Internal Audit Plan for 2023-24
July 19, 2023
INTERNAL AUDIT PLAN 2023-24
ETHICS, COMPLIANCE AND AUDIT SERVICES
UNIVERSITY OF CALIFORNIA
Risk Assessment and Plan Development
RISK ASSESSMENT PROCESS
The result of the risk assessment is an informed perspective on the current risk environment including a prioritization of risks that are scalable to available resources. The
key steps in the annual audit risk assessment process are outlined below.
- Solicit input from the Regents, Senior Management and systemwide and location management
- Rely on existing risk identification processes wherever they exist (e.g. Compliance, Risk Services, functional areas)
- Gather and assess input from external sources (e.g. regulatory, industry)
- Share information among location auditors to leverage input and ensure consistent consideration of risks of interest, industry sources
Distribution of Direct Hours
DISTRIBUTION BY PROJECT TYPE
The chart below depicts the direct hours distribution by
project type for the 2023-24 plan. It demonstrates that
Internal Audit has allocated over half of its planned direct
hours to planned and supplemental audits. Internal Audit
allocated its remaining time to advisory services,
investigations, audit follow up and audit support activities.
[Chart: direct hours by project type]
- Planned Audits: 47%
- Advisory Services: 22%
- Audit Support: 10%
- Investigations: 8%
- Supplemental Audits: 7%
- Audit Follow Up: 6%
PLANNED PROJECTS BY FUNCTIONAL AREA
This chart illustrates the distribution of Internal Audit’s
2023-24 planned projects by functional area. Internal
Audit allocated nearly half of its planned project hours
to information management and technology, health
sciences operations, and financial management.
[Chart: planned projects by functional area]
- Information Management and Technology: 19%
- Health Sciences Operations: 14%
- Financial Management: 12%
- Governance: 9%
- Risk, Environment and Safety: 8%
- Academic Units and Programs: 7%
- Human Resources and Benefits: 6%
- Research: 6%
- Auxiliary, Business and Support Services: 6%
- Student Affairs: 4%
- Budget and Planning: 3%
- Facilities, Construction and Maintenance: 3%
- Office of the President: 1%
- Development and External Relations: 1%
- Lab Research Programs and Processes: 1%
Systemwide Audits and Other Highlighted Projects
The following projects are planned systemwide audits and other noteworthy projects to be performed by ECAS in 2023-24. ECAS conducts systemwide audits for the
purpose of reviewing an existing or potential issue across the UC system to identify and address common risk areas.
- UC Health Affiliations: ECAS will coordinate an evaluation of UC’s compliance with Regents Policy on Affiliations with Healthcare Organizations that Have Adopted Policy-Based Restrictions on Care.
- Capital Programs: ECAS will review the Office of the President’s role in capital projects, including governance, oversight, and policy, to identify opportunities for improvement.
- Retirement Administration*: ECAS will conduct an operational review of the Retirement Administrative Services Center to identify opportunities to improve internal controls and efficiency.
- Executive Compensation: ECAS will coordinate verification of the Annual Report on Executive Compensation, which is performed by local internal audit departments on a rolling three-year cycle.

* Will be performed under Attorney/Client Privilege
Cybersecurity Audits
ECAS’ Cybersecurity Audit Team (CAT) identified the following priority audits for 2023-24 to address cybersecurity risks. The CAT is a specialized unit within the systemwide
Office of Audit Services that supports local internal audit offices with cybersecurity expertise and performs specialized internal audit projects across the system.
- Research Cybersecurity: ECAS will coordinate a systemwide audit focused on evaluating each UC location’s research cyber-risk management program, including compliance with current and pending federal government cybersecurity requirements for research data.
- Cloud Cybersecurity: ECAS will evaluate a selection of UC locations’ cybersecurity controls to protect University systems and data that utilize cloud computing services.
- Large UC IT Service Provider: ECAS will assess foundational security controls in units that provide IT services to large segments of their UC location.
- UC Health Data Warehouse Phase 2: ECAS will review security controls in the new cloud-based architecture as well as overall governance and security practices for the UC Health Data Warehouse.
Themes in Location Audit Plans
Each location’s internal audit plan is developed by its local internal audit department based on a risk assessment using a consistent systemwide methodology. ECAS
identified the following themes in its analysis of local audit plans. This analysis illustrates that UC’s internal audit departments are addressing a broad range of high-risk
topics in their 2023-24 plans.
Healthcare
- Revenue cycle
- Controlled substances
- 340B program (drug pricing) compliance

Compliance
- Title IX
- Sponsored projects
- Web accessibility
- Laboratory safety
- Native American Graves Protection and Repatriation Act (NAGPRA)

Information Technology
- System access
- Enterprise system implementations
- Disaster recovery

Financial Management
- Procurement
- Travel and entertainment
- Incentive plans
- Gift administration
Resources and Planned Allocation of Effort
OVERVIEW OF RESOURCES AND PLANNED ACTIVITIES
The table to the right provides a high-level
overview of the 2023-24 consolidated plan
including available internal audit personnel and the
distribution of planned internal audit hours by
service type and University environment.
| PERSONNEL | 2023-24 Plan | Prior Year Plan |
|---|---|---|
| Authorized staff level | 113 FTE’s | 109 FTE’s |
| Average staff level | 103 FTE’s | 103 FTE’s |

DISTRIBUTION OF PLANNED ACTIVITIES:

| By Audit Activity Type (hours/%) | 2023-24 Plan (hours) | 2023-24 Plan (%) | Prior Year Plan (hours) | Prior Year Plan (%) |
|---|---|---|---|---|
| Audits | 96,247 | 67% | 95,384 | 65% |
| Advisory Services | 34,639 | 24% | 36,913 | 25% |
| Investigations | 13,239 | 9% | 14,213 | 10% |
| Total | 144,125 | 100% | 146,510 | 100% |

| By University environment | 2023-24 Plan | Prior Year Plan |
|---|---|---|
| Campus/Laboratory* | 77% | 79% |
| Health Sciences | 23% | 21% |
| Total | 100% | 100% |

*Includes Lawrence Berkeley National Laboratory (LBNL), Agriculture & Natural Resources (ANR), and UCOP
AVAILABLE RESOURCES
The table below depicts the staffing level assumed in the plan and quantifies the human resources available to assign to audit activities. Total hours are reduced for non-controllable hours (vacation, holiday and illness per University policy), program administration and training.

| | 2023-24 Plan Hours | 2023-24 Plan Percent | 3/31/23 Annualized Hours | 3/31/23 Annualized Percent |
|---|---|---|---|---|
| Weighted Average FTE | 103 | | 103 | |
| Personnel Hours | 213,240 | 97.7% | 214,483 | 97.3% |
| Other Resource Hours | 4,925 | 2.3% | 6,046 | 2.7% |
| Gross Available Hours | 218,165 | 100.0% | 220,529 | 100.0% |
| Less: Non-Controllable Hours | 35,808 | 16.4% | 40,757 | 18.5% |
| Less: Admin/Training | 21,589 | 9.9% | 29,510 | 13.4% |
| Total Direct Hours | 160,768 | 73.7% | 150,262 | 68.1% |

RESOURCE ALLOCATION
The table below displays the deployment of the available resources among our activities by type (audit, advisory services and investigations). Internal Audit has committed the majority of its planned efforts to audit projects with the remaining time committed to advisory services and investigations.

