External Quality Assessment of the Internal Audit Activity

Presented to:

The Regents of the University of California

June 19, 2008

Letter of Transmittal

This quality assessment provides The Regents of the University of California with information about the internal audit activity at The University of California (“UC”) as of May 16, 2008. Future changes in environmental factors and actions by personnel, including actions taken to address our recommendations, may have an impact upon the operation of the internal audit (“IA”) activity in a manner that this report did not and cannot anticipate.

Considerable professional judgment is involved in evaluating the findings and developing our recommendations. Accordingly, it should be recognized that others could evaluate the results differently and draw different conclusions. The criteria that we used to determine our views on conformance with the International Standards for the Professional Practice of Internal Auditing are defined on page 4 of this report and are consistent with the guidance provided by The Institute of Internal Auditors in its Quality Assessment Manual, Fifth Edition.

June 19, 2008

Ms. Sheryl Vacca
Senior Vice President / Chief Compliance & Audit Officer
University of California
Ethics, Compliance & Audit
1111 Franklin Street, 5th Floor
Oakland, California 94607

Dear Ms. Vacca,

Protiviti completed its external quality assessment (“QA”) of UC’s internal audit activity on May 16, 2008. A QA is required under the International Standards for the Professional Practice of Internal Auditing at least once every five years. Our QA had three main objectives:

1. To assess conformance with IIA Standards;
2. To assess the effectiveness of the IA activity in providing assurance and consulting services to the board, senior executives, and other interested parties;
3. To identify opportunities, offer recommendations for improvement, and provide counsel to the Chief Audit Executive and her staff for improving their performance and services and promoting the image and credibility of the internal audit activity.

Overall, we found that UC-IA generally conforms to IIA Standards. This is the highest rating available for an internal audit activity. Our report also describes areas where we believe UC-IA is operating in an innovative manner, opportunities that we see for continuous improvement, and feedback from your key stakeholders. This information is consistent with our view that an external QA should provide insight and ideas for positive change in your function.

Protiviti Inc.

By:

Basil Woller
Managing Director

Table of Contents

Executive Summary
Objectives and Scope 3
Conformance with IIA Standards 4
Innovative / Leading Practices 5
Continuous Improvement Opportunities 6
Key Stakeholder Feedback – Summary Comments 9

Conformance with IIA Standards
Conformance with IIA Standards – Gap Analysis 10

Appendix
External Quality Assessment Requirement 22
Quality Assessment Approach 23
Framework of Quality Assessment Activities 24
Key Stakeholders Interviewed 25

Objectives and Scope

SCOPE OF QUALITY ASSESSMENT ACTIVITIES

Our scope was designed to address the following considerations:

The expectations of the IA activity expressed by key stakeholders including executive management, IA staff and business partners.

UC’s control environment and the infrastructure of the IA activity.

The focus on evaluating enterprise risk, assessing organizational controls and including aspects of the governance process in audit plans to ensure that audit activities add value to the enterprise.

The integration of internal auditing into the organization’s governance process, including the attendant relationships and communications between and among the key groups involved in that process and aligning audit objectives and plans with the strategic objectives of The University of California as a whole.

Conformance with the IIA Standards.

The mix of knowledge, experience, and disciplines within the IA activity staff, including staff focus on process improvement and value-added activities.

The tools and technology employed by the IA activity, with emphasis on the use of technology.

QUALITY ASSESSMENT OBJECTIVES

The primary objectives of this Quality Assessment were to:

Assess conformance to IIA International Standards for the Professional Practice of Internal Auditing.

Assess the effectiveness of the IA activity in providing assurance and consulting services to the board, senior executives, and other interested parties.

Identify opportunities, offer recommendations for improvement, and provide counsel to the Chief Audit Executive and her staff for improving their performance and services and promoting the image and credibility of the IA activity.

Conformance with IIA Standards

Generally Conforms: Means an internal audit activity has a charter, policies, and processes that are judged to be in accordance with the IIA Standards, with some potential opportunities for improvement.

Partially Conforms: Means deficiencies in practice are noted that are judged to deviate from the IIA Standards, but these deficiencies did not preclude the internal audit activity from performing its responsibilities in an acceptable manner.

Does Not Conform: Means deficiencies in practice are judged to be so significant as to seriously impair or preclude the internal audit activity from performing adequately in all or in significant areas of its responsibilities.

