The Board of Visitors Audit, Compliance and Risk Committee met primarily in closed session to discuss cybersecurity risks to the University Information Technology Systems during its regularly scheduled Friday meeting. The Committee also approved updates to a global standard of auditing to clarify internal audit mandates and enhance focus on ethics and professionalism.
Prior to closed session, the Committee approved implementing updated auditing standards in line with the most recent version of the Institute of Internal Auditors global internal audit standards. The IIA is an international professional association that develops best practice standards for internal auditors. Updated in January 2024, the global internal audit standards provide a framework for evaluating and elevating the quality of internal auditing, to which organizations worldwide are expected to conform.
According to the Committee agenda, significant updates to this charter include defining the oversight role of the BOV regarding the internal audit function as well as the disclosure of the responsibilities of Chief Audit Executive Carolyn Saint regarding the University’s institutional compliance program. This program monitors adherence to all applicable federal, state and local regulations, as well as internal protocols.
Saint said that the IIA standards mandate that the Committee conduct an external audit of these standards every five years to provide updates and ensure Committee compliance. The last external quality assessment was conducted in 2021, and according to Saint, the Committee will task outside assessors to evaluate the auditing function of the University based on the IIA standards in 2026.
“The new standards put greater emphasis on internal audit strategy, relationship building and communication, also on performance measurement and quality assessment,” Saint said.
In closed session, the Committee discussed cybersecurity risks and enhancement plans concerning University information technology systems, according to the online Committee agenda. They also discussed proprietary information regarding the business operations of the University Medical Center.
The Committee reportedly also discussed strategic financial considerations for the U.Va. Health System as it undergoes a change in leadership following the resignation of former CEO Craig Kent. Kent resigned after an external review of his leadership was presented to the Board Feb. 25. This review was conducted by the Audit, Compliance and Risk Committee as a direct result of a no-confidence letter from 128 anonymous physicians, which was delivered to the Board last fall.
Within the first five minutes of the meeting, Committee Chair Rachel Sheridan proposed the move to closed session, stating that open discussion of cybersecurity may pose a security risk to University technology systems. Sheridan also said that sharing business operations and financial strategies would negatively affect the competitive standing of the U.Va. Health System.
The Committee will reconvene at the next Board meeting in June.