission

The University of Texas at Austin, Office of Internal Audits
Annual Audit Report for Fiscal Year 2014

The University of Texas at Austin Annual Audit Report, FY '14


I. Compliance with Texas House Bill 16

House Bill 16 requires The University of Texas at Austin to post the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on the Internet Web site.

Office of Internal Audits’ Description of Plans to Comply: We plan to continue posting the Internal Audit Annual Report on the Office of Internal Audits’ internet Web site, http://www.utexas.edu/admin/audit/reports.html. We plan to include all required information in the report on that webpage.


II. Planned Work Related to the Proportionality of Higher Education Benefits

At the request of the Governor, an internal audit of the proportionality of higher education benefits process is underway during the first quarter of fiscal year 2015. A consistent audit methodology has been deployed across the UT System that will assess the reporting process and accuracy of benefits funding information provided to the State Comptroller as applicable under the General Appropriations Act, Article IX, Sec. 6.08: Benefits Paid Proportional by Fund. The audit will be complete by November 30, 2014.


OFFICE OF INTERNAL AUDITS

FY 2014 AUDIT PLAN


Internal Audit Plan for Fiscal Year 2014

This schedule presents the FY 2014 Audit Plan, displays changes to the audit plan, and provides explanations for the changes (an explanation for changes is at the end of this schedule). This schedule also shows the status of each project. To comply with Texas House Bill 16, high level objectives, recommendations, management action plans, and status of implementing those action plans are provided.

FY 2014 Audit Plan

| Audit Report/Project Title | Project Status* | Report # | Report Date | High Level Objectives | Recommendations/Results | Management Responses/Action Plans | Status of Implementing Action Plans** |
|---|---|---|---|---|---|---|---|
| Financial Audits | | | | | | | |
| UT System Requested/Externally Required Audits | | | | | | | |
| FY 2013 Financial Statement Audit - Assistance to External Auditor | completed for FY 14 | no report | not applicable (N/A) | to provide assistance | N/A | N/A | N/A |
| FY 2014 Financial Statement Audit - Assistance to External Auditor (interim financial work and IT work) | completed for FY 14 | no report | N/A | to provide assistance | N/A | N/A | N/A |
| Operational Audits | | | | | | | |
| UT System Requested/Externally Required Audits | | | | | | | |
| Presidential Travel, Entertainment, and Housing Expenses - Assistance to UT System | completed for FY 14 | no report | N/A | to assist UT System | N/A | N/A | N/A |
| Executives' Travel, and Entertainment Expenses FY14 | Postponed*** | | | | | | |
| Risk-Based Tier Two Audits | | | | | | | |
| Change in Management Audits, FY14 | Near Completion | | | | | | |
| Camps - Departmental | Cancelled*** | | | | | | |
| Human Resources - General Controls | Postponed*** | | | | | | |
| UT Market | Near Completion | | | | | | |
| Payroll - Overtime Hours | Postponed*** | | | | | | |
| Tuition and Fees | Postponed*** | | | | | | |
| Building Security | Postponed*** | | | | | | |
| Longhorn Foundation/Business Office | In Progress*** | | | | | | |
| Carryforward - Risk-Based Tier Two Audits | | | | | | | |
| Change in Management Audits, FY13: | | | | | | | |
| Office of the Vice President for Student Affairs | completed | 805.13 | 3/28/2014 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information systems security. | Management agreed and plans to implement recommendations. | fully implemented |


| Audit Report/Project Title | Project Status* | Report # | Report Date | High Level Objectives | Recommendations/Results | Management Responses/Action Plans | Status of Implementing Action Plans** |
|---|---|---|---|---|---|---|---|
| Nuclear Engineering Teaching Laboratory | completed | 805.13 | 11/18/2013 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information systems security, inventory, and entertainment. | Management agreed and plans to implement recommendations. | substantially implemented |
| Special Education | completed | 805.13 | 9/17/2013, 4/1/14 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information systems security, travel, entertainment, employee time reporting, cash and cash equivalent handling, and procurement cards. | Management agreed and plans to implement recommendations. | substantially implemented |
| Kinesiology and Health Education | completed | 805.13 | 11/18/2013, 4/1/14 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information systems security (policy changes), inventory, account reconciliations, cash and cash equivalent handling, procurement cards, entertainment, and travel. | Management agreed and plans to implement recommendations. | substantially implemented |
| University Health Services | completed | 805.13 | 9/17/2013 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information systems security, procurement cards, and entertainment. | Management agreed and plans to implement recommendations. | fully implemented |
| Art & Art History | completed | 805.13 | 6/13/2014 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information systems security, inventory, purchasing, petty cash, procurement cards, travel, entertainment, and handling of cash and cash equivalents. | Management agreed and plans to implement recommendations. | fully implemented |
| School of Law | Near Completion | | | | | | |


