the university of texas system...fy 2008 system admin & consolidation financial audit 1000 9% fy...

The University of Texas System System Audit Office

Annual Audit Report Fiscal Year 2009

The University of Texas System System Audit Office

702 Colorado Street, CLB 3.100 Austin, Texas 78701

The University of Texas System Administration Annual Audit Report System Audit Office Fiscal Year 2009

1

TABLE OF CONTENTS

I. INTERNAL AUDIT PLAN FOR FISCAL YEAR 2009 ..................................................... 2

II. EXTERNAL QUALITY ASSURANCE REVIEW .............................................................. 7

III. LIST OF AUDITS COMPLETED .......................................................................................... 8

IV. LIST OF CONSULTING ENGAGEMENTS AND NON-AUDIT SERVICES COMPLETED ............................................................................................................................ 39

V. ORGANIZATIONAL CHARTS ............................................................................................ 45

VI. REPORT ON OTHER INTERNAL AUDIT ACTIVITIES ............................................ 46

VII. INTERNAL AUDIT PLAN FOR FISCAL YEAR 2010 ................................................... 47

VIII. EXTERNAL AUDIT SERVICES .......................................................................................... 51

IX. REPORTING SUSPECTED FRAUD AND ABUSE ......................................................... 52


2

I. Internal Audit Plan for Fiscal Year 2009

THE UNIVERSITY OF TEXAS SYSTEM ADMINISTRATION Fiscal Year 2009 Audit Plan

System Administration - Part 1 of 2

Priority %

Budgeted of

Audit Areas Hours Total

Financial FY 2008 System Admin & Consolidation Financial Audit 1000 9% FY 2009 System Admin & Consolidation Financial Audit 200 2% Chancellor's Travel, Entertainment & Housing Expense Audit 150 1% JAMP Audit 200

Alzheimer's Council Fiscal Agreement Audit 150 Continuous Monitoring of Financial Information 75 1% UTIMCO Financial Statement Audit Assistance 300 UTIMCO CEO Travel and Other Expenses Audit 150 1% UTIMCO Meetings and Oversight Activities 250 Carryforward Audits UTIMCO CEO Travel and Other Expenses Audit 30 Financial Subtotal 2,505 23% Operational Campus Security & Emergency Preparedness Audit 200 Oil and Gas Producers Audits 1000 OFPC - Construction Project Audits 1000 Preferred Vendors Audit 150 Office of General Counsel Operations Review 300 Office of the Director of the Police Operations Review 300 Office of Employee Benefits Operations Review 300 Shared Services Initiative Review 300 General Audit Assistance to System Administration Departments 75 Change in Management Audits Chancellor's Office Change in Management Audit 150 Office of Strategic Management and Institutional Studies & Policy Analysis 150 Office of Administration 150 Carryforward Audits Office of Federal Relations Departmental Audit 20 Oil and Gas Company Audit - J Cleo Thompson Company 75 Operational Subtotal 4170 39%


3

Priority %

Budgeted of


Compliance Cash Handling Audit Office of Employee Benefits Dependent Audit 200 System-wide Endowment Compliance Audit 300 UTIMCO Due Diligence Audit 300 Student project TBD 500 Carryforward Audits IPSI Audit 100 OFPC Compliance Monitoring 300 Compliance Subtotal 1700 16%

Information Technology TAC 202 Compliance Audit 200 Texas Medical & Dental Schools Application Service (TMDSAS) IT System

Audit 200

Records Management Audit 300 Remote Office Security Audit 300 Application Controls Audit 400 Information Technology Subtotal 1400 13% Follow-up System Administration Follow Up 500 Follow-up Subtotal 500 5% Projects Internal Audit Committee 300 State Reporting 20 FY 2010 Audit Plan and Risk Assessments 100 Special Requests 100 Projects Subtotal 520 5% TOTAL 10,795 100%


4


Oversight - Part 2 of 2 Priority %

Budgeted of


Financial Guidance/Assistance Provided to Institutions Related to System-wide Financial

Audit - FY 2008 1750

Guidance/Assistance Provided to Institutions Related to System-wide Financial Audit - FY 2009

800

Assistance to UT Permian Basin Related to the Financial Audit - FY 2008 600 NCAA Agreed Upon Procedures: UT Arlington, UT El Paso, UT San Antonio,

UT Pan American 1200

Exchange Program 25 Financial Subtotal 4375 59% Operational

Guidance/Assistance Provided to Institutions Related to Cash Handling Audits 75 Audit Assistance to UT Permian Basin 100 To Be Determined - Special Requests 150

Exchange Program 25 Change in Management Audits

UT Southwestern Change in President Audit 150 Carryforward Audits Guidance/Assistance Provided to Health Institutions Related to Student Health

Ctr Audits 75

Operational Subtotal 575 8% Compliance

UTHSC-San Antonio Practice Plan Audit 300 UTHSC-Tyler Practice Plan Audit 300 Guidance/Assistance Provided to Institutions Related to Practice Plan Audits 75

System-wide Compliance Transition 150 Exchange Program 25

Compliance Subtotal 850 11% Information Technology

Guidance/Assistance Provided to Institutions Related to Information Technology Audits

75

Exchange Program 25 Information Technology Subtotal 100 1%


5

Priority %

Budgeted of


Follow-up

System-wide Significant Findings/Recommendations Tracking 300 Follow-up Subtotal 300 4% Projects

Institution Liaison Activities 500 FY 2010 System-wide Audit Plan 25 FY 2010 Institutional Annual Audit Plan Hearings 35 Audit, Compliance, and Management Review Committee (ACMR) 300 Internal Audit Council 200 System Audit Office Peer Review Recommendation Implementation 50

Teambuilding Activities 75 Carryforward 2009 System-wide Audit Plan 25 Projects Subtotal 1210 16% Total Hours 7410 100%


6

Deviations from the Audit Plan The System Audit Office performed all FY 2009 System Administration priority audits with the following deviations. • The hours budgeted for the UTIMCO Due Diligence audit were reallocated to the UTIMCO

Permanent University Fund (PUF) Internal Controls audit, at regental request. • The hours budgeted for the Office of Facilities Planning and Construction (OFPC)

Compliance Monitoring audit were reallocated to the OFPC Customer Satisfaction Survey project, at the request of the department.

• The hours budgeted for the Office of Employee Benefits (OEB) Operational review were reallocated to the OEB Employee Assistance Plan audit, at the request of the department.

• The Office of General Counsel Operational Review will be part of the scope of the System Administration Strategic Audit included in the FY 2010 audit plan.

• The Shared Services review and the two institutional Practice Plan audits were carried forward to the FY 2010 audit plan as processes were not yet in place for the audit activity to be ready for auditing.

• The Texas Medical and Dental School Application Service IT System audit has been postponed indefinitely until the new system is fully implemented. This date has not yet been determined due to complications during the system implementation process.

• The Remote Security audit was cancelled after preliminary planning during which it was found that the audit risk was no longer considered to be high.

• The Records Management audit was cancelled after preliminary planning during which it was found that the compliance function was providing alternate assurance.

All audits in progress at the end of FY 2008 that were carried forward to FY 2009 were completed, and the audits in progress at the end of FY 2009 were carried forward for completion by the early part of FY 2010. The System Audit Office also performed several special request projects deviating from the plan as part of the oversight function and executive management requests during the fiscal year.


7

II. External Quality Assurance Review

The University of Texas System Administration System Audit Office

Quality Assurance Review – May 2008 The Review The Quality Assurance Review (QAR) of The University of Texas System Audit Office was conducted May 19 - 22, 2008, and covered the period from the date of the last review to the present. The objective of the QAR was to provide reasonable assurance that the internal auditing program at The University of Texas System generally complied with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing and Code of Ethics as well as additional standards imposed by the Texas Internal Auditing Act. The objective was achieved by means of interviews with selected members of UT System Administration management, members of the UT Board of Regents’ Audit, Compliance, and management Review Committee (ACMR), members of the System Administration Internal Audit Committee, members of the internal audit staff and management, and UT System institutional audit directors; a review of the self-assessment performed by the System Audit Office; a review of the office’s quality control processes; and an evaluation of the office’s work products. Overall Conclusion The University of Texas System Audit Office complied with the standards in all material respects during the period under review. A follow-up QAR is planned to be scheduled during FY 2010.


