The University of Texas MD Anderson Cancer Center
Internal Audit Annual Report for FY2016
Page 1 of 22
Purpose of the Annual Report
Table of Contents
I. Compliance with Texas Government Code, Section 2102.015: Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on Internet Website
II. Internal Audit Plan for Fiscal Year 2016
   Compliance with the Benefits Proportionality Audit Requirements for Higher Education Institutions
   Compliance with the Purchasing and Contracting Requirements for Higher Education Institutions
III. Consulting Services and Nonaudit Services Completed
IV. External Quality Assurance Review (Peer Review)
V. Internal Audit Plan for Fiscal Year 2017
VI. External Audit Services Procured in Fiscal Year 2016
VII. Reporting Suspected Fraud and Abuse
I. Compliance with Texas Government Code, Section 2102.015: Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on Internet Website

The Fiscal Year 2017 audit plan, as approved by the Institutional Audit Committee, will be posted on the MD Anderson external website as part of the Fiscal Year 2016 SAO Annual Report. The Fiscal Year 2016 SAO Annual Report, including summaries of reports, will be posted on the MD Anderson external website within 30 days of approval by the President, but not later than November 1, 2016, as required.

The following matrix provides a summary of the weaknesses and action taken by management for projects on the Fiscal Year 2016 Audit Plan, as required by Texas Government Code, Section 2102.015:
Progress is reported as Fully Implemented, Substantially Implemented, Incomplete/Ongoing, or Not Implemented.

Report No.: 2015-104
Report Date: 11/23/2015
Name of Report: Nocturnal Program Review
Recommendations: We recommended enhanced controls over:
- Professional charge capture and reconciliation
- Compliance with requirements for verbal provider orders
- Standard operating procedures
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Incomplete/Ongoing. Full implementation is expected by March 1, 2017.

Report No.: 2016-103
Report Date: 10/28/2015
Name of Report: Segregation of Duties and Account Reconciliations
Recommendations: Management should enhance controls and processes to ensure segregation of duties and sensitive access remediations are closed timely and reconciliations of federally funded accounts are performed.
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Incomplete/Ongoing. Full implementation is expected by December 15, 2016.
Report No.: 2016-105
Report Date: 8/26/2016
Name of Report: Procurement Review
Recommendations: Management should enhance controls and processes surrounding accuracy of contract information, documentation of approvals for contracts and exclusive acquisition forms, compliance with the emergency purchase policy, and monitoring of unauthorized purchases. Furthermore, the Institutional Contract Management Handbook should be finalized.
Summary of Action Taken: Management agreed to enhance controls and processes over the areas noted in the report and to finalize the Institutional Contract Management Handbook.
Progress: Incomplete/Ongoing. Full implementation is expected by October 16, 2016.

Report No.: 2016-107
Report Date: 5/19/2016
Name of Report: Travel and Entertainment – Development Office
Recommendations: Management should consider revising the Development Office travel and business entertainment policy to align more closely with the Institution’s travel policy where possible, and provide training to all staff, including administrative staff, to ensure travel documentation complies with the Travel and Entertainment Guidelines. Management should review the department’s guidelines for possible inconsistencies and operational inefficiencies.
Summary of Action Taken: Management has agreed to revise the Development Office’s Travel and Entertainment Guidelines and to educate travelers and travel preparers on the revised guidelines. Management plans to perform an annual review of the departmental guidelines to ensure alignment with institutional policy.
Progress: Incomplete/Ongoing

Report No.: 2016-108
Report Date: 8/31/2016
Name of Report: Facilities’ Service Vendor Audit
Recommendations: Recommendations related to the following process and control areas were noted:
- Existence of Formal Contract Agreements
- Monitoring of Contract Spend
- Consistent Invoice Approval
- Validation of Service Vendor Measurements
- Discretion with Respect to PO Fund Application
- Detailed Review of Invoiced Rates
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Incomplete/Ongoing. Full implementation is expected by August 31, 2017.
Report No.: 2016-201
Report Date: 6/23/2016
Name of Report: Review of Executive Officers’ Travel and Business Entertainment Expenditures
Recommendations: We recommended improvements related to:
- Resolution of personal expenses using the state-issued travel card
- Adequate supporting documentation related to foreign travel and entertainment expenses
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Fully Implemented

