The University of Texas System Administration Audit Office Annual Audit Report Fiscal Year 2004TABLE OF CONTENTS I. INTERNAL AUDIT PLAN FOR FISCAL YEAR 2004 ..................................................................... 1 OVERSIGHT – PART 1 OF 2.......................................................................................................................... 2 SYSTEM ADMINISTRATION – PART 2 OF 2................................................................................................... 5 II. EXTERNAL QUALITY ASSURANCE REVIEW (PEER REVIEW)...................................................... 9 EXECUTIVE SUMMARY ............................................................................................................................... 9 III. LIST OF AUDITS COMPLETED SHOWING SCOPE, OBSERVATIONS/FINDINGS, RECOMMENDATIONS, AND STATUS..................................................................................... 10 IV. ORGANIZATIONAL CHART.................................................................................................... 48 V. REPORT ON OTHER INTERNAL AUDIT ACTIVITIES.................................................................. 49 VI. INTERNAL AUDIT PLAN FOR FISCAL YEAR 2005 ................................................................... 51 OVERSIGHT – PART 1 OF 2................................................................................................................... ...
Fiscal Year 2004 Audit Plan Oversight Part 1 of 2 FY 2004 Audit Plan -OversightAudit/Project Key Financial and Operating Audits Consulting Implementation of the Spirit of Sarbanes-Oxley Special Requests Carryforward Subtotal Institutional Compliance Audits Endowments Consulting System-wide Compliance Program Support Special Requests Carryforward Subtotal Information Technology Audits Internal Controls (Reserve for IT testing related to Sarbanes-Oxley) UT Brownsville - Financial Aid System UT Tyler - Student Information System Consulting UT Pan American - ORACLE Implementation Project UT Health Center Tyler - Hospital Information System Implementation Project System-wide IT Security Initiative Component Consulting Special Requests Carryforward Subtotal Core Business Processes
System Administration Part 2 of 2 FY 2004 Audit Plan -System Administration2004 Budgeted Audit/Project Hours Key Financial and OperatingAuditsSarbanes-Oxley & Internal Controls Assessment Service Dept. Operating Revenues 300 40Salary & related expenditures 120Professional Fees & Services Expenditures Expenditure Testing 60 UTIMCO 200 Other Audits Follow-up on Comptroller Audit - Appropriate use of Funds by 160 Source (State vs. Institutional) Assisting Outside Auditors 240Permanent University Fund, Long Term Fund, Short/Intermediate Term Fund, General Endowment Fund, Permanent Health Fund FYE 8/31/03 - 160University Lands Accounting (ULAO) and Permanent University Fund expenditure testing FYE 8/31/03 200Audit of Bond Schedules included in the CAFR ConsultingImplementation of the Spirit of Sarbanes-Oxley 200 40Implementation of the Spirit of Sarbanes-Oxley - UTIMCO Special Requests0 Carryforward 0 Subtotal 1,720 Institutional ComplianceAuditsEndowments 100 Continuing Disclosure & Private Business Use of Tax-Exempt 40 Financed Facilities 300Construction Procurement, Federal Clean Water Act, Sexual Harassment and Sexual Misconduct, Security Sensitive Process, Conflict of Interest and Ethics Consulting 100System Administration Compliance Program Inspections of account reconciliations and procards 160 Carryforward 0 Subtotal 700 Information TechnologyAudits 5
FY 2004 Audit Plan -System Administration2004 Budgeted Audit/Project Hours Internal Controls (Reserve for IT testing related to Sarbanes- 300 Oxley) Data Management Audit of UT Austin Hosted Systems 300 UTIMCO - General Controls Audit 400 EGI - Application Audit of UT Touch & Financial Information 300 Systems IT Vulnerability Assessment Action Plan Follow-up 200 Risk Management Claims System Implementation 100 Audit Follow-up 200 ConsultingOIR Peer Review 100 HIPAA Compliance Committee - IT Security Rule 50 Implementation OFPC - Integrated Information Platform Initiative 50 System Administration Departments 50 Special Requests150 CarryforwardIT Recommendation 2003 Follow-up 100 Subtotal 2,300 Core Business ProcessesAuditsOil and Gas Producers on Permanent University Fund Lands 500 500Management Audit of West Texas Operations OFPC Management Audit 400 Contract Administration 200 Accountability & Performance Measures 40 ConsultingProcess Redesign 100 EGI - Disease Management Programs 200 EGI - Premium Reconciliation 70 Special Requests300 Carryforward Subtotal 2,310 Change in Management Change in Management Audits 480VC for Administration's New Areas Department - Police - Facility Management - Human Resources Airplane - of Information Resources - Office Technology - Information - Account Services SA Compliance -
6
FY 2004 Audit Plan -System Administration2004 Budgeted Audit/Project Hours the Chancellor (includes VC for Administration and Dr. 90Office of Malandra's areas) Consulting0 Special Requests0 Carryforward0 Subtotal 570 Follow-upAudits 100Follow-up on System Administration Audit Recommendations (non-IT) Consulting 0 Special Requests0 Carryforward0 Subtotal 100 Audit ProjectsReporting 2002005 Audit Plan 502004 Annual Audit Report Internal Audit Committee 200 Recommendation Tracking System 160 Department Enhancements Proficiency and Awareness 200 ConsultingSystem Administration Departments and/or Executive 80 Management Special Requests300 Carryforward 2004 Audit Plan 20 Subtotal 1,210 Total Hours 8,910
7
Deviations from the Audit Plan Overall A majority of the fiscal year2004 Audit Plan Reportswas completed. were issued for five fiscal year 2004 audits in fiscal year 2005. Several audits in the2004 Audit Planrelated to Sarbanes Oxley and the external financial audit were deferred until fiscal year 2005. The primary reasons for the deviation from the plan were: •Delay of the external financial audit until fiscal year 2005. •Additional executive management requests. reporting requirements occurred as a result of theIncreased and improving • formation of the Audit, Compliance, and Management Review Committee of the Board of Regents (first meeting held in August 2003).
8
II.eRreeP()weivceanursswieevRetnrlaQauilytAEx The University of Texas System Internal Auditing Department Quality Assurance Review January 200 2
Executive Summary The Review At the request of the Director of Audits a Quality Assurance Review of the University of Texas System Audit Office was conducted in accordance with professional standards and current practices within the Internal Audit Profession. The Review encompassed all activities of the System Audit Office identified, for the purposes of the Review, as: audit services to UT System Administration offices, support for UT Permian Basin and other components as needed, coordination of component internal audit operations and involvement in the institutional compliance program. A team of three external and one UT System audit directors performed the Review. Overall Conclusion The University of Texas System Audit Office is in compliance with the Institute of Internal Auditors Professional Standards meeting all of theAttributeandPerformance standards. Audit personnel are experienced, competent and well supervised. Its customers are well satisfied with the services received, and the range of services provided is well aligned with management’s objectives and appropriate to the profession’s revised definition. A characteristic of a sound professional organization is its interest in continuous improvement. Toward that end the Review Team has observed certain opportunities for the Director’s consideration which may further improve the UT Internal Audit program at both the System Administration level and System-wide. ***** We appreciate the opportunity to assist the UT System Audit Office in this important effort, and hope that, as intended, it has been a mutually beneficial professional experience.