-
Committees of the University of Louisville Board of Trustees
and
Research Foundation Board of Directors
Schedule of Meetings
June 25, 2020
Virtual Meeting (livestream: https://www.youtube.com/channel/UCgrZKOAWEwZGvRxymq0Qvhg/live)
1:00 p.m. Audit, Compliance, Risk Committee of BOT and ULRF
    Rogers, Black, Chilton, Smith, Stewart (Advisor, non-voting)
1:20 p.m. Academic and Student Affairs Committee
    Burse, Black, Frazier, Noble, Wallace-Boaz, Wright
1:40 p.m. Finance Committee
    Medley, Brinkman, Burse, Noble, Wallace-Boaz
2:00 p.m. Executive Committee, Research Foundation
    Rogers, Frazier, Medley, Chilton
2:05 p.m. Executive Committee, Board of Trustees
    Nixon, Burse, Medley, Black, Rogers, Smith
All meetings will run consecutively.
-
MEETING OF THE AUDIT, COMPLIANCE, AND RISK COMMITTEE OF THE
UNIVERSITY OF LOUISVILLE BOARD OF TRUSTEES AND
RESEARCH FOUNDATION BOARD OF DIRECTORS
1:00 p.m., June 25, 2020
Virtual Meeting (livestream: https://www.youtube.com/channel/UCgrZKOAWEwZGvRxymq0Qvhg/live)
In Open Session
I. Call to Order (Rogers)
    • Approval of Minutes, 10-24-2019
II. Information Item: Independent External Audit Services Plan (Suda)
III. Report of the VP for Risk Management, Audit, & Compliance (Russell)
    • Status Updates
    • Work Plan
    • Audit Services Status Report
IV. Action Item: Approval of 2020-21 Audit Services Work Plan (Russell)
V. Adjournment (Rogers)
Committee Members:
    James Rogers, Chair
    Bonita Black
    John Chilton
    John D. Smith
    Gary Stewart, Advisor, Non-voting
-
MINUTES OF THE MEETING OF THE AUDIT, COMPLIANCE, AND RISK
COMMITTEE OF THE
BOARD OF TRUSTEES OF THE UNIVERSITY OF LOUISVILLE AND THE BOARD
OF DIRECTORS OF THE UofL RESEARCH FOUNDATION, INC.
October 24, 2019
In Open Session
Members of the Audit, Compliance, and Risk Committee of the
University of Louisville Board of Trustees and UofL Research
Foundation Board of Directors met at 1:23 p.m. on October 24, 2019,
in the atrium of the Arts and Sciences Rowan Building at 1606 Rowan
Street, Louisville, KY 40203, with members present and absent as
follows:
Present:
    Mr. James Rogers, Chair
    Ms. Bonita Black
    Mr. John Smith
    Mr. Gary Stewart, Advisor, non-voting
Other Trustees Present:
    Dr. Raymond Burse
    Mr. David Grissom
    Ms. Diane Medley
    Ms. Mary Nixon
    Mr. Jasper Noble
    Prof. Krista Wallace-Boaz
    Dr. Ron Wright
From the University:
    Dr. Neeli Bendapudi, President
    Dr. Beth Boehm, Executive Vice President and University Provost
    Dr. Robert Keynton, Executive Vice President for Research and Innovation
    Mr. Dan Durbin, Vice President for Finance and CFO
    Mr. Vince Tyra, Vice President for Athletics and Athletic Director
    Ms. Amy Shoemaker, Deputy General Counsel and Assoc. Athletic Director
    Mr. Thomas Hoy, General Counsel
    Ms. Shannon Rickett, Assistant Vice President for Government Relations
    Ms. Sandy Russell, Assistant Vice President for Risk and Compliance
    Mr. Mark Watkins, Sr. Assoc. Vice President for Operations
    Dr. Toni Ganzel, Executive Dean, School of Medicine
    Mr. John Drees, Sr. Associate Vice President for Communications & Marketing
    Mr. John Karman, Director of Media Relations, Communications & Marketing
    Dr. Faye Jones, Sr. Associate Vice President for Diversity and Equity
    Dr. Michael Mardis, Dean of Students & Vice Provost for Student Affairs
    Mr. Jeff Spoelker, Associate Athletic Director for Finance
    Dr. Pat Ivey, Assoc. Athletic Director for Student Athlete Health & Performance
    Mr. Walter Newell, Treasurer/Controller
    Ms. Kim Noltemeyer, Sr. Unit Business Manager, Planning, Design & Constr.
    Ms. Beverly Santamouris, Director of Accounting and Reporting
    Ms. Kimberly Adams, Chief Information Security Officer
    Ms. Jennifer Mudd, Integrity and Compliance Manager
    Ms. Cheri Jones, Director of Audit Services
    Prof. Sharon Moore, Faculty Director, ULAA
    Dr. Aesha Uqdah, Director of the Counseling Center
    Dr. Rashmi Assudani, ACE Fellow
    Mr. David Adams, Accounting Supervisor
    Ms. Tanisha Allen, Senior Accounting Specialist
    Ms. Michelle Comer, Assistant Director of Accounting and Financing Reporting
    Mr. Matt Cushing, Accountant III
    Ms. Amanda Snyder, Accountant II
    Ms. Kelly Rose, Accountant I
    Ms. Danielle Woods, Accountant I
    Mr. Michael Wade Smith, Chief of Staff to the President
    Mr. Jake Beamer, Boards Liaison and Assistant Secretary
Others:
    Mr. Chris Suda, CliftonLarsonAllen, LLC
    Mr. Ethan Lay, CliftonLarsonAllen, LLC
I. Call to Order
Having determined a quorum present, Chair Rogers called the
meeting to order at 1:23 p.m.
Approval of Minutes, 6-20-2019
Ms. Black made a motion, which Mr. Smith seconded, to approve
the minutes of the June 20, 2019 meeting.
The motion passed.
II. Action Item: Approval of ULRF Audited Financial
Statements
Messrs. Suda and Lay provided an overview of the work completed
by CliftonLarsonAllen (CLA) using the attached presentation. They
then presented the audited financial statements of the UofL Research
Foundation, Inc. and fielded questions from the committee.
Ms. Black made a motion, which Mr. Smith seconded, to approve
the President’s recommendation that the ULRF Board of Directors
approve the audited financial statements for the period ending June
30, 2019 and Independent Auditor’s Report as presented under
Governmental Accounting Standards (GASB) 34, as attached.
The motion passed.
III. UofL Audited Financial Statements
Information Item: FY 2019 Financial Results
Using the attached presentation, Mr. Durbin presented to the
committee the university financial results for fiscal year 2019.
Highlights included: the university ended the year with an
unqualified “clean” audit; total revenues increased by 5% from the
prior year to $1.099 billion; total expenses increased by 3% from
the prior year to $1.076 billion; the net position or financial
value of the institution increased by $23 million, a
significant growth over the prior year performance of $3 million;
the liquidity position is improving; and the university’s financial
position remains strong with total assets and deferred outflows of
$1.3 billion.
He then fielded questions from committee members.
No action was taken.
Action Item: Approval of Statements
Mr. Suda then presented the university’s audited financial
statements, and with Mr. Lay, fielded questions from committee
members.
Mr. Smith made a motion, which Ms. Black seconded, to approve
the President’s recommendation that the Board of Trustees approve
the audited financial statements for the period ending June 30,
2019 and Independent Auditor’s Report as presented under
Governmental Accounting Standards Board (GASB) 34, as attached.
The motion passed.
IV. Information Item: Update from University Risk and
Compliance
Ms. Russell provided an update on risk and compliance using the
attached presentation. This included statistics on the university’s
complaint hotline and the audit services report as of September 30,
2019.
The audit services report is a summary of the department’s
activities over the last fiscal year and includes risk assessment
and audit plan development information, the 2017-18 and 2018-19
audit plan results, quality assurance improvement program, issued
audit reports (compliance, operational, information technology),
projects in process, continuous monitoring activities, and
consulting activities.
Ms. Russell also provided a status report on the 2019-20 Audit
Plan. She then fielded questions from committee members.
No action was taken.
