The University of Texas at Dallas · The overall objective of the project was to evaluate whether...

The University of Texas at Dallas

2014 External Quality Assessment of the Office of Internal Audit

www.pwc.com

March 24 2014 Ms. Toni Messer Stephens Executive Director of Internal Audit and Compliance The University of Texas at Dallas 800 West Campbell Rd ROC 32 Richardson, TX 75080 We have completed an External Quality Assessment (“EQA”) of The University of Texas at Dallas (“UTD) Office of Internal Audit (“IA”). The EQA included an assessment of the level of conformance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing (“the IIA Standards”), the Generally Accepted Government Auditing Standards (“GAGAS”) as well as the relevant requirements of the Texas Internal Auditing Act (“TIAA”). Listed below are our observations: • IIA Standards – Based on our work, overall IA generally conforms. We did identify process enhancement opportunities. • GAGAS – Our assessment of GAGAS was limited, based on IA’s disclosure that no internal audits were performed during our assessment period

under GAGAS. Based on our work, we did not identify conformance observations. We did identify process enhancement opportunities. • TIAA requirements – Other than the observations related to IIA Standards and GAGAS, no other observations were identified during our work.

Our Services were performed and this report was developed in accordance with our contract dated February 18, 2014 and are subject to the terms and conditions included therein. Our Services were performed in accordance with the Standards for Consulting Services established by the American Institute of Certified Public Accountants ("AICPA"). Accordingly, we are providing no opinion, attestation or other form of assurance with respect to our work and we did not verify or audit any information provided to us. Our work was limited to the specific procedures and analysis described herein and was based only on the information made available through March 24, 2014, when field work was substantially completed. Accordingly, changes in circumstances after this date could affect the findings outlined in this report. This information has been prepared solely for the use and benefit of, and pursuant to a client relationship exclusively with The University of Texas System Administration. PwC disclaims any contractual or other responsibility to others based on its use and, accordingly, this information may not be relied upon by anyone other than The University of Texas System Administration and The University of Texas at Dallas. We would like to offer a sincere thank you to you and your staff, and the Internal Audit Committee and management of UTD, for the time and attention they provided during this assessment. We appreciate the opportunity to serve The University of Texas System Administration on this important engagement. Very truly yours,

PricewaterhouseCoopers LLP, 1201 Louisiana, Suite 2900, Houston, TX 77002-5678 T: (713) 356 4000, F: (713) 356 4717, www.pwc.com/us

Information contained herein is for the sole benefit and use of PwC's Client

PwC

Table of Contents

3

Page

Executive Summary

Project objectives, approach, and scope 5

Assessment of IIA Standards 6

Assessment of standards and requirements 7

Summary of internal audit leading practices benchmarking results 8

Positive attributes and/or demonstrated leading practices 9

Opportunities for enhancement and leading practice recommendations 10

Detailed Benchmarking, Observations, and Recommendations 12

Appendices

Appendix A – What we heard from stakeholders 31

Appendix B – Interviewee list 32

Appendix C – Survey Comments 33

Appendix D – Survey Results 35


PwC 4 Information contained herein is for the sole benefit and use of PwC's Client

Executive Summary

PwC

Project objectives, approach, and scope

The overall objective of the project was to evaluate whether The University of Texas at Dallas (“UTD” or “institution”) Office of Internal Audit (“IA” or “IA function”) conforms with the Institute of Internal Auditors’ (“IIA”) International Standards for the Professional Practice of Internal Auditing (“the IIA Standards”), the Generally Accepted Government Auditing Standards (“GAGAS”) as well as the relevant requirements of the Texas Internal Auditing Act (“TIAA”), and to perform an assessment of the IA function compared to leading practices and recommend areas for improvement, efficiencies, and alignment with stakeholders’ expectations. In cases where the IIA Standards and GAGAS varied, we utilized the IIA’s "Supplemental Guidance" document, which provides a suggested approach to assess these standards. Our approach and scope included:

• Interviewing stakeholders of the IA function, including the President & Chief Executive Officer, Internal Audit Committee Chair, Chief Financial & Business Officer, other institution executive team members, certain The University of Texas System personnel and members of the external audit firm responsible for the System audit.