| Audit Report/Project Title | Project Status* | Report # | Report Date | High Level Objectives | Recommendations/Results | Management Responses/Action Plans | Status of Implementing Action Plans** |
|---|---|---|---|---|---|---|---|
| Marine Science Institute | Completed | 817.13 | 8/19/2014 | to evaluate the internal control environment to determine compliance with University policies | 19 recommendations were made to improve internal controls and compliance in the areas of information systems security, cash handling, inventory, procurement cards, and travel. | Management agreed and plans to implement recommendations. | substantially implemented |
| Change in Management Audits, FY12 | | | | | | | |
| Anthropology | completed | 779.12 | 9/6/2013 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information security, entertainment, handling of cash and cash equivalents, and purchasing. | Management agreed. | substantially implemented |
| Department of Finance | completed | 779.12 | 9/6/2013 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information systems security and cashier training. | Management agreed. | substantially implemented |
| Department of Accounting (academic) | completed | 779.12 | 9/6/2013 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information systems security. | Management agreed. | substantially implemented |
| Department of Electrical & Computer Engineering | completed | 779.12 | 9/6/2013 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information systems security and cash/cash equivalents. | Management moved their IT operations to UT Austin's centralized IT services. | substantially implemented |
| Department of Middle Eastern Studies | completed | 779.12 | 9/6/2013 | to determine compliance with certain UT policies and procedures | Enhance compliance with policies regarding information systems security, inventory, entertainment, purchasing, and handling of cash and cash equivalents. | Management agreed. | substantially implemented |
| Carryforward - Management Requests | | | | | | | |
| Frank Erwin Center - Box Office Operations | Near Completion | | | | | | |


| Audit Report/Project Title | Project Status* | Report # | Report Date | High Level Objectives | Recommendations/Results | Management Responses/Action Plans | Status of Implementing Action Plans** |
|---|---|---|---|---|---|---|---|
| Executive Travel and Entertainment Audit FY13 | completed | 812.13 | 11/12/2013 | to determine compliance with University travel and entertainment rules | Two campus-wide issues need to be addressed through revisions to the University policy: serving alcohol at off-campus university sponsored events and revising the process for approval of executive level entertainment expenses. Several recommendations were made at the individual executive level to improve compliance with University policy. | Administration agrees that the policy needs to be revised. Individual executives agreed with the recommendations and plan to implement them. | substantially implemented |
| Compliance Audits | | | | | | | |
| UT System Requested/Externally Required Audits | | | | | | | |
| Cancer Prevention Research Institute of Texas (CPRIT) Grant | Cancelled*** | | | | | | |
| Education Research Center FY 14 | Postponed*** | | | | | | |
| NCAA Football Attendance | completed | 14.013 | 2/10/2014 | to determine whether football attendance averaged 15,000 or more for all home games, as required by NCAA to qualify for Division I status | in compliance | none | none |
| Management Requests | | | | | | | |
| UT System Policy 175 Conflicts of Interest in Research | cancelled*** | | | | | | |
| Risk-Based Tier Two Audits | | | | | | | |
| Research - Export Controls | Postponed*** | | | | | | |
| University Health Services (UHS) and Forty Acres Pharmacy | Postponed*** | | | | | | |
| NCAA Bylaw 13 - Camps and Clinics | Near Completion | | | | | | |
| NCAA Bylaw 15 - Financial Aid | In Progress | | | | | | |


| Audit Report/Project Title | Project Status* | Report # | Report Date | High Level Objectives | Recommendations/Results | Management Responses/Action Plans | Status of Implementing Action Plans** |
|---|---|---|---|---|---|---|---|
| Texas Relays | Completed | 14.017 | 8/26/2014 | to evaluate controls related to the receiving, processing, and reconciling of participant entry fee proceeds and spectator ticket sales | recommend enhancements to controls over participant entry fees | management agrees and plans to implement recommendations | incomplete - to be implemented for the 2015 Texas Relays |
| NCAA Bylaw 10/14 - Academic Integrity/Eligibility | Postponed*** | | | | | | |
| Carryforward - Risk-Based Tier Two Audits | | | | | | | |
| Research - Technology Commercialization/Intellectual Property | Near Completion | | | | | | |
| Clery Act | Completed | 822.13 | 7/3/2014 | to determine compliance with the Clery Act regarding gathering and reporting crime and fire safety statistics and policies | Recommendations were made in the following areas: geography, daily crime log, emergency response and evaluation procedures, the Annual Security Report, missing student notification procedures and fire safety log. | More training will be offered, policies will be revised, more information will be included on the Fire Safety Log; communication to students and employees as to the location of the Daily Crime Log will be increased | incomplete/ongoing |
| Research Compliance | Completed | 815.13 | 8/21/2014 | to evaluate whether UT Austin's research compliance program effectively manages high risks | UT Austin's research compliance program effectively manages high risks | N/A | N/A |
| Education Research Center, FY 13 | Completed | 816.13 | 3/27/2014 | to determine compliance with a contract with Tx Education Agency and Tx Higher Education Coordinating Board | in compliance, no recommendations | N/A | N/A |