V. Adjournment
Having no other business to come before the committee, Ms. Black
made a motion, which Mr. Smith seconded, to adjourn.
The motion passed and the meeting adjourned at 1:41 p.m.
Approved by:
________________________ Assistant Secretary
-
WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING
Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC‐registered investment advisor
©2020 CliftonLarsonAllen LLP
University of Louisville
Fiscal Year Ended June 30, 2020
Independent External Audit Services Plan
Presentation to the Audit Committee
June 25, 2020
-
Create Opportunities
Agenda
• Engagement scope and deliverables
• Engagement team
• CLA’s responsibilities
• University’s responsibilities
• Financial audit
• Audit methodology
• Preliminary risk assessments
• Single audit
• Engagement timeline
• Accounting and auditing standards
-
Engagement Scope and Deliverables
For the Year Ended June 30, 2020
• Independent auditors’ reports on the financial statements of:
    – University of Louisville
    – University of Louisville Athletic Association, Inc.
    – University of Louisville Research Foundation, Inc.
• Independent Auditors’ Reports on Internal Control over Financial Reporting and on Compliance and Other Matters Based on an Audit of Financial Statements Performed in Accordance With Government Auditing Standards (Yellow Book Report)
• Uniform Guidance Single Audit reports on expenditures of federal awards, internal controls and compliance for the University.
• University of Louisville Athletic Association, Inc. NCAA agreed‐upon procedures report on compliance with requirements relating to activities of revenues and expenses as updated by NCAA amendments
• Report on compliance with provisions of House Bill 622.
• Report on Lease Law Compliance.
• Reports to the Audit Committee on required auditor communications.
-
Engagement Leadership Team
    Amanda Kemp, Director
    Chris Suda, Principal
    Don Loberg, Principal
    Josh Wilks, Principal
    Tim Richter, Director
    Kyla Greenhoe, Director
-
Engagement Team (Continued)
Chris Suda
    Role: CLA engagement principal with responsibility for the overall audit.
    Phone: 314‐925‐4395 ‐ Direct
    Email: [email protected]
Don Loberg
    Role: CLA engagement principal with responsibility for consulting projects (as requested).
    Phone: 612‐397‐3064 ‐ Direct
    Email: [email protected]
Josh Wilks
    Role: CLA engagement principal with responsibility for audit work related to the Hospital.
    Phone: 314‐925‐4309 ‐ Direct
    Email: [email protected]
Tim Richter
    Role: CLA engagement director with responsibility for financial statement audits.
    Phone: 314‐925‐4304 ‐ Direct
    Email: [email protected]
Brenda Scherer
    Role: CLA engagement director with responsibility for the student financial aid advisory role.
    Phone: 612‐376‐4626 ‐ Direct
    Email: [email protected]
Kyla Greenhoe
    Role: CLA engagement manager with responsibility for the single audit under Uniform Guidance.
    Phone: 317‐569‐6137 ‐ Direct
    Email: [email protected]
Amanda Kemp
    Role: CLA engagement director with responsibility for the information systems review.
    Phone: 267‐419‐1624 ‐ Direct
    Email: [email protected]
Andrew Zebell
    Role: CLA engagement manager with responsibility for the financial audit.
    Phone: 314‐925‐4357 ‐ Direct
    Email: [email protected]
Ethan Lay
    Role: CLA engagement senior with responsibility for the financial audit and single audit.
    Phone: 314‐925‐4416 ‐ Direct
    Email: [email protected]
-
CLA’s Responsibilities
• Forming and expressing opinions about whether the financial statements that have been prepared by management with the oversight of those charged with governance are presented fairly, in all material respects, in conformity with generally accepted accounting principles (GAAP).
• Planning and performing the audit to obtain reasonable—not absolute—assurance about whether the financial statements are free of material misstatement, whether caused by fraud or error. Because of the nature of audit evidence and the characteristics of fraud, we are able to obtain reasonable, but not absolute, assurance that material misstatements will be detected. Our audit is not designed to detect error or fraud that is immaterial to the financial statements.
• Evaluating whether the University’s controls sufficiently address:
    – Identified risks or material misstatement due to fraud.
    – The risk of management override of other controls.
• Communicating to the Audit Committee, in writing, all significant deficiencies and material weaknesses in internal control identified in the audit and reporting to management deficiencies that, in our professional judgment, are of sufficient importance to merit management’s attention.
• Conducting an audit in accordance with professional standards, including
    – Government Auditing Standards.
• Complying with the rules and regulations of the Code of Professional Conduct adopted by the American Institute of Certified Public Accountants and the ethical standards of state CPA societies and state boards of accountancy.
• Planning and performing an audit with an attitude of professional skepticism.
• Communicating all required information to the University management and to the Audit Committee of the Board of Trustees.
-
University Responsibilities
• Management’s Responsibilities
    – Adopting sound accounting policies.
    – Establishing and maintaining effective internal controls.
    – Fairly presenting the financial statements in conformity with GAAP.
    – Compliance with provisions of laws, regulations, contracts, and grant agreements.
    – Making all financial records and related information available to the auditor.
    – Providing the auditor with a letter confirming certain representations made during the audit that include, but are not limited to, management’s:
        ◊ Disclosure of all significant deficiencies, including material weaknesses, in the design or operation of internal control that could adversely affect the University’s ability to initiate, authorize, record, process, or report financial data.
        ◊ Acknowledgement of their responsibility for the design and implementation of programs and controls to prevent, deter, and detect fraud.
-
University’s Responsibilities (Continued)
• Audit Committee’s Responsibilities
    – Oversight of the financial reporting process and oversight of internal controls.
    – Ultimately responsible for the establishment and maintenance of internal controls to prevent, deter, and detect fraud.
    – Ultimately responsible for setting the proper tone and creating and maintaining a culture of honesty and high ethical standards.
• Management and the Audit Committee’s Responsibilities
    – Establishing and maintaining internal controls to prevent, deter, and detect fraud.
    – Setting the proper tone and creating and maintaining a culture of honesty and high ethical standards.
    – The audit of the financial statements does not relieve management or the Audit Committee of their responsibilities.
-
Financial Audit
• Objective:
    – To express opinions on the financial statements of:
        ◊ University of Louisville
        ◊ University of Louisville Athletic Association, Inc.
        ◊ University of Louisville Research Foundation, Inc.
    – Independent Auditors’ Reports on Internal Control over Financial Reporting and on Compliance and Other Matters Based on an Audit of Financial Statements Performed in Accordance With Government Auditing Standards (Yellow Book Report)
    – NCAA Agreed‐upon procedures report on compliance
    – Report on compliance with provisions of House Bill 622.
    – Report on Lease Law Compliance.
• Areas of audit emphasis:
    – Fair presentation of financial statements
    – Internal controls over financial reporting
-
Audit Methodology
Phase 1: Planning & Strategy
Phase 2: Systems Evaluation
Phase 3: Testing & Analysis
Phase 4: Reporting & Follow‐Up
Continuous Communication
-
Audit Methodology (Continued)
Phase 1: Planning & Strategy
• Perform risk assessment procedures and identify risks
• Determine audit strategy
• Determine planned audit approach
• Evaluate the design and implementation of entity level controls
Phase 2: Systems Evaluation
• Understand accounting and reporting activities
• Evaluate design and implementation of selected controls
• Test operating effectiveness of selected controls
• Perform walk‐thru’s of key controls
• Assess control risk and risk of significant misstatement
Phase 3: Testing & Analysis
• Plan substantive procedures
• Perform substantive procedures
• Consider if audit evidence is sufficient and appropriate
• Conclude on audit objectives
Phase 4: Reporting & Follow‐Up
• Perform completion procedures
• Perform overall evaluation
• Form an audit opinion
-
Preliminary Risk Assessment

Financial Statement Level Risk: Overall economic conditions/ COVID 19 Pandemic
Description of Financial Statement Level Risk: Economic conditions and the COVID 19 pandemic continue to have an impact on the higher education industry, including declines in revenues and earnings. Environment creates a decreased market for tax‐exempt bonds and results in continued cost saving measures.
Planned Audit Approach: CLA will be mindful of the impact of the overall economy and the COVID 19 pandemic on the University. In particular, CLA will evaluate whether such conditions have resulted in any changes to the overall control environment of the University.

