Committees of the University of Louisville Board of Trustees and
Research Foundation Board of Directors
Schedule of Meetings
June 25, 2020
Virtual Meeting Click here to view the livestream
1:00 p.m. Audit, Compliance, Risk Committee of BOT and ULRF: Rogers, Black, Chilton, Smith, Stewart (Advisor, non-voting)
1:20 p.m. Academic and Student Affairs Committee: Burse, Black, Frazier, Noble, Wallace-Boaz, Wright
1:40 p.m. Finance Committee: Medley, Brinkman, Burse, Noble, Wallace-Boaz
2:00 p.m. Executive Committee, Research Foundation: Rogers, Frazier, Medley, Chilton
2:05 p.m. Executive Committee, Board of Trustees: Nixon, Burse, Medley, Black, Rogers, Smith
All meetings will run consecutively.
Page 1 of 255
https://www.youtube.com/channel/UCgrZKOAWEwZGvRxymq0Qvhg/live
MEETING OF THE AUDIT, COMPLIANCE, AND RISK COMMITTEE OF THE UNIVERSITY OF LOUISVILLE BOARD OF TRUSTEES AND
RESEARCH FOUNDATION BOARD OF DIRECTORS
1:00 p.m., June 25, 2020
Virtual Meeting Click here to view the livestream
In Open Session
I. Call to Order (Rogers)
• Approval of Minutes, 10-24-2019
II. Information Item: Independent External Audit Services Plan (Suda)
III. Report of the VP for Risk Management, Audit, & Compliance (Russell)
• Status Updates
• Work Plan
• Audit Services Status Report
IV. Action Item: Approval of 2020-21 Audit Services Work Plan (Russell)
V. Adjournment (Rogers)
Committee Members:
James Rogers, Chair
Bonita Black
John Chilton
John D. Smith
Gary Stewart, Advisor, Non-voting
MINUTES OF THE MEETING OF THE AUDIT, COMPLIANCE, AND RISK COMMITTEE OF THE
BOARD OF TRUSTEES OF THE UNIVERSITY OF LOUISVILLE AND THE BOARD OF DIRECTORS OF THE UofL RESEARCH FOUNDATION, INC.
October 24, 2019
In Open Session
Members of the Audit, Compliance, and Risk Committee of the University of Louisville Board of Trustees and UofL Research Foundation Board of Directors met at 1:23 p.m. on October 24, 2019, in the atrium of the Arts and Sciences Rowan Building at 1606 Rowan Street, Louisville, KY 40203, with members present and absent as follows:
Present:
Mr. James Rogers, Chair
Ms. Bonita Black
Mr. John Smith
Mr. Gary Stewart, Advisor, non-voting

Other Trustees Present:
Dr. Raymond Burse
Mr. David Grissom
Ms. Diane Medley
Ms. Mary Nixon
Mr. Jasper Noble
Prof. Krista Wallace-Boaz
Dr. Ron Wright

From the University:
Dr. Neeli Bendapudi, President
Dr. Beth Boehm, Executive Vice President and University Provost
Dr. Robert Keynton, Executive Vice President for Research and Innovation
Mr. Dan Durbin, Vice President for Finance and CFO
Mr. Vince Tyra, Vice President for Athletics and Athletic Director
Ms. Amy Shoemaker, Deputy General Counsel and Assoc. Athletic Director
Mr. Thomas Hoy, General Counsel
Ms. Shannon Rickett, Assistant Vice President for Government Relations
Ms. Sandy Russell, Assistant Vice President for Risk and Compliance
Mr. Mark Watkins, Sr. Assoc. Vice President for Operations
Dr. Toni Ganzel, Executive Dean, School of Medicine
Mr. John Drees, Sr. Associate Vice President for Communications & Marketing
Mr. John Karman, Director of Media Relations, Communications & Marketing
Dr. Faye Jones, Sr. Associate Vice President for Diversity and Equity
Dr. Michael Mardis, Dean of Students & Vice Provost for Student Affairs
Mr. Jeff Spoelker, Associate Athletic Director for Finance
Dr. Pat Ivey, Assoc. Athletic Director for Student Athlete Health & Performance
Mr. Walter Newell, Treasurer/Controller
Ms. Kim Noltemeyer, Sr. Unit Business Manager, Planning, Design & Constr.
Ms. Beverly Santamouris, Director of Accounting and Reporting
Ms. Kimberly Adams, Chief Information Security Officer
Ms. Jennifer Mudd, Integrity and Compliance Manager
Ms. Cheri Jones, Director of Audit Services
Prof. Sharon Moore, Faculty Director, ULAA
Dr. Aesha Uqdah, Director of the Counseling Center
Dr. Rashmi Assudani, ACE Fellow
Mr. David Adams, Accounting Supervisor
Ms. Tanisha Allen, Senior Accounting Specialist
Ms. Michelle Comer, Assistant Director of Accounting and Financing Reporting
Mr. Matt Cushing, Accountant III
Ms. Amanda Snyder, Accountant II
Ms. Kelly Rose, Accountant I
Ms. Danielle Woods, Accountant I
Mr. Michael Wade Smith, Chief of Staff to the President
Mr. Jake Beamer, Boards Liaison and Assistant Secretary

Others:
Mr. Chris Suda, CliftonLarsonAllen, LLC
Mr. Ethan Lay, CliftonLarsonAllen, LLC
I. Call to Order
Having determined a quorum present, Chair Rogers called the meeting to order at 1:23 p.m.
Approval of Minutes, 6-20-2019
Ms. Black made a motion, which Mr. Smith seconded, to approve the minutes of the June 20, 2019 meeting.
The motion passed.
II. Action Item: Approval of ULRF Audited Financial Statements
Messrs. Suda and Lay provided an overview of the work completed by CliftonLarsonAllen (CLA) using the attached presentation. They then presented the audited financial statements of the UofL Research Foundation, Inc. and fielded questions from the committee.
Ms. Black made a motion, which Mr. Smith seconded, to approve the President’s recommendation that the ULRF Board of Directors approve the audited financial statements for the period ending June 30, 2019 and Independent Auditor’s Report as presented under Governmental Accounting Standards (GASB) 34, as attached.
The motion passed.
III. UofL Audited Financial Statements
Information Item: FY 2019 Financial Results
Using the attached presentation, Mr. Durbin presented to the committee the university financial results for fiscal year 2019. Highlights included: the university ended the year with an unqualified “clean” audit; total revenues increased by 5% from the prior year to $1.099 billion; total expenses increased by 3% from the prior year to $1.076 billion; the net position or financial value of the institution increased by $23 million, a significant growth over the prior year performance of $3 million; the liquidity position is improving; and the university’s financial position remains strong with total assets and deferred outflows of $1.3 billion.
He then fielded questions from committee members.
No action was taken.
Action Item: Approval of Statements
Mr. Suda then presented the university’s audited financial statements, and with Mr. Lay, fielded questions from committee members.
Mr. Smith made a motion, which Ms. Black seconded, to approve the President’s recommendation that the Board of Trustees approve the audited financial statements for the period ending June 30, 2019 and Independent Auditor’s Report as presented under Governmental Accounting Standards Board (GASB) 34, as attached.
The motion passed.
IV. Information Item: Update from University Risk and Compliance
Ms. Russell provided an update on risk and compliance using the attached presentation. This included statistics on the university’s complaint hotline and the audit services report as of September 30, 2019.
The audit services report is a summary of the department’s activities over the last fiscal year and includes risk assessment and audit plan development information, the 2017-18 and 2018-19 audit plan results, quality assurance improvement program, issued audit reports (compliance, operational, information technology), projects in process, continuous monitoring activities, and consulting activities.
Ms. Russell also provided a status report on the 2019-20 Audit Plan. She then fielded questions from committee members.
No action was taken.
V. Adjournment
Having no other business to come before the committee, Ms. Black made a motion, which Mr. Smith seconded, to adjourn.
