
Audit UMTB

Apr 08, 2018

  • 8/7/2019 Audit UMTB

    1/26

    AUDIT SERVICES

    Annual Report for Fiscal Year 2004


    University of Texas Medical Branch at Galveston
    Audit Services FY 2004 Annual Report

    Table of Contents

    I. Work Plan for Fiscal Year 2004

    II. External Quality Assurance Review

    III. List of Audits Completed

    IV. Organizational Chart

    V. Report on Other Internal Audit Activities

    VI. Work Plan for Fiscal Year 2005


    Notes

    1 Satisfies UT System requirement for MSRDP audit

    4 Includes time for general audit and IT audit personnel

    a We reduced the original budget for this project based on our anticipated reduction in the scope of this project. The hours were reallocated to the Clinical Cash Collections Project to fund a portion of the hours we added to the budget of that project.

    b This carryforward project was added to our priority audit listing to account for resources we expended on this endeavor fiscal year to date. The net effect of this addition on our priority budgeted hours was zero, since we reallocated hours that were already on our listing under the caption "Reserve for Just in Time Auditing/Advisory Services" to fund this new line item.

    c These carryforward projects were added to our priority audit listing to account for resources we expended on these endeavors fiscal year to date. The net effect of these additions on our priority budgeted hours was zero, since we reallocated hours that were already on our listing under the caption "Reserve for Just in Time Auditing/Advisory Services" to fund these new line items.

    d According to feedback received from the UT System Audit Office, this review is no longer required. We reallocated the 200 hours originally budgeted for this project to Clinical Cash Collections Project.

    2 Additional hours for this audit/project are included for Information Technology (IT) audit personnel in the IT segment of the work plan

    3 Additional hours for this audit/project are included for non-IT audit personnel in other segments of the


    II. External Quality Assurance Review


    III. List of Audits Completed

    Report No. | Report Date | Name of Report | High-Level Audit Objective(s) | Observations/Findings and Recommendations | Current Status (with brief description if not yet implemented) | Fiscal Impact/Other Impact

    Report No.: 2004-004
    Report Date: 7/23/2004
    Name of Report: Post Implementation Review Clinical Cash Collections Process

    High-Level Audit Objective(s): The objective of this audit was to perform a post implementation review of the clinical cash collections/management system that was implemented two years ago. The review extended to assessing asset security issues in the clinics (e.g., access to the cash drawers).

    Observations/Findings and Recommendations: Opportunities exist to strengthen controls in the clinical cash collections process. Specifically, management should:

    - Implement a monitoring mechanism that estimates the amount of cash that should be collected and compares that estimation with the amount actually collected.
    - Ensure that established cash collections procedures are consistently applied by clinic personnel.
    - Ensure adequate physical security measures are in place to safeguard cash collections.
    - Record, report, and resolve in a timely manner all identified overages and shortages.
    - Ensure cash collection duties are appropriately segregated.
    - Review daily clinic cash collections on at least a periodic basis.
    - Implement a process to ensure that all reportable shortages are communicated to campus police and the deposit team and that appropriate disciplinary action is taken as needed.
    - Ensure management reports accurately reflect current activity.
    - Ensure that all employees with cash collection/handling responsibilities complete required training.

    Current Status: Target completion dates were identified through 12/04.

    Fiscal Impact/Other Impact: Ensures collection, posting, and depositing of all cash collected in clinical areas. Reduces the risk for errors, irregularities, and fraud.


    Report No.: 2004-007
    Report Date: 1/15/2004
    Name of Report: Family Practice Residency Programs

    High-Level Audit Objective(s): The objective of this audit was to ensure that Texas Higher Education Coordinating Board funds were expended in accordance with program guidelines.

    Observations/Findings and Recommendations: We concluded that program activities for the period were properly recorded, reported, and expended.

    Current Status: No recommendations requiring action.

    Fiscal Impact/Other Impact: Ensures accurate financial and compliance reporting to the State and other users of the information.

    Report No.: 2004-009
    Report Date: 9/1/2004
    Name of Report: Financial Statement Fund Balance

    High-Level Audit Objective(s): The objective of this review was to provide Financial Management with information regarding fund balance reporting, including the transfer process, and provide management with opportunities for improvement.

    Observations/Findings and Recommendations: We concluded that there are opportunities for improvement in the following areas:

    - All equity transfers should be reviewed and approved by supervisory personnel.
    - Management should implement a formal process for performing recurring, routine equity transfers.
    - Deficit fund balances should be investigated and resolved.
    - Journal vouchers should be reviewed and approved by supervisory personnel, and appropriate approvals at certain dollar thresholds should be established.
    - Adequate documentation should be maintained to support all journal entries.

    Current Status: Target completion dates were identified through 2/28/05.