| | 2023-24 Plan Hours | 2023-24 Plan Percent | 3/31/23 Annualized Hours | 3/31/23 Annualized Percent |
|---|---|---|---|---|
| Audit Program | | | | |
| Planned Audits* (198 projects) | 74,880 | 46.6% | 86,579 | 57.6% |
| Supplemental Audits | 12,098 | 7.5% | 2,452 | 1.6% |
| Audit Follow Up | 9,269 | 5.8% | 7,088 | 4.7% |
| Total Audit Program | 96,247 | 59.9% | 96,119 | 64.0% |
| Advisory Services | | | | |
| Planned Projects* (71 projects) | 17,965 | 11.1% | N/A | N/A |
| Supplemental Hours | 16,674 | 10.4% | N/A | N/A |
| Total Advisory Services | 34,639 | 21.5% | 32,450 | 21.6% |
| Investigations | 13,239 | 8.2% | 7,031 | 4.7% |
| Audit Support Activities | 16,643 | 10.4% | 14,662 | 9.8% |
| Total Direct Audit Hours | 160,768 | 100.0% | 150,262 | 100.0% |
DISTRIBUTION OF AVAILABLE HOURS
The table to the right provides a more detailed breakdown of
planned time as a basis for ongoing accountability. From this
detail the continuing commitment to timely audit follow-up is
displayed by the plan to invest over 9,000 hours. The category of
Compliance Support represents our efforts to integrate the
Compliance and Audit Programs into joint efforts such as annual
plan development, project coordination and ongoing risk
monitoring.
| | 2023-24 Plan | Percent | 3/31/2023 Annualized Actual | Percent |
|---|---|---|---|---|
| INDIRECT HOURS | | | | |
| Administration | 12,759 | 7.0% | 20,093 | 11.2% |
| Professional Development | 7,806 | 4.3% | 9,417 | 5.2% |
| Other | 1,024 | 0.6% | - | 0.0% |
| TOTAL INDIRECT HOURS | 21,589 | 11.8% | 29,510 | 16.4% |
| DIRECT HOURS | | | | |
| Audit Program | | | | |
| Planned New Audits | 75,180 | 41.3% | 86,578 | 48.2% |
| Supplemental Audits | 11,798 | 6.5% | 2,452 | 1.4% |
| Audit Follow up | 9,269 | 5.1% | 7,088 | 3.9% |
| Total Audit Program Hours | 96,247 | 52.9% | 96,119 | 53.5% |
| Advisory Services | | | | |
| Consultations/Spec. Projects | 25,342 | 13.9% | 24,136 | 13.4% |
| Ext. Audit Coordination | 4,965 | 2.7% | 5,151 | 2.9% |
| Systems Dev., Reengineering Teams, etc. | 1,270 | 0.7% | 20 | 0.0% |
| Internal Control & Accountability | 1,461 | 0.8% | 955 | 0.5% |
| Compliance Support | 1,200 | 0.7% | 2,036 | 1.1% |
| IPA, COI & Other | 401 | 0.2% | 152 | 0.1% |
| Total Advisory Services Hours | 34,639 | 19.0% | 32,450 | 18.1% |
| Investigations Hours | 13,239 | 7.2% | 7,031 | 3.8% |
| Audit Support Activities | | | | |
| Audit Planning | 4,114 | 2.3% | 3,355 | 2.0% |
| Audit Committee Support | 1,766 | 1.0% | 761 | 0.4% |
| Systemwide Audit Support | 3,436 | 1.9% | 4,824 | 2.7% |
| Computer Support* | 4,496 | 2.5% | 4,327 | 2.4% |
| Quality Assurance | 2,831 | 1.6% | 1,395 | 0.8% |
| Total Audit Support Hours | 16,643 | 9.1% | 14,662 | 8.2% |
| TOTAL DIRECT HOURS | 160,768 | 88.2% | 150,262 | 83.6% |
| TOTAL NET AVAILABLE HOURS | 182,357 | 100.0% | 179,772 | 100.0% |

* Includes time spent on audit management system upgrades and functional enhancement
Planned Internal Audit Projects
The following tables list all the planned audit and advisory service projects at each location, their proposed general scope and corresponding planned hours.

| UC OFFICE OF THE PRESIDENT AUDITS | SCOPE STATEMENT | HOURS |
|---|---|---|
| Prior Year Projects - Carryforward | Prior year carryforward. | 1,500 |
| UC Health Affiliations (Systemwide) | Interim audit to evaluate the University's progress implementing Regents Policy 4405: Policy on Affiliations with Healthcare Organizations that Have Adopted Policy-Based Restrictions on Care. | 300 |
| Annual Report on Executive Compensation (AREC) and Chancellor Expenses (G-45) (Systemwide) | Verify the accuracy, completeness, and timely preparation of the Annual Report on Executive Compensation. Review annual Presidential expense reports to ensure that they have been prepared, reviewed, and submitted in accordance with policy. | 200 |
| Capital Programs | Review the Office of the President’s role in capital projects, including governance, oversight and policy, to identify opportunities for improvement. | 1,000 |
| Retirement Administration Service Center (RASC) | Operational review of the Retirement Administration Service Center to be performed under Attorney/Client Privilege. | 650 |
| Oracle eLedger and Depreciation | A post-implementation assessment of Oracle eLedger (general ledger for the endowment and investments portfolio) and the systemwide depreciation tool. | 225 |
| Medical Centers Clinical Enterprise Management Recognition Plan (CEMRP) | Annual audit to assess the accuracy of CEMRP award calculations and award compliance with the incentive plan. | 350 |
| Office of the Treasurer Annual Incentive Plan (AIP) | Annual audit to assess the accuracy of AIP award calculations and annual payouts and verify compliance with the incentive plan. | 150 |
| Electric Service Provider (ESP) Power Supply Verification | Annual audit of power content reporting to the California Energy Commission (CEC). | 75 |
| Lawrence Berkeley National Lab (LBNL) Audit Support - Home Office Costs | Assistance to LBNL for its annual audit of UC National Laboratories (UCNL) Home Office Costs. | 100 |
| Research Cybersecurity (Systemwide) | The Cybersecurity Audit Team will lead a systemwide audit focused on evaluating each location’s program to manage cyber risks in research including compliance with current and pending federal government cybersecurity requirements for research data. The protection of research data from cybersecurity threats is a crucial aspect of maintaining data integrity and reproducibility in scientific research, as well as preventing the loss or leakage of sensitive research data. Results from this audit will help to improve cybersecurity efforts in research areas and inform an approach to further develop cybersecurity compliance efforts at locations and across the system. | 300 |
| UC OFFICE OF THE PRESIDENT AUDITS (CONT.) | SCOPE STATEMENT | HOURS |
|---|---|---|
| Cloud Cybersecurity | This audit will focus on UC location cybersecurity programs’ controls to protect University systems and data that utilize cloud computing services. The audit will identify a sample of cloud computing environments that process and/or store significant amounts of University data and evaluate a review of cybersecurity controls in place to protect the data and systems at several UC locations. As part of this audit, the cybersecurity audit team (CAT) will perform vulnerability assessments and penetration testing. | 2,300 |
| UC Health Data Warehouse - Phase 2 | This is a continuation of the phase 2 audit of the UC Health Data Warehouse. This audit will focus on security controls securing the data warehouse in the new cloud-based architecture as well as overall governance and security practices in place to protect the Health Data Warehouse. | 350 |
| Threat Detection and Identification (TDI) Audit Follow-up | Evaluate the implementation of recommendations from the fiscal year FY21 TDI audit across UC locations and at the Office of the President. | 100 |
| UCLA Health and Student Health Special Committee Compliance Monitor | Continue to serve as Compliance Monitor for the implementation of recommendations from the UCLA Health and Student Health Special Committee Report. | 300 |