8

III. List of Audits Completed

UT System Administration

Report Date Name of Audit Report High-Level Audit Objectives(s) Observations/Findings and

Recommendations Current Status Fiscal Impact/ Other Impact

9/26/08 Federal Relations Departmental Audit

The specific objectives of this audit were to determine: • The reliability and integrity of the department’s key financial information; • Whether controls are adequate and effective in safeguarding assets; and • Whether internal control procedures are in place and functioning as intended

Findings • The timing of the departmental accounts

reconciliations was inconsistent. • Account reconciliations are performed by an

employee who also has delegated signature authority on the departmental accounts.

• A personal expense was centrally billed to a departmental travel account and not reimbursed.

Recommendations • The Office of Federal Relations (OFR)

should determine, on a risk basis, the appropriate timing for reconciling the departmental accounts (within one month from the end of the month for which Statements of Account are being reconciled is optimal);

• OFR should reconcile salaries, fringe benefits, and wages accounts at least quarterly;

• An individual without signature authority should perform the departmental account reconciliations;

• The person performing the reconciliation should sign off as preparer on the reconciliation summary sheet;

• The personal charge should be reimbursed to the department;

• OFR should require that travelers submit centrally-billed receipts with other travel documents that are submitted when seeking travel reimbursement and reconcile these receipts to the centrally-billed transactions;

Implemented

Ensure accuracy of reporting and improve internal controls at a departmental level


9




and • OFR should inform all travelers within the

department that the use of state contracted rates for personal travel is prohibited.

10/10/2008 UTIMCO Chief Executive Officer/Chief Investment Officer Expenses Audit

To determine whether expense reimbursements to and payments on behalf of the CEO and any elements of compensation and benefits not included in the UTIMCO Compensation Plan were appropriate and accurate.

Finding While the expenses were reviewed and initialed by the Manager of Finance and Administration and the payment checks were signed by the Executive Assistant, we identified one travel expense reimbursement request and two club membership payments that were not signed/approved prior to payment by the Managing Director of Accounting, Finance, and Administration (“MDAFA”) due to being out of the office for an extended period of time. However, we noted that the MDAFA did review the documents and approve the payments retroactively. Recommendation In keeping with the UTIMCO Travel Guidelines and best practices, all CEO expenses should be reviewed and approved by the designated approver, currently the MDAFA, prior to payment. Additionally, an appropriate director level alternate should be designated to approve the CEO's expenses in the absence of the designated approver. Finding Unusual expenses, such as expensive international travel costs, are not underscored in the quarterly reports submitted to the Chairman of the UTIMCO Board of Directors. Though this is not required, doing so would increase transparency to the UTIMCO Board of Directors. Also, specific guidance for selecting transportation during international travel is not included in the Travel Guidelines. Recommendation In order to increase transparency to the UTIMCO Board of Directors, UTIMCO should highlight unusual expenses, such as expensive international travel costs, and provide applicable information,

Implemented Implemented

Ensure accuracy of reporting and ensure compliance with guidelines.


10




as needed, in the quarterly reports provided to the Chairman. UTIMCO should also develop more detailed guidance for ground transportation costs during international travel to include in their Travel Guidelines. The updated Travel Guidelines should then be approved by the UTIMCO Policy Committee.

11/7/2008 Institute for Public School Initiatives (IPSI) Contracts and Grants Compliance Audit

The objectives of this audit were to: • Determine whether contract and grant activity is in compliance with sponsor agreements and applicable laws, policies, and procedures; • Evaluate adequacy of internal control structure over the use, reporting, and reliability of contract and grant data; and • Determine whether there are adequate information security controls in place to protect data.

Finding During interviews with staff members, we noted that there are no formal training programs used by IPSI to provide additional knowledge and skills necessary to determine allowable and unallowable activities and costs. The A-133 Compliance Supplement, Part 6 - Internal Control for Activities Allowed or Unallowed and Allowable Costs/Cost Principles specifically addresses training programs, both formal and informal, that provide knowledge and skills necessary to determine activities and costs allowed. Recommendation IPSI should provide training to staff, online or in person, so that they can gain additional knowledge and skills to determine allowable costs and activities. This would demonstrate an awareness of the importance of training on allowable activities and costs to prevent violations that may result in a loss of funding or goodwill from inadequate information and communication. Finding There were two time and effort reports where the variance between the actual hours and the hours appointed for the grant was greater than 5% for most months during the certification period. Therefore, an adjustment had to be made to the appointment. The business manager performs a reconciliation every six months when she pre-certifies the time and effort for each individual assigned to a specific grant. Recommendation Consider reviewing time and effort reporting on a quarterly basis,


Ensure controls are in place and functioning appropriately and ensure regulatory guidelines compliance.


11




instead of semi-annually to ensure reporting is accurate within 5% of grant appointed hours allowing more timely adjustments of appointments as necessary. Finding IPSI only performs a state review of procurement and suspension and debarment for vendors but not a federal review or certification. The A-133 Compliance Supplement, Part 6 - Internal Control for Procurement and Suspension and Debarment, requires staff to determine that entities receiving sub awards of any value and procurement contracts equal to or exceeding $25,000 and their principals are not suspended or debarred, and specifies that means will be used to make that determination, Recommendation Review entities receiving sub awards or procurement contracts with the federal government to verify that they are not suspended or debarred through the Excluded Parties Listing System website at https://www.epls.gov to prevent violations that may result in a loss of funding or goodwill from contracting with parties suspended or debarred from dealing with the federal government.

Implemented

11/14/2008 The Texas Council on Alzheimer’s Disease and Related Disorders Audit

The objective of this engagement was to determine if the annual financial statement submitted to the Council was fairly represented as contractually agreed upon.

Finding The initial financial statement prepared and submitted to the Council did not conform to standards set forth in generally accepted accounting principles. Accordingly, the revised financial statement, as prepared by the System Audit Office, lists revenue, expenses, and available funds. This revised statement, and a statement of opinion from the System Audit Office, was communicated to the Council. Recommendation A formal annual financial statement should be prepared by the Office of Health Affairs as directed in the agreement between The Texas Council on Alzheimer’s Disease and Related Disorders and The University of Texas System.

Implemented

Ensure accuracy of reporting.


12




11/25/2008 Chancellor’s Travel, Entertainment and Housing Expenses Audit

The objective of the audit was to determine whether the travel, entertainment, and housing expenses paid on behalf of or reimbursed to the Chancellor or his spouse are appropriate and accurate.

None N/A Ensure controls are in place and functioning appropriately and ensure regulatory compliance.

12/1/2008 UT System Administration FY 2008 Annual Financial Report Audit

The objectives of this audit are to provide assurance to executive management and the Board of Regents that: • the information included in System

Administration's FY 2009 Annual Financial Report (AFR) is accurate in all material respects and consistent in accounting principles and presentation with the prior year, and that

• the internal controls in the key processes that provide information for the AFR may be relied upon to detect and correct potential material misstatements that may be caused by fraud or errors.

Finding As of August 31, 2008, the recorded value of a piece of real estate held as an investment was 50% of the agricultural value when instead, it should have been booked as 50% of the market value. This resulted in an understatement of endowment real estate of $265,465. Recommendation In FY 2009, the Office of Real Estate should perform a supervisory review of the documents supporting the value of real estate properties held by endowments to ensure that System Administration reports these properties at fair market values, as required by GASB 52. Finding The value of the fund liability varies throughout the year. The amount presented on System Administration’s balance sheet for FY 2008 was determined as of January 1 and July 31, 2008, instead of August 31, 2008. Based on our estimate, the fund liability on the balance sheet was overstated by about $884,000. Overall, the amount is immaterial to the balance sheet and does not require an adjustment. Recommendation In future years, the Office of the Controller at System Administration should work with the Office of Gift Planning Services to determine the liability for annuity and life income funds as of fiscal year-end for financial reporting purposes. Finding The fraud risk assessment revealed that fraud training has not been offered to System Administration employees (other than

Scheduled follow-up to be performed during FY 2009 AFR Audit Scheduled follow-up to be performed during FY 2009 AFR Audit



13




new hires, as part of the general compliance training module) since FY 2005. By not having a workforce that is well informed and properly educated the risks of fraud, the likelihood is increased that fraudulent activities will not be prevented or detected. Recommendation The Executive Vice Chancellor of Business Affairs should update and launch the fraud-training program and ensure that fraud training is provided to System Administration employees in a more timely manner.

Scheduled follow-up to be performed during FY 2009 AFR Audit

12/10/2008 UT Southwestern Medical Center at Dallas Office of the President Change in Management Audit

The objectives of this audit were to: •Determine the reliability and integrity of the Office of the President’s key financial information; • Determine whether internal control procedures are adequate and effective in safeguarding assets; • Determine whether other internal control procedures are in place and functioning as intended; and • Review overall departmental operations.