| Audit Report/Project Title | Project Status* | Report # | Report Date | High Level Objectives | Recommendations/Results | Management Responses/Action Plans | Status of Implementing Action Plans** |
|---|---|---|---|---|---|---|---|
| Norman Hackerman Advanced Research Program (ARP) Grants | Completed | 811.13 | 3/19/2014 | to determine compliance with grant conditions specified by the Texas Higher Education Coordinating Board | Recommendations were made in the following areas: travel, reports, and published project material. | The Office of Accounting reminded department staff about the travel rules; grant management will enhance monitoring the timeliness of issuing progress and technical reports; researchers will be reminded with each new grant that the Coordinating Board needs to be acknowledged on all publications from the grant research | fully implemented |
| Research - Scientific Misconduct | Complete | 818.13 | 3/26/2014 | to determine compliance with University policies and federal regulations on investigating and reporting scientific misconduct | enhance investigation procedures by interviewing complainants and providing them an opportunity to review their interview transcripts and providing respondents an opportunity to review draft inquiry and investigation reports | Management agrees to implement recommendations. | incomplete/ongoing |


| Audit Report/Project Title | Project Status* | Report # | Report Date | High Level Objectives | Recommendations/Results | Management Responses/Action Plans | Status of Implementing Action Plans** |
|---|---|---|---|---|---|---|---|
| Information Technology Audits | | | | | | | |
| UT System Requested/Externally Required Audits | | | | | | | |
| Institute for Public School Initiatives (IPSI), TEA Grant | Near Completion | | | | | | |
| National Automated Clearinghouse Association (NACHA) FY14 | In Progress | | | | | | |
| Risk-Based Tier Two Audits | | | | | | | |
| IT General Controls FY14 | In Progress | | | | | | |
| Change in Management Audits, FY14 - IT portion | In Progress | | | | | | |
| Sensitive Data Control Plans | In Progress | | | | | | |
| Payment Card Industry (PCI) Data Security Standards (DSS) | Postponed*** | | | | | | |
| Commodity IT Services | Postponed*** | | | | | | |
| Health Insurance Portability and Accountability Act (HIPAA) | In Progress | | | | | | |
| Centralized Authentication System | Postponed*** | | | | | | |
| Carryforward Audits | | | | | | | |
| IT General Controls FY13 | In Progress | | | | | | |
| Change in Management Audits, FY13 - IT portion | Near Completion | | | | | | |
| Laptop Encryption and IT Inventory | Completed | 820.13 | 7/1/2014 | to determine whether laptop inventory was properly controlled and all laptops were either encrypted or exempt from the exemption requirement | recommend improvements to controls over recording and tracking IT inventory and properly encrypting all laptops | Management agreed and is taking corrective actions. | substantially implemented |
| Texas Administrative Code 202 | Completed | 801.12 | 11/25/2013 | to determine whether the UT Austin information security program complies with Texas Administrative Code 202 | generally complies; 5 recommendations to improve controls related to information resources security safeguards, Security Standards Policy, and Business Continuity Planning. | Management agreed and is taking corrective actions. | substantially implemented |


| Audit Report/Project Title | Project Status* | Report # | Report Date | High Level Objectives | Recommendations/Results | Management Responses/Action Plans | Status of Implementing Action Plans** |
|---|---|---|---|---|---|---|---|
| National Automated Clearinghouse Association (NCAA), FY13 | Completed | 824.13 | 1/31/2014 | to determine compliance with NACHA 2013 Operating Rules for Internet-Initiated/Mobile Entries | in compliance, no recommendations | N/A | N/A |
| Reserves | | | | | | | |
| Reserve for Investigations | completed for FY 14 | no report | | | | | |
| Reserve for Management Requested Projects | completed for FY 14 | no report | | | | | |
| Reserve for Consulting Projects | completed for FY 14 | no report | | | | | |
| Follow-up Audits | completed for FY 14 | no report | | | | | |
| Projects | | | | | | | |
| Quality Assurance Review, internal | completed for FY 14 | no report | | | | | |
| Quality Assurance Review, external | completed for FY 14 | no report | | | | | |
| Internal Audit Committee | completed for FY 14 | no report | | | | | |
| Technical Support for Internal Audit Office and Staff | completed for FY 14 | no report | | | | | |
| TeamMate Support and Maintenance | completed for FY 14 | no report | | | | | |
| Annual Audit Plan and Risk Assessment Process | completed for FY 14 | no report | | | | | |
| Annual Internal Audit Report | completed for FY 14 | no report | | | | | |
| Office Manual/Website Updates | completed for FY 14 | no report | | | | | |
| UT System Issues and Assistance | completed for FY 14 | no report | | | | | |
| SAO Issues and Assistance | completed for FY 14 | no report | | | | | |
| Professional Organizations and University Committees | completed for FY 14 | no report | | | | | |
| Annual Financial Report - Monitoring Plan | completed for FY 14 | no report | | | | | |
| Data Mining | completed for FY 14 | no report | | | | | |
| Project Update/Status Meetings | completed for FY 14 | no report | | | | | |