| UC OFFICE OF THE PRESIDENT ADVISORY SERVICES | SCOPE STATEMENT | HOURS |
|---|---|---|
| Patent Acknowledgement Compliance Advisory Assistance | Advisory assistance to improve Patent Acknowledgement compliance across the system. | 100 |
| Royalty Audit Approach | Develop and refine a systemwide approach for identifying licenses for royalty audits to help ensure that the University is receiving the full benefit of its license agreements. | 250 |
| Treasury Management System Controls | Review planned procedures for new treasury management system to assess adequacy of internal controls. | 200 |
| Accounting Payroll Claims Process | Advisory assistance on the UC-State Controller's Office payroll and benefits claims process automation pilot. | 100 |
| Climate Funding | Evaluate governance, processes, and controls in place to ensure climate funding from the state is allocated and expended appropriately and in accordance with requirements. | 300 |
| UC Office of the President sub-total | | 8,850 |
| LBNL AUDITS | SCOPE STATEMENT | HOURS |
|---|---|---|
| FY23 UC Office of the National Laboratories (UCNL) Home Office Costs | Audit of FY23 UCNL home office costs charged to LBNL. | 450 |
| FY24 Office of Management and Budget (OMB) A-123 Information Technology (IT) Controls | Audit of selected IT controls for compliance with OMB A-123 requirements. | 550 |
| Subcontract audit - Perma-Fix Old Town Phase VI | Audit of invoiced costs for Time & Materials (T&M) subcontract #7599224 for compliance with subcontract. | 650 |
| FY24 Time and Effort Reporting | Review time reporting controls for accuracy and reliability of effort charged to projects. | 550 |
| FY24 Procurement Card (Pcard) Controls | Review Pcard controls to ensure charges are allowable and in compliance with policy. | 550 |
| Talent Retention Management | Review retention efforts to effectively reduce turnover in critical / difficult-to-replace positions. | 550 |
| Work Planning & Control (WPC) - Electrical Energization Activities | Review WPC safety measures for electrical energization activities in maintenance projects. | 550 |
| FY24 Controls Assessment and Monitoring | Assessment of key controls to address risks and issues from prior audits. | 550 |

| LBNL ADVISORY SERVICES | SCOPE STATEMENT | HOURS |
|---|---|---|
| FY23 Incurred Cost Submission (ICS) Review | Quality assurance review and mathematical verification of ICS schedules prior to Department of Energy (DOE) submission. | 500 |
| Annual Report on Executive Compensation (AREC) (Systemwide) & Senior Management Group (SMG) Outside Professional Activities (OPA) | Verify the accuracy, completeness, and timely preparation of the Annual Report on Executive Compensation and SMG OPA for calendar year 2023. | 350 |
| LBNL sub-total | | 5,250 |
| UC BERKELEY AUDITS | SCOPE STATEMENT | HOURS |
|---|---|---|
| Prior Year Projects - Carryforward | Prior year carryforward. | 400 |
| Research Conflicts of Interest | Evaluate the design and operating effectiveness of internal controls related to the identification, review, disclosure, and mitigation of potential research conflicts of interest related to sponsored research. | 425 |
| Remote Access Protocols to Campus Systems (Elevated Access Roles - Admin, Security, Database) | Evaluate the design and operating effectiveness of internal controls related to remote system access for elevated access user roles (administrator, security, database, etc.). | 425 |
| Student Employment Lifecycle | Evaluate the design and operating effectiveness of internal controls related to the recruitment, hiring, onboarding, payroll, position management, and offboarding of undergraduate and graduate student employees. | 425 |
| Office of Environment, Health & Safety | Evaluate the design and operating effectiveness of departmental processes and internal controls related to key functions and responsibilities. | 425 |
| Employee Reimbursement (Travel, Entertainment, and Miscellaneous) | Evaluate the design and operating effectiveness of internal controls related to employee reimbursements (travel, entertainment, and miscellaneous), including the risk of fraudulent disbursements. | 425 |
| Berkeley Financial System (BFS) System Access (Segregation of Duties) | Evaluate the design and operating effectiveness of internal controls related to assignment, approval, and management of user roles in the campus financial system, including appropriate segregation of duties. | 425 |
| Office of the Registrar | Evaluate the design and operating effectiveness of departmental processes and internal controls related to key functions and responsibilities. | 425 |
| Campus Housing | Evaluate the design and operating effectiveness of departmental processes and internal controls related to key functions and responsibilities. | 425 |
| Research Cybersecurity (Systemwide) | A systemwide audit focused on evaluating each location’s program to manage cyber risks in research including compliance with current and pending federal government cybersecurity requirements for research data. | 300 |
| UC Berkeley sub-total | | 4,100 |
| UC DAVIS AUDITS | SCOPE STATEMENT | HOURS |
|---|---|---|
| Prior Year Projects - Carryforward | Prior year carryforward. | 200 |
| Data Warehouse Availability | Assessment of solutions and processes for critical data warehousing in service of the Davis campus, with a focus on data integrity and consistency across various end-user facing systems. | 300 |
| Purchasing Card Reconciliations | Assessment of practices related to departmental payment card expense reporting and Aggie Expense integration. | 300 |
| UC Payroll, Academic Personnel, Timekeeping & Human Resources system (UCPath) Separation of Duties | Review of risk mitigation strategies for instances where an inadequate separation of duties has been noted within UCPath. | 300 |
| Graduate School of Management Information Security (IS)-3 | Assessment of Graduate School of Management's (GSM) compliance with UC Business Financial Bulletin (BFB)-IS-3 Electronic Information Security. | 300 |
| Online Content Accessibility | Assessment of compliance with accessibility requirements for online content; to include webpages, applications, courses, and other audio/visual materials. | 300 |
| Student Data | Assessment of procedures for storage and handling of a risk-based sample of student datasets held outside of Banner. | 300 |
| Research Cybersecurity (Systemwide) | A systemwide audit focused on evaluating each location’s program to manage cyber risks in research including compliance with current and pending federal government cybersecurity requirements for research data. | 500 |
| Executive Travel | Assessment of practices for executive travel and entertainment reporting. | 300 |
| Campus Violence Threat Assessment Process | Assessment of processes for identifying and preparing for potential threats of violence. | 300 |
| Data Asset Management | Assessment of controls over personal and other sensitive data held outside of the Electronic Medical Record. | 300 |
| Multifactor Authentication | Assessment of the implementation of MFA solutions on devices and systems managed by UC Davis Health (UCDH) IT. | 300 |
| Retail Pharmacy Revenue | Assessment of the accuracy and completeness of billing and accounts receivable collections for Retail Pharmacy revenue. | 300 |
| Denials Management | Assessment of processes for root cause analysis, reworking, and resubmission of healthcare reimbursement claims originally denied by third-party payers. | 300 |
| UC DAVIS AUDITS (CONT.) | SCOPE STATEMENT | HOURS |
|---|---|---|
| Sexual Violence and Sexual Harassment (SVSH) Complaints Process | Assessment of processes for receiving, logging, triaging, and responding to SVSH complaints at UC Davis Health. | 300 |
| Patient Services Recovery Program | Assessment of potential for fraud or other unintended loss through a complementary benefits program. | 300 |
| UC Health Affiliations (Systemwide) | Interim audit to evaluate the University's progress implementing Regents Policy 4405: Policy on Affiliations with Healthcare Organizations that Have Adopted Policy-Based Restrictions on Care. | 300 |

