Wendee Shinsato – Senior Audit Manager Ann Hough – Audit Manager.

2014 FOA/PSSOA CSU Business Conference
Audits: The People the Plan & the Process
Wendee Shinsato – Senior Audit Manager
Ann Hough – Audit Manager

Agenda
- Office of Audit and Advisory Services
- Annual Audit Planning Process
- Individual Audit Planning Process
- 2013 Subject Audits
- 2014 Subject Audits
- Questions
- Contact Information

Office of Audit and Advisory Services

Audit Planning Process

Audit Survey sent to all 23 campuses in the last quarter of each year. This information is combined with other input, including:
- Discussions with Chancellor’s Office Management.
- Discussion with audit committee chair.
- External trends and input.

We present the audit plan at the January Board of Trustees meeting each year for approval of audit assignments. http://www.calstate.edu/bot/agendas/

Individual Audit Planning Process

Determined by a subject-specific risk assessment that includes, but is not limited to:
- Review of CSU policies, laws, regulations, and other criteria.
- Specialized training in the subject area.
- Discussions with CO management.
- Discussions with campus personnel including Vice Presidents of Administration and Department Managers
- Review of previous and related audits, both from inside the CSU and from the outside: state auditors, the UC system, other universities.

2013 Subject Audits

2013 Subject Audits

Eight audits were approved by the Board of Trustees for 2013:
- Credit Cards
- International Programs (Round 2)
- Hazardous Materials
- Sensitive Data Security and Protection (2011)
- Centers and Institutes
- Student Health Services
- Sponsored Programs – Post Award
- Conflicts of Interest (not performed)

Finalized audit reports can be reviewed on our website at http://www.calstate.edu/audit

2013 Systemwide Audits
- Credit Cards: http://www.calstate.edu/audit/Audit_Reports/creditcards/2013/1323CreditCardsSYS.pdf

Remaining systemwide audits for 2013 have not yet been finalized, but will be available on our website when they are complete.

Credit Cards – Observations and Trends

Policies and Procedures – Campuses often did not have adequate policies and procedures for credit card programs, outside of the main procurement card program.

Personal Liability Cards – Applications were not always appropriately approved and cardholder agreements obtained.

Personal Liability Cards – Use of personal liability cards was not monitored to ensure that only business-related expenses were incurred and payments made in a timely manner.

Credit Cards – Best Practices

Many campuses performed a 100% audit of all procurement card reconciliation packages. The key here was to ensure that violations are documented and sanctions enforced.

Include both procurement/travel cards and personal liability cards on separation checklists. Automate notification of separated employees to alert the appropriate credit card administrators.

International Programs – Observations and Trends

Authority – Many programs were not properly approved.

Third-party Providers – Non-compliance with specific requirements regarding due diligence, and acceptance of material benefits from vendor.

Student Orientations - For CSU students going abroad, and for international students arriving for CSU courses.

International Programs – Best Practices

Some campuses had strong centralized departments that effectively identified and administered all IP programs from various initiating areas: the CO, the individual colleges, and from outside universities.

Some colleges strategically integrated curriculum development with IP opportunities to maximize the benefits to participants. One campus requires all students to participate in an international program as part of the graduation requirement.

Hazardous Materials Management – Observations and Trends

Roles and Responsibilities - “I thought EH&S did this for us.”

Hazard Communication Program - The requirement to inform employees and students of the hazards in the workplace – labelling was nearly always an issue.

Inspections - Required as part of the Injury and Illness Prevention Program, often the process was in disarray.

Laboratory Safety – Lack of an adequate Chemical Hygiene Plan and/or designation of a Chemical Hygiene Officer

Hazardous Materials Management – Best Practices

All campuses had well-qualified, experienced and knowledgeable management.

Best practices would include an inspection program that identifies and quantifies the risks; tailors an inspection schedule on perceived risk; clearly identifies and educates responsible parties; and includes processes to monitor completion of assigned inspections and follow up on required remediation.

Sensitive Data – Observations and Trends

GOVERNANCE!

No inventory of protected data or complete listing of electronic and paper records. Data ownership had not been consistently assigned.

Protected data held in paper documents was not adequately controlled.

New employees with access to sensitive data had not received security awareness training.

Sensitive data stored on servers were not always behind secure campus firewalls or other network controls, and protected data was not always stored in an encrypted format.

Equipment disposition processes did not ensure that data had been wiped from computers prior to being surplused or donated.

Sensitive Data – Best Practices

A best practice would be to survey or inventory sensitive data annually, in order to know what data is out there, and who is responsible for it.

Campuses with more centralized IT operations seemed to have a better grasp of overall campus data and the controls in place for that data.