• Surveying other management and Internal Audit Committee members. • Interviewing the IA team members. • Analyzing a sample of IA documents, including Internal Audit Committee and management reports, methodology

documents, annual plans, risk assessments, audit work papers and reports, performance metrics, customer surveys, and other relevant information for fiscal years 2013 and 2014.

During the period covered by this Report, IA informed us that they did not issue any individual audit reports that stated the audit was conducted in accordance with GAGAS. As such, certain GAGAS related to audit execution and reporting were not assessed. This Executive Summary provides a high level summary of our observations and recommendations. Additional details were provided to the Chief Audit Executive (“CAE”).

Executive Summary

5 Information contained herein is for the sole benefit and use of PwC's Client

PwC

Assessment of IIA Standards

We have assessed IA’s conformance with the IIA Standards and our overall assessment is reflected in the table below.

Executive Summary (continued)

6

Standard Number

IIA Standards Assessment of Conformance

1000

The purpose, authority and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.

Generally

Conforms

1100 The internal audit activity must be independent, and internal auditors must be objective in performing their work. Generally Conforms

1200 Engagements must be performed with proficiency and due professional care. Generally Conforms

1300 The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.

Generally Conforms

2000 The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization. Generally Conforms

2100 The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.

Generally Conforms

2200 Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations.

Generally Conforms

2300 Internal auditors must identify, analyze, evaluate and document sufficient information to achieve the engagement’s objectives.

Generally Conforms

2400 Internal auditors must communicate the results of engagements. Generally Conforms

2500 The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.

Generally Conforms

2600 When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.

Generally Conforms


“Generally Conforms” means the IA activity has practices that are in accordance with the IIA Standards, although opportunities for enhancement may exist. “Generally Conforms” is the highest ranking possible.

PwC

TIAA requirements Other than the observations related to IIA Standards and GAGAS, no conformance observations were identified during our work. We did identify a process enhancement opportunity.

GAGAS Our assessment of GAGAS was limited, based on A&AS’s disclosure that no internal audits were performed during our assessment period under GAGAS. Based on our work, we identified a conformance observation that IA deferred the external peer review as directed by the UT System in order to coordinate the process System wide. We also identified process enhancement opportunities.

IIA Standards Based on our work, overall IA generally conforms. We did identify process enhancement opportunities.


7


Assessment of standards and requirements

Below is a summary of our observations of IA’s adherence with IIA Standards, GAGAS, and TIAA requirements. Additional details of observations or recommendations were provided to the CAE.

PwC


Summary of internal audit leading practices benchmarking results We utilized PwC’s Internal Audit Framework, comprised of five major categories, to assess the current state of IA. The analysis was based on stakeholder interviews, surveys, IA documentation, and a comparison with our internal audit leading practices database. We have broken out each of the five categories into sub-categories and provided the following details to the CAE:

- Overview of common benchmark attributes (not UTD specific); - Areas of strength; - Recommendations related to IIA Standards, GAGAS and TIAA

requirements; and - Leading practice recommendations.

A summary of IA’s performance against leading practices is illustrated to the right. This current state assessment benchmarked IA’s operations and activities against internal audit leading practices as of March 24, 2014, when fieldwork was substantially completed.

Some elements of these observations are included in planned UT System-wide initiatives and are identified throughout this report with this symbol: .


Structure

People

Process

Technology

Strategy

Legend:

Limited opportunities for enhancement

Moderate opportunities for enhancements

Significant opportunities for enhancement

PwC

Positive attributes and/or demonstrated leading practices

The following is a summary of positive attributes and/or leading practices demonstrated by the IA function. More detailed information provided to the CAE.



•Risk Assessment Input: The risk assessment is discussed at the quarterly audit committee meeting to ensure the audit approach has the necessary change agility to address current risks facing the University.

•Covered Risks: The risk assessment reflects an appropriately wide variety of risks including financial, operational, IT, and fraud.

Strategy

•Relationships: IA has a collaborative relationship with key stakeholders through regular structured touch points.

•Reporting Lines: IA has the appropriate access to institutional information and is viewed as an independent and objective entity.

Structure

•Job Descriptions: IA has clearly defined job descriptions and qualifications including education, work experience and certification(s).

•Training: The University is committed to ensuring that appropriate budget for training and education is available for IA staff each year. This training is tracked and monitored for all staff on a yearly basis.

People

•Reporting: Reports are clear and concise and ratings are discussed with process owners for feedback prior to report issuance.

