Risk analysis and internal audit plan considerations Bucknell

Report
Preliminary Risk Analysis and Proposed FY 2011
Internal Audit Scope
Illinois Institute of Technology
December 21st, 2010
Table of Contents
I. Executive Summary
Slide
Assessment Objectives
3
Risk Assessment Scope and Approach
4
Project Participants
5-6
Significant Observations and Considerations
7
Identifying Opportunities for Improvement
8
Overall Risk Analysis Results
9
Proposed 2011 Internal Audit Plan
10-11
II. Appendix – Detail Analysis
Audit Universe Listing – Business Processes
13
IIT Risk Analysis
14-18
Business Risk Profiling Analysis
19-22
© Grant Thornton LLP. All rights reserved.
2
Risk Assessment Objectives
• Assist Illinois Institute of Technology ("IIT") management and the Board
in identifying relevant risks associated with the University's different
business activities and assess the inherent risk significance of each
• Identify the audit universe and considerations for internal audit attention
to 11 business processes and 63 sub-processes at IIT
• Assist IIT management and the Board in creating the FY 2011 – 2013
audit plan
• Increase practical awareness of risk and controls amongst IIT
management
© Grant Thornton LLP. All rights reserved.
3
Risk Assessment Scope and Approach
• Conducted 15 interviews as a basis for analysis, observations and
recommendations
• Reviewed key documents such as audited financial statements,
organization charts, prior year’s audit reports, available policies and
procedures, and the strategic plan
• Utilized Grant Thornton's proprietary risk model which is based on the
Committee of Sponsoring Organizations (COSO*) Internal Control Integrated Framework
Note: Our review did NOT include the performance of audit testing procedures or validation activities around any
observations noted
* COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business
ethics, effective internal controls, and corporate governance.
© Grant Thornton LLP. All rights reserved.
4
Risk Assessment Participants
Illinois Institute of Technology
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
John Anderson
Pat Laughlin
Brian Laffey
Mary Ann Smith
Ophir Trigalo
Alan Cramb
David McCormick
Donna Taylor
Betsy Hughes
Bruce Mueller
Sharon Muldrow-Thomas
Jatan Clark
Deb Casales
Domenica Pappas
Frank FioRito
© Grant Thornton LLP. All rights reserved.
President
Chief Financial Officer
Controller
General Counsel
Chief Information Officer
Provost & Senior Vice President for Academic Affairs
Senior Vice President, Director of IIT Research Institute
Accounts Payable Manager
Vice President for Institutional Advancement
Chief People Officer
Payroll Manager
Director, Grants and Contract Accounting
Bursar
Director of Sponsored Research and Programs
Purchasing Manager
5
Risk Assessment Participants
Grant Thornton
•
Steve Siemborski – Regional Practice Leader
•
Larry Ladd – National Director, Higher Education Practice
•
Rick O’Callaghan – Senior Manager
•
Nick Saracco – Senior Associate
© Grant Thornton LLP. All rights reserved.
6
Observations and Considerations
• An extensive list of over 60 audit universe considerations has been identified for IIT
across the university, including areas outside of the Finance and Administration functions.
• The areas of highest ‘inherent risk’ are not necessarily the areas of focus to select
for the first year of the internal audit plan. In some cases, controls are considered to be
commensurate with risk, or have been recently audited and found to be effective, and can
therefore be appropriately scheduled in the second or third year of the audit plan.
• The distributed or decentralized nature of certain operations within a University
heightens the inherent risk of inaccurate or incomplete management and financial
information as well as the misappropriation of assets. This suggests a need for broad
annual internal audit coverage and an audit approach and methodology that
maximizes audit coverage within each review.
• Opportunities for immaterial theft, fraud or misappropriation of resources that is not
detected timely appears to be higher in lower risk areas, e.g., auxiliary enterprises. As a
result, the potential aggregate impact could be significant and internal audit coverage
should include certain lower risk areas on a rotational basis, and include lower risk
areas when sample testing higher risk processes across the University.
© Grant Thornton LLP. All rights reserved.
7
Identifying Opportunities for Improvement
• In every audit to be conducted, identifying potential opportunities for process improvement and cost
savings is an expected outcome. Although audit procedures are primarily designed to evaluate the
effectiveness and efficiency of internal controls and compliance with established policies and
regulations, opportunities for operational improvements and/or direct or indirect cost savings are
inevitably found through the audit process.
• Examples of some opportunities to improve internal controls identified through our discussions with
management during the risk assessment include:
– The need to formalize, codify and/or reevaluate University policies and procedures, including
trustee-level (i.e., conflict of interest, investment approval), financial/accounting (e.g., accounts
receivable, payables, capital construction, etc.) and information technology (e.g., information
security, application change management, etc.).