*Project Status Definitions:
• Near Completion means reporting stage.
• In Progress means field work stage.

**Status of Implementing Action Plans:
• N/A - not applicable because there is no report or there are no recommendations
• fully implemented - all action plans have been implemented
• substantially implemented - most of the recommendations have been implemented
• incomplete/ongoing - management is working on it


*** Explanation for Differences in the Audit Plan

Projects were postponed or cancelled to provide more time for:
• one departmental management request of high IT risk
• two investigations
• UT Austin's closure for weather
• three consulting projects that addressed new high risks
• the Laptop Encryption project requested by UT System
• audits on the Audit Plan that required more time than planned

All changes to the Audit Plan were approved by the Internal Audit Committee at UT Austin.

Cancer Prevention Research Institute of Texas (CPRIT) Grant, cancelled: UT System Audit Office engaged Deloitte LLP to conduct this audit for the period through FY13.

Intercollegiate Athletics projects: Internal Audit (IA) management agreed to provide audit services to Intercollegiate Athletics; Athletics management decided which areas they wanted audited after the FY14 Audit Plan had become final. These projects were added after the Audit Plan was approved: NCAA Bylaws, Texas Relays, Longhorn Foundation.


Consulting and Non-Audit Services Completed, FY 2014

| Project | High-level Objective or Allegation | Report # | Report Date | Observations, Results, and Recommendations, if applicable |
|---|---|---|---|---|
| Central Business Office | to provide advice regarding procedures, policies, and processes - this is a new office | not applicable | not applicable | Advice was provided throughout the year |
| Chemistry/Biochemistry | to determine whether a professor received appropriate approval of his work outside UT and whether he was misusing university funds | not applicable | not applicable | The professor had not received appropriate approval for outside employment. No evidence was found to support the allegation of misuse of funds. |
| Office of Student Financial Services | to determine whether procedures for securing social security numbers are adequate and in compliance with relevant policies | not applicable | not applicable | Department management is in the process of enhancing security over social security numbers. |
| Semester in Los Angeles | The Director of the Semester in Los Angeles Program is alleged to be engaged in (a) financial mismanagement regarding the use/control of University resources and noncompliance with University policies & procedures, (b) misrepresentations of former students as current students for purposes of eligibility for internships in Los Angeles, and (c) a tolerance for alcohol at off-campus student events. | not applicable | not applicable | Rules were not followed. |
| Texas Box Office, Frank Erwin Center | An hourly employee purchased athletics tickets and event tickets and then allocated them using his code in the Paciolan Ticketing System. Some of these tickets were allocated to prime seats for disabled patrons. Most were resold for profit. | not applicable | not applicable | Rules were not followed. |
| Tuition Exemption Investigation | A graduate student misused her former spouse's military status to gain a tuition exemption for in-state tuition over six semesters. | not applicable | not applicable | Rules were not followed. |
| UT Austin User Accounts | User accounts of former employees were noted to have access to University computing resources, e.g. email and file storage. | not applicable | not applicable | This was included in TAC 202 audit. |
| UT Power Plant Store | An assistant plant maintenance supervisor has a store where he sells perishables such as candy, drinks, and chips, to subordinates for cash. The business is located in a storeroom in the UT Power Plant. In addition, UT vehicles are used to purchase goods needed to restock the store. | not applicable | not applicable | Department management has discontinued the operation of the Power Plant Store. |
| Vice President for Research | An anonymous caller made an allegation through the University Compliance Services hotline stating that the Vice President for Research (VPR) routinely overrides university policies in a way that has the potential to cause financial harm, create a substantial audit risk, and undermine the ability of staff who are supposed to ensure compliance; the VPR overrides in direct violation of university policy and federal regulations. | not applicable | not applicable | Based on information provided, the VPR has authority to approve a rate other than the negotiated rate. Internal Audits concludes that the VPR is not violating policies regarding reduced indirect costs; therefore the allegation does not appear to be valid. |


| Project | High-level Objective or Allegation | Report # | Report Date | Observations, Results, and Recommendations, if applicable |
|---|---|---|---|---|
| Workday Implementation, Consulting | Internal Audits is providing consulting assistance to the team implementing Workday, the new enterprise resource planning (ERP) solution for UT Austin. A work plan and deliverables will be finalized soon. | not applicable | not applicable | Advice was provided throughout the year. |


