
Virtual Meeting Click here to view the...

Date post: 14-Jul-2020
  • Committees of the University of Louisville Board of Trustees and

    Research Foundation Board of Directors

    Schedule of Meetings

    June 25, 2020

    Virtual Meeting Click here to view the livestream

    1:00 p.m. Audit, Compliance, Risk Committee of BOT and ULRF Rogers, Black, Chilton, Smith, Stewart (Advisor, non-voting)

    1:20 p.m. Academic and Student Affairs Committee Burse, Black, Frazier, Noble, Wallace-Boaz, Wright

    1:40 p.m. Finance Committee Medley, Brinkman, Burse, Noble, Wallace-Boaz

    2:00 p.m. Executive Committee, Research Foundation Rogers, Frazier, Medley, Chilton

    2:05 p.m. Executive Committee, Board of Trustees Nixon, Burse, Medley, Black, Rogers, Smith

    All meetings will run consecutively.

    Page 1 of 255

    https://www.youtube.com/channel/UCgrZKOAWEwZGvRxymq0Qvhg/live

  • MEETING OF THE AUDIT, COMPLIANCE, AND RISK COMMITTEE OF THE UNIVERSITY OF LOUISVILLE BOARD OF TRUSTEES AND

    RESEARCH FOUNDATION BOARD OF DIRECTORS

    1:00 p.m., June 25, 2020

    Virtual Meeting Click here to view the livestream

    In Open Session

    I. Call to Order (Rogers)
       • Approval of Minutes, 10-24-2019

    II. Information Item: Independent External Audit Services Plan (Suda)

    III. Report of the VP for Risk Management, Audit, & Compliance (Russell)
       • Status Updates
       • Work Plan
       • Audit Services Status Report

    IV. Action Item: Approval of 2020-21 Audit Services Work Plan (Russell)

    V. Adjournment (Rogers)

    Committee Members:
    James Rogers, Chair
    Bonita Black
    John Chilton
    John D. Smith
    Gary Stewart, Advisor, Non-voting


  • MINUTES OF THE MEETING OF THE AUDIT, COMPLIANCE, AND RISK COMMITTEE OF THE

    BOARD OF TRUSTEES OF THE UNIVERSITY OF LOUISVILLE AND THE BOARD OF DIRECTORS OF THE UofL RESEARCH FOUNDATION, INC.

    October 24, 2019

    In Open Session

    Members of the Audit, Compliance, and Risk Committee of the University of Louisville Board of Trustees and UofL Research Foundation Board of Directors met at 1:23 p.m. on October 24, 2019, in the atrium of the Arts and Sciences Rowan Building at 1606 Rowan Street, Louisville, KY 40203, with members present and absent as follows:

    Present:
    Mr. James Rogers, Chair
    Ms. Bonita Black
    Mr. John Smith
    Mr. Gary Stewart, Advisor, non-voting

    Other Trustees Present:
    Dr. Raymond Burse
    Mr. David Grissom
    Ms. Diane Medley
    Ms. Mary Nixon
    Mr. Jasper Noble
    Prof. Krista Wallace-Boaz
    Dr. Ron Wright

    From the University:
    Dr. Neeli Bendapudi, President
    Dr. Beth Boehm, Executive Vice President and University Provost
    Dr. Robert Keynton, Executive Vice President for Research and Innovation
    Mr. Dan Durbin, Vice President for Finance and CFO
    Mr. Vince Tyra, Vice President for Athletics and Athletic Director
    Ms. Amy Shoemaker, Deputy General Counsel and Assoc. Athletic Director
    Mr. Thomas Hoy, General Counsel
    Ms. Shannon Rickett, Assistant Vice President for Government Relations
    Ms. Sandy Russell, Assistant Vice President for Risk and Compliance
    Mr. Mark Watkins, Sr. Assoc. Vice President for Operations
    Dr. Toni Ganzel, Executive Dean, School of Medicine
    Mr. John Drees, Sr. Associate Vice President for Communications & Marketing
    Mr. John Karman, Director of Media Relations, Communications & Marketing
    Dr. Faye Jones, Sr. Associate Vice President for Diversity and Equity
    Dr. Michael Mardis, Dean of Students & Vice Provost for Student Affairs
    Mr. Jeff Spoelker, Associate Athletic Director for Finance
    Dr. Pat Ivey, Assoc. Athletic Director for Student Athlete Health & Performance
    Mr. Walter Newell, Treasurer/Controller
    Ms. Kim Noltemeyer, Sr. Unit Business Manager, Planning, Design & Constr.
    Ms. Beverly Santamouris, Director of Accounting and Reporting
    Ms. Kimberly Adams, Chief Information Security Officer
    Ms. Jennifer Mudd, Integrity and Compliance Manager
    Ms. Cheri Jones, Director of Audit Services
    Prof. Sharon Moore, Faculty Director, ULAA
    Dr. Aesha Uqdah, Director of the Counseling Center
    Dr. Rashmi Assudani, ACE Fellow
    Mr. David Adams, Accounting Supervisor
    Ms. Tanisha Allen, Senior Accounting Specialist
    Ms. Michelle Comer, Assistant Director of Accounting and Financing Reporting
    Mr. Matt Cushing, Accountant III
    Ms. Amanda Snyder, Accountant II
    Ms. Kelly Rose, Accountant I
    Ms. Danielle Woods, Accountant I
    Mr. Michael Wade Smith, Chief of Staff to the President
    Mr. Jake Beamer, Boards Liaison and Assistant Secretary

    Others:
    Mr. Chris Suda, CliftonLarsonAllen, LLC
    Mr. Ethan Lay, CliftonLarsonAllen, LLC

    I. Call to Order

    Having determined a quorum present, Chair Rogers called the meeting to order at 1:23 p.m.

    Approval of Minutes, 6-20-2019

    Ms. Black made a motion, which Mr. Smith seconded, to approve the minutes of the June 20, 2019 meeting.

    The motion passed.

    II. Action Item: Approval of ULRF Audited Financial Statements

    Messrs. Suda and Lay provided an overview of the work completed by CliftonLarsonAllen (CLA) using the attached presentation. They then presented the audited financial statements of the UofL Research Foundation, Inc. and fielded questions from the committee.

    Ms. Black made a motion, which Mr. Smith seconded, to approve the President’s recommendation that the ULRF Board of Directors approve the audited financial statements for the period ending June 30, 2019 and Independent Auditor’s Report as presented under Governmental Accounting Standards (GASB) 34, as attached.

    The motion passed.

    III. UofL Audited Financial Statements

    Information Item: FY 2019 Financial Results

    Using the attached presentation, Mr. Durbin presented to the committee the university financial results for fiscal year 2019. Highlights included: the university ended the year with an unqualified “clean” audit; total revenues increased by 5% from the prior year to $1.099 billion; total expenses increased by 3% from the prior year to $1.076 billion; the net position or financial value of the institution increased by $23 million, a significant growth over the prior year performance of $3 million; the liquidity position is improving; and the university’s financial position remains strong with total assets and deferred outflows of $1.3 billion.

    He then fielded questions from committee members.

    No action was taken.

    Action Item: Approval of Statements

    Mr. Suda then presented the university’s audited financial statements, and with Mr. Lay, fielded questions from committee members.

    Mr. Smith made a motion, which Ms. Black seconded, to approve the President’s recommendation that the Board of Trustees approve the audited financial statements for the period ending June 30, 2019 and Independent Auditor’s Report as presented under Governmental Accounting Standards Board (GASB) 34, as attached.

    The motion passed.

    IV. Information Item: Update from University Risk and Compliance

    Ms. Russell provided an update on risk and compliance using the attached presentation. This included statistics on the university’s complaint hotline and the audit services report as of September 30, 2019.

    The audit services report is a summary of the department’s activities over the last fiscal year and includes risk assessment and audit plan development information, the 2017-18 and 2018-19 audit plan results, quality assurance improvement program, issued audit reports (compliance, operational, information technology), projects in process, continuous monitoring activities, and consulting activities.

    Ms. Russell also provided a status report on the 2019-20 Audit Plan. She then fielded questions from committee members.

    No action was taken.

    V. Adjournment

    Having no other business to come before the committee, Ms. Black made a motion, which Mr. Smith seconded, to adjourn.

    The motion passed and the meeting adjourned at 1:41 p.m.

    Approved by:

    ________________________ Assistant Secretary


  • WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING

    Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC‐registered investment advisor

    ©2020 CliftonLarsonAllen LLP

    University of Louisville
    Fiscal Year Ended June 30, 2020

    Independent External Audit Services Plan
    Presentation to the Audit Committee
    June 25, 2020

  • Create Opportunities

    Agenda
    • Engagement scope and deliverables
    • Engagement team
    • CLA’s responsibilities
    • University’s responsibilities
    • Financial audit
    • Audit methodology
    • Preliminary risk assessments
    • Single audit
    • Engagement timeline
    • Accounting and auditing standards

  • Engagement Scope and Deliverables
    For the Year Ended June 30, 2020

    • Independent auditors’ reports on the financial statements of:
      – University of Louisville
      – University of Louisville Athletic Association, Inc.
      – University of Louisville Research Foundation, Inc.

    • Independent Auditors’ Reports on Internal Control over Financial Reporting and on Compliance and Other Matters Based on an Audit of Financial Statements Performed in Accordance With Government Auditing Standards (Yellow Book Report)

    • Uniform Guidance Single Audit reports on expenditures of federal awards, internal controls and compliance for the University.

    • University of Louisville Athletic Association, Inc. NCAA agreed‐upon procedures report on compliance with requirements relating to activities of revenues and expenses as updated by NCAA amendments

    • Report on compliance with provisions of House Bill 622.

    • Report on Lease Law Compliance.

    • Reports to the Audit Committee on required auditor communications.


  • Engagement Leadership Team

    Amanda Kemp, Director
    Chris Suda, Principal
    Don Loberg, Principal
    Josh Wilks, Principal
    Tim Richter, Director
    Kyla Greenhoe, Director

  • Engagement Team (Continued)

    Name, role, and contact details:

    • Chris Suda: CLA engagement principal with responsibility for the overall audit. Phone: 314‐925‐4395 (Direct); Email: [email protected]

    • Don Loberg: CLA engagement principal with responsibility for consulting projects (as requested). Phone: 612‐397‐3064 (Direct); Email: [email protected]

    • Josh Wilks: CLA engagement principal with responsibility for audit work related to the Hospital. Phone: 314‐925‐4309 (Direct); Email: [email protected]

    • Tim Richter: CLA engagement director with responsibility for financial statement audits. Phone: 314‐925‐4304 (Direct); Email: [email protected]

    • Brenda Scherer: CLA engagement director with responsibility for the student financial aid advisory role. Phone: 612‐376‐4626 (Direct); Email: [email protected]

    • Kyla Greenhoe: CLA engagement manager with responsibility for the single audit under Uniform Guidance. Phone: 317‐569‐6137 (Direct); Email: [email protected]

    • Amanda Kemp: CLA engagement director with responsibility for the information systems review. Phone: 267‐419‐1624 (Direct); Email: [email protected]

    • Andrew Zebell: CLA engagement manager with responsibility for the financial audit. Phone: 314‐925‐4357 (Direct); Email: [email protected]

    • Ethan Lay: CLA engagement senior with responsibility for the financial audit and single audit. Phone: 314‐925‐4416 (Direct); Email: [email protected]

  • CLA’s Responsibilities

    • Forming and expressing opinions about whether the financial statements that have been prepared by management with the oversight of those charged with governance are presented fairly, in all material respects, in conformity with generally accepted accounting principles (GAAP).

    • Planning and performing the audit to obtain reasonable—not absolute— assurance about whether the financial statements are free of material misstatement, whether caused by fraud or error. Because of the nature of audit evidence and the characteristics of fraud, we are able to obtain reasonable, but not absolute, assurance that material misstatements will be detected. Our audit is not designed to detect error or fraud that is immaterial to the financial statements.

    • Evaluating whether the University’s controls sufficiently address:
      – Identified risks or material misstatement due to fraud.
      – The risk of management override of other controls.

    • Communicating to the Audit Committee, in writing, all significant deficiencies and material weaknesses in internal control identified in the audit and reporting to management deficiencies that, in our professional judgment, are of sufficient importance to merit management’s attention.

    • Conducting an audit in accordance with professional standards, including:
      – Government Auditing Standards.

    • Complying with the rules and regulations of the Code of Professional Conduct adopted by the American Institute of Certified Public Accountants and the ethical standards of state CPA societies and state boards of accountancy.

    • Planning and performing an audit with an attitude of professional skepticism.

    • Communicating all required information to the University management and to the Audit Committee of the Board of Trustees.

  • University Responsibilities

    • Management’s Responsibilities
      – Adopting sound accounting policies.
      – Establishing and maintaining effective internal controls.
      – Fairly presenting the financial statements in conformity with GAAP.
      – Compliance with provisions of laws, regulations, contracts, and grant agreements.
      – Making all financial records and related information available to the auditor.
      – Providing the auditor with a letter confirming certain representations made during the audit that include, but are not limited to, management’s:
        ◊ Disclosure of all significant deficiencies, including material weaknesses, in the design or operation of internal control that could adversely affect the University’s ability to initiate, authorize, record, process, or report financial data.
        ◊ Acknowledgement of their responsibility for the design and implementation of programs and controls to prevent, deter, and detect fraud.

  • University’s Responsibilities (Continued)

    • Audit Committee’s Responsibilities
      – Oversight of the financial reporting process and oversight of internal controls.
      – Ultimately responsible for the establishment and maintenance of internal controls to prevent, deter, and detect fraud.
      – Ultimately responsible for setting the proper tone and creating and maintaining a culture of honesty and high ethical standards.

    • Management and the Audit Committee’s Responsibilities
      – Establishing and maintaining internal controls to prevent, deter, and detect fraud.
      – Setting the proper tone and creating and maintaining a culture of honesty and high ethical standards.
      – The audit of the financial statements does not relieve management or the Audit Committee of their responsibilities.

  • Financial Audit

    • Objective:
      – To express opinions on the financial statements of:
        ◊ University of Louisville
        ◊ University of Louisville Athletic Association, Inc.
        ◊ University of Louisville Research Foundation, Inc.
      – Independent Auditors’ Reports on Internal Control over Financial Reporting and on Compliance and Other Matters Based on an Audit of Financial Statements Performed in Accordance With Government Auditing Standards (Yellow Book Report)
      – NCAA Agreed‐upon procedures report on compliance
      – Report on compliance with provisions of House Bill 622.
      – Report on Lease Law Compliance.

    • Areas of audit emphasis:
      – Fair presentation of financial statements
      – Internal controls over financial reporting

  • Audit Methodology

    Phase 1: Planning & Strategy
    Phase 2: Systems Evaluation
    Phase 3: Testing & Analysis
    Phase 4: Reporting & Follow‐Up

    Continuous Communication

  • Audit Methodology (Continued)

    Phase 1: Planning & Strategy
    • Perform risk assessment procedures and identify risks
    • Determine audit strategy
    • Determine planned audit approach
    • Evaluate the design and implementation of entity level controls

    Phase 2: Systems Evaluation
    • Understand accounting and reporting activities
    • Evaluate design and implementation of selected controls
    • Test operating effectiveness of selected controls
    • Perform walk‐thru’s of key controls
    • Assess control risk and risk of significant misstatement

    Phase 3: Testing & Analysis
    • Plan substantive procedures
    • Perform substantive procedures
    • Consider if audit evidence is sufficient and appropriate
    • Conclude on audit objectives

    Phase 4: Reporting & Follow‐Up
    • Perform completion procedures
    • Perform overall evaluation
    • Form an audit opinion

  • Preliminary Risk Assessment

    Financial Statement Level Risk: Overall economic conditions/COVID 19 Pandemic

    Description of Financial Statement Level Risk: Economic conditions and the COVID 19 pandemic continue to have an impact on the higher education industry, including declines in revenues and earnings. Environment creates a decreased market for tax‐exempt bonds and results in continued cost saving measures.

    Planned Audit Approach: CLA will be mindful of the impact of the overall economy and the COVID 19 pandemic on the University. In particular, CLA will evaluate whether such conditions have resulted in any changes to the overall control environment of the University.

    Financial Statement Level Risk: General Information Technology Controls

    Description of Financial Statement Level Risk: General information technology controls have a pervasive impact on controls throughout the University.

    Planned Audit Approach: The engagement team includes a member from CLA’s information systems securities group, who will perform walkthroughs and tests of design and operating effectiveness related to information technology general controls related to the general ledger, purchasing, payroll systems, and student billing system. Specific procedures will be performed related to access to programs and data, program changes, program development, computer operations, and end user computing.

    Financial Statement Level Risk: Management Override of Controls

    Description of Financial Statement Level Risk: As is the case for all entities, management is in a unique position to perpetrate fraud because of its ability to manipulate accounting records and prepare fraudulent financial statements by overriding controls that otherwise appear to be operating effectively. Although the level of risk of management override of controls will vary from entity to entity, the risk is, nevertheless, present in all entities. Due to the unpredictable way in which such override could occur, it is a risk of material misstatement due to fraud and, thus, a significant risk.

    Planned Audit Approach: CLA will test the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of the financial statements. In designing and performing audit procedures for such tests, the auditor should: (1) obtain an understanding of the entity's financial reporting process and controls over journal entries and other adjustments, and the suitability of design and implementation of such controls; (2) make inquiries of individuals involved in the financial reporting process about inappropriate or unusual activity relating to the processing of journal entries and other adjustments; (3) consider fraud risk indicators, the nature and complexity of accounts, and entries processed outside the normal course of business; (4) select journal entries and other adjustments made at the end of a reporting period.

  • COVID‐19 Impact

    Operations
    • Auxiliaries and fees
    • Cash flow
    • CARES Act Higher Education Emergency Relief Fund (HEERF)
    • Enrollment retention
    • COVID related expenses

    Audit and Accounting
    • Risk assessment
    • Accounting for relief funds
    • Accounting for expenses and refunds
    • Going concern considerations
    • Additional disclosures
    • Potential implementation delays

  • COVID‐19 Impact

    Compliance
    • Student Financial Aid
      • No match required for certain programs (FSEOG, FWS)
      • FWS students are eligible to be paid unearned funds
      • Loans/grants not counted towards lifetime limits
      • Withdrawals: No Pell required to be returned
      • SAP allowances
    • Other Federal Programs
      • CARES Act funding
      • Extension of spending and filing deadlines
      • Other compliance waivers

  • Single Audit

    • Objective:
      – To determine that the University has established effective internal control over compliance with the requirements of federal awards, and has complied with laws and regulations that may have a material effect on the financial statements and major federal programs.
      – Forming and expressing an opinion about whether the University complied with the types of compliance requirements described in the US Office of Management and Budget (OMB) Compliance Supplement that could have a direct and material effect on each of its major federal programs.

    • Federal program to be preliminarily considered major programs is the Student Financial Aid Cluster

    • Areas of audit emphasis:
      – Internal controls over compliance for major programs
      – Compliance requirements for major programs

  • Single Audit Methodology

    Phase 1: Risk Assessment and Planning
    Phase 2: Systems Evaluation
    Phase 3: Final Assessment and Reporting

    Continuous Communication

  • Engagement Timeline

    Significant Milestones: Target Date
    Entrance conference: April 16, 2020
    Preliminary fieldwork started: May 18, 2020
    Final fieldwork starts: August 17, 2020
    Audit Committee update meeting: To Be Determined
    Exit conference – financial statements: September 25, 2020
    Final financial and compliance report issued: October 2, 2020
    Audit Committee closing meeting: To Be Determined

  • Accounting and Auditing Standards Changes

    GASB statements (Implementation Postponed One Year):

    • Effective for fiscal year ending June 30, 2020

    – GASB No. 84, Fiduciary Activities: Establishes criteria for identifying fiduciary activities for state and local governments, focusing on (1) whether the government is controlling the assets of the fiduciary activity, and (2) the beneficiaries with whom a fiduciary relationship exists. Different criteria are included for fiduciary component units and postemployment benefit arrangements.

    – GASB Statement No. 90, Majority Equity Interests—an amendment of GASB Statements No. 14 and No. 61 defines a majority equity interest and specifies that a majority equity interest in a legally separate organization should be reported as an investment if a government’s holding of the equity interest meets the definition of investment.


  • Accounting and Auditing Standards Changes (Continued)

    GASB Statements Postponed (Continued)

    • Effective for fiscal year ending June 30, 2021

    – GASBS No. 87, Leases: Requires recognition of certain lease assets and liabilities for leases that were previously classified as operating leases, and establishes a single model for lease accounting based on the foundational principle that leases are financings of the right to use an underlying asset.

    – GASB Statement No. 89, Accounting for Interest Cost Incurred Before the End of a Construction Period requires interest cost incurred before the end of a construction period to be included in the historical cost of a capital asset reported in a business‐type activity or enterprise fund.

    • Effective for fiscal year ending June 30, 2022

    – GASBS No. 91, Conduit Debt Obligations: The preliminary objectives of this statement are to provide a single method of reporting conduit debt obligations by issuers and eliminate diversity in practice associated with (1) commitments extended by issuers, (2) arrangements associated with conduit debt obligations, and (3) related note disclosures.

  • CLAconnect.com

    Thank you

    Any Questions?

  • Audit, Compliance, and Risk Update

    June 25, 2020

  • LOUISVILLE.EDU

    Status of Compliance Reports 7/1/19 through 6/31/20

    Period Ended May 31, 2020

    Reports by Source:
      Hotline Initiated: 52
      Other Avenues (letter, email): 30
      Total: 82

    Reports by Status:
      Open: 12
      Closed: 70
      Total: 82

    Reports by Validity (Closed Reports):
      Unsubstantiated: 31
      Partially Substantiated: 6
      Substantiated: 16
      Insufficient Information/Other: 17
      Total: 70

  • Integrity and Compliance Activity Update

    • New or Significantly Revised Policies

    • Student Pregnancy Accommodations

    • Moped, Scooter, and Motorcycle Use

    • Subrecipient Monitoring and Management

    • Special Projects

    • New website for the online policy and procedure library


  • Status of University Information Security Report

    Incidents July 1, 2019 – May 31, 2019

    Non-Reportable: 10
    Reportable:
    FERPA, KYPI and Dept. of Ed: 2
    HIPAA and KYPI: 4
    KYPI and FERPA: 0
    FERPA only: 1
    KYPI only: 0
    Compliance Investigation: 1
    Total number of Events: 18

  • University Information Security Office Activity Update

    Promote security awareness training and education via in-person and special events.

    • For the fiscal year 2019, the ISO has provided security training to over 600 faculty, staff and students. Training included access to five new areas and one external entity.

    Risk Management and Assessment

    • To date for the fiscal year 2019-2020, the ISO has performed in excess of 150 vendor review requests. More than 100 reviews have occurred during Q1/Q2 2020, including an e-signature product, conferencing platforms and other solutions related to work from home or online teaching due to the recent pandemic.


  • Risk Management Activity Update

    Commercial Insurance Program

    • Completed 14 Insurance Policy renewals with 7/1/20 renewal dates.

    • Create Virtual Program guidelines, participation release, and code of conduct for on-line programs.

    • Updating Youth Protection Policy and Procedures.


  • The Department of Audit Services

    Annual Work Plan 2020-2021

    The Department of Audit Services’ mission is to provide independent and objective assurance and consulting services designed to add value and improve the organization’s operations. To help the organization accomplish its objectives by bringing a systematic, disciplined approach for evaluating and improving the effectiveness of risk management, control, and governance processes. In doing so, Audit Services will be considered among the leaders in our profession by providing an environment rewarding diversity, empowerment, innovation, teamwork, and open communication.

    1. Provide Independent and Objective Assurance and Consulting Services

    Perform internal assurance and consulting projects based on an objective risk evaluation.

    Perform high level risk evaluation and develop an audit plan based on the evaluation.

    Continuously evaluate the relevance of the approved audit plan with consultation with university administration.

    Execute the audit plan focusing on identified key risks and controls.

    2. Develop Effective Lines of Communication

    Communicate significant risks and controls, emerging risks, and render opinions on new and changing processes, opinions, significant procedures, regulations, and policies.

    Conduct or attend periodic meetings with administration to discuss emerging risks and new initiatives.

    Issue detailed, concise, and timely project reports that communicate control weaknesses, recommendations related to best practices, process improvements, expense reductions, and revenue enhancements.

    Participate in task groups and evaluate new processes, policies, and procedures.

    Prepare and distribute quarterly status reports on open audit issues.

    Prepare annual Board report on the status of the prior year audit plan.

    3. Conduct Effective Training and Education

    Increase community awareness of the red flags of fraud and an effective internal control environment.

    Develop and implement an effective website with tools that the university community can use. Promote the website through official university communication.

    Develop and implement training that can be conducted during department staff meetings, in-person training meetings, or with on-line training tools (consult with Delphi after the emergency status has ended).

    4. Measure Program Effectiveness

    Evaluate Audit Services’ effectiveness in conducting projects and communicating results.

    Conduct an annual survey with the assistance of the department of institutional effectiveness (after the emergency status has ended).

    Perform internal quality assurance reviews on all assurance and consulting projects.

    Monitor the existence of recurring issues or issues that are identified across many different projects.

    5. Perform Independent Investigations of Fiscal Misconduct

    Perform the initial assessment and applicable investigations of whether fiscal misconduct is likely to have occurred based on reports received through the university ethics hotline, directly from university officials, directly from concerned staff, vendors, outside parties, or through routine assurance and consulting projects.

    Evaluate evidence for signs of fiscal misconduct for reports received from external sources. Conduct investigations, and report on the investigations to applicable departments (e.g., Counsel’s Office, University Police, President’s Office).

    Develop and implement continuous monitoring reports in areas such as Accounts Payable and Payroll with a focus on the red flags (indicators) of fraudulent activity.

    6. Improve Audit Coverage and Effectiveness

    Improve the effectiveness of internal audit by utilizing technology and promoting staff education.

    Develop and implement continuous monitoring reports in areas such as Accounts Payable and Payroll. Evaluate the reports for evidence of increased risk, new activity, and possible fraud.

    Attend annual training events that promote knowledge of new techniques, technology, and improve the skills of staff.

    Fully staff the department, hiring auditors with the skills and knowledge necessary to fill knowledge gaps (e.g., IT Auditor).

  • The University Integrity and Compliance Office

    Annual Work Plan 2020-2021

    The University Integrity and Compliance Office (UICO) mission is to support and foster a culture of integrity, compliance, and accountability. The UICO provides centralized and independent oversight of the University of Louisville’s compliance and ethics programs and activities and risk mitigation efforts. The UICO provides ongoing development of effective policies and procedures, education and training, monitoring, communication, risk assessment, and response to reported issues as required by Chapter 8 of the Federal Sentencing Guidelines. These guidelines set forth the requirements of an effective compliance and ethics program for organizations and require not only promoting compliance with laws, but also promoting a culture of ethical conduct. The UICO will conduct the following activities as part of its Annual Work Plan for July 1, 2020 to June 30, 2021.

    1. Provide Oversight of Compliance and Ethics and Related Activities

    Promote accountability among UofL employees for compliance with applicable federal, state and local laws and regulations, and appoint knowledgeable individuals responsible for developing and implementing a comprehensive compliance and ethics program.

    Finalize the draft Accountability Matrix that identifies compliance partners and their areas of responsibility.

    Establish and lead the University Integrity and Compliance Advisory Committee consisting of compliance partners and appropriate university representation.

    Develop a university-wide compliance and ethics charter.

    2. Develop Effective Lines of Communication

    Create communication pathways that allow the dissemination of education and regulatory information and provide a mechanism for reporting compliance activities or concerns.

    Administer and promote the UofL Compliance and Ethics Hotline.

    Maintain and promote the University Integrity and Compliance Office website.

    3. Conduct Effective Training and Education

    Educate the UofL community on its compliance responsibilities and regulatory obligations, and on the university integrity and compliance program.

    Update online general compliance and ethics training for new employees.

    Promote the employee code of conduct to all employees.

    Issue announcements regarding employees’ duty to report and avenues for reporting concerns, including the compliance and ethics hotline.

  • 4. Revise and/or Develop Policies and Procedures

    Revise or develop university policies and procedures that reflect UofL’s commitment to ethical conduct and compliance with applicable laws and regulations

    Oversee and maintain the university’s online policy and procedure library.

    Review and revise the university’s policy on Developing University Administrative Policies.

    Review and update the policy creation and approval process to align with best practices. Communicate changes and provide education on the policy life-cycle.

    Review and revise the university’s employee Code of Conduct.

    5. Conduct Internal Monitoring and Compliance Reviews

    Identify and remediate noncompliance through proactive review and monitoring of risk areas

    Review compliance and ethical reports for trends and risk areas, and address appropriately.

    Follow-up with compliance partners regarding risk mitigation plans to address high-risk areas identified through the compliance risk assessment process

    Oversee and monitor employees, vendors, and affiliates against governmental agency exclusion and/or debarment lists.

    6. Respond Promptly to Detected Problems and Undertake Corrective Actions

    Conduct timely investigations of allegations of noncompliance and provide guidance on corrective actions

    Receive and evaluate reports and allegations of misconduct and conduct investigations.

    Provide recommendations for corrective actions and improvement to prevent further occurrences of noncompliance and/or unethical conduct.

    7. Enforce/Promote Standards Through Appropriate Incentives and Disciplinary Guidelines

    Promote the compliance and ethics program and university regulations, policies and procedures, and consequences of noncompliance.

    Promote awareness of new or revised regulations, university policies and procedures, or other requirements applicable to the university.

    Promote accountability and consistent discipline for identified occurrences of noncompliance and/or unethical conduct.

    8. Measure Program Effectiveness

    Evaluate the overall compliance and ethics culture of UofL and the performance of the University Integrity and Compliance Office.

    Develop a Compliance and Ethics Culture Survey.

    9. New Regulations and Special Projects

    Partner with Human Resources and Payroll to educate university employees about Fair Labor Laws and ensure compliance with federal and state wage and hour laws.

    Develop and launch a new university site to promote and store university policies and procedures.

    Coordinate and conduct meetings of the IT Website Accessibility Work Group to ensure compliance with the Americans with Disabilities Act.

  • The Office of Athletic Compliance

    Annual Work Plan 2020-2021

    The mission of the Office of Athletics Compliance at the University of Louisville is to advance the NCAA Principle of Institutional Control and to provide our student-athletes, coaches, staff and outside constituents exemplary customer service, sound guidance, visibility and effective communication.

    The Louisville Office of Athletics Compliance will provide thorough rules education of NCAA, ACC and University regulations, develop effective monitoring systems, and will promote a culture of compliance within both the Athletic Department and the University. Through ethical decision-making and conduct, integrity, monitoring and enforcement, this mission will provide a strong foundation for compliance and institutional control for the university and all of its stakeholders.

    The Office of Athletic Compliance will conduct the following activities as part of its work plan from July 1, 2020 to June 30, 2021.

    1. Continue Providing Enhanced Rules Education to all Constituent Groups

    Deliver Comprehensive Rules Education across the Athletic Department, Campus Community, and Local Community, with an emphasis on key stakeholders.

    Provide rules education to student-athletes, coaches, staff members, and boosters, with an emphasis on name, image, and likeness, gambling, and extra benefits.

    Provide rules education to priority campus units (e.g., Admissions; Financial Aid; Bursar; Registrar; General Counsel; Alumni Affairs; etc.) at least once per calendar year; twice if possible. Enhance rules education outreach to boosters, local media, promotional partners and local businesses frequented by student-athletes, prioritizing bars/clubs, restaurants, barbershops, and automobile dealerships.

    2. Continue Effective Outreach

    Implement Innovative Educational Initiatives and Outreach Methods for our Coaches/Staff/Student-Athletes

    Build in opportunities for regular visits to practice/sport facilities with coaches and staff (e.g., campus rounds)

  • Increase use of video conferencing software, Blackboard, social media, and other technologies in delivering rules education in a more efficient and comprehensive manner sensitive to social distancing best practices.

    3. Increase Monitoring Efficiency

    Enhance monitoring processes related to recruiting activities and time management plans through increased use of compliance software options.

    Continue effective usage of TeamWorks software department wide for improved real time communication.

    Deliver monthly monitoring reports to each sport with cc to compliance leads and sport administrators. Effectively transition from JumpForward to ARMS compliance software to provide coaches/staff a more user-friendly recruiting and complimentary admission solution.

    4. Develop Policies and Procedures for Student-Athlete Name, Image, Likeness Legislation

    Develop university policies and procedures that create a system of vetting, approval and monitoring to coincide with anticipated upcoming legislation that will allow student-athlete compensation for the use of their name, image, and/or likeness (NIL) in commercial activities.

    Create internal NIL committee representative of specific areas related to this legislation (Compliance, Legal, Marketing, Corporate Sponsorships).

    Create an effective process for student-athletes to vet potential opportunities to be pre-approved to avoid potential eligibility risks.

    Create system to vet and educate potential third-party partners/influences in this process. Provide regular comprehensive rules education to student-athletes who seek out these opportunities and other involved third parties.

    5. Internal Monitoring, Investigation and Violation Reporting

    Continue to strengthen internal monitoring systems to detect and promptly report NCAA Level III violations, including continuing to set expectations for coaches, staff and student-athletes to self-report potential violations as required by NCAA rules.

    Ensure timely submission and review of on- and off-campus recruiting activities. Provide coaches, staff and student-athletes with, and emphasize to them, options and outlets for reporting violations or questionable activity they are aware of that could potentially lead to a violation.

    Review and emphasize areas of focus related to the current NCAA probation, including housing and campus recruiting activities.

  • 6. Prioritize Quality Control of Student-Athlete Academic Integrity Reviews.

    Create campus protocols to review academic misconduct allegations involving students, to meet recent changes in NCAA rules related to reasonable standards in this area.

    Involve the new Faculty Athletics Representative (FAR) and Committee on Academic Performance to review daily grade-change reports for possible inconsistency, review academic unit misconduct policies and enhance quality of unit degree audits. Continue comprehensive academic misconduct rules education, defining roles and responsibilities of the FAR, CAP, and Academic Services and other stakeholders in the academic misconduct review process.

    7. Review Head Coach Responsibility Audit Process

    Review current Head Coach Responsibility protocols and audit process to enhance Head Coach compliance communication with their staff and method for documenting these activities.

    Provide compliance education topics and methods to Head Coaches to increase their efficiency in communicating compliance topics and in reviewing areas such as visits, 3rd parties, etc.

    Create more efficiency in documenting the compliance communication process as it occurs, to protect the HC and program. Expand role and involvement of sport administrators in the HCR process.

    8. Enhance Elite Student-Athlete Program Education

    Continue to identify and create new educational initiatives for our elite student-athletes.

    Develop updated programming to educate in areas such as NIL, extra benefits, prize money, and financial literacy for student-athletes focused on professional sport or Olympic participation. Continue review of amateurism profiles of incoming high profile student-athletes.

    9. Promote Staff Professional Development

    Prioritize the need to provide and encourage professional development opportunities for staff in multiple areas of athletics.

    Provide funding and opportunity for staff to enhance their professional profile through professional development both in and out of compliance.

    Promote work/life balance by reviewing workloads and setting expectations with coaches and staff.

    Encourage opportunities to increase staff exposure to all areas of athletic department operations to expand network and future professional advancement.

    10. New Faculty Athletics Representative Orientation

  • Provide comprehensive orientation for the new FAR relative to her role and responsibilities.

    Provide comprehensive education on the policies and procedures of the NCAA/ACC and other job responsibilities related to the role of Faculty Athletics Representative, including academic certification, missed class time policies, academic misconduct, coaches recruiting exam, NCAA waiver sign-off, and NCAA/ACC legislative review.

  • Information Security Office

    Annual Work Plan 2020-2021

    The Information Security Office (ISO) serves as the university's resource for guidance on information security compliance and administers the university's Information Security Program. The ISO oversees information security policies and standards; provides compliance oversight and risk assessments; and coordinates information security efforts, incident response and user awareness. The ISO works in conjunction with ITS Enterprise Security, Audit Services, University Integrity and Compliance, Privacy, Research and other compliance officials to maintain regulatory compliance and to protect the confidentiality, integrity and availability of university information assets. Following are activities of the Information Security Office Annual Work Plan for July 1, 2020 to June 30, 2021.

    1. Provide Oversight of Information Security and Related Activities

    Promote accountability, risk management, security responsibility and compliance with applicable federal, state and local laws and regulations.

    Partner with university compliance areas to promote and provide guidance on information security controls and regulations.

    Partner with Information Technology Services to develop and implement technologies and processes to support and maintain the security of university data and assets.

    Lead and/or participate in committees, work groups and RFPs to provide information security input and guidance.

    2. Develop Effective Lines of Communication

    Create communication pathways that allow the dissemination of education, compliance and regulatory information which allows for reporting security incidents or concerns.

    Promote the Information Security Office and incident reporting procedures via electronic and in-person communications and activities.

    Maintain and promote the Information Security Office website as a communication and educational tool.

    3. Conduct Effective Training and Education

    Make available information security awareness training which informs faculty, staff and students of their responsibilities for protecting the university’s information data and assets in their care. Utilize various platforms and avenues in order to reach the university community.

    Promote security awareness training and education via in-person and special events.

    Issue periodic announcements regarding information security responsibilities and topics.

    Participate in university and industry awareness opportunities.

  • 4. Oversee the Information Security Policy and Procedure Lifecycle

    Revise or develop university policies and procedures that establish the university’s Information Security program; reflect UofL’s commitment to protecting the confidentiality, integrity and availability of university assets and compliance with applicable laws and regulations; and that promote consequences for noncompliance.

    Review, revise and publish information security policies and procedures in accordance with the ISO policy management lifecycle process.

    Develop new policies in accordance with regulatory and university environment and strategic direction.

    5. Manage the Information Security Risk and Assessment Program

    Identify and remediate noncompliance through proactive review and monitoring of risk areas. Provide recommendations and avenues for risk identification and mitigation.

    Develop and oversee risk management procedures that enable the university to identify and protect information assets.

    Conduct or assist areas in conducting information security risk assessments, identifying and reporting information security risk and remediation recommendations.

    Assist areas in the review and vetting of security requirements and controls of third-party vendors, providing support and guidance as needed.

    Lead the GLBA Security Program committee in identifying risks and mitigation recommendations related to student financial information.

    6. Provide Incident Response and Breach Notification

    Conduct timely investigations of actual or potential information security incidents and report internally and to external agencies as required.

    Lead the university’s Information Security Incident Response Team (ISIRT) in investigating, coordinating and reporting of information security events and incidents.

    Monitor the information security office mailbox and respond timely to incident reports. Provide recommendations for corrective actions and improvement to prevent further occurrences.

    Investigate potential/actual incidents, assisting in remediation and reporting to individuals and regulatory and government agencies as required.

    7. Provide Program Reporting and Enforcement and Standard Promotion

    Promote the Information Security program, policies, and procedures and potential consequences for non-compliance, providing review and reporting on activities and compliance.

    Update and issue the Information Security Office quarterly report provided to the University of Louisville’s Board of Trustees’ Risk, Audit, and Compliance Committee.

    Provide enforcement and consequence awareness.

  • 8. Facility Security Officer

    Serve as the Facility Security Officer managing the university’s Facility Security Clearance Program. Note: the university is currently in inactive status.

    Maintain the clearance status of the University in compliance with NISPOM regulations/standards. Provide training, conduct assessments and participate in DSS audits.

    9. New Regulations and Special Projects

    Provide information security direction and guidance related to new regulations and university projects.

    Work with the university counsel and other compliance officials as needed to develop and implement awareness and standards to comply with new or changing regulations.

  • Privacy Office

    Annual Work Plan 2020-2021

    The University of Louisville (UofL) Privacy Office provides guidance and assistance to the UofL community regarding regulations which may impact the privacy of our students, our employees, our patients, and our campus visitors. The UofL Privacy Office assists with privacy concerns and questions, has oversight responsibility for HIPAA compliance within the health care component of the UofL covered entity, ensures that HIPAA training is provided to the UofL community, reviews contracts for privacy issues, works with faculty and staff to respond to privacy incidents, and provides assistance to individuals working on UofL research projects which involve sensitive or health information. In the event of a suspected breach of protected health information (PHI), the UofL Privacy Office investigates the incident and, if required, provides notification to the affected patient(s) and to the Department of Health and Human Services (DHHS). The UofL Privacy Office also assists health clinics and care areas that are outside of the health care component with privacy concerns and issues, has oversight for UofL’s compliance with Section 1557 of the Affordable Care Act, and oversight for UofL’s compliance with the Children’s Online Privacy Protection Act.

    In addition to the daily operations and oversight of the UofL Privacy Office, the following projects are planned for the July 1, 2020 to June 30, 2021 fiscal year.

    1. Review/Update the Health Care Component of the UofL Hybrid Covered Entity

    Ensure that designation of the schools, colleges, departments, and administrative units included in the health care component of the UofL hybrid covered entity is accurate. Identification of these areas allows for appropriate oversight to ensure that UofL is in compliance with regulatory requirements.

    Review and update, as applicable, the current designation of the health care component of the hybrid covered entity to ensure that the designation of the health care component is correct.

    Review of UofL schools, colleges, departments, and administrative units to identify areas which are not currently in the health care component, but which should be moved into the health care component.

    2. Policies and Procedures

    Ensure that current policies and procedures are compliant with privacy regulations.

    Introduce the new Privacy Office HIPAA Policy Manual to the health care component via review/training sessions. [Note: The Privacy Office HIPAA Policy Manual will be finalized in June 2020].

  • Ensure that workforce members of the health care component have been trained regarding the Privacy Office HIPAA Policy Manual.

    3. HIPAA & HITECH Training for Workforce Members of the UofL Health Care Component

    Ensure that members of the UofL health care component of the hybrid entity are trained pursuant to HIPAA and HITECH regulations.

    Update the HIPAA training program to: 1) replace current training materials with new video-based format for basic HIPAA training; and 2) update the HIPAA training program requirements, deadlines, and sanctions to ensure that workforce members are appropriately trained regarding HIPAA and HITECH regulations.

    Conduct reviews of training records to ensure that workforce members of the health care component have received required HIPAA training.

    4. HIPAA Privacy Risk Assessment

    Utilize a HIPAA privacy risk assessment to identify vulnerable areas within the UofL health care component where PHI may be at risk of inappropriate use, disclosure, or access.

    Identify organizational workflows and safeguards within the health care component covered entities to determine the flow of PHI internally and externally to detect areas where inappropriate use, disclosure, or access to PHI is a risk.

    Review current practices and procedures for access to PHI, disclosure of PHI, and storage of PHI by faculty, staff, and students within the health care component to ensure that PHI is properly used, disclosed, and stored.

    Implement a schedule to monitor and audit covered entities within the health care component to ensure compliance with UofL policies and procedures and with HIPAA requirements for safeguards of PHI.

    5. Business Associate Agreement Review

    Ensure that Business Associate Agreement (BAA) database is updated and accurate.

    Review the BAA database and consult with members of the health care component to determine active vs. inactive BAAs.

    6. Resource for the UofL Community

    Serve as a resource for administrators, faculty, staff, students, patients, and the community regarding privacy protection and safeguards.

    Design awareness campaigns and participate in campus awareness programs to ensure that the UofL community is aware of the services offered by the Privacy Office.

    Assist departments, divisions, and schools within the UofL community with classroom and community presentations and trainings to broaden awareness of the services provided by the Privacy Office.

    Assist departments, divisions, and schools within the UofL community as requested to respond to privacy questions and concerns.

    7. Affordable Care Act Section 1557 Regulation

    Ensure that UofL’s schools, colleges, departments, and administrative units which are regulated by the Affordable Care Act Section 1557 are in compliance with regulatory requirements.

    Review and update, as applicable, the current designation of all UofL schools, colleges, departments, and administrative units to identify areas that are required to follow the Section 1557 regulations.

    Conduct a risk assessment of all areas which are required to follow Section 1557 regulations to ensure that appropriate resources and training are in place to allow the areas to comply with the regulations.

    8. Children’s Online Privacy Protection Act (COPPA)

    Ensure that UofL’s schools, colleges, departments, and administrative units are in compliance with the Children’s Online Privacy Protection Act.

    Begin review of COPPA regulations and requirements. Once review of regulations and requirements is complete, begin identification of the areas within UofL which may be impacted by COPPA regulations.

  • Conflict of Interest and Commitment Office

    Annual Work Plan 2020-2021

    The University of Louisville and its Affiliates expect Covered Persons to conduct University affairs with high ethical and legal standards and in a manner that supports the University mission. As part of this duty, Covered Persons must apply their University time and effort correctly and use University assets properly. Use of University assets or University time damaging to the University mission or for personal advantage represents a conflict of interest. The Conflict of Interest and Commitment Office (COIC Office) mission is to support and monitor standards to reduce or eliminate such conflicts and protect the financial well-being, reputation, and legal duties of the University. The COIC Office reviews any disclosed external interest to identify conflicts of interest and determines if the conflict of interest can be managed or reduced, or if the interest would need to be eliminated. The COIC Office provides ongoing development of COIC policies and procedures, education and training, monitoring, communication, and response to reported issues as required by University policy and federal regulations. The COIC Office will conduct the following activities as part of its Annual Work Plan for July 1, 2020 to June 30, 2021.

    1. Provide Oversight of Conflict of Interest and Commitment Related Activities

    Promote compliance among UofL covered persons with applicable university COIC policy and federal, state and local laws and regulations.

    Develop monitoring tool for individuals overseeing approved management plans.

    Develop/present COIC educational sessions for covered person population.

    Revise COIC Office standard operating procedures.

    2. Develop Effective Lines of Communication

    Strengthen communication pathways that allow the dissemination of education and regulatory information and provide a mechanism for reporting COIC issues.

    Coordinate COIC consultations, as requested.

    Maintain and promote the Conflict of Interest and Commitment Office website.

    Develop start-up guidance (in conjunction with EPI-Center).

    3. Conduct Effective Training and Education

    Educate the UofL community on its compliance responsibilities and regulatory obligations related to conflicts of interest and commitment.

    Update COIC training included in disclosure form.

    Update/develop infographics related to COIC topics.

    Issue announcements regarding covered persons’ responsibilities related to conflicts of interest and commitment.

  • 4. Implement Revised Policies and Procedures

    Implement revised university policies and procedures that reflect UofL’s commitment to conducting affairs without unmanaged conflicts of interest/commitment.

    Complete revisions to COIC policy and procedure and secure Trustees’ approval.

    Develop implementation plan for revised COIC policy and procedure.

    Update disclosure form to be in sync with revised policy and procedure.

    Initiate pilot rollout of Conflict of Commitment review procedures.

    5. Conduct Internal Monitoring and Compliance Reviews

    Identify and remediate noncompliance with COIC policy and procedure through proactive review and monitoring.

    Strengthen COIC compliance reporting available to Units/Departments.

    Follow-up with Appropriate Authorities to identify/address issues with approved management plans.

    Monitor approved management plans.

    6. Respond Promptly to Detected Problems and Undertake Corrective Actions

    Conduct timely investigations of allegations of noncompliance with COIC policy and procedure and provide guidance on corrective actions.

    Receive and evaluate reports and allegations of unmanaged COICs or noncompliance with approved management plans.

    Provide recommendations for corrective actions and improvement to prevent further occurrences of noncompliance.

    7. Measure Program Effectiveness

    Evaluate the overall compliance with COIC policy and the performance of the University Integrity and Compliance Office.

    Develop metric reports for units/departments.

    Develop metric reports for sponsored programs.

    Develop metric reports for the COIC Office.

  • The Department of Risk Management and Insurance

    Annual Work Plan 2020-2021 The Department of Risk Management and Insurance’s (RMI) mission is to reduce the probability of risks to person, property, and/or business of the university and safeguard resources. RMI provides centralized and independent administration of the University of Louisville’s Enterprise Risk Management program. RMI administers the university’s commercial insurance program including but not limited to general and professional liability, property, cyber, crime, and automobile, along with workers compensation. RMI has oversight of all university sponsored and third-party Youth Protection programming. Through collaboration with university departments and leadership, RMI evaluates and assists in the mitigation of potential risks and promotes a culture of risk awareness throughout the university. RMI will do the following activities as part of the Annual Work Plan for July 1, 2020 to June 30, 2021.

    1. Oversight of University Risk and Insurance Programs

    Continual assessment of the university’s risk exposures and the commercial insurance marketplace by benchmarking, market analysis, and research.

    Risk & Insurance – Review existing insurance policies, market trends, and identified exposures, for a gap analysis.

    Youth Protection – Provide guidance and support to all university departments to proactively mitigate risk regarding youth programs.

    2. Effective Communication

    Create communication pathways that promote education, collaborative communication, and procedural guidance and support.

    Risk & Insurance – Continue to provide timely responses to coverage inquiries; update the Risk Management website for user-friendly access to risk and insurance information.

    Youth Protection – Provide timely responses to program inquiries; update the Youth Protection webpage for user-friendly access to risk insurance information.

    3. Training and Education

    Educate the university community on Risk Management, Insurance and Youth Protection for an understanding of procedural responsibilities.

    Risk, Insurance, & Youth – Utilize the Risk Management website to provide virtual training information. Utilize all carrier-based online training.

  • Risk, Insurance, & Youth – Online or synchronous training opportunities to learn about policies and procedures.

    Risk, Insurance, & Youth – Utilize UofL communication platforms (UofL Today) to provide tips, awareness and updates.

    4. Policies and Procedures

    Revise and/or develop university policies and procedures that reflect UofL’s commitment to Risk Management, Insurance and Youth Protection.

    Risk & Insurance – Annually review existing policies and procedures; update, add, or delete as necessary.

    Youth Protection – Obtain final approval for the updated policies and handbook, with an annual review thereafter.

    Risk, Insurance, & Youth – Complete annual benchmarking of Risk, Insurance and Youth Protection policies.

    5. Conduct Internal Monitoring and Reviews

    Identify and assess potential risk exposures and department involvement.

    Risk & Insurance – Conduct interviews and risk assessments with university departments and review loss analysis for trends to develop proactive prevention methods and mitigation strategies.

    Youth Protection – Annually complete program inventory and monitor program data.

    6. Prompt Response to Loss

    Conduct timely investigations of incidents, make necessary reports and notifications, collaborate with third parties (Insurance Carriers), and provide guidance for corrective actions.

    Risk & Insurance – Investigate loss and evaluate mitigation methods, involving third-party entities when necessary.

    Youth Protection – Ensure open communication with youth programs and make necessary escalated reports in accordance with Youth Protection policies.

    7. Enforce and Promote Risk Awareness

    Promote the Risk Management, Insurance and Youth Protection programs, policies, and procedures, and the potential consequences for non-compliance.

    Risk & Insurance – Use university platforms to educate the university community regarding risk and the advantages of mitigation, and describe probable negative outcomes of non-compliance.

    Youth Protection – Educate Departments on consequences for non-compliance. Escalate to leadership for potential program discipline.

    8. Measure Program Effectiveness

  • Evaluate the overall Insurance, and Youth Protection Program culture of UofL and the performance of the department.

    Risk and Insurance – Analyze university claim trends and determine loss ratios per policies for renewal.

    Youth Protection – Provide data reports annually for program cost vs incident reports, evaluate registered programs vs. inventoried, satisfaction survey, and fully compliant programs.

  • The mission of Audit Services is to provide the university and its affiliates with independent and objective assurance and consulting services. The services are designed to add value, improve the university’s operations, and help the university accomplish its objectives. This is done by bringing a systematic, disciplined approach for evaluating and improving the effectiveness of risk management, control, and governance. All Audit Services activities are conducted in compliance with university objectives and policies, as well as the Code of Ethics and International Standards for the Professional Practice of Internal Auditing, as defined by the Institute of Internal Auditors (IIA).

    Audit Services currently employs three professional auditors with a combined experience of over 80 years in higher education and government. In January 2020, the Information Technology auditor position became vacant through retirement. A search to fill the position will be conducted as soon as practical. Senior staff members are certified in the practice of internal audit by internationally recognized professional organizations and adhere to a code of ethics and principles promoting internal audit. Junior staff members are strongly encouraged to obtain professional certification.

    This report is a summary of the department’s activities since September 2019. During the period Audit Services has received full cooperation from all administration, staff, and faculty.

    NOTE ON COVID-19 EMERGENCY

    Since March 2020, Audit Services staff has worked remotely under the guidelines promulgated by the university. While staff has been productive, the emergency has negatively impacted planned audit projects and department initiatives. In addition, the planned recruitment of new staff has been shelved and the recruitment of an IT auditor has been delayed.

    RISK ASSESSMENT AND AUDIT PLAN DEVELOPMENT

    Audit Services performs an annual risk assessment to determine the best strategy for deployment of department resources. The assessment attempts to identify high risk activities using an evaluation of the following areas: Regulatory Exposure, Operational Risk (Complexity), Financial Exposure, Environmental Risk, and Strategic Risk. Interviews are conducted with key administration. Based on the results of this evaluation the attached proposed audit plan was created and audits have been scheduled pending the approval of the Board of Trustees. The proposed audit plan will be continuously evaluated. Planned projects can be deferred, cancelled, or added based on this evaluation. In addition, administration can request a consulting project to obtain help in identifying solutions to known issues, to obtain advice in achieving operational efficiencies, or obtain advice on internal controls that can be built into new operations, policies, or procedures. Audit Services is also responsible for conducting administrative investigations into cases of alleged fiscal misconduct. Although resources have been budgeted, investigations can result in adjustments to planned audits.

    Attached is the Proposed 2020-2021 Annual Audit Plan for your approval.

  • AUDIT ISSUE FOLLOW-UP PROCESS

    Audit Services tracks all open audit issues using an automated web-based system. The issue owner is responsible for entering status updates and informing Audit Services when action plans have been implemented. Audit Services reviews each implemented plan and verifies the implementation effectiveness through additional testing, document review, or interviews with staff. Issues are not closed until the auditor is satisfied that the underlying risk has been sufficiently addressed. Formal follow-up projects will only be scheduled if a project is assigned an “unsatisfactory” project rating and mitigation cannot be effectively evaluated during the issue closeout process.

    A report of pending audit issues is generated quarterly, shared with administration, and is attached to this report.

    RESOURCE BUDGET

    Audit Services is staffed by three professional auditors and the director. All senior staff are certified with expertise in fraud examination, risk management, internal audit, and information technology. The available resources and allocation for 2020-2021 are illustrated in the table below.

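    Resource Budget (in hours)

    | Category | 2020-2021 Budget | Percent |
    |---|---|---|
    | Total Available Hours | 5,850 | 100% |
    | Total Non-Work Hours | 879 | 15% |
    | Total Administration | 506 | 14% |
    | Total Projects | 4,169 | 71% |

    Project Breakdown by Type

    | Category | 2020-2021 Budget | Percent |
    |---|---|---|
    | Assurance Projects | 3,549 | 75% |
    | Consulting/Investigation | 620 | 25% |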

    Non-work hours are university provided benefits, such as holidays, vacation, and sick leave, and the time the university is closed due to weather events or emergencies. Administration consists of the time spent in department management, staff development and training, and other activities that are not directly related to a project.

  • AUDIT SERVICES PROJECTS

    Audit Reports Issued

    Project: HSC Accounts Receivable Billing and Collections

    Project Rating: Excellent

    The Office of the Executive Vice President for Health Affairs centralized hospital-based contract billing and collections processing. While this has strengthened the internal control environment, less than 50% of all HSC accounts receivable balances were included in the centralization. This project included only the centralized receivable balances and processing. The objectives of the audit were to obtain reasonable assurance that:

    Internal controls over contract billing and collection activities were implemented and effective in reducing the inherent risks.

    Accounts receivable were properly recorded, adjustments were approved, and collection and write-off processes were adequately managed.

    Accounts receivable balances were routinely reconciled to the general ledger.

    One moderate priority issue was identified:

    | Issue Title | Priority | Action Plan Target Implementation Date/Status |
    |---|---|---|
    | Enhance the Security of Payments Received by Check | Moderate | Implemented |

    Project: OnBase Content Management System

    Project Rating: Needs Improvement

    OnBase is a third-party vendor software system that serves as the university’s platform for managing and storing document images. It is also an electronic routing system that facilitates approval and data capture. The objectives of the project were to obtain reasonable assurance that:

    Controls over OnBase processes were adequate to provide complete and accurate information processing.

    Content and documents were adequately secured against unauthorized access, modification, and disclosure.

    Processes and procedures complied with university information security policies and applicable regulations.

  • Issues identified during the project were:

    | Issue Title | Priority | Action Plan Target Implementation Date/Status |
    |---|---|---|
    | Encrypt Document Images That Contain Sensitive Information | High | September 30, 2020 |
    | Review OnBase Access | High | Implemented |
    | Comply with Document Retention Policy and Regulations | Moderate | September 30, 2020 |

    Project: Athletics Spirit Groups

    Project Rating: N/A

    Internal control weaknesses were identified in the management and oversight provided to the Athletics Spirit Groups which contributed to the monetary losses experienced by the department under the tenure of the former Spirit Groups coordinator. This report is ancillary to a misconduct investigation conducted by Audit Services, and accordingly a project rating and issue priorities were not assigned. Athletics administration has implemented, or is in process of implementing, corrective actions in the following areas.

    | Issue Title | Action Plan Target Implementation Date/Status |
    |---|---|
    | Spirit Group Governance and Oversight | October 1, 2020 |
    | Fundraising Policies and Procedures | Implemented |
    | University and Athletics Cash Handling Policies and Procedures | Implemented |
    | Spirit Group Appearances | Implemented |
    | Duplicate and Unauthorized Travel Payments | July 1, 2020 |
    | Unauthorized Purchases | Implemented |
    | Student Scholarships | Implemented |
    | Distribution and Sale of Discounted Athletics Tickets | Implemented |
    | Conflict of Interest Reporting and Management | Implemented |
    | ULAA Digital Imagery Restrictions | Implemented |
    | Roster Recordkeeping | Implemented |

  • Projects in Process

    Human Resources Staff Compensation and Hiring

    Audit Services performed an operational audit of Human Resources’ staff compensation approval and hiring processes. The objectives of the audit were to obtain reasonable assurance that:

    Internal controls are adequate and effective in mitigating the inherent risks.

    Processes are compliant with applicable laws, regulations, and university policies.

    Significant processes are efficient and effective in assisting the department achieve its goals and objectives.

    Audit Services evaluated the current controls over Human Resources’ staff compensation approval and hiring processes, including job changes such as reclassification and in-range adjustments. The evaluation also included compliance with equal opportunity clause requirements and HR policies governing staff employment and compensation, as well as the effectiveness and efficiency of related procedures. Faculty and administrator positions were excluded. Testing was performed on hiring and compensation transactions occurring between July 1, 2018 and June 30, 2019 to support conclusions and recommendations.

    A draft report has been issued for management comment and action plan development.

    Distributed Server Security

    Audit Services is completing a follow-up project of the Information Security – Servers project, which received an “Unsatisfactory” rating in the report issued on September 25, 2017. The draft report is in process of administration review.

    IT Disaster Recovery Test Observation

    On February 11-12, 2020, a disaster recovery (DR) exercise was conducted by Information Technology Services (ITS) to test the restoration of the university’s network and system infrastructure at the UofL Miller Information Technology Center (MITC) location and the recovery of the PeopleSoft systems and auxiliary support applications. This was the second time a DR test was conducted after the university contracted with the current third-party DR services provider. Several systems, applications, or components were included in the test for the first time, including I Drive, PeopleSoft Campus Solutions system, PeopleSoft Human Resources system, BI Reporting, Business Operations (system infrastructure only), and SQL Cluster server. This was also the first DR test without Tivoli Storage Manager (TSM), the IBM backup and recovery product the university retired in December 2019. The test was executed from the MITC via web connectivity to the university's third-party disaster recovery services provider. Audit Services observed the planning and execution of this test, evaluated the test results, and reviewed associated disaster recovery plan documentation.

    A draft report has been issued to ITS administration for comment and action plan development.

    Diabetes and Obesity Center, Efficiency and Effectiveness Review and Prior Audit Follow-Up

    In August 2019, administration of the Diabetes and Obesity Center requested that Audit Services perform an effectiveness and efficiency review of the Core Research Laboratories established with funding from a Centers of Biomedical Research Excellence (COBRE) grant. In 2017, Audit Services performed a routine audit of the Diabetes and Obesity Center’s administrative business activities. At that time a project rating of “Needs Improvement” was assigned. This project included follow-up procedures to evaluate the effectiveness of the mitigation actions adopted as a result of the 2017 audit.

    A draft report has been issued to administration for comment and action plan development.

    Contracted Services

    Audit Services is in process of performing an operational audit of Contracted Services. The scope of the audit includes an evaluation of business services’ management of the major contracted services, to ensure orderly and effective administration and operation of the services program. Major service contracts include managed print, mail, bookstore, dining, and vending.

    The preliminary objectives of the audit will be to obtain reasonable assurance that:

    Internal controls over contracted services are implemented and effective in reducing the inherent risks.

    Contracted activity is adequately monitored, reported, and routinely reconciled.

    Service providers are held accountable to achievement of contracted service metrics and performance goals.

    Procurement Services

    A routine operational audit of Procurement services is in the planning stage. The scope and objectives of the project will be to obtain reasonable assurance that:

  • Key internal controls over procurement activity are implemented and effective in reducing inherent risks.

    Procurement practices are compliant with applicable laws, regulations, and university policies.

    Significant processes are efficient and effective in assisting Procurement Services achieve its goals and mission.

    The planned scope of the audit will include contract management processes centrally administered by Procurement Services, focusing on contract development, execution, and monitoring. A high-level risk assessment of Uniform Guidance procurement standards will also be performed. Contracts active between 5/1/2019 and 4/30/2020 and their related documentation may be selected for testing to support conclusions and recommendations. The audit will not include construction contracts, personal service contracts (as governed by KRS 45A.690 – 45A.695), or ProCard processes.

    OTHER ACTIVITIES

    Other projects include consulting projects, investigations, and other projects requested by administration.

    Investigations

    Audit Services completed 1 investigation from September 30, 2019 through May 29, 2020. One additional investigation is in process.

    Continuous Monitoring Activities

    To achieve better audit coverage of higher risk activities, the development of a continuous auditing and monitoring program is a best practice. In the fall of 2018, Audit Services began using a new data analysis tool to prepare reports that are meaningful. We are developing new reports that both Audit Services and Administration can use to better monitor for errors and omissions.

    Consulting

    Audit Services continues to consult with administration on new processes and procedures to help identify best practices, significant risks, and to recommend effective and cost-efficient controls.

    ProCard Monitoring

    Audit Services meets quarterly with staff responsible for managing the ProCard program at the university. The ProCard is a credit card program offered through PNC that allows departments to make allowed purchases without going through the formal procurement process. The quarterly meetings are held to review trends, potential program changes, and the results of monitoring.

    Bursar’s Office

    Administration has requested Audit Services to review the internal controls that have been implemented in the Bursar’s Office over cashiering, system access, and student receivables.

  • 2019-2020 AUDIT PLAN STATUS REPORT

    Compliance - Routine Audits to obtain reasonable assurance that the university is compliant with applicable laws, regulations, third party obligations, or university policy.

    | Project Name | Status |
    |---|---|
    | Contracted Services | In Process |
    | Diabetes and Obesity Center – Follow Up | Report out for action plan development |

    Operational/Internal Control Reviews - Routine audits to obtain reasonable assurance tha