– The opportunity to strengthen control and security over IT assets through a periodic review of
user access and information / network security related to critical IT applications, systems and
resources to ensure it is maintained to restrict access to appropriate personnel and effective
segregation of duties is enforced on an ongoing basis.
– A disaster recovery and business continuity plan, containing an appropriate level of detail and
integration with business process priorities and a crisis management plan in order to be effective
and reduce the potential impact on university operations in the event of IT systems outage.
– The need to reevaluate and enhance the controls around the use of endowment funds.
© Grant Thornton LLP. All rights reserved.
8
Overall Risk Analysis Results
#
Process
Inherent Risk Rating
(Consolidated)
1
Governance, Risk & Compliance
Medium
2
Revenue / Receivables
Medium
3
Expenditures / Payables
High
4
Human Resources
Medium
5
Treasury
High
6
Risk Management
Medium
7
Financial Reporting & Other Accounting
Medium
8
Auxiliary Activities & Other Considerations
Low
9
Student Affairs
Medium
10
Information Systems & Resources
High
11
Development
Medium
© Grant Thornton LLP. All rights reserved.
Proposed Internal Audit Plan for FY2011
The following conclusions were drawn based on our assessment of risk and preliminary perceptions on
internal control within the University:
• Given the outcome of the risk analysis, a suggested audit plan containing approximately 500 – 750
hours per year appears reasonable and appropriate.
• All estimated hours for internal audit activities are intended to understand key risks and controls in each
audit area for the purpose of assessing control design effectiveness and then performing tests of
operating effectiveness.
• However, there are certain other ‘baseline’ audit activities such as external audit assistance and ongoing
compliance monitoring as well as special request projects and follow-up procedures on prior year audits
that are inherent to any University internal audit function and will need to be taken into consideration
annually. These activities could require additional hours of internal audit effort.
• Overall, prioritization of the remaining audit areas identified should be a function of ongoing interaction
between Grant Thornton, the Board and executive management.
© Grant Thornton LLP. All rights reserved.
10
Summary of Audit Areas to Include in the Audit Plan
Process
#
Audit Process Area
Sub-process
Area
Suggested Audit
Frequency
Estimated
Hours
N/A
1
50
2
100 – 150
FY 2011 Internal Audit Plan
*
General Audit Administration, Planning &
Reporting
5
Treasury
Cash
Management /
Point of Service
Collections
10
Information Systems & Resources
Information /
Network Security
1
100 – 150
10
Information Systems & Resources
Application
Development &
Change Controls
1
100 – 150
3
Expenditures / Payables
Purchasing /
Payment Cards
2
70 – 120
3
Expenditures / Payables
Accounts Payable
3
80 – 130
Total 2011 Hours
500 – 750
Audit Frequency Key: 1=yearly, 2=every other year, 3=every third year.
© Grant Thornton LLP. All rights reserved.
11
II. Appendix
© Grant Thornton LLP. All rights reserved.
12
Audit Universe*: Business Processes and SubProcesses
* The audit universe for a typical University environment
•
•
Governance, Risk & Compliance
– Control environment
– Risk assessment
– Information & communication
– Monitoring
– Fraud controls
– Compliance
– Strategic planning
Revenue / Receivables
– Tuition & fees
– Credit & collections
– Grants & contracts
•
Expenditures / Payables
– Purchasing / payment cards
– Capital expenditures
– Construction
– T&E expenses
– Accounts payable
– Facilities maintenance
•
Human Resources
– Employment / employee
relations (Faculty & Staff)
– Executive compensation
– Payroll (employees &
students)
– Employee benefits
– Student employment
© Grant Thornton LLP. All rights reserved.
•
Treasury
– Cash management
– Endowments
– Financing
– Investments
•
Risk Management
– Risk management
– Insurance
– Business continuity & crisis management
– Environmental health & safety
•
Financial Reporting & Other Accounting
– General accounting
– Internal reporting
– External reporting
– Budgeting
– Tax compliance
– Fixed assets
– Intellectual property, copyrights & patents
•
Student Affairs
– Student activities, clubs & events
– Admissions/student recruitment
– Financial aid & scholarships
– Health services
– Residence halls
– Athletics
– Programs abroad & international initiatives
– Privacy (FERPA, HIPAA compliance)
•
Auxiliary Activities and Other
Considerations
– Food service
– Bookstore
– Student/employee cards
– University collectibles
•
Development
– Development / fund raising
– Planned gifts
– Alumni activities
•
Information Systems & Resources
– Applications
– IT governance
– Information security
– Network security / architecture
– Network & infrastructure change
management
– Application integrity controls
– Telecommunications
– Physical security
– Application development & change
controls
– Third-party / vendor management
– Computer operations
– Third party interfaces & connectivity
– Library
– Disaster recovery
13
Risk Analysis for Illinois Institute of Technology
Process
Governance, Risk & Compliance
Revenue / Receivables
© Grant Thornton LLP. All rights reserved.