The motion passed and the meeting adjourned at 1:41 p.m.
Approved by:
________________________ Assistant Secretary
WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING
Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC‐registered investment advisor
©2020 CliftonLarsonAllen LLP
University of Louisville
Fiscal Year Ended June 30, 2020
Independent External Audit Services Plan
Presentation to the Audit Committee
June 25, 2020
Create Opportunities
Agenda
• Engagement scope and deliverables
• Engagement team
• CLA’s responsibilities
• University’s responsibilities
• Financial audit
• Audit methodology
• Preliminary risk assessments
• Single audit
• Engagement timeline
• Accounting and auditing standards
Engagement Scope and Deliverables
For the Year Ended June 30, 2020
• Independent auditors’ reports on the financial statements of:
  – University of Louisville
  – University of Louisville Athletic Association, Inc.
  – University of Louisville Research Foundation, Inc.
• Independent Auditors’ Reports on Internal Control over Financial Reporting and on Compliance and Other Matters Based on an Audit of Financial Statements Performed in Accordance With Government Auditing Standards (Yellow Book Report)
• Uniform Guidance Single Audit reports on expenditures of federal awards, internal controls and compliance for the University.
• University of Louisville Athletic Association, Inc. NCAA agreed‐upon procedures report on compliance with requirements relating to activities of revenues and expenses as updated by NCAA amendments
• Report on compliance with provisions of House Bill 622.
• Report on Lease Law Compliance.
• Reports to the Audit Committee on required auditor communications.
Engagement Leadership Team
• Amanda Kemp, Director
• Chris Suda, Principal
• Don Loberg, Principal
• Josh Wilks, Principal
• Tim Richter, Director
• Kyla Greenhoe, Director
Engagement Team (Continued)
Name: Role. Contact details
• Chris Suda: CLA engagement principal with responsibility for the overall audit. Phone: 314‐925‐4395 (Direct). Email: [email protected]
• Don Loberg: CLA engagement principal with responsibility for consulting projects (as requested). Phone: 612‐397‐3064 (Direct). Email: [email protected]
• Josh Wilks: CLA engagement principal with responsibility for audit work related to the Hospital. Phone: 314‐925‐4309 (Direct). Email: [email protected]
• Tim Richter: CLA engagement director with responsibility for financial statement audits. Phone: 314‐925‐4304 (Direct). Email: [email protected]
• Brenda Scherer: CLA engagement director with responsibility for the student financial aid advisory role. Phone: 612‐376‐4626 (Direct). Email: [email protected]
• Kyla Greenhoe: CLA engagement manager with responsibility for the single audit under Uniform Guidance. Phone: 317‐569‐6137 (Direct). Email: [email protected]
• Amanda Kemp: CLA engagement director with responsibility for the information systems review. Phone: 267‐419‐1624 (Direct). Email: [email protected]
• Andrew Zebell: CLA engagement manager with responsibility for the financial audit. Phone: 314‐925‐4357 (Direct). Email: [email protected]
• Ethan Lay: CLA engagement senior with responsibility for the financial audit and single audit. Phone: 314‐925‐4416 (Direct). Email: [email protected]
CLA’s Responsibilities
• Forming and expressing opinions about whether the financial statements that have been prepared by management with the oversight of those charged with governance are presented fairly, in all material respects, in conformity with generally accepted accounting principles (GAAP).
• Planning and performing the audit to obtain reasonable, not absolute, assurance about whether the financial statements are free of material misstatement, whether caused by fraud or error. Because of the nature of audit evidence and the characteristics of fraud, we are able to obtain reasonable, but not absolute, assurance that material misstatements will be detected. Our audit is not designed to detect error or fraud that is immaterial to the financial statements.
• Evaluating whether the University’s controls sufficiently address:
  – Identified risks of material misstatement due to fraud.
  – The risk of management override of other controls.
• Communicating to the Audit Committee, in writing, all significant deficiencies and material weaknesses in internal control identified in the audit and reporting to management deficiencies that, in our professional judgment, are of sufficient importance to merit management’s attention.
• Conducting an audit in accordance with professional standards, including:
  – Government Auditing Standards.
• Complying with the rules and regulations of the Code of Professional Conduct adopted by the American Institute of Certified Public Accountants and the ethical standards of state CPA societies and state boards of accountancy.
• Planning and performing an audit with an attitude of professional skepticism.
• Communicating all required information to the University management and to the Audit Committee of the Board of Trustees.
University Responsibilities
• Management’s Responsibilities
  – Adopting sound accounting policies.
  – Establishing and maintaining effective internal controls.
  – Fairly presenting the financial statements in conformity with GAAP.
  – Compliance with provisions of laws, regulations, contracts, and grant agreements.
  – Making all financial records and related information available to the auditor.
  – Providing the auditor with a letter confirming certain representations made during the audit that include, but are not limited to, management’s:
    ◊ Disclosure of all significant deficiencies, including material weaknesses, in the design or operation of internal control that could adversely affect the University’s ability to initiate, authorize, record, process, or report financial data.
    ◊ Acknowledgement of their responsibility for the design and implementation of programs and controls to prevent, deter, and detect fraud.
University’s Responsibilities (Continued)
• Audit Committee’s Responsibilities
  – Oversight of the financial reporting process and oversight of internal controls.
  – Ultimately responsible for the establishment and maintenance of internal controls to prevent, deter, and detect fraud.
  – Ultimately responsible for setting the proper tone and creating and maintaining a culture of honesty and high ethical standards.
• Management and the Audit Committee’s Responsibilities
  – Establishing and maintaining internal controls to prevent, deter, and detect fraud.
  – Setting the proper tone and creating and maintaining a culture of honesty and high ethical standards.
  – The audit of the financial statements does not relieve management or the Audit Committee of their responsibilities.
Financial Audit
• Objective:
  – To express opinions on the financial statements of:
    ◊ University of Louisville
    ◊ University of Louisville Athletic Association, Inc.
    ◊ University of Louisville Research Foundation, Inc.
  – Independent Auditors’ Reports on Internal Control over Financial Reporting and on Compliance and Other Matters Based on an Audit of Financial Statements Performed in Accordance With Government Auditing Standards (Yellow Book Report)
  – NCAA Agreed‐upon procedures report on compliance
  – Report on compliance with provisions of House Bill 622.
  – Report on Lease Law Compliance.
• Areas of audit emphasis:
  – Fair presentation of financial statements
  – Internal controls over financial reporting
Audit Methodology
Phase 1: Planning & Strategy
Phase 2: Systems Evaluation
Phase 3: Testing & Analysis
Phase 4: Reporting & Follow‐Up
Continuous Communication
Audit Methodology (Continued)
Phase 1: Planning & Strategy
• Perform risk assessment procedures and identify risks
• Determine audit strategy
• Determine planned audit approach
• Evaluate the design and implementation of entity level controls
Phase 2: Systems Evaluation
• Understand accounting and reporting activities
• Evaluate design and implementation of selected controls
• Test operating effectiveness of selected controls
• Perform walk‐throughs of key controls
• Assess control risk and risk of significant misstatement
Phase 3: Testing & Analysis
• Plan substantive procedures
• Perform substantive procedures
• Consider if audit evidence is sufficient and appropriate
• Conclude on audit objectives
Phase 4: Reporting & Follow‐Up
• Perform completion procedures
• Perform overall evaluation
• Form an audit opinion
Preliminary Risk Assessment

Financial Statement Level Risk: Overall economic conditions / COVID 19 Pandemic
Description of Financial Statement Level Risk: Economic conditions and the COVID 19 pandemic continue to have an impact on the higher education industry, including declines in revenues and earnings. Environment creates a decreased market for tax‐exempt bonds and results in continued cost saving measures.
Planned Audit Approach: CLA will be mindful of the impact of the overall economy and the COVID 19 pandemic on the University. In particular, CLA will evaluate whether such conditions have resulted in any changes to the overall control environment of the University.

