The Board of Visitors’ Audit, Compliance, and Risk Committee reviewed findings of the most recent audit and planned to increase efficiency in financial reporting during its Thursday 1:45 meeting. The Committee also approved changes to the U.Va. Athletics Compliance Charter and discussed cybersecurity and IT concerns in a closed session.
David Rasnic, director of Higher Education Programs and auditor of public accounts, began by reporting on the conclusion of the audit from the last fiscal year. Rasnic said he was pleased by progress towards consolidating financial reporting between the University and the Medical Center and further recommended an audit for University imaging.
“What we’re looking for is a way for the University and the medical center to ensure alignment on the timing of deliverables and the impact of accounting decisions, not only on the medical side, but on the academic side,” Rasnic said.
One major concern from the audit was U.Va. Health IT’s lack of an actionable approach to tracking Health Insurance Portability and Accountability Act security risks. Analyses are performed on an annual basis but need further guidelines on how they are reviewed, according to the report.
Rasnic also spoke to audit delays following the University’s acquisition of Community Health, which needs to be reinstated for FY 2022 under Governmental Accounting Standards, or GASB. He has already engaged an auditor to complete this process and is currently recruiting for two positions on his committee to advance the consolidation.
Augie Maurelli, the University’s vice president for finance and Chief Financial Officer, then reviewed the most recent financial report — completed Feb. 13. The report announced a net position of $4.2 billion in assets along with $4.2 billion of operating activity and a net position of roughly $12 billion.
Maurelli then presented improvement plans based upon the preliminary audit reviewed at the Committee’s Dec. 2022 meeting. In response to observed deficiencies in internal control over financial reporting, Maurelli proposed a proactive and uniform approach to upcoming auditing, which he said has already seen progress.
“We do have aligned engagement, there's recurring meetings with executive and senior leadership ongoing on this,” Maurelli said.
According to the Audit Department Quarterly Report Written Report, seven audits have been completed since the December 2022 report and 12 audits or audit projects are in progress. The audit opinion and internal control report found one material weakness and 10 significant deficiencies. Two of the audits were labeled with “Does Not Meet” ratings – four ratings for HIPAA security follow-ups and one for U.Va. Health IT Disaster Recovery.
Additionally, the Committee approved changes to the U.Va. Athletics Compliance Charter — a document outlining standards for athletics under University, NCAA and ACC regulations. Updates include new language from the NCAA Constitution and ACC Manual about institutional responsibility in control, clarifying that the University President holds final say over athletics programs. The current Charter was last updated in 2017.
In a closed session, the Committee discussed protecting public and personal safety from cybersecurity threats as well as the control features, function and security of the University IT system.
The Audit, Risk and Compliance Committee will convene again during the June meeting of the Board.