Sub Process
Control Environment
Inherent Risk
Rating
HIGH
Risk Assessment
MEDIUM
Information and Communication
MEDIUM
Monitoring
MEDIUM
Fraud Controls
MEDIUM
Compliance
MEDIUM
Strategic Planning
MEDIUM
Tuition and Fees
MEDIUM
Credit and Collections
MEDIUM
Grants and Contracts
MEDIUM
14
Risk Analysis for Illinois Institute of Technology
Process
Expenditures / Payables
Human Resources
Sub Process
Purchasing / Payment Cards
© Grant Thornton LLP. All rights reserved.
HIGH
Capital Expenditures
MEDIUM
Construction
MEDIUM
T&E Expenses
LOW
Accounts Payable
HIGH
Facilities Maintenance
HIGH
Employment / Employee Relations
Executive Compensation
Treasury
Inherent Risk
Rating
MEDIUM
LOW
Payroll
MEDIUM
Employee Benefits
MEDIUM
Student Employment
MEDIUM
Cash Management
HIGH
Endowments
HIGH
Financing
HIGH
Investments
HIGH
15
Risk Analysis for Illinois Institute of Technology
Process
Risk Management
Financial Reporting & Other Accounting
Sub Process
Risk Management
MEDIUM
Insurance
MEDIUM
Business Continuity & Crisis Management
HIGH
Environmental Health & Safety
LOW
General Accounting
MEDIUM
Internal Reporting
MEDIUM
External Reporting
MEDIUM
Budgeting
MEDIUM
Tax Compliance
Fixed Assets
Vehicle Inventory & Maintenance
Intellectual Property, Copyrights & Patents
Auxiliary Activities & Other Considerations
© Grant Thornton LLP. All rights reserved.
Inherent Risk
Rating
LOW
MEDIUM
LOW
MEDIUM
Food Service
LOW
Bookstore
LOW
Student / Employee Cards
LOW
University Collectibles
LOW
16
Risk Analysis for Illinois Institute of Technology
Process
Student Affairs
Sub Process
Student Activities, Clubs & Events
LOW
Admissions / Student Recruitment
HIGH
Financial Aid & Scholarships
Development
© Grant Thornton LLP. All rights reserved.
Inherent Risk
Rating
MEDIUM
Health Services
LOW
Residence Halls
LOW
Athletics
LOW
Program Abroad & International Initiatives
MEDIUM
Privacy
MEDIUM
Development / Fund Raising
HIGH
Planned Gifts
MEDIUM
Alumni Activities
MEDIUM
17
Risk Analysis for Illinois Institute of Technology
Process
Information Systems & Resources
Sub Process
Applications
IT Governance
HIGH
MEDIUM
Information Security
HIGH
Network Security / Architecture
HIGH
Network & Infrastructure Change Management
MEDIUM
Application Integrity Controls
MEDIUM
Telecommunications
HIGH
Physical Security
LOW
Application Development & Change Controls
MEDIUM
Third-party / Vendor Management
MEDIUM
Computer Operations
Third-party Interfaces & Connectivity
© Grant Thornton LLP. All rights reserved.
Inherent Risk
Rating
LOW
MEDIUM
Library
LOW
Disaster Recovery
HIGH
18
Business Risk Profiling Summary Analysis
Governance Risk
Definition
Risk that the processes, customs, policies, procedures,
communications and management attributes affecting the way
in which an organization is directed, administered, controlled or
internally monitored is not sufficient, effective or appropriate,
impacting the achievement of organizational goals.
Analysis
Overall, governance risks are moderate to high due to their pervasive
nature and impact, as well as the inherent risk. Although viewed favorably,
changes in leadership can create perceptions of instability in certain areas.
Given the increasing complexity of the organization's risk profile, the
breadth, depth and focus of internal audit activities for addressing relevant
organizational risks has become increasingly important. As there has been
no consistent formal internal audit activity to ensure proper controls are in
place and operating effectively, the University's risk could be increased,
which is factored into this rating.
Personnel Risk
Definition
The risk that the Human Resources function is not adequate
resulting in inconsistent or ineffective recruiting, application of
policy or management of student employees. The risk that
departments are not properly staffed due to turnover, attrition or
lack of sufficient recruiting. The risk that people either do things
they are not supposed to do or fail to do things they should do.
The risk that the University is not fostering a positive working
culture resulting in lower morale among employees.
© Grant Thornton LLP. All rights reserved.
Analysis
Overall, personnel risks are moderate. The decentralized nature of certain
departments and programs and the corresponding responsibility and
delegated authority for and monitoring increases the risk of
misappropriation of assets. As with almost all universities, there is always a
concern related to the recruitment and retention of key faculty in staff.
Additionally, the Human Resources function should be closely monitored to
ensure that it is meeting the needs of everyone it serves.