Finding Two individuals within the Office of the President reconcile departmental accounts. Both employees are also part of the approval process for departmental expenditures. In addition, neither the preparer nor the reviewer sign or date the reconciled statements of account; consequently, we could not verify documented evidence that reconciliations are completed timely or on a monthly basis. Currently, no one outside those involved in the reconciliation process monitors or reviews the reconciliations to ensure that the reconciliations are accurate and completed in a timely manner. Recommendation The Office of the President should ensure that: • All reconciled accounts are signed and dated to provide evidence of the reconciliation. • To enhance segregation of duties, those involved in the reconciliation process should not be involved in the approval process. If both reconcilers continue to be involved in the approval process, an individual, with appropriate supervisory authority and who does not reconcile the accounts, should periodically monitor the reconciliations to ensure they are complete, accurate, and performed in a timely manner.

Implemented



14




Finding We noted that not all expenses had comprehensive supporting documentation. Recommendation It a best practice that reimbursement requests for business expenses include a receipt, invoice, or other appropriate acknowledgement that substantiates receipt of payment from the recipient. Though not explicitly required to be reported, the Office of the President should consider including on the quarterly expense report submitted to the UT System Office of Health Affairs those expenses made for or on behalf of the president that are part of the president’s service on outside boards. Finding As part of our salary testing, we compared the amounts budgeted to amounts paid to departmental employees. Although amounts paid were approved amounts, the budget approval process for the Office of the President’s accounts is not formalized. Additionally, there were large transfers during the year used to provide funding for deferred compensation, salaries, clinical activities, development, and other activities within the institution. Although the president and director work closely together and with other departments, formal approval by the president was not documented for these transfer requests. Recommendation Internal controls for the annual budget process can be enhanced by requiring documented approval for budgeted amounts. Additionally, subsequent transfers from presidential accounts should include documentation of the approval of the president or the president’s designee. Finding The Office of the President has not conducted a risk assessment since July 2005.



15




Additionally, job descriptions are maintained by individuals and have not been updated since May 2001. Some titles for current employees have changed since then. Recommendation Given the change in management, the Office of the President should consider updating its risk assessment. Additionally, job descriptions should be reviewed and updated by position or job title. Finding Based on our audit work and discussions with institutional staff, copies of credit card statements and/or personal checks have been deemed acceptable, by themselves, for reimbursement. While copies of credit card statements and front copies of personal checks may corroborate an expense, they, by themselves, do not provide optimal support to substantiate the full details of a business-related expense. Recommendation University policies and procedures surrounding reimbursements for business expenses should be clarified or expanded. Requests for reimbursement of a business expense should be accompanied by comprehensive supporting documentation, which may include a receipt indicating payment, or an original invoice or other valid acknowledgement of receipt of payment from the payee, and proof of payment, which may include canceled check (front and back), a credit card receipt, credit card statement, or other valid proof of payment.


12/17/08 Joint Admission Medical Program Financial Audit

The objective of this audit was to determine the reliability and integrity of key financial information reported on the JAMP financial statement, which details the revenues and expenditures of the JAMP Office at UT System Administration for FY 2007 and FY 2008.

None N/A Ensure accuracy of reporting.


16




12/19/2008 UT System Consolidated Annual Financial Report Audit for FY 2008

Finding General overall control deficiencies found were in the areas of: 1. Performing departmental reconciliation of all accounts. 2. Segregating incompatible duties to the extent that is allowed by departmental resources. 3. Performing on-going monitoring of departmental reconciliation of accounts. 4. Requiring all departmental account holders to certify on at least an annual basis the continuing existence of segregation of duties and the timely monthly reconciliation of accounts. 5. Determining the validity of the certifications. Recommendation Revise UTS 142.1, Policy on the Annual Financial Report to: 1. Require sub-certification by all department heads or account owners (whose accounts are not maintained by the Dean or Division Head office) to their respective Dean or Division Head. It is also acceptable for department heads to sub-certify directly to the Financial Reporting Officer. 2. Require Deans and Division Heads to report to the institutional Financial Reporting Officer any department head who fails to sub-certify as required. 3. Require each institutional Financial Reporting Officer to develop a monitoring plan for segregation of duties and reconciliation of accounts. The monitoring plan should be risk-based but also include random monitoring of low risk departments and should cover all periods in the fiscal year. 4. Require each institutional Financial Reporting Officer, after consultation with the Institutional Audit Director, to file their Segregation of Duties and Reconciliation of Accounts Monitoring Plan by February 28th for the first year this requirement is in effect and any significant changes to the plan by February 28th for all subsequent years, with the UT

Scheduled follow-up to be performed during FY 2009 Consolidated AFR Audit



17




System Financial Reporting Officer. 5. Require modification of the Certifications procedure (Procedure 3) to include the sentence, “They will certify that the Segregation of Duties and Reconciliation of Accounts Monitoring Plan was completed as approved.” 6. Require Institutional Internal Audit to test annually, within 60 days of the fiscal year end, the monitoring plan, the sub-certifications and validate the assertions on segregation of duties and reconciliation of accounts. Finding An opportunity for improvement exists in the Departmental Financial Information Network (*DEFINE) application that impacts the institutions that use *DEFINE: UT Arlington, UT Austin, UT El Paso, UT Permian Basin, UT San Antonio, UT Tyler, and UT System Administration. *DEFINE allows a limited number of individuals to modify transactions that have been created and then approve those transactions. Modifications to the original transactions are not recorded in the document history and the creator is not notified that their original document or transaction has been modified. Reconciliation of the account would uncover a fraudulent transaction only if the reconciliations are performed by a person who does not have this high level of access. Recommendation The Systemwide Chief Information Officer should work with UT Austin to correct this segregation of duties issue with *DEFINE caused by the high level access right to prevent the approval of fraudulent transactions and record any changes to original documents by a person other than the creator.

Scheduled follow-up to be performed during FY 2009 Consolidated AFR Audit

12/19/2008 J. Cleo Thompson Oil and Gas Audit

The objectives were to determine whether: • Production reported to the

University was reasonable; • Proceeds from oil and gas sales

were reasonable, and that the

Details on the observations/findings, recommendations, and implementation status from oil and gas company audit reports are confidential pursuant to Texas Education Code, Section 66.81, and thus not included.

N/A Ensure accuracy of reporting and ensure compliance with guidelines.


18




corresponding royalties have been remitted to the University;

• Gas sales meters and Lease Automated Custody Transfer (LACT) meters were calibrated regularly; and

• Gas stream sampling is conducted every six months in accordance with the Board for Lease Rules and Regulations.

1/28/2009 Joint Admission Medical Program (JAMP) Compliance Audit

The primary objective of this audit was to determine the reliability and integrity of key financial information reported on the JAMP financial statement, which details revenues and expenditures of the JAMP Office at UT System Administration. The secondary objective of this audit was to provide assurance of compliance with requirements in the agreements between the JAMP Council and JAMP participant schools, specifically related to the budget, financial audit, and unused fund reimbursement, as well as the agreement between the JAMP Council and UT System Administration.

Finding Audit reports for nine of the public undergraduate participant schools noted issues of non-compliance in the general areas of expenditures, internal controls, and time and effort reporting. In addition, through our review of activity and expenditure reports submitted by the participant schools, as required by their agreement with the JAMP Council, we noted that four participant schools did not submit their Program Activity Report for FY 2008; one participant school included unreconciled amounts on its Expenditure Report; and six participant schools spent less than 50% of the JAMP funds distributed to their program. Recommendation The JAMP Office should enhance its oversight role to ensure that the participant schools are in compliance with their agreements with the JAMP Council and are addressing any issues identified in their audit reports. Specifically, the JAMP Office, as authorized by the JAMP Council, should implement procedures to track that corrective actions have been taken by participant schools, such as submission of activity and expenditure reports or the return of funds for expenditures identified as not being properly supported and approved. Additionally, the JAMP Office should work with the participant schools to investigate the reasons for high percentages of unused JAMP funds and present these results to the

Implemented

Ensure accuracy of financial reporting. Ensure controls are in place and functioning appropriately and ensure regulatory guidelines compliance.


19




JAMP Council to determine what further steps should be taken.