•Planning Methodology: Engagement planning is comprehensive and includes consideration of fraud, staffing, reviewing entity background information, previous audit results and discussions with stakeholders.

Process

•Data Analytics: IA understands the importance of data analytics and has dedicated IT staff that will be able to continue to enhance the use of data analytics on each internal audit project, as well as develop an approach to implementing continuous auditing techniques as part of standard auditing procedures.

•Technology Tools: IA utilizes TeamMate, a technology tool utilized for documenting audit procedures and to facilitate project execution to ensure quality and consistency.

Technology

PwC

Opportunities for enhancement and leading practice recommendations

The following is a summary of the top recommendations identified in this external quality assessment of the IA function. More detailed information was provided to the CAE.



•Formalize and document a 2 – 5 year internal audit strategic plan that clearly articulates short and long term initiatives and objectives for Internal Audit. The Plan should not be static, but should rather incorporate changes in the assessment of emerging risk and the impact of such changes on Internal Audit’s objectives.

Strategic Plan

(Strategy)

•Develop and implement a more formalized approach to stakeholder relationship management. Set individual relationship goals for managers and assess performance against those goals.

Relationship Management

(Strategy)

•Formally document the link between the current training plan to the current and emerging risks faced by the University. This plan should align with the overall strategic plan for the department and should include training designed to improve communication, business acumen and leadership skills for IA staff.

•Leverage IA’s brand within the University to help create longer team career paths for staff within the University.

Staffing and Development

(People)

PwC

Opportunities for enhancement and leading practice recommendations (continued)



•Establish a more formalized procedure for the review of outstanding and resolved audit issues. This audit issue log should be updated to reflect any new issues, closed issues, and/or any correspondence between IA and process owners which would validate that management’s corrective actions were implemented as documented in the internal audit reports.

Reporting

(Process)

•Audit documentation should better comply with policies within the Department Manual, ensuring that as final reports are issued the final audit documentation is updated for any new information provided from the client.

•Continue to implement a formal integrated audit approach for all internal audit projects, incorporating information technology and compliance considerations as appropriate.

Work Paper Documentation

(Process)

•Consider developing / formalizing a near and longer term data strategy. The data strategy should consider current projected needs as well as aspirational objectives for the enhanced use of data by Internal Audit and the anticipated value to be delivered.

Quality and Innovation

(Technology)

UTS Coordination


Detailed Benchmarking, Observations, and Recommendations

PwC

Detailed Benchmarking, Observations, and Recommendations

13

Page

Benchmarking approach 14

Summary of Internal Audit Leading Practices Benchmarking Results 15

Detailed Observations and Recommendations

Strategy 16

Structure 21

People 23

Process 25

Technology 28


PwC

PwC’s EQA Methodology Framework – Using our proprietary Profiler™ software tool, we compared IA’s practices against leading practices and data from other high performing internal audit functions, and identified recommendations from enhancement. The following illustration depicts the framework utilized to assess IA’s performance against relevant leading practices.

Benchmarking Approach

Structure

People

Process

Technology

Strategy

Strategy

Mission, Vision and Charter Strategic Analysis Initiative definition & Implementation Performance Measurement &

Reporting Risk Assessment and Annual Plan Stakeholder Management &

Communication

Technology

Audit Workbench Data Analytics and Tools Knowledge Management Automated Control Analysis Tools

People

Career Path & Development Training Performance Management Staffing Model & Mix Recruiting & Placement

Structure Operating Structure Leadership Practice Management Specialists

Process

Methodology Engagement Planning Execution

Reporting Issue Tracking and Follow-up Quality

Information contained herein is for the sole benefit and use of PwC's Client 14

PwC

Summary of Internal Audit Leading Practices Benchmarking Results A summary of IA’s performance against leading practices is illustrated to the right. The analysis was based on stakeholder interviews, surveys, IA documentation, and a comparison with our internal audit leading practices database. This current state assessment benchmarked IA’s operations and activities against internal audit leading practices as of March 24, 2014. On the following pages, we have broken out each of the five categories into sub-categories and provided the following where applicable:

- Overview of common benchmark attributes (not UTD specific); - Areas of strength; - Recommendations related to IIA Standards, GAGAS and TIAA

requirements; - Leading practice recommendations; and - Other recommendations for enhancement.

