V I R G I N I A P O L Y T E C H N I C I N S T I T U T E A N D S T A T E U N I V E R S I T Y

A n e qua l op po r tu n i t y , a f f i r ma t i ve ac t i on i ns t i t u t io n

Invent the Future

Department of Internal Audit North End Center, Suite 3200, Virginia Tech 300 Turner Street NW Blacksburg, Virginia 24061 Campus Mail Code: 0328 540-231-5883 Fax: 540-231-4681 www.ia.vt.edu

   August  14,  2013    Debra  S.  Gula,  CPA  Executive  Director  of  University  Audit  and  Compliance  University  of  South  Florida  System  3702  Spectrum  Blvd.  Suite  180  Tampa,  FL    33612-­‐9444    Dear  Ms.  Gula:    The  Quality   Assurance   (QA)   Team  was   engaged   to   conduct   an   independent   validation   of   the  University   of   South   Florida   System’s   Office   of   University   Audit   and   Compliance   (UAC)   self-­‐assessment.    The  primary  objective  of  the  validation  was  to  verify  the  assertions  made   in  the  attached   quality   self-­‐assessment   report   concerning   adequate   fulfillment   of   the   University’s  basic  expectations  of  UAC  and   its   conformity   to  The   Institute  of   Internal  Auditors’   (The   IIA’s)  International   Standards   for   the   Professional   Practice   of   Internal   Auditing   (Standards).     Other  matters   that  might  have  been  covered   in  a   full   independent  assessment,   such  as  an   in-­‐depth  analysis   of   successful   practices,   governance,   consulting   services,   and   use   of   advanced  technology,  were  excluded   from  the   scope  of   this   independent  validation  by  agreement  with  the  Executive  Director.    In  acting  as  the  QA  Team,  we  are  fully  independent  of  the  organization  and  have  the  necessary  knowledge  and  skills  to  undertake  this  engagement.    The  validation,  conducted  during  June  19  –  21,  2013,  consisted  primarily  of  a  review  and  testing  of  the  procedures  and  results  of  the  self-­‐assessment.     In  addition,   interviews  were  conducted  with  the  University’s  President,  Board  of  Trustees  Chair,  Board  of  Trustees  Audit  Liaison,  Provost,  Chief  Operating  Officer,  other  senior  members  of  management,  and  the  UAC  Executive  Director.    We   concur   fully   with   UAC’s   conclusions   in   the   self-­‐assessment   report   attached.     While   we  concur   with   the   report   conclusions,   we   noted   the   following   positive   attributes   and  opportunities  for  improvement  related  to  operations  of  UAC.        

V I R G I N I A P O L Y T E C H N I C I N S T I T U T E A N D S T A T E U N I V E R S I T Y

A n e qua l op po r tu n i t y , a f f i r ma t i ve ac t io n i ns t i t u t io n

Positive  Attributes  of  University  of  South  Florida  System’s  Internal  Audit  Program:     Audit  Committee  and  Senior  Management  Support—The  interviews  conveyed  a  high  level  

of  support   from  the  Finance  and  Audit  Workgroup  and  senior  management.    The   Internal  Audit  Program  is  well  respected,  is  involved  in  many  University  activities,  and  management  feels  comfortable  seeking  UAC’s  assistance  for  problematic  situations.        

Communication  and  Approachability—During  the  course  of  our  on-­‐site  visit,  management  expressed   that   the   entire   internal   audit   team   was   very   approachable,   demonstrated  effective  communication  skills,  and  was  extremely  responsive.    UAC’s  prompt  response  to  requests   demonstrates  highly   effective   and  efficient   use  of   limited   staffing   resources   and  strong  project  management  skills.    Additionally,  executive  management  noted  that  the  UAC  Executive  Director  demonstrated  strong  leadership  skills.  

Development  of  Staff—The  management  team  within  UAC  takes  an  interest  and  great  care  in   the   development   of   the   staff   including   professional   development   related   to   specific  knowledge,   skills,   and   abilities   needed   to   perform   their   job   duties.     Additionally,   staff   is  encouraged   to   obtain   professional   certifications   enhancing   their   individual   skills   and  credentials.     Staff   is   closely   supervised   to   enable   audit-­‐related   questions   to   be   answered  within  a  short  period  of  time  and  to  provide  on-­‐site  mentoring.    

