TRANSCRIPT
2014 FOA/PSSOA CSU Business Conference
Audits: The People, the Plan & the Process
Wendee Shinsato – Senior Audit Manager
Ann Hough – Audit Manager
Agenda
Office of Audit and Advisory Services
Annual Audit Planning Process
Individual Audit Planning Process
2013 Subject Audits
2014 Subject Audits
Questions
Contact Information
Office of Audit and Advisory Services
Audit Planning Process
Audit Survey sent to all 23 campuses in the last quarter of each year. This information is combined with other input, including:
Discussions with Chancellor’s Office management.
Discussion with the audit committee chair.
External trends and input.
We present the audit plan at the January Board of Trustees meeting each year for approval of audit assignments. http://www.calstate.edu/bot/agendas/
Individual Audit Planning Process
Determined by a subject-specific risk assessment that includes, but is not limited to:
Review of CSU policies, laws, regulations, and other criteria.
Specialized training in the subject area.
Discussions with CO management.
Discussions with campus personnel, including Vice Presidents of Administration and Department Managers.
Review of previous and related audits, both from inside the CSU and from the outside: state auditors, the UC system, other universities.
2013 Subject Audits
2013 Subject Audits
Eight audits were approved by the Board of Trustees for 2013:
Credit Cards
International Programs (Round 2)
Hazardous Materials
Sensitive Data Security and Protection (2011)
Centers and Institutes
Student Health Services
Sponsored Programs – Post Award
Conflicts of Interest (not performed)
Finalized audit reports can be reviewed on our website at http://www.calstate.edu/audit
2013 Systemwide Audits
Credit Cards
http://www.calstate.edu/audit/Audit_Reports/creditcards/2013/1323CreditCardsSYS.pdf
Remaining systemwide audits for 2013 have not yet been finalized, but will be available on our website when they are complete.
Credit Cards – Observations and Trends
Policies and Procedures – Campuses often did not have adequate policies and procedures for credit card programs, outside of the main procurement card program.
Personal Liability Cards – Applications were not always appropriately approved and cardholder agreements obtained.
Personal Liability Cards – Use of personal liability cards was not monitored to ensure that only business-related expenses were incurred and payments made in a timely manner.
Credit Cards – Best Practices
Many campuses performed a 100% audit of all procurement card reconciliation packages. The key here was to ensure that violations are documented and sanctions enforced.
Include both procurement/travel cards and personal liability cards on separation checklists. Automate notification of separated employees to alert the appropriate credit card administrators.
International Programs – Observations and Trends
Authority – Many programs were not properly approved.
Third-party Providers – Non-compliance with specific requirements regarding due diligence, and acceptance of material benefits from vendors.
Student Orientations – For CSU students going abroad, and for international students arriving for CSU courses.
International Programs – Best Practices
Some campuses had strong centralized departments that effectively identified and administered all IP programs from various initiating areas: the CO, the individual colleges, and outside universities.
Some colleges strategically integrated curriculum development with IP opportunities to maximize the benefits to participants. One campus requires all students to participate in an international program as part of the graduation requirement.
Hazardous Materials Management – Observations and Trends
Roles and Responsibilities – “I thought EH&S did this for us.”
Hazard Communication Program – The requirement to inform employees and students of the hazards in the workplace; labelling was nearly always an issue.
Inspections – Required as part of the Injury and Illness Prevention Program; the process was often in disarray.
Laboratory Safety – Lack of an adequate Chemical Hygiene Plan and/or designation of a Chemical Hygiene Officer.
Hazardous Materials Management – Best Practices
All campuses had well-qualified, experienced and knowledgeable management.
Best practices would include an inspection program that identifies and quantifies the risks; tailors an inspection schedule on perceived risk; clearly identifies and educates responsible parties; and includes processes to monitor completion of assigned inspections and follow up on required remediation.
Sensitive Data – Observations and Trends
GOVERNANCE!
No inventory of protected data or complete listing of electronic and paper records. Data ownership had not been consistently assigned.
Protected data held in paper documents was not adequately controlled.
New employees with access to sensitive data had not received security awareness training.
Sensitive data stored on servers was not always behind secure campus firewalls or other network controls, and protected data was not always stored in an encrypted format.
Equipment disposition processes did not ensure that data had been wiped from computers prior to being surplused or donated.
Sensitive Data – Best Practices
A best practice would be to survey or inventory sensitive data annually, in order to know what data is out there, and who is responsible for it.
Campuses with more centralized IT operations seemed to have a better grasp of overall campus data and the controls in place for that data.