Some elements of these observations are included in planned UT System-wide initiatives and are identified throughout this report with this symbol: .


Structure

Process

Technology

Legend:


Moderate opportunities for enhancement


Strategy

People

PwC

Legend:

Overview The way the IA function is considered as part of the overall enterprise strategy, the expectations of the key stakeholders, and the key business value drivers.

Summary areas of strength • The risk assessment encompasses all parts of the company and as part of

the process, captures input from various levels of management and is updated at quarterly audit committee meetings.

• The risk assessment reflects a wide variety of risks including financial, operational, IT, ERM and fraud.

Recommendations

Recommendations are detailed on the following pages.

Strategy


#

Mission, Vision, and Charter

Strategic Analysis

Initiative Definition and Implementation

Performance Measurement and Reporting

Risk Assessment and Annual Plan

Stakeholder Management and Communication

1


Moderate opportunities for enhancements


16

Structure

People

Process

Technology

Strategy

3

See next page for standards related leading practice recommendations.

2

PwC

Professional Standards and TIAA Requirements Related Recommendations

Organizational Reporting Relationships

Background The IA Charter states that the CAE is accountable to the institution President and the Internal Audit Committee and directly reports to the institution President and the Internal Audit Committee. The IA Charter further states that the CAE also has an indirect reporting relationship to The University of Texas System Chief Audit Executive and a direct reporting relationship to The University of Texas System Chief Audit Executive for system-wide audits. Historically, the institution President has been the chair of the Internal Audit Committee. Opportunities for Enhancement Given the nomination of the external chair to the Internal Audit Committee, the CAE should consider reassessing her organizational reporting lines and consider the IIA’s Practice Advisory 1110-1: Organizational Independence which recommends that the CAE reports functionally to the board (or Internal Audit Committee) and administratively to the organization’s chief executive officer to facilitate organizational independence. In addition, CAE should consider reassessing her indirect/direct nature of her organizational reporting lines with The University of Texas System Chief Audit Executive and any such changes in her reporting lines should be agree with the Internal Audit Committee and the institution President.

Detailed Recommendations – Strategy


1

UTS Coordination

PwC

Leading Practice Recommendations

Mission, vision, and charter

Background IA has frequent interactions with UTD Executive Management discussing, amongst other things, the institution's strategic and growth initiatives. However, IA currently does not have a formal strategic plan that links to institution’s strategic or growth initiatives. Opportunities for Enhancement IA should formalize and document a two to five year internal audit strategic plan that clearly articulates short and long term initiatives and objectives for Internal Audit. The plan should not be static, but should rather incorporate changes in the assessment of emerging risk and the impact of such changes on Internal Audit’s objectives. The plan could include the following: • Expanded use of technology, • Fully integrated audit processes (including IT and compliance considerations as appropriate), • People and staffing needs, • Succession plans, • Use of subject matter specialists, • Coordination with System, • Engagement with the business. The plan should also include a formalized approach to stakeholder relationship management, setting individual relationship goals for managers and assessing performance against those goals. This will create deeper relationships between IA managers and key business stakeholders, and will help educate IA managers on current initiatives and emerging risks in the University. This will also help to increase the likelihood that IA is appropriately involved in the design phases of new technology / systems implementations and can help access the operational effectiveness and/or efficiency of core business and information technology processes.

Detailed Recommendations – Strategy (continued)


2

PwC


Performance Measurement and Reporting

Background The University of Texas System Administration Audit Office is currently undergoing a pilot program to formalize an audit scorecard to report IA performance metrics. Currently, IA does not routinely share the pilot metrics with the Internal Audit Committee. Opportunities for Enhancement IA should continue to work with The University of Texas System Administration Audit Office to finalize the scorecard and begin reporting the agreed-upon performance metrics to the Internal Audit Committee on a regular basis (e.g., quarterly), including any improvement goals and action plans. Leading practice performance metrics cover both qualitative and quantitative measures such as: • value of cost savings and/or revenue enhancement opportunities, • regulatory fine avoidance, • trends and insights provided, and • completion of audit plan.