Overall, we found that The University of California’s IA activity generally conforms to IIA Standards. While opportunities remain for improvement, no higher assessment for conformance to IIA Standards exists.

Specifically, we found that The University of California’s IA activity generally conforms to the following IIA Standards and the Code of Ethics:

1000 – Purpose, Authority, and Responsibility

1100 – Independence and Objectivity

1300 – Quality Assurance and Improvement Program

2000 – Managing the Internal Audit Activity

2100 – Nature of Work

2200 – Engagement Planning

2300 – Performing the Engagement

2400 – Communicating Results

2500 – Monitoring Progress

2600 – Resolution of Management’s Acceptance of Risks

The Institute of Internal Auditors’ Code of Ethics

We found that The University of California’s IA activity partially conforms to the following IIA Standard:

1200 – Proficiency and Due Professional Care

Innovative / Leading Practices

During the course of our quality assessment, we noted several areas where we consider UC’s IA activity to be operating in a manner which is innovative and / or a leading practice:

Sponsorship of IIA Research Foundation Project
The University Auditor identified an opportunity to work through the IIA Research Foundation to establish a research project designed to provide benchmark data on internal audit resource requirements within a higher education environment. The information derived from this study may be used to support resource requirements for the UC internal audit activity, including requirements for each of the separate campuses. It is our understanding that the study will also define the skill requirements necessary to address risks in a higher education environment. We agree that this information will be very useful for performing resource planning.

High Percentage of Certification for Internal Audit Professionals
Our review of the qualifications of IA staff indicated that a relatively high percentage of internal audit staff and management are professionally certified, demonstrating the group’s strong commitment to the profession.

Involvement of Campus Audit Directors in Regent’s Committee on Audit Meetings
The campus Audit Directors (“AD”) recently started making presentations before the Regent’s Committee on Audit (“Committee”) on a rotational basis to discuss their local audit program and campus control environment. This has several benefits, including enhancing the perceived independence of this group, providing the Committee with visibility into the operations of internal audit at the individual campus level, and affording the Committee direct insight into the capabilities of individual audit directors.

Active Promotion of Ethics on a System-Wide Basis
Ethics is a key element of an organization’s control environment. Promotion of ethics is an important activity for IA and contributes to strengthening and supporting a positive view of control in the organization. The University Auditor actively promotes ethics through the presentations he gives to various groups. For example, he gave a presentation on ethics to 300 managers at the UC Leadership Institute as well as several presentations to the University Counsel on Ethics and Compliance. In addition, several campus internal audit directors serve on campus-level ethics committees.

Continuous Improvement Opportunities

The following continuous improvement opportunities were noted by Protiviti in conjunction with our quality assessment. Detailed strengths, IIA Standards performance gaps and continuous improvement opportunities are included in the body of this report in the section entitled “Conformance with IIA Standards.” In all instances, these continuous improvement opportunities were not considered significant to the operation of the system-wide audit function. Our view is that implementing these recommendations will help drive additional continuous improvement into the function as contemplated by the Quality Assurance and Improvement standard.

Consider Changing the Structure and Staffing of IT Audit Activities
We found that IT audit skill-sets vary widely from campus to campus. While some campuses maintain reasonably deep audit skills in particular IT domains, it is difficult for many of the other campuses to maintain a full complement of the skills required to execute audits across the breadth of IT risks. Because there is no real sharing of audit personnel between campuses, the pockets of specialized skills are not well leveraged. Some campuses have been using outsourced providers to augment their full-time staff in select audit areas; however, the benefits generally accrue only to that campus, as the outsourcing is being managed by campuses individually.

We also noticed that several campuses have put an almost exclusive emphasis on integrated audits and auditors. To develop and maintain technical competence in some areas of IT and IT auditing, such as IT Security, an extended period of practical experience along with primary, if not exclusive, focus is typically required. Likewise, too much reliance on integrated audits, especially if limited in duration, can limit the depth to which IT risks are addressed and a number of stand-alone IT risk areas may never be logically included within the scope of any integrated audit. In several of the integrated audits we reviewed, there was a demonstrated lack of deep examination or testing of the technology related risks or controls.

Because of their size and budget, it will always be difficult for some campuses to individually develop or maintain an adequate set of internal IT audit resources. UC Internal Audit should consider alternatives to the current structure, management, and staffing of its IT audit activities. The goal should be to deliver adequate resources and skills across the UC system to the appropriate set of audits as determined by an effective IT risk assessment process.

