USF SYSTEM AUDIT 3702 Spectrum Blvd. Suite 180 • Tampa, FL 33612-9444

(813) 974-2705 • FAX (813) 974-3735

MEMORANDUM TO:

President Judy Genshaft USF Board of Trustees Audit and Compliance Committee

FROM: Virginia Kalil, CIA, CISA, CFE, CRISC Executive Director/Chief Internal Auditor

DATE: June 29, 2018

SUBJECT: 18-026 USF System Audit Self-Assessment with Independent Validation

USF System Audit (Audit) conducted a self-assessment of its internal audit services as required by the Institute of Internal Auditing’s International Standards for the Professional Practice of Internal Auditing (IIA Standards) and the Board of Governors’ (BOG) regulation 4.002 (6)(e). The principal objectives of the assessment was to evaluate Audit’s conformance with the IIA Standards and Code of Ethics in place and effective as of January, 2017. Audit’s self-assessment was concluded on May 11, 2018, and provides senior management and the board with information about Audit as of that date. Audit also evaluated its effectiveness in carrying out its mission, as set forth in Audit’s charter and expressed by USF management and the Board of Trustees (BOT). The results of Audit’s self-assessment were validated by a two-member external assessment team. The assessment team also reviewed Audit’s observations related to successful internal audit practices and opportunities for continuous improvement. The form and frequency of the external assessment, and the independence and qualifications of the assessment team, was discussed with the BOT Audit and Compliance Committee (ACC). A description of the methodology used to complete this assessment is described on page 2 of this report. Based on the review, Audit generally conforms to the IIA Standards and the Code of Ethics. “Generally conforms” means that the relevant structures, policies, and procedures comply with the individual standards and Code of Ethics in all material respects. See Appendix A for additional details. In addition, three recommendations were made based upon the IIA Practice Guides and other best practice guidance for continuous improvement in the efficiency and effectiveness of the internal audit program at USF (see Appendix B). Please contact us at 974-2705 if you have any questions. cc: John Long, Chief Operating Officer and Sr. Vice President, Business and Finance

AUDIT 18-026

2 of 10

SCOPE AND METHODOLOGY

Audit compiled and prepared information consistent with the methodology established in the IIA’s Quality Assessment Manual for the Internal Audit Activity (2017). This information included completed and detailed planning guides, together with all supporting documentation; and an evaluation summary, documenting all conclusions and observations.

To accomplish the objectives, the external assessment team reviewed information prepared by Audit and the conclusions reached in this report. The external assessment team also conducted interviews with selected key stakeholders, including the ACC Chair, senior executives, and Audit management; reviewed a sample of audit projects and associated work papers and reports; reviewed confidential survey data received from key stakeholders and staff; and prepared diagnostic tools consistent with the methodology established in the IIA’s Quality Assessment Manual for the Internal Audit Activity (2017).

The external assessors also prepared an “Independent Validation Statement” to document conclusions related to the validation of Audit’s self-assessment. This statement is included as Attachment A to this report.

SUMMARY OF OBSERVATIONS

Audit believes that the environment in which we operate is well-structured and progressive, where the Standards are understood, the Code of Ethics are being applied, and management endeavors to provide useful audit tools and implement appropriate practices. Consequently, our comments and recommendations are intended to build on this foundation.

Successful Audit Practices – areas where Audit is operating in a particularly effective or efficient manner when compared to the practice of internal auditing demonstrated by internal audit activities in other organizations.

Audit receives a high level of support from USF senior management and the BOT ACC. The Audit program is well-respected and is viewed as a high-performing team. The recent establishment of a dedicated audit committee and the revision of the Audit Charter has helped to ensure audit-related matters receive board attention, and more closely align the reporting of the Chief Audit Executive (CAE) and audit function with IIA best practices.

Although audit has experienced significant turnover in the last two years, the audit team has maintained a wide range of knowledge and experience, including higher education experience. The team’s level of education, knowledge, and professional certification is commendable. The management team takes great care in the development of staff including supporting team members’ educational and professional development, as well as skill enhancement needs.

Audit’s ability to respond promptly to management needs, despite limited staffing resources, demonstrates an effective and efficient use of audit resources and strong project management skills.

