1 / 41

Annual Report on Internal Audit Activities 2006 - 2007

University of California. Annual Report on Internal Audit Activities 2006 - 2007. ANNUAL REPORT ON INTERNAL AUDIT ACTIVITIES 2006 - 2007. Executive Summary - Introduction Audit Program Analysis Audit Program Results Investigation Activities Staffing and Other Benchmark Analyses

Download Presentation

Annual Report on Internal Audit Activities 2006 - 2007

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. University of California Annual Report on Internal Audit Activities 2006 - 2007

  2. ANNUAL REPORT ON INTERNAL AUDIT ACTIVITIES 2006 - 2007 • Executive Summary - Introduction • Audit Program Analysis • Audit Program Results • Investigation Activities • Staffing and Other Benchmark Analyses • Strategic Plan • Appendix 1 Internal Audit Organizational Chart 3 9 13 28 32 39 41

  3. ANNUAL REPORT ON INTERNAL AUDIT ACTIVITIES 2006 - 2007 Executive Summary - Introduction This Annual Report on Internal Audit Activities presents various summary level and analytical information regarding the University of California Internal Audit Program for Fiscal Year 2006-2007 (FY07). The objective of this report is to communicate the results of our Audit, Advisory Service, and Investigation efforts and, through interpretation of these results, comment on the University’s internal control environment. The twelve campus/national laboratory and UCOP Internal Audit Directors prepared annual reports for their local audit committees and leadership which underlie this systemwide annual report. During FY07, we continued the emphasis on follow-up activities to ensure timely corrective action on audit findings. We closed over 2,000 management corrective actions (MCAs) and reduced by 28% the number of open items as compared to the prior June 30th. Since 2005, we have closed over 7,300 management corrective actions. With the creation of our Audit Tracker database, we have been able to report on delinquent MCA’s for those items that we considered to be of the highest risk. Throughout the year, effort was made to address these open conditions, and we reported the status of those items periodically to The Regents’ Committee on Audit as well as to the local audit committees. As of October 2007, there are 12 remaining delinquent MCA’s with high risk exposure. This is down from 67 reported in 2005, and 36 reported in 2006. There are a variety of business reasons for the delays, principally long-term IT solutions and resource constraints. All of these past due corrective actions have been brought to senior management attention and are subject to active plans for completion. A complete listing of the high risk past due items is provided in Section III of this report.

  4. ANNUAL REPORT ON INTERNAL AUDIT ACTIVITIES 2006 - 2007 Highlights During FY07, the UC Internal Audit Program: • Rendered nearly 600 audit, advisory services, and investigation products resulting in nearly 1,800 recommendations for improvements to internal controls that were agreed upon with management. • For the second year in a row, hours devoted to Advisory Services surpassed Investigation hours. This is a positive trend that we hope to continue and build upon as we believe our advisory service efforts address internal control issues more proactively. • Completed several noteworthy systemwide audits (see Section III, pages 19-20) • Reduced the number of open Management Corrective Actions (MCA’s) as follows: • Beginning MCA Number – 859 • MCAs added – 1,798 • MCAs closed – 2,047 • Current open inventory of MCAs – 610 • Reduced the number of Open High Risk MCA’s from 139 in FY06 to 78 for FY07. • Reduced the number of Open High Risk MCA’s that are past due from 36 in FY06 to 12 in FY07

  5. ANNUAL REPORT ON INTERNAL AUDIT ACTIVITIES 2006 - 2007 Highlights (cont’d) • Met or exceeded benchmarks for: • Productivity--86% (goal 85%) • Completion of the Audit Plan--79% (goal > 70%) • Coverage of matters assessed as High Risk (72%) • Coverage of Core Audit areas--26% (target of 20-33% for a 3-5 year cycle) • Led the roll-out of the Ethics Briefing Program and the Conflict of Interest training modules. • Participated in efforts to educate the University about SAS 112 and prepare for its increased levels of reporting on internal controls by external auditors. • The University Auditor’s Office sponsored a three day All Auditor Conference that was attended by over 110 campus and laboratory auditors. The conference provided general audit training as well as specialized sessions for laboratory and health science auditors, and included opening remarks by Regent Ruiz as Audit Committee Chair. • Conducted a number of campus internal audit Quality Assurance reviews, and sponsored a New Auditor Orientation session for newly hired campus and laboratory auditors.