| UC DAVIS ADVISORY SERVICES | SCOPE STATEMENT | HOURS |
|---|---|---|
| Administrative and Transition Reviews: Office of Research Admin Review | Assessment of internal controls, administrative processes, and five-year financial performance in a Dean’s, Vice Chancellor’s or Vice Provost’s office, performed every five years or upon a change in leadership. | 300 |
| Administrative and Transition Reviews: Continuing and Professional Education Admin Review | Assessment of internal controls, administrative processes, and five-year financial performance in a Dean’s, Vice Chancellor’s or Vice Provost’s office, performed every five years or upon a change in leadership. | 300 |
| Administrative and Transition Reviews: College of Agricultural and Environmental Sciences Admin Review | Assessment of internal controls, administrative processes, and five-year financial performance in a Dean’s, Vice Chancellor’s or Vice Provost’s office, performed every five years or upon a change in leadership. | 300 |
| Administrative and Transition Reviews: University Library Admin Review | Assessment of internal controls, administrative processes, and five-year financial performance in a Dean’s, Vice Chancellor’s or Vice Provost’s office, performed every five years or upon a change in leadership. | 300 |
| Administrative and Transition Reviews: Information and Educational Technology Admin Review | Assessment of internal controls, administrative processes, and five-year financial performance in a Dean’s, Vice Chancellor’s or Vice Provost’s office, performed every five years or upon a change in leadership. | 300 |
| Administrative and Transition Reviews: Diversity, Equity, and Inclusion Admin Review | Assessment of internal controls, administrative processes, and five-year financial performance in a Dean’s, Vice Chancellor’s or Vice Provost’s office, performed every five years or upon a change in leadership. | 300 |
| Financial Deficits | Assessment of the processes implemented to review and monitor financial deficits across the university. | 300 |
| UC DAVIS ADVISORY SERVICES (CONT.) | SCOPE STATEMENT | HOURS |
|---|---|---|
| Aggie Enterprise Financial Controls Design | Assessment of the design and implementation of financial controls in the Aggie Enterprise financial system. | 300 |
| AggieAccess | Assessment of implementation and configuration of physical security measures on the Davis campus related to the AggieAccess project. | 300 |
| College of Engineering Contracts and Grants Accounting | Assessment of transparency and reliability of contracts and grants accounting across the various departments in the College of Engineering. | 300 |
| Specially Funded Programming | Assessment of processes for proposing, funding, evaluating, and if appropriate sunsetting special programs. | 300 |
| Information Security Governance and Strategy | Assessment of the information security governance environment, with focus on strategy setting, tone at the top, and accountability. | 300 |
| Firewall Rules Configuration | Assessment of the ability of firewall solutions to protect critical UC Davis Health information resources. | 300 |
| Central Security Information and Event Management (SIEM) Logging | Assessment of the comprehensiveness of data collection, and processes for responding to insight gained through UC Davis Health’s Security Information Event Management Logging program. | 300 |
| Emergency Patient Registration | Assessment of processes for timely patient registration in the Emergency Department, for the purpose of accurate billing for services provided. | 300 |
| 340B Contracting | Assessment of processes for managing 340B drug pricing agreements with third-party pharmacies to ensure that UC Davis Health is receiving bargained-for reimbursement. | 300 |
| Revenue Integrity Project Outcomes | Comparison of objectives to outcomes of UC Davis Health Financial Services’ Revenue Integrity Project. | 300 |
| User Access Management | Assessment of processes for ensuring that users of information resources at UC Davis Health have access tailored to their business needs, and that changes in business needs result in timely changes. | 300 |
| UC Davis sub-total | | 10,600 |
| UC IRVINE AUDITS | SCOPE STATEMENT | HOURS |
|---|---|---|
| Organized Research Units Travel & Entertainment | This review will focus on internal controls around processing travel and entertainment expenditures, including authorization and approval as well as reconciliation and monitoring. | 300 |
| Mobile Device Management | Assess the adequacy and operating effectiveness of mobile device inventory management and life cycle at UCI Health. | 400 |
| Academic Research Employees Personnel Charges During Strike | Review controls in place to ensure academic research employees (on strike and not working) did not charge federal awards. | 400 |
| Required Training Compliance | Review the controls in place to ensure required training courses, based on role/position, for campus and health sciences employees have been properly identified and adequately tracked/monitored to ensure compliance by the due dates. | 300 |
| Gender Recognition and Lived Name Policy Implementation | Review procedures related to the Gender Recognition and Lived Name policy to ensure proper and timely implementation. | 300 |
| Research Cybersecurity (Systemwide) | A systemwide audit focused on evaluating each location’s program to manage cyber risks in research including compliance with current and pending federal government cybersecurity requirements for research data. | 600 |
| Pharmacy 340B Drug Pricing Program | Review compliance with 340B Drug Pricing Program requirements. | 400 |
| Information Technology Contract Approval Processes | Review processes used to ensure campus IT contracts have been properly reviewed and approved before execution. | 400 |
| Department of Neurology | Determine whether there are adequate internal controls over key administrative and financial processes, such as financial management, clinical trial administration, and compensation plan activities. | 300 |
| Phishing Policies and Guidelines | Determine whether UCI Health Phishing policies and guidelines reflect existing practices and cover key areas to ensure adequate phishing awareness and training. | 300 |
| IS-12 Policy Compliance | Review the controls and processes in place for IS-12 (IT Recovery) compliance. | 400 |
| Fire & Life Safety Services | Assess if required inspections, monitoring, and testing of campus facilities, fire protection equipment, and related processes are being accomplished. | 300 |
| School of Engineering | Focused review related to processes and controls around Conflicts of Interest and Conflicts of Commitment within the school. | 300 |
| UC IRVINE AUDITS (CONT.) | SCOPE STATEMENT | HOURS |
|---|---|---|
| Research Security and Integrity Compliance | Utilizing a risk-based methodology, conduct sample-based reviews to reduce the risk of inaccurate disclosures of potential conflicts and foreign affiliations. | 300 |
| Child Abuse and Neglect Reporting Act (CANRA) Compliance | Review the controls in place to ensure mandated reporters are properly identified and trained, and reporting responsibilities have been acknowledged in accordance with policy. | 400 |
| UC Health Affiliations (Systemwide) | Interim audit to evaluate the University's progress implementing Regents Policy 4405: Policy on Affiliations with Healthcare Organizations that Have Adopted Policy-Based Restrictions on Care. | 300 |
| Space Management | Assess campus processes used to manage and analyze space inventory and utilization. | 400 |
| Website Monitoring Policies and Practices | Evaluate health sciences website monitoring policies and practices to ensure adequate controls are in place to properly review and approve websites prior to launching. | 300 |