Financial Statement Level Risk: General Information Technology Controls
Description of Financial Statement Level Risk: General information technology controls have a pervasive impact on controls throughout the University.
Planned Audit Approach: The engagement team includes a member from CLA’s information systems securities group, who will perform walkthroughs and tests of design and operating effectiveness related to information technology general controls related to the general ledger, purchasing, payroll systems, and student billing system. Specific procedures will be performed related to access to programs and data, program changes, program development, computer operations, and end user computing.

Financial Statement Level Risk: Management Override of Controls
Description of Financial Statement Level Risk: As is the case for all entities, management is in a unique position to perpetrate fraud because of its ability to manipulate accounting records and prepare fraudulent financial statements by overriding controls that otherwise appear to be operating effectively. Although the level of risk of management override of controls will vary from entity to entity, the risk is, nevertheless, present in all entities. Due to the unpredictable way in which such override could occur, it is a risk of material misstatement due to fraud and, thus, a significant risk.
Planned Audit Approach: CLA will test the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of the financial statements. In designing and performing audit procedures for such tests, the auditor should: (1) obtain an understanding of the entity's financial reporting process and controls over journal entries and other adjustments, and the suitability of design and implementation of such controls; (2) make inquiries of individuals involved in the financial reporting process about inappropriate or unusual activity relating to the processing of journal entries and other adjustments; (3) consider fraud risk indicators, the nature and complexity of accounts, and entries processed outside the normal course of business; (4) select journal entries and other adjustments made at the end of a reporting period.
-
COVID‐19 Impact
Operations
• Auxiliaries and fees
• Cash flow
• CARES Act Higher Education Emergency Relief Fund (HEERF)
• Enrollment retention
• COVID related expenses
Audit and Accounting
• Risk assessment
• Accounting for relief funds
• Accounting for expenses and refunds
• Going concern considerations
• Additional disclosures
• Potential implementation delays
-
COVID‐19 Impact
Compliance
• Student Financial Aid
    – No match required for certain programs (FSEOG, FWS)
    – FWS students are eligible to be paid unearned funds
    – Loans/grants not counted towards lifetime limits
    – Withdrawals: No Pell required to be returned
    – SAP allowances
• Other Federal Programs
    – CARES Act funding
    – Extension of spending and filing deadlines
    – Other compliance waivers
-
Single Audit
• Objective:
    – To determine that the University has established effective internal control over compliance with the requirements of federal awards, and has complied with laws and regulations that may have a material effect on the financial statements and major federal programs.
    – Forming and expressing an opinion about whether the University complied with the types of compliance requirements described in the US Office of Management and Budget (OMB) Compliance Supplement that could have a direct and material effect on each of its major federal programs.
• Federal program to be preliminarily considered major programs is the Student Financial Aid Cluster
• Areas of audit emphasis:
    – Internal controls over compliance for major programs
    – Compliance requirements for major programs
-
Single Audit Methodology
Phase 1: Risk Assessment and Planning
Phase 2: Systems Evaluation
Phase 3: Final Assessment and Reporting
Continuous Communication
-
Engagement Timeline
Significant Milestones                          Target Date
Entrance conference                             April 16, 2020
Preliminary fieldwork started                   May 18, 2020
Final fieldwork starts                          August 17, 2020
Audit Committee update meeting                  To Be Determined
Exit conference – financial statements          September 25, 2020
Final financial and compliance report issued    October 2, 2020
Audit Committee closing meeting                 To Be Determined
-
Accounting and Auditing Standards Changes
GASB statements (Implementation Postponed One Year):
• Effective for fiscal year ending June 30, 2020
    – GASB No. 84, Fiduciary Activities: Establishes criteria for identifying fiduciary activities for state and local governments, focusing on (1) whether the government is controlling the assets of the fiduciary activity, and (2) the beneficiaries with whom a fiduciary relationship exists. Different criteria are included for fiduciary component units and postemployment benefit arrangements.
    – GASB Statement No. 90, Majority Equity Interests—an amendment of GASB Statements No. 14 and No. 61: defines a majority equity interest and specifies that a majority equity interest in a legally separate organization should be reported as an investment if a government’s holding of the equity interest meets the definition of investment.
-
Accounting and Auditing Standards Changes (Continued)
GASB Statements Postponed (Continued)
• Effective for fiscal year ending June 30, 2021
    – GASBS No. 87, Leases: Requires recognition of certain lease assets and liabilities for leases that were previously classified as operating leases, and establishes a single model for lease accounting based on the foundational principle that leases are financings of the right to use an underlying asset.
    – GASB Statement No. 89, Accounting for Interest Cost Incurred Before the End of a Construction Period: requires interest cost incurred before the end of a construction period to be included in the historical cost of a capital asset reported in a business‐type activity or enterprise fund.
• Effective for fiscal year ending June 30, 2022
    – GASBS No. 91, Conduit Debt Obligations: The preliminary objectives of this statement are to provide a single method of reporting conduit debt obligations by issuers and eliminate diversity in practice associated with (1) commitments extended by issuers, (2) arrangements associated with conduit debt obligations, and (3) related note disclosures.
-
CLAconnect.com
Thank you
Any Questions?
-
Audit, Compliance, and Risk Update
June 25, 2020
-
L O U I S V I L L E . E D U
Status of Compliance Reports 7/1/19 through 6/31/20
Period Ended May 31, 2020
Reports by Source:
    Hotline Initiated 52
    Other Avenues (letter, email) 30
    Total 82
Reports by Status:
    Open 12
    Closed 70
    Total 82
Reports by Validity (Closed Reports):
    Unsubstantiated 31
    Partially Substantiated 6
    Substantiated 16
    Insufficient Information/Other 17
    Total 70
-
Integrity and Compliance Activity Update
• New or Significantly Revised Policies
    • Student Pregnancy Accommodations
    • Moped, Scooter, and Motorcycle Use
    • Subrecipient Monitoring and Management
• Special Projects
    • New website for the online policy and procedure library
-
Status of University Information Security Report
Incidents July 1, 2019 – May 31, 2019
Non-Reportable 10
Reportable FERPA, KYPI and Dept. of Ed 2
HIPAA and KYPI 4
KYPI and FERPA 0
FERPA only 1
KYPI only 0
Compliance Investigation 1
Total number of Events 18
-
University Information Security Office Activity Update
Promote security awareness training and education via in-person
and special events.
• For the fiscal year 2019, the ISO has provided security
training to over 600 faculty, staff and students. Training included
access to five new areas and one external entity.
Risk Management and Assessment
• To date for the fiscal year 2019-2020, the ISO has performed
in excess of 150 vendor review requests. More than 100 reviews have
occurred during Q1/Q2 2020, including an e-signature product,
conferencing platforms and other solutions related to work from
home or online teaching due to the recent pandemic.
-
Risk Management Activity Update
Commercial Insurance Program
• Completed 14 Insurance Policy renewals with 7/1/20 renewal
dates.
• Create Virtual Program guidelines, participation release, and
code of conduct for on-line programs.
• Updating Youth Protection Policy and Procedures.
-
The Department of Audit Services
Annual Work Plan 2020-2021
The Department of Audit Services’ mission is to provide
independent and objective assurance and consulting services
designed to add value and improve the organization’s operations, and
to help the organization accomplish its objectives by bringing a
systematic, disciplined approach for evaluating and improving the
effectiveness of risk management, control, and governance
processes. In doing so, Audit Services will be considered among the
leaders in our profession by providing an environment rewarding
diversity, empowerment, innovation, teamwork, and open
communication.
1. Provide Independent and Objective Assurance and Consulting
Services
Perform internal assurance and consulting projects based on an
objective risk evaluation.
Perform high level risk evaluation and develop an audit plan
based on the evaluation.
Continuously evaluate the relevance of the approved audit plan
with consultation with university administration.
Execute the audit plan focusing on identified key risks and
controls.
2. Develop Effective Lines of Communication
Communicate significant risks and controls, emerging risks, and
render opinions on new and changing processes, opinions,
significant procedures, regulations, and policies.