  6. ANNUAL REPORT ON INTERNAL AUDIT ACTIVITIES 2006 - 2007 • Summary and Conclusions We believe the University of California Internal Audit Program continues to be a significant element of the University’s overall control structure and a positive influence on the control environment. A robust program of work was carried out during the year to assist management and The Board of Regents, a substantial portion of which was responsive to current events. Based on our FY07 work, we can assert the following as being generally true with no reportable exceptions: • Management of the University is cognizant of their responsibility for internal controls and takes seriously the need for controls and accountability. • There is respect for the objectives of the Internal Audit Program; a high level of cooperation is received, and there is no interference with either the accomplishment of our tasks or our responsibilities to report to The Regents. • Managers actively participate in the identification of risks and work collaboratively with Internal Auditors to address issues raised during Audits, Advisory Services engagements, and Investigations. • Management is comfortable seeking out Internal Audit for advice and consultation on matters with internal control implications. • Matters of importance are reported to The Regents.

  7. ANNUAL REPORT ON INTERNAL AUDIT ACTIVITIES 2006 - 2007 Summary and Conclusions (cont’d) In conjunction with the nearly 600 completed Audit, Advisory Services and Investigation projects, we identified no conditions that we believed to represent material deficiencies in internal controls to the University system as a whole from a financial standpoint. Further, while we acknowledge that management has ultimate responsibility for establishing internal controls to manage risks, we identified no circumstances in which we believe that management’s decisions resulted in the acceptance of unreasonable levels of risk. Although we did not identify material control weaknesses, there were opportunities for the University to implement more effective monitoring and oversight activities. This observation was evidenced by our work in Construction Soft Costs, Conflict of Commitment and Outside Activities of Faculty Members, and Executive Compensation. Locations also saw this condition in research programs, contract and grant administration, and medical center activities and support the need for an increased level of systemwide monitoring for consistency and compliance with policy. Our audit efforts also identified that the University is faced with the challenge of maintaining adequate security and control over data. Our decentralized campus environment, sophistication of network hackers, and increased regulatory requirements for protecting personal information have increased the risk to the University.

  8. ANNUAL REPORT ON INTERNAL AUDIT ACTIVITIES 2006 - 2007 Challenges The Internal Audit Program is always challenged to keep pace with an ever-changing environment and a growing University with the same or reduced resources. While turnover during 2006-07 was at a normal level, we remain less than fully staffed and are in the process of filling two vacancies at the Audit Director level for the first time in several years. Compensation has proven to be an issue in both of those recruitments. The challenge to keep pace with change and maintaining adequate resources areconstant challenges that only vary by degree from year to year. Our most contemporary and unique challenge currently is adaptation to the establishment of a new combined compliance oversight and audit program under new leadership. This change is also occurring against the backdrop of the restructuring of UCOP and the redefinition of its role. The Internal Audit Program is committed to contributing to the strengthening of the governance structure of the University while maintaining the appropriate role and responsibilities of management for internal controls and preserving a vital Internal Audit Program.

  9. II. Audit Program Analysis The tables and charts contained in the following section show the summary and distribution of Audit Program efforts for the year by type of service (Audits, Advisory Services and Investigations) and across functional areas of the University. They demonstrate the breadth of coverage and areas of greatest concentration. We believe this distribution represents a reasonable deployment of resources and demonstrates our primary commitment to the program of regular audits, availability for advisory services and responsiveness to the needs of investigations without undue intrusion on the audit program. We also believe the distribution along functional lines is reasonably balanced in relation to relative risk in the University’s lines of business. As a result of the creation of Los Alamos National Security, LLC (LANS), effective June 1, 2006, the LANL audit department no longer reports to the University Auditors’ Office and is not a part of the following audit analysis. With the creation of Lawrence Livermore National Security, LLC (LLNS), the LLNL audit department will no longer report to the University Auditor’s Office, however, their audit results for the year ended September 30, 2007 are included in the following analysis. The University Auditor sits on the Audit & Ethics Committees of LANS and LLNS.