Financial Statement Level Risk: General Information Technology Controls
Description of Financial Statement Level Risk: General information technology controls have a pervasive impact on controls throughout the University.
Planned Audit Approach: The engagement team includes a member from CLA’s information systems securities group, who will perform walkthroughs and tests of design and operating effectiveness related to information technology general controls related to the general ledger, purchasing, payroll systems, and student billing system. Specific procedures will be performed related to access to programs and data, program changes, program development, computer operations, and end user computing.

Financial Statement Level Risk: Management Override of Controls
Description of Financial Statement Level Risk: As is the case for all entities, management is in a unique position to perpetrate fraud because of its ability to manipulate accounting records and prepare fraudulent financial statements by overriding controls that otherwise appear to be operating effectively. Although the level of risk of management override of controls will vary from entity to entity, the risk is, nevertheless, present in all entities. Due to the unpredictable way in which such override could occur, it is a risk of material misstatement due to fraud and, thus, a significant risk.
Planned Audit Approach: CLA will test the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of the financial statements. In designing and performing audit procedures for such tests, the auditor should: (1) obtain an understanding of the entity's financial reporting process and controls over journal entries and other adjustments, and the suitability of design and implementation of such controls; (2) make inquiries of individuals involved in the financial reporting process about inappropriate or unusual activity relating to the processing of journal entries and other adjustments; (3) consider fraud risk indicators, the nature and complexity of accounts, and entries processed outside the normal course of business; (4) select journal entries and other adjustments made at the end of a reporting period.
COVID‐19 Impact

Operations
• Auxiliaries and fees
• Cash flow
• CARES Act Higher Education Emergency Relief Fund (HEERF)
• Enrollment retention
• COVID related expenses

Audit and Accounting
• Risk assessment
• Accounting for relief funds
• Accounting for expenses and refunds
• Going concern considerations
• Additional disclosures
• Potential implementation delays

Compliance
• Student Financial Aid
  – No match required for certain programs (FSEOG, FWS)
  – FWS students are eligible to be paid unearned funds
  – Loans/grants not counted towards lifetime limits
  – Withdrawals: No Pell required to be returned
  – SAP allowances
• Other Federal Programs
  – CARES Act funding
  – Extension of spending and filing deadlines
  – Other compliance waivers
Single Audit
• Objective:
  – To determine that the University has established effective internal control over compliance with the requirements of federal awards, and has complied with laws and regulations that may have a material effect on the financial statements and major federal programs.
  – Forming and expressing an opinion about whether the University complied with the types of compliance requirements described in the US Office of Management and Budget (OMB) Compliance Supplement that could have a direct and material effect on each of its major federal programs.
• The federal program preliminarily considered a major program is the Student Financial Aid Cluster.
• Areas of audit emphasis:
  – Internal controls over compliance for major programs
  – Compliance requirements for major programs
Single Audit Methodology
Phase 1: Risk Assessment and Planning
Phase 2: Systems Evaluation
Phase 3: Final Assessment and Reporting
Continuous Communication
Engagement Timeline
Significant Milestones: Target Date
• Entrance conference: April 16, 2020
• Preliminary fieldwork started: May 18, 2020
• Final fieldwork starts: August 17, 2020
• Audit Committee update meeting: To Be Determined
• Exit conference – financial statements: September 25, 2020
• Final financial and compliance report issued: October 2, 2020
• Audit Committee closing meeting: To Be Determined
Accounting and Auditing Standards Changes
GASB statements (Implementation Postponed One Year):
• Effective for fiscal year ending June 30, 2020
  – GASB No. 84, Fiduciary Activities: Establishes criteria for identifying fiduciary activities for state and local governments, focusing on (1) whether the government is controlling the assets of the fiduciary activity, and (2) the beneficiaries with whom a fiduciary relationship exists. Different criteria are included for fiduciary component units and postemployment benefit arrangements.
  – GASB Statement No. 90, Majority Equity Interests—an amendment of GASB Statements No. 14 and No. 61: Defines a majority equity interest and specifies that a majority equity interest in a legally separate organization should be reported as an investment if a government’s holding of the equity interest meets the definition of investment.
Accounting and Auditing Standards Changes (Continued)
GASB Statements Postponed (Continued)
• Effective for fiscal year ending June 30, 2021
  – GASBS No. 87, Leases: Requires recognition of certain lease assets and liabilities for leases that were previously classified as operating leases, and establishes a single model for lease accounting based on the foundational principle that leases are financings of the right to use an underlying asset.
  – GASB Statement No. 89, Accounting for Interest Cost Incurred Before the End of a Construction Period: Requires interest cost incurred before the end of a construction period to be included in the historical cost of a capital asset reported in a business‐type activity or enterprise fund.
• Effective for fiscal year ending June 30, 2022
  – GASBS No. 91, Conduit Debt Obligations: The preliminary objectives of this statement are to provide a single method of reporting conduit debt obligations by issuers and eliminate diversity in practice associated with (1) commitments extended by issuers, (2) arrangements associated with conduit debt obligations, and (3) related note disclosures.
Audit, Compliance, and Risk Update
June 25, 2020
LOUISVILLE.EDU
Status of Compliance Reports 7/1/19 through 6/31/20
Period Ended May 31, 2020
Reports by Source:
• Hotline Initiated: 52
• Other Avenues (letter, email): 30
• Total: 82
Reports by Status:
• Open: 12
• Closed: 70
• Total: 82
Reports by Validity (Closed Reports):
• Unsubstantiated: 31
• Partially Substantiated: 6
• Substantiated: 16
• Insufficient Information/Other: 17
• Total: 70
Integrity and Compliance Activity Update
• New or Significantly Revised Policies
  – Student Pregnancy Accommodations
  – Moped, Scooter, and Motorcycle Use
  – Subrecipient Monitoring and Management
• Special Projects
  – New website for the online policy and procedure library
Status of University Information Security Report
Incidents, July 1, 2019 – May 31, 2019
• Non-Reportable: 10
• Reportable:
  – FERPA, KYPI and Dept. of Ed: 2
  – HIPAA and KYPI: 4
  – KYPI and FERPA: 0
  – FERPA only: 1
  – KYPI only: 0
• Compliance Investigation: 1
• Total number of Events: 18
University Information Security Office Activity Update
Promote security awareness training and education via in-person and special events.
• For the fiscal year 2019, the ISO has provided security training to over 600 faculty, staff and students. Training included access to five new areas and one external entity.
Risk Management and Assessment
• To date for the fiscal year 2019-2020, the ISO has performed in excess of 150 vendor review requests. More than 100 reviews have occurred during Q1/Q2 2020, including an e-signature product, conferencing platforms and other solutions related to work from home or online teaching due to the recent pandemic.
Risk Management Activity Update
Commercial Insurance Program
• Completed 14 Insurance Policy renewals with 7/1/20 renewal dates.
• Create Virtual Program guidelines, participation release, and code of conduct for on-line programs.
• Updating Youth Protection Policy and Procedures.
The Department of Audit Services
Annual Work Plan 2020-2021
The Department of Audit Services’ mission is to provide independent and objective assurance and consulting services designed to add value and improve the organization’s operations, and to help the organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. In doing so, Audit Services will be considered among the leaders in our profession by providing an environment rewarding diversity, empowerment, innovation, teamwork, and open communication.
1. Provide Independent and Objective Assurance and Consulting Services
Perform internal assurance and consulting projects based on an objective risk evaluation.
Perform high level risk evaluation and develop an audit plan based on the evaluation.
Continuously evaluate the relevance of the approved audit plan with consultation with university administration.
Execute the audit plan focusing on identified key risks and controls.
2. Develop Effective Lines of Communication
Communicate significant risks and controls, emerging risks, and render opinions on new and changing processes, opinions, significant procedures, regulations, and policies.
Conduct or attend periodic meetings with administration to discuss emerging risks and new initiatives.