| UC IRVINE ADVISORY SERVICES | SCOPE STATEMENT | HOURS |
|---|---|---|
| External Audit Coordination | Internal Audit Services (IAS) is responsible for the external audit coordination function. IAS guides departments through audits performed by outside entities and helps facilitate and expedite these reviews. | 100 |
| Data Analytics | Utilizing data analytics and analysis, identify unusual trends and investigate irregular transactions. | 200 |
| Review of Closed Management Corrective Actions | Reviews of high-risk Management Corrective Actions (MCA) closed by Internal Audit Services in prior year audits to assess continued compliance. | 200 |
| Continuous Auditing Corporate Card Transactions | Utilizing data analytics, test sample corporate card transactions to detect non-compliant transactions or fraud. | 200 |
| Physical Inventory Observations | Review a sample of department year-end physical inventory activities, including test counts and compliance with policies and procedures. | 100 |
| Campus and Medical Center Advisory Committees | Internal Audit Services serves on various advisory committees and provides input and advice on risks, accountability, and internal controls. | 100 |
| UC Irvine sub-total | | 7,300 |
UC LOS ANGELES AUDITS SCOPE STATEMENT HOURS
Prior Year Projects - Carryforward Prior year carryforward.
2,300
Research Cybersecurity (Systemwide) A systemwide audit focused on evaluating each location’s program to manage cyber risks in research including
compliance with current and pending federal government cybersecurity requirements for research data.
335
Purchasing - Purchase-to-Pay (P2P) Audit & Advisory Services (A&AS) will review the organizational structure and internal controls, and the related
systems and procedures of the Procurement function.
600
Department of Intercollegiate Athletics:
Youth Camps
A&AS will assess the adequacy and effectiveness of internal controls over Athletics youth camps.
650
Department of Intercollegiate Athletics:
Collectives
A&AS will perform a review of policies, procedures, and controls in place for collectives.
650
Technology Development Group (TDG)
- Incentive Plan
A&AS will review calculations of TDG Incentive plan.
300
Office of Emergency Management
(OEM)
A&AS will review the practices, programs, and training established to respond to emergency situations that occur
on campus, including fire safety, earthquakes, floods, bomb threat, and active shooter, etc.
500
Food Safety and Inspections - Dining
Facilities (Dining Halls, Bakery,
Commissary)
A&AS will assess Housing & Hospitality (H&H) food safety policies and procedures, and Environmental Health &
Safety's (EH&S) food safety and inspection program, to ensure that diners at H&H dining facilities are safeguarded
against food-borne illnesses and, where applicable, compliance with local, state, and federal laws will also be
reviewed.
500
Lab Safety Inspections A&AS will review Environmental Health and Safety’s procedures, practices, and programs established for campus
lab locations to ensure safe operations by students, staff, and faculty; and to minimize the risk of physical harm to
any authorized persons utilizing laboratory facilities and equipment.
500
Associated Students UCLA (ASUCLA)-
Financial Division - Loss Prevention
A&AS will review the organizational structure and internal controls, and the related systems and procedures
surrounding ASUCLA's Loss Prevention program. The audit scope may include Loss Prevention Reports,
Training, Civil Demand Fees, Overages and Shortages, Safety and Emergency Program, Alarm Systems, Safes, and
Key Management.
250
Food Safety and Inspections - ASUCLA
Restaurants
A&AS will assess ASUCLA's food safety policies and procedures, as well as EH&S' food safety and inspection
program, to ensure that diners at Campus restaurants are safeguarded against food-borne illnesses and, where
applicable, compliance with local, state, and federal laws will also be reviewed.
250
Facilities Management Central
Warehouse
A&AS will review the internal controls and procedures related to the management of Facilities Management's
central warehouse. The scope may include physical security, inventory practices, system access controls,
receiving, issuance, and separation of duties.
350
Program Review Group (PRG) A&AS will review the procedures and internal controls utilized to receive, manage, and disburse PRG funds from
student fees and Chancellor Opportunity Funds. In addition, the project will examine the process used for
identifying and selecting projects for PRG funding.
350
Key Security A&AS will review the internal controls, and the related systems and procedures surrounding key security. In
addition, the project will examine the protocols for employing and managing the new BruinCard readers in
campus buildings.
300
Project Closeout A&AS will review the adequacy of Capital Programs' internal controls and procedures governing the closeout of
capital construction projects. In addition, where applicable, compliance with University policies and procedures
will also be evaluated.
350
Delegations of Authority for Capital
Projects
A&AS will review the existing tools, controls, and procedures used by UCLA Capital Programs to manage capital
construction projects and then benchmark against the campus delegated entities (Facilities Mgmt., Housing &
Hospitality Services, and the Health Sciences). In addition, the review will seek to identify any significant variances
in practices that could adversely impact the University.
500
Departmental Audit: College of Letters
& Science (Math Department)
The purpose of the audit is to ensure there are adequate internal controls over administrative and financial
activities. The potential scope of the audit may include financial management, purchasing, information technology
and security, training, infrastructure issues, etc.
700
Departmental Audit: Anderson Business
School
The purpose of the audit is to ensure there are adequate internal controls over administrative and financial
activities. The potential scope of the audit may include financial management, purchasing, information technology
and security, training, infrastructure issues, etc.
700
Departmental Audit: UCLA School of
Nursing
The purpose of the audit is to ensure there are adequate internal controls over administrative and financial
activities. The potential scope of the audit may include financial management, purchasing, information technology
and security, training, infrastructure issues, etc.
700
Undergraduate Division-Summer Camps Purpose of the review is to assess controls surrounding safety of minors on Campus for youth camps.
500
Sexual Violence and Sexual Harassment
(SVSH) Referrals Campus
A&AS will review the effectiveness of communication channels for SVSH complaints.
350
IT Services: Inventory of Systems The purpose of the review is to collaborate with IT Services and identify the inventory of systems that are used
at UCLA and their level of protection.
400
Housing and Hospitality: Lake
Arrowhead Conference Center (LACC)
A&AS will review whether LACC’s overall organizational structure and controls, and the related systems and procedures,
are conducive to accomplishing its business objectives.
300
Housing and Hospitality: University
Guest House
The purpose of the review is to ensure that the Guest House’s organizational structure and controls, and the
related systems and procedures surrounding Guest House activities, are conducive to accomplishing its business
objectives.
300
Housing and Hospitality: Conference
Services
The purpose of the audit is to review Conference Services organizational structure and controls. Potential areas
of scope are event arrangements, billing and collections, and information systems.
300
Housing and Hospitality (H&H):
Cashiering
Evaluate H&H’s processes and internal controls associated with the cashiering activities to ensure business
practices comply with applicable University accounting principles and standards.
300
Central Ticket Office A&AS will review the effectiveness and efficiency of the process surrounding event creation and other
processes/business practices.
300
UC Health Affiliations (Systemwide) Interim audit to evaluate the University's progress implementing Regents Policy 4405: Policy on Affiliations with
Healthcare Organizations that Have Adopted Policy-Based Restrictions on Care.
335
Charge Capture - Emergency
Department
Audit to assess the adequacy and effectiveness of controls over key charge capture processes, including charge
lag.
500
Charge Capture - Pathology Audit to assess the adequacy and effectiveness of controls over key charge capture processes, including charge
lag.
500
SVSH - Phase 2 - Corrective Actions
Training
This project will assess compliance with corrective action plans outlined by the Special Committee report related
to training requirements.
200
SVSH Referrals - Health Sciences The purpose of the audit is to assess whether departments that may receive complaints about SVSH in the
clinical context were timely reporting those allegations to the Title IX Office.
350
Ronald Reagan (RR) Operating Room
(OR) Inventory and Physical Security
Audit to assess the adequacy and effectiveness of controls over RR OR inventory and physical security controls.
300
Tiverton House The audit will assess the adequacy and effectiveness of internal controls over key financial and administrative
activities.
400
Mednet Active Directory Access
Management
The audit will assess IT access management controls.
500
Clinic - Century City - Primary &
Specialty Care
Audits of multiple clinics will assess the adequacy and effectiveness of internal controls over key activities,
including payment handling, revenue capture, and healthcare vendor relationships.
500
Clinic - Thousand Oaks Hampshire
Immediate-Primary Care
Audits of multiple clinics will assess the adequacy and effectiveness of internal controls over key activities,
including payment handling, revenue capture, and healthcare vendor relationships.
500
Clinic - Laguna Hills Breast Surgery Audits of multiple clinics will assess the adequacy and effectiveness of internal controls over key activities,
including payment handling, revenue capture, and healthcare vendor relationships.
500
Department of Pediatrics -
Departmental Audit
These audits will determine whether there are adequate internal controls over key administrative and financial