We offer some suggestions, which include:

• Defining minimum resource requirements and focus for IT audit resources.
• Centralizing or regionalizing certain key IT audit skill sets in domains such as network and database security.
• Supplementing with external resources and moving to a standard set of outsourced providers for technically deep components of the IT audit function.
• Establishing a guest auditor program that would rotate campus IT resources through the IT audit department for a length of time to lend expertise.

Continuous Improvement Opportunities

Explore Opportunities to Leverage Outside Resources and Expertise
In an environment like UC, where budgets continue to strain Internal Audit’s ability to add more resources or hire specialized skills in a hyper-competitive marketplace, we feel it is especially critical to strategically use outside resources and expertise to enhance internal capabilities and to formally share knowledge and tools. We also believe periodic use of outside resources can help bring a fresh perspective to the work. The approach to using outside resources might take various forms. One or more of these may be appropriate for UC Internal Audit and include:

• Involving outside experts during the risk assessment and audit planning process.
• Including experts to help prepare separate, more deeply focused risk assessments in inherently high risk areas such as IT, Fraud, and Compliance.
• Supplementing audit teams with outside resources to help execute selected audits.
• Engaging outside experts to conduct specific, technically deep audits, ensuring that there is a knowledge-transfer component.
• Engaging outside resources to perform or supplement a full external quality assessment review at the individual campus level.

Continue to Drive Implementation of a Consistent Audit Technology Platform
We understand Internal Audit has been developing a web-based application called CARTS (Comprehensive Audit Reporting and Tracking System) which would support a number of audit activities and allow campus audit departments to use and share a single application. Functionality of CARTS includes the ability to track audit findings, perform time keeping, provide risk assessment templates, support planning and budgeting, and monitor progress of audits. We believe a centralized audit application greatly enhances the efficiency and effectiveness of UC’s internal audit activity. We endorse UC Internal Audit’s efforts to implement CARTS, since in today’s environment, where UC Internal Audit conducts its work in a distributed model, it is very difficult to share tools and information across campuses and to track information on a system-wide basis.

We further understand that each campus audit department uses TeamMate, an application which supports electronic audit work papers, and that there is another application called TeamStore which the campuses are not currently using. TeamStore provides the functionality that would allow campuses to share their audit programs. We believe sharing audit programs is one of the most efficient and effective ways of passing knowledge to others and for leveraging previously prepared work. We strongly encourage IA to implement and use TeamStore system-wide.

Continuous Improvement Opportunities

Consider Establishing Criteria for Reporting Audit Results to the Regent’s Committee on Audit
The current reports to the Committee capture information at a system-wide and campus level, including summaries of recent internal audit activity, progress against plan, and outstanding management corrective actions for high risk findings. We noted, however, that the reports do not include highlights of key audit findings resulting from the most recent audits. We believe it would be helpful to formally report and communicate to the Committee those issues that are deemed significant based upon a set of pre-defined criteria. These criteria should be developed in collaboration with the Committee and should be included within the report to provide context for the items reported. Using pre-defined criteria is especially useful when reporting across multiple functions and locations, as it drives consistency and aligns with Committee expectations. These criteria may also be useful in presentations of campus audit directors to the Committee, as they provide a common frame of reference across the different campuses. In our experience, we have found the following criteria to be useful when determining which key audit findings to report:

• Material financial loss or impact to the local campus
• Inability to attain future monies (e.g., grants, donations, debt)
• Negative publicity, lawsuits
• Material fines and penalties
• Violation of Ethics, laws
• Breach of material contracts
• Extremely unsafe conditions and exposure to hazards

Consider Adding Frameworks to Further Define and Document the Audit Universe
Internal Audit has a defined audit universe in place which historically had been used to help prepare the annual risk assessment. The universe defines both the auditable entities and processes that are common across the system and those that are specific to the individual campus. We believe there is an opportunity to enhance the current approach to managing the audit universe by applying additional frameworks to help ensure completeness and provide additional views of risk. These frameworks, including a Process Classification Scheme, Risk Models, Six Elements of Infrastructure, COBIT, GAIT, and ITIL, can also help to structurally define and ensure completeness of the audit universe.

Key Stakeholder Feedback – Summary Comments

The comments below were derived from the interviews conducted with key stakeholders listed in the Appendix to this report as well as comments received from electronic surveys of internal audit staff. These comments represent general themes that were expressed by more than one stakeholder or that were validated by the review team through their other diagnostic procedures.