3

UTS Coordination

PwC



Other Recommendations

Relationship Management with the Internal Audit Committee

Background During the period of this report, the Internal Audit Committee did not have an external chair and the majority of Internal Audit Committee members with regular participation were the institution’s Executive Management. We were advised that an external chair for the Internal Audit Committee has been nominated as well as other external members to the Internal Audit Committee. Opportunities for Enhancement With the recent nomination of a new external chair for the Internal Audit Committee as well as other external members to the Internal Audit Committee, the CAE should consider establishing a plan to develop her relationship with the recently nominated external Internal Audit Committee members as well as provide relevant information on risks that the institution faces. To enhance IA’s independence and objectivity, the Internal Audit Committee meetings should consider having a standing agenda topic for private sessions between IA and external Internal Audit Committee members. IA should also consider scheduling meetings with the external audit committee members in advance of the full audit committee meeting.

Audit Committee Education

Background Currently there is lack of clarity within the Institution related to the role of System IA and how that differs from the role of UTD IA. Opportunities for Enhancement The current internal audit charter should be updated to include clearly defined roles and responsibilities for System IA, the differences between System IA and UTD IA, and the impact on University. These updates should be made in collaboration with System so that the updated charter will reflect an accurate and clear definition of these roles and responsibilities. IA should educate executive management and the audit committee once these changes have been made and the new charter has been approved.

PwC

Overview The way the internal audit function is structured and supported by the organization to allow it to deliver its mission, including board expectations, organizational alignment, independence, authority and management support. Summary areas of strength • IA has a collaborative relationship with key stakeholders through regular structured touch points.

• IA has the right access to institutional information and is viewed as an independent and objective entity.

Recommendations


Structure


Operating Structure

Leadership

Practice Management

Specialists

Legend:

#




1

Structure

People Technology

Strategy

Process

21


PwC

Detailed Recommendations – Structure

Information contained herein is for the sole benefit and use of PwC's Client. 22


Based on our work, no conformance observations were noted.


Specialized Expertise

Background IA has not recently used subject matter expertise from the business or The University of Texas System Administration Audit Office to assist with executing its audits. Opportunities for Enhancement As the institution’s risk profile changes with the addition of new service lines, system implementations and regulatory requirements, IA should consider whether additional expertise might be required to supplement the audit team (e.g., utilizing The University of Texas System Administration Audit Office, other UT institution IA or third-party expertise) on the audits of newly implemented technology, complex data analytics and analysis and new regulatory requirements

1

PwC

Overview The processes that internal audit functions have regarding attracting and retaining talent, progression of individuals into other roles, skillsets, learning and development, and resourcing level. Summary areas of strength • IA has clearly defined job descriptions and qualifications including

education, work experience and certification(s).

• Budget for training and education is set each year, and all staff are required to have a minimum of 40 CPE hours each year.

Recommendations


People


Career Path & Development

Training

Performance Management

Staffing Model & Mix

Recruiting & Placement

Legend:

#




2

23

Structure

Technology

Strategy

People

Process

1


PwC

Detailed Recommendations – People



Based on our work, no conformance observations were noted.


Staffing and Development

Background The IA department staff are qualified and dedicated individuals. Opportunities for Enhancement Given the competitive and somewhat restricted labor pool for internal audit personnel, a formal talent management process should be established for the IA function, including identifying specific avenues to source talent such as internal transfers, guest auditors, sources for external hires, and sourcing partners to provide talent and subject matter expertise.

Training & Tracking

Background IA staff receive regular internal audit related training, and are required to complete at least 40 hours of training in each fiscal year. Opportunities for Enhancement Formally document the link between the current training plan to the current and emerging risks faced by the University. This plan should align with the overall strategic plan for the department and should include training designed to improve communication, business acumen and leadership skills for IA staff. This alignment will help ensure the internal audit brand will continue to remain strong, and IA staff will have the confidence and skills to interact with process owners and executive management in positive, meaningful ways. In addition, training programs that meet GAGAS training requirements are not explicitly tracked. In order to demonstrate that GAGAS training requirements have been met for those staff that may be performing GAGAS related audits, additional tracking and documentation of those specific training programs that meet the GAGAS training requirements should be incorporated.

1

2

PwC

Overview The operational processes used by the internal audit function to deliver on its objectives and the efficiency and effectiveness of the processes and the communication methods. Summary areas of strength • Reports are clear, concise and ratings are generally accepted by

stakeholders.