processes, such as financial management, research administration, and compensation plan activities.
1,000
Clinic - Oral Maxillofacial Surgery -
Specialty Care
Audits of these clinics will assess the adequacy and effectiveness of internal controls over key activities, including
payment handling, revenue capture, and healthcare vendor relationships.
500
Clinic - Venice Dental Center Audits of these clinics will assess the adequacy and effectiveness of internal controls over key activities, including
payment handling, revenue capture, and healthcare vendor relationships.
500
Faculty Compensation Restructure
Evaluate whether the restructured compensation plan is fair, transparent, and still within University policy after it
goes live.
500
UC LOS ANGELES ADVISORY SERVICES SCOPE STATEMENT HOURS
Student Health & Wellness Advisory
Project
A&AS will assess routing of students to mental health services and certain internal controls.
500
Foreign Influence Advisory Purpose of the advisory review is to advise Research Organization on certain foreign influence controls.
400
OneBill Initiative - Advisory Examine the processes for transportation student accounts receivable within the OneBill initiative. The OneBill
project aims for UCLA to have a single ‘true’ bill for all three UCLA student accounts receivable areas.
300
T2 Flex System The potential scope of the audit may include reviewing controls over rates, sales and refunds.
300
Events & Transportation: BruinAccess
paratransit services
A&AS will review the BruinAccess program’s efficiency and internal controls and review the method of reporting
unfulfilled requests for rides.
300
Performance Management & Personnel
Advisory Project
A&AS will advise on the ongoing merger of the North and South Human Resource and Payroll Center reviewing
its policies and procedures to identify efficiencies and compliance with University policies and procedures in the
areas of digitizing confidential and medical files and rationalizing staff access across service center locations.
300
UC Los Angeles sub-total 22,720
UC MERCED AUDITS SCOPE STATEMENT HOURS
Prior Year Projects - Carryforward Prior year carryforward.
100
Workers' Compensation Review the current process for compliance with regulations and effectiveness of controls.
300
Donation Restriction Accounting
Review processes, procedures and controls around donation restrictions and trace spending in Oracle for release
of restrictions.
300
Project Portfolio Financial Management
(PPFM) Grant Invoicing
Review processes, procedures, and controls around PPFM in the Contracts and Grants process.
300
Research Cybersecurity (Systemwide) A systemwide audit focused on evaluating each location’s program to manage cyber risks in research including
compliance with current and pending federal government cybersecurity requirements for research data.
300
UC MERCED ADVISORY SERVICES SCOPE STATEMENT HOURS
Title VI, VII & IX Review current procedures for handling complaints and cases for current compliance and controls.
300
HR Hiring Process Review and flowchart current Hiring Process and identify opportunities for improvement.
300
Student Financial Cancellation Process Review process for financial cancellation, assess the effectiveness of controls in place and review for any equity
issues.
300
Assembly Bill (AB) 179 Climate
Initiative Funds Review
Review spending for the initiative and assess compliance with legislative intent.
150
Campus Expansion Allocation Funds
Review
Review spending for the initiative and assess compliance with legislative intent.
150
Transition Reviews Review transition of areas with Senior Management Group (SMG) leadership change.
50
Prior Management Corrective Action
(MCA) Follow Up
Review prior high-risk MCAs for current compliance and controls.
60
Monthly Data Analytics Establish process for monthly review of Campus analytics for risk monitoring.
50
Campus Committee Participation Meet with multiple committees to gather information on the status of risks at the university and also raise the
visibility of Internal Audit (IA).
75
UC Merced sub-total 2,735
UC RIVERSIDE AUDITS SCOPE STATEMENT HOURS
R2024-02 Self Supporting Graduate
Degree Programs (SSDP)
General overall audit to determine the adequacy of internal controls and evaluate compliance with applicable
University policies and procedures as well as identify and review revenue and expenditures.
500
R2024-03 Native American Graves
Protection and Repatriation Act
(NAGPRA) Internal Controls follow up
Follow up review of internal controls over human remains and other funerary objects as well as artifacts, cultural
related items and sacred objects and other material in accordance with NAGPRA and the California Native
American Graves Protection and Repatriation Act (CAL-NAGPRA).
300
Chemical Inventory/Laboratory Safety Review internal controls over Chemical inventory and evaluate compliance with various regulations and
applicable UC policies and procedures.
400
Research Cybersecurity (Systemwide) A systemwide audit focused on evaluating each location’s program to manage cyber risks in research including
compliance with current and pending federal government cybersecurity requirements for research data.
400
Annual Report on Executive
Compensation (AREC) (Systemwide)
Verify the accuracy, completeness, and timely preparation of the Annual Report on Executive Compensation.
200
UC Health Affiliations (Systemwide) Interim audit to evaluate the University's progress implementing Regents Policy 4405: Policy on Affiliations with
Healthcare Organizations that Have Adopted Policy-Based Restrictions on Care.
300
R2024-08 UCPath Separation of Duties Audit and Advisory Services (A&AS) will review UCR/UCPath separation of duties and mitigating controls.
250
R2024-09 School of Medicine Clinic(s)
(TBD)
Select UCR Clinic/s on a judgmental basis and review the system of internal controls and compliance with
applicable policy provisions.
500
UC RIVERSIDE ADVISORY SERVICES SCOPE STATEMENT HOURS
R2024-10 Assembly Bill (AB) 179
Climate Initiative Funds Review
Review spending for the initiative and assess compliance with legislative intent.
200
UC Riverside sub-total 3,050
UC SANTA BARBARA - AUDITS SCOPE STATEMENT HOURS
Prior Year Projects - Carryforward Prior year carryforward.
400
Internal Control Review - Humanities
and Fine Arts
Audit and Advisory Services will evaluate effectiveness, efficiency, compliance, and/or the adequacy of internal
controls in one or more areas selected based on risk, with possible coverage of budgeting, revenue (e.g. billing,
accounts receivable, cash), procurement, payroll, sponsored projects, and/or other areas.
275
Conflict of Interest/Conflict of
Commitment in Research
Audit and Advisory Services will assess the adequacy of internal controls over campus sponsored research
conflict of interest and conflict of commitment management processes and overall compliance with related
University policies and procedures. This audit will focus on working in research activities.
275
Research Cybersecurity (Systemwide) A systemwide audit focused on evaluating each location’s program to manage cyber risks in research including
compliance with current and pending federal government cybersecurity requirements for research data.
300
Internal Control Review - Social Science
Division
Along with essential business practices, we will review internal controls in one or more areas selected based on
risk, with possible coverage of budgeting, financial reporting and monitoring, hiring, and/or other areas.
275
IT: Separation of Duties
The objective of this audit would be to identify potential separation of duties gaps in critical campus systems.
Ensuring submitter and approval roles are appropriately assigned and managed in campus systems at the onset of
a system implementation, as well as continued management of roles, is crucial to reduce risks of misuse of
campus resources.
275
Annual Report on Executive
Compensation (AREC) and Chancellor
Expenses (G-45) (Systemwide)
Verify the accuracy, completeness, and timely preparation of the Annual Report on Executive Compensation.
Review annual Presidential expense reports to ensure that they have been prepared, reviewed, and submitted in
accordance with policy.
250
Concur and Travel Cards Audit and Advisory Services will assess internal controls and business practices implemented in the
Travel/Entertainment expense reimbursement system (Concur) to assure current business practices related to
the use of travel cards are in place to support operational effectiveness and efficiency including compliance with
University policies.
310
IT: Critical Security Control in Large IT
Departments
Audit and Advisory Services will evaluate effectiveness, efficiency, compliance, and/or the adequacy of internal
controls in one or more areas selected based on risk, with possible coverage of some of the following areas:
Inventory and Control of Enterprise Assets, Data Protection, Secure Configuration, Access Controls,
Vulnerability Management, Network Infrastructure and Monitoring, Security Awareness, Service Provider
Management, Application Software Security, Incident Response.
300
Faculty Housing Audit and Advisory Services will evaluate the adequacy of internal controls in the faculty housing program to
establish accountability, identify misuse, and enforce compliance with University policy.
300
UC SANTA BARBARA ADVISORY
SERVICES SCOPE STATEMENT HOURS
IT: Legacy Systems Security The objective of this review will be to identify and assess legacy systems and ensure they are meeting UC and
local policies and requirements related to general controls and information security. Possible areas of focus
include inventory of legacy systems and upgrades to address vulnerabilities and security concerns, password
management, physical security, virus and malware protection, use of administrator privileges, unauthorized,
unlicensed, or not supported software, data storage and backup, security of protected information, etc.
250
Bias Incidents Collection and Reporting This advisory will review the process to collect and report bias incidents and determine whether the multiple
entities collecting data regarding bias incidents have implemented adequate practices and controls to avoid
reporting inaccurate, duplicate, or incomplete information.
300
Data Analytics Program - Development
and Collaboration
We have set aside hours for training and other activities for development of our data analytics program, including
