Board of Visitors Audit, Compliance, and Risk Committee ... ACR Meeti… · Board of Visitors...

Board of Visitors Audit, Compliance, and Risk Committee, December 9, 2016 (REVISED December 6, 2016)


Board of Visitors Audit, Compliance, and Risk Committee

December 9, 2016

REVISED December 6, 2016


Audit Department Activities


DECEMBER 2016 Audit Plan Status


[Chart: Types of Audit Projects Performed Through November 30, 2016. Categories: Agreed Upon Procedures, Audit, Consultation, Follow Ups, Pilot Audit, Project Health Check. Values shown: 17%, 33%, 4%, 4%, 13%, 29%.]


Assurance and Advisory Projects: Completed FY 2017 To Date

Subject | UVA Division
Curry School of Education | Academic Division
Darden Fund Transfers | Academic
Distributed IT Systems Current State Assessment | Academic
FY2016 Inventories (UVA Bookstore, Pharmacy) | Academic, Health System
Action Plan Implementation Status—Follow Ups | Academic, Health System
Epic Phase 2 Implementation—Project Health Check (2nd Report) | Health System
Integrated Assurance: Athletics Compliance (NCAA) | Academic


Assurance and Advisory Projects: In Progress as of December 2016 BOV Meeting

Subject | Areas of Audit Focus | UVA Division

Epic Phase 2 Implementation—Project Health Check

IT Security; Clinical/Operational Readiness; Project Management

Health System

IT System Security: Privileged Access Management of Administrative Access to Key Medical Center IT Systems

Health System

Fiscal Stewardship: Internal Controls Data Analytics

Research Compliance Controls

Academic

NCAA Football Attendance Certification of Attendance Figures

Academic

SCADA Consultation Security of Buildings Systems

Academic


Assurance and Advisory Projects: In Progress as of December 2016 BOV Meeting

Subject | Areas of Focus | UVA Division

SecureUVA-- Project Health Check Security Enhancement

Plan Program Governance, Project Management

Academic

Office of the President: Travel and Expenses (FY16)

Compliance with University Expenditure Policies

Pan-University

Ivy Cloud — Project Health Check w/ Security and Governance Focus

Data Security; System Governance

Pan-University

Ufirst HR Transformation Project Health Check

Program Governance; Project Management; Financial Management

Pan-University


Current View of Risk-Prioritized Projects (Remainder of FY2017)

Subject | UVA Division
Epic Phase 2 Implementation—Project Health Check Continues through Go-Live (July 1, 2017) | Health System
340B Drug Discount Program | Health System
IT Change Controls | Health System
Special Collections Library Controls and Procedures | Academic Division
Ufirst Project Health Check Continues through Go-Live | Pan-University
Integrated Assurance: Environmental Health & Safety | Pan-University
Strategic Investment Fund: Monitoring | Pan-University


FOLLOW UP ON MANAGEMENT ACTION PLANS

Status of Action Plans Due Prior to December 2016 BOV Meeting


[Bar chart: Action Plan Completion Status Through November 30, 2016 by Priority Rating. Categories: Priority 1, Priority 2, Legacy (Unrated). Series: Closed, Open. Axis scale: 0 to 30. Data labels shown: 2, 3, 25, 2, 2, 2.]


University Compliance: Report on Medical Center Compliance and Privacy Officer Search


Enterprise Risk Management Update


ERM Priorities

Reposition Program

Enhance Board Reporting

Onboard Health System


[Timeline figure: ERM Priorities Timeline. Rows: Academic Division, Health System. Milestones shown for each row: Adopt ERM Charter; Create Risk Mgmt. Network; Develop Key Risk List; Develop Risk Management / Mitigation. Time axis: Feb. 2016, Mar. 2016, Dec. 2016, Mar. 2017, Jun. 2017.]


Updating the Key Risk List

1. Clarify Major Objectives

2. Identify Risks to Major Objectives

3. Assessment of Identified Risks

4. Response and Management of Key Identified Risks


ERM Network

BOV – Audit, Compliance, and Risk

President and Cabinet

Risk Management Council

Risk Management Network – Health System

Risk Management Network – Academic Division


December 2016

ERM Key Risk Dashboard – Academic Division

ACADEMIC DIVISION RISK | EXEC. OWNER
RESOURCES - diminished, or loss of, financial resources from major funding sources. (e.g., State, Advancement, Research, Endowment) | EVP-COO
RESEARCH - research leadership, infrastructure, and funding to adequately support the accomplishment of our research objectives | EVP-Provost; EVP-Health Affairs
STATE - concern about whether public policy in the State will continue to be supportive of quality public higher education | President
FACULTY - attracting, retaining, and developing a distinguished faculty | EVP-Provost
LEADERSHIP – maintaining and renewing a highly skilled and cooperative executive team given the attractive alternatives for the best executives | President
EXECUTIVE TRANSITION – preparing for an executive leadership transition and a potential change in the University’s strategic direction | BOV; President
IT SECURITY – enhancing cybersecurity in an era of increasing threats | EVP-COO
RESOURCE ALLOCATION – developing an optimal process for allocating resources in meeting strategic objectives | EVP-COO
ADVANCEMENT – developing a campaign strategy that adequately addresses philanthropic investment, fundraising strategies, and the governance implications of the resulting distribution of resources between the University and foundations | VP for Advancement
COMPETITIVE ENVIRONMENT – assessing the University's competitive space in undergraduate programs, especially in comparison with graduate or professional programs | EVP-Provost
SAFETY – maintaining a safe environment for the University community | EVP-COO; VP for Student Affairs
INVESTMENTS - stewarding assets particularly related to investable assets | EVP-COO


Closed Session


Audit, Compliance, and Risk Committee Agenda

CLOSED SESSION

Discussion of IT security matters as provided for in § 2.2-3711(A)(19) of the Code of Virginia


Resume Open Session and Adjourn