Strengths (“What I Like”)
• The SVP, Chief Compliance and Audit Officer brings discipline and a fresh perspective.
• Dual reporting is working well and is helpful for supporting auditor independence.
• Campus internal audit departments are “looking at the right things”.
• Campus audit reports are well written, objective and constructive.
• Campus Audit Directors have high visibility on the campuses and are well respected.
• Internal Audit is an important function.
• Internal Audit delivers value added services. They are viewed as advisors on campus, which is evident by the number of management requests for audit services.

Opportunities (“What Can Be Improved”)
• Internal Audit should have centralized resources for areas of high expertise (i.e. healthcare, construction, IT, contracts and grants). There are not enough IT auditors and they are difficult to attract, hire, and retain.
• There needs to be more collaboration and knowledge sharing among campuses. There is no central repository to leverage the work of others.
• The risk assessment is performed at too low of a level and focuses on departments, rather than “risks”. They lack a strategic view of risk.
• Investigations often take priority and as a result the core audits get deferred. In addition, system-wide audits should be more focused and not have too many in a year because it comes at the expense of campus specific audits.
• There does not appear to be any formal succession planning for IA.
• The risk assessment may not appropriately address the key risks in a healthcare system.

Stakeholders were identified jointly by Protiviti and the University Auditor (UA). All interviews were conducted privately without the CAE and UA present. Confidential electronic surveys were conducted for internal audit staff at all campuses and the UCOP.

Conformance with IIA Standards – Gap Analysis 1000 – Purpose, Authority, and Responsibility

The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board.

Conformance with IIA Standards: Generally Conforms

Strengths
• A written and approved Internal Audit activity charter, which is described within its Internal Audit Manual, is posted on the public website for the University of California’s Office of the President (“UCOP”).

IIA Standards Performance Gaps
None noted.

Continuous Improvement Opportunities
None noted.

Conformance with IIA Standards – Gap Analysis 1100 – Independence and Objectivity

The internal audit activity should be independent, and internal auditors should be objective in performing their work.

Conformance with IIA Standards: Generally Conforms

Strengths
• The Senior Vice President, Chief Compliance and Audit Officer (also referred to as the CAE in this document) reports directly to the Chairman of the Regent’s Committee on Audit. Interviews with key stakeholders indicate the CAE has visibility at the highest levels of the organization and is well respected. The interviews also indicate the IA personnel are viewed as independent and objective.
• On a rotational basis, the Audit Directors are invited to the quarterly meetings of the Regent’s Committee on Audit, which provide opportunities for direct communication regarding any campus matters.
• UCOP Investigations, which is a function separate from IA, manages campus investigations to avoid potential conflicts of interest.
• The campus Audit Directors have a dual reporting relationship where they report administratively to a campus executive and functionally to the University Auditor. The University Auditor attends all quarterly campus Audit Committee (“AC”) meetings.

IIA Standards Performance Gaps
None noted.

Continuous Improvement Opportunities
None noted.

Conformance with IIA Standards – Gap Analysis 1200 – Proficiency and Due Professional Care

Engagements should be performed with proficiency and due professional care.

Conformance with IIA Standards: Partially Conforms

Strengths
• A majority of the auditors hold at least one professional certification.

IIA Standards Performance Gaps
• In accordance with Standard 1210, “The internal audit activity collectively should possess or obtain the knowledge, skills, and competencies needed to perform its responsibilities”. Based on our review, we do not believe there are sufficient resources, knowledge, and skills to adequately address IT risk across the university system. In our view, no one campus has a full complement of deep skills in all major IT domains; moreover, there are few IT auditors relative to the size and complexity of the university system. IT auditors are not shared among campuses. Some campuses perform “integrated” audits, wherein non-IT resources are trained and leveraged, but we believe that achieves only limited coverage of IT risks.
• In several interviews, we heard stakeholders question whether Internal Audit had the necessary subject matter expertise to perform work in highly specialized areas such as construction.

Continuous Improvement Opportunities
Because of their size and budget, it will always be difficult for some campuses to individually develop or maintain an adequate set of internal IT audit resources. UC Internal Audit should consider alternatives to the current structure, management, and staffing of its IT audit activities. The goal should be to deliver adequate resources and skills across the UC system to the appropriate set of audits as determined by an effective IT risk assessment process. In an environment like UC, where budgets continue to strain Internal Audit’s ability to add more resources or hire specialized skills in a hyper-competitive marketplace, we feel it is especially critical to strategically use outside resources and expertise to enhance internal capabilities and to formally share knowledge and tools. We also believe periodic use of outside resources can help bring a fresh perspective to the work. We understand the CAE has already made plans to strategically use external resources.