    Fiscal Impact/Other Impact: Ensures accurate financial reporting.


    Report No.: 2004-101
    Report Date: 9/2/2004
    Name of Report: Endowment Compliance Program of the Office of University Advancement

    High-Level Audit Objective(s): The objective of this review was to assess the effectiveness of the processes in place to monitor the use of endowment funds, establish endowment agreements, ensure compliance with the gift agreements, and facilitate agreement modifications when appropriate.

    Observations/Findings and Recommendations: Management has not provided adequate oversight to ensure compliance with UT System, UTMB, and donor-specific guidelines. This is evidenced by the following:

    - The Office of University Advancement does not have adequate procedures or monitoring systems in place to ensure compliance with UT System and UTMB guidelines and gift agreements.
    - Training is not sufficient to ensure all pertinent employees are informed of proper endowment practices.
    - Controls are not in place to ensure that cash receipts are properly safeguarded, activities are adequately segregated, and accounts are correctly reconciled.
    - Controls over quarterly endowment reporting are not adequate to ensure accurate information is being reported to management.
    - Pending endowments are not properly tracked to ensure timely resolution.

    Current Status: Target completion dates were identified through 2/28/05.

    Fiscal Impact/Other Impact: Resolution of the noted issues will improve the endowment compliance oversight process, ensure accurate reporting of endowment activity, and reduce the risk for errors and fraud in the endowment processing area.


    Report No.: 2004-102
    Report Date: 7/27/2004
    Name of Report: Research Office of Sponsored Programs

    High-Level Audit Objective(s): The objective of this audit was to assess the controls over processes for ensuring compliance with applicable federal laws, regulations, and grant and contract provisions.

    Observations/Findings and Recommendations: Management did not provide adequate oversight to ensure compliance with applicable federal laws, regulations and grant and contract provisions. Specifically, we noted the following:

    - Adequate systems were not in place to ensure compliance,
    - Controls were not sufficient to ensure that subrecipients, matching costs, and program income were monitored,
    - Cash draws were not requested and posted timely, and
    - Federal reports were not submitted timely.

    Recommendation: Audit Services recommended that management provide adequate oversight over key processes to ensure:

    - Current systems are improved to ensure compliance with grant and contract provisions,
    - Controls are developed and implemented to provide for appropriate monitoring of grant activity,
    - Controls are developed and implemented to ensure that cash draws are made and allocated timely, and
    - Federal reports are submitted timely.

    Current Status: Target completion dates were identified through 6/1/05.

    Fiscal Impact/Other Impact: Ensure compliance with federal regulations.


    Report No.: 2004-201
    Report Date: 7/15/2004
    Name of Report: Surgery Decentralized Information Technology Operations

    High-Level Audit Objective(s): The objective of this audit is to determine if the following is being performed in compliance with UTMB Information Resource Policies and Practice Standards for the selected areas that will be reviewed:

    - Existing system security parameters are configured appropriately.
    - System is configured to prevent unauthorized access to critical application, data and system resources.
    - Adequate controls are placed over the configuration of user profiles.
    - System level security is configured to protect critical data files and to protect production programs.
    - Security events are logged and monitored.
    - Backup and Recovery Procedures exist and address the risk of the area supported.
    - Physical and Logical Access to the computer resources is appropriate.
    - Environmental Conditions surrounding the servers are controlled.
    - Staffing, Training, and Separations of Responsibilities are appropriate.
    - Change Management operations represent a proper control environment.

    Observations/Findings and Recommendations: Due to the nature of the information that is contained in this Information Technology Audit report, we have elected to provide the details of the report to appropriate parties when requested.

    Current Status: In Progress

    Fiscal Impact/Other Impact: Minimizes the risk of business interruptions.


    Report No.: 2004-203
    Report Date: 7/15/2003
    Name of Report: Educational Affairs Decentralized Information Technology Operations

    High-Level Audit Objective(s): The objective of this audit is to determine if the following is being performed in compliance with UTMB Information Resource Policies and Practice Standards for the selected areas that will be reviewed:

    - Existing system security parameters are configured appropriately.
    - System is configured to prevent unauthorized access to critical application, data and system resources.
    - Adequate controls are placed over the configuration of user profiles.
    - System level security is configured to protect critical data files and to protect production programs.
    - Security events are logged and monitored.
    - Backup and Recovery Procedures exist and address the risk of the area supported.
    - Physical and Logical Access to the computer resources is appropriate.
    - Environmental Conditions surrounding the servers are controlled.
    - Staffing, Training, and Separations of Responsibilities are appropriate.
    - Change Management operations represent a proper control environment.

    Observations/Findings and Recommendations: Due to the nature of the information that is contained in this Information Technology Audit report, we have elected to provide the details of the report to appropriate parties when requested.