External Quality Assessment

Executive Summary

Performed by PricewaterhouseCoopers, LLP

June 30, 2014


June 30, 2014

Mr. Mike Vandervort
Director of Internal Audit
The University of Texas at Austin
1616 Guadalupe Street, UTA Suite 2.302
Austin, TX 78701

We have completed an External Quality Assessment (“EQA”) of The University of Texas at Austin (“UT Austin”) Office of Internal Audit (“IA”). The EQA included an assessment of the level of conformance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing (“the IIA Standards”), the Generally Accepted Government Auditing Standards (“GAGAS”) as well as the relevant requirements of the Texas Internal Auditing Act (“TIAA”). Listed below is our overall assessment of IA’s adherence with these Standards and requirements:
• IIA Standards - Based on our work, IA generally conforms. However, we did identify process enhancement opportunities.
• GAGAS - No conformance observations were identified.
• TIAA requirements – Other than the observations related to IIA Standards, no other observations were identified during our work.

Our Services were performed and this report was developed in accordance with our contract dated February 18, 2014 and are subject to the terms and conditions included therein. Our Services were performed in accordance with the Standards for Consulting Services established by the American Institute of Certified Public Accountants ("AICPA"). Accordingly, we are providing no opinion, attestation or other form of assurance with respect to our work and we did not verify or audit any information provided to us. Our work was limited to the specific procedures and analysis described herein and was based only on the information made available through April 11, 2014, when field work was substantially completed. Accordingly, changes in circumstances after this date could affect the findings outlined in this report. This information has been prepared solely for the use and benefit of, and pursuant to a client relationship exclusively with The University of Texas System Administration. PwC disclaims any contractual or other responsibility to others based on its use and, accordingly, this information may not be relied upon by anyone other than The University of Texas System Administration and UT Austin.

We would like to offer a sincere thank you to you and your staff, and the Internal Audit Committee and management of UT Austin, for the time and attention they provided during this assessment. We appreciate the opportunity to serve The University of Texas System Administration on this important engagement.

Very truly yours,

PricewaterhouseCoopers, LLP

PricewaterhouseCoopers LLP, 1201 Louisiana, Suite 2900, Houston, TX 77002-5678
T: (713) 356 4000, F: (713) 356 4717, www.pwc.com/us

Information contained herein is for the sole benefit and use of UT Austin


OFFICE OF INTERNAL AUDITS

FY 2015 AUDIT PLAN


FY 2015 Audit Plan

| Audit/Project | Budgeted Hours | Description |
|---|---|---|
| Financial | | |
| UT System Requested/Externally Required Audits | | |
| FY 2015 Financial Statement Audit - Assistance to External Auditor (interim financial work and IT work) | 20 | Required by UT System - Assistance to the external auditor for audit of FY14 Financial Statements; to include IT audit work prior to year-end |
| Financial Subtotal | 20 | |
| Operational | | |
| UT System Requested/Externally Required Audits | | |
| Presidential Travel, Entertainment, and Housing Expenses - Assistance to UT System | 20 | Required by Regents Rule 20205 - Assist UT System Audit with review of travel, entertainment, and housing expenses for the president and spouse |
| Executives' Travel and Entertainment Expenses FY2014/2015 | 400 | Required by UT System Annually. All sources of funds, including funds from the General Appropriations Act, may be selected for review.* |
| Risk-Based Audits | | |
| Departmental Change in Management Audits, FY15 | 1,000 | Review and evaluate departmental internal controls and compliance with UT rules. All sources of funds, including funds from the General Appropriations Act, may be selected for review.* |
| Human Resources - General Controls | 600 | Review general controls associated with the Human Resources Department, according to high level of risk within the area (including overtime hours). All sources of funds, including funds from the General Appropriations Act, may be affected by this project.* |
| Bursar - Cash Management | 300 | Conduct cash counts using a sample of departments who receive and maintain funds in their area |
| Donor Scholarships | 500 | Determine whether donor scholarships are used for intended purpose |
| University Health Services - Billing and Operations | 500 | Review and evaluate student health center for compliance with applicable federal, state, and University rules regarding billing and operations |
| 40 Acres Pharmacy | 500 | Review and evaluate the 40 Acres Pharmacy for compliance with applicable federal, state, and University rules regarding billing and operations |
| Carryforward - Risk-Based Audits | | |
| Departmental Change in Management Audits, FY14 | 150 | Review and evaluate departmental internal controls and compliance with UT rules. All sources of funds, including funds from the General Appropriations Act, may be selected for review.* |
| Longhorn Foundation/Business Office | 425 | Business Office (Transactional and Financial), Contracts (TBD), Longhorn Foundation Ticket Sample |