Comprehensive  Risk  Assessment—The  process   that  UAC  has   created   to   initiate,   conduct,  and  complete  their  annual  risk  assessment  utilizes  many  tools  and  processes  and  appears  to  be  working  well  for  the  University  of  South  Florida  System.    UAC  management  meets  with  key  executives  of  all  member  institutions  throughout  the  year  to  discuss  risks,  audit  history,  and  trends  within  the  system  and  the  higher  education   industry  to  determine   if   there  are  emerging   risks   that   may   impact   the   system.     Executives   for   each   separately   accredited  institution   of   the   University   of   South   Florida   System   are   able   to   provide   input   on   the  organization’s  risks  and  understand  which  internal  audit  projects  will  take  place  during  the  year  within  their  organizations.  

Opportunities  for  Improvement  –  Effectiveness  and  Efficiency:     Auditor  Position  within  Organization—The  IIA  Practice  Advisory  1110-­‐1  recommends  that  

to   achieve   organizational   independence,   the   Chief   Audit   Executive   should   report  functionally   to   the   Audit   Committee   and   administratively   report   directly   to   the   chief  executive   officer   of   the   organization.     As   of   the   time   of   this   review,   the   UAC   Executive  Director  functionally  reports  to  the  Audit  Liaison  who  is  a  member  of  the  Board  of  Trustees  Finance  and  Audit  Workgroup,  and  administratively   reports   to  the  Chief  Operating  Officer  

V I R G I N I A P O L Y T E C H N I C I N S T I T U T E A N D S T A T E U N I V E R S I T Y

A n e qua l op po r tu n i t y , a f f i r ma t i ve ac t io n i ns t i t u t io n

as   depicted   on   the   university   system's   organization   chart.     However,   with   regard   to  administrative  reporting  lines,  the  2006  UAC  Audit  Charter  reflects  that  UAC  reports  to  the  President  with  day-­‐to-­‐day  oversight  by  the  university’s  Executive  Vice  President.      

We  recommend  that  the  USF  Board  of  Trustees  and  the  President  discuss  the  appropriate  reporting  line  to  ensure  ideal  organizational   independence  for  UAC.    The  UAC  Charter  and  the  university  system  organization  chart  should  be  modified  accordingly.    

Retention   of   Staff—UAC   employees   are  well   qualified  with   relevant   levels   of   experience,  highly  credentialed,  and  marketable.    However,  salaries  are  lagging  behind  when  compared  to   state  peers.    With   concerns   for   retention,  we   recommend   that  USF   consider  adequate  compensation   commensurate   with   UAC   staff   experience   and   accomplishments.    Furthermore,  adequate  professional  development  opportunities  should  be  made  available  for   staff   to   ensure  maintenance  of   knowledge,   skills,   and  abilities  necessary   to   serve  USF  and  to  satisfy  professional  certification  requirements.  

Implementation   of   all   the   recommendations   contained   in   the   self-­‐assessment   report   will  improve  the  effectiveness  and  enhance  the  value  of  UAC  and  ensure  its  full  conformity  to  the  Standards.    We  appreciate  the  courtesy  and  cooperation  received  from  management  and  staff  during  our  independent  validation.    Sincerely,  

     

Sharon  M.  Kurek,  CPA,  CFE  Director  of  Internal  Audit  at  Virginia  Tech    Independent  Validator  and  QA  Team  Lead    

   

Brian  D.  Mikell,  CPA  Chief  Audit  Executive  at  University  of  Florida  Independent  Validator  and  QA  Team  Member    cc:       Dr.  Judy  L.  Genshaft,  Chief  Executive  Officer,  USF  System  

John  W.  Long,  Chief  Operating  Officer  and  Sr.  Vice  President,  Business  and  Finance  Stephanie  E.  Goforth,  Audit  Liaison,  Board  of  Trustees  Finance  &  Audit  Workgroup  John  B.  Ramil,  Chair,  Board  of  Trustees  Finance  &  Audit  Workgroup  

   

UNIVERSITY AUDIT AND COMPLIANCE 3702 Spectrum Blvd. Suite 180 • Tampa, FL 33612-9444