    Current Status: In Progress

    Fiscal Impact/Other Impact: Minimizes the risk of business interruptions.


    Report No.: 2004-220
    Name of Report: Server Reviews

    High-Level Audit Objective(s): The objective of this audit is to determine if the following is performed in compliance with UTMB Information Resource Policies and Practice Standards for the selected servers that will be reviewed:

    - Existing system security parameters are configured appropriately.
    - System is configured to prevent unauthorized access to critical application, data and system resources.
    - Adequate controls are placed over the configuration of user profiles.
    - System level security is configured to protect critical data files and to protect production programs.
    - Security events are logged and monitored.

    Observations/Findings and Recommendations: Due to the nature of the information that is contained in this Information Technology Audit report, we have elected to provide the details of the report to appropriate parties when requested.

    Current Status: Completed.

    Fiscal Impact/Other Impact: Minimizes the risk of business interruptions.

    Report No.: 2004-301
    Name of Report: Physical Security Initiative

    High-Level Audit Objective(s): The objective of this review is to monitor institutional activities related to the UT System Campus Safety and Security Workgroup and perform inspection activities on practices and procedures implemented as a result of previous DHHS OIG reviews and federal and state security directives (e.g. USA Patriot Act of 2001).

    Observations/Findings and Recommendations: Due to the nature of the information that is contained in this audit report, we have elected to provide details of the report to appropriate parties when requested. (418.177 Texas Government Code 2004)

    Current Status: In progress.

    Fiscal Impact/Other Impact: Ensures institutional resources, especially those related to research, are adequately protected from unauthorized access, use, or disclosure.


    Report No.: 2004-307
    Report Date: 6/28/2004
    Name of Report: UTMB HealthCare Systems Clinical Staffing Office

    High-Level Audit Objective(s): The objective of this audit was to provide a general assessment of administrative and operational controls over the Clinical Staffing Office.

    Observations/Findings and Recommendations: Opportunities exist to strengthen controls and improve the efficiency and effectiveness of the Clinical Staffing Office (CSO). Specifically, management should:

    - Ensure that specific policies and procedures for the CSO are developed, approved, and disseminated to all employees.
    - Continue its efforts to recruit additional nurses.
    - Continue its efforts to revise the external staffing agency contract template.
    - Work with UTMB nursing management to resolve current time capture and approval issues.
    - Ensure adequate segregation of duties exists between Payroll and Human Resources.
    - Increase the frequency of monitoring processes to validate the accuracy of external agency billing.

    Current Status: In progress.

    Fiscal Impact/Other Impact: Improve the efficiency and effectiveness of the Healthcare Systems Clinical Staffing Office operations. Reduces the risk for errors, irregularities, and fraud.


    Report No.: 2004-401
    Report Date: 8/27/2004
    Name of Report: Department of Neurology Change of Management

    High-Level Audit Objective(s): The objective of these audits was to provide a general assessment of the entity's financial, administrative, and compliance control environments. A major outcome of these reviews will be the documentation and identification of significant related risk areas for responsible management's continued consideration and mitigation efforts.

    Observations/Findings and Recommendations: Opportunities exist to strengthen controls over the operations in the Department of Neurology. Specifically, management should:

    - Improve controls over cash receipts including ensuring compliance with UTMB's Cash Handling and Reporting Policy.
    - Document departmental account reviews.
    - Ensure appropriate separation of duties in PeopleSoft.
    - Ensure appropriate separation of duties for gift check receipts.
    - Ensure that all financial and progress reports for research projects are filed timely.
    - Develop a recruitment and retention plan.

    Current Status: In progress.

    This action has been completed

    Fiscal Impact/Other Impact: Reduces the risk for errors, irregularities, and fraud.


    University of Texas Medical Branch Institutional Organization Chart

    OFFICE OF THE PRESIDENT
    President

    Executive Vice President

    Dean, School of Nursing

    Dean, Graduate School of Bio. Sciences

    Dean, School of Allied Health Sciences

    Dean, School of Medicine

    Vice President for Research

    Vice President for University Advancement

    Vice President for Community

    Vice President Business & Administration

    Chief Financial Officer

    COO & Director of Patient Care Services

    Affirmative Action

    Audit Services

    Legal Affairs

    Inst. Compliance Cost Reimbursements


    V. Report on Other Internal Auditing Activities

    Report No. | Report Date | Name of Report | High-Level Audit Objective(s) | Observations/Findings and Recommendations | Current Status (with brief description if not yet implemented) | Fiscal Impact/Other Impact

    Report No.: 2004-602
    Name of Report: Internal Controls & Accountability/Training Phase II

    High-Level Audit Objective(s): We will continue our efforts in conjunction with Financial Services and Business Affairs to identify areas for special review and/or internal control accountability training. Targeted areas will be those that might not otherwise meet specific criteria for audit consideration.