Issue detailed, concise, and timely project reports that communicate control weaknesses, recommendations related to best practices, process improvements, expense reductions, and revenue enhancements.
Participate in task groups and evaluate new processes, policies, and procedures.
Prepare and distribute quarterly status reports on open audit issues. Prepare annual Board report on the status of the prior year audit plan.
3. Conduct Effective Training and Education
Increase community awareness of the red flags of fraud and an effective internal control environment.
Develop and implement an effective website with tools that the university community can use. Promote the website through official university communication.
Develop and implement training that can be conducted during department staff meetings, in-person training meetings, or with on-line training tools (consult with Delphi after the emergency status has ended).
4. Measure Program Effectiveness
Evaluate the Audit Services effectiveness in conducting projects and communicating results.
Conduct an annual survey with the assistance of the department of institutional effectiveness (after the emergency status has ended).
Perform internal quality assurance reviews on all assurance and consulting projects.
Monitor the existence of recurring issues or issues that are identified across many different projects.
5. Perform Independent Investigations of Fiscal Misconduct
Perform the initial assessment and applicable investigations of whether fiscal misconduct is likely to have occurred based on reports received through the university ethics hotline, directly from university officials, directly from concerned staff, vendors, outside parties, or through routine assurance and consulting projects.
Evaluate evidence for signs of fiscal misconduct for reports received from external sources. Conduct investigations, and report on the investigations to applicable departments (e.g., Counsel’s Office, University Police, President’s Office).
Develop and implement continuous monitoring reports in areas such as Accounts Payable and Payroll with a focus on the red flags (indicators) of fraudulent activity.
6. Improve Audit Coverage and Effectiveness
Improve the effectiveness of internal audit by utilizing technology and promoting staff education.
Develop and implement continuous monitoring reports in areas such as Accounts Payable and Payroll. Evaluate the reports for evidence of increased risk, new activity, and possible fraud.
Attend annual training events that promote knowledge of new techniques, technology, and improve the skills of staff.
Fully staff the department, hiring auditors with skills and knowledge necessary to fill knowledge gaps (e.g., IT Auditor).
The University Integrity and Compliance Office
Annual Work Plan 2020-2021
The University Integrity and Compliance Office (UICO) mission is to support and foster a culture of integrity, compliance, and accountability. The UICO provides centralized and independent oversight of the University of Louisville’s compliance and ethics programs and activities and risk mitigation efforts. The UICO provides ongoing development of effective policies and procedures, education and training, monitoring, communication, risk assessment, and response to reported issues as required by Chapter 8 of the Federal Sentencing Guidelines. These guidelines set forth the requirements of an effective compliance and ethics program for organizations and require not only promoting compliance with laws, but also promoting a culture of ethical conduct. The UICO will conduct the following activities as part of its Annual Work Plan for July 1, 2020 to June 30, 2021.
1. Provide Oversight of Compliance and Ethics and Related Activities
Promote accountability among UofL employees for compliance with applicable federal, state and local laws and regulations, and appoint knowledgeable individuals responsible for developing and implementing a comprehensive compliance and ethics program.
Finalize the draft Accountability Matrix that identifies compliance partners and their areas of responsibility.
Establish and lead the University Integrity and Compliance Advisory Committee consisting of compliance partners and appropriate university representation.
Develop a university-wide compliance and ethics charter.
2. Develop Effective Lines of Communication
Create communication pathways that allow the dissemination of education and regulatory information and provide a mechanism for reporting compliance activities or concerns.
Administer and promote the UofL Compliance and Ethics Hotline.
Maintain and promote the University Integrity and Compliance Office website.
3. Conduct Effective Training and Education
Educate the UofL community on its compliance responsibilities and regulatory obligations, and on the university integrity and compliance program.
Update online general compliance and ethics training for new employees.
Promote the employee code of conduct to all employees.
Issue announcements regarding employees’ duty to report and avenues for reporting concerns, including the compliance and ethics hotline.
4. Revise and/or Develop Policies and Procedures
Revise or develop university policies and procedures that reflect UofL’s commitment to ethical conduct and compliance with applicable laws and regulations.
Oversee and maintain the university’s online policy and procedure library.
Review and revise the university’s policy on Developing University Administrative Policies.
Review and update the policy creation and approval process to align with best practices. Communicate changes and provide education on the policy life-cycle.
Review and revise the university’s employee Code of Conduct.
5. Conduct Internal Monitoring and Compliance Reviews
Identify and remediate noncompliance through proactive review and monitoring of risk areas.
Review compliance and ethical reports for trends and risk areas, and address appropriately.
Follow up with compliance partners regarding risk mitigation plans to address high-risk areas identified through the compliance risk assessment process.
Oversee and monitor employees, vendors, and affiliates against governmental agency exclusion and/or debarment lists.
6. Respond Promptly to Detected Problems and Undertake Corrective Actions
Conduct timely investigations of allegations of noncompliance and provide guidance on corrective actions.
Receive and evaluate reports and allegations of misconduct and conduct investigations.
Provide recommendations for corrective actions and improvement to prevent further occurrences of noncompliance and/or unethical conduct.
7. Enforce/Promote Standards Through Appropriate Incentives and Disciplinary Guidelines
Promote the compliance and ethics program and university regulations, policies and procedures, and consequences of noncompliance.
Promote awareness of new or revised regulations, university policies and procedures, or other requirements applicable to the university.
Promote accountability and consistent discipline for identified occurrences of noncompliance and/or unethical conduct.
8. Measure Program Effectiveness
Evaluate the overall compliance and ethics culture of UofL and the performance of the University Integrity and Compliance Office.
Develop a Compliance and Ethics Culture Survey.
9. New Regulations and Special Projects
Partner with Human Resources and Payroll to educate university employees about Fair Labor Laws and ensure compliance with federal and state wage and hour laws.
Develop and launch a new university site to promote and store university policies and procedures.
Coordinate and conduct meetings of the IT Website Accessibility Work Group to ensure compliance with the Americans with Disabilities Act.
The Office of Athletic Compliance
Annual Work Plan 2020-2021
The mission of the Office of Athletics Compliance at the University of Louisville is to advance the NCAA Principle of Institutional Control and to provide our student-athletes, coaches, staff and outside constituents exemplary customer service, sound guidance, visibility and effective communication.
The Louisville Office of Athletics Compliance will provide thorough rules education of NCAA, ACC and University regulations, develop effective monitoring systems, and will promote a culture of compliance within both the Athletic Department and the University. Through ethical decision-making and conduct, integrity, monitoring and enforcement, this mission will provide a strong foundation for compliance and institutional control for the university and all of its stakeholders.
The Office of Athletic Compliance will conduct the following activities as part of its work plan from July 1, 2020 to June 30, 2021.
1. Continue Providing Enhanced Rules Education to all Constituent Groups
Deliver Comprehensive Rules Education across the Athletic Department, Campus Community, and Local Community, with an emphasis on key stakeholders.
Provide rules education to student-athletes, coaches, staff members, and boosters, with an emphasis on name, image and likeness, gambling and extra benefits.
Provide rules education to priority campus units (e.g., Admissions; Financial Aid; Bursar; Registrar; General Counsel; Alumni Affairs; etc.) at least once per calendar year; 2x if possible.
Enhance rules education outreach to boosters, local media, promotional partners and local businesses frequented by student-athletes, prioritizing bars/clubs, restaurants, barbershops, and automobile dealerships.
2. Continue Effective Outreach
Implement Innovative Educational Initiatives and Outreach Methods for our Coaches/Staff/Student-Athletes
Build in opportunities for regular visits to practice/sport facilities with coaches and staff (e.g., campus rounds)
Increase use of video conferencing software, Blackboard, social media, and other technologies in delivering rules education in a more efficient and comprehensive manner sensitive to social distancing best practices.
3. Increase Monitoring Efficiency
Enhance monitoring processes related to recruiting activities and time management plans through increased use of compliance software options.
Continue effective usage of TeamWorks software department wide for improved real time communication.