  10. II. Audit Program Analysis Table 2 Table 1 Table 3

  11. II. Audit Program Analysis The chart below distributes effort by service type (7-Year Trend). This chart demonstrates that our continued primary emphasis is the program of regular audits. The chart also depicts a leveling off of the advisory services and investigation activities. Our goal has been to increase the advisory service activity but special audit work has prevented us from achieving that goal. Hours Chart 1

  12. II. Audit Program Analysis The chart below distributes Audit, Advisory Service, and Investigation hours by functional area and service type. Chart 2

  13. III. Audit Program Results – FY07 MCA’s As previously indicated, our FY07 audit program work produced approximately 600 audit, advisory service, and investigation products resulting in 1,798 Management Corrective Actions (MCAs). The following charts and tables depict the breadth of coverage over the 13 major functional areas of the University. The table on the following page illustrates that there is generally a high correlation between audit effort and management corrective actions. During FY07, specific areas that received a high level of attention and control improvement recommendations included Logical and Network Security, Cash Management, Procurement, Ethics, Hospital Receivables, HIPAA, Effort Reporting, and Equipment Management and Personal Property controls. Chart 3

  14. III. Audit Program Results – FY07 MCA’s The charts and table below display the functional area distribution of the 1,798 MCAs produced in FY07 and a comparison to the effort expended in these areas. Table 4 The above comparison (Table 4) depicts generally high correlation between audit effort and management corrective actions. Within the Financial Management area, the strengthening of controls were significantly evidenced in the areas of cashiering, business contracts, procurement, conflict of interest/conflict of commitment, recharge activities, and payroll processing. Chart 4

  15. III. Audit Program Results – FY07 MCA’s The chart below shows the risk rating of the 1,798 MCAs for FY07 by service type. Each audit finding and its associated MCA is given a rating of high, medium or low risk by the auditors. This judgment is made in a local context, and items identified as high do not necessarily convey material deficiencies or risks beyond the operating environment in which found. A primary objective of this classification is to drive a greater sense of urgency in completing the corrective action and completion of audit follow-up. High risk MCAs would include those that are systemic or have a broad impact, have contributed to a significant investigation finding, are reportable conditions under our professional literature, create health or safety concerns, involve senior officials, create exposure to fines, penalties or refunds or are otherwise judged as significant control issues. Chart 5

  16. III. Audit Program Results – FY07 MCA’s Of the 1,798 MCAs generated in FY07, we categorized 282 as high risk (16%). Similar to the overall distribution of MCA's (See Chart 4 on page 14) the MCA's rated as high risks tend to be distributed throughout the functional areas audited and in approximate proportion to the audit effort expended. However, there are a certain common themes that arise from the high risk MCA's that are worthy of mention below. As previously mentioned, the University has been challenged with maintaining adequate security and control over data. The distributed campus environment has increased the vulnerability of security breaches. We have found that as a whole the University has had difficulty in enforcing strong security measures in regard to proper network firewalls, installing adequate anti-virus software, timely system patches and vulnerability scans and the use of encryption technology. Accordingly, confidential data such as social security numbers, grades, and credit card information are at risk of loss or unauthorized access. Corrective actions have been developed in an effort to increase the security of this information and educate both data administrators and the users. In addition, Internal Audit is working with IR&C during the current year to review the security self-assessments being performed at each location. A significant number of audit findings have as their root cause, deficiencies in supervision, monitoring and oversight functions by people whom our control structure places in critical control positions (e.g., Principle Investigators on sponsored projects). While the PI's understandably need to rely on the support of University administrative staff as well as our business processes for procurement and payment of invoices, they have ultimate responsibility for the financial management of expenditures charged to their contracts and grants. The failure to provide timely and conscientious review of transactions as they occur, as well as periodic review of charges to contracts and grants eliminates a control upon which the University relies to ensure compliance with policies as well as federal laws. The absence of adequate oversight can be further exacerbated by the fact that the academic unit handling the sponsored projects is typically small, and therefore separation of duties is not ideal. Increased supervision is usually the antidote for poor separation of duties and therefore when supervision is not adequate there is less likelihood that errors will be detected by others in the normal course of performing their duties. A number of recommendations in 2007 addressed this issue at the business unit level. However, we have raised it in broader forums so that it may receive broader attention, such as through training for PI’s.