    Observations/Findings and Recommendations:

    - Facilitated the completion of baseline Internal Controls self-assessments by senior and executive management. Provided a summary of results to entity leaders and Financial Services for further action.
    - Developed an executive level training session on internal controls. Provided classroom training to senior and executive management.
    - Reviewed and commented on the draft Management Responsibilities Handbook.

    Current Status: Completed

    Fiscal Impact/Other Impact: Reinforces management's responsibility and accountability for ensuring effective internal control systems are in place and functioning throughout the institution.

    Report No.: 2004-603-A
    Name of Report: Institutional Business Assurance/ACL Initiative

    High-Level Audit Objective(s): UTMB has contracted with ACL to provide continuous monitoring scripts that will assist management in monitoring activity within the PeopleSoft application. In addition to these standard reports, management has expressed the need to run ad-hoc reports, and Audit Services has assisted them in running ACL to retrieve specific data from our financial reporting system. We expect this to continue in FY 2004 until the processing departments are well-trained in the use of ACL.

    Observations/Findings and Recommendations: These efforts are ongoing and there have been no observations or recommendations requiring action.

    Current Status: Completed

    Fiscal Impact/Other Impact: Ensure monitoring of account activity to insure compliance with state and federal regulations.


    Report No.: 2004-002
    Name of Report: Accounts Receivable and Allowance for Bad Debts

    High-Level Audit Objective(s): The objective of this audit was to review the methodology used for valuing the (net) accounts receivable and to determine the reasonableness of the allowance for doubtful accounts balance as of August 31, 2003.

    Observations/Findings and Recommendations: We performed work on Accounts Receivable and Allowance for Bad Debt balances in conjunction with an Agreed Upon Procedures engagement performed by PricewaterhouseCoopers (PC). Procedures performed and observations made were communicated to Financial Management in a report prepared by PC.

    Current Status: Completed

    Fiscal Impact/Other Impact: Ensure accurate financial reporting.

    Report No.: 2004-003
    Name of Report: Financial Data Accumulation & Financial Reporting Interfaces

    High-Level Audit Objective(s): The objective of this project was to review and assess transaction flow and reconciliation processes between major subsidiary systems and the general ledger at 8/31/03 for the purposes of giving management assurances as to accuracy and gathering information which will assist in Sarbanes-Oxley-related control activities.

    Observations/Findings and Recommendations: We performed work in this area, specifically on Accrued Liability balances, in conjunction with an Agreed Upon Procedures engagement performed by PricewaterhouseCoopers (PC). Procedures performed and observations made were communicated to Financial Management in a report prepared by PC.

    Current Status: Completed

    Fiscal Impact/Other Impact: Ensure accurate financial reporting.

    Report No.: 2004-211
    Name of Report: IT Vulnerability Assurance Audit & Action Plan Follow-Up

    High-Level Audit Objective(s): The objective of the audit was to provide UT System with status updates on how UTMB is making progress on the action plans from the FY 2003 Inventory and Vulnerability Assessments. Audit Services will track and report status updates to the UT System Audit Office (UTSAO) on a quarterly basis or an alternative schedule as deemed by the UTSAO.

    Observations/Findings and Recommendations: Due to the nature of the information that is contained in this Information Technology Audit report, we have elected to provide the details of the report to appropriate parties when requested.

    Current Status: In Progress

    Fiscal Impact/Other Impact: Minimizes the risk of business interruptions.


    Name of Report: TAC 202 Information Security Audit

    High-Level Audit Objective(s): Since UTMB Information Services has hired a firm to perform a review to comply with Texas Administrative Code (TAC) 202, Audit Services will perform a Follow-up on the action plans that address the issue in the review. If the review does not provide coverage that would have been done in a TAC 202 audit, Audit Services will then conduct an audit to determine whether UTMB complies with TAC 202.

    Observations/Findings and Recommendations: Due to the nature of the information that is contained in this Information Technology Audit report, we have elected to provide the details of the report to appropriate parties when requested.

    Current Status: In Progress

    Fiscal Impact/Other Impact: Minimizes the risk of business interruptions.


    Appendix A

    Fiscal Year 2005 Work Plan
    The University of Texas Medical Branch at Galveston

    Office of Audit Services

    On-the-job Training 126 126

    Other Projects Subtotal 1776

    Projects Total 2676 15% 2076 14%

    Total Hours 18416 100% 14661 80%

    Notes

    4 Includes time for general audit and IT audit personnel

    Total Hours for Priority Projects

    2 Additional hours for this audit/project are included for IT audit personnel in the Information Technology (IT) segment of the work plan

    3 Additional hours for this audit/project are included for non-IT audit personnel in other segments of the work plan

    DRAFT - 10/28/2004