Audit Plan 2008-09
State University of New York
System Administration
Office of the University Auditor
Albany, NY 12246
Approved by the Audit Committee on June 10, 2008
I. Introduction
The objective of the internal audit function is to assist the State University of New York (University) Board of Trustees and management in the effective discharge of their governance responsibilities. The internal audit function is responsible for auditing Campus and System Administration financial, operational, and internal control activities and for providing the Trustees and management with reports on the results of the audits. The audits of the Office of the University Auditor primarily focus on assessing whether processes and controls are adequate to provide reasonable assurance that resources are safeguarded against waste, loss, and misuse; that operations are efficient and effective; that specific management objectives are achieved; that financial and performance reports are reliable; and that there is compliance with applicable laws and regulations. The audit reports issued by the Office of the University Auditor are designed to add value and improve operations. Audit resources are devoted to addressing areas perceived with the highest relative risk and areas that cover the University's core business activities. The results of the audits are communicated to the members of the Audit Committee of the Board of Trustees, Campus officials, the Chancellor, Vice Chancellors, and others as appropriate.
The internal audit function of the University consists of the Office of the University Auditor (OUA), and eight internal audit offices located at six campuses (Albany, Binghamton, Buffalo, Stony Brook, Brooklyn, and Syracuse). Periodically, the OUA reports to the Audit Committee of the Board of Trustee on audit activity for all internal audit offices (University-wide).
The 2008-2009 Audit Plan addresses the audit priorities of the University and serves as the work plan for the Office of the University Auditor. Although located at System Administration, the Office of the University Auditor has been given the authority, under its charter, to audit and examine all areas within the University. In doing so, the Office of the University Auditor strives to coordinate assignments and collaborate with the campus based internal audit departments, as well as with the University's independent auditors and the Office of the State Comptroller to maximize our resources.
II. Development of the Audit Plan
Our 2008-09 Audit Plan was developed taking into account the University's Strategic Plan, including its commitment to “excellence, integrity, and accountability in all that it does” and a formal risk assessment process. The risk assessment was performed by identifying operational and programmatic areas, obtaining input from both system administration and campus management, considering preliminary research, and analyzing data. A valuation grid was used to identify our audit priorities by taking into account various factors such as: safety, financial impact, public image, complexity, size, internal controls, prior audit coverage, available staffing, the significance of risk, and the likelihood of adverse outcome.
III. Audit Standards
Audits are conducted in compliance with the International Standards for the Professional Practice of Internal Auditing promulgated by the Institute of Internal Auditors. The audit standards provide a framework for performing our work and also establish a basis for evaluation of the work.
IV. Staffing
The Office of the University Auditor, in addition to the University Auditor, includes eight professional auditors, and an administrative staff assistant. The Office of the University Auditor has several vacant professional auditor positions and will seek to fill these positions as resources become available. The Office also utilizes the services of one or more student interns throughout the year. This provides students with practical experience in the auditing field and also allows us to provide additional audit coverage. Our audit staff holds professional certifications such as Certified Public Accountant and Certified Government Financial Manager, and some have earned advanced educational degrees. Staff members regularly attend continuing professional education sessions to maintain their professional proficiency and many also actively pursue professional certification opportunities.
V. Audit Areas
- Campus Audits
The Office of the University Auditor (OUA) proposes to conduct the following audits at a sample of campuses, which will encompass System Administration oversight, where applicable. Some of these projects were rolled from the prior year due to unanticipated special projects and staffing shortfalls. The campuses selected for these audits will be based on a focused risk assessment for the area under audit and will take into account comments from University management. The audits will include a review of the campus based internal control programs. OUA anticipates selecting two or more campuses per audit area.
- Campus Financial Management Practices
The audits will assess internal controls in five critical financial management areas: cash receipts, cash disbursements, procurement, payroll, and inventory. - Information Technology - Access Controls and Disaster Recovery
OUA will determine compliance with security procedures to ensure access to data is restricted, and the data is safeguarded. OUA will also assess the adequacy and completeness of plans to address a temporary loss of information technology (IT) systems. - Financial Aid
The audits will assess campus’ compliance with the Attorney General’s student loan code of conduct. - Employee Travel Reimbursement
This joint audit with the Research Foundation of the State University of New York will assess the adequacy of internal controls over reimbursement of travel expenditures and determine if Campus employees were receiving duplicate travel reimbursements from the Campus and the Research Foundation. - Campus-Related Foundations
OUA will assess selected aspects of administrative and operational controls and compliance for selected foundations. - SUNY Press
OUA will complete a joint audit initiative with the Research Foundation to test internal controls and compliance. - Campus Fuel
OUA will assess controls and procedures in place for the use of and access to fuel at six campuses. - Campus Administered Construction
OUA will verify controls and confirm compliance with policies and procedures for two campus administered construction projects.