Report No.: 2016-203
Report Date: 6/23/2016
Name of Report: Onboarding of Visiting Scientists
Recommendations: We identified opportunities for improvement in the following areas:
- Conducting criminal background checks
- Verifying educational background
- Ensuring compliance with required training
- Establishing guidance for departmental oversight
- Executing legal agreements
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Incomplete/Ongoing

Report No.: 2016-204
Report Date: 1/15/2016
Name of Report: Departmental Review – Thoracic Surgery
Recommendations: We recommended enhanced controls over leave management, travel, procurement cards, and system access.
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Incomplete/Ongoing. Full implementation is expected by December 31, 2016.

Report No.: 2016-205
Report Date: 3/15/2016
Name of Report: Division of Surgery Review
Recommendations: We recommended enhanced controls over system access, segregation of duties within the service center, updating the billing rates and monitoring net income for the service center, and strengthening asset management.
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Incomplete/Ongoing. Full implementation is expected by December 31, 2016.
Report No.: 2016-206
Report Date: 8/31/2016
Name of Report: Departmental Review – Smithville
Recommendations: We recommended enhanced controls over monitoring program income and service center billing rates, enforcement of material transfer agreements (MTAs), monitoring and resolving deficit accounts, monitoring correction requests for over-commitment of effort, accurately recording faculty extramural leave, and reviewing and approving grant reconciliations and employee leave in Kronos.
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Incomplete/Ongoing. Full implementation is expected by December 31, 2016.

Report No.: 2016-210
Report Date: 8/30/2016
Name of Report: Division of Radiation Oncology – Charge Capture Assessment
Recommendations: We recommended that Radiation Oncology improve processes to ensure charges are posted to the patient accounts as appropriate. We further recommended that controls be strengthened for re-billing charges to ensure that when a charge is deleted, re-billing occurs as appropriate.
Summary of Action Taken: Management agreed to enhance controls in the recommended area.
Progress: Incomplete/Ongoing

Report No.: 2016-212
Report Date: 8/30/2016
Name of Report: Division of Diagnostic Imaging – Charge Capture Assessment
Recommendations: We recommended that Diagnostic Imaging strengthen controls to ensure that charges are posted to patient accounts or research protocol accounts as appropriate. We further recommended that controls be strengthened to ensure that when a charge is deleted, the action is appropriate.
Summary of Action Taken: Management agreed to enhance controls in the recommended area.
Progress: Incomplete/Ongoing. Full implementation is expected by January 31, 2017.

Report No.: 2016-300
Report Date: 2/24/2016
Excepted from public disclosure

Report No.: 2016-301
Report Date: 2/19/2016
Excepted from public disclosure

Report No.: 2016-303
Report Date: 8/31/2016
Excepted from public disclosure

Report No.: 2016-304
Report Date: 8/30/2016
Excepted from public disclosure
Report No.: 2016-403
Report Date: 7/5/2016
Name of Report: Cybersecurity NIST
Recommendations: Information is excepted from public disclosure
Summary of Action Taken: Information is excepted from public disclosure
Progress: Information is excepted from public disclosure

Report No.: 2016-404
Report Date: 7/5/2016
Name of Report: Data Loss Prevention (Information Security)
Recommendations: Information is excepted from public disclosure
Summary of Action Taken: Information is excepted from public disclosure
Progress: Information is excepted from public disclosure

Report No.: 2016-405
Report Date: 8/31/2016
Name of Report: Patch Management
Recommendations: Information is excepted from public disclosure
Summary of Action Taken: Information is excepted from public disclosure
Progress: Information is excepted from public disclosure