Conformance with IIA Standards – Gap Analysis 1300 – Quality Assurance and Improvement Program

The Chief Audit Executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. This program includes periodic internal and external quality assessments and ongoing internal monitoring. Each part of the program should be designed to help the internal auditing activity add value and improve the organization’s operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics.

Conformance with IIA Standards: Generally Conforms

Strengths
• There is a system-wide program in which campus Audit Directors perform peer reviews on a rotational basis. A formally documented Quality Assurance Review (QAR) manual, which aligns with the IIA Standards, is used by the Audit Directors when performing the review.
• Every five years, an external quality assessment is performed at the system-wide level. The resulting report is posted on the UCOP website for public access.

IIA Standards Performance Gaps
None noted.

Continuous Improvement Opportunities
We recommend the CAE and University Auditor consider using outside resources to independently perform campus-level quality assessment reviews, or include them as part of the internal QA team, to benefit from an outside, independent perspective. We suggest seeking resources from other universities as a relatively easy option given IA’s active participation in the Association of College and University Auditors (ACUA). Reviews by the IIA or internal audit consulting firms are other options. In all instances, the campus reviews should be under the sponsorship and direction of the CAE or University Auditor.

Conformance with IIA Standards – Gap Analysis 2000 – Managing the Internal Audit Activity

The Chief Audit Executive should effectively manage the internal audit activity to ensure it adds value to the organization.

Conformance with IIA Standards: Generally Conforms

Strengths
• A collaboration was recently struck with the Institute of Internal Auditors’ (IIA) Research Foundation to perform a resource study that would help identify the appropriate number and level of IA resources for the UC system.
• There is a formally documented and published Internal Audit Manual.
• Audit staff are embedded in the campuses to build local campus visibility and knowledge.
• An off-cycle schedule is used to schedule and hold meetings of the Regent’s Committee on Audit to afford more time for discussion.
• The campus audit directors make presentations before the Regent’s Committee on Audit on a rotational basis to discuss their local audit program and campus control environment.
• The CAE chairs the Risk & Strategy group, which is comprised of various executives at the UCOP, to discuss risks and risk management.

IIA Standards Performance Gaps
None noted.

Continuous Improvement Opportunities
The current reports to the Committee capture information at a system-wide and campus level, including summaries of recent internal audit activity, progress against plan, and outstanding management corrective actions for high risk findings. We noted, however, that the reports do not include highlights of key audit findings resulting from the most recent audits. We believe it would be helpful to formally report and communicate to the Committee those issues that are deemed significant based upon a set of pre-defined criteria. These criteria might include:
– Material financial loss or impact to the local campus
– Inability to attain future monies (e.g., grants, donations, debt)
– Negative publicity, lawsuits
– Material fines and penalties
– Violation of Ethics, laws
– Breach of material contracts
– Extremely unsafe conditions and exposure to hazards

Conformance with IIA Standards – Gap Analysis 2100 – Nature of Work

The internal audit activity should evaluate and contribute to the improvement of risk management, control and governance processes using a systematic and disciplined approach.

Conformance with IIA Standards: Generally Conforms

Strengths
• Internal Audit examines a cross-section of operational, financial, and compliance related aspects of the control environment. The internal audit plan addresses risk management, control and governance.
• Stakeholder interviews indicated the chairpersons of campus audit committees believe IA is “looking at the right things”.
• Internal Audit helps to promote an ethical environment by being actively involved in investigations and responding to hotline calls.

IIA Standards Performance Gaps
None noted.

Continuous Improvement Opportunities
In a number of our interviews, we heard stakeholders express interest in learning the CAE’s strategy for Internal Audit, including IA’s relationship to other assurance functions such as Compliance, ERM and Controls & Accountability. While these groups are interviewed as part of the annual risk assessment process, we believe there is an opportunity to work more closely and frequently with them to examine risk and risk management activities at a system-wide level. We recognize that, to some degree, this may already be occurring through existing executive level meetings; however, we encourage a separate, dedicated forum for examining risks and risk management, particularly with these three groups, as there are strong synergies among their activities.