- Campus Financial Management Practices
- Health Care Audits
OUA proposes to conduct the following audits related to the healthcare interests of the University.
-
Compliance Programs
OUA will examine the compliance programs at a SUNY Dentistry practice. The objective of our examination is to ensure the compliance program includes the recommended elements (written policies and procedures, compliance with HIPAA, education and training, etc.) as outlined by the Office of the Inspector General (OIG) of the Department of Health and Human Services and to ensure the elements are effectively implemented. Additionally, OUA may examine aspects of the compliance program which will include testing for adherence to specific procedures in such areas as credentialing and medical records.
Clinical Practice Plans
OUA will select one clinical practice plan to determine compliance with the SUNY Board of Trustees Policies related to Clinical Practice Plan management, accounting, auditing, compensation of members, and disbursement of income.
- Follow-up Audits
OUA will conduct audits to confirm that the recommendations from a sample of previous audits have been implemented.
- State University Construction Fund
Under a Memorandum of Understanding, OUA has been engaged to audit the following areas: Fleet Vehicles, Payroll, and Procurement of Other Contracts.
- Consulting Engagement
- Educational Opportunity Program
OUA will work with the Educational Opportunity Program (EOP) to identify opportunities to further improve controls. - Compliance Requirements
OUA, in coordination with the Research Foundation and SUNY's Chief Compliance Officer, will assist the Campuses in identifying ways to address numerous compliance requirements.
- Educational Opportunity Program
- Other Activities
- Audit Oversight, Special Requests, Advisory Services, and Investigations
OUA has allocated audit resources to account for supervisory oversight of audits and related work, and to address any special requests for audits, advisory services, and investigations. OUA will provide guidance and assistance to address alleged fraud concerns as members of the Fraud Investigation Committee. This typically involves coordination with campus personnel and, in many cases, on-site work by OUA. - Procurement Testing
OSC requires all State agencies to perform testing of procurement controls. The University accomplishes this requirement in several different ways, including but not limited to the following audit activities:
- Procurement processes and controls are reviewed and tested as part of the Financial Management Practices Audit (current audit plan includes such an audit at two campuses).
- Testing and exception reporting utilizing a software program that enables us to analyze all procurement transactions processed through the State Voucher System (including Quickpay) for campuses, as well as System Administration. If the process identifies any potentially significant exceptions, they will be investigated, as appropriate.
- Procurement processes and controls are reviewed and tested as part of the Financial Management Practices Audit (current audit plan includes such an audit at two campuses).
- Campus Internal Control Program Review
All campuses are required to implement an internal control program and certify compliance with the NYS Internal Control Act. OUA will conduct a desk review of the internal control program and coordinate with the University's internal control officer to develop the scope of the work and assist with the evaluation process. - Coordination with Campus Internal Auditors
OUA will work more closely with campus internal auditors to maximize our audit resources, eliminate any duplication of effort, share best practices, and focus on our highest risk areas. - Communication with Campus and System Administration
OUA will strive to ensure timely communication with our constituents. OUA representatives participate in the meetings of the State University and Community College Business Officers' Associations and also provide senior management with information on audit issues, trends, and emerging issues. - Miscellaneous Campus Evaluation Information
OUA receives and compiles information related to campuses that is received from other entities. As appropriate, this data is distributed to campuses as a precursor to discussions related to operational improvement opportunities. - Continuing Professional Education (CPE)
OUA will endeavor to fulfill the professional auditing standards requirement that auditors obtain continuing professional education in order to maintain and enhance their skills and proficiencies. - Quality Assurance Review
As required by the International Standards for the Professional Practice of Internal Auditing, the Office of the University Auditor will continue to assess its operations for quality improvement opportunities. - Miscellaneous Administrative Requirements
OUA will complete administrative responsibilities, such as: budgeting and scheduling, OSC and external audit assistance, and other related duties.