Conduct or attend periodic meetings with administration to
discuss emerging risks and new initiatives.
Issue detailed, concise, and timely project reports that
communicate control weaknesses, recommendations related to best
practices, process improvements, expense reductions, and revenue
enhancements.
Participate in task groups and evaluate new processes, policies,
and procedures.
Prepare and distribute quarterly status reports on open audit
issues. Prepare annual Board report on the status of the prior year
audit plan.
3. Conduct Effective Training and Education
Increase community awareness of the red flags of fraud and an
effective internal control environment.
Develop and implement an effective website with tools that the
university community can use. Promote the website through official
university communication.
Develop and implement training that can be conducted during
department staff meetings, in-person training meetings, or with
on-line training tools (consult with Delphi after the emergency
status has ended).
4. Measure Program Effectiveness
Evaluate the Audit Services effectiveness in conducting projects
and communicating results.
Conduct an annual survey with the assistance of the department
of institutional effectiveness (after the emergency status has
ended).
Perform internal quality assurance reviews on all assurance and
consulting projects.
Monitor the existence of recurring issues or issues that are
identified across many different projects.
5. Perform Independent Investigations of Fiscal Misconduct
Perform the initial assessment and applicable investigations of
whether fiscal misconduct is likely to have occurred based on
reports received through the university ethics hotline, directly
from university officials, directly from concerned staff, vendors,
outside parties, or through routine assurance and consulting
projects.
Evaluate evidence for signs of fiscal misconduct for reports
received from external sources. Conduct investigations, and report
on the investigations to applicable departments (e.g., Counsel’s
Office, University Police, President’s Office)
Develop and implement continuous monitoring reports in areas
such as Accounts Payable and Payroll with a focus on the red flags
(indicators) of fraudulent activity.
6. Improve Audit Coverage and Effectiveness
Improve the effectiveness of internal audit by utilizing
technology and promoting staff education.
Develop and implement continuous monitoring reports in areas
such as Accounts Payable and Payroll. Evaluate the reports for
evidence of increased risk, new activity, and possible fraud.
Attend annual training events that promote knowledge of new
techniques, technology, and improve the skills of staff.
Fully staff the department, hiring auditors with skills and
knowledge necessary to fill knowledge gaps (e.g., IT Auditor)
-
The University Integrity and Compliance Office
Annual Work Plan 2020-2021
The University Integrity and
Compliance Office (UICO) mission is to support and foster a culture
of integrity, compliance, and accountability. The UICO provides
centralized and independent oversight of the University of
Louisville’s compliance and ethics programs and activities and risk
mitigation efforts. The UICO provides ongoing development of
effective policies and procedures, education and training,
monitoring, communication, risk assessment, and response to
reported issues as required by Chapter 8 of the Federal Sentencing
Guidelines. These guidelines set forth the requirements of an
effective compliance and ethics program for organizations and
require not only promoting compliance with laws, but also promoting
a culture of ethical conduct. The UICO will conduct the following
activities as part of its Annual Work Plan for July 1, 2020 to June
30, 2021.
1. Provide Oversight of Compliance and Ethics and Related
Activities
Promote accountability among UofL employees for compliance with
applicable federal, state and local laws and regulations, and
appoint knowledgeable individuals responsible for developing and
implementing a comprehensive compliance and ethics program.
Finalize the draft Accountability Matrix that identifies
compliance partners and their areas of responsibility.
Establish and lead the University Integrity and Compliance
Advisory Committee consisting of compliance partners and
appropriate university representation.
Develop a university-wide compliance and ethics charter.
2. Develop Effective Lines of Communication
Create communication pathways that allow the dissemination of
education and regulatory information and provide a mechanism for
reporting compliance activities or concerns.
Administer and promote the UofL Compliance and Ethics
Hotline.
Maintain and promote the University Integrity and Compliance
Office website.
3. Conduct Effective Training and Education
Educate the UofL community on its compliance responsibilities
and regulatory obligations, and on the university integrity and
compliance program.
Update online general compliance and ethics training for new
employees.
Promote the employee code of conduct to all employees.
Issue announcements regarding employees’ duty to report and
avenues for reporting concerns, including the compliance and ethics
hotline.
4. Revise and/or Develop Policies and Procedures
Revise or develop university policies and procedures that
reflect UofL’s commitment to ethical conduct and compliance with
applicable laws and regulations.
Oversee and maintain the university’s online policy and
procedure library.
Review and revise the university’s policy on Developing
University Administrative Policies.
Review and update the policy creation and approval process to
align with best practices. Communicate changes and provide
education on the policy life-cycle.
Review and revise the university’s employee Code of Conduct.
5. Conduct Internal Monitoring and Compliance Reviews
Identify and remediate noncompliance through proactive review
and monitoring of risk areas.
Review compliance and ethical reports for trends and risk areas,
and address appropriately.
Follow up with compliance partners regarding risk mitigation
plans to address high-risk areas identified through the compliance
risk assessment process.
Oversee and monitor employees, vendors, and affiliates against
governmental agency exclusion and/or debarment lists.
6. Respond Promptly to Detected Problems and Undertake
Corrective Actions
Conduct timely investigations of allegations of noncompliance
and provide guidance on corrective actions
Receive and evaluate reports and allegations of misconduct and
conduct investigations.
Provide recommendations for corrective actions and improvement
to prevent further occurrences of noncompliance and/or unethical
conduct.
7. Enforce/Promote Standards Through Appropriate Incentives and
Disciplinary Guidelines
Promote the compliance and ethics program and university
regulations, policies and procedures, and consequences of
noncompliance.
Promote awareness of new or revised regulations, university
policies and procedures, or other requirements applicable to the
university.
Promote accountability and consistent discipline for identified
occurrences of noncompliance and/or unethical conduct.
8. Measure Program Effectiveness
Evaluate the overall compliance and ethics culture of UofL and
the performance of the University Integrity and Compliance
Office.
Develop a Compliance and Ethics Culture Survey.
9. New Regulations and Special Projects
Partner with Human Resources and Payroll to educate university
employees about Fair
Labor Laws and ensure compliance with federal and state wage and
hour laws.
Develop and launch a new university site to promote and store
university policies and procedures.
Coordinate and conduct meetings of the IT Website Accessibility
Work Group to ensure compliance with the Americans with
Disabilities Act.
The Office of Athletic Compliance
Annual Work Plan 2020-2021
The mission of the Office of Athletics Compliance at the
University of Louisville is to advance the NCAA Principle of
Institutional Control and to provide our student-athletes, coaches,
staff and outside constituents exemplary customer service, sound
guidance, visibility and effective communication.
The Louisville Office of Athletics Compliance will provide
thorough rules education of NCAA, ACC and University regulations,
develop effective monitoring systems, and will promote a culture of
compliance within both the Athletic Department and the University.
Through ethical decision-making and conduct, integrity, monitoring
and enforcement, this mission will provide a strong foundation for
compliance and institutional control for the university and all of
its stakeholders.
The Office of Athletic Compliance will conduct the following
activities as part of its work plan from July 1, 2020 to June 30,
2021.
1. Continue Providing Enhanced Rules Education to all
Constituent Groups
Deliver Comprehensive Rules Education across the Athletic
Department, Campus Community, and Local Community, with an emphasis
on key stakeholders.
Provide rules education to student-athletes, coaches, staff
members, and boosters, with an emphasis on name, image and
likeness, gambling and extra benefits.
Provide rules education to priority campus units (e.g.,
Admissions; Financial Aid; Bursar; Registrar; General Counsel;
Alumni Affairs; etc.) at least once per calendar year; 2x if
possible.
Enhance rules education outreach to boosters, local media,
promotional partners and local businesses frequented by
student-athletes, prioritizing bars/clubs, restaurants,
barbershops, and automobile dealerships.
2. Continue Effective Outreach
Implement Innovative Educational Initiatives and Outreach
Methods for our Coaches/Staff/Student-Athletes
Build in opportunities for regular visits to practice/sport
facilities with coaches and staff (e.g., campus rounds)
Increase use of video conferencing software, Blackboard, social
media, and other technologies in delivering rules education in a
more efficient and comprehensive manner sensitive to social
distancing best practices.