19
Business Risk Profiling Summary Analysis
Financial Risk
Definition
The risk that an organization will be unable to fulfill its financial
obligations as a party to a financial transaction. The risk that an
entity cannot obtain cash quickly enough to pay current
obligations. Actual losses may occur as a result of the entity's
inability to fund the operational or financial obligations of the
business. The risk that tuition pricing is more than students are
willing to pay resulting in decreasing enrollment.
Analysis
Overall financial risk at IIT appears to be high. IIT financial reporting and
accounting departments have had significant write-offs in FY10, and
issues have been raised in regards to the current endowment and debt
financing positions. New management has assumed key roles in the
finance and accounting departments with a goal of not only reviewing and
correcting actions from prior year, but also establishing key objectives for
future growth. However, since some of these initiatives are still in the early
stages, the overall financial risk remains high.
Operational and Process Risk
Definition
The risk that organization operations and procedures are not
effective or efficient resulting in incomplete or inaccurate
financial or management information, frustration or loss of
students and employees, or the loss or misappropriation of
assets. The risk that employee and student health and safety is
not sufficiently controlled exposing the university to potentially
significant liability and impairment of image and reputation.
© Grant Thornton LLP. All rights reserved.
Analysis
Overall, the operational and process risks are moderate at IIT. Concerns
related to the viability of the current business continuity and crisis
management plans appear to be the highest inherent operational risk
areas. Increased attention to purchasing and payables, including the use
of procurement cards should also be considered.
20
Business Risk Profiling Summary Analysis
Compliance Risk
Definition
The risk that reports of operating or financial information required
by regulatory agencies (Federal / State government, NCAA,
Accreditation, etc.) are incomplete, inaccurate or untimely,
exposing the company to fines, penalties and sanctions. The risk
that financial reports include material misstatements or omit
material facts, making them misleading. The risk of noncompliance
with tax regulations, payment and filing requirements or that
transactions of the University have adverse tax consequences that
could have been avoided had they been structured appropriately.
Analysis
Overall, compliance risks appears to be low to moderate. The inherent
nature of the many rules and regulations that the University is subject
to, raises the risk level in this area. Internal compliance with policies
and procedures appears to be an area of lower risk, given the current
state of formally documented policies and procedures. The lack of a full
time Compliance Officer or department creates added risk; however,
these risks are slightly mitigated by the Compliance Committee.
Technology Risk
Definition
The risk that the organization does not have an effective
information technology infrastructure to support the current or future
needs of the University in an efficient, cost-effective and wellcontrolled fashion. The risk that the processes used to develop,
maintain and operate an information processing environment is not
sufficient to provide for the accuracy, completeness, integrity,
security, availability or recoverability of organizational information.
This risk includes development or modification of applications and
infrastructure as well as security related to end users and ISR
personnel. The risk that a technology strategy does not exist or is
not aligned with organizational strategy or objectives.
© Grant Thornton LLP. All rights reserved.
Analysis
Overall, technology risks are considered high. The University is highly
dependent upon information technology for its administrative and
academic operations. Information and network security, systems
availability and recovery have become highly important considerations.
There is a concern over the reliability of the current infrastructure as
upgrades have not been possible given recent year budget constraints.
Additional areas of concern include the viability of the disaster recovery
plan, as well as the potential loss of revenue from the Educational
Broadband Services ("EBS") channels.
21
Business Risk Profiling Summary Analysis
Environmental Risk
Definition
Major competitors take actions to establish and sustain
competitive advantage over the University or even threaten its
ability to survive. Changes in regulations and actions by national
or local regulators can result in increased competitive pressures
and significantly affect an organization's ability to efficiently or
effectively conduct business. Other environmental or external
factors outside of the span of the University’s control may also
adversely impact the organization and its operations. Failure to
monitor a changing environment may result in obsolete
strategies.
Analysis
Overall, environmental risks appear to be low and are monitored.
Competitor risk is high as competition for qualified students increases,
and close proximity to other universities dictates. Compliance with
regulatory requirements and maintaining accreditation status is essential
for preventing potential impairment of image and reputation.
Fraud Risk
Definition
The risk that employees, students, vendors or third parties
individually or in collusion perpetrate fraud against the
University, resulting in financial loss or unauthorized use or
misappropriation of physical, financial or information assets.
There is also potential for legal exposure, impairment of image
and reputation as well as an adverse impact on operations.
© Grant Thornton LLP. All rights reserved.
Analysis
Overall, fraud risks appear to be moderate. As the University has tackled
many pressing issues over the past couple years, it appears there has
been less focus on ensuring that design and operating effectiveness of
policies, procedures, and controls is adequate. Additionally, a lack of a
consistent, formal internal audit program increases the opportunity for
fraud and/or misappropriation of assets.
22

similar documents