Report No.: 2016-408
Report Date: 8/31/2016
Excepted from public disclosure
II. Internal Audit Plan for Fiscal Year 2016
The following matrix details the status of the Fiscal Year 2016 Audit Plan:
Project No. | Project Title | Report Date | Project Status
----------- | ------------- | ----------- | --------------
Financial Audits
16-100 | FY15 Financial Statement Audit (year-end) | Report issued by Deloitte at UT System level | Complete
16-101 | FY16 Financial Statement Audit (interim) | Report issued by Deloitte at UT System level | Complete
16-102 | Physicians Referral Service Practice Plan | N/A | Project 16-303 served as the PRS Audit
16-103 | Segregation of Duties and Account Reconciliations | 10/28/2015 | Complete
16-104 | Economic Development Agreement | Consulting Project – Verbal comments provided to management | Complete
16-105 | Purchasing Review | 8/26/2016 | Complete
Risk-Based Audits
16-106 | Charge Capture – Division of Pathology and Laboratory Medicine | Pending | In Progress
16-107 | Travel and Entertainment – Development Office | 5/19/2016 | Complete
16-108 | Construction Activities - Facilities’ Service Vendor Audit | 8/31/2016 | Complete
16-903 | Travel and Business Entertainment Expense Review | 8/31/2016 | Complete
Operational Audits
UT System Requested / Externally Requested Audits
16-200 | Presidential Housing, Travel, and Entertainment | 5/13/2016 | Complete
16-201 | Executive Travel and Entertainment | 6/23/2016 | Complete
Risk-Based Audits
16-202 | Security Clearance for Contractors | Consulting Project – Verbal comments provided to management | Complete
16-203 | Onboarding of Visiting Scientists | 6/23/2016 | Complete
16-204 | Departmental Review – Thoracic Surgery | 1/15/2016 | Complete
16-205 | Division of Surgery Review | 3/15/2016 | Complete
16-206 | Departmental Review - Smithville | 8/31/2016 | Complete
16-207 | Dining Services Cash Handling | N/A | Cancelled
16-208 | Anti-Fraud Initiative | 8/31/2016 | Complete
16-306 | Medical Device Maintenance and Security Assessment | Pending | In Progress
Management Requested Audits
- | General Consultation with Management | N/A | Complete
- | Institutional Committee Participation | N/A | Complete
- | Management Involvement on Co-sourced Construction Projects | N/A | Complete
Consulting Projects
16-209 | Division of Pharmacy – Business Operations Review | Pending | In Progress
16-210 | Division of Radiation Oncology – Charge Capture Assessment | 8/30/2016 | Complete
16-211 | EHR OneConnect (EPIC) | Consulting Project – Verbal comments provided to management | Complete
16-212 | Division of Diagnostic Imaging – Charge Capture Assessment | 8/30/2016 | Complete
Compliance Reviews
Excepted from public disclosure
Information Technology Audits
UT System Requested / Externally Requested Audits
16-400 | Deloitte Financial Audit Support | Report issued by Deloitte at UT System level | Complete
Risk-Based Audits / Consulting Projects
16-401 | Cerner Millennium Helix Implementation | Pending | In Progress
16-402 | Post ICD-10 Audit EPIC Integration | Pending | In Progress
16-403 | Cybersecurity / NIST | 7/5/2016 | Complete
16-404 | Data Loss Prevention (Information Security) | 7/5/2016 | Complete
16-405 | Patch Management | 8/31/2016 | Complete
16-406 | EPIC – Post Implementation Work | N/A | Merged with 16-401
16-407 | Clinical Devices | Pending | In Progress
16-408 | Excepted from public disclosure | |
Management Requested Audits
15-409 | OneConnect Program Expenditure Process Assessment | 11/23/2015 | Complete
Other IT Projects
- | IT Follow-up | N/A | Complete
- | Knowledge Sharing and/or Training Documentation Projects | N/A | Complete
- | IT Liaison Activities | N/A | Complete
- | IT Risk Assessment - FY 17 | N/A | Complete
- | Financial and Operational Audit Assistance | N/A | Complete
- | Administrative Activities | N/A | Complete
Follow-Up Audits
- | Follow-up Audits (Quarterly Reporting and Validation) | N/A | Complete
Projects
Development - Operations
- | Internal Quality Assurance Activities | N/A | Complete
- | Internal Audit Committee Preparation/Participation | N/A | Complete
- | Institutional Risk Assessment & Work Plan Development | N/A | Complete
- | TeamMate Software Upgrade | N/A | Complete
- | All-Hazards Risk Leadership Council | N/A | Complete
Development – Initiatives & Education
- | UT System Coordination | N/A | Complete
- | Professional Organization/Association Participation | N/A | Complete
Carry Forward
15-104 | Nocturnal Programs | 11/23/2015 | Complete
15-108 | Collection of Patient Co-Payments | 7/5/2016 | Complete
15-107 | Clinical Services Spot Agreements | 9/28/2015 | Complete
Investigations
- | Various investigations | Consulting Projects – Verbal comments provided to management | Complete
Key: Audit / Project cancelled; Audit / Project added to Plan
Compliance with the Benefits Proportionality Audit Requirements for Higher Education Institutions