  17. III. Audit Program Results – FY07 MCA’s Audit Observations Defined by COSO As part of the Audit Tracker system, each location categorizes audit observations and MCAs in accordance with the University’s adopted internal control framework (COSO). The COSO model provides for the following general categories of controls – each with sub-category detail: • Control Environment – Sets the tone of the organization. Factors include integrity, ethical values, management’s operating style and organization. Findings in this area would include matters such as the absence of a code of ethics. • Risk Assessment – This is the identification and analysis of relevant risks to achievement of the established objectives. Findings in this area would include, for example, the lack of a process to recognize or mitigate a particular type of risk in the operating environment of the unit. • Control Activities – These are the policies, procedures, and processes that help ensure the University conducts its business and complies with laws, regulations and University policy. Examples include approval, authorizations, verifications, reconciliations, and segregation of duties among many others. Most findings are in this category because these are the controls most frequently tested by auditors. • Information and Communication – Includes the identification and communication of operational, financial, compliance, and external information. Data security and integrity issues fall into this category. • Monitoring – Includes regular management and supervisory activities, as well as financial, operational, and compliance assessments and evaluations. Findings of inadequate supervision or oversight may be a root cause for many other conditions observed.

  18. III. Audit Program Results – FY07 MCA’s The chart below displays the breakdown of the MCA’s by COSO category. Control activities continue to account for the highest frequency of MCAs because of the numerous types of activities encompassed. However, deficiencies in the control environment are typically significant findings. As mentioned elsewhere in this report, during 2007 there was increased attention to Information and Communications, especially as it relates to information security. Chart 6

  19. III. Audit Program Results – Systemwide Audits Systemwide AuditsInternal Audit locations performed a number of systemwide audits that were overseen by the University Auditor’s Office, and summary results were reported throughout the year to The Regents. The following is a summary of the systemwide reviews and significant outcomes: Executive Compensation – The purpose of this review was to assess the implementation of all recommendations ensuing from the 2006 audits and reviews including the recommendations of the Task Force On UC Compensation, Accountability and Transparency, the Bureau of State Audits report, two PricewaterhouseCoopers reports and two Internal Audit reports. While the recommendations had all received substantial attention, there were select matters, most notably the creation of a Human Resources Information System that were in need of refreshed emphasis, which has now occurred. Construction Soft Costs – We found that different methodologies were used for measuring and assigning direct and indirect charges. We recommended that additional guidance should be provided in the University’s Accounting Manual to be more explicit about the University’s application of generally accepted accounting principles to ensure greater consistency of internal cost recovery and compliance with GAAP. Conflict of Commitment and Outside Activities of Faculty Members – The audit was conducted to assess the management of outside professional activities of UC Faculty, including prior approval and annual reporting. We noted that compliance was lacking with respect to filing required forms, approval signatures, and unresolved conflict issues. Student Loan Programs -A survey of University student and lending practices was conducted and found that no financial conflicts appeared to exist of the nature that received national attention. However, a need for improved individual as well as institutional conflict of interest policies and training was observed. The University Auditor served on the Task Force that recommended the new policy for the President’s approval.