(813) 974-2705 • FAX (813) 974-3735

MEMORANDUM TO: President Judy Genshaft

USF Board of Trustees Finance and Audit Workgroup DATE: July 26, 2013

SUBJECT: 13-008 UAC Self-Assessment with Independent Validation

The University of South Florida Audit & Compliance (UAC) department conducted a self-assessment of its Internal Audit (IA) services. The principal objectives of the assessment were to assess UAC’s conformity to the IIA’s Standards for the Professional Practice of Internal Auditing (Standards), evaluate IA’s effectiveness in carrying out its mission (as set forth in its charter and expressed in the expectations of management), and identify opportunities to enhance management and work processes, as well as UAC’s value to the university. Our review included the preparation of the Self-Assessment Guide provided by the IIA (Tool 2), evaluation of UAC’s conformity to the IIA standards (Tool 19) and other supporting documents. In addition, the independent QA review team collected responses from management, auditees, and UAC team member surveys, and interviewed university leadership. Part of UAC’s review included an evaluation of UAC’s risk assessment and audit planning processes, audit tools and methodologies utilized, and engagement and staff management processes. UAC also provided the independent review team with a representative sample of UAC’s working papers and reports. Based on our review, UAC generally conforms to the IIA Attribute and Performance Standards, and the Code of Ethics. “Generally conforms” means that there is a general conformity to a majority of the individual standards and partial conformity to the others, within the section/category. Contained within this report is a recommendation to ensure that UAC fully complies with the standard related to maintaining an internal quality assurance program. This area was assessed as “partially conforms” during our review. In addition, UAC has made three recommendations based upon the IIA Practice Advisories and other best practice guidance to improve the effectiveness of the IA program at USF.

Debra Gula, CPA Executive Director cc: John Long, Chief Operating Officer and Sr. Vice President, Business and Finance

UAC 13-008

2 of 10

OPINION AS TO CONFORMITY TO STANDARDS Our evaluation of UAC’s conformity with the IIA standards indicates that UAC complies with the requirements of the individual elements of the Code of Ethics in all material respects. In addition, it is our opinion that UAC generally conforms with the IIA standards, when applied to the entire category of standards. The standards are divided into two areas: Attribute Standards and Performance Standards. Attribute standards address the attributes of the IA organization and the individuals performing IA services. Performance standards describe the nature of IA services and provide quality criteria against which the performance of these services is measured. Practice advisories provide guidance on how to implement the standards. See Exhibit A for a list of the standards and UAC’s opinion on conformance.

OPINION AS TO EFFECTIVENESS AND EFFICIENCY OF IA FUNCTION Our completion of the Self-Assessment Guide and other supporting documentation and review of client surveys indicated that the IIA function is effectively positioned within the organization to enable UAC to effectively discharge its responsibilities as defined by the UAC Charter. The UAC Charter needs to be expanded to accurately reflect functional versus administrative reporting as well as the current IT audit responsibilities. The established reporting relationship with executive management and the USF Board of Trustees Finance and Audit Workgroup ensures UAC’s independence and adequate consideration of audit recommendations. The USF Board of Trustees Finance and Audit Workgroup serves as the Audit Committee. We have also concluded that the IA environment is well structured and utilizes a structured, disciplined approach to evaluating and improving risk management, control, compliance, and governance processes. The IIA standards, and other relevant standards, are well understood by the UAC team, who receive ongoing professional training. UAC team members are highly credentialed, with over half of the audit team possessing a master’s degree, 80% are CPAs, and all staff possess at least one professional certification (CPA, CIA, CFE, or CISA). UAC continues to review and work on improving its IA processes to identify and document fraud risks, minimize the time from project initiation to reporting, and to ensure all audit processes are focused on risk and aligned with both the IIA standards and the university’s strategic goals and plans. Consequently, our comments and recommendations are intended to build on the foundation put in place over the last several years.

ISSUES AND RECOMMENDATIONS The issues and recommendations that follow originated from UAC’s completion of the Self-Assessment Guide and other supporting documentation and our evaluation of UAC’s conformity with the IIA standards. Our Self-Assessment was performed in accordance with the IIA Quality Assessment Manual – 6th Edition. In addition, external input was obtained through surveys, interviews, and the participation of a two-member independent validation team.

UAC 13-008

3 of 10

COMPLIANCE WITH IIA STANDARDS

1. Internal quality assurance programs were not formally communicated to senior management and the board.

IIA Standard 1320 states, “The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.” The IIA’s interpretation states, “To demonstrate conformance with the definition of internal auditing, the Code of Ethics, and the standards, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the assessor’s or assessment team’s evaluation with respect to the degree of conformance.” UAC has integrated compliance monitoring for IIA standards into the day-to-day operations of the activity using TeamMate templates and control checkpoints. In addition, UAC continuously reviews its processes to identify areas where process improvement can occur. Each Spring, internal goals are set for the coming fiscal year. During this goal-setting process, one or more performance areas are selected for process reengineering. Some areas that have been revised in the last five years include: redesigning the report and report-writing process, redesigning the follow-up system to improve management reporting, integrating access control reviews into all projects, and redesigning internal management reports to more effectively monitor UAC projects. UAC also solicits verbal feedback from auditees throughout the engagements. UAC ‘partially conforms’ with this standard because while the department reviews compliance with standards on an ongoing basis and practices continuous process improvement, the detail of these self-assessment activities are not formally communicated to senior management or the board on an annual basis.