At the request of the Governor, an internal audit of the proportionality of higher education benefits process was performed during fiscal year 2016. A consistent audit methodology has been deployed across the UT System that assessed the reporting process and the accuracy of benefits funding information provided to the State Comptroller, as applicable under Rider 8, page III-41, of the General Appropriations Act (84th Legislature, Conference Committee Report). An audit of the benefits proportionality process will also be conducted during fiscal year 2017 and will comply with Rider 8, page III-41, of the General Appropriations Act (84th Legislature, Conference Committee Report). The audit will be complete by February 28, 2017.

Compliance with the Purchasing and Contracting Requirements for Higher Education Institutions

Senate Bill 20 (84th Legislative Session) made several modifications and additions to the Texas Government Code (TGC) and Texas Education Code (TEC) related to purchasing and contracting. Effective September 1, 2015, TEC 51.9337 requires that “The chief auditor of an institution of higher education shall annually assess whether the institution has adopted the rules and policies required by this section and shall submit a report of findings to the state auditor.” The MD Anderson Cancer Center Internal Audit Department conducted this required assessment for fiscal year 2016 and found the following:

Based on review of current institutional policy and the UT System Board of Regents’ Rules and Regulations, MD Anderson Cancer Center has generally adopted all of the rules and policies required by TEC 51.9337. Review and revision of institutional and System policy is an ongoing process. These rules and policies will continue to be assessed annually to ensure continued compliance with TEC 51.9337.
III. Consulting Services and Nonaudit Services Completed
Project No.: 2016-104
Project Title: Texas Economic Development Agreement
Report Date: Consulting – Verbal comments provided to management
Project Objective: To review the reporting methodology and schedules for the annual compliance verification of job creation for the Texas Economic Development Agreement.
Services / Observations / Results / Recommendations: The methodologies appeared consistent with previous submissions. Nothing came to our attention that would indicate the Annual Compliance Verification was materially misstated.

Project No.: 2016-200
Project Title: Presidential Housing, Travel and Entertainment
Report Date: Consulting – Assisted University of Texas System Audit Office
Project Objective: To assist/coordinate audits by UT System to determine if travel and entertainment activities and expenditures of the President and his spouse are conducted in accordance with UT System and MDACC policy.
Services / Observations / Results / Recommendations: Internal Audit assisted The University of Texas System Audit Office (UT System) by providing documentation from institutional systems for review. Any recommendations for improvement were made by UT System.

Project No.: 2016-202
Project Title: Security Clearance for Contractors
Report Date: Consulting – Verbal comments provided to management
Project Objective: To determine whether appropriate security clearance (criminal background checks, badging, access, etc.) has been consistently provided for contracted services and independent contractors in accordance with contract provisions.
Services / Observations / Results / Recommendations: A consistent process was developed for conducting criminal background checks for all contractors entering the institution.