  20. III. Audit Program Results – Systemwide Audits Systemwide Audits (cont’d) Chancellor Special Allocations – With respect to the policy on chancellor’s housing and administrative funds, the audits found that they were largely in compliance, both as to propriety of expenditures and newly created documentation and reporting requirements . There were no pervasive control issues identified and each location has reported on local opportunities for control improvement where called for. Willed Body Program – This review focused on the status of the corrective actions that were the basis for the 2005 report to The Regents By the Task Force headed by former Governor Deukmajian. We found that most of the corrective measures have been completed, and there is oversight over these measures at both the Office of the President and in the dean’s office at each campus. However, the efforts to establish the systemwide database required refreshed attention and resources which is occurring. In addition, at the time the recommendations were made to the campuses, each Willed Body Program was asked to take broader responsibility for all human anatomical material that enters the campuses for research or other purposes. These practices are still evolving. Health Science Compliance Program – Continuing a commitment made as part of the late 1990’s PATH settlement, each medical center campus competed a review of the Health Sciences Corporate Compliance Program, including a detailed review of a selected element of the program. The audits found that the Health Sciences Corporate Compliance Program continues to represent a substantial control over our health sciences billing operations and regulatory compliance efforts.

  21. III. Audit Program Results – MCA Completion Status Status of Completion of Management Corrective Actions The most fundamental objective of the Audit Tracker system is to facilitate the tracking of MCAs to their timely completion. MCAs are classified initially as open and are only moved to closed status after validation by auditors that the agreed upon corrective actions have been taken and sustainable improvement has been achieved. The following charts display the completion status for the entire population of MCAs. Part of our analysis includes an aging of the past due items. We believe that reporting the past due corrective actions to campus audit committees, senior management and The Regents’ Committee on Audit will raise the visibility in a way that helps ensure timely attention to these matters and reduces the number of unmitigated risks. We also believe that reporting to the Audit Committee the unmitigated high risk audit findings fulfills a core professional obligation. The 12 past due items are included in this Section on pages 25-27.

  22. III. Audit Program Results – MCA Completion Status The chart below displays the functional area distribution of the entire population of MCAs since inception (9,840). Chart 7 displays the functional audit area distribution for the entire population of MCAs. Table 5 below compares the distribution percentage for all MCAs to the FY07 percentage, which remained comparable. The following pages address the status Table 5 Chart 7

  23. III. Audit Program Results – MCA Completion Status The chart below shows the status of all 9,840 MCAs The 96% rate of closure of the High rated MCAs reflects the fact that these are the items with the greatest urgency to bring to closure. Added attention to closing the items ranked as Medium risks is now occurring and can be seen in the increase of percent closed (88% in FY06 to 92% in FY07). The volume of open items will always be substantial because of the ongoing nature of our work, although substantial reduction has occurred to date as intended. We expect to be able to establish benchmarks in this area as the Audit Tracker information matures. Table 6 Chart 8

  24. III. Audit Program Results – MCA Completion Status The chart below shows the aging statistics of the inventory of 78 Open High Risk MCAs The majority of the open items (66) are not yet due, however, 12 are past due. These past due issues have been brought to the attention of senior management and active resolution plans are in process. The goal of reducing these items to zero (or a negligible number occasioned by highly unusual circumstances) is clearly understood and accepted by all responsible for addressing these items. The 12 past due MCAs are listed on the following pages. Chart 9