2/9/2009 Change in Management – Office of the Chancellor

The objectives of this audit are to: • Determine the reliability and integrity of the department’s key financial information; • Determine whether internal control procedures are adequate and effective in safeguarding assets; • Determine whether other internal control procedures are in place and functioning as intended.

Finding On a Request for Payment of Business Expenses, the Chancellor approved his own dues for a professional membership to the Business-Higher Education Forum. Section 2113.104 of The Texas Government Code, mandates that the state agency head, or that person’s designee, must review and approve expenditures for professional memberships. An authorized approver should not sign off on approval of their own expenditures. Recommendation Accounting and Purchasing Services should not process and approve expenditures related to travel and memberships for the Chancellor without prior review and approval by Francie Frederick, General Counsel to the Board of Regents.

Implemented


3/26/2009 Federation Operating Practices and Procedures Audit

The objective of this audit was to determine whether the System Identity Management Federation (Federation) is in compliance with the operating practices and procedures it established to ensure that controls are in place.

Finding Federation is not in compliance with subsections 1 through 7. 1. Federation Administration; 2. Management Structure; 3. Organizational Structure; 4. Policy, Requirements and Standards; 5. Member Applications; 6. Registration of Identity Management and

Resource Provider Systems; 7. Routine Operations; and Recommendation Federation management should update the Federation Operating Procedures (FOP) to accurately reflect the Federation’s operations and then follow the operating practices and procedures they have established.

Scheduled follow-up to be performed during FY 2010

Ensure compliance with guidelines.

5/1/2009 Systemwide Endowment Compliance Audit

• Provide reasonable assurance that an effectively designed endowment compliance program, including existence of written standards, effective oversight, due care in delegation of authority, training,

Finding There is great variance in training material and requirements and monitoring plans by institution. While institutions do report endowment compliance annually to UT System, testing and review of the accuracy of the reported information is not performed.



20




monitoring, discipline, corrective action, and periodic assessment of risks have been implemented and that the program is operating effectively;

• Provide reasonable assurance that Policy UTS 117: Endowment Compliance Plan System-Wide Standards and Compliance is followed as outlined to establish and support endowments;

• Assess the reasonableness of the calculation and supporting documentation for the endowment management and administrative expenses incurred by UT System Administration;

• · Assist Development in determining appropriate actions to take regarding annual endowment compliance report management responses.

Recommendation Systemwide Endowment Compliance should create minimum requirements/guidance for institutional training modules and monitoring activities. Institutions should consider providing renewal training on a periodic basis. Possible requirements for monitoring activities include the following: • Require endowments chosen to be reviewed during the endowment compliance annual report process (sample pool) to be rotated annually so that over a period of time all endowments are reviewed. • For endowments not chosen to be in the sample pool, require endowment account holders to certify that expenses made are allowable under the endowment agreement to provide assurance that these endowments are being reviewed for compliance. Finding System Administration does not have an active Endowment Compliance Committee, and there is not a current Systemwide risk assessment, monitoring plan, or Endowment Compliance Committee (ECC). Recommendation Systemwide Endowment Compliance should create a Systemwide ECC and develop a Systemwide risk assessment and monitoring plan. The Systemwide ECC should include a broad membership to cover various perspectives (e.g. Academic and Health Affairs, Systemwide Compliance, etc.) and conduct periodic meetings with documented minutes. The monitoring plan activities should support the Systemwide risk assessment. Potential monitoring activities include: • Request and review minutes of institutional ECC meetings to monitor issues discussed and the effectiveness of the committees. • Assess adequacy of institutional training and monitoring plans submitted with annual reports (i.e. meeting the minimum

Scheduled follow-up to be performed during FY 2010 Scheduled follow-up to be performed during FY 2010


21




requirements/guidance described in the recommendation above). Obtain results/reports of any internal audit department testing or compliance office inspections. Finding Based on what we reviewed, the program has matured over more than five years and a solid foundation has been put into place. However, an outside review of the Endowment Compliance Program by an institution with a similar program with an outsiders perspective has not been done. A peer review would identify areas for improvement, best practices, or alternatives that may improve an operation's effectiveness and services. Recommendation The Systemwide Endowment Compliance program should consider having an external peer review performed to obtain an objective evaluation of its endowment compliance activities. An independent assessment of the program has many benefits, including the sharing of best practices and demonstrating a proactive effort to improve the program. Finding Currently, there is not a regular timekeeping system to track the amount of time a department actually spends on endowment compliance. Recommendation Systemwide Endowment Compliance should evaluate the endowment management and administrative fee percent requested and the fee usage to reassess the percentage and/or reallocate the fee among UT System Administration departments, as necessary. The evaluation should include a review of time spent by departments on endowment compliance through the use of periodic time certifications to reduce the reliance on estimates in determining endowment-related payroll expenses. The



22




endowment management and administrative fee evaluation results should be documented as support for the allocation of the fee among various departments. A plan should also be put into place to require the institutions to perform this assessment. Finding There is variance and inconsistency in reporting by institutions for similar endowment issues. While information is requested as to if donors are receiving information, the actual content of the information sent out to donors in unknown. Recommendation In order to increase consistency in reporting, Systemwide Endowment Compliance should distribute written guidance for completion of the endowment compliance annual report to accompany the template provided to all institutions. The guidance should contain a description of each of the template sections, include a list of “acceptable reasons” for non-compliance in each of the risk areas, and require institutions to submit an example of a donor "Report of Use Letter" with their annual report. Providing information on what is being communicated to donors across the institutions can identify potential inconsistencies and determine whether a standard format is necessary. Finding The Endowment Compliance Fee and Endowment Management & Administration Fee received by the institutions reported in the Annual report are not verified for correctness from an outside source. Recommendation Systemwide Endowment Compliance should create a checklist of items to be reviewed and verified during their examination of each institution’s annual report with a signature and date line to document the



23




name of the person who completed the review. Finding Data for the summary reports compiled by Systemwide Endowment Compliance is hard keyed into spreadsheets. Recommendation Systemwide Endowment Compliance should consider linking data in summary spreadsheets to the annual report submitted by the institution to prevent potential manual entry errors and to confirm the data source from which the information originated Finding There is variance and inconsistency in reporting by institutions for similar endowment issues. Recommendation Systemwide Endowment Compliance should provide more detailed instructions on management responses from the institutions, including requiring an implementation date for each recommendation and specific steps to be taken to address each recommendation. Additionally, Systemwide Endowment Compliance should establish procedures for institutions to follow to handle non-compliance issues as they arise throughout and/or the end of the year (i.e. who to contact, steps to take upon notification, who to report to, mitigating steps, etc.). Finding After report recommendations are made by Systemwide Endowment Compliance and responses are received from the institutions, progress throughout the year made by institutions on the recommendations is not followed up on. Recommendation Systemwide Endowment Compliance should develop a system (e.g. Access database) to track the implementation of recommendations made as a result of their review of the annual reports. This system

Scheduled follow-up to be performed during FY 2010 Scheduled follow-up to be performed during FY 2010 Scheduled follow-up to be performed during FY 2010


24




could provide an interim database to organize, sort, and track the progress of recommendations until a permanent solution is decided upon. The system should track, by institution, recommendations, management responses, implementation dates, related actions, and whether issues were adequately addressed. Systemwide Endowment Compliance should coordinate with internal audit and/or compliance at the institutions to assist in following up on the recommendations.

5/8/2009 Endeavor Energy Resources Oil & Gas Audit FY 2009

The objectives of our audit were to determine whether: • Production reported to the University was reasonable; • Proceeds from oil and gas sales were reasonable, and the corresponding royalties have been remitted to the University; • Gas sales meters and Lease Automated Custody Transfer ("LACT") meters were calibrated regularly; and • Gas stream sampling is conducted every six months in accordance with the Board for Lease Rules ("BFL") and Regulations



5/22/2009 Texas Administrative Code Section 202 Audit

The objectives of this engagement were to determine whether areas identified as high-risk are in compliance with the security standards contained in TAC 202, and to satisfy the requirement for a biennial review pursuant to TAC 202.71(e).

Finding On an annual basis, OTIS manually compares a report of appointment changes to user accounts; however, if there is no change in appointment during the report period for a user’s account, the account is not changed. This control may not catch employees who have already separated but continue to have approved access for a limited time and for contractors, unpaid interns and other individuals who do not have appointments. Recommendation We recommend that OTIS review and strengthen the process to modify and remove access when a user’s relationship to System Administration or job responsibilities changes.


Ensure compliance with regulatory guidelines.