3. Increase Monitoring Efficiency
Enhance monitoring processes related to recruiting activities
and time management plans through increased use of compliance
software options.
Continue effective usage of TeamWorks software department wide
for improved real time communication.
Deliver monthly monitoring reports to each sport with cc to
compliance leads and sport administrators.
Effectively transition from JumpForward to ARMS compliance
software to provide coaches/staff a more user-friendly recruiting
and complimentary admission solution.
4. Develop Policies and Procedures for Student-Athlete Name,
Image and Likeness Legislation
Develop university policies and procedures that create a system
of vetting, approval and monitoring to coincide with anticipated
upcoming legislation that will allow student-athlete compensation
for the use of their name, image, and/or likeness (NIL) in
commercial activities.
Create internal NIL committee representative of specific areas
related to this legislation (Compliance, Legal, Marketing,
Corporate Sponsorships).
Create an effective process for student-athletes to vet
potential opportunities to be pre-approved to avoid potential
eligibility risks.
Create system to vet and educate potential third-party
partners/influences in this process.
Provide regular comprehensive rules education to
student-athletes who seek out these opportunities and other
involved third parties.
5. Internal Monitoring, Investigation and Violation
Reporting
Continue to strengthen internal monitoring systems to detect and
promptly report NCAA Level III violations, including continuing to
set expectations for coaches, staff and student-athletes to
self-report potential violations as required by NCAA rules.
Ensure timely submission and review of on and off-campus
recruiting activities.
Provide and emphasize with coaches, staff and student-athletes
options and outlets for reporting violations or questionable
activity they are aware of that could potentially lead to a
violation.
Review and emphasize areas of focus related to the current NCAA
probation, including housing and campus recruiting activities.
6. Prioritize Quality Control of Student-Athlete Academic
Integrity Reviews.
Create campus protocols to review academic misconduct
allegations involving students, to meet recent changes in NCAA
rules related to reasonable standards in this area.
Involve the new Faculty Athletics Representative (FAR) and
Committee on Academic Performance to review daily grade-change
reports for possible inconsistency, review academic unit misconduct
policies and enhance quality of unit degree audits.
Continue comprehensive academic misconduct rules education,
defining roles and responsibilities of the FAR, CAP, and Academic
Services and other stakeholders in the academic misconduct review
process.
7. Review Head Coach Responsibility Audit Process
Review current Head Coach Responsibility protocols and audit
process to enhance Head Coach compliance communication with their
staff and method for documenting these activities.
Provide compliance education topics and methods to Head Coaches
to increase their efficiency in communicating compliance topics and
review of areas such as visits, 3rd parties, etc.
Create more efficiency in documenting the compliance
communication process as it occurs, to protect the HC and program.
Expand role and involvement of sport administrators in the HCR
process.
8. Enhance Elite Student-Athlete Program Education
Continue to identify and create new educational initiatives for
our elite student-athletes.
Develop updated programming to educate in areas such as NIL,
extra benefits, prize money, and financial literacy for
student-athletes focused on professional sport or Olympic
participation.
Continue review of amateurism profiles of incoming high profile
student-athletes.
9. Promote Staff Professional Development
Prioritize the need to provide and encourage professional
development opportunities for staff in multiple areas of
athletics.
Provide funding and opportunity for staff to enhance their
professional profile through professional development both in and
out of compliance.
Promote work/life balance by reviewing workloads and setting
expectations with coaches and staff.
Encourage opportunities to increase staff exposure to all areas
of athletic department operations to expand network and future
professional advancement.
10. New Faculty Athletics Representative Orientation
Provide comprehensive orientation for the new FAR relative to
her role and responsibilities.
Provide comprehensive education into the policies and procedures of
the NCAA/ACC and other job responsibilities related to the role of
Faculty Athletics Representative including academic certification,
missed class time policies, academic misconduct, coaches recruiting
exam, NCAA waiver sign-off, and NCAA/ACC legislative review.
Information Security Office
Annual Work Plan 2020-2021
The Information Security Office (ISO)
serves as the university's resource for guidance on information
security compliance and administers the university's Information
Security Program. The ISO oversees information security policies
and standards; provides compliance oversight and risk assessments;
and coordinates information security efforts, incident response and
user awareness. The ISO works in conjunction with ITS Enterprise
Security, Audit Services, University Integrity and Compliance,
Privacy, Research and other compliance officials to maintain
regulatory compliance and to protect the confidentiality, integrity
and availability of university information assets. Following are
activities of the Information Security Office Annual Work Plan for
July 1, 2020 to June 30, 2021.
1. Provide Oversight of Information Security and Related
Activities
Promote accountability, risk management, security responsibility
and compliance with applicable federal, state and local laws and
regulations.
Partner with university compliance areas to promote and provide
guidance on information security controls and regulations.
Partner with Information Technology Services to develop and
implement technologies and processes to support and maintain the
security of university data and assets.
Lead and/or participate in committees, work groups and RFPs to
provide information security input and guidance.
2. Develop Effective Lines of Communication
Create communication pathways that allow the dissemination of
education, compliance and regulatory information which allows for
reporting security incidents or concerns.
Promote the Information Security Office and incident reporting
procedures via electronic and in-person communications and
activities.
Maintain and promote the Information Security Office website as
a communication and educational tool.
3. Conduct Effective Training and Education
Make available information security awareness training which
informs faculty, staff and students of their responsibilities for
protecting the university’s information data and assets in their
care. Utilize various platforms and avenues in order to reach the
university community.
Promote security awareness training and education via in-person
and special events.
Issue periodic announcements regarding information security
responsibilities and topics.
Participate in university and industry awareness
opportunities.
4. Oversee the Information Security Policy and Procedure
Lifecycle
Revise or develop university policies and procedures that
establish the university’s Information Security program; reflect
UofL’s commitment to protecting the confidentiality, integrity and
availability of university assets and compliance with applicable
laws and regulations; and that promote consequences for
noncompliance.
Review, revise and publish information security policies and
procedures in accordance with the ISO policy management lifecycle
process.
Develop new policies in accordance with regulatory and
university environment and strategic direction.
5. Manage the Information Security Risk and Assessment
Program
Identify and remediate noncompliance through proactive review
and monitoring of risk areas. Provide recommendations and avenues
for risk identification and mitigation.
Develop and oversee risk management procedures that enable the
university to identify and protect information assets.
Conduct or assist areas in conducting information security risk
assessments, identifying and reporting information security risk and
remediation recommendations.
Assist areas in the review and vetting of security requirements
and controls of third-party vendors, providing support and guidance
as needed.
Lead the GLBA Security Program committee in identifying risks
and mitigation recommendations related to student financial
information.
6. Provide Incident Response and Breach Notification
Conduct timely investigations of actual or potential information
security incidents and report internally and to external
agencies as required.
Lead the university’s Information Security Incident Response
Team (ISIRT) in investigating, coordinating and reporting of
information security events and incidents.
Monitor the information security office mailbox and respond
timely to incident reports.
Provide recommendations for corrective actions and improvement
to prevent further occurrences.
Investigate potential/actual incidents assisting in remediation
and reporting to individuals and regulatory and government agencies
as required.
7. Provide Program Reporting and Enforcement and Standard
Promotion
Promote the Information Security program, policies, and
procedures and potential consequences for non-compliance providing
review and reporting on activities and compliance.
Update and issue the Information Security Office quarterly
report provided to the University of Louisville’s Board of
Trustees’ Risk, Audit, and Compliance Committee.
Provide enforcement and consequence awareness.
8. Facility Security Officer
Serve as the Facility Security Officer, managing the university’s
Facility Security Clearance Program. NOTE: the university is
currently in inactive status.
Maintain the clearance status of the University in compliance
with NISPOM regulations/standards. Provide training, conduct
assessments and participate in DSS audits.
9. New Regulations and Special Projects
Provide information security direction and guidance related to
new regulations and university projects.
Work with the university counsel and other compliance officials
as needed to develop and implement awareness and standards to
comply with new or changing regulations.