possible collaboration with Business & Financial Services.
300
Outreach, Training, and Presentations We will continue our Ethics and Fraud presentation series as part of the Controller’s Financial Management
Certificate Program, Sponsored Projects Training for Administrators in Research (STAR), Payroll and Personnel
System (PPS) Basics classes, and other programs.
280
UC Santa Barbara sub-total 4,090
UC SANTA CRUZ AUDITS SCOPE STATEMENT HOURS
Prior Year Projects - Carryforward Prior year carryforward.
350
Research Cybersecurity (Systemwide) A systemwide audit focused on evaluating each location’s program to manage cyber risks in research including
compliance with current and pending federal government cybersecurity requirements for research data.
400
UCPath Separation of Duties (SOD) Evaluate the design and operating effectiveness of SOD controls related to payroll transactions.
350
Annual Report on Executive
Compensation (AREC) (Systemwide)
Verify the accuracy, completeness, and timely preparation of the Annual Report on Executive Compensation.
200
Chancellor Expenses (G-45)
(Systemwide)
Review annual Presidential expense reports to ensure that they have been prepared, reviewed, and submitted in
accordance with policy.
150
University Relations (UR) Gift
Administration - Donor Intent
Evaluate the design and operating effectiveness of internal controls related to the spending of gifts according to
donors' intentions.
350
Physical Planning, Development and
Operations (PPDO) Service Request
Response
Evaluate the design and operating effectiveness of internal controls related to the timely response to client
requests for services.
350
Web Accessibility Evaluate the design and operating effectiveness of internal controls related to website accessibility for people
with disabilities.
350
Employee Onboarding Process Evaluate the design and operating effectiveness of internal controls related to onboarding of employees.
350
Fire Marshal Services Evaluate the design and operating effectiveness of internal controls related to campus fire marshal key functions
and responsibilities for fire safety.
300
CruzFly Controls Evaluate the design and operating effectiveness of internal controls related to the new CruzFly system for
accurate and timely reimbursements.
350
Climate Resiliency Funds (AB 179)
Controls
Evaluate the design and operating effectiveness of internal controls related to compliance with state climate
resiliency fund requirements.
300
Smarter Balanced Financial
Management
Review yearly budget development process, membership fee calculation procedure, cost allocation
methodologies to services, and reserve fund maintenance/usage procedures to ensure internal controls are in
place to comply with applicable agreements, UC policies and UCSC procedures.
300
UC SANTA CRUZ ADVISORY SERVICES SCOPE STATEMENT HOURS
University Extension (UNEX) Annual
Monitoring
Evaluate the design and operating effectiveness of internal controls related to UNEX finances of its programs.
200
Leadership Transition for Staff Human
Resources
Provide timely and independent reports of the financial and operational status of the division/unit to the new
leader.
300
National Collegiate Athletic Association
(NCAA) Report Annual Review
Verify NCAA annual report on the equality of campus athletics for the chancellor's signature.
100
Leadership Transition for Athletics &
Recreation Director
Provide timely and independent report of the financial and operational status of the division/unit to the new
leader.
200
UC Santa Cruz sub-total 4,900
UC SAN DIEGO - AUDITS SCOPE STATEMENT HOURS
Prior Year Projects - Carryforward Prior year carryforward.
500
Oracle Financial System (OFC) Post-
Implementation
The objective of this review will be to evaluate the status of OFC post-implementation issue remediation and
optimization efforts, and residual financial risk. This may include analysis to determine if risks are adequately
managed, and understand the financial impact of the transition to the new system. Areas of focused review may
include issue remediation tracking and timelines, status of optimization efforts, default accounts monitoring (to
include aging) and resolution, sponsored projects financial reporting, financial conditions and deficits monitoring,
and other open risks.
400
Balance Sheet Account Management
The objective of this review will be to assess whether internal controls and business processes for managing
balance sheet accounts provide reasonable assurance that operations are effective, result in accurate financial
reporting, and are conducted in compliance with University policies. Subject to the risk-based preliminary survey,
detailed scope of the review may include Internal Controls and Accounting (ICA) internal controls for financial
accounts, campus guidelines, and tools to reconcile these financial accounts.
400
Recharge Processing and Oversight The objective of this review will be to assess whether internal controls and business processes for recharge
activities provide reasonable assurance that recharge operations are effective, result in accurate financial
reporting, and are in compliance with relevant policy. Subject to the risk-based preliminary survey results, the
detailed scope of the review may include campus guidelines and procedures, roles and responsibilities,
monitoring process, and system integration, among other areas.
400
Oracle Access Management The objective of this review will be to assess whether internal controls and business processes for establishing
and maintaining roles and profile configurations provide reasonable assurance that only authorized users have
access to data and resources. Additionally, the review will assess processes for user provisioning (onboarding),
deprovisioning (termination), and job function changes. Analysis will also evaluate segregation of duty conflicts in
application management and business processes. Because the area under review relies on the effectiveness of
other core IT general controls, the scope of the review may also include high-level assessment of the contract
between UCSD and Oracle (service provider) and a review of independent third-party assessments on the
control practices in place at the service provider's operating locations. This audit was deferred from the FY2022-23
audit plan.
450
Digital Accessibility & Compliance The objective of this review will be to assess whether the University's information technology controls and
business processes provide reasonable assurance that public access to its internet content and information
technology are effective and in compliance with regulations and the University policies and guidelines.
400
University Extension
The objective of this review will be to perform an overall assessment of University Extension administrative
internal control environment, and determine whether internal controls provide a reasonable assurance that
operations are effective, in compliance with University policy, and result in accurate financial reporting. Subject to
the risk-based preliminary survey results, the detailed scope of the review may include overall financial condition
and deficits, payroll and benefits, transaction processing, accounts receivable, business contracts, equipment
management, and department-based business transactions, among other areas.
400
Library The objective of this review will be to perform an overall assessment of the Library administrative internal
control environment, and determine whether internal controls provide reasonable assurance that operations are
effective, in compliance with University policy, and result in accurate financial reporting. Subject to the risk-based
preliminary survey results, the detailed scope of the review may include overall financial condition and deficits,
payroll and benefits, transaction processing, physical security, environmental controls, insurance, inventory
management, donations and department-based business transactions, among other areas.
400
Financial Aid Fiscal Operations Report
and Application to Participate (FISAP)
Reporting
The objective of this review will be to perform an overall assessment of the FISAP reporting processes to
determine whether internal controls for the units involved provide reasonable assurance that processes support
accurate reporting, roles are clearly identified, and processes are effective and efficient.
400
Equity in Mental Health Funding The objective of this review will be to determine whether internal controls and processes for the distribution,
expenditure, and oversight spending of mental health and well-being funding are effective and consistent with
program requirements as well as University policies and procedures.
350
Research Cybersecurity (Systemwide) A systemwide audit focused on evaluating each location’s program to manage cyber risks in research including
compliance with current and pending federal government cybersecurity requirements for research data.
600
UC Health Affiliations (Systemwide) Interim audit to evaluate the University's progress implementing Regents Policy 4405: Policy on Affiliations with
Healthcare Organizations that Have Adopted Policy-Based Restrictions on Care.
300
Surgical & Perioperative Service Billing The objective of this review will be to evaluate whether internal controls for surgical & perioperative service
billing for UC San Diego Health (UCSDH) services and procedures provide reasonable assurance that operations
are effective, activities are compliant with relevant policies and procedures, and to assess the overall impact on
UCSDH financial results. A preliminary survey will be performed to identify areas where billing occurs, and to
evaluate instances in which billing was incomplete or inaccurate. Based on the preliminary survey, in-depth
analysis of the surgical & perioperative service billing function in one or more areas or service lines may be
performed. The review may include topics such as associated revenue cycle processes, clinician involvement, and
supporting technology.
450
Hospital Late Charges The objective of this review is to assess whether internal controls for late charges for UCSDH hospital-based
services and procedures provide reasonable assurance that operations are effective. A preliminary survey will be
performed to identify areas where late charges occur, and to evaluate the impact of late charges. Based on the