• Engagement planning is comprehensive and includes consideration of fraud, staffing, reviewing entity background information, previous audit results and discussions with stakeholders to evaluate risk as well as detailed planning meetings with process owners as applicable.

Recommendations


Process


Methodology

Engagement Planning

Execution

Reporting

Issue tracking & follow up

Quality

Legend:

#




2

4

25

Structure

Technology

Strategy

People

Process


5

1

3

PwC

Detailed Recommendations – Process



Reference to GAGAS Standards

Background IA has documented procedures for conducting audits and other audit activities and these procedures are mapped to the IIA Standards. Additional procedures to address GAGAS requirements have not been established. Opportunities for Enhancement IA should consider establishing procedures to evaluate the annual audit plan for audits that are subject to GAGAS requirements, including procedures related to citing GAGAS in those audit reports. This procedure will help facilitate proper audit planning in accordance applicable standards as well as resource planning in order to assign GAGAS qualified auditors (e.g., auditors meeting GAGAS training requirements).

Reporting

Background The IA function relies on policies and guidelines provided by The University of Texas System Administration Audit Office as well as refers to professional standards in determining the nature and reporting formats to be used in reporting on periodic audits as well as reporting to the Internal Audit Committee. To the extent that these policies, guidelines or standards do not specify required formats or content, the IA function has developed its own reporting practices. Opportunities for Enhancement Formal policies and guidelines should be developed specifying the format to be used for reports of periodic audits (as defined by TIAA) as well as instances when such periodic audits should be performed in accordance with GAGAS and the related reporting references to GAGAS. Formal guidelines should be developed specifying the format and nature of content of periodic reports that IA provides to the Internal Audit Committee (e.g., nature of visual content, summarization of audits, prioritization of findings, significant findings, status in executing annual audit plan, emerging/changing risks and IA’s response).

Frequency of External Quality Assessment Required by GAGAS

Background GAGAS requires that audit organizations performing work in accordance with GAGAS must have an independent external peer review performed at least once every three years. The prior external assessment was performed in 2010 and the subsequent external review was delayed one year at the direction of the UT System to allow for the execution of a single system-wide EQA across all UT institutions. Opportunities for Enhancement As is planned by the System Audit Office, the institution should have an external quality assessment performed every three years going forward.

1

2

3

UTS Coordination

PwC

Detailed Recommendations – Process (continued)



Issue Tracking and Follow-Up

Background Currently the process for audit issue tracking and follow up is informal and is not consistently performed. Opportunities for Enhancement A formalized issued tracking process has historically been in place at UTD. Because of significant department turnover that has occurred recently, that follow up process has not been consistently carried out. We recommend that IA continue it’s follow up process that is designed to update the status of corrective actions implemented in response to IA's findings/recommendations. This tool should be leveraged by IA in assessing and reporting on all audit issues (open and closed).

Work paper Documentation

Background A formal IA policy and procedure manual has been developed to help guide IA staff while executing internal audit projects. Opportunities for Enhancement Audit documentation could better comply with policies within the Department Manual, ensuring that as final reports are issued and that final documentation is updated for any new information provided from the client.

4

5

PwC

Overview The way internal audit functions utilize technology to drive efficiencies and enhance the methodology and processes. Summary areas of strength • IA has dedicated IA staff to further enhance the use of continuous

monitoring and auditing by the department. Observations – See following pages

Observations related to professional Standards, Texas requirements and leading practice recommendations are detailed on the following page.

Technology


1

Audit workbench

Data analytics & flow

Knowledge management

Automated control analysis tools (GRC)

Structure

Technology

Strategy

People

Process

Legend:

See next page for standards related leading practice recommendations. #




PwC

Detailed Recommendations – Technology



No observations.

Develop Data Strategy and Expand Use of Advanced Analytics

Background IA currently utilizes various data tools to perform analytics for individual audit projects. Opportunities for Enhancement IA should consider developing / formalizing a near and longer term data strategy. The data strategy should consider current projected needs as well as aspirational objectives for the enhanced use of data by Internal Audit and the anticipated value to be delivered. IA should also expand its knowledge and use of continuous data analytic techniques.

1

UTS Coordination


Appendices

PwC

Appendix A – What We Heard from Stakeholders

31

Constructive

• While the IA group has smart staff, they often don’t know the area under scope

• IA group needs to change and evolve as the University is evolving.