- Audit Oversight, Special Requests, Advisory Services, and Investigations
State University of New York
Office of the University Auditor
2008-2009 Audit Plan
Reconciliation of Audit Plan to Available Work Days
| Audit Plan Requirement | Allocated Work Days |
% of Time |
|---|---|---|
| Campus Financial Management Practices | 160 | 10.8% |
| IT Access Controls and Disaster Recovery | 100 | 6.7% |
| Financial Aid - Student Loan Code of Conduct | 60 | 4.1% |
| Travel Reimbursement Research Foundation Joint Project | 60 | 4.1% |
| Campus Related Foundations | 100 | 6.7% |
| SUNY Press | 60 | 4.1% |
| Campus Fuel Controls | 60 | 4.1% |
| Campus Administered Construction | 90 | 6.1% |
| Healthcare - OIG Compliance Plan | 80 | 5.4% |
| Healthcare - Clinical Practice Plan | 120 | 8.1% |
| Follow-up Audits | 60 | 4.1% |
| Construction Fund (MOU) | 100 | 6.7% |
| Consultation: EOP and Compliance Requirements | 100 | 6.7% |
| Special Requests, Advisory Services, External Audits, and Investigations | 330 | 22.3% |
| Total Audit Plan Requirement | 1,480 | 100.0% |
| Reconciliation to Available Work Days | ||
| Annual Number of Work Days | 260 | |
| Less Non-Audit Assignments: | ||
| Administrative Responsibilities | 12 | |
| Allocation for Leave Time | 20 | |
| Allocation for Holidays | 13 | |
| CPE (IIA Standards) | 5 | |
| Work Days Available per Staff | 210 | |
| Number of Staff Available | 8 | |
| Total Annual Work Days Available for Audit Plan | 1,680 | |
| Work Days for Carryover from 2007-08 | 200 | |
| Adjusted for Available Work Days | 1,480 | |
State University of New York
Office of the University Auditor
2008-2009 Audit Plan
| Audit Plan Requirement | Description | Campus Visits | Allocated Work Days | % of Time |
|---|---|---|---|---|
| Campus Financial Management | Audit controls over cash receipts & disbursements, procurement (including P-card and travel card activity), payroll, and inventory. | 2 | 160 | 10.8% |
| IT Access Controls & Disaster Recovery | Review of compliance to security procedures to ensure authorized access to data, and safeguarding of the same. Also, review of contingency plans to address loss of IT services. | 2 Campuses including review of System Administration Oversight & Controls | 100 | 6.7% |
| Financial Aid | Verify compliance with the Attorney General's Student Loan Code of Conduct. | 4 | 60 | 4.1% |
| Travel Reimbursement | Joint Project with RF to review controls and ensure no duplicate reimbursements. | 2 | 60 | 4.1% |
| Campus-related Foundations | Audit of selected aspects of operations and compliance | 2 | 100 | 6.7% |
| SUNY Press | Joint Project with RF: Audit controls and compliance. | N/A | 60 | 4.1% |
| Fuel | To assess controls over campus fuel access and utilization. | 6 | 60 | 4.1% |
| Campus Administered Construction Projects | To assess compliance and procedures related to campus construction. | 2 | 90 | 6.1% |
| Healthcare – Compliance Programs | Audit compliance programs in accordance with OIG guidelines. | 1 Dental Clinic | 80 | 5.4% |
| Healthcare – Clinical Practice Plans | Audit clinical practice plans to ensure compliance with the policies of the Board of Trustees. | 1 Clinical Practice Plan | 120 | 8.1% |
| Follow-up Audits | Confirm that recommendations have been implemented by the Campuses. | 6 | 60 | 4.1% |
| State University Construction Fund (MOU) |
Audits of Fund procurement processes and procedures over other contract services, payroll, and fleet vehicles. | N/A | 100 | 6.7% |
| University Wide Programs: EOP and Campus Compliance Concerns | Consultation to assist in improving controls for the Educational Opportunity Programs, and facilitate campus compliance with various requirements. | Collaborative consultant work; Visits to be determined | 100 | 6.7% |
| Audit Oversight, Special Requests, Advisory Services, External Audits and Investigations | Provide audit oversight and review areas and campuses as requested and assist in investigations. | N/A | 330 | 22.3% |
| Total Audit Plan Requirement | 1,480 | 100.0% | ||
Note: If additional resources become available or the resources budgeted for specially requests, advisory services, and investigations are not needed, the audit plan will be expanded to address the following audit area(s): Income Fund Reimbursable Program, Student Financial Aid, International Education Program, Firearm Safety, Tuition, and Accounts Receivable.