Privacy Office
Annual Work Plan 2020-2021
The University of Louisville (UofL)
Privacy Office provides guidance and assistance to the UofL
community regarding regulations which may impact the privacy of our
students, our employees, our patients, and our campus visitors. The
UofL Privacy Office assists with privacy concerns and questions,
has oversight responsibility for HIPAA compliance within the health
care component of the UofL covered entity, ensures that HIPAA
training is provided to the UofL community, reviews contracts for
privacy issues, works with faculty and staff to respond to privacy
incidents, and provides assistance to individuals working on UofL
research projects which involve sensitive or health information. In
the event of a suspected breach of protected health information
(PHI), the UofL Privacy Office investigates the incident and, if
required, provides notification to the affected patient(s) and to
the Department of Health and Human Services (DHHS). The UofL
Privacy Office also assists health clinics and care areas that are
outside of the health care component with privacy concerns and
issues, has oversight for UofL’s compliance with Section 1557 of
the Affordable Care Act, and oversight for UofL’s compliance with
the Children’s Online Privacy Protection Act.
In addition to the daily operations and oversight of the UofL
Privacy Office, the following projects are planned for the July 1,
2020 to June 30, 2021 fiscal year.
1. Review/Update the Health Care Component of the UofL Hybrid
Covered Entity
Ensure that designation of the schools, colleges, departments,
and administrative units included in the health care component of
the UofL hybrid covered entity is accurate. Identification of these
areas allows for appropriate oversight to ensure that UofL is in
compliance with regulatory requirements.
Review and update, as applicable, the current designation of the
health care component of the hybrid covered entity to ensure that
the designation of the health care component is correct.
Review of UofL schools, colleges, departments, and
administrative units to identify areas which are not currently in
the health care component, but which should be moved into the
health care component.
2. Policies and Procedures
Ensure that current policies and procedures are compliant with
privacy regulations.
Introduce the new Privacy Office HIPAA Policy Manual to the
health care component via review/training sessions. [Note: The
Privacy Office HIPAA Policy Manual will be finalized in June
2020].
Ensure that workforce members of the health care component have
been trained regarding the Privacy Office HIPAA Policy Manual.
3. HIPAA & HITECH Training for Workforce Members of the UofL
Health Care Component
Ensure that members of the UofL health care component of the
hybrid entity are trained pursuant to HIPAA and HITECH
regulations.
Update the HIPAA training program to: 1) replace current
training materials with new video-based format for basic HIPAA
training; and 2) update the HIPAA training program requirements,
deadlines, and sanctions to ensure that workforce members are
appropriately trained regarding HIPAA and HITECH regulations.
Conduct reviews of training records to ensure that workforce
members of the health care component have received required HIPAA
training.
4. HIPAA Privacy Risk Assessment
Utilize a HIPAA privacy risk assessment to identify vulnerable
areas within the UofL health care component where PHI may be at
risk of inappropriate use, disclosure, or access.
Identify organizational workflows and safeguards within the
health care component covered entities to determine the flow of PHI
internally and externally to detect areas where inappropriate use,
disclosure, or access to PHI is a risk.
Review current practices and procedures for access to PHI,
disclosure of PHI, and storage of PHI by faculty, staff, and
students within the health care component to ensure that PHI is
properly used, disclosed, and stored.
Implement a schedule to monitor and audit covered entities
within the health care component to ensure compliance with UofL
policies and procedures and with HIPAA requirements for safeguards
of PHI.
5. Business Associate Agreement Review
Ensure that Business Associate Agreement (BAA) database is
updated and accurate.
Review the BAA database and consult with members of the health
care component to determine active vs. inactive BAAs.
6. Resource for the UofL Community
Serve as a resource for administrators, faculty, staff,
students, patients, and the community regarding privacy protection
and safeguards.
Design awareness campaigns and participate in campus awareness
programs to ensure that the UofL community is aware of the services
offered by the Privacy Office.
Assist departments, divisions, and schools within the UofL
community with classroom and community presentations and trainings
to broaden awareness of the services provided by the Privacy
Office.
Assist departments, divisions, and schools within the UofL
community as requested to respond to privacy questions and
concerns.
7. Affordable Care Act Section 1557 Regulation
Ensure that UofL’s schools, colleges, departments, and
administrative units which are regulated by the Affordable Care Act
Section 1557 are in compliance with regulatory requirements.
Review and update, as applicable, the current designation of all
UofL schools, colleges, departments, and administrative units to
identify areas that are required to follow the Section 1557
regulations.
Conduct a risk assessment of all areas which are required to
follow Section 1557 regulations to ensure that appropriate
resources and training are in place to allow the areas to comply
with the regulations.
8. Children’s Online Privacy Protection Act (COPPA)
Ensure that UofL’s schools, colleges, departments, and
administrative units are in compliance with the Children’s Online
Privacy Protection Act.
Begin review of COPPA regulations and requirements. Once review
of regulations and requirements is complete, begin identification
of the areas within UofL which may be impacted by COPPA
regulations.
Conflict of Interest and Commitment Office
Annual Work Plan 2020-2021
The University of Louisville and its
Affiliates expect Covered Persons to conduct University affairs
with high ethical and legal standards and in a manner that supports
the University mission. As part of this duty, Covered Persons must
apply their University time and effort correctly and use University
assets properly. Use of University assets or University time
damaging to the University mission or for personal advantage
represents a conflict of interest. The Conflict of Interest and
Commitment Office (COIC Office) mission is to support and monitor
standards to reduce or eliminate such conflicts and protect the
financial well-being, reputation, and legal duties of the
University. The COIC Office reviews any disclosed external interest
to identify conflicts of interest and determines if the conflict of
interest can be managed or reduced, or if the interest would need
to be eliminated. The COIC Office provides ongoing development of
COIC policies and procedures, education and training, monitoring,
communication, and response to reported issues as required by
University policy and federal regulations. The COIC Office will
conduct the following activities as part of its Annual Work Plan
for July 1, 2020 to June 30, 2021.
1. Provide Oversight of Conflict of Interest and Commitment
Related Activities
Promote compliance among UofL covered persons with applicable
university COIC policy, federal, state and local laws and
regulations.
Develop monitoring tool for individuals overseeing approved
management plans.
Develop/present COIC educational sessions for covered person
population.
Revise COIC Office standard operating procedures.
2. Develop Effective Lines of Communication
Strengthen communication pathways that allow the dissemination
of education and regulatory information and provide a mechanism for
reporting COIC issues.
Coordinate COIC consultations, as requested.
Maintain and promote the Conflict of Interest and Commitment
Office website.
Develop start-up guidance (in conjunction with EPI-Center).
3. Conduct Effective Training and Education
Educate the UofL community on its compliance responsibilities
and regulatory obligations related to conflicts of interest and
commitment.
Update COIC training included in disclosure form.
Update/develop infographics related to COIC topics.
Issue announcements regarding covered persons’ responsibilities
related to conflicts of interest and commitment.
4. Implement Revised Policies and Procedures
Implement revised university policies and procedures that
reflect UofL’s commitment to conducting affairs without unmanaged
conflicts of interest/commitment.
Complete revisions to COIC policy and procedure and secure
Trustees’ approval.
Develop implementation plan for revised COIC policy and
procedure.
Update disclosure form to be in sync with revised policy and
procedure.
Initiate pilot rollout of Conflict of Commitment review
procedures.
5. Conduct Internal Monitoring and Compliance Reviews
Identify and remediate noncompliance with COIC policy and
procedure through proactive review and monitoring.
Strengthen COIC compliance reporting available to
Units/Departments.
Follow up with Appropriate Authorities to identify/address
issues with approved management plans.
Monitor approved management plans.
6. Respond Promptly to Detected Problems and Undertake
Corrective Actions
Conduct timely investigations of allegations of noncompliance
with COIC policy and procedure and provide guidance on corrective
actions.
Receive and evaluate reports and allegations of unmanaged COICs
or noncompliance with approved management plans.
Provide recommendations for corrective actions and improvement
to prevent further occurrences of noncompliance.
7. Measure Program Effectiveness
Evaluate the overall compliance with COIC policy and the
performance of the University Integrity and Compliance Office.
Develop metric reports for units/departments.
Develop metric reports for sponsored programs.
Develop metric reports for the COIC Office.