In addition to the current risk assessment, we encourage IA to prepare separate, system-wide risk assessments in areas such as IT, Compliance, and Fraud Risk to enable deeper, system-wide discussions around areas of inherently higher risk. We also recommend enhancing the current approach to managing the audit universe by applying additional frameworks to help ensure completeness and provide additional views of risk. Other frameworks could include Process Classification Schemes, Risk Models, COBIT, GAIT, and ITIL.

Conformance with IIA Standards – Gap Analysis 2200 – Engagement Planning

Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing, and resource allocations.

Conformance with IIA Standards: Generally Conforms

Strengths: Based on our review of a sample of audits performed, planning documents are prepared which describe the scope and objectives of the audit. Notice letters are sent and opening meetings are held to discuss the audit plan with audit customers.

IIA Standards Performance Gaps: None noted.

Continuous Improvement Opportunities: As mentioned in the executive summary, we encourage IA to implement and use TeamStore to share audit programs. We believe sharing audit programs is one of the most efficient and effective ways of passing knowledge to others and of leveraging previously prepared work. While budget-to-actual hours are generally tracked by individual campuses on spreadsheets, we believe all campus departments would benefit from centralized tracking and analysis of hours to share intelligence for purposes of future planning. As previously mentioned, we understand the CARTS system is currently being built to enable centralized tracking and reporting. We endorse the continued development and implementation of this system.

Conformance with IIA Standards – Gap Analysis 2300 – Performing the Engagement

Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement’s objectives.

Conformance with IIA Standards: Generally Conforms

Strengths: Based on our review of a sample of audits, audit documentation is generally sufficient, appropriately reviewed, and supports the conclusions drawn.

IIA Standards Performance Gaps: None noted.

Continuous Improvement Opportunities: None noted.

Conformance with IIA Standards – Gap Analysis 2400 – Communicating Results

Internal auditors should communicate the engagement results.

Conformance with IIA Standards: Generally Conforms

Strengths: During our interviews, stakeholders indicated campus audit reports were well written, objective and constructive.

IIA Standards Performance Gaps: None noted.

Continuous Improvement Opportunities: We noticed during our review that IA measures progress against the plan, which monitors at the highest level whether audits are being completed on a timely basis. However, we did not find tracking at a more detailed level which would measure whether audit reports are issued soon after completion of fieldwork. We also did not find any internal policies or guidelines which stipulate the target number of days after fieldwork within which a report should be issued. In our experience, other IA functions typically strive to issue reports within 30-45 days after fieldwork and have mechanisms in place to measure their performance against set targets. We encourage IA to set a target and use CARTS or some other tool to help measure its performance.

Conformance with IIA Standards – Gap Analysis 2500 – Monitoring Progress

The Chief Audit Executive should establish and maintain a system to monitor the disposition of results communicated to management.

Conformance with IIA Standards: Generally Conforms

Strengths: During our interviews, a number of stakeholders stated that IA does a good job of following up with management on audits and of sharing status with their respective campus audit committees. Management corrective actions that are past due and in high-risk areas are listed as part of the quarterly report of the Internal Audit Activity provided to the Chair of the Regents’ Committee on Audit. Stakeholder interviews indicated Internal Audit does a good job of tracking, reporting and following up on audit findings. We noted the campus IA departments use databases to track the findings.

IIA Standards Performance Gaps: None noted.

Continuous Improvement Opportunities: None noted.

Conformance with IIA Standards – Gap Analysis 2600 – Resolution of Management’s Acceptance of Risks

When the Chief Audit Executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the Chief Audit Executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the Chief Audit Executive and senior management should report the matter to the board for resolution.

Conformance with IIA Standards: Generally Conforms

Strengths: As a Senior Vice President, the CAE has visibility across the University system and participates in a number of executive committees, allowing for a broader view of University risks. She partners with other executives to address risk management and governance. The University Auditor is a routine participant in each campus audit committee meeting and would be alert to any circumstances in which the level of residual risk that management wants to accept is unacceptable.

IIA Standards Performance Gaps: None noted.

Continuous Improvement Opportunities: None noted.

Conformance with IIA Code of Ethics – Gap Analysis

Internal auditors are expected to apply and uphold the following principles:

• Integrity
• Objectivity
• Confidentiality
• Competency

Conformance with IIA Standards: Generally Conforms

Strengths: The University Auditor has actively promoted ethics through the presentations he gives to various groups. For example, he has given a presentation on ethics to 300 managers at the UC Leadership Institute, and several presentations with the University Counsel on ethics and compliance. In interviews, key stakeholders indicated internal auditors are objective and ethical. At some campuses, the Audit Directors are on the campus ethics committee.