Deliver monthly monitoring reports to each sport with cc to compliance leads and sport administrators.
Effectively transition from JumpForward to ARMS compliance software to provide coaches/staff a more user-friendly recruiting and complimentary admission solution.
4. Develop Policies and Procedures for Student-Athlete Name, Image, and Likeness Legislation
Develop university policies and procedures that create a system of vetting, approval and monitoring to coincide with anticipated upcoming legislation that will allow student-athlete compensation for the use of their name, image, and/or likeness (NIL) in commercial activities.
Create internal NIL committee representative of specific areas related to this legislation (Compliance, Legal, Marketing, Corporate Sponsorships).
Create an effective process for student-athletes to vet potential opportunities to be pre-approved to avoid potential eligibility risks.
Create system to vet and educate potential third-party partners/influences in this process. Provide regular comprehensive rules education to student-athletes who seek out these opportunities and other involved third parties.
5. Internal Monitoring, Investigation and Violation Reporting
Continue to strengthen internal monitoring systems to detect and promptly report NCAA Level III violations, including continuing to set expectations for coaches, staff and student-athletes to self-report potential violations as required by NCAA rules.
Ensure timely submission and review of on- and off-campus recruiting activities.
Provide and emphasize with coaches, staff and student-athletes options and outlets for reporting violations or questionable activity they are aware of that could potentially lead to a violation.
Review and emphasize areas of focus related to the current NCAA probation, including housing and campus recruiting activities.
6. Prioritize Quality Control of Student-Athlete Academic Integrity Reviews.
Create campus protocols to review academic misconduct allegations involving students, to meet recent changes in NCAA rules related to reasonable standards in this area.
Involve the new Faculty Athletics Representative (FAR) and Committee on Academic Performance to review daily grade-change reports for possible inconsistency, review academic unit misconduct policies and enhance quality of unit degree audits.
Continue comprehensive academic misconduct rules education, defining roles and responsibilities of the FAR, CAP, and Academic Services and other stakeholders in the academic misconduct review process.
7. Review Head Coach Responsibility Audit Process
Review current Head Coach Responsibility protocols and audit process to enhance Head Coach compliance communication with their staff and method for documenting these activities.
Provide compliance education topics and methods to Head Coaches to increase their efficiency in communicating compliance topics and reviewing areas such as visits, 3rd parties, etc.
Create more efficiency in documenting the compliance communication process as it occurs, to protect the HC and program. Expand role and involvement of sport administrators in the HCR process.
8. Enhance Elite Student-Athlete Program Education
Continue to identify and create new educational initiatives for our elite student-athletes.
Develop updated programming to educate in areas such as NIL, extra benefits, prize money, and financial literacy for student-athletes focused on professional sport or Olympic participation. Continue review of amateurism profiles of incoming high-profile student-athletes.
9. Promote Staff Professional Development
Prioritize the need to provide and encourage professional development opportunities for staff in multiple areas of athletics.
Provide funding and opportunity for staff to enhance their professional profile through professional development both in and out of compliance.
Promote work/life balance by reviewing workloads and setting expectations with coaches and staff.
Encourage opportunities to increase staff exposure to all areas of athletic department operations to expand network and future professional advancement.
10. New Faculty Athletics Representative Orientation
Provide comprehensive orientation for the new FAR relative to her role and responsibilities.
Provide comprehensive education on the policies and procedures of the NCAA/ACC and other job responsibilities related to the role of Faculty Athletics Representative, including academic certification, missed class time policies, academic misconduct, coaches’ recruiting exam, NCAA waiver sign-off, and NCAA/ACC legislative review.
Information Security Office
Annual Work Plan 2020-2021
The Information Security Office (ISO) serves as the university's resource for guidance on information security compliance and administers the university's Information Security Program. The ISO oversees information security policies and standards; provides compliance oversight and risk assessments; and coordinates information security efforts, incident response and user awareness. The ISO works in conjunction with ITS Enterprise Security, Audit Services, University Integrity and Compliance, Privacy, Research and other compliance officials to maintain regulatory compliance and to protect the confidentiality, integrity and availability of university information assets. Following are activities of the Information Security Office Annual Work Plan for July 1, 2020 to June 30, 2021.
1. Provide Oversight of Information Security and Related Activities
Promote accountability, risk management, security responsibility and compliance with applicable federal, state and local laws and regulations.
Partner with university compliance areas to promote and provide guidance on information security controls and regulations.
Partner with Information Technology Services to develop and implement technologies and processes to support and maintain the security of university data and assets.
Lead and/or participate in committees, work groups and RFPs to provide information security input and guidance.
2. Develop Effective Lines of Communication
Create communication pathways that allow the dissemination of education, compliance and regulatory information which allows for reporting security incidents or concerns.
Promote the Information Security Office and incident reporting procedures via electronic and in-person communications and activities.
Maintain and promote the Information Security Office website as a communication and educational tool.
3. Conduct Effective Training and Education
Make available information security awareness training which informs faculty, staff and students of their responsibilities for protecting the university’s information data and assets in their care. Utilize various platforms and avenues in order to reach the university community.
Promote security awareness training and education via in-person and special events.
Issue periodic announcements regarding information security responsibilities and topics.
Participate in university and industry awareness opportunities.
4. Oversee the Information Security Policy and Procedure Lifecycle
Revise or develop university policies and procedures that establish the university’s Information Security program; reflect UofL’s commitment to protecting the confidentiality, integrity and availability of university assets and compliance with applicable laws and regulations; and that promote consequences for noncompliance.
Review, revise and publish information security policies and procedures in accordance with the ISO policy management lifecycle process.
Develop new policies in accordance with regulatory and university environment and strategic direction.
5. Manage the Information Security Risk and Assessment Program
Identify and remediate noncompliance through proactive review and monitoring of risk areas. Provide recommendations and avenues for risk identification and mitigation.
Develop and oversee risk management procedures that enable the university to identify and protect information assets.
Conduct or assist areas in conducting information security risk assessments, identifying and reporting information security risk and remediation recommendations.
Assist areas in the review and vetting of security requirements and controls of third-party vendors, providing support and guidance as needed.
Lead the GLBA Security Program committee in identifying risks and mitigation recommendations related to student financial information.
6. Provide Incident Response and Breach Notification
Conduct timely investigations of actual or potential information security incidents and report internally and to external agencies as required.
Lead the university’s Information Security Incident Response Team (ISIRT) in investigating, coordinating and reporting of information security events and incidents.
Monitor the information security office mailbox and respond timely to incident reports. Provide recommendations for corrective actions and improvement to prevent further occurrences.
Investigate potential/actual incidents, assisting in remediation and reporting to individuals and regulatory and government agencies as required.
7. Provide Program Reporting and Enforcement and Standard Promotion
Promote the Information Security program, policies, and procedures and potential consequences for non-compliance, providing review and reporting on activities and compliance.
Update and issue the Information Security Office quarterly report provided to the University of Louisville’s Board of Trustees’ Risk, Audit, and Compliance Committee.
Provide enforcement and consequence awareness.
8. Facility Security Officer
Serve as the Facility Security Officer managing the university’s Facility Security Clearance Program. NOTE: The university is currently in inactive status.
Maintain the clearance status of the University in compliance with NISPOM regulations/standards. Provide training, conduct assessments and participate in DSS audits.
9. New Regulations and Special Projects
Provide information security direction and guidance related to new regulations and university projects.
Work with the university counsel and other compliance officials as needed to develop and implement awareness and standards to comply with new or changing regulations.