Consulting
Workday Implementation and Shared Services | 500 | Provide assistance regarding implementation of new Workday ERP solution. All sources of funds, including funds from the General Appropriations Act, may be affected by this project.*

Operational Subtotal | 4,895 |

Compliance

UT System Requested/Externally Required Audits
Proportionality Funding of Benefits | 200 | Per request from the Governor; addresses the proportionality of benefits and related risks. All sources of funds, including funds from the General Appropriations Act, may be affected by this project.*
Education Research Center FY2014/2015 | 400 | Required by contract - Certify that the research center is in full compliance with all terms of the contract and all applicable state and federal laws
NCAA Football Attendance | 50 | Required by NCAA - Review to verify football game attendance

Risk-Based Audits
NCAA Bylaw 10/14 - Academic Integrity/Eligibility | 800 | Academic Integrity - Tutors/ Mentor Program; Class auditing; Eligibility Certification
NCAA Bylaw 12 - Amateurism | 600 | Review amateurism (NCAA Bylaw 12) related to Intercollegiate Athletics
NCAA Bylaw 16 - Awards and Benefits | 600 | Review awards and benefits (NCAA Bylaw 16) related to Intercollegiate Athletics
NCAA Bylaws 18/20 - Post Season Events/Division Membership | 400 | Review post season events/division membership (NCAA Bylaws 18 & 20) related to Intercollegiate Athletics
Research - Export Controls | 500 | Review and evaluate export controls and compliance with federal, state, and University rules
UT System Policy 175 Conflicts of Interest in Research | 600 | Disclosure of significant financial interests and management and reporting of financial conflicts of interest in research - Requested by Dr. Juan Sanchez
Environmental Health & Safety | 500 | Evaluate compliance with UT Austin/UT System policies, state/federal rules regarding environmental health and safety procedures
Data Analytics | 250 | Data analysis to locate inappropriate transactions in various areas
Minors on Campus | 500 | Evaluate compliance with UT Austin/UT System policies, state/federal rules regarding minors on campus

Carryforward - Risk-Based Audits
NCAA Bylaw 13 - Camps and Clinics | 250 | Camps/ Operational/ Financial MBB/ WBB/ BA - Fall 2013 - FB/VB - Spring 2014
NCAA Bylaw 15 - Financial Aid | 425 | Equivalency Calculations & Outside Scholarships

Compliance Subtotal | 6,075 |


Information Technology

UT System Requested/Externally Required Audits
Institute for Public School Initiatives (IPSI), TEA Grant | 150 | Required annually by TEA - Assess security of electronically stored data. Annual audit requirement specified in grant conditions
National Automated Clearinghouse Association (NACHA) FY2015 | 125 | Required annually by NACHA - Review controls over web-based check transactions
Texas Administrative Code (TAC) 202 | 600 | Required every two years by TAC 202 - Review compliance with TAC 202 (Information Security Standards)

Risk-Based Audits
Departmental Change in Management Audits, FY15 - IT portion | 400 | Review and test IT controls as part of Departmental Change in Management Audits
UT Facilities Network (FACnet) | 800 | Review sufficiency of controls in the university's network of facilities controllers and systems
Incident Handling | 400 | Review processes in place for monitoring, investigating, and responding to system breaches
Health Insurance Portability and Accountability Act (HIPAA) | 400 | Review HIPAA covered entities for compliance with HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act
Sensitive Data Control Plans | 400 | Assess security procedures utilized to protect confidential data used in research or other projects.
IT Audit Assistance for Non-IT Projects | 400 |
Centralized Authentication System | 400 | Review related IT controls in the university's authentication system
Payment Card Industry (PCI) Data Security Standards (DSS) | 400 | Review controls to ensure compliance with credit card industry standards (PCI DSS)

Carryforward - Risk-Based Audits
Departmental Change in Management Audits, FY14 - IT Portion | 100 | Review and test IT controls as part of Departmental Change in Management Audits

Information Technology Subtotal | 4,575 |

Follow-up

General Follow-up | 150 |
Follow-up on Level-1 IT Recommendations | 150 |

Follow-up Subtotal | 300 |


Projects

Quality Assurance Review, internal | 100 | Internal quality assurance reviews
Internal Audit Committee | 400 | Preparation and support for Internal Audit Committee meetings
Technical Support for Internal Audit Office and Staff | 400 | Internal support for office technology and software
TeamMate Support and Maintenance | 125 | Maintenance and support of electronic audit management system
Annual Audit Plan and Risk Assessment Process | 500 | Preparation of annual audit plan and risk assessment
Annual Internal Audit Report | 40 | Preparation of annual report required by the Texas Government Code, Chapter 2102 (The Internal Auditing Act)
Office Manual/Website Updates | 130 | Updates to IA's office manual, standard forms/reports, processes, and website
UT System Issues and Assistance | 100 | Miscellaneous assistance provided to UT System Audit Office
SAO Issues and Assistance | 35 | Miscellaneous assistance provided to the State Auditor
Professional Organizations and University Committees | 200 | Support and participation in professional audit organizations
Annual Financial Report - Monitoring Plan | 100 | Required by UT System; UTS142.1 requires annual testing of the monitoring plan for the segregation of duties and reconciliation of accounts.
Project Update/Status Meetings | 300 | Staff meetings regarding updates and status of audits and projects
Training for Dell Medical School | 300 |