Recommendation: UAC should formally communicate the annual internal assessment of the department’s quality assurance and improvement program to senior management and the board in UAC’s Annual Report.

UAC 13-008

4 of 10

EFFICIENCY AND EFFECTIVENESS 1. The Finance & Audit Workgroup’s roles and responsibilities do not include all of

the functional responsibilities outlined in the IIA Practice Advisory. PA 1110-1: Organizational Independence states, “Functional reporting to the board typically involves the board: . . . Approving all decisions regarding the performance evaluation, appointment, or removal of the CAE and approving the annual compensation and salary adjustment of the CAE.”

Recommendation: In order to enhance the organizational independence of the internal audit activity, the Finance & Audit Workgroup’s roles and responsibilities should be modified to include the following responsibilities:

1. Review with management and the Executive Director the charter, activities, staffing, and organizational structure of the internal audit function.

2. Approve all decisions regarding the performance evaluation, appointment, or removal of the Executive Director.

3. Approve the annual compensation and salary adjustments of the Executive Director.

2. UAC’s charter does not accurately reflect IT audit responsibilities.

IIA Standard 2120.A.1 states, “The internal audit activity must evaluate the risk exposures related to the organization’s governance, operations, and information systems regarding the achievement of the organization’s strategic objectives, reliability and integrity of financial and operational information, effectiveness and efficiency of operations and programs; safeguarding of assets, and compliance with laws, regulations, policies, procedures, and contracts.” Since the promulgation of the current charter in 2006, UAC has adopted an integrated audit approach, which involves incorporating reviews of controls imbedded in information systems (IS) into all audits. IS controls designed to ensure the confidentiality, integrity, and availability of financial and operational data, critical to meet USF strategic goals, are reviewed. For audits and consulting projects with emphasis in information technology, UAC utilizes ISACA standards, which are mapped to the COBIT Framework for IT Governance and Control. UAC relies on the expertise of their IT audit team, who have obtained certifications in risk and information system controls (CRISC) and/or information systems auditing (CISA). The IT audit team, which includes the Associate Director, Assistant Director, and Sr. IT Auditor, perform IT systems reviews such as review of IT Governance, Data Center Operations, Change Management, and Security Administration.

UAC 13-008

5 of 10

EFFICIENCY AND EFFECTIVENESS ISACA Guideline G5 states, “The IS auditor should have a clear mandate to perform the IS audit function. This mandate is ordinarily documented in an audit charter that should be formally accepted. Where an audit charter exists for the audit function as a whole, the IS audit mandate should be incorporated.” Although the Finance and Audit Workgroup’s responsibilities address information technology security and control, UAC does not currently have a specific mandate included in its charter regarding information systems auditing.

Recommendation: UAC’s CAE should work with the Board of Trustees Audit Liaison to revise the UAC charter to ensure UAC’s responsibilities regarding information systems auditing are included. The revised charter should be presented to and approved by the President and the Finance and Audit Workgroup.

3. Fraud risk assessment is not formally documented.

IIA Standard 2120 Risk Management states, “The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.” In June 2009, the Executive Director promulgated USF Policy 0-024, Fraud Prevention and Detection, which addresses the responsibility of USF system employees as it relates to fraud. The state Auditor General sends a fraud questionnaire annually to senior management and the Executive Director. Fraud risks are considered during ERM activities, but are not assessed separately. IIA Standard 2210 A.2. Audit Engagement Objectives states, “Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.” UAC has two Certified Fraud Examiners, the Associate Director and an Assistant Director. UAC uses the expertise of these individuals to ensure fraud risk is identified and utilizes the Association of Certified Fraud Examiners Fraud Risk Assessment tools to assist in the identification and assessment of fraud risks. During the performance of preliminary risk assessments, they work to ensure fraud risk is adequately incorporated into audit programs. When appropriate, specific fraud detection tests are performed.

UAC 13-008

6 of 10

EFFICIENCY AND EFFECTIVENESS Recommendation: UAC should develop a formal methodology for assessing

and documenting fraud risk. This methodology should be used to perform a fraud risk assessment which identifies potential fraud schemes and prioritizes them based on risk. Key fraud prevention and detection controls will be mapped to the fraud risks and tested for effectiveness during the performance of UAC audit projects.