Project No.: 2016-208
Project Title: Anti-Fraud Initiative
Report Date: Consulting – Verbal comments provided to management
Project Objective: Utilize external consultants to identify potential fraudulent activity, follow up on reports from the consultants, and report results to management.
Services / Observations / Results / Recommendations: An external vendor performed forensic data mining analysis of accounts payable, vendor, and patient accounting information. Internal Audit conducted a detailed review of the results and did not identify any improprieties or errors that warranted further review. No recommendations were made by Internal Audit as a result of this review.

Project No.: 2016-211
Project Title: EHR OneConnect (EPIC)
Report Date: Consulting – Verbal comments provided to management
Project Objective: To consult with management and coordinate with consultants regarding the design and implementation of the electronic health record.
Services / Observations / Results / Recommendations: The EHR Risk Oversight Council identified financial, compliance, and information security control risks throughout the OneConnect implementation and monitored the status of remediation efforts. Verbal updates were provided to management throughout the project.

Project No.: -
Project Title: Various investigations
Report Date: N/A
Project Objective: To conduct investigations as necessary.
Services / Observations / Results / Recommendations: Information was provided to appropriate levels of management.
IV. External Quality Assurance Review (Peer Review)
V. Internal Audit Plan for Fiscal Year 2017
FY 2017 Audit Plan