Privacy Office
Annual Work Plan 2020-2021
The University of Louisville (UofL) Privacy Office provides guidance and assistance to the UofL community regarding regulations which may impact the privacy of our students, our employees, our patients, and our campus visitors. The UofL Privacy Office assists with privacy concerns and questions, has oversight responsibility for HIPAA compliance within the health care component of the UofL covered entity, ensures that HIPAA training is provided to the UofL community, reviews contracts for privacy issues, works with faculty and staff to respond to privacy incidents, and provides assistance to individuals working on UofL research projects which involve sensitive or health information. In the event of a suspected breach of protected health information (PHI), the UofL Privacy Office investigates the incident and, if required, provides notification to the affected patient(s) and to the Department of Health and Human Services (DHHS). The UofL Privacy Office also assists health clinics and care areas that are outside of the health care component with privacy concerns and issues, has oversight for UofL’s compliance with Section 1557 of the Affordable Care Act, and oversight for UofL’s compliance with the Children’s Online Privacy Protection Act.
In addition to the daily operations and oversight of the UofL Privacy Office, the following projects are planned for the July 1, 2020 to June 30, 2021 fiscal year.
1. Review/Update the Health Care Component of the UofL Hybrid Covered Entity
Ensure that designation of the schools, colleges, departments, and administrative units included in the health care component of the UofL hybrid covered entity is accurate. Identification of these areas allows for appropriate oversight to ensure that UofL is in compliance with regulatory requirements.
Review and update, as applicable, the current designation of the health care component of the hybrid covered entity to ensure that the designation of the health care component is correct.
Review of UofL schools, colleges, departments, and administrative units to identify areas which are not currently in the health care component, but which should be moved into the health care component.
2. Policies and Procedures
Ensure that current policies and procedures are compliant with privacy regulations.
Introduce the new Privacy Office HIPAA Policy Manual to the health care component via review/training sessions. [Note: The Privacy Office HIPAA Policy Manual will be finalized in June 2020].
Ensure that workforce members of the health care component have been trained regarding the Privacy Office HIPAA Policy Manual.
3. HIPAA & HITECH Training for Workforce Members of the UofL Health Care Component
Ensure that members of the UofL health care component of the hybrid entity are trained pursuant to HIPAA and HITECH regulations.
Update the HIPAA training program to: 1) replace current training materials with new video-based format for basic HIPAA training; and 2) update the HIPAA training program requirements, deadlines, and sanctions to ensure that workforce members are appropriately trained regarding HIPAA and HITECH regulations.
Conduct reviews of training records to ensure that workforce members of the health care component have received required HIPAA training.
4. HIPAA Privacy Risk Assessment
Utilize a HIPAA privacy risk assessment to identify vulnerable areas within the UofL health care component where PHI may be at risk of inappropriate use, disclosure, or access.
Identify organizational workflows and safeguards within the health care component covered entities to determine the flow of PHI internally and externally to detect areas where inappropriate use, disclosure, or access to PHI is a risk.
Review current practices and procedures for access to PHI, disclosure of PHI, and storage of PHI by faculty, staff, and students within the health care component to ensure that PHI is properly used, disclosed, and stored.
Implement a schedule to monitor and audit covered entities within the health care component to ensure compliance with UofL policies and procedures and with HIPAA requirements for safeguards of PHI.
5. Business Associate Agreement Review
Ensure that the Business Associate Agreement (BAA) database is updated and accurate.
Review the BAA database and consult with members of the health care component to determine active vs. inactive BAAs.
6. Resource for the UofL Community
Serve as a resource for administrators, faculty, staff, students, patients, and the community regarding privacy protection and safeguards.
Design awareness campaigns and participate in campus awareness programs to ensure that the UofL community is aware of the services offered by the Privacy Office.
Assist departments, divisions, and schools within the UofL community with classroom and community presentations and trainings to broaden awareness of the services provided by the Privacy Office.
Assist departments, divisions, and schools within the UofL community as requested to respond to privacy questions and concerns.
7. Affordable Care Act Section 1557 Regulation
Ensure that UofL’s schools, colleges, departments, and administrative units which are regulated by the Affordable Care Act Section 1557 are in compliance with regulatory requirements.
Review and update, as applicable, the current designation of all UofL schools, colleges, departments, and administrative units to identify areas that are required to follow the Section 1557 regulations.
Conduct a risk assessment of all areas which are required to follow Section 1557 regulations to ensure that appropriate resources and training are in place to allow the areas to comply with the regulations.
8. Children’s Online Privacy Protection Act (COPPA)
Ensure that UofL’s schools, colleges, departments, and administrative units are in compliance with the Children’s Online Privacy Protection Act.
Begin review of COPPA regulations and requirements. Once review of regulations and requirements is complete, begin identification of the areas within UofL which may be impacted by COPPA regulations.
Conflict of Interest and Commitment Office
Annual Work Plan 2020-2021
The University of Louisville and its Affiliates expect Covered Persons to conduct University affairs with high ethical and legal standards and in a manner that supports the University mission. As part of this duty, Covered Persons must apply their University time and effort correctly and use University assets properly. Use of University assets or University time damaging to the University mission or for personal advantage represents a conflict of interest. The Conflict of Interest and Commitment Office (COIC Office) mission is to support and monitor standards to reduce or eliminate such conflicts and protect the financial well-being, reputation, and legal duties of the University. The COIC Office reviews any disclosed external interest to identify conflicts of interest and determines if the conflict of interest can be managed or reduced, or if the interest would need to be eliminated. The COIC Office provides ongoing development of COIC policies and procedures, education and training, monitoring, communication, and response to reported issues as required by University policy and federal regulations. The COIC Office will conduct the following activities as part of its Annual Work Plan for July 1, 2020 to June 30, 2021.
1. Provide Oversight of Conflict of Interest and Commitment Related Activities
Promote compliance among UofL covered persons with applicable university COIC policy, federal, state and local laws and regulations.
Develop monitoring tool for individuals overseeing approved management plans.
Develop/present COIC educational sessions for covered person population.
Revise COIC Office standard operating procedures.
2. Develop Effective Lines of Communication
Strengthen communication pathways that allow the dissemination of education and regulatory information and provide a mechanism for reporting COIC issues.
Coordinate COIC consultations, as requested.
Maintain and promote the Conflict of Interest and Commitment Office website.
Develop start-up guidance (in conjunction with EPI-Center).
3. Conduct Effective Training and Education
Educate the UofL community on its compliance responsibilities and regulatory obligations related to conflicts of interest and commitment.
Update COIC training included in disclosure form.
Update/develop infographics related to COIC topics.
Issue announcements regarding covered persons’ responsibilities related to conflicts of interest and commitment.
4. Implement Revised Policies and Procedures
Implement revised university policies and procedures that reflect UofL’s commitment to conducting affairs without unmanaged conflicts of interest/commitment.
Complete revisions to COIC policy and procedure and secure Trustees’ approval.
Develop implementation plan for revised COIC policy and procedure.
Update disclosure form to be in sync with revised policy and procedure.
Initiate pilot rollout of Conflict of Commitment review procedures.
5. Conduct Internal Monitoring and Compliance Reviews
Identify and remediate noncompliance with COIC policy and procedure through proactive review and monitoring.
Strengthen COIC compliance reporting available to Units/Departments.
Follow-up with Appropriate Authorities to identify/address issues with approved management plans.
Monitor approved management plans.
6. Respond Promptly to Detected Problems and Undertake Corrective Actions
Conduct timely investigations of allegations of noncompliance with COIC policy and procedure and provide guidance on corrective actions.
Receive and evaluate reports and allegations of unmanaged COICs or noncompliance with approved management plans.
Provide recommendations for corrective actions and improvement to prevent further occurrences of noncompliance.
7. Measure Program Effectiveness
Evaluate the overall compliance with COIC policy and the performance of the University Integrity and Compliance Office.
Develop metric reports for units/departments.
Develop metric reports for sponsored programs.
Develop metric reports for the COIC Office.