UAC 13-008

7 of 10

EXHIBIT A

UAC’s Conformity to the IIA Standards

Generally Conforms

Partially Conforms

Does Not Conform

OVERALL EVALUATION ☒

☐

☐

ATTRIBUTE STANDARDS ☒

☐

☐

1000 Purpose, Authority, and Responsibility (Charter)

☒

☐

☐

1100 Independence and Objectivity ☒

☐

☐

1110 Organizational Independence ☒

☐

☐

1120 Individual Objectivity ☒

☐

☐

1130 Impairments to Independence or Objectivity ☒

☐

☐

1200 Proficiency and Due Professional Care ☒

☐

☐

1210 Proficiency ☒

☐

☐

1220 Due Professional Care ☒

☐

☐

1230 Continuing Professional Development ☒

☐

☐

1300 Quality Assurance/Improvement Program ☒

☐

☐

1310 Quality Program Assessments ☒

☐

☐

1311 Internal Assessments ☒

☐

☐

1312 External Assessments ☒

☐

☐

1320 Reporting on the Quality Program ☐

☒

☐

1330 Use of “Conducted in Accordance with the Standards”

☒

☐

☐

1340 Disclosure of Noncompliance ☒

☐

☐

UAC 13-008

8 of 10

Generally Conforms

Partially Conforms

Does Not Conform

PERFORMANCE STANDARDS ☒

☐

☐

2000 Managing the Internal Audit Activity ☒

☐

☐

2010 Planning ☒

☐

☐

2020 Communication and Approval ☒

☐

☐

2030 Resource Management ☒

☐

☐

2040 Policies and Procedures ☒

☐

☐

2050 Coordination ☒

☐

☐

2060 Reporting to the Board and Senior Management

☒

☐

☐

2100 Nature of Work ☒

☐

☐

2110 Governance ☒

☐

☐

2120 Risk Management ☒

☐

☐

2130 Control ☒

☐

☐

2200 Engagement Planning ☒

☐

☐

2201 Planning Considerations ☒

☐

☐

2210 Engagement Objectives ☒

☐

☐

2220 Engagement Scope ☒

☐

☐

2230 Engagement Resource Allocation ☒

☐

☐

2240 Engagement Work Program ☒

☐

☐

2300 Performing the Engagement ☒

☐

☐

2310 Identifying Information ☒

☐

☐

2320 Analysis and Evaluation ☒

☐

☐

UAC 13-008

9 of 10

Generally Conforms

Partially Conforms

Does Not Conform

2330 Recording Information ☒

☐

☐

2340 Engagement Supervision ☒

☐

☐

2400 Communicating Results ☒

☐

☐

2410 Criteria for Communicating ☒

☐

☐

2420 Quality of Communications ☒

☐

☐

2421 Errors and Omissions ☒

☐

☐

2430 Engagement Disclosure of Noncompliance with Standards

☒

☐

☐

2440 Disseminating Results ☒

☐

☐

2500 Monitoring Progress ☒

☐

☐

2600 Management’s Acceptance of Risks ☒

☐

☐

IIA CODE OF ETHICS ☒

☐

☐

Legend: Generally Conforms: The evaluator has concluded that the relevant structures, policies, and procedures of the activity, as well as the processes by which they are applied, comply with the requirements of the individual Standard or element of the Code of Ethics in all material respects. For the sections and major categories, this means that there is general conformity to a majority of the individual Standards or elements of the Code of Ethics, and partial conformity to the others, within the section/category. There may be significant opportunities for improvement, but these should not represent situations where the activity has not implemented the Standards or the Code of Ethics, is not applying them effectively, or is not achieving their stated objectives. Partially Conforms: The evaluator has concluded that the activity is making good faith efforts to comply with the requirements of the individual Standard or element of the Code of Ethics, section, or major category, but has fallen short of achieving some of their major objectives. These will usually represent some significant opportunities for improvement in effectively applying the Standards or Code of Ethics and/or achieving their objectives. Some of the deficiencies may be beyond the control of the activity and may result in recommendations to senior management or the board of the organization.

UAC 13-008

10 of 10

Does Not Conform: The evaluator has concluded that the activity is not aware of, is not making good-faith efforts to comply with, or is failing to achieve many/all of the objectives of the individual Standard or element of the Code of Ethics, section, or major category. These deficiencies will usually have a significant negative impact on the activity’s effectiveness and its potential to add value to the organization. They may also represent significant opportunities for improvement, including actions by senior management or the board.