Projects Subtotal | 2,730 |

Reserve

All sources of funds, including funds from the General Appropriations Act, may be affected by projects using hours reserved for unplanned projects.*

Reserve for Management Requests | 500 |
Reserve for Investigations | 1,238 |
Reserve for Consulting | 500 |

Reserve Subtotal | 2,238 |

Total Hours | 20,833 |

*Instructions for this schedule require identifying projects in these categories:
Projects with blue font address the proportionality of benefits or related risks.
Projects with fuchsia font may relate to expenditure transfers or any other limitations or restriction in the General Appropriations Act.


High Level Risks NOT Covered in Audit Plan for FY 2015

Risk | Explanation/Mitigation

Compliance - Capturing All Investigations - Incl Hotline Calls | This area is currently in transition and controls are being reviewed for future best practices. Internal Audits will consider this area for the FY 2016 audit plan.
Lack of effort reporting &/or non-compliance with OMB Circular A-21 | Internal Audits is planning to conduct two audits in the area of research for the FY2015 audit plan. This risk will be considered for the FY2016 audit plan.
Non-compliance with federal purchasing requirements | Self Assessment Review
Lack of license compliance monitoring & enforcement | Audited FY2014
Consent process with human subjects | Human Subjects Research is externally accredited. Internal Audits reviewed this accreditation as an audit step in FY2014.
Lack of or inadequate reporting of Scientific Misconduct | Audited FY2014
Inaccurate reporting on lobbying | Internal Audits is planning to conduct two audits in the area of research for the FY2015 audit plan. This risk will be considered for the FY2016 audit plan.
Facilities, Athletics | Audited FY2014
IT Services, Athletics | This area was reviewed in the FY2014 audit of Texas Box Office (Paciolan system). Internal Audits will consider a more thorough review of this risk for the FY2016 audit plan.
Servers/ Virtual Machines | Services are currently being expanded in this area; IA will consider auditing this risk in future years.
Building Access Control System | The UT Information Security Office recently performed a security review of BACS, and BACS is currently being reviewed by a 3rd party; IA will consider auditing this risk in future years.
Information Mgmt. - Development | An audit of information management in the Development Office was performed by IA in FY09. Time constraints do not allow for this risk to be audited this year; IA will consider auditing this risk in future years.
Phishing Attacks - Financial Services | Two-factor authentication is currently being implemented for payroll and additional areas are being implemented in future phases; IA will consider auditing this risk in future years.
Failure to manage contracts, ITS Administration | Time constraints do not allow for this risk to be audited this year; IA will consider auditing this risk in future years.


The Process for Developing Risk Assessments for the Audit Plan

As part of preparing the annual audit plan, Internal Audit (IA) management and staff met with the President’s Office, each vice president, the Director of University Compliance Services, and the Director of Information Technology Services/Chief Information Officer to review his/her risk assessments. Discussions included IA’s prior year’s risk assessment, changes in the executive’s portfolio, changes and expected changes in the environment and/or industry, and changes in how risks may be evaluated. Then the updated risk assessments are used for the annual audit plan.

The University of Texas System Audit Office (UTS) provides a spreadsheet identifying the audit universe in different levels (Tier One, Two, and Three). IA matches the universe to the prepared risk assessments to be sure all risks are evaluated. UTS requires the following selected risk assessments to be exhibited with the Audit Plan:

Overall Risk Assessment (Tier One Level)

• Institutional Risk Assessment

The risk rankings are a weighted average of the detailed risk assessments.

Detailed Risk Assessments (Tier Two Level) - selected

• Research Risk Assessment
• Information Technology Risk Assessment, all IT risk assessments considered Texas Administrative Code 202
• Institutional Tier 2 Risk Assessment

Evaluating Risks (Guidelines from UTS)

Risk Assessments

The vertical axis of the risk assessment represents the applicable business processes. The horizontal axis of the risk assessment represents business risks identified for each process or sub-process. All types of business risks were included: strategic, financial, operational, and compliance. Each individual risk identified was ranked for impact and probability.