Audit/Project | Budgeted Hours | % of Total | Description
------------- | -------------- | ---------- | -----------
Risk Based Audits
Charge Capture - Division of Anesthesiology and Critical Care | 700 | | To conduct a charge capture audit of select areas within the Division to determine if services provided were captured and recorded appropriately. (Sustainability - Charge Capture)
Charge Capture - Regional Care Centers | 700 | | To ensure that charge capture for professional services at community hospitals is accurately captured and recorded. (Sustainability - Charge Capture)
Nursing Charge Capture | 750 | | To ensure that charge capture for nursing services is accurately captured and recorded. (Sustainability - Charge Capture)
Denials Management | 650 | | To conduct an assessment to determine the root cause of denials and assist management with identifying possible solutions to reduce future denials. (People We Serve - Patient Registration)
Excepted from public disclosure | 650 | |
Payroll Review | 600 | | To assess the governance structure and key controls over payroll processes, including employee set-up, payroll adjustments and corrections, reconciliations, interfaces, tax compliance, accuracy of the payroll calculation, and any other related processes. (Systems That Support - Payroll)
Division of Pediatrics Review | 700 | | To provide a general assessment of the financial, administrative, and compliance controls within the selected division. (People Who Serve, Science That Enables, Systems That Support)
Departmental Review - Infectious Diseases, Infection Control & Employee Health | 600 | | To provide a general assessment of the financial, administrative, and compliance controls within the selected department. (People Who Serve, Science That Enables, Systems That Support)
Excepted from public disclosure | 450 | |
Excepted from public disclosure | 600 | |
Physicians Referral Service (PRS) Practice Plan | 450 | | To conduct the annual financial review of the PRS Practice Plan, as required by UTS 155. The scope of this project will be consistent for all applicable UT System components and will be determined by UT System. (Systems That Support - Expenses/Accounts Payable)
Information Technology Audits
PeopleSoft 9.2 Upgrade | 300 | | Perform a post-implementation review for the PeopleSoft 9.2 upgrade to determine if project objectives were successfully met, gain an understanding of the effectiveness and efficiency of project management practices and of the integration with EPIC, and determine vulnerabilities for the application from the following perspectives: operating effectiveness, ITGCs, security, reporting, and compliance. (Systems That Support)
Excepted from public disclosure | 400 | |
Asset Management | 400 | | Evaluate the asset management process from procurement, commissioning, inventory, and decommissioning for assets including laptops, iPads, iPhones, servers, medical devices/workstations, and applications (including cloud/software as a service). (Systems That Support)
System Portfolio and Roadmap for System Retirement | 350 | | Assess the application portfolio and supporting organizational costs/headcounts, as well as the status of specific systems identified as replaced by recent implementations, to determine the plan for and progress of decommissioning. Evaluate the roadmap for retiring and decommissioning legacy systems replaced by recent implementations such as Epic, PeopleSoft, etc. Consider the cost to the institution and assess the risks (security, integrity, data availability, support, etc.) to the institution of continuing to maintain legacy systems. (Systems That Support)
Epic - Post Implementation and Governance Process | 350 | | Perform a post-implementation review for Epic to evaluate functionality (charge capture, interfaces, etc.), optimization, and vulnerabilities for the application from the following perspectives: operating effectiveness, ITGCs, security, and compliance. Evaluate the governance process post go-live for addressing issues and optimizing the system. (Systems That Support)
Pharmacy System Assessment | 300 | | Perform a post-implementation review for Willow/Epic to evaluate functionality (charge capture, interfaces, etc.) and assess the controls in place post go-live related to the pharmacy applications from the following perspectives: operating effectiveness, ITGCs, security, and compliance. (Systems That Support)
Management Involvement on Co-Sourced IT Projects | 150 | | To oversee/facilitate audits of IT activities.
Construction Activities | 500 | | To conduct a review of key construction activities and/or processes. Reviews will be co-sourced, utilizing staff with construction expertise. (Systems That Support - Facilities Management)
Management Involvement on Co-Sourced Construction Projects | 50 | | To oversee/facilitate audits of construction activities.
Carry-Forward Audits
Charge Capture - Pathology and Laboratory Medicine | 350 | | To conduct a charge capture audit of select areas within the Division to determine if services provided were captured and recorded appropriately. This will be an integrated audit with the IT Internal Auditors. (Sustainability - Charge Capture)
Risk Based Audits Subtotal | 10,000 | 50% |
Required Based Audits (Externally and Internally)
FY 2017 Financial Statement Audit (year-end) | 325 | | To assist Deloitte with testing relating to the External Financial Statement Audit. (Systems That Support - Financial Reporting)
FY 2017 Financial Statement Audit (interim) | 325 | | To assist Deloitte with testing relating to the External Financial Statement Audit. (Systems That Support - Financial Reporting)
Deloitte Financial Audit Support - IT | 160 | | Perform IT general controls procedures as requested by MDACC to support the Deloitte Financial Audit of MDACC. (Systems That Support - Financial Reporting)
Texas Administrative Code (TAC) 202 | 350 | | To evaluate controls and processes at MD Anderson for compliance with TAC 202 regulatory requirements. (Systems That Support)