preliminary survey, in-depth analysis of the late charges processes in one or more areas or service lines may be
performed. The review may include topics such as associated revenue cycle processes, staff and clinician
involvement, and supporting technology.
450
Observers and Vendors in Clinical Areas The objective of this review is to evaluate whether internal controls for UCSDH observers and vendors provide
reasonable assurance that operations are effective. A preliminary survey will be performed to identify areas
where observers and vendors are permitted, and to evaluate the impact of their presence in clinical areas. Based
on the preliminary survey, in-depth analysis of observer and vendor in clinical areas processes may be performed.
The review may include topics such as vetting, background check processes, faculty and clinician involvement, and
physical and/or operational security.
400
Moores Cancer Center (MCC) The objective of this review is to evaluate whether internal controls for MCC business operations, including
clinical trial and other sponsored research oversight, provide reasonable assurance that operations are effective,
in compliance with University policy and sponsored research regulations as applicable, and result in accurate
financial reporting. The results of the current consulting engagement review may be considered as appropriate.
450
Altman Clinical and Translational
Research Institute (ACTRI)
The objective of this review is to evaluate whether ACTRI internal controls provided reasonable assurance that
business processes and financial oversight are effective, conducted in compliance with University policy, federal
regulations and terms of the federal award, and result in accurate financial reporting. Focus is intended to be on
clinical trials utilization, oversight, and related clinic operations.
450
Vice Chancellor Health Sciences
Executive Accounts
The objective of this review will be to evaluate whether internal controls and business processes for oversight
for Vice Chancellor Health Sciences executive accounts provide reasonable assurance that operations are
effective, efficient, and in compliance with University policy and procedures. The scope of the review may include
internal controls for selected core business operations (such as payroll and timekeeping, travel and
entertainment, procurement, etc.), overall financial status/fund balances, delegations of authority, and detailed
testing of expenses charged to executive accounts.
400
UC SAN DIEGO ADVISORY SERVICES SCOPE STATEMENT HOURS
Office for the Prevention of Harassment
& Discrimination (OPHD)
Documentation Review – I-Sight
The objective of this review will be to evaluate, from an advisory perspective, OPHD practices for use of the
I-Sight system for case management and documentation for complaints and investigations in this area.
200
Invoicing for Principal Investigator (PI)-
Initiated Clinical Trials
The objective of this review will be to evaluate, from an advisory perspective, business processes and workflow
related to invoicing and accounts receivable for PI-initiated clinical trials. The review may include comparison of
processes related to industry-initiated clinical trials, or other sponsored project invoicing.
200
Native American Graves Protection and
Repatriation Act (NAGPRA)
Compliance
The objective of this review is to evaluate, from an advisory perspective, the effectiveness of the UCSD
NAGPRA compliance program, and make recommendations for improvement. Areas of focused review may
include the adequacy of campus training programs; the timeliness of campus repatriation efforts; the methods for
receiving complaints of noncompliance; and the manner allegations of noncompliance are reviewed and
investigated.
250
Chancellor Expenses (G-45)
(Systemwide)
Review annual Presidential expense reports to ensure that they have been prepared, reviewed, and submitted in
accordance with policy.
250
Annual Report on Executive
Compensation (AREC) (Systemwide)
Verify the accuracy, completeness, and timely preparation of the Annual Report on Executive Compensation.
150
Faculty Compensation Constructive
Receipt
The objective of this review will be to consult with Vice Chancellor for Health Sciences (VCHS) regarding
guidance on compliance with Internal Revenue Service rules and the roles and responsibilities of department
administrators in the disbursements.
200
UC San Diego sub-total 8,850
UC SAN FRANCISCO AUDITS SCOPE STATEMENT HOURS
Research Data Management and Sharing
Program
Assess the processes and controls for planning, submission and implementing Research Data Management and
Sharing Plans to ensure compliance with regulatory requirements.
300
Procure to Pay Accounts Payable Review the internal controls for the approval and payment of invoices.
300
Contracts and Grants Post Award Review the award verification activities for ensuring that Principal Investigators meet the requirements of the
Uniform Guidance for federal awards.
300
Fire Marshal Services Review of UCSF’s Fire Prevention Program’s scope of services and responsibilities to ensure compliance with
California State regulations.
350
Student Affairs Evaluate the processes and controls surrounding the students’ grievance/ complaints process.
300
School of Dentistry Departmental
Program Fees
Assess the effectiveness of the internal controls over collection, deposits and reconciliation of department’s
residents fee program.
250
Institutional Affiliation Agreement Assess the processes and controls in place for oversight, management and compliance monitoring of selected
Institutional Affiliation Agreements.
300
Lab Chemical Safety (Follow-Up) Validate the mitigation actions taken to address the risks identified from a prior review have been sustained.
300
Research Cybersecurity (Systemwide) A systemwide audit focused on evaluating each location’s program to manage cyber risks in research including
compliance with current and pending federal government cybersecurity requirements for research data.
400
School of Medicine Departmental
Review
Review administrative and financial practices in selected School of Medicine departments to assess their
compliance with University policies.
300
Construction Review construction project invoiced costs and fees for the Parnassus Research and Academic Building (PRAB)
to ensure compliance with contract agreement and to assess the adequacy of internal controls and processes for
management of costs.
300
Drug Diversion Prevention and
Monitoring
Assess controls in place to prevent and detect diversion of controlled substances and high-cost drugs.
300
Medical Records Request for
Information
Evaluate processes in place to respond to patient requests for information and implementation of controls to
comply with Cures Act requirements.
300
UC Health Affiliations (Systemwide) Interim audit to evaluate the University's progress implementing Regents Policy 4405: Policy on Affiliations with
Healthcare Organizations that Have Adopted Policy-Based Restrictions on Care.
300
Controlled Substances Evaluate processes and controls in place for managing and monitoring controlled substances.
300
Cardiology Charge Capture Review charge capture workflows to validate that controls are in place for accuracy and completeness of posted
charges.
300
Advanced Patient-Centered Excellence
(APeX) Work Queue Management
Assess the governance, assignment and monitoring of work queues to ensure effective review and clearance.
300
Sexual Violence and Sexual Assault
(SVSH) in Clinical Setting
Evaluate progress of implementing guidance and directives’ core elements for SVSH in Patient Care.
250
Timekeeping
Assess implementation of new timekeeping processes for nursing and validate that controls are in place to ensure
accuracy.
300
Patient Capacity Management Center
System Access
Validate that appropriate controls are in place for access provisioning for selected Patient Capacity Management
Center dashboards containing Protected Health Information (PHI).
250
Clinical Funds Flow Assess the adequacy of the internal controls and processes for ensuring accurate assessment and allocation of
clinical funds.
300
UC SAN FRANCISCO ADVISORY
SERVICES SCOPE STATEMENT HOURS
Data Backup and Recovery Validate that data backup and recovery procedures are in place and are tested for select IT systems.
300
Disaster Recovery Assess processes in place for establishing disaster recovery plans, including determining disaster recovery
environments needed.
300
Third Party and Affiliates Risk
Management
Evaluate processes in place for identifying and managing risks related to third party or affiliate access.
300
Leadership transition Review
Executive
Vice Chancellor and Provost Office
Assess the financial performance and internal controls over accounting and administrative practices within the
Executive Vice Chancellor & Provost Office.
300
Pre-System Implementation Advisory
Participation Research Proposal
System
Provide advice on internal controls, regulatory and policy compliance and project management and governance
for the new research application compliance system.
300
Financial and Compliance Dashboard Continue with optimization of the financial and compliance dashboard.
250
Workplace Violence Prevention Advise on the implementation of new requirements around workplace violence and safety.
300
Discharge Process Evaluate processes and controls in place over discharge processes and provide recommendations for enhancing
efficiency and effectiveness.
300
Data Analytics Program Perform enterprise-wide data analytics to identify areas for continuous improvement and monitoring of controls.
250
Pre-System Implementation Advisory
Participation Administrative Systems
Providing advice on internal controls, policy compliance and project management and governance for the
Administrative systems assessment and implementation.
150
Committee and Workgroups Participate on committees and workgroups to provide advice on risks and internal controls.
500
Fraud Risk Analysis Continue developing and enhancing fraud risk assessment and analysis to identify high risk areas for fraud and
assist departments to design and implement control activities to prevent and detect fraud.
300
Fraud Awareness Training Continue education and training to raise fraud risk awareness throughout the organization.
300
UC San Francisco sub-total 10,150
TOTAL AUDIT AND ADVISORY SERVICE PROJECT HOURS 92,595