The Department of Risk Management and Insurance
Annual Work Plan 2020-2021
The Department of Risk Management and
Insurance’s (RMI) mission is to reduce the probability of risks to
person, property, and/or business of the university and safeguard
resources. RMI provides centralized and independent administration
of the University of Louisville’s Enterprise Risk Management
program. RMI administers the university’s commercial insurance
program including but not limited to general and professional
liability, property, cyber, crime, and automobile, along with
workers compensation. RMI has oversight of all university sponsored
and third-party Youth Protection programming. Through collaboration
with university departments and leadership, RMI evaluates and
assists in the mitigation of potential risks and promotes a culture
of risk awareness throughout the university. RMI will do the
following activities as part of the Annual Work Plan for July 1,
2020 to June 30, 2021.
1. Oversight of University Risk and Insurance Programs
Continual assessment of the university’s risk exposures and the
commercial insurance marketplace by benchmarking, market analysis,
and research.
Risk & Insurance – Review existing insurance policies,
market trends, and identified exposures, for a gap analysis.
Youth Protection – Provide guidance and support to all
university departments to proactively mitigate risk regarding youth
programs.
2. Effective Communication
Create communication pathways that promote education,
collaborative communication, and procedural guidance and
support.
Risk & Insurance – Continue to provide timely response to
coverage inquiries, update the Risk Management website for
user-friendly access to risk and insurance information.
Youth Protection - Provide timely response to program inquiries,
update the Youth Protection webpage for user-friendly access to
risk insurance information.
3. Training and Education
Educate the university community on Risk Management, Insurance
and Youth Protection for an understanding of procedural
responsibilities.
Risk, Insurance, & Youth – Utilize the Risk Management
website to provide virtual training information. Utilize all
carrier based on-line training.
Risk, Insurance, & Youth – Online or synchronous training
opportunities to learn about policies and procedures.
Risk, Insurance, & Youth – Utilize UofL communication
platforms (UofL Today) to provide tips, awareness and updates.
4. Policies and Procedures
Revise and/or develop university policies and procedures that
reflect UofL’s commitment to Risk Management, Insurance and Youth
Protection.
Risk & Insurance – Annually review existing policies and
procedures; update, add new, and/or delete as necessary.
Youth Protection – A final approval for updated policies and
handbook with an annual review thereafter.
Risk, Insurance, & Youth – Complete annual benchmarking of
Risk, Insurance and Youth Protection policies.
5. Conduct Internal Monitoring and Reviews
Identify and assess potential risk exposures and department
involvement.
Risk & Insurance – Conduct interviews and risk assessments
with university departments and review loss analysis for trends to
develop proactive prevention methods and mitigation strategies.
Youth Protection - Annually complete program inventory and
monitor program data.
6. Prompt Response to Loss
Conduct timely investigations of incidents, make necessary
reports and notifications, collaborate with third parties (Insurance
Carriers), and provide guidance for corrective actions.
Risk & Insurance – Investigate loss and evaluate mitigation
methods, involving third-party entities when necessary.
Youth Protection – Ensure open communication with youth programs
and make necessary escalated reports in accordance with Youth
Protection policies.
7. Enforce and Promote Risk Awareness
Promote Risk Management, Insurance and Youth Protection program,
policies, and procedures and potential consequences for
non-compliance.
Risk & Insurance – Use university platforms to educate
university community regarding risk, the advantage of mitigation,
and describe probable negative outcomes of non-compliance.
Youth Protection – Educate Departments on consequences for
non-compliance. Escalate to leadership for potential program
discipline.
8. Measure Program Effectiveness
Evaluate the overall Insurance, and Youth Protection Program
culture of UofL and the performance of the department.
Risk and Insurance – Analyze university claim trends and
determine loss ratios per policies for renewal.
Youth Protection – Provide data reports annually for program
cost vs incident reports, evaluate registered programs vs.
inventoried, satisfaction survey, and fully compliant programs.
The mission of Audit Services is to provide the university and
its affiliates with independent and
objective assurance and consulting services. The services are
designed to add value, improve the
university’s operations, and help the university accomplish its
objectives. This is done by bringing a
systematic, disciplined approach for evaluating and improving
the effectiveness of risk management,
control, and governance. All Audit Services activities are
conducted in compliance with university
objectives and policies, as well as the Code of Ethics and
International Standards for the Professional
Practice of Internal Auditing, as defined by the Institute of
Internal Auditors (IIA).
Audit Services currently employs three professional auditors
with a combined experience of over 80
years in higher education and government. In January 2020, the
Information Technology auditor
position became vacant through retirement. A search to fill the
position will be conducted as soon as
practical. Senior staff members are certified in the practice of
internal audit by internationally
recognized professional organizations and adhere to a code of
ethics and principles promoting internal
audit. Junior staff members are strongly encouraged to obtain
professional certification.
This report is a summary of the department’s activities since
September 2019. During the period
Audit Services has received full cooperation from all
administration, staff, and faculty.
NOTE ON COVID-19 EMERGENCY
Since March 2020, Audit Services staff has worked remotely under
the guidelines promulgated by the
university. While staff has been productive, the emergency has
negatively impacted planned audit
projects and department initiatives. In addition, the planned
recruitment of new staff has been shelved
and the recruitment of an IT auditor has been delayed.
RISK ASSESSMENT AND AUDIT PLAN DEVELOPMENT
Audit Services performs an annual risk assessment to determine
the best strategy for deployment of
department resources. The assessment attempts to identify high
risk activities using an evaluation of
the following areas: Regulatory Exposure, Operational Risk
(Complexity), Financial Exposure,
Environmental Risk, and Strategic Risk. Interviews are conducted
with key administration. Based on
the results of this evaluation the attached proposed audit plan
was created and audits have been
scheduled pending the approval of the Board of Trustees. The
proposed audit plan will be
continuously evaluated. Planned projects can be deferred,
cancelled, or added based on this
evaluation. In addition, administration can request a consulting
project to obtain help in identifying
solutions to known issues, to obtain advice in achieving
operational efficiencies, or obtain advice on
internal controls that can be built into new operations,
policies, or procedures. Audit Services is also
responsible for conducting administrative investigations into
cases of alleged fiscal misconduct.
Although resources have been budgeted, investigations can result
in adjustments to planned audits.
Attached is the Proposed 2020-2021 Annual Audit Plan for your
approval.
AUDIT ISSUE FOLLOW-UP PROCESS
Audit Services tracks all open audit issues using an automated
web-based system. The issue owner is
responsible for entering status updates and informing Audit
Services when action plans have been
implemented. Audit Services reviews each implemented plan and
verifies the implementation
effectiveness through additional testing, document review, or
interviews with staff. Issues are not
closed until the auditor is satisfied that the underlying risk
has been sufficiently addressed. Formal
follow-up projects will only be scheduled if a project is
assigned an “unsatisfactory” project rating and
mitigation cannot be effectively evaluated during the issue
closeout process.
A report of pending audit issues is generated quarterly, shared
with administration, and is attached to
this report.
RESOURCE BUDGET
Audit Services is staffed by three professional auditors and the
director. All senior staff are certified
with expertise in fraud examination, risk management, internal
audit, and information technology.
The available resources and their allocation for 2020-2021 are
illustrated in the table below.
Resource Budget (in hours) | 2020-2021 Budget
Total Available Hours | 5,850 | 100%
Total Non-Work Hours | 879 | 15%
Total Administration | 506 | 14%
Total Projects | 4,169 | 71%
Project Breakdown by Type
Assurance Projects | 3,549 | 75%
Consulting/Investigation | 620 | 25%
Non-work hours are university provided benefits, such as
holidays, vacation, and sick leave, and the
time the university is closed due to weather events or
emergencies. Administration consists of the
time spent in department management, staff development and
training, and other activities that are not
directly related to a project.
AUDIT SERVICES PROJECTS
Audit Reports Issued
Project: HSC Accounts Receivable Billing and Collections
Project Rating: Excellent
The Office of the Executive Vice President for Health Affairs
centralized hospital-based contract
billing and collections processing. While this has strengthened
the internal control environment, less
than 50% of all HSC accounts receivable balances were included
in the centralization. This project
included only the centralized receivable balances and
processing. The objectives of the audit were to
obtain reasonable assurance that:
• Internal controls over contract billing and collection
activities were implemented and effective in reducing the inherent
risks.