25




Finding OTIS has drafted a data classification and protection policy that is currently being reviewed by the Office of General Counsel; however, the policy does not define protection procedures necessary for each data classification level, and the database that records data classification is not consistent with OTIS’ classification definitions of confidential, sensitive and public. Recommendation We recommend OTIS 1) amend the data classification and protection policy to include protection procedures for each level of data classification, 2) obtain approval to place the policy into effect, and 3) update the database that records data to reflect data classifications and include all relevant information.


6/4/2009 Office of Employee Benefits Dependent Eligibility Audit

The audit objective was to determine the adequacy of the processes used by OEB and by the institutional benefits offices to collect and verify dependent eligibility information.

Finding Survey results indicate that institutions generally verify eligibility for special dependents but are not consistently verifying eligibility for regular dependents. The survey results are substantiated by our testing of the eligibility verification practices of two selected UT institutions. Recommendation OEB should revise its Administrative Manual to require institutional benefits offices to verify dependent eligibility for all dependents enrolled in the medical plan. The verification should be performed in the processes of new-hire, mid-year changes triggered by a qualifying event, and annual enrollment. Finding Section 230 of OEB’s Administrative Manual, Dependent Eligibility and Enrollment, establishes the frequency of OEB’s dependent eligibility audit. It states: “OEB shall conduct quarterly audits of Subscribers who have enrolled Dependents in Program coverage.” Since 2004, only five audits have been


Ensure controls are in place and functioning appropriately and ensure regulatory guidelines compliance.


26




performed at five different UT institutions, or about one audit per year. Recommendation OEB should conduct dependent audits according to the frequency established in its Administrative Manual or review the policy to determine an achievable frequency that will still allow it to effectively monitor dependent eligibility. If, as part of the dependent audits, OEB discovers that institutional benefits offices do not have an adequate process to verify dependents’ eligibility, OEB should communicate this information to the institutions’ executive management. To promote self-reporting of ineligibility by medical plan participants, OEB should provide more amnesty periods to run simultaneously with the annual enrollment periods, typically held in July of each year. The last amnesty period was provided in 2003 when OEB started performing the dependent audit.


6/10/2009 Office of Administration Departmental Audit

The specific objectives of this audit were to determine: • The reliability and integrity of the

department’s key financial information;

• The adequacy and effectiveness of controls in safeguarding assets; and

• Whether internal control procedures are in place and functioning as intended.

None N/A Ensure accuracy of reporting and improve internal controls at a departmental level

6/10/2009 Campus Security and Emergency Preparedness Audit

The objectives of this audit were to: • Evaluate UT System’s oversight of systemwide emergency preparedness; • Evaluate UT System’s oversight role for systemwide compliance with the Clery Act; and • Assess the UT System Administration emergency management plan.

Finding UT System Administration does not have a formal oversight role for systemwide emergency preparedness. In November 2007, ORM developed a systemwide policy for business resilience and continuity management that assigns a formal oversight role to ORM. The policy was presented to System Council; however, consensus could not be reached and the policy was tabled. No action has been

Ensure adequacy of controls and compliance with guidelines.


27




taken on the policy since that time. Without a systemwide policy for business resiliency, UT System lacks a uniform approach, which may prove detrimental to continuing operations in the event of a disaster. Recommendation ORM should revisit the approval and implementation of the policy for business resilience and continuity management. During this process, ORM should work with System Administration executive management to determine whether its informal role of providing guidance and direction should be expanded to include oversight as included in the draft policy referred to above. Finding ODOP has not inspected all institution police departments every two years, as required by policy. Recommendation ODOP should ensure that they complete the current schedule of inspections for UT System police departments to ensure that each department is inspected at least once every two years. In addition, ODOP should continue to improve the Clery Act compliance portion of the inspection. Finding The ODOP provides training to police department personnel on how to comply with Clery Act requirements only when requested or when a need is identified as part of an inspection, but does not provide general compliance training for all institutions. The U. S. Department of Education and the International Association of Campus Law Enforcement Administrators recommend that Clery Act compliance training be provided to those responsible for implementing the Clery Act.



28




Recommendation The ODOP should provide training to all institutions for compliance with Clery Act requirements. To facilitate inspection and reporting, the training should ensure that Clery Act compliance is standardized among all institutions. Finding The ODOP does many things to reduce crime at the System Administration complex, including updating security systems, reviewing security policies, and conducting walkthroughs of the complex. The ODOP also provides crime prevention information as part of new employee orientation or in response to a specific incident, but employees do not periodically receive reminders on how to reduce and prevent crime at the System Administration complex. Providing on-going crime prevention and awareness information to System Administration employees can increase their awareness of their responsibilities in reporting and preventing crime at the System Administration complex. Recommendation The ODOP should periodically provide crime prevention and awareness information to System Administration employees to ensure they understand their responsibilities in reporting and preventing crime at the System Administration complex. Finding While there appear to be processes and personnel in place to respond to typical emergencies, System Administration could improve its overall infrastructure for emergency response. The NIMS standard, as called for and described in Homeland Security Presidential Directive 5, provides for an overarching framework for System Administration Emergency Management Planning. Plans should be formalized through approval by the Chancellor.



29




Recommendation ORM should have the Emergency Management Plan formally approved and should establish a schedule to review and update the Emergency Response Plan.


6/19/2009 UTIMCO PUF Internal Controls

The objectives of this audit were to provide assurance to UTIMCO management and the UTIMCO Board of Directors’ Audit and Ethics Committee that internal controls over PUF financial reporting are adequately documented and to determine whether these controls are sufficient and functioning as intended. Follow-up procedures were also performed on open recommendations from the audit of internal controls over financial reporting performed in FY 2005.

None N/A Ensure accuracy of reporting and improve internal controls at a departmental level

7/22/2009 Health Science Center-San Antonio, Office of the President Change in Management Audit

Change in management audits primarily focus on financial controls, such as capital asset tracking, account reconciliations, and proper expenditure approval, as well as operational controls such as safeguarding of assets and proper segregation of duties. The specific objectives of this audit were to: • Determine the reliability and integrity of the Office of the President’s key financial information; • Determine whether internal controls are adequate and effective in safeguarding assets; • Determine whether other internal controls are in place and functioning as intended; and • Review overall departmental operations.

Finding The travel policies and procedures outline limits on airfare, no matter the funding source. However, the travel policies and procedures do not have guidance on dollar limits or method of selection for meals and lodging when using practice plan money, and for ground transportation and parking, regardless of source of funds. As a result, we observed a lack of guidance over the use of university resources for travel as evidenced by airfares, hotels, meals, ground transportation, and parking. Recommendation In order to maximize the institution’s travel budget, the travel policies and procedures should be enhanced so that more stringent guidance is provided on the selection and limits for ground transportation and airport parking as well as meals and lodging when using practice plan funds. There should also be a general provision for the conservation of funds and a requirement to document adequate explanations for instances




30




when a more expensive method is selected. Consideration should also be given to requiring submission of meal receipts when spending over the state reimbursement rate. Additionally, the Office of the President should ensure that those individuals who make travel arrangements fully understand the state contracted airfare amounts and airline carriers, adequately document the reasons for purchasing fares over the state rate, and, in general, make efforts to conserve funds while still meeting the traveler’s requirements. Finding Although no errors were found during the testing of travel and entertainment expense payments and reimbursements for executives within the Office of the President, it was noted that these reimbursements are approved by employees that are their direct reports. In addition, while no detailed testing was performed, we learned that it is common practice for the Deans’ travel expenses to be approved by their subordinates. Recommendation Travel and entertainment expense reimbursements for executives in the Office of the President should be approved by someone who does not directly report to them in order to present the correct tone at the top and elevate the expectations of others at the institution. In addition, the Office of the President should ensure key employees, across the institution, are properly trained so that practices over travel and entertainment expenses and reimbursements incorporate appropriate segregation of duties, specifically that employees do not approve expenditures for any person to whom they report, to avoid any appearance of impropriety and reduce reputational risk.



31




Finding In the Office of the President, non-exempt employees accrue hours at straight time instead of at a rate of 1.5 as required by the FLSA overtime provisions. Since state compensatory and overtime balances are maintained by the individual departments, this may be an institution-wide issue. Recommendation Consideration should be given to centralized and automated tracking of state compensatory time and FLSA overtime hours to ensure accurate balances are accrued. In the interim, the Office of the President should ensure that non-exempt employees accrue overtime at a rate of 1.5 as required by the provisions of the FLSA.