The Department of Risk Management and Insurance
Annual Work Plan 2020-2021
The Department of Risk Management and Insurance’s (RMI) mission is to reduce the probability of risks to person, property, and/or business of the university and safeguard resources. RMI provides centralized and independent administration of the University of Louisville’s Enterprise Risk Management program. RMI administers the university’s commercial insurance program, including but not limited to general and professional liability, property, cyber, crime, and automobile, along with workers’ compensation. RMI has oversight of all university-sponsored and third-party Youth Protection programming. Through collaboration with university departments and leadership, RMI evaluates and assists in the mitigation of potential risks and promotes a culture of risk awareness throughout the university. RMI will do the following activities as part of the Annual Work Plan for July 1, 2020 to June 30, 2021.
1. Oversight of University Risk and Insurance Programs
Continual assessment of the university’s risk exposures and the commercial insurance marketplace by benchmarking, market analysis, and research.
Risk & Insurance – Review existing insurance policies, market trends, and identified exposures, for a gap analysis.
Youth Protection – Provide guidance and support to all university departments to proactively mitigate risk regarding youth programs.
2. Effective Communication
Create communication pathways that promote education, collaborative communication, and procedural guidance and support.
Risk & Insurance – Continue to provide timely response to coverage inquiries, update the Risk Management website for user-friendly access to risk and insurance information.
Youth Protection - Provide timely response to program inquiries, update the Youth Protection webpage for user-friendly access to risk insurance information.
3. Training and Education
Educate the university community on Risk Management, Insurance and Youth Protection for an understanding of procedural responsibilities.
Risk, Insurance, & Youth – Utilize the Risk Management website to provide virtual training information. Utilize all carrier based on-line training.
Risk, Insurance, & Youth – Online or synchronous training opportunities to learn about policies and procedures.
Risk, Insurance, & Youth – Utilize UofL communication platforms (UofL Today) to provide tips, awareness and updates.
4. Policies and Procedures
Revise and/or develop university policies and procedures that reflect UofL’s commitment to Risk Management, Insurance and Youth Protection.
Risk & Insurance – Annually review existing policies and procedures; update, add, and/or delete as necessary.
Youth Protection – A final approval for updated policies and handbook with an annual review thereafter.
Risk, Insurance, & Youth – Complete annual benchmarking of Risk, Insurance and Youth Protection policies.
5. Conduct Internal Monitoring and Reviews
Identify and assess potential risk exposures and department involvement.
Risk & Insurance – Conduct interviews and risk assessments with university departments and review loss analysis for trends to develop proactive prevention methods and mitigation strategies.
Youth Protection - Annually complete program inventory and monitor program data.
6. Prompt Response to Loss
Conduct timely investigations of incidents, make necessary reports and notifications, collaborate with third parties (Insurance Carriers), and provide guidance for corrective actions.
Risk & Insurance – Investigate loss and evaluate mitigation methods, involving third-party entities when necessary.
Youth Protection – Ensure open communication with youth programs and make necessary escalated reports in accordance with Youth Protection policies.
7. Enforce and Promote Risk Awareness
Promote Risk Management, Insurance and Youth Protection program, policies, and procedures and potential consequences for non-compliance.
Risk & Insurance – Use university platforms to educate university community regarding risk, the advantage of mitigation, and describe probable negative outcomes of non-compliance.
Youth Protection – Educate Departments on consequences for non-compliance. Escalate to leadership for potential program discipline.
8. Measure Program Effectiveness
Evaluate the overall Insurance and Youth Protection Program culture of UofL and the performance of the department.
Risk and Insurance – Analyze university claim trends and determine loss ratios per policies for renewal.
Youth Protection – Provide data reports annually for program cost vs incident reports, evaluate registered programs vs. inventoried, satisfaction survey, and fully compliant programs.
The mission of Audit Services is to provide the university and its affiliates with independent and
objective assurance and consulting services. The services are designed to add value, improve the
university’s operations, and help the university accomplish its objectives. This is done by bringing a
systematic, disciplined approach for evaluating and improving the effectiveness of risk management,
control, and governance. All Audit Services activities are conducted in compliance with university
objectives and policies, as well as the Code of Ethics and International Standards for the Professional
Practice of Internal Auditing, as defined by the Institute of Internal Auditors (IIA).
Audit Services currently employs three professional auditors with a combined experience of over 80
years in higher education and government. In January 2020, the Information Technology auditor
position became vacant through retirement. A search to fill the position will be conducted as soon as
practical. Senior staff members are certified in the practice of internal audit by internationally
recognized professional organizations and adhere to a code of ethics and principles promoting internal
audit. Junior staff members are strongly encouraged to obtain professional certification.
This report is a summary of the department’s activities since September 2019. During the period,
Audit Services has received full cooperation from all administration, staff, and faculty.
NOTE ON COVID-19 EMERGENCY
Since March 2020, Audit Services staff has worked remotely under the guidelines promulgated by the
university. While staff has been productive, the emergency has negatively impacted planned audit
projects and department initiatives. In addition, the planned recruitment of new staff has been shelved
and the recruitment of an IT auditor has been delayed.
RISK ASSESSMENT AND AUDIT PLAN DEVELOPMENT
Audit Services performs an annual risk assessment to determine the best strategy for deployment of
department resources. The assessment attempts to identify high risk activities using an evaluation of
the following areas: Regulatory Exposure, Operational Risk (Complexity), Financial Exposure,
Environmental Risk, and Strategic Risk. Interviews are conducted with key administration. Based on
the results of this evaluation the attached proposed audit plan was created and audits have been
scheduled pending the approval of the Board of Trustees. The proposed audit plan will be
continuously evaluated. Planned projects can be deferred, cancelled, or added based on this
evaluation. In addition, administration can request a consulting project to obtain help in identifying
solutions to known issues, to obtain advice in achieving operational efficiencies, or obtain advice on
internal controls that can be built into new operations, policies, or procedures. Audit Services is also
responsible for conducting administrative investigations into cases of alleged fiscal misconduct.
Although resources have been budgeted, investigations can result in adjustments to planned audits.
Attached is the Proposed 2020-2021 Annual Audit Plan for your approval.
AUDIT ISSUE FOLLOW-UP PROCESS
Audit Services tracks all open audit issues using an automated web-based system. The issue owner is
responsible for entering status updates and informing Audit Services when action plans have been
implemented. Audit Services reviews each implemented plan and verifies the implementation
effectiveness through additional testing, document review, or interviews with staff. Issues are not
closed until the auditor is satisfied that the underlying risk has been sufficiently addressed. Formal
follow-up projects will only be scheduled if a project is assigned an “unsatisfactory” project rating and
mitigation cannot be effectively evaluated during the issue closeout process.
A report of pending audit issues is generated quarterly, shared with administration, and is attached to
this report.
RESOURCE BUDGET
Audit Services is staffed by three professional auditors and the director. All senior staff are certified
with expertise in fraud examination, risk management, internal audit, and information technology.
The available resources and their allocation for 2020-2021 are illustrated in the table below.
Resource Budget (in hours)
| Category | 2020-2021 Budget | Percent |
|---|---|---|
| Total Available Hours | 5,850 | 100% |
| Total Non-Work Hours | 879 | 15% |
| Total Administration | 506 | 14% |
| Total Projects | 4,169 | 71% |
| Project Breakdown by Type | | |
| Assurance Projects | 3,549 | 75% |
| Consulting/Investigation | 620 | 25% |
Non-work hours are university provided benefits, such as holidays, vacation, and sick leave, and the
time the university is closed due to weather events or emergencies. Administration consists of the
time spent in department management, staff development and training, and other activities that are not
directly related to a project.
AUDIT SERVICES PROJECTS
Audit Reports Issued
Project: HSC Accounts Receivable Billing and Collections Project Rating: Excellent
The Office of the Executive Vice President for Health Affairs centralized hospital-based contract
billing and collections processing. While this has strengthened the internal control environment, less
than 50% of all HSC accounts receivable balances were included in the centralization. This project
included only the centralized receivable balances and processing. The objectives of the audit were to
obtain reasonable assurance that:
• Internal controls over contract billing and collection activities were implemented and effective in reducing the inherent risks.
• Accounts receivable were properly recorded, adjustments were approved, and collection and write-off processes were adequately managed.