Segregation of Duties and Account Reconciliations | 250 | | To review the institution's Monitoring Plan and departmental subcertifications and validate the assertions made by management regarding segregation of duties and account reconciliations, as required by UTS 142.1. (Systems That Support - Financial Reporting)
Economic Development Agreement | 100 | | To review the reporting methodology and schedules prepared for the annual compliance verification of job creation targets associated with the Economic Development Agreement between MDACC, UT HSC-Houston, and the State of Texas. (Systems That Support - Corporate Compliance)
Presidential Housing, Travel, and Entertainment | 50 | | To assist/coordinate audits by UT System to determine if travel and entertainment activities and expenditures of the President and his spouse are conducted in accordance with UT System and MDACC policy. (Systems That Support - Expenses/Accounts Payable)
Executive Travel and Entertainment | 300 | | To perform audits to determine if travel and entertainment activities and expenditures of executive management are conducted in accordance with UT System and MDACC policy. (Systems That Support - Expenses/Accounts Payable)
Required Audits Subtotal | 1,860 | 9% |
Consulting Projects
Employee and Faculty Criminal Background Checks | 500 | | Internal Audit will partner with key stakeholders to ensure a background check is conducted for all employees, including faculty, as part of the on-boarding process. (People Who Serve - Personnel Management)
Excepted from public disclosure | 350 | |
Strategic Industry Ventures | 250 | | Internal Audit will partner with key process owners to identify opportunities to mitigate significant business risks during the contracting process for strategic industry ventures. This effort will include, but not be limited to, collaboration with Strategic Industry Ventures, Institutional Compliance, Legal, Research Administration, and Clinical Research Administration. (Science That Enables - Research Administration)
Excepted from public disclosure | 200 | |
General Consultation with Management | 150 | | To consult with management on various high-risk topics.
Institutional Committee Participation | 225 | | To participate, in a consulting role, on committees within the institution.
All-Hazards Risk Leadership Council | 120 | |
Consulting Projects Subtotal | 1,795 | 9% |
Follow-Up
Quarterly Reporting / Monitoring Activities | 250 | |
Validation Activities | 500 | |
IT Follow-up Validation Activities | 250 | |
Follow-Up Subtotal | 1,000 | 9% |
Reserve
Reserve for Just-In-Time Auditing/Advisory Services | 1,450 | | Reserve will be used to respond to management’s requests in high-risk areas, as well as to address changing risks in our environment throughout the year.
Reserve for Investigations | 400 | | Reserve will be used to respond to any investigative requests throughout the year.
IT Reserve Just-In-Time Auditing/Advisory Services | 100 | | Reserve will be used to respond to management and Internal Audit’s requests for assessments in emerging high-risk areas related to IT.
IT Financial and Operational Audit Assistance | 100 | | Participation in limited scope activities with the Internal Audit team.
Reserve Subtotal | 2,050 | 10% |
Development - Operations
Internal / External Quality Assurance Activities | 400 | | To conduct on-going reviews of audits/projects for compliance with the International Institute of Internal Auditors (IIA) standards, and to prepare for an External Quality Assurance Review.
Internal Audit Committee Preparation / Participation | 182 | | To prepare audit committee packets and participate in quarterly meetings.
Institutional Risk Assessment and Work Plan Development | 350 | | To update the comprehensive risk assessment and Work Plan.
Audit Strategic Planning | 550 | | To perform strategic planning and manage the overall audit activity.
IT Risk Assessment FY17 | 250 | | Updating of the IT risk assessment and audit plan.
IT Administrative Activities | 150 | |
Development – Operations Subtotal | 1,882 | 9% |
Development - Initiatives & Education
UT System Coordination | 500 | | To participate in UT System initiatives.
Professional Organization / Association Participation | 100 | | To participate in the IIA Houston Chapter Annual Conference.
Training / Continuing Professional Education | 818 | |
IT Knowledge Sharing and/or Training Documentation Projects | 80 | | Sharing thought leadership and perspective, and bringing in technical resources to assist where needed.
IT Liaison Activities | 80 | | Participation in staff meetings, the UT InfoSec, IT Leaders meetings, etc.
Development – Initiatives & Education Subtotal | 1,578 | 8% |
TOTAL HOURS | 20,165 | 100% |
Additional “high” risks not included in the FY 2017 Work Plan are found in the following areas:
- Timely patient access to services
- Updating of patient records
- Research protocol billing and coding
- Documentation to support hiring decisions
- Adherence to institutional badging process
- Maintenance of DRG-exempt status
- Business continuity
- Billing and reimbursement
- Privacy and information security regulated activities and work force training
- Regulated research activities
- Operational efficiencies
- Quality and performance metrics

Our risk assessment methodology included interviews and/or questionnaires with various levels of management in the institution. Identified risks were organized into institution-wide auditable units. For each identified risk, impact and probability were assessed. Our work plan was developed from the highest risk areas in the institution that are not already being addressed by other mitigation strategies.
VI. External Audit Services Procured in Fiscal Year 2016
Service | Provider
------- | --------
Opinion on financial statements of UT MD Anderson Cancer Center | Deloitte
Opinion on financial statements of UT MD Anderson Physicians Network | Deloitte
Opinion on financial statements of UT MD Anderson Services Corporation | Deloitte
Information Technology Internal Audit Co-Sourcing | PwC
Electronic Health Record Consulting | PwC
Construction Internal Audit Co-Sourcing | Protiviti
Construction Internal Audit Co-Sourcing | Townsend
VII. Reporting Suspected Fraud and Abuse