8/11/2009 Institutional Studies and Policy Analysis Departmental Audit

The specific objectives of this audit were to determine: • The reliability and integrity of the department’s key financial information; • Whether controls are adequate and effective in safeguarding assets; and • Whether internal control procedures are in place and functioning as intended.

Finding UT System has established account reconciliation guidance that account reconciliations be performed every month. Based on the testing performed and using 30 days after the end of a month as the criterion for timeliness, we found that accounts were not reconciled timely for two of the three months selected. More than 30 days elapsed before that month’s Statements of Account were reconciled and reviewed. Recommendation We recommend that ISPA reconcile its accounts in a timely manner (within one month of the month being reconciled).



8/31/08 FY 2009 Follow Up Perform follow-up audit of all open observations & recommendations with implementation dates on or before May 31, 2009 .

No New Recommendations Of the 22 recommendations not in a major audit area, 20 were implemented, 1 was closed, and 1 was partially implemented. Of the 7 recommendations pertaining to the major audit area of

Monitor and communicate the level of implementation of recommendations included in audit reports.


32




Office of Employee Benefits, 6 were implemented and 1 was partially implemented. All 10 recommendations pertaining to the major audit area of Oil & Gas were implemented.

8/31/2009 FY 2009 IT Follow Up

Perform follow-up audit of open Information Technology audit recommendations with implementation dates on or before May 31, 2009.

No New Recommendations We followed up on the implementation status of 10 outstanding recommendations from 6 audit reports and determined that all 10 recommendations had been implemented.

Monitor and communicate the level of implementation of recommendations included in audit reports.

8/31/2009 Cash Handling and Cash Management Audit

The objective of this audit was to evaluate System Administration’s compliance with UTS166, in particular, System Administration’s fulfillment of its fiduciary responsibility in handling, securing, and investing the funds of the institution

Finding UTS166 was not disseminated to all cash handling departments at System Administration, and there is not currently a designated responsible party at System Administration to ensure compliance with UTS166. Recommendation The Vice Chancellor for Finance and Business Development should work with System Administration management to designate the responsible party for ensuring that the relevant elements of the UTS166 policy are appropriately implemented at System Administration. Finding System Administration does not currently require cash-handling employees to attend training. We also noted that most personnel were not aware of UTS166 or its specific requirements. Recommendation The responsible party for cash handling at System Administration should develop a training course for department heads




33




and employees who handle cash. New employees who handle cash as well as seasoned employees should be required to attend this training. Finding Adequate segregation of duties requires functions to be divided so that no one person has control over all parts of a transaction. For cash and check handling, the responsibilities that are assigned to different employees are 1) open mail, log receipt, and restrictively endorse checks, 2) prepare and make deposits, and 3) reconcile to the Statements of Account. The opening of mail should be performed by two employees who are not involved with the deposit or reconciliation functions to provide assurance that all cash and checks received are properly logged and deposited. During testing, we noted several instances of inadequate segregation of duties with respect to handling cash receipts. Detailed results for each department tested can be found in the appendices following this report. Recommendation The responsible party should ensure that each department that handles cash implements adequate segregation of duties over the deposit process. Additionally, each department should have documented procedures that indicate the responsibilities of each employee involved in the deposit process. Proper segregation of duties should be included as part of the cash handling training. Finding Based on current processes, System Administration’s accounts receivable function is not centralized. UTS166 states that accounts receivable should be consolidated internally, if possible and cost effective, to minimize billing efforts and to identify high-risk accounts.



34




Recommendation The responsible party for UTS166 should consider centralizing the accounts receivable function at System Administration to enhance the internal controls surrounding cash receipts. Finding System Administration has not developed standard operating procedures for managing conferences, and there does not appear to be oversight or training for conferences other than the oversight provided by the department’s management. Recommendation The designated responsible party should consider developing standard procedures for managing conferences and trainings conducted by System Administration departments to increase the consistency of conference operations and to ensure adequate internal controls surrounding conference and training income. Finding We noted that deposits of attorneys’ fees were not always timely. In two instances involving checks under $500, one week (or more) elapsed between OGC’s receipt of a check and the date the check was deposited with Accounting & Purchasing Services (APS). Additionally, OGC receives debtor checks on behalf of, and to be sent to, the institutions. These checks are collected by OGC and sent to the appropriate institutions once a week, on Friday, which is not considered timely according to UTS166. It should also be noted that OGC’s check handling procedures do provide for special cases which require expedited processing for student loan checks, hospital lien checks, and checks over $10,000 received before noon on any day. Recommendation OGC should revise its check handling procedures to ensure that the processing and deposit of funds is completed

Scheduled follow-up to be performed during FY 2010 Scheduled follow-up to be performed during FY 2010 Scheduled follow-up to be performed during FY 2010


35




timely in accordance with UTS166 - Cash Management and Cash Handling Policy. Since the process to transmit debtor checks on a weekly basis to the institutions was approved prior to the implementation of UTS166, OGC should obtain written re-approval for an exception to the twice-weekly deposit requirement from the to-be-designated responsible party for UTS166. Finding In OGC, mail is received and checks are logged by one person. The same individual who prepares and makes the deposit with APS also reconciles the deposits to the Statements of Account. However, the risk posed by one person opening the mail is mitigated since the checks received by OGC are expected (i.e., accounts receivable). Recommendation OGC should enhance the segregation of duties over the cash receipting process by having an individual other than the one who prepares and makes the deposits reconcile both the Statements of Account and the accounts receivable to the check log to verify that the amounts recorded agree with the amounts billed and received. Finding The Office of External Relations (ER) reconciles its Statement of Accounts to its Raiser’s Edge (gift tracking) database on a monthly basis. However, UTS166 requires daily reconciliations between bank deposits and banking records. Regarding transport of System assets, UTS166 requires all transfers made off-campus to be made by contracted armored transport, secure transport, campus police, or security personnel, unless the CBO has given written approval for exceptions. Recommendation ER should consider requesting a copy of the daily bank deposit receipt from UTIMCO to reconcile the deposit

Scheduled follow-up to be performed during FY 2010 Scheduled follow-up to be performed


36




to its accounting records in order to enhance controls over cash handling. Additionally, ER should obtain written approval from appropriate executive management authorizing the off-campus transport of assets by non-security personnel in accordance with UTS166. Finding ER relies on CVENT, an online event management system, to process seminar registrations, including tracking attendees’ payment for the seminars. Based on the information provided by ER, we recalculated expected income based on the CVENT registration list but were not able to reconcile it to the actual income recorded in the *DEFINE accounting records. Recommendation ER should research the variance identified to ensure that all seminar income due was received and appropriately recorded in *DEFINE. If ER determines that the income received and recorded is not accurate based on further investigation, then it should determine the cause of the variance to implement appropriate internal controls over the seminar registration process. Finding University Lands’ internal “Records and Revenue Procedures” appears to have been last updated in 1997 and contains outdated information. Recommendation University Lands should update its documentation to accurately reflect current records and revenue procedures and ensure compliance UTS166, as applicable. Finding We found that IPSI’s grant reimbursements were dated at least five weeks from the end of the month, with one being billed over eight weeks after the end of the month. Since IPSI’s grant-reimbursable expenses are paid up front from System Administration’s

during FY 2010 Scheduled follow-up to be performed during FY 2010 Scheduled follow-up to be performed during FY 2010


37




operating account, untimely reimbursements impact the potential interest earned by System Administration. Recommendation: IPSI should ensure that its grant-related expenses are submitted timely for reimbursement in accordance with UTS166. Finding At IPSI, the same individual who prepares and makes the deposit with APS also reconciles the deposits to the Statements of Account. This does not provide for adequate segregation of duties over the check receipt process. In addition, only one person opens the mail; however, the risk posed by one person opening the mail is mitigated since the checks received by IPSI are expected (i.e., a receivable). Recommendation IPSI should enhance the segregation of duties over the check receipt process by having an individual other than the one who prepares and makes the deposits (and other than the one who maintains the check log) perform the reconciliations of the Statements of Account. If possible, two individuals should perform the mail-opening function. Finding Based on testing, four out of six checks received by ORM selected for testing were not date stamped. While not specifically required by UTS166, ORM’s internal check handling procedures state: “When an administrative assistant receives a check while opening the mail from another section of ORM, they will notify the Risk Finance Administrative Assistant who will then date stamp and initial the check and will also enter it into the check log.” Date stamping received checks provides a way to determine whether a check was received and deposited timely.



38




Recommendation: All checks should be date stamped in accordance with ORM’s check handling procedures.