• Accounts receivable balances were routinely reconciled to the general ledger.
One moderate priority issue was identified:
| Issue Title | Priority | Action Plan Target Implementation Date/Status |
|---|---|---|
| Enhance the Security of Payments Received by Check | Moderate | Implemented |
Project: OnBase Content Management System Project Rating: Needs Improvement
OnBase is a third-party vendor software system that serves as the university’s platform for managing
and storing document images. It is also an electronic routing system that facilitates approval and data
capture. The objectives of the project were to obtain reasonable assurance that:
• Controls over OnBase processes were adequate to provide complete and accurate information processing.
• Content and documents were adequately secured against unauthorized access, modification, and disclosure.
• Processes and procedures complied with university information security policies and applicable regulations.
Issues identified during the project were:
| Issue Title | Priority | Action Plan Target Implementation Date/Status |
|---|---|---|
| Encrypt Document Images That Contain Sensitive Information | High | September 30, 2020 |
| Review OnBase Access | High | Implemented |
| Comply with Document Retention Policy and Regulations | Moderate | September 30, 2020 |
Project: Athletics Spirit Groups Project Rating: N/A
Internal control weaknesses were identified in the management and oversight provided to the Athletics
Spirit Groups which contributed to the monetary losses experienced by the department under the
tenure of the former Spirit Groups coordinator. This report is ancillary to a misconduct investigation
conducted by Audit Services, and accordingly a project rating and issue priorities were not assigned.
Athletics administration has implemented, or is in the process of implementing, corrective actions in the
following areas.
| Issue Title | Action Plan Target Implementation Date/Status |
|---|---|
| Spirit Group Governance and Oversight | October 1, 2020 |
| Fundraising Policies and Procedures | Implemented |
| University and Athletics Cash Handling Policies and Procedures | Implemented |
| Spirit Group Appearances | Implemented |
| Duplicate and Unauthorized Travel Payments | July 1, 2020 |
| Unauthorized Purchases | Implemented |
| Student Scholarships | Implemented |
| Distribution and Sale of Discounted Athletics Tickets | Implemented |
| Conflict of Interest Reporting and Management | Implemented |
| ULAA Digital Imagery Restrictions | Implemented |
| Roster Recordkeeping | Implemented |
Projects in Process
Human Resources Staff Compensation and Hiring
Audit Services performed an operational audit of Human Resources’ staff compensation approval and
hiring processes. The objectives of the audit were to obtain reasonable assurance that:
• Internal controls are adequate and effective in mitigating the inherent risks.
• Processes are compliant with applicable laws, regulations, and university policies.
• Significant processes are efficient and effective in assisting the department in achieving its goals and objectives.
Audit Services evaluated the current controls over Human Resources’ staff compensation approval
and hiring processes, including job changes such as reclassification and in-range adjustments. The
evaluation also included compliance with equal opportunity clause requirements and HR policies
governing staff employment and compensation, as well as the effectiveness and efficiency of related
procedures. Faculty and administrator positions were excluded. Testing was performed on hiring and
compensation transactions occurring between July 1, 2018 and June 30, 2019 to support conclusions
and recommendations.
A draft report has been issued for management comment and action plan development.
Distributed Server Security
Audit Services is completing a follow-up project of the Information Security – Servers project, which
received an “Unsatisfactory” rating in the report issued on September 25, 2017. The draft report is in
the process of administration review.
IT Disaster Recovery Test Observation
On February 11-12, 2020, a disaster recovery (DR) exercise was conducted by Information
Technology Services (ITS) to test the restoration of the university’s network and system infrastructure
at the UofL Miller Information Technology Center (MITC) location and the recovery of the
PeopleSoft systems and auxiliary support applications. This was the second time a DR test was
conducted after the university contracted with the current third-party DR services provider. Several
systems, applications, or components were included in the test for the first time, including I Drive,
PeopleSoft Campus Solutions system, PeopleSoft Human Resources system, BI Reporting, Business
Operations (system infrastructure only), and SQL Cluster server. This was also the first DR test
without Tivoli Storage Manager (TSM), the IBM backup and recovery product the university retired
in December 2019. The test was executed from the MITC via web connectivity to the university's
third-party disaster recovery services provider. Audit Services observed the planning and execution of
this test, evaluated the test results, and reviewed associated disaster recovery plan documentation.
A draft report has been issued to ITS administration for comment and action plan development.
Diabetes and Obesity Center, Efficiency and Effectiveness Review and Prior Audit Follow-Up
In August 2019, administration of the Diabetes and Obesity Center requested that Audit Services
perform an effectiveness and efficiency review of the Core Research Laboratories established with
funding from a Centers of Biomedical Research Excellence (COBRE) grant. In 2017, Audit Services
performed a routine audit of the Diabetes and Obesity Center’s administrative business activities. At
that time a project rating of “Needs Improvement” was assigned. This project included follow-up
procedures to evaluate the effectiveness of the mitigation actions adopted as a result of the 2017 audit.
A draft report has been issued to administration for comment and action plan development.
Contracted Services
Audit Services is in the process of performing an operational audit of Contracted Services. The scope of
the audit includes an evaluation of business services’ management of the major contracted services, to
ensure orderly and effective administration and operation of the services program. Major service
contracts include managed print, mail, bookstore, dining, and vending.
The preliminary objectives of the audit will be to obtain reasonable assurance that:
• Internal controls over contracted services are implemented and effective in reducing the inherent risks.
• Contracted activity is adequately monitored, reported, and routinely reconciled.
• Service providers are held accountable for achieving contracted service metrics and performance goals.
Procurement Services
A routine operational audit of Procurement services is in the planning stage. The scope and objectives
of the project will be to obtain reasonable assurance that:
• Key internal controls over procurement activity are implemented and effective in reducing inherent risks.
• Procurement practices are compliant with applicable laws, regulations, and university policies.
• Significant processes are efficient and effective in assisting Procurement Services in achieving its goals and mission.
The planned scope of the audit will include contract management processes centrally administered by
Procurement Services, focusing on contract development, execution, and monitoring. A high-level
risk assessment of Uniform Guidance procurement standards will also be performed. Contracts active
between 5/1/2019 and 4/30/2020 and their related documentation may be selected for testing to support
conclusions and recommendations. The audit will not include construction contracts, personal service
contracts (as governed by KRS 45A.690 – 45A.695), or ProCard processes.
OTHER ACTIVITIES
Other projects include consulting projects, investigations, and other projects requested by
administration.
Investigations
Audit Services completed 1 investigation from September 30, 2019 through May 29, 2020. One
additional investigation is in process.
Continuous Monitoring Activities
To achieve better audit coverage of higher risk activities, the development of a continuous auditing
and monitoring program is a best practice. In the fall of 2018, Audit Services began using a new data
analysis tool to prepare reports that are meaningful. We are developing new reports that both Audit
Services and Administration can use to better monitor for errors and omissions.
Consulting
Audit Services continues to consult with administration on new processes and procedures to help
identify best practices and significant risks, and to recommend effective and cost-efficient controls.
ProCard Monitoring
Audit Services meets quarterly with staff responsible for managing the ProCard program at the
university. The ProCard is a credit card program offered through PNC that allows departments to
make allowed purchases without going through the formal procurement process. The quarterly
meetings are held to review trends, potential program changes, and the results of monitoring.
Bursar’s Office
Administration has requested Audit Services to review the internal controls that have been
implemented in the Bursar’s Office over cashiering, system access, and student receivables.
2019-2020 AUDIT PLAN STATUS REPORT
Compliance - Routine Audits to obtain reasonable assurance that the university is compliant with
applicable laws, regulations, third party obligations, or university policy.
| Project Name | Status |
|---|---|
| Contracted Services | In Process |
| Diabetes and Obesity Center – Follow Up | Report out for action plan development |
Operational/Internal Control Reviews - Routine audits to obtain reasonable assurance tha