• IA should be more “proactive” vs “reactive” in terms of auditing and monitoring.

• Focus on driving value or educating business owners of the value they provide.

• Opportunities exist to issue final reports faster – i.e. between formal close meeting where the draft is discussed and final issuance

• IA should consider new and emerging risks

Positive

• IA is very collaborative in their approach to audits

• Reports are well written, clear and concise

• IA has the ability to remain objective and independent while also working with management to make sure the messaging around audit results is factual and constructive.

• They show a great deal of professionalism

• They effectively reports to the Audit Committee

• We view internal audit as a partner


PwC

Appendix B – Interviewee List

32

IA Team Title

1 Colby Taylor IT Staff Auditor

2 Ashley Mathew Staff Auditor

3 Brandon Bergman Staff Investigative Auditor

4 Dylan Becker Senior Auditor

5 Polly Atchison IA Manager

6 Ali Subhani IT Audit Manager

Institution Stakeholder Title

1 Dr. David Daniel President

2 Toni Stephens Executive Director of Audit & Compliance

3 Terry Pankratz Vice President for Budget and Finance

4 Dr. Andrew Blanchard Vice President for Information Resources and Chief Information Office; Dean of Undergraduate Education

5 Lisa Choate External Audit Committee member; Partner, Ultimate Health Resources

6 Dr. Hobson Wildenthal Executive Vice President and Provost

7 Tim Shaw University Attorney

8 Carla Garner Compliance Manager


External Auditor – Deloitte

Title

1 George Scott Partner

2 Tracey Guidry Director

UT System Stakeholder Title

1 Dr. Francisco Gonzalez Cigarroa

The University of Texas System Chancellor

2 Brenda Pejovich The University of Texas System Regent and Audit, Compliance, and Management Review Committee Chairman

3 J. Michael Peppers The University of Texas System Chief Audit Executive

PwC

Appendix C – Survey Comments


Executive Management and Internal Audit Committee Member Survey Comments

Positive

• IA builds relationships to establish trust. • IA provides detailed information to support best practices and make improvements as needed.

• IA works with management in a very collaborative way. • Audit reports are clear and concise.

Constructive

• Develop a more proactive vs reactive approach • Monitor areas after the report is presented, allowing to dig a bit deeper and verify a directional change is taking place.

PwC

Appendix C – Survey Comments (continued)


Management Survey Comments

Positive

• The report s were clear and their follow-up was helpful. • Internal Audit works very collaboratively with Management.

• The communication and reporting are excellent. • The knowledge of higher education auditing is exceptionally high.

• IA builds relationships to establish trust. • The staff is very knowledgeable and helpful. IA provided great feedback and recommendations.

• IA provides quality feedback to the departments audited and gains a good understanding of the area audited and makes recommendations that are achievable.

• IA works patiently, courteously and respectfully and is therefore seen as a group that can help us be more efficient without beating us up.

Constructive

• Regular updates throughout the audit process would be more beneficial.

• Stay involved with new campus initiatives and properly focus attention on high risk areas.

• Continue to use technology to identify risks. • Ensure reports/findings/responses are discussed with appropriate senior leader prior to Audit Committee meetings.

• It does not seem like they are adequately staffed to cover the wide range departments and audit needs on our campus.

• Better communication throughout the audit process.

• IA needs to better understand business practices of functional areas.

• Need to stay focused on auditing rather than advising on performance improvements in areas that they do not possess the appropriate expertise.

PwC

Appendix D – Survey Results


Executive Management and Internal Audit Committee Survey Strongly

Agree Agree Neutral Disagree

Strongly Disagree

Cannot Rate

The internal audit function is independent and objective through its authority, reporting structure and in performing its work.

8 4 - - - -

The internal audit function is appropriately supported and empowered by Senior Management to perform its role.

10 2 - - - -

Management is able to provide adequate input into internal audit’s annual risk assessment and audit planning process.

9 3 - - - -

The annual internal audit plan effectively captures and prioritizes key risks including strategic, operational, financial, information technology and compliance related risks.

7 4 1 - - -

The internal audit function effectively co-ordinates, partners or integrates with other risk and compliance functions.

7 5 - - - -

The internal audit function focuses on the appropriate areas (e.g. critical risks) during audits, and at the appropriate level of detail (not just skimming the surface of a complex process).