8/31/2009 Approach Operating Oil & Gas Audit

To determine whether Approach Resources Inc. has complied with the oil and gas lease terms as well as the Board for Lease Rules and Regulations related to reporting of oil and gas production and royalty remittance from its leases on PUF lands for the period of December 2007 through January 2009. The objectives of this engagement are to determine whether: • Production reported to the

University was reasonable; • Proceeds from gas and oil sales

were reasonable, and that the corresponding royalties have been remitted to the University;

• Approach has established controls to assure that LACT meters and gas sales meters are calibrated on a regular basis.

• Gas stream sampling is conducted every six months in accordance with the BFL Rules and Regulations.




39

IV. List of Consulting Engagements and Non-audit Services Completed




10/22/2008 Audit of Royalties at UTHSC-H

The objective of this audit was to determine whether UTHSC-H and the inventors receive royalties from the purchase of products with TEEM funds.

Finding Royalties were mistakenly paid for the sale of products purchased with TEEM funds, both from the State Center and through individual purchases. Recommendation UTHSC-H should review prior royalty reports to determine which royalties were paid in error. In the future, UTHSC-H should implement a standard royalty report format for these vendors so that all required information is submitted. To ensure accuracy, the TEEM staff should review the reports to ensure that royalties are not paid for TEEM purchases. Finally, UTHSC-H should provide a list of participating TEEM communities and entities to the vendors to assist them in determining whether or not a product is purchased with TEEM funds.

Implemented

Ensure compliance with guidelines

1/9/09 UTSA NCAA FYE 8/31/08

The objective of the engagement is to perform certain agreed upon procedures to fulfill the requirements of external auditors specified in the NCAA guide.

There were no findings and recommendations from agreed-upon procedures performed.

N/A Reduce the risk of incomplete revenue and expenditure reporting on athletic department activities

1/11/09 UTEP NCAA FYE 8/31/08


There were no findings and recommendations from agreed-upon procedures performed.

N/A Reduce the risk of incomplete revenue and expenditure reporting on athletic department activities

1/11/09 UTPA NCAA FYE 8/31/08


Finding: We noted that all funds received by UTPA Athletics related to a UTPA Coca-Cola contract was classified as sponsorship revenue. However, UTPA Athletics does not control the amount it receives from this contract, as the institution grants the funds at its discretion. Consequently, all of the funds received, with the exception of the actual advertising value granted to Coca-Cola for athletic events, must be classified as direct

Reduce the risk of incomplete revenue and expenditure reporting on athletic department activities


40




institutional support. The funds that can be attributed to Coca-Cola’s advertising at athletic events may remain classified as sponsorship revenue. UTPA transferred $557,461 and $24,000 was deemed sponsorship revenue. Recommendation: We recommend that UTPA Athletics classifies all funds received from the institution related to the Coca-Cola contract be appropriately classified as direct institutional support, with the exception of funds that can be considered specifically due to UTPA Athletics as a result of advertising. Finding: During our testing we noted out-of-state tuition waivers were inconsistent with the number of hours students were enrolled. As a result, we recalculated the value of the tuition waivers received using the number of enrollment hours per student and the difference between the in-state and out-of-state tuition rates and found that tuition waivers were understated by $8,896. Recommendation: We recommend that UTPA Athletics reconcile the UTPA Athletics records related to waivers to the financial aid waiver schedule in order to accurately report the waiver amounts on the SRE.

Scheduled follow-up to be performed during NCAA audit in FY 2010. Scheduled follow-up to be performed during NCAA audit in FY 2010.

1/11/09 UTA NCAA FYE 8/31/08


Finding: Though improved, the manual preparation of supporting schedules remains a time-consuming, manual process that is susceptible to error. Recommendation: The Athletics Department should consider using spreadsheet software to electronically link its supporting schedules with the SRE. Amounts in the supporting schedules should include, at minimum, the account number, account name, amount, object code, and record date, as well as the ultimate location in the SRE as revenue or an expense.

Scheduled follow-up to be performed during NCAA audit in FY 2010.

Reduce the risk of incomplete revenue and expenditure reporting on athletic department activities


41




Finding: We noted that $12,000 in gifts from previous fiscal years was initially included on the SRE as men’s golf gift revenue. Athletics made the correction to the final SRE. Recommendation: In preparation of the SRE, the Athletics Department should identify amounts from the current fiscal year only and not include gifts which were recognized in previous fiscal years. Finding: We noted that the salary and related benefits for a part-time University staff member who provides academic support on behalf of the Athletics Department was not initially included on the SRE. It appears that the salary was not included because it was funded from an account external to the Athletics Department, the Office of the Associate Provost – Administrative and Professional Salaries account. Salaries paid from a separate institutional department for academic support on behalf of the Athletics Department should be included on the SRE. Athletics made the correction to the final SRE. Recommendation: The Athletics Department should develop a process to identify and ensure that all operating revenues and expenses in support of the Athletics Department are included on the SRE. Finding: The initial SRE did not include $49,000 in transfers to the Athletics Department to pay for improvements to the Softball Complex and Maverick Stadium. Athletics made the correction to the final SRE. Recommendation: The Athletics Department should ensure that transfers used to pay expenses on behalf of the Athletics Department for Athletics facilities are included within the SRE.

Scheduled follow-up to be performed during NCAA audit in FY 2010. Scheduled follow-up to be performed during NCAA audit in FY 2010. Scheduled follow-up to be performed during NCAA audit in FY 2010.


42




6/4/2009 Employee Assistance Program Review

The objective of this review was to seek opportunities to improve the effectiveness of the EAP.

Finding OEB has provided limited oversight to institutional EAPs. During the initial years of the program, the institutions submitted utilization reports to OEB; however, the reports were not analyzed by OEB and the reporting practice was discontinued. In addition, while some institutions track their programs, we could not determine, on a systemwide level, whether the program is using State and local resources effectively to achieve the expected benefits outlined in the 1991 plan. Recommendation: OEB should provide oversight of the portion of each institution’s EAP services that are funded through the Health Plan premiums as soon as feasible. Finding Our survey of 15 institutional EAPs indicates that EAP operations vary significantly from one institution to another. The variances from the 1991 EAP plan indicate that the plan has been discarded in practices by UT institutions. Recommendation: OEB should develop a new EAP plan that redefines elements such as eligibility, purposes and goals, program requirements, expected outcomes, and accountability. The new plan should also include fund utilization requirements and guidelines and mandate measurement of the program effectiveness and efficiency by the institutions and OEB. Finding: We identified the following issues related to the use of EAP funds: • In addition to services with a direct impact on the Health Plan (emotional, mental and


Ensure adequacy of controls and compliance with guidelines.


43




psychiatric illness, and chemical dependency related services), EAPs also provide services without a direct impact (such as counseling for job performance, family, relationship, legal, and financial issues). The GAA requires that funds appropriated for higher education employees’ group insurance contributions not be used for non-health- or fitness-related purposes. • One institution provides EAP services to individuals who are not Health Plan-eligible. Health Plan premiums should only be used to benefit-eligible UT System employees, retired employees, and their dependents. • EAP funds may not be used efficiently by some institutions since the average estimated per visit cost of $213 (per visit cost ranges from $112 to $380) appears high when compared to the cost of $64 per hour for a counseling visit covered by the Health Plan. The estimate was based on an institution’s total EAP cost and total number of counseling visits; costs for non-counseling services (such as training and health fairs) were included due to the lack of detailed information. Recommendation: OEB should narrow the terms of the EAP plan to ensure that EAP funds provided to the institutions are used only for health- and fitness-related services that can be clearly connected to the Health Plan. Institutions should be required to limit coverage that is funded by the Health Plan to Health Plan participants only. To the extent that institutions provide non-health- or fitness-related services through the EAP and/or any services to individuals who are not Health Plan participants, such services should not be funded through Health Plan premiums. For EAPs with supplemental funding from the institutions, tracking the spending of the EAP funds is crucial to ensure that Health Plan funds are spent for the appropriate purposes allowed by the legislature. If funds are found to



44




be used inefficiently, OEB should consider re-directing the funds to other allowed activities.

6/11/2009 UT Pan American Management Review

The objective of our engagement was to identify the strengths and the weaknesses of UTPA including emerging challenges.