Audit has built a strong infrastructure over audit processes, with robust policies and procedures with regular quality assurance points. Audit embraces the use of technology and has embedded the IIA

AUDIT 18-026

3 of 10

Standards within their internal audit management software (TeamMate) templates to ensure compliance. The Audit team remains focused on institutional risks, including information technology and fraud risks, from the development of the two-year work plan through to the development of individual project plans. This helps to ensure Audit remains focused on projects supporting the strategic goals of USF. Gaps to Conformance – areas where Audit falls short of achieving one or more major objectives and attains an opinion of “partially conforms” or “does not conform” with the Standards or Code of Ethics. No gaps identified. Opportunities for Improvement – areas to enhance the efficiency or effectiveness of Audit’s infrastructure of processes. These items do not indicate a lack conformance with the Standards or Code of Ethics. The following three recommendations were made which will help ensure:

• Organizational independence is strengthen by formalizing the ACC’s role in key human resource actions related to the CAE;

• On-going quality improvement efforts are better documented and the results of these efforts are more formally communicated to the ACC; and

• Strategic planning efforts are consolidated demonstrating alignment with the organization’s strategy.

AUDIT 18-026

4 of 10

APPENDIX A EVALUATION SUMMARY AND RATING DEFINITIONS

GC PC DNC

Overall Evaluation X

Attribute Standards (1000 through 1300)

GC PC DNC

1000 Purpose, Authority, and Responsibility X

1010 Recognizing Mandatory Guidance in the Internal Audit Charter X

1100 Independence and Objectivity X

1110 Organizational Independence X

1111 Direct Interaction with the Board X

1112 Chief Audit Executive Roles Beyond Internal Auditing X

1120 Individual Objectivity X

1130 Impairment to Independence or Objectivity X

1200 Proficiency and Due Professional Care X

1210 Proficiency X

1220 Due Professional Care X

1230 Continuing Professional Development X

1300 Quality Assurance and Improvement Program X

1310 Requirements of the Quality Assurance and Improvement Program

X

1311 Internal Assessments X

1312 External Assessments X

1320 Reporting on the Quality Assurance and Improvement Program X

1321 Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”

X

1322 Disclosure of Nonconformance X

AUDIT 18-026

5 of 10

Performance Standards (2000 through 2600) GC PC DNC

2000 Managing the Internal Audit Activity X

2010 Planning X

2020 Communication and Approval X

2030 Resource Management X

2040 Policies and Procedures X

2050 Coordination and Reliance X

2060 Reporting to Senior Management and the Board X

2070 External Service Provider and Organizational Responsibility for Internal Auditing

X

2100 Nature of Work X

2110 Governance X

2120 Risk Management X

2130 Control X

2200 Engagement Planning X

2201 Planning Considerations X

2210 Engagement Objectives X

2220 Engagement Scope X

2230 Engagement Resource Allocation X

2240 Engagement Work Program X

2300 Performing the Engagement X

2310 Identifying Information X

2320 Analysis and Evaluation X

2330 Documenting Information X

2340 Engagement Supervision X

2400 Communicating Results X

AUDIT 18-026

6 of 10

Performance Standards (2000 through 2600) GC PC DNC

2410 Criteria for Communicating X

2420 Quality of Communications X

2421 Errors and Omissions X

2430 Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”

X

2431 Engagement Disclosure of Nonconformance X

2440 Disseminating Results X

2450 Overall Opinions X

2500 Monitoring Progress X

2600 Communicating the Acceptance of Risks X

Code of Ethics GC PC DNC

Code of Ethics X

GC – “Generally Conforms” means that the assessor or the assessment team has concluded that the relevant structures, policies, and procedures of the activity, as well as the processes by which they are applied, comply with the requirements of the individual standard or elements of the Code of Ethics in all material respects. For the sections and major categories, this means that there is general conformity to a majority of the individual standard or element of the Code of Ethics and at least partial conformity to the others within the section/category. There may be significant opportunities for improvement, but these should not represent situations where the activity has not implemented the Standards or the Code of Ethics and has not applied them effectively or has not achieved their stated objectives. As indicated above, general conformance does not require complete or perfect conformance, the ideal situation, or successful practice, etc.

PC – “Partially Conforms” means that the assessor or assessment team has concluded that the activity is making good-faith efforts to comply with the requirements of the individual standard or elements of the Code of Ethics, or a section or major category, but falls short of achieving some major objectives. These will usually represent significant opportunities for improvement in effectively applying the Standards or the Code of Ethics and/or achieving their objectives. Some deficiencies may be beyond the control of the internal audit activity and may result in recommendations to senior management or the board of the organization.