Centers and Institutes – Observations and Trends

Definition for centers and institutes could be improved to ensure that entities are recognized and reported by the campus.

Reviews of centers were not always performed in accordance with campus policy.

Center fiscal administration needed improvement – most often in receipt of funds and use of written agreements and contracts.

Centers and Institutes – Best Practices

SLO had a well defined and clear organizational structure that made responsibility for centers and institutes on campus very clear.

Some campuses tied the periodic review to renewal of the center charter.

Northridge had a very robust center and institute policy that included a “one-stop” shop for operating procedures (revenue, expenses, human resources, travel, etc.)

Student Health Services – Observations and Trends

Governance and Oversight – The provision that the campus designate accountability for “all university health services,” including those offered in Athletics and in the academic areas, was not always met.

Types of Services Offered at the SHC – Provisions regarding the vetting and approval of augmented services were not always met.

Pharmacy – Issues regarding segregation of duties noted at smaller campus pharmacies, and exceptions related to appropriate inventory practices.

Student Health Services – Best Practices

All campuses substantially met requirements for the minimum basic services available.

One campus had a robust health education program that was directly tied to relevant information regarding student needs, delivered by a well-trained and supervised peer health team of students pursuing degrees in health education.

Post Award – Observations and Trends

PI Conflict of Interest statements not always obtained timely.

Effort certifications were not always accurate or include adequate supporting documentation (additional employment, cost share effort)

Sub-Recipient risk assessments – Documentation, timeliness, signatures and dates.

Post Award – Best Practices

Cost sharing at Chico:
- Cost sharing is reviewed every time the sponsor is invoiced.
- Use of cost share commitment forms and agreements helps to quantify and track cost share.

Effort reporting:
- Use of reimbursed-time purchase orders at some campuses provides easy tracking for faculty time.

Northridge conflict of interest disclosure forms for federal awards include review signatures and actions.

2014 Audits

2014 Subject Audits

Seven audits were approved by the Board of Trustees for 2014:
- Conflict of Interest (carryover from 2013)
- ADA Web Accessibility (renamed to Accessible Technology)
- Lottery Funds
- Executive Travel
- Sponsored Programs – Post Award (Round 2)
- Information Security
- Continuing Education

Conflict of Interest

Audit Scope:
- General administration of the conflict of interest program.
- Review and identification of designated positions.
- Timely and accurate completion of conflict-of-interest disclosure statements and related ethics training.
- Employee/vendor relationships.
- Gift to agency reporting.

Audit Status: Fieldwork completed for first three audits.

Accessible Technology

Audit Scope:
- Compliance with section 508 and CSU Accessible Technology Initiative requirements.
- Student and employee accessibility to technology (i.e., physical structures excluded)
- Campus governance and executive support
- Coordination between various constituent groups
- Campus responsiveness to requests or complaints

Audit Status: Fieldwork for pilot audit in progress.

Lottery Funds

Audit scope:
- Review of campus lottery fund allocation and expenditure policies and procedures to ensure compliance with CSU and state requirements.
- Review of internal campus processes for monitoring, reviewing and approving campus discretionary allocations to specific programs and/or areas
- Examination of specific programs receiving lottery funding to confirm the expenditures are in conformance with state and CSU restrictions.

Audit Status: Fieldwork complete at two campuses.

Executive Travel

BOT Agenda:

Proposed audit scope would include review of campus travel policies and procedures to ensure alignment and compliance with CSU requirements; review of internal campus processes for monitoring, reviewing and approving travel expense claims; and examination of senior management travel and travel expense claims for proper approvals and compliance with campus and CSU travel policy.

Sponsored Programs – Post Award

Audit Scope:
- Training
- Conflict of Interest Filings
- Effort Reporting
- Cost Sharing
- Sub Recipient Monitoring
- Fiscal Administration

Information Security

BOT Agenda:

Proposed audit scope would include review of the systems and managerial/technical measures for ongoing evaluation of data/information collected; identifying confidential, private or sensitive information; authorizing access; securing information; detecting security breaches; and security incident reporting and response.

Continuing Education

BOT Agenda:

Audit scope includes review of the processes for administration of continuing education and extended learning operations as self-supporting entities; budgeting procedures, fee authorizations, and selection and management of courses; faculty workloads and payments to faculty and other instructors; enrollment procedures and maintenance of student records; and reporting of continuing education activity and maintenance of CERF contingency reserves.

CA State Auditor Report: http://www.bsa.ca.gov/reports/summary/2012-113

Questions??

Ann Hough [email protected]

Wendee Shinsato [email protected]

Greg Dove (IT audits) [email protected]

Mike Caldera (Advisory Services) [email protected]