IIA Standards Performance Gaps: None noted.

Continuous Improvement Opportunities: When we reviewed the Internal Audit Manual, we noted there is a section for Professional Standards and Ethics; however, that section (1400) was blank at the time of our review. We understand IA has already documented the section and will update the manual on the website shortly.

External Quality Assessment Requirement

The International Standards for the Professional Practice of Internal Auditing (IIA Standards) require that, as part of the Internal Audit (IA) activity’s quality assurance and improvement program, an external assessment be performed at least once every five years by a qualified, independent reviewer or review team from outside the organization. If such assessments are not completed, the internal audit activity loses the right to assert conformance with the IIA Standards when reporting on its work.

Relevant IIA Standards regarding external quality assessments of the internal audit activity

IIA Standard 1300 – Quality Assurance and Improvement Program: The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. This program includes periodic internal and external quality assessments and ongoing internal monitoring. Each part of the program should be designed to help the internal audit activity add value and improve the organization’s operations and to provide assurance that the internal audit activity is in conformity with the IIA Standards and the Code of Ethics.

IIA Standard 1312 – External Assessments: External assessments should be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The potential need for more frequent external assessments, as well as the qualifications and independence of the external reviewer or review team, including any potential conflict of interest, should be discussed by the CAE with the Board. Such discussions should also consider the size, complexity and industry of the organization in relation to the experience of the reviewer or review team.

Appendix

Quality Assessment Approach

Our evaluation of the IA activity included reviewing:

The services provided by the IA activity, including the risk assessment activities performed in developing the annual audit plan

The management processes supporting the services provided

Work papers supporting observations and recommendations for a sample of completed audits

A sample of audit reports.

APPROACH

The Protiviti methodology used to perform this review is guided by and expands upon The Institute of Internal Auditors’ Quality Assessment Manual, Fifth Edition. Our approach is consistent and current with the IIA Standards and Practice Advisories that are part of the IIA Professional Practices Framework.

A graphic depicting this process is included on the following page.

As part of our evaluation criteria, we include the following components:

Review of stakeholder needs and expectations

Comparison to internal audit best practices

Benchmarking of key performance indicators against comparable peer companies

Conformance with IIA Standards.

Our evaluation methodology included the following tactics to learn more about the operations of the IA activity:

Interviews with key stakeholders to understand expectations and perceptions

Review of operating procedures including evaluating the IA activity’s vision statement, policies, procedures, processes, work papers and reports

Interviews with select IA activity staff members.

Framework of Quality Assessment Activities

Inputs shown in the framework graphic: Stakeholder Needs and Expectations; Internal Audit Best Practices; Internal Audit Charter, Plans, Policies & Procedures; IIA Standards.

1. Evaluate the performance of IA as outlined in its current mission

2. Evaluate the desired state and stakeholder needs of IA

3. Identify gaps between current state and best practices

4. Make recommendations necessary to narrow the gap and establish a basis to measure future improvement

Purpose and Organization
• Internal Audit Activity Charter
• Reporting Relationship
• Organizational Alignment
• Independence and Objectivity
• Authority, Responsibility & Accountability
• Scope of Activities / Nature of Work
• Internal Audit Spending / Budget

Resources and Capabilities
• Resources (quantity, quality, availability, deployment)
• Career Development and Succession Planning
• Professional Development / Training
• Managing Service Providers / Consultants

Processes and Working Practices
• Internal Audit Methodology
• Control Framework
• Risk Assessment
• Strategy and Annual Planning
• Detailed Project / Assignment Planning
• Project / Assignment Planning
• Audit Execution Strategies
• Testing Standards and Practices
• Documentation Standards
• Issue Tracking and Follow-Up

Tools and Techniques
• Automated Tools and Techniques
• Other Tools and Techniques
• Knowledge Sharing and Management

Communication and Reporting
• Internal Group Communication
• Communication within the Organization
• Reporting to Management and the Audit Committee
• External Audit Communication and Coordination
• Communication Outside the Organization

Monitoring and Improvement
• Measuring Performance
• Internal Quality Assurance Function
• External Quality Assessment Review