DNC – “Does Not Conform” means that the assessor or assessment team has concluded that the internal audit activity is not aware of, is not making good-faith efforts to comply with, or is failing to achieve many or all of the objectives of the individual standard or element of the Code of Ethics, or a section or major category. These deficiencies will usually have a significantly negative impact on the internal audit activity’s effectiveness and its potential to add value to the organization. These may also represent significant opportunities for improvement, including actions by senior management or the board.

AUDIT 18-026

7 of 10

APPENDIX B

EFFICIENCY AND EFFECTIVENESS 1. The Audit and Compliance Committee’s (ACC’s) involvement in human resource

decisions related to the Chief Audit Executive (CAE) was not defined in the charter.

In Spring 2017, the ACC was involved in hiring the CAE and was aware of the CAE’s remuneration level. The ACC charter; however, does not include the role and responsibility of the ACC in decisions regarding the appointment, removal, and remuneration of the CAE. IIA Standard 1110 - Organizational Independence states, “the chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities… Organizational independence is effectively achieved when the CAE reports functionally to the board. Examples of functional reporting to the board involve the board: Approving the internal audit charter. Approving the risk-based internal audit plan. Approving the internal audit budget and resource plan. Receiving communications from the chief audit executive on the internal audit activity’s

performance relative to its plan and other matters. o Approving decisions regarding the appointment and removal of the chief audit executive. o Approving the remuneration of the chief audit executive. Making appropriate inquiries of management and the chief audit executive to determine

whether there are inappropriate scope or resource limitations.” While functional reporting of the internal audit activity to the ACC has been formally defined, organizational independence is further strengthen by formalizing the ACC’s role in key human resource actions related to the CAE.

Recommendation: The ACC charter should be revised to include the ACC’s role and responsibilities regarding the appointment, removal, and remuneration of the CAE.

2. Internal quality assurance efforts were not formally communicated to the board.

IIA Standard 1300 - Quality Assurance and Improvement Program states, “the chief audit

executive must develop and maintain a quality assurance and improvement program (QAIP) which covers all aspects of the internal audit activity. A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s conformance with the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement. The chief audit executive should encourage board oversight in the quality assurance and improvement program.” Many of Audit’s QAIP efforts are embedded within the internal audit activity and all its operations. Quality assurance checklists are used by project leads and project managers to ensure conformance with IIA Standards, and key performance metrics are monitored throughout the

AUDIT 18-026

8 of 10

EFFICIENCY AND EFFECTIVENESS project’s life cycle. A new audit closure checklist and performance scorecard were recently

developed and customer feedback surveys were reignited. In addition, Audit leadership identifies areas for continuous improvement annually, which are tracked through to completion. While QAIP efforts are on-going and communicated less formally, more formal communication of these efforts to the ACC will assist in demonstrating board oversight.

Recommendation: Audit should formally communicate the QAIP results to the ACC at least annually.

3. Strategic planning efforts were not formally consolidated into a specific internal audit strategic plan.

IIA Standard 2000 - Managing the Internal Audit Activity states, “The chief audit executive must

effectively manage the internal audit activity to ensure it adds value to the organization... The internal audit activity adds value to the organization and its stakeholders when it considers strategies, objectives, and risks; strives to offer ways to enhance governance, risk management, and control processes; and objectively provides relevant assurance.” After studying the organization’s strategic plan, reviewing risk assessments, meeting with senior management and the board, and conducting strategic workshops with Audit team members, the CAE develops an internal audit strategy and approach that aligns with the goals and expectations of the organization’s leadership. This information is used by the CAE to develop a work plan that includes: a list of proposed audit and consulting engagements; rationale for selecting each proposed engagement; objectives and scope of each proposed engagement; and a list of initiatives or projects that result from the internal audit strategy, but may not be directly related to an audit engagement. While Audit formally produces a two-year work plan, documentation of the department’s internal strategic planning efforts and QAIP initiatives are not formally consolidated into a specific internal audit strategic plan. Formally consolidating these efforts will assist the department in demonstrating how their internal efforts are aligned with the organization’s strategy, as well as assist in communicating Audit’s vision, mission, and future resource needs.

Recommendation: Audit should formally consolidate strategic planning and QAIP efforts into a specific internal audit strategic plan.

Attachment A

9 of 10

AUDIT 18-026

10 of 10