Determination of Impact

Impact of a risk is the effect a single occurrence of that risk will have upon the achievement of UT Austin’s goals and objectives. There are three values:

• High – The effect will cause the institution not to achieve its goals and objectives: “show stopper”
• Medium – The effect will cause the institution to operate inefficiently and/or expend unplanned resources to meet goals and objectives
• Low – There will be no measurable effect upon the achievement of institutional goals and objectives

Methodology to determine the Impact Value:

• Identify consequences to the organization if a risk were to become a reality
• Value the effect on the organization for each consequence (high, medium, or low)
• Assign Impact value of an identified risk based upon the value of its highest potential consequence


Determination of Probability

Probability of a risk is the likelihood the risk will become reality. There are three values:

• High – The risk will become a reality frequently
• Medium – The risk will become a reality infrequently
• Low – The risk will rarely become a reality


External Audit Services, FY14

Scope | Type | Frequency | External Auditors | Audit Required By:

UT Austin Department of Intercollegiate Athletics Statement of Revenues and Expenses For The Year Ended August 31, 2013 and Independent Accountants' Report on Applying Agreed-upon Procedures | Agreed-Upon Procedures | Annual | Maxwell Locke & Ritter, LLP | NCAA Bylaw 6.2.3.1
KUT Radio of The University of Texas at Austin Financial Statements and Independent Auditor's Report Years Ended August 31, 2013 and 2012 | Financial | Annual | Gindler, Chappell, Morrison, and Co. P.C. | The Corporation for Public Broadcasting
University of Texas University Charter School Annual Financial Report For The Year Ended August 31, 2013 | Financial | Annual | West, Davis & Company, LLP | Texas Education Code, Section 12.111
University of Texas Elementary School Annual Financial Report For the Year Ended August 31, 2013 | Financial | Annual | Belt Harris Pechacek, LLLP | Texas Education Code, Section 12.111
State of Texas Compliance with Federal Portion of the Statewide Single Audit Report For The Fiscal Year Ended August 31, 2013, Report # 14-325 | Financial | Annual | John Keel, CPA State Auditor and KPMG, LLP | Single Audit Act Amendments of 1996 and OMB Circular A-133, Audits of States, Local Governments, and Non-Profit Organizations
State of Texas Financial Portion of the Statewide Single Audit Report For The Year Ended August 31, 2013, Report # 14-555 | Financial | Annual | John Keel, CPA State Auditor | Single Audit Act Amendments of 1996
University Interscholastic League Annual Financial Report For The Year Ended August 31, 2012 | Financial | Annual | West, Davis & Company, LLP | Texas Education Code, Section 33.083


Reporting Suspected Fraud and Abuse

Requirement #1:

General Appropriations Act Sec. 7.10. Fraud Reporting. A state agency or institution of higher education appropriated funds by this Act, shall use appropriated funds to assist with the detection and reporting of fraud involving state funds, including funds received pursuant to the American Recovery and Reinvestment Act, as follows:

(a) By providing information on the home page of the entity's website on how to report suspected fraud, waste, and abuse involving state resources directly to the State Auditor's Office. This shall include, at a minimum, the State Auditor's fraud hotline information and a link to the State Auditor's website for fraud reporting; and

(b) By including in the agency or institution's policies information on how to report suspected fraud involving state funds to the state auditor.

Description of How The University of Texas at Austin complies:

The University has a link for reporting fraud on the home page of its website. Please see http://www.utexas.edu/. This link includes information on how and where to report fraud, including the following statement: You may also report suspected fraud, waste, and abuse to the State Auditor’s Office Hotline at 1-800-TX-AUDIT (1-800-892-8348). The State Auditor’s Office provides additional information at its website, http://sao.fraud.state.tx.us.

The University of Texas at Austin’s Suspected Dishonest or Fraudulent Activities policy is now on-line: http://www.policies.utexas.edu/policies/suspected-dishonest-or-fraudulent-activities.

Requirement #2: Texas Government Code, Section 321.022. Coordination of Investigations

(a) If the administrative head of a department or entity that is subject to audit by the state auditor has reasonable cause to believe that money received from the state by the department or entity or by a client or contractor of the department or entity may have been lost, misappropriated, or misused, or that other fraudulent or unlawful conduct has occurred in relation to the operation of the department or entity, the administrative head shall report the reason and basis for the belief to the state auditor. The state auditor may investigate the report or may monitor any investigation conducted by the department or entity.

(b) The state auditor, in consultation with state agencies and institutions, shall prescribe the form, content, and timing of a report required by this section.

(c) All records of a communication by or to the state auditor relating to a report to the state auditor under Subsection (a) are audit working papers of the state auditor.

Description of How The University of Texas at Austin complies:

The Office of Internal Audits at The University of Texas at Austin reports all suspected fraud and abuse to the State Auditor’s Office through their Website: http://sao.fraud.state.tx.us.
