The Audit, Compliance and Risk Committee of the Board of Visitors convened Thursday to discuss the proposed two-year audit plan and the previous year’s audit. The Board also heard an overview of the work of the Academic Division’s Enterprise Risk Management, which identifies and manages areas of heightened risk for the University such as fraud and security breaches and compliance with endowment regulations.
The Audit, Compliance and Risk committee of the Board is responsible for inspecting the University’s accounts and processes and assessing potential risks for the academic and medical center divisions of the University. This committee utilizes internal and external auditors to analyze the performance, risk and adequacy of accounting processes. Additionally, the committee reviews risk assessment and mitigation strategies at least annually.
The proposed audit plan presented by Chief Audit Executive Carolyn Saint covers the academic division and the health center for fiscal year 2023 and 2024. Within the academic division and the hospital, Saint and her colleagues selected a list of topics to be analyzed over fiscal year 2023 and 2024.
The audit topics include assessing the effectiveness of key financial and security controls as the University switches its financial system from Oracle to Workday beginning July 5 — a change that will incorporate all of the University’s operational details under one system — and ensuring compliance with regulatory requirements surrounding hospice care.
Saint said that the Board will remain updated on the status of the plan as changes are made in response to any new circumstances. She emphasized the flexibility of the plan to meet new risks and demands that surface over the next two fiscal years.
“We plan dynamically — meaning we are flexible to pivot to changing risks and priorities,” Saint said. “Our plan is not set in stone. Our plan is designed to be relevant to emerging risks, to avoid competing for attention with major University initiatives and to be responsive to management requests.”
David Rasnic, director of higher education programs for the Virginia auditor of
public accounts and 2022 audit project manager, then discussed the University’s fiscal year 2022 audit. According to Rasnic, the results of that audit — which covered the academic and medical center of the University — will be presented at the December 2022 meeting of the Board.
Rasnic and his team will provide two financial statement opinions — one for the academic division and one for the medical center — along with a combined report that will be presented in December. Any findings will also appear in the Virginia statewide single audit report — which includes the financial statements for the Commonwealth of Virginia. Additionally, a financial report must be provided to the NCAA annually by all Division One schools.
Rasnic encouraged the committee to inform him of any additional topics or categories they would like to see included in the audit. He also noted that this particular audit is not designed to detect error or fraud. Further, he addressed the overarching goal of the audit to ensure fairness and compliance in the University financials.
“Our first [objective] is the university specific audit objective. So what we're looking at there is your financial position, was it presented fairly in conformity with the generally accepted accounting principles, ” Rasnic said.
To close out the meeting, Augie Maurelli, associate vice president for financial operations, reported on the Academic Division’s Enterprise Risk Management efforts. These efforts include the 2022 report by the Fiscal Sustainability Risk working group — which aims to identify risk and develop risk management plans.
The report evaluated several risks — including capital expenditures and inflation, breach of sensitive financial data, governmental tax policy, regulations impacting athletics revenues and vendor payments. The report identified the University’s decentralized nature as the biggest threat to data security and suggested the University continue to pay attention to risks involved with vendor payment. The working group found that, overall, the University is in a good place with regard to nearly all of the reviewed risks.
”While conducting educational activities in the current environment poses some inherent risks, the University’s current mitigation strategies appear to align with institutional risk appetite and profile,” the report read.
The Board will meet next Sept. 15 and 16, and in the following Board meeting in December, the committee will hear the audit report for fiscal year 2022.