• Accounts receivable were properly recorded, adjustments were
approved, and collection and write-off processes were adequately
managed.
• Accounts receivable balances were routinely reconciled to the
general ledger.
One moderate priority issue was identified:
Issue Title | Priority | Action Plan Target Implementation Date/Status
Enhance the Security of Payments Received by Check | Moderate | Implemented
Project: OnBase Content Management System
Project Rating: Needs Improvement
OnBase is a third-party vendor software system that serves as
the university’s platform for managing
and storing document images. It is also an electronic routing
system that facilitates approval and data
capture. The objectives of the project were to obtain reasonable
assurance that:
• Controls over OnBase processes were adequate to provide complete
and accurate information processing.
• Content and documents were adequately secured against
unauthorized access, modification, and disclosure.
• Processes and procedures complied with university information
security policies and applicable regulations.
Issues identified during the project were:
Issue Title | Priority | Action Plan Target Implementation Date/Status
Encrypt Document Images That Contain Sensitive Information | High | September 30, 2020
Review OnBase Access | High | Implemented
Comply with Document Retention Policy and Regulations | Moderate | September 30, 2020
Project: Athletics Spirit Groups
Project Rating: N/A
Internal control weaknesses were identified in the management
and oversight provided to the Athletics
Spirit Groups which contributed to the monetary losses
experienced by the department under the
tenure of the former Spirit Groups coordinator. This report is
ancillary to a misconduct investigation
conducted by Audit Services, and accordingly a project rating
and issue priorities were not assigned.
Athletics administration has implemented, or is in process of
implementing, corrective actions in the
following areas.
Issue Title | Action Plan Target Implementation Date/Status
Spirit Group Governance and Oversight | October 1, 2020
Fundraising Policies and Procedures | Implemented
University and Athletics Cash Handling Policies and Procedures | Implemented
Spirit Group Appearances | Implemented
Duplicate and Unauthorized Travel Payments | July 1, 2020
Unauthorized Purchases | Implemented
Student Scholarships | Implemented
Distribution and Sale of Discounted Athletics Tickets | Implemented
Conflict of Interest Reporting and Management | Implemented
ULAA Digital Imagery Restrictions | Implemented
Roster Recordkeeping | Implemented
Projects in Process
Human Resources Staff Compensation and Hiring
Audit Services performed an operational audit of Human
Resources’ staff compensation approval and
hiring processes. The objectives of the audit were to obtain
reasonable assurance that:
• Internal controls are adequate and effective in mitigating the
inherent risks.
• Processes are compliant with applicable laws, regulations, and
university policies.
• Significant processes are efficient and effective in assisting
the department in achieving its goals and objectives.
Audit Services evaluated the current controls over Human
Resources’ staff compensation approval
and hiring processes, including job changes such as
reclassification and in-range adjustments. The
evaluation also included compliance with equal opportunity
clause requirements and HR policies
governing staff employment and compensation, as well as the
effectiveness and efficiency of related
procedures. Faculty and administrator positions were excluded.
Testing was performed on hiring and
compensation transactions occurring between July 1, 2018 and
June 30, 2019 to support conclusions
and recommendations.
A draft report has been issued for management comment and action
plan development.
Distributed Server Security
Audit Services is completing a follow-up project of the
Information Security – Servers project, which
received an “Unsatisfactory” rating in the report issued on
September 25, 2017. The draft report is in
process of administration review.
IT Disaster Recovery Test Observation
On February 11-12, 2020, a disaster recovery (DR) exercise was
conducted by Information
Technology Services (ITS) to test the restoration of the
university’s network and system infrastructure
at the UofL Miller Information Technology Center (MITC) location
and the recovery of the
PeopleSoft systems and auxiliary support applications. This was
the second time a DR test was
conducted after the university contracted with the current
third-party DR services provider. Several
systems, applications, or components were included in the test
for the first time, including I Drive,
PeopleSoft Campus Solutions system, PeopleSoft Human Resources
system, BI Reporting, Business
Operations (system infrastructure only), and SQL Cluster server.
This was also the first DR test
without Tivoli Storage Manager (TSM), the IBM backup and
recovery product the university retired
in December 2019. The test was executed from the MITC via web
connectivity to the university's
third-party disaster recovery services provider. Audit Services
observed the planning and execution of
this test, evaluated the test results, and reviewed associated
disaster recovery plan documentation.
A draft report has been issued to ITS administration for comment
and action plan development.
Diabetes and Obesity Center, Efficiency and Effectiveness Review
and Prior Audit Follow-Up
In August 2019, administration of the Diabetes and Obesity
Center requested that Audit Services
perform an effectiveness and efficiency review of the Core
Research Laboratories established with
funding from a Centers of Biomedical Research Excellence (COBRE)
grant. In 2017, Audit Services
performed a routine audit of the Diabetes and Obesity Center’s
administrative business activities. At
that time a project rating of “Needs Improvement” was assigned.
This project included follow-up
procedures to evaluate the effectiveness of the mitigation
actions adopted as a result of the 2017 audit.
A draft report has been issued to administration for comment and
action plan development.
Contracted Services
Audit Services is in process of performing an operational audit
of Contracted Services. The scope of
the audit includes an evaluation of business services’
management of the major contracted services, to
ensure orderly and effective administration and operation of the
services program. Major service
contracts include managed print, mail, bookstore, dining, and
vending.
The preliminary objectives of the audit will be to obtain
reasonable assurance that:
• Internal controls over contracted services are implemented and
effective in reducing the inherent risks.
• Contracted activity is adequately monitored, reported, and
routinely reconciled.
• Service providers are held accountable to achievement of
contracted service metrics and performance goals.
Procurement Services
A routine operational audit of Procurement services is in the
planning stage. The scope and objectives
of the project will be to obtain reasonable assurance that:
• Key internal controls over procurement activity are implemented
and effective in reducing inherent risks.
• Procurement practices are compliant with applicable laws,
regulations, and university policies.
• Significant processes are efficient and effective in assisting
Procurement Services in achieving its goals and mission.
The planned scope of the audit will include contract management
processes centrally administered by
Procurement Services, focusing on contract development,
execution, and monitoring. A high-level
risk assessment of Uniform Guidance procurement standards will
also be performed. Contracts active
between 5/1/2019 and 4/30/2020 and their related documentation
may be selected for testing to support
conclusions and recommendations. The audit will not include
construction contracts, personal service
contracts (as governed by KRS 45A.690 – 45A.695), or ProCard
processes.
OTHER ACTIVITIES
Other projects include consulting projects, investigations, and
other projects requested by
administration.
Investigations
Audit Services completed 1 investigation from September 30, 2019
through May 29, 2020. One
additional investigation is in process.
Continuous Monitoring Activities
To achieve better audit coverage of higher risk activities, the
development of a continuous auditing
and monitoring program is a best practice. In the fall of 2018,
Audit Services began using a new data
analysis tool to prepare reports that are meaningful. We are
developing new reports that both Audit
Services and Administration can use to better monitor for errors
and omissions.
Consulting
Audit Services continues to consult with administration on new
processes and procedures to help
identify best practices, significant risks, and to recommend
effective and cost-efficient controls.
ProCard Monitoring
Audit Services meets quarterly with staff responsible for
managing the ProCard program at the
university. The ProCard is a credit card program offered through
PNC that allows departments to
make allowed purchases without going through the formal
procurement process. The quarterly
meetings are held to review trends, potential program changes,
and the results of monitoring.
Bursar’s Office
Administration has requested Audit Services to review the
internal controls that have been
implemented in the Bursar’s Office over cashiering, system
access, and student receivables.
2019-2020 AUDIT PLAN STATUS REPORT
Compliance - Routine Audits to obtain reasonable assurance that
the university is compliant with
applicable laws, regulations, third party obligations, or
university policy.
Project Name | Status
Contracted Services | In Process
Diabetes and Obesity Center – Follow Up | Report out for action plan development
Operational/Internal Control Reviews - Routine audits to obtain
reasonable assurance tha