Key Stakeholders Interviewed

BOARD OF REGENTS

Russ Gould, Chair, Regents’ Committee on Finance

Fred Ruiz, Chair, Regents’ Committee on Audit

Bruce Varner, Vice Chair, Regents’ Committee on Audit

Kent Vining, Financial Advisor to Regents’ Committee on Audit

OFFICE OF THE PRESIDENT

Marie Berggren, CIO, VP Investments, OP and Acting Treasurer of The Regents

Grace Crickett, CRO

Kris Hefner, Assistant VP and CIO

Wyatt Hume, COO, Provost, and EVP Academic and Health Affairs

Mel Stanton, Associate CIO

Katherine Lapp, EVP Business Operations

Charles Robinson, VP and General Counsel Legal Affairs

Dan Sampson, Assistant VP Controls and Accountability

Paul Weiss, Executive Director Application and Technology Support Services

OFFICE OF THE PRESIDENT – COMPLIANCE AND AUDIT

Sheryl Vacca, SVP Chief Compliance and Audit Officer

Patrick Reed, University Auditor

Lynda Hilliard, Deputy Compliance Officer

Karl Heins, Director IT Audit Services

John Lohse, Director Investigations

Helen Valness, Audit Director

EXTERNAL AUDITOR

Joan Murphy, PwC Partner

Stakeholders were identified jointly by Protiviti and the University Auditor (UA). All interviews were conducted privately without the CAE and UA present. Confidential electronic surveys were conducted for internal audit staff at all campuses and the UCOP.

UC – BERKELEY

Robert J. Birgeneau, Chancellor

Wanda Lynn Riley, Audit Director

Jeremy Lapidus, IT Audit Manager

UC – DAVIS

Barbara Horowitz, Provost

Larry N. Vanderhoef, Chancellor

Bob Loessberg-Zahl, Assistant Executive Vice Chancellor

Rick Catalano, Audit Director

Leslyn Kraus, Associate Director Campus

UC – IRVINE

Michael V. Drake, Chancellor

Wendell Brase, Vice Chancellor Administrative & Business Services

Mark Askren, Assistant Vice Chancellor Administrative Computing Services

Ron King, Chief Financial Executive Medical

Larry Collum, Audit Director

Gregory Moore, Manager Health Sciences

Wilson Crider, IT Principal Auditor

UC – LOS ANGELES

Gene D. Block, Chancellor

Steve Olsen, Vice Chancellor Finance, Budgeting & Capital Programs

David Feinberg, CEO and Interim Associate Vice Chancellor

Paul Staton, CFO Medical

Edwin Pierce, Audit Director

Dave Curry, Associate Director

Jeff Tan, Associate Director

Agnes Warren, Director Admin-Financial Management Services

UC – RIVERSIDE

Robert D. Grey, Acting Chancellor

Gretchen Bolar, Vice Chancellor Academic Planning and Budget

Rodolfo Jeturian, Assistant Director

Michael Jenson, Audit Director

UC – SAN DIEGO

Marye Anne Fox, Chancellor

Gary Matthews, Vice Chancellor Resource Management and Planning

Elazar Harel, Assistant Vice Chancellor Admin and Telecommunications

Robert Hogan, CFO Financial Administration

Stephanie Burke, Audit Director

Terri Buchanan, Audit Management and Advisory Services Manager

David Meier, Manager Campus Audits

UC – SAN FRANCISCO

J. Michael Bishop, Chancellor

Steve Barclay, Senior Vice Chancellor Finance and Administration

Mark Laret, CEO Medical

Susan Moore, CFO Medical

Louisa Burgio, Associate Controller School of Medicine

Carl Tianen, Information Security Officer

Abby Zubov, Audit Director

Zuleikha Shakoor, Associate Director Medical Center and Investigations

Tom Poon, Associate Director Campus and IT

UC – SANTA BARBARA

Henry T. Y. Yang, Chancellor

Donna Carpenter, Vice Chancellor Administrative Services

Peter Cataldo, Interim AD

Sam Hartline, Principal Auditor

UC – SANTA CRUZ

George W. Blumenthal, Chancellor

Tom Vani, Vice Chancellor Business and Administration Services

Geraldine Gail, Audit Director

David V. Lane, Assistant Director and Principal Auditor

LAWRENCE BERKELEY NATIONAL LABORATORY

Steven Chu, Laboratory Director

Terence Hamilton, Audit Director

Adel Flores, Audit Group Leader, Investigations

At Protiviti, we believe the companies that most effectively understand and manage their risk are the companies that most often succeed. Or as we like to say…