UTPA needs to develop areas of excellence, readily recognized by students, the community, and the state that are woven into the fabric of UTPA’s identity. Development of signature programs will require a more focused strategy, supplemented by strategic business plans. Additional research facilities and the growth of quality graduate and doctoral programs are necessary for a growing research enterprise. Elevating the university to the next level will also require thoughtful, collaborative fiscal management coupled with strengthening development, marketing, and community engagement. It also is important that UTPA and STC work together to ensure the mutual success of both institutions and meet the higher education needs of one of the fastest growing regions in the nation. The selection of the next president is critical. The new president will need to be a strong leader that is actively engaged in the community, is an effective fundraiser, works collaboratively with state and national legislators, ensures that university’s programs complement area growth, and addresses and prioritizes several challenges and opportunities.

N/A

6/25/2009 OFPC Customer Survey

The objective of this engagement was to assist in administering customer and client surveys and validating the accumulated results for OFPC.

Based on the survey results, we determined that OFPC provides valuable services to its customers.

n/a Value of services provided.


45

V. Organizational Charts

Chief Audit Executive(1)

Manager(2.2)

Assistant Directors(2)

Supervisors(1)

Manager(1)

Administrative Coordinator

(1)

Administrative Associate

(1)Senior Auditor

(3) Auditors

(5)


46

VI. Report on Other Internal Audit Activities

Activity Impact

Entered into agreements with executive management to review areas that they requested our services in.

Provided executive management valuable feedback through performance of special request projects at System Administration and the institutions, including UT Health Science Center – Houston, UT Health Science Center – San Antonio, and UT Pan American.

Presentations to Other Organizations Participated in advancing the internal auditing profession in a variety of capacities and shared knowledge gained in information security, internal controls, and internal auditing through presentations for and executive/board membership in professional organizations such as The Institute of Internal Auditors, the Association of College and University Auditors, Information Systems Audit and Control Association, and the Texas Association of College and university Auditors.

Provided the Audit, Compliance, and Management Review Committee, information on the internal audit function for fiscal year 2009

Improved communication with Board of Regents on the internal audit activities, including oversight at the institutions.

Provided consultation, guidance, assistance and in some cases oversight to the institutions’ internal audit departments

Improved independence, expertise, and audit oversight at the UT institutions. Specifically, we reviewed and provided feedback on institutional annual audit plans, were involved in peer reviews, provided guidance on some of the more complex audits (i.e. police department financial internal controls) and provided assistance to some of the smaller institutions on financial audit work and information technology audits/projects.


47

VII. Internal Audit Plan for Fiscal year 2010


System Administration - Part 1 of 2

Budgeted Priority % of

Audit/Project Hours Total

Financial FY 2009 System Administration and Consolidation Financial Audit 800 FY 2010 System Administration and Consolidation Financial Audit 200 Chancellor's Travel, Entertainment & Housing Expense Audit 100 System Administration Cost Efficiencies Audit 350 UTIMCO Financial Statement Audit Assistance 500 UTIMCO CEO/CIO Travel and Other Expenses Audit 100 UTIMCO Meetings and Oversight Activities 100

Carryforward Audits UTIMCO CEO Travel and Other Expenses Audit 30

Financial Subtotal 2180 22%

Operational Audit of Payments to Insurance Carriers 300 Shared Services Initiative Review 300 Board of Regents Travel and Entertainment Expense Audit 200 System Administration Strategic Audit 800 System Administration Hosted Conferences Audit 200 University Lands Audit 500 Oil and Gas Producers Audits 1000 Office of Facilities, Planning, and Construction (OFPC) Audits 500 General Audit Assistance to System Administration Departments 100

Change in Management/Departmental Audits Office of Strategic Management Departmental Audit 150 Facilities Services Departmental Audit 150 Real Estate Departmental Audit 150

Carryforward Audits Office of the Director of the Police (ODOP) Operations Review 25 OFPC Co-source Audit with Townsend 75


48

Oil and Gas Company Audit - Pioneer Natural Resources 75 Vendor Selection Process Review 75

Operational Subtotal 4600 47%

Compliance Ethics Audit 300 Office of Employee Benefits Dependent Eligibility Audit 200 UTIMCO Derivatives Policy Audit 300 UTIMCO Due Diligence Audit 300

Compliance Subtotal 1100 11%

Information Technology Information Technology (IT) Governance Audit 300 University Lands OGCIS System Audit 300

Carryforward Audits UT Arlington Profile Application Audit 100

Information Technology Subtotal 700 7%

Follow-up System Administration Follow Up FY 2010 500 Carryforward Audits System Administration Follow Up FY 2009 50

Follow Up Subtotal 550 6%

Projects System Administration IT Systems Assessment 100 Internal Audit Committee 300 State Auditor's Office Reporting and Requests 25 FY 2011 Audit Plan and Risk Assessments 50 Special Requests 200

Projects Subtotal 675 7%

Total Hours 9805 100%


49


Oversight - Part 2 of 2


Audit/Project Hours Total

Financial Guidance Provided to the Institutions related to the Systemwide Financial Audit - FY 2009 500 Guidance Provided to the Institutions related to the Systemwide Financial Audit - FY 2010 250 NCAA Agreed Upon Procedures at UT Arlington 400 NCAA Agreed Upon Procedures at UT El Paso 400 NCAA Agreed Upon Procedures at UT San Antonio 400 NCAA Agreed Upon Procedures at UT Pan American 400 NCAA Agreed Upon Procedures at UT Permian Basin 400 Jackson Estate 300

Financial Subtotal 3050 37%

Operational Audit Assistance to Smaller Institutions 50 UT Southwestern President's Travel, Entertainment & Housing Expense Audit 125 UT Medical Branch at Galveston President's Travel, Entertainment & Housing Expense Audit 125 UT El Paso President's Travel, Entertainment & Housing Expense Audit 125

Change in Management/Departmental Audits UT San Antonio President Office Audit 300 UT Brownsville President Office Audit 300 President Office Audit – TBD 300

Operational Subtotal 1325 16%

Compliance UTHSC-San Antonio Practice Plan Audit 300 UTHSC-Tyler Practice Plan Audit 300 Guidance Provided to the Institutions related to the Practice Plan Audits 50 Guidance Provided to the Institutions related to the Stimulus Money (ARRA) 50

Compliance Subtotal 700 9%

Information Technology Texas Administrative Code (TAC) 202 Audit at UTPB 200 Peoplesoft Audit at UT Tyler 300 Guidance provided to UTHSC-Tyler on the TAC 202 and Information Technology Governance Audits 200 Systemwide Huron Time & Effort Application Audit 450


50


Audit/Project Hours Total Systemwide Wireless Access Audit 450 Guidance Provided to the Institutions related to IT Audits 50

Information Technology Subtotal 1650 20%

Follow-up Systemwide Significant Findings/Recommendations Tracking (Red, Orange, Yellow, Green - ROYG) 350

Follow Up Subtotal 350 4%

Projects Institution Liaison Activities 500 Guidance/Assistance Provided to the Institutions related to Audits conducted Systemwide 50 Exchange Program Coordination 25 FY 2011 Systemwide Audit Plan 25 FY 2011 Institutional Annual Audit Plan Hearings 100 Audit, Compliance, and Management Review Committee and Board of Regents Meetings 300 Internal Audit Council 100

Carryforward 2010 System-wide Audit Plan 25

Projects Subtotal 1125 14%

Total Hours 8200 100%


51

VIII. External Audit Services

The University of Texas Investment Management Company (UTIMCO) contracted with Deloitte & Touche, LLP, to perform an independent audit of the Fiscal Year 2008 Financial Statements of UTIMCO Corporation, the Permanent University Fund, the General Endowment Fund, the Permanent Health Fund, the Long Term Fund, and the Intermediate Term Fund.


52

IX. Reporting Suspected Fraud and Abuse Actions taken to implement the requirements of Article IX, Section 17.05, and Article XII, Section 5(c), the General Appropriations Act (81st Legislature) and Texas Government Code, Section 321.022:

• Fraud reporting (per General Appropriations Act 81r, Article IX, Section 17.05)

o Added link on UT System homepage to SAO fraud reporting o Updated UT System policy (UTS118) to reflect reporting fraud involving state

funds to SAO • Reporting requirements (per GAA 81r, Article XII, Section 5(c))

o Not applicable. UT System Administration is not required to submit an ARRA report.

• Texas Government Code, Section 321.022 o Updated UT System policy relating to fraudulent activities. o Provided fraud training during FY 2009, required of all UT System

Administration employees. Refresher fraud training will be provided on a biennial basis.

the university of texas system...fy 2008 system admin & consolidation financial audit 1000 9% fy...

Documents