6 6 - - - -

The internal audit function adds value to the institution. 8 4 - - - -

Internal audit personnel have the right knowledge, skills and technical capabilities to effectively address the key risks of the institution.

10 2 - - - -

Reports issued by the internal audit function, containing findings and recommendations, provide management with meaningful insight to help improve processes and/or enhance the control environment.

10 1 1 - - -

Reports issued by the internal audit function are timely, accurate, concise, and provide the appropriate level of focus on issues or risks that matter.

8 4 - - - -

The Chief Audit Executive provides the Audit Committee sufficient and relevant information regarding what matters most to you.

7 3 - - - 2

Audit Committee communications from the Chief Audit Executive are impactful and timely.

7 4 - - - 1

The internal audit function provides perspectives on new/emerging risks. 6 4 1 - - 1

The Chief Audit Executive has adequate time to discuss institutional matters with external members of the Audit Committee in private sessions.

8 2 - 1 - 1

Overall, the internal audit function operates effectively. 11 1 - - - -

PwC

Appendix D – Survey Results (continued)


Management Survey Strongly


Strongly Disagree

Cannot Rate

The internal audit function adds value to your business function in the following ways:

Improves management’s control environment 15 11 4 - - -

Reduces compliance risks 18 10 2 - - -

Provides useful business advice and process improvements 11 13 3 3 - -

The internal audit function is appropriately involved in the design phases of new technology and systems implementations and provides valuable advice to implementation teams.

1 7 5 4 1 12

The internal audit function is appropriately involved in the following areas to help manage risks across your business function:

Financial compliance and controls assurance 15 14 - - - 1

Operational effectiveness/efficiency of your core business processes 10 12 3 3 1 1

Operational effectiveness/efficiency of administrative processes 9 12 2 4 1 2

Legal and regulatory compliance 13 13 - 2 - 2

Ethics and compliance 12 13 1 1 - 3

Fraud detection and prevention 14 12 1 1 - 2

Information technology, including data security 4 12 7 3 1 3

Enterprise-Wide Risk Management 6 14 5 1 1 3

Management has adequate input into the annual risk assessment and audit planning process so that the audit plan effectively captures and prioritizes all key risks including strategic, information technology, operational, financial and compliance related risks.

13 9 1 - - 7

The internal audit function effectively coordinates, partners or integrates with other risk and compliance functions.

9 9 5 2 1 4

Internal audit personnel have the right knowledge, skills and technical capabilities to effectively address the key risks of the institution.

7 13 5 3 - 2

The internal audit function focuses on the appropriate areas (e.g. critical risks) during audits, and at the appropriate level of detail (not just skimming the surface of a complex process).

10 13 3 3 - 1

PwC

Appendix D – Survey Results (continued)


Management Survey (continued) Strongly


Strongly Disagree

Cannot Rate

The internal audit function demonstrates a clear understanding of business issues and related risks.

10 10 4 4 - 2

The internal audit function shares its knowledge of the organization, industry and best practice concepts with management throughout the institution.

9 12 4 - 1 4

The internal audit function is seen as independent and objective through its authority, reporting structure and in performing its work.

16 11 1 1 - 1

The internal audit function is appropriately supported and empowered by Senior Management to perform its role.

18 7 1 3 - 1

Concerns and potential issues are discussed prior to issuance of internal audit reports. 11 13 2 2 1 1

Reports issued by the internal audit function are timely, accurate, concise, and provide the appropriate level of focus on issues or risks that matter.

7 15 5 2 1 -

Reports issued by the internal audit function, containing findings and recommendations, provide management with meaningful insight to help improve processes and/or enhance the control environment.

11 12 6 - 1 -

Overall, the internal audit function operates effectively. 12 12 5 1 - -

Our Services were performed and this Deliverable was prepared for the sole use and benefit of, and pursuant to a client relationship exclusively with The University of Texas System Administration ("Client"). PwC is providing no opinion, attestation or other form of assurance and disclaims any contractual or other responsibility to others based on their access to or use of the Deliverable. Accordingly, the information in this Deliverable may not be relied upon by anyone other than Client.

© 2014 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

The University of Texas at Dallas · The overall objective of the project was to evaluate whether...

Documents

Transcript of The University of Texas at Dallas · The overall objective of the project was to evaluate whether...