  25. III. Audit Program Results – Past Due MCA’s Table 7

  26. III. Audit Program Results – Past Due MCA’s

  27. III. Audit Program Results – Past Due MCA’s

  28. IV. Investigation Activities This section contains charts that display the sources and methods of reporting improper governmental activities allegations which led to audit investigations during FY07, categorizing the type of improper governmental activity alleged, and the outcomes for the investigations completed in FY07. The University Auditor is responsible for general oversight of all audit investigations as well as communication with The Regents and Senior Management. The University Auditor’s Office is also responsible for conducting audit investigations at the Office of the President, the University of California, Merced and assumes management of investigations that involve two or more campuses or in circumstances where the Chancellor, Vice Chancellor or Locally Designated Official (LDO) are named in the complaint. The LDO, who functions as the whistleblower and investigations coordinator at each location, in conjunction with their Investigations Work Group (comprised of investigation resources including internal audit), assesses each reported allegation for appropriate handling, such as referral to management, assignment for investigation or expanded preliminary assessment before a judgment can be made. Investigations that fall within criteria enumerated in the Whistleblower Policy are reported to the Office of the President and the University Auditor. The most significant matters are reported individually to The Regents as material events occur (principally through the Audit Committee Chair) and on a quarterly basis.

  29. IV. Investigation Activities Internal audit investigation activity is tracked in the University Auditor’s Investigations Notice Database. This database base serves as a case management tool and provides other analytical information. In FY07, the internal audit program initiated 120 new investigations and brought to completion 142 investigations. The charts on the following pages provide a statistical overview of these new and closed investigations. The Investigations Notice Database, as of October 10, 2007, is tracking information on 65 open internal audit investigations. Note for the Future The information tracked by the University Auditor’s office and reported in the following data relates only to investigations in which Internal Auditors are the lead investigator. Through the LDO, many complaints are referred to other investigative bodies including police, human resources (e.g. discrimination or harassment), compliance officers or special investigators. Beginning in FY08, the University Auditor, on behalf of the EVP Business Operations who serves as the systemwide LDO, has initiated a reporting mechanism to report to the Office of the President activity on all complaints received by the LDO’s. Prospectively, we will be in a position to offer broader analysis of a wider range of complaints made and their disposition.

  30. IV. Investigation Activities The charts below display the sources and complaint methods of the 120 new investigations opened in FY07. Chart 10 Chart 11 Investigations conducted by Internal Audit came from a variety of sources that are depicted in Chart 10. For the last two years, UC employees and managers have accounted for 66% and 72% of the cases that we investigated. Chart 11 illustrates that only 21% of our internal audit investigations originate from calls made to the University’s independently operated hotline service. While the number of cases opened from hotline calls in the Internal Audit program is small, it is very important to provide a mechanism for complaints to be made anonymously. The Federal Sentencing Guidelines for Organizations encourage a system whereby employees can report suspected wrongdoing without fear of retribution. Chart 11 reflects that only 23% of individuals choose to remain anonymous when filing a complaint either through the hotline service or by other means. Our hotline service reported in 2006 that across most industries the number of reporting parties choosing to remain anonymous is about 50% and for public administration nearly 30%. The hotline service commented that a number of factors affect the decision to remain anonymous including the level of trust that the information will remain confidential, the significance of the issue reported or confidence that the report will be acted upon. Our 23% anonomimity rate speaks well of an environment in which suspected improprieties can be brought forward without fear of retaliation.

  31. IV. Investigation Activities The charts below display the types of allegations related to the 120 investigations opened in FY07, and the outcome of 142 investigations that closed in FY07. Chart 12 Chart 13 Chart 12 demonstrates the importance of complaints received from anonymous sources in as much as their allegations were substantiated in 38% of the Internal Audit investigations. The overall rate of cases in which one or more allegation was substantiated increased from 33% in FY06 to the 40% number this fiscal year. In chart 13, we see that the five allegation categories of Improper Use of UC Resources, Fraud, Theft/Embezzlement, Payroll/Time Charge Abuse and Misfeasance /Waste accounted for 71% of the Internal Audit investigations. The two previous fiscal years have seen these categories account for the majority of Internal Audit investigations (81% in FY06 and 76% in FY05). In FY07, the hotline service received a total 598 calls. This was comprised of 197 new reports, 108 follow-up calls and 293 calls of a miscellaneous nature that did not constitute a report of impropriety. Many of the 197 reports involved information that was referred to University management for appropriate review and disposition or referred into another process, (e.g., human resources grievance process) or contained insufficient information to initiate an investigation.

