08-09 UAC Annual Report 110909a FR -...

2008-09 UAC ANNUAL REPORT V.


Page 1: 08-09 UAC Annual Report 110909a FR - USFsystem.usf.edu/.../pdfs/upcoming-meetings/111909/0809UACAnnual… · (Banner) to FAST (PeopleSoft) interface. Our report 08-053 was issued



University Audit & Compliance

Debra Gula, CPA - Executive Director
Jeff Muir, JD - Chief Compliance Officer
Kate Head, CPA, CFE, CISA - Associate Director
Steve Cuppett, CPA, CIA, CISA - Assistant Director
Amy Alspach, CPA, CFE - Assistant Director
Josh Maslyn, MCSE, CISA - Information Technology Auditor
Renee Moll, CPA - Sr. Audit Consultant
Eric Harmon, CPA - Audit Consultant
Donette Boddiford, CIA - Audit Consultant
Jessica Pecora - Audit Consultant
Anne Giles - Office Manager
Maureen Breheny - Administrative Specialist

2008-09 UAC Team (left to right) Standing: Anne Giles, Maureen Breheny, Renee Moll, Eric Harmon, Josh Maslyn, Donette Boddiford, Jessica Pecora. Seated: Steve Cuppett, Kate Head, Debra Gula, Jeff Muir, Amy Alspach

TABLE OF CONTENTS

MESSAGE FROM THE EXECUTIVE DIRECTOR

MISSION AND PURPOSE

AUDITS

o TAMPA CASHIER’S OFFICE

o RETROACTIVE EXPENDITURE TRANSFERS (NON-PAYROLL)

o PROCUREMENT CARD (PCARD) PROCESS

o OASIS TO FAST INTERFACE

o PURCHASING AND ACCOUNTS PAYABLE OVERSIGHT PROCESS

o RETROACTIVE EXPENDITURE TRANSFERS (PAYROLL)

o GRAPHICSTUDIO

DIRECT SERVICES

o CONSULTING SERVICES

o INFORMATION TECHNOLOGY

o ADVISORY SERVICES

o EXTERNAL SUPPORT & FOLLOW-UP

o INVESTIGATIONS

COMPLIANCE

ACTIVITY CHARTS

PROFESSIONAL ACTIVITIES AND CERTIFICATIONS

UPCOMING YEAR


MESSAGE FROM THE EXECUTIVE DIRECTOR

A year of managing risk…

According to the Institute of Internal Auditors, internal auditing helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. As the USF system is transitioning from financial risk management to enterprise risk management, UAC has moved from a traditional audit environment where we report unit-based compliance violations, primarily of a financial nature, to a broader, system-wide process focus to our efforts to enhance control structures, actively working with management in the identification and mitigation of the impact of risks.

A new USF System Fraud Prevention and Detection Policy was promulgated this year. UAC assists management with the evaluation of internal controls used to detect or mitigate fraud, evaluates the system’s assessment of fraud risk, and is involved in any fraud investigations. Establishing a culture of integrity is a critical component of fraud control. The Chief Compliance Officer, along with the Institutional Compliance and Ethics Council, supports management’s efforts to establish a culture that embraces ethics, honesty, and integrity. The Compliance Office also manages EthicsPoint, USF’s anonymous reporting system, and is responsible for responding to issues raised – some of which may lead to the detection of fraud.

Seven audits, six consulting services projects, and eight investigations were completed in FY 2008-09. Two audit reports were issued subsequent to year-end—Retroactive Expenditure Transfers (RETs) (Payroll) and Graphicstudio. While summaries of all of the audits are included in this report, the recommendations associated with those two audits are not included in the statistical data at June 30, 2009. In addition, two information technology reports were issued to management.

Two UAC team members recently received new professional certifications: one Certified Public Accountant and one Certified Internal Auditor. We continued to enhance our internal processes and to increase utilization by management of the Team Central web-based follow-up system.

Our 2009-10 Work Plan provides for six new audits including the Florida Centers of Excellence, Social Security Number (SSN) Collection and Exceptions Process, two core processes and two Enterprise Business Systems (EBS) audits. Two audits will carry over from the prior year (Contractual Services and Due To/Due From Accounts). We will also continue to provide Continuous Assurance activities in support of central administrative services.

We appreciate the support we receive from the President and the Board of Trustees Finance and Audit Workgroup and the cooperation from all of you in the University community who never stop striving for excellence. Thanks especially to the UAC Team for your talent and dedication. Your commitment to USF and your profession is a constant source of pride and admiration.

Debra S. Gula, CPA


MISSION AND PURPOSE

University Audit & Compliance is responsible for providing the University of South Florida with independent and objective assurance and advisory services that promote stewardship, accountability, integrity, efficiency, and compliance. These services assist the University in evaluating and improving business risk management and governance processes. The nature and scope of services provided by University Audit & Compliance include audits, reviews, management advisory services, consulting, and investigations. We are committed to upholding the values of integrity, respect, excellence, and service in the performance of our duties.

AUDITS

Tampa Cashier’s Office

UAC performed an audit of the USF Tampa Cashier’s Office for the period October 1, 2007 through March 31, 2008. Our report 08-048 was issued December 19, 2008. Our objectives were to determine existence, completeness, timeliness, and accuracy of revenues collected and assigned change/petty cash funds; to determine whether revenue collections procedures complied with laws, regulations, and university policies; and to determine if the internal control structure was adequate and controls were functioning as designed.

The Tampa Cashier’s Office has made significant improvements in their control structure since our last review (UAC 06-119 issued October 30, 2006). That review focused on OASIS (Banner) operations, which was the main cashiering function at the time. Due to the centralization of cash collections, many units have moved to Financial Accounting System (FAST) third-party billing, credit card collections, and/or lockboxes. Due to significant increases in activity recorded in FAST, our current audit included FAST revenue recording and reporting.

We made fifteen recommendations to enhance internal controls in the areas of accountability, completeness, timeliness, recordkeeping, safeguards, and policies and procedures. Four opportunities to improve operational efficiency and effectiveness were also identified. Ten recommendations had been implemented before the report was issued.

Retroactive Expenditure Transfers (Non-Payroll)

UAC performed an audit of non-payroll expenditure transfers processed by Research Financial Management (RFM) for the period July 1, 2007 through March 31, 2008. Our report 08-057 was issued March 13, 2009. This audit focused specifically on non-payroll expenditure transfers which impacted federally sponsored projects. RFM processed 415 non-payroll expenditure transfers affecting federally sponsored projects with a total value of $9,018,759 during our audit period. Our objectives were to determine if these transfers were reasonable, necessary and allocable; recorded accurately and timely; in compliance with federal and university rules, policies and procedures; properly approved; and supported by accurate and detailed documentation.

We made four recommendations to enhance internal controls in the areas of accountability, documentation, timeliness, and appropriateness. We also identified one opportunity to improve operational efficiency and effectiveness by electronically linking expenditure transfers to the original FAST transactions. Four recommendations had been implemented before the report was issued and the fifth one was in process. RFM has been actively implementing new processes and procedures that will reduce risk and increase efficiency, including the acquisition of specialized data analysis software to facilitate continuous monitoring.

Procurement Card (PCard) Process

UAC performed an audit of the procurement card (PCard) process for the period October 1, 2007 through March 31, 2008. Our report 08-050 was issued April 6, 2009. We specifically excluded travel expenditures from this audit. Also, a separate report was issued on April 6, 2009 (08-050 IT) of control issues directly related to information security.

The Division of Purchasing and Property Services, which reports to Campus Business Services, and the Department of Accounts Payable, which reports to the University Controller, share responsibility for the overall administration of the PCard program. During the six-month audit period, 35,928 separate, non-travel PCard transactions were recorded valued at $12,094,816. Our objective was to determine if the control environment would ensure that all transactions were accurately and timely recorded; properly supported; in compliance with laws, regulations and university policies; and that errors and irregularities would be prevented or detected timely.

Compliance with PCard policies by the cardholders has significantly improved since our last audit (04-289 issued June 29, 2004). Opportunities exist, however, to improve the card issuance and limit increase processes. The Purchasing PCard Department and the Accounts Payable PCard Compliance Department received six additional staff members in Fall 2007 to establish a more comprehensive monitoring and oversight process. This increase in staffing has allowed the departments to centralize storage of PCard support, increase monitoring, enhance visibility with the user, and follow up on violations of policies more timely.

We made eighteen recommendations to enhance internal controls in the areas of compliance, accuracy/completeness, accountability, safeguards/security, and procedures and training. We also identified three opportunities to improve operational efficiency and effectiveness: to add an independent review of monitoring activities to ensure appropriate follow-up, to more effectively utilize technology to assist with monitoring efforts, and to eliminate American Express cards. Seven recommendations had been implemented before the report was issued, three were partially resolved, and twelve were in process.

OASIS to FAST Interface

UAC performed an audit of the OASIS (Banner) to FAST (PeopleSoft) interface. Our report 08-053 was issued June 3, 2009. The OASIS system is a subsidiary system which is used to record student registration, tuition, fees, financial aid, and related transactions. In addition, the main cashiering module is contained in OASIS. In order for these transactions to be recorded in the General Ledger, data must be passed between the two systems. Our objective was to determine if the control environment would ensure all data transferred was accurate, complete, secure, and timely. One of the operational strengths we noted was an excellent change management process implemented by Information Technology for EBS systems.


We identified seventeen instances where internal controls needed to be strengthened including security issues in OASIS, AppWorx, and FAST; lack of reconciliation; missing data input validation checks; and manual daily processes. As a result of the pervasive control issues identified, we were unable to express overall assurance on the effectiveness of the information system’s control environment.

While interface activity from the audit period was rendered unauditable based on the pervasive control issues, we were able to reconcile interfaced data for six sample dates from the audit period through a collaborative effort between UAC and the Controller’s Office requiring extensive time and resources. The interfaced data from these six sample dates was transferred accurately and completely from OASIS to FAST, but the data was not transferred timely.

We also identified two opportunities to improve operational efficiency and effectiveness by automating all daily core processes and timely resolving processing errors to free up system resources. Six recommendations had been implemented before the report was issued and twelve were in process. The Controller’s Office will continue to look for ways to reduce the lag time in processing journals due to chartfield validation and budget errors.

Purchasing and Accounts Payable Oversight Process

UAC performed an audit of the purchasing and accounts payable oversight process for the period July 1, 2007 through March 31, 2008. Our report 08-059 was issued June 4, 2009. The Division of Purchasing, which reports to Campus Business Services, and the Department of Accounts Payable, which reports to the University Controller, share primary responsibility for the overall procurement process.

Our audit focused specifically on the internal controls and monitoring of goods and services encumbered through the purchase order (PO) process in the Purchasing and Accounts Payable modules within the University’s PeopleSoft Financial Accounting System (FAST). During the nine-month audit period, over 20,039 separate purchase orders valued at $237 million were generated under the purchase order process. Our objective was to determine if the control environment would ensure purchases were properly approved, accurately and timely recorded, properly supported, and in compliance with laws, regulations, and University policies. In addition, we assessed whether errors and irregularities would be prevented or detected timely.

Significant unmitigated fraud risk exists within the PO process as a result of poor controls over vendor setup and validation, allowing initiators to distribute POs to vendors, allowing non-vendor created invoices, and special handling of checks that returns asset custody to the initiating unit. As a result, the only independent control to prevent phantom vendors from occurring is the receipt process, which is subject to significant risk of social engineering, especially in the area of contractual services. During a test of duplicate purchases, we identified fourteen duplicate vendor invoice payments totaling $52,702 that could be directly related to the presence of duplicate vendor numbers. As a result of the material deficiencies in the control issues identified, we are unable to express overall assurance that the control structure would prevent or detect errors or irregularities on a timely basis.

In addition to the six instances related to the validity of purchases and payments where fraud risk exists, we made three recommendations regarding the effectiveness of guidance and oversight. Two of the recommendations had been partially implemented before the report was issued. Some of the action plans, especially the implementation of the FAST Asset Module (Issue 7), will require significant effort and involve additional resources.

Retroactive Expenditure Transfers (Payroll)

UAC performed an audit of payroll retroactive expenditure transfers (RETs) processed by University Payroll and Research Financial Management (RFM) for the period January 1, 2008 through December 31, 2008. Our report 09-050 was issued on August 10, 2009. During the twelve-month audit period, 4,128 separate RETs were processed valued at $11 million. Of these, 1,493 (or 36%) valued at $3 million were related to sponsored projects. Our audit objectives were to determine if RETs were reasonable, necessary and allocable; recorded accurately and timely; in compliance with Federal and University rules, policies and procedures; and properly approved and supported by accurate and detailed documentation.

We made seven recommendations to strengthen internal controls in the areas of accountability, timeliness, guidance and oversight, and IT security. RETs not impacting sponsored projects, such as those from state appropriations and internal funding sources, are processed by University Payroll. University Payroll has not adopted comprehensive guidelines which will ensure consistent, timely, and accurate processing of RETs. Our testing identified instances where proper supporting documents and appropriate approvals were not obtained. RETs impacting sponsored projects were accurate, sufficiently documented, and properly authorized. RETs impacting sponsored projects were consistent with the terms and conditions of the award.

Timeliness of RETs, however, must be improved to ensure accurate and complete financial reporting. The current methodology for identifying RETs (manually generated run control ID) hampers the ability of management to link the RETs with the original transactions and ensure that all RETs submitted through the Right Now Service are processed.

Graphicstudio

UAC performed an audit of Graphicstudio for the period July 1, 2008 through December 31, 2008. Our report 09-033 was issued on September 30, 2009. During this six-month period, Graphicstudio collected $643 thousand in revenues from artwork sales and subscription fees and received $328 thousand in State appropriations. During the same period, they expended $799 thousand, including $375 thousand in payroll costs which were not included in this review. Graphicstudio financial activities are recorded in three separate legal entities: USF Foundation, USF Research Foundation, and USF. Our audit objectives were:

To provide an assessment of whether systems and controls are working effectively and to assist management in implementing improvements where weaknesses are identified;

To determine whether controls ensure stated objectives are achieved;

To determine whether University (USF, USF Foundation, and USF Research Foundation) rules, policies and procedures are complied with; and,

To determine whether assets are safeguarded, records are complete and accurate, and resources are used efficiently, economically, and effectively.


Significant unmitigated fraud risk existed within the revenue and inventory processes as a result of inadequate controls over recordkeeping and financial reporting, the assignment of incompatible duties, and a lack of independent monitoring and oversight. As a result, artwork could be distributed without a corresponding collection and deposit of funds owed. Due to the material deficiencies in the control issues identified, we are unable to express overall assurance that the control structure would prevent or detect errors or irregularities on a timely basis. In addition, accurate, reliable, consolidated financial reports that would provide a comprehensive view of Graphicstudio activities were not prepared and reviewed on a regular basis. Significant tax issues related to the sale and distribution of artwork, previously raised by the University Tax Department, had not been resolved.

Since we could place no reliance on the controls over revenue and inventory activities, our detailed audit testing was limited to expenditures. Overall, expenditures were adequately supported and accurately recorded in FAST, USF Foundation or USF Research Foundation records. The Dean’s Office has provided independent monitoring and oversight in this area. There are opportunities to enhance internal controls in the areas of expenditures and artists’ contracts and agreements, including ensuring that expenditures are approved in advance, artist payments are made in accordance with contractual terms, and documentation of receipt of goods or services is maintained. Ten out of twenty recommendations had been completed before the report was issued.

UAC DIRECT SERVICES, FY 2008-09 (chart): Audits/Reviews 54%; Follow-Up 3%; Consulting Services 23%; Investigations 13%; Contingencies 7%


DIRECT SERVICES

Consulting Services

Consulting projects are collaborations between management and UAC. Services may be requested in advance and included as part of the annual work plan; however, many requests are made during the year. A project’s objective will vary depending on the needs of management, but may include improving a process or procedure, assisting in the implementation of a new system, interpreting laws, rules, policies, and other guidance or facilitating education/training programs. These services are proactive in nature and can be helpful to any University function or department.

During 2008-09, six consulting projects were performed for the USF system, including University Services, USF Health, and the USF Research Foundation. Major projects are outlined below:

University Services

UAC performed a limited internal control review of the expenditure accrual process at the request of the University Controller’s Office. Our review focused on (1) open purchase orders, (2) after-the-fact purchase orders, and (3) unencumbered/direct pay expenditures. Our review of the process used to identify unrecorded liabilities identified the following material deficiencies in the University’s accrual processes:

o The University has not adopted a full accrual accounting methodology. Expenses are recorded when invoices are entered and paid, rather than when incurred. As a result, management cannot rely on the FAST reports to accurately reflect expenses or outstanding liabilities in the proper period.

o Controls are not in place to ensure that revenues and expenditures are properly matched and recorded in the same accounting period. There are inadequate controls in place to ensure that expenditures are approved, vouchered (invoices entered), and paid on a timely basis since decentralized units do not consistently enter requisitions in advance of payment and/or submit invoices to Accounts Payable timely.

o A manually-driven process is performed at year-end to accrue liabilities, but not quarterly when financial statements are also being prepared. The FY 2006-07 accrual process relied upon a threshold ($1,000) to review supporting documentation through an established “cut-off” date (August 20, 2007).

o The receiving function in FAST, as currently configured, cannot be relied upon to provide an accurate indicator of the date goods or services were received and a liability accrued.

o USF does not use the receiving function for direct payments (no purchase order) and relies upon a receipt date placed in a multi-purpose field, with no data validity controls.

As a result of our review, the process for FY 2007-08 was changed. The Controller’s Office now utilizes the system’s receipt date (which still has validity issues), the invoice date, and the description to review all vouchered expenditures for potential accrual. If they could not determine if an amount should be accrued, then invoices greater than $1,000 were reviewed manually. Our report contained eight recommendations to permit proper accounting for liabilities and the monitoring of activities based on the current financial position of the institution rather than cash outflows. Business process changes recommended will require a substantial shift in the control environment surrounding the expenditure process.

USF Research Foundation

As a result of the risk assessment performed for management in July 2008, UAC was asked to review the management and reporting of contracts and grants by the Research Foundation and cash collections. Our objective for the contracts and grants test work was to determine if the control environment would ensure contracts and grants were properly approved, properly supported, appropriately assigned to the Research Foundation for management, accurately and timely recorded, and in compliance with related laws, regulations and University policies. No testing of specific expenditures for compliance with grantor terms and conditions was performed.

There are opportunities for the Research Foundation to improve their contract and grant management procedures. Policies need to be developed and implemented to ensure the Research Foundation is appropriately managing contracts and grants according to their authority and infrastructure. The Research Foundation also needs to revise current accounting practices to ensure contracts and grants are accurately and timely accounted for. We have made nine recommendations to enhance compliance, reporting, record-keeping, and policies and procedures for the Research Foundation.

The objective of our cash testing was to determine if the control environment would ensure cash received was accurately and timely recorded, properly reconciled between bank records and the general ledger system, completely recorded, and in compliance with related laws, regulations and University policies. While no testing of expenditures or accounts payable was performed, we did consider the impact of disbursements on the bank reconciliation and other bank controls.

Significant unmitigated fraud risk resulted when incompatible cash receipts roles were combined along with inadequate controls over recordkeeping, financial reporting, systems access, and a lack of independent monitoring and oversight. As a result, incoming funds could be received and not deposited without being detected. The completed reconciliations submitted to management lacked the detail necessary to effectively review the reconciliations for completeness or accuracy.

Software applications used to support and prepare the financial statements for the Research Foundation were not being used to their full capacity, and both efficiency and controls would be improved if additional system functionality was activated. An existing Banner feature that would require approvals for certain entered transactions was not activated, nor was an access control feature in the online banking system that would require independent authorizations for online banking transactions. Because of the material control deficiencies identified, we are unable to express overall assurance that the control structure would prevent or detect errors or irregularities on a timely basis.

Other Efforts

UAC also assisted University management with a control assessment of the Byrd Institute, a compliance review of the Office Depot contract, and a limited control review of the Pathology & Cell Biology Auxiliary.


Information Technology

UAC’s information system projects are performed in accordance with the ISACA (Information Systems Audit and Control Association) Standards and Guidelines. ISACA has designed this guidance as the minimum acceptable level of performance required to meet the professional responsibilities set out in the ISACA Code of Ethics for Auditing and Control Professionals. These Standards and Guidelines are consistent with the Control Objectives for Information and Related Technology (COBIT)--an IT governance framework which permits management to bridge the gap between control objectives, technical issues, and business risk. There are currently three Certified Information Systems Auditors (CISAs) on the UAC team.

This year the IT Audit Team focused on factors which impacted the confidentiality, integrity, and availability of systems and resources held within these systems. Confidentiality not only includes whether sensitive data is secured, but also whether access is effectively controlled. Emphasis this year also included ensuring entitlement reviews were being performed on a periodic basis, user role assignments were compatible, and access levels were appropriate.

In addition to the audits of the OASIS to FAST interface and Purchasing/Accounts Payable Oversight, the IT Audit Team issued two reports resulting in eleven formal recommendations. Due to the sensitive and confidential nature of these recommendations, details are not included in this report.

Advisory Services

UAC is committed to providing proactive advice on internal controls, operations, and compliance. Requests for advisory services may come from various management levels throughout the University. The information we provide through these services assists management in decision-making and improving operations. Results of these types of services are communicated verbally or through memorandums.

External Support and Follow-Up Activity

In accordance with the International Standards for the Professional Practice of Internal Auditing, UAC follows up on all internal audit observations to determine if corrective actions have been taken. We also follow up on recommendations made in reports issued by the State of Florida Office of the Auditor General or other external agencies. Utilizing a web-based tracking system, UAC can efficiently and effectively manage and document follow-up related activities. Two Follow-Up Reports, covering the period from July 1, 2008, through June 30, 2009, were issued during the fiscal year. UAC reported on the implementation status of agreed-upon corrective actions. The recommendations made during this period related to the following categories:

o Accountability and responsibility
o Accuracy and completeness
o Accuracy and timeliness of recording
o Compliance with laws, regulations, or University policies
o Effective and efficient operations
o Information security
o Security and safety
o Separation of duties
o Timely and properly authorized
o Training and guidance


UAC RECOMMENDATIONS (chart): Accountability & Responsibility 14%; Accuracy & Completeness 17%; Accuracy & Timeliness of Recording 10%; Compliance with Laws-Other 8%; Compliance with Laws-Reg-Fed 9%; Effective & Efficient Operations 7%; Information Security 21%; Security & Safety 2%; Separation of Duties 2%; Timely & Properly Authorized 2%; Training & Guidance 8%

IMPLEMENTATION (chart): bars by recommendation category (Accountability & Responsibility through Training & Guidance) on an axis from 0 to 35; status legend: No Longer Applicable, Outstanding, Accepts Risk, Closed-Verified, Closed-Not Verified

Investigations

The President and the Board of Trustees have charged UAC with performing investigations related to the University and its related organizations. An investigation is an objective review of evidence related to a complaint or allegation. Complaints and concerns may be received from the University’s EthicsPoint reporting system or directly from an individual, or may be forwarded from various University offices or state and local government agencies. Reports of concerns, complaints, and allegations may or may not be supported by the facts. That is why it is critical that the investigative process be managed discreetly and confidentially to ensure the integrity of the process and protect the reputations of named individuals. Florida law supports the need for confidentiality during investigations and permits active investigations to be classified as exempt from public record. Only those with a legitimate business need are provided with information related to ongoing investigations.

Approximately 13% of our project effort (direct services) during 2008-09 was expended on investigations. Out of fifteen total complaints, three were referred to other units and four remained open at June 30, 2009. Of the eight completed investigations, the complaints were unsubstantiated in two cases. However, six of the allegations were substantiated in the following categories:

UAC Investigations

| Classification | No. of Investigations |
|---|---|
| Fiscal misconduct - research | 2 |
| Fiscal misconduct - non research | 2 |
| Failure to protect data/assets from loss | 1 |
| Misappropriation | 1 |
| Total | 6 |

Three of the eight completed investigations required more than 40 hours of effort. One investigation related to the loss of two travel advances due to theft. Our review identified significant control issues over the travel advance process, including the issuance of excessive travel advances, significant delays in repayment, and concurrent advances being outstanding. UAC identified over $168,000 in advances which were not utilized and were returned to the USF Controller’s Office. Two of the investigations related to PCard misuse. In both instances, the PCard administrator identified the irregularity and the PCard holder was required to repay the funds. UAC was asked to review all PCard utilization of these employees.

COMPLIANCE

The USF Institutional Compliance and Ethics Program was established in 2007 with the appointment of a University Chief Compliance Officer (CCO) and the Institutional Compliance and Ethics Council (ICEC), composed of university compliance professionals, managers of high-risk units, and faculty representatives. The CCO and ICEC were charged by President Genshaft and the Board of Trustees to create and maintain an effective program based on best practices to prevent, monitor, detect, and respond to non-compliance and recommend corrective actions to fully meet regulatory requirements.

Institutional Compliance and Ethics Program activities during the year included:

Major coordination and consulting project in connection with Southern Association of Colleges and Schools review of USF Regulations and Policies;
Continuation of Enterprise Risk Management process for high-risk units; completion of enterprise risk assessments in the USF Cashier’s Office, Accounts Receivable, and Cash Accounting units within the USF Controller’s Office;
Management of compliance and contractual issues and successful close-out of USF/SRI Transition Agreement;
Numerous consultation projects with USF units concerning compliance-related issues such as records archiving, identity theft, export controls, and acceptance of gifts;
Continuation of projects regarding compilation of an Employee Conduct and Ethics Guide and a Management Handbook;
Drafting and implementation of new USF system Fraud Policy and University Audit & Compliance Policy;
Initiating the implementation of a USF system-wide program for disclosure and management of conflict of interest;
Management and clearance of report backlog for the USF system confidential compliance hotline, EthicsPoint, and management of responses and/or investigations for 29 EthicsPoint reports received during the year.

Of the 29 reports received, 13 were substantiated, 13 were unsubstantiated, and 3 were in progress at year-end.

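[Chart: EthicsPoint Reports. Categories shown: Human Resources; Financial Fraud/Theft; Data Privacy/Integrity; Conflict of Interest; Research Integrity; Discrimination/Harassment; Athletics. Slice labels (number of reports, percentage): 8, 28%; 11, 38%; 1, 4%; 2, 7%; 3, 10%; 3, 10%; 1, 3%.]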

ACTIVITY CHARTS

| PROJECT | BUDGET | % | ACTUAL | % |
|---|---|---|---|---|
| DIRECT SERVICES: | | | | |
| Audits/Reviews | 4,600 | 25% | 6,085 | 33% |
| Follow-up | 500 | 3% | 386 | 2% |
| Consulting Services | 2,900 | 15% | 2,597 | 14% |
| Investigations | 1,850 | 10% | 1,437 | 8% |
| Contingencies | 1,353 | 7% | 804 | 4% |
| Total Direct Services | 11,203 | 60% | 11,309 | 61% |
| OTHER: | | | | |
| Administration | 3,845 | 21% | 2,849 | 15% |
| Staff Development | 360 | 2% | 622 | 3% |
| Holidays and Leave | 3,312 | 17% | 3,940 | 21% |
| Total Other | 7,517 | 40% | 7,411 | 39% |
| TOTAL | 18,720 | 100% | 18,720 | 100% |

UAC TOTAL HOURS FY 2008-09

Audits/Reviews, 33%
Follow-Up, 2%
Consulting Services, 14%
Investigations, 8%
Contingencies, 4%
Administration, 15%
Staff Development, 3%
Holidays and Leave, 21%

PROFESSIONAL ACTIVITIES & CERTIFICATIONS

UAC is proud of the experience and professionalism of its staff. During 2007-2008, we continued our involvement with organizations that support higher education and internal auditing activities. UAC staff members participate in a number of professional organizations which include:

Professional Organizations

Association of College and University Auditors (ACUA)
Institute of Internal Auditors (IIA)
Association of Certified Fraud Examiners (ACFE)
Information System Audit & Control Association (ISACA)
American Institute of Certified Public Accountants (AICPA)
National Association of College and University Business Officers (NACUBO)
National Council of University Research Administrators (NCURA)

Certifications

Our team maintains numerous professional certifications demonstrating their continued commitment to the audit and investigative professions. Current certifications held by our staff include:

Certified Public Accountant
Certified Internal Auditor
Certified Fraud Examiner
Certified Information Systems Auditor
Microsoft Certified System Engineer

Advanced Degrees

In addition to professional certifications, advanced degrees held by UAC include:

Master of Accountancy, University of South Florida
Master of Business Administration, University of South Florida
Master of Management - Leadership and Organizational Effectiveness, University of South Florida
Master of Education - Instructional Technology, University of South Florida
Master of Public Administration, University of South Florida
Juris Doctor, Stetson University

UPCOMING YEAR

The following chart reflects our expected allocation of personnel resources during 2009-2010.

UNIVERSITY AUDIT & COMPLIANCE FY 2009-10 WORK PLAN

Audits/Reviews, 30%
Follow-up, 3%
Consulting Services, 7%
Investigations, 10%
Contingency, 7%
Administration, 19%
Holidays/Leave, 22%
Staff Dev & Training, 2%

UNIVERSITY AUDIT & COMPLIANCE FY 2009-10 WORK PLAN

| | Hours | % of Effort |
|---|---|---|
| DIRECT SUPPORT | | |
| Audits/Reviews | | |
| Core Processes: | | |
| Contractual Services | 800 | |
| FAST A/R – 3rd party billing | 800 | |
| Grants Billing | 800 | |
| EBS: PS Travel Module (including PCards) | 800 | |
| OASIS TBD | 800 | |
| Financial/Accounting Issues: | | |
| Transfers (Due To/Due From) | 800 | |
| Academic Affairs/Research and Innovation: | | |
| Florida Centers of Excellence | 400 | |
| Compliance: | | |
| SSNs – Collection and Exceptions | 400 | |
| (subtotal) | 5,600 | |
| Follow-up; Coordinate External Audits | 500 | |
| (subtotal, Audits/Reviews and Follow-up) | 6,100 | 32% |
| Consulting Services | | |
| Export Controls | 200 | |
| ARRA reporting (GAO, OMB) | 200 | |
| Special Projects | 200 | |
| ERM: System-wide Risk Assessment | 250 | |
| Compliance/Risk Issues | 200 | |
| Emerging IT Issues | 200 | |
| (subtotal) | 1,250 | 7% |
| Investigations | 1,850 | 10% |
| Contingency | 1,300 | 7% |
| TOTAL DIRECT SUPPORT | 10,500 | 56% |
| INDIRECT SUPPORT | | |
| Indirect Support | 840 | |
| Administration | 2,825 | |
| TOTAL INDIRECT SUPPORT | 3,665 | 20% |
| OTHER | | |
| Staff Development & Training | 360 | |
| Staff Vacancy (2 months) | 350 | |
| Holidays and Leave (includes Leave of Absence) | 3,845 | |
| TOTAL OTHER | 4,555 | 24% |
| TOTAL HOURS AVAILABLE (CAE + 8 STAFF) | 18,720 | 100% |

*Approved by Board of Trustees Finance and Audit Workgroup on August 20, 2009.

University Audit and Compliance
3702 Spectrum Boulevard, Suite 180
Tampa, Florida 33612-9444
Phone: 813-974-2705
Facsimile: 813-974-3735
Website: www.usf.edu/uac