Centers and Institutes – Observations and Trends
The definition for centers and institutes could be improved to ensure that entities are recognized and reported by the campus.
Reviews of centers were not always performed in accordance with campus policy.
Center fiscal administration needed improvement – most often in receipt of funds and use of written agreements and contracts.
Centers and Institutes – Best Practices
SLO had a well-defined and clear organizational structure that made responsibility for centers and institutes on campus very clear.
Some campuses tied the periodic review to renewal of the center charter.
Northridge had a very robust center and institute policy that included a “one-stop” shop for operating procedures (revenue, expenses, human resources, travel, etc.).
Student Health Services – Observations and Trends
Governance and Oversight – The provision that the campus designate accountability for “all university health services,” including those offered in Athletics and in the academic areas, was not always met.
Types of Services Offered at the SHC – Provisions regarding the vetting and approval of augmented services were not always met.
Pharmacy – Issues regarding segregation of duties noted at smaller campus pharmacies, and exceptions related to appropriate inventory practices.
Student Health Services – Best Practices
All campuses substantially met requirements for the minimum basic services available.
One campus had a robust health education program that was directly tied to relevant information regarding student needs, delivered by a well-trained and supervised peer health team of students pursuing degrees in health education.
Post Award – Observations and Trends
PI Conflict of Interest statements were not always obtained in a timely manner.
Effort certifications were not always accurate or did not include adequate supporting documentation (additional employment, cost share effort).
Sub-Recipient risk assessments – Documentation, timeliness, signatures and dates.
Post Award – Best Practices
Cost sharing at Chico:
Cost sharing is reviewed every time the sponsor is invoiced.
Use of cost share commitment forms and agreements helps to quantify and track cost share.
Effort reporting:
Use of reimbursed-time purchase orders at some campuses provides easy tracking for faculty time.
Northridge conflict of interest disclosure forms for federal awards include review signatures and actions.
2014 Audits
2014 Subject Audits
Seven audits were approved by the Board of Trustees for 2014:
Conflict of Interest (carryover from 2013)
ADA Web Accessibility (renamed to Accessible Technology)
Lottery Funds
Executive Travel
Sponsored Programs – Post Award (Round 2)
Information Security
Continuing Education
Conflict of Interest
Audit Scope:
General administration of the conflict of interest program.
Review and identification of designated positions.
Timely and accurate completion of conflict-of-interest disclosure statements and related ethics training.
Employee/vendor relationships.
Gift to agency reporting.
Audit Status: Fieldwork completed for first three audits.
Accessible Technology
Audit Scope:
Compliance with Section 508 and CSU Accessible Technology Initiative requirements.
Student and employee accessibility to technology (i.e., physical structures excluded).
Campus governance and executive support.
Coordination between various constituent groups.
Campus responsiveness to requests or complaints.
Audit Status: Fieldwork for pilot audit in progress.
Lottery Funds
Audit Scope:
Review of campus lottery fund allocation and expenditure policies and procedures to ensure compliance with CSU and state requirements.
Review of internal campus processes for monitoring, reviewing and approving campus discretionary allocations to specific programs and/or areas.
Examination of specific programs receiving lottery funding to confirm the expenditures are in conformance with state and CSU restrictions.
Audit Status: Fieldwork complete at two campuses.
Executive Travel
BOT Agenda:
Proposed audit scope would include review of campus travel policies and procedures to ensure alignment and compliance with CSU requirements; review of internal campus processes for monitoring, reviewing and approving travel expense claims; and examination of senior management travel and travel expense claims for proper approvals and compliance with campus and CSU travel policy.
Sponsored Programs – Post Award
Audit Scope:
Training
Conflict of Interest Filings
Effort Reporting
Cost Sharing
Sub Recipient Monitoring
Fiscal Administration
Information Security
BOT Agenda:
Proposed audit scope would include review of the systems and managerial/technical measures for ongoing evaluation of data/information collected; identifying confidential, private or sensitive information; authorizing access; securing information; detecting security breaches; and security incident reporting and response.
Continuing Education
BOT Agenda:
Audit scope includes review of the processes for administration of continuing education and extended learning operations as self-supporting entities; budgeting procedures, fee authorizations, and selection and management of courses; faculty workloads and payments to faculty and other instructors; enrollment procedures and maintenance of student records; and reporting of continuing education activity and maintenance of CERF contingency reserves.
CA State Auditor Report: http://www.bsa.ca.gov/reports/summary/2012-113
Questions?
Ann Hough [email protected]
Wendee Shinsato [email protected]
Greg Dove (IT audits) [email protected]
Mike Caldera (Advisory Services) [email protected]