  32. V. Staffing and Other Benchmark Analyses This section contains an analysis of staffing levels by location compared to UC and industry benchmarks. The analysis is based on the authorized staffing levels rather than the number of positions actually filled at any moment in time. For FY07, the Internal Audit Program operated at approximately 92% of authorized capacity due to turnover, and positions left open because of budget constraints. The benchmark analysis is presented in the absence of any generally accepted staffing models for internal audit programs universally or in higher education. However, we believe the analysis demonstrates that UC in total and at its campuses and national laboratories maintain moderately adequately staffed audit functions. The GAIN (Global Auditing Information Network) survey used for comparison purposes was conducted in 2005 by the Institute of Internal Auditors and reflects the results for public higher education institutions. In addition, this section contains a table of miscellaneous benchmark information for comparison of UC’s audit program to industry standard practices.

  33. V. Staffing and Other Benchmark Analyses The charts below display staffing benchmarks for the campuses and Office of the President. UC in general varies from the GAIN average for expenditures per auditor by a substantial margin, and this gap has widened in recent years. However, when you combine the employee ratio data you can see that UC employees in general are more highly leveraged than our average counterparts. As a result, at only four campuses, UCB, UCD, UCI and UCSF, is there some concern regarding staffing adequacy. In general, the smaller institutions appear to be more well staffed. However, this is due to the fact that certain audit activities are not directly impacted by size. Management has used this information in the past to consider augmentation of audit staffing, and we continue to share this information with management at each location for the purpose of assessing the adequacy of the audit program staffing. Chart 14 Chart 15

  34. V. Staffing and Other Benchmark Analyses The charts below display staffing benchmarks for the national laboratories. The ratios vary in acceptable degrees and again reflect the tendency for smaller organizations to appear to be better staffed. There is no readily available benchmark information so the comparison is only between the two UC labs. However, if traditional universal benchmarks were applied, the national labs would appear to be generally well staffed. Chart 16 Chart 17

  35. V. Staffing and Other Benchmark Analyses Other Benchmarks UCSurvey Professional Staff: Avg. Years Experience 17.9yrs 19.8yrs Staff Turnover 13% 19% Training Hours Per Auditor 84hrs 56hrs Distribution of Time: Audits 66% 66% Advisory Services 18% 25% Investigations 16% 9%* Matters Reported to Audit Committee: Percent Completion of Plan Yes 77% Productivity Measures Yes 51% Benchmark Comparisons Yes 50% Organizational Structure Yes 51% UCSurvey Audit Planning: Based on Risk Assessment Yes 86% Risk Assessment Model Yes 62% Defined Audit Universe Yes 64% Includes Mgmt. Requests Yes 86% Audit Expected to Provide Consultations On Operational Matters Yes 85% Report Drafts Shared with Mgmt. Yes 99% Use Customer Satisfaction Survey Yes 58% Reporting Structure: Report Functionally to Board or Audit Committee Yes 76% Report Administratively to Management Yes 94% * GAIN Survey includes many non-health sciences and limited research institutions. Chart 18

  36. V. Staffing and Other Benchmark Analyses The Table depicts the modest growth in the Internal Audit Program overall while the Office of the President has actually decreased. Certain efficiencies have been gained in audit process and methodologies, including the use of computer assisted audit techniques. However, the growth of the University, increased regulatory complexity and competing demands (e.g. investigations and systemwide audits) have combined to more than offset efficiency gains. A good example is UCOP, which now provides coverage to UC Merced as well as its traditional customer base, with fewer resources. Table 8

  37. V. Staffing and Other Benchmark Analyses The chart below illustrates that the Internal Audit staffing level has remained fairly constant despite the growth of the University (depicted below in terms of revenue). Chart 19

  38. V. Staffing and Other Benchmark Analyses The chart below illustrates that the Internal Audit staffing level in terms of revenue per auditor has lagged behind the revenue growth of the University. Chart 20

  39. VI. Strategic Plan Strategic Plan Overview • GOALS • The University Auditor and Campus/Lab Internal Audit Directors have sustained a commitment to continuous improvement of the Internal Audit Program over the years. Towards that end, a strategic plan is established and revised every two years to provide strategic guidance to the Audit Program leadership in these efforts. To address contemporary and emerging risks and issues, and to promote a culture of accountability and integrity, the UC Internal Audit Program has identified the following enduring goals: • Operational excellence – Provide timely, quality, cost-effective products and services with the effective use of resources. • Stakeholder/Client Relationships - Be a proactive, responsive, credible, trusted, respected, business-oriented resource. • Innovative Service - Render customized, creative, cutting-edge, functional, and flexible service improvements grounded in our core competencies. • INITIATIVES • In August 2005, the University Auditor and Campus/Lab Internal Audit Directors developed the following strategic initiatives geared towards strengthening the Internal Audit program: • Improve Internal Reporting • Improve Communications • Identify Partnership Opportunities for Corporate Governance • Continuous Monitoring/Auditing • Benchmarking and Staffing

  40. VI. Strategic Plan • Highlights of Current Initiatives: • The development of a Comprehensive Audit Reporting and Tracking System (CARTS) is currently underway. The University Auditor’s Office is working with Information Resources and Communication at UCOP in an effort to automate a number of our project management and reporting processes. The CARTS project, when fully functional, will be a web-based system incorporating a comprehensive time keeping system, automating our risk assessment and planning processes, and generating monthly and quarterly status reports – as well as location ad hoc reports. The CARTS system will also interface with our Audit Tracker, Investigation Notices and employee databases. Several audit locations are currently piloting various components of CARTS. • Several enhancements to Audit Tracker are also planned within the CARTS project. The new system will send email notifications prior to the due date of corrective actions, and provide a mechanism for management to record progress and completion of the corrective actions, alerting Internal Audit as to management’s readiness for our validations efforts. • With the aid of a consultant, we are developing a web access tool that will continuously surf the internet and download information based on our search criteria. The criteria will focus on current and emerging issues of concern to University auditors. The results of the data collection will be made available to all auditors on a real-time basis. • One location has partnered with their finance group to develop extensive continuous monitoring protocols in the areas of payroll and procurement cards. The tools apply a variety of criteria analysis against real time data in an effort to identify problems, trends, and aid management in decision making and will be shared with all locations. These capabilities are being shared among campuses. • A proposal was made to the Institute of Internal Auditors Research Foundation for assistance in developing a staffing model for internal audit programs based on broader analysis of data and factors then currently available. After review of research proposals for an academic research study, a project is about to be launched. A segment of the research study will focus on factors unique to higher education.

  41. Appendix 1 – University of California Internal Audit Program The Regents’ Committee on Audit UCB UCD UCI UCLA UCR UCSB UCSC UCSD UCSF UCOP Chancellor Birgeneau Vice Chancellor Meyer Vice Chancellor Brase Vice Chancellor Olsen Vice Chancellor Bolar Vice Chancellor Carpenter Vice Chancellor Vani Vice Chancellor Matthews Senior Vice Chancellor Barclay University Auditor Reed EVP, Business Operations K. Lapp SVP, Chief Compliance and Audit Officer, S. Vacca University Auditor P.V. Reed LBNL T. Hamilton (7) UCI G. Moore (acting) (9) UCR M. Jenson (6) UCSC G. Gail (4.75) UCSF A. Zubov (11) UCLA E. Pierce (25) UCSB W.L. Riley (6) UCSD S. Burke (15.6) UCOP H. Valness (6.5) Total Professional Staff, including the Director, is in parentheses Total Authorized Professional Positions = 114 (LANL& LLNL Audit Departments not reflected in UC Audit Program) *Director of Investigations / **Director of IT Audit Services UCD R. Catalano (11) UCB S. Siri (8.5) UC Systemwide J. Lohse* / K. Heins** (3.5)

More Related