• TABLE OF CONTENTS
HIDE
 Front Cover
 Message from the Chief Audit...
 Table of Contents
 Introduction
 Operations
 Audits and other planned revie...
 Audit report summaries
 Management advisory services
 Investigations
 Follow-up
 Other activities
 Contacts and resources






Group Title: University of Florida Office of Audit and Compliance Review annual report
Title: University of Florida Office of Audit and Compliance Review Annual Report. 2006-07.
ALL VOLUMES CITATION PDF VIEWER THUMBNAILS PAGE IMAGE ZOOMABLE
Full Citation
STANDARD VIEW MARC VIEW
Permanent Link: http://ufdc.ufl.edu/UF00072255/00005
 Material Information
Title: University of Florida Office of Audit and Compliance Review Annual Report. 2006-07.
Series Title: University of Florida Office of Audit and Compliance Review Annual Report
Physical Description: Serial
Creator: University of Florida Office of Audit and Compliance Review
Publisher: University of Florida Office of Audit and Compliance Review
Publication Date: 2007
 Record Information
Bibliographic ID: UF00072255
Volume ID: VID00005
Source Institution: University of Florida
Rights Management: All rights reserved by the source institution and holding location.

Downloads

This item has the following downloads:

Annual%20Report%202006-2007 ( PDF )


Table of Contents
    Front Cover
        Page 1
    Message from the Chief Audit Executive
        Page 2
    Table of Contents
        Page 2
    Introduction
        Page 3
    Operations
        Page 3
        Page 4
        Page 5
        Page 6
    Audits and other planned reviews
        Page 7
    Audit report summaries
        Page 8
        Page 9
        Page 10
        Page 11
    Management advisory services
        Page 12
    Investigations
        Page 13
    Follow-up
        Page 14
    Other activities
        Page 15
        Page 16
    Contacts and resources
        Page 17
Full Text
















U N I \I HSI I) ol
UFFLORIDA ANNUAL REPORT


..........















OFFICE OF AUDIT & COMPLIANCE REVIEW

-:6 1, G -)i ir k i(
IvI an a e rn e n t A d,,,, c r,,, S c r,,.!': Cl'-,




2006-2007







UNIVERSITY OF FLORIDA


The 2006-2007 Office of Audit and Compliance Review (OACR) Annual
Message Report provides a summary of the OACR's activities for the year and
provides data for benchmarking the effectiveness of its operations.
from The OACR started the fiscal year by preparing for the external Quality
the Chief Assessment (QA) as recommended by the Institute of Internal Audi-
tors. The review team was composed of four audit directors from peer
Audit universities with extensive professional recognition and qualifications.
Executive The QA report provided the highest level of opinion on compliance with
the IIA Standards and commented on the positive perception of the
OACR as adding value to the University's internal controls. The very
Nur Erenguc, CPA, CFE positive QA report and the recommendations contained reinforced the
Chief Audit Executive vision and strategies adopted by the OACR.

The period included a good mix of proactive services to strengthen internal controls and an audit plan addressing high risk processes or
activities. To this end, the OACR
Developed and co-facilitated PRO 303 Internal Controls at UF training program. The session was very well received by over 400
attendees and is included as a required course in the fiscal training program initiated by the Office of Human Resources,
Updated the Internet based control self assessment tool, "CAT," and initiated and compiled the self assessment survey with over 200
participating units,
Initiated and piloted a facilitated Enterprise Risk Management program for campus and for select support organizations.
Another major initiative of the period was the implementation of a 24/7 anonymous hotline managed by a contracted provider. This was
an improvement of the control environment for the University and its affiliated organizations as recognized by the University's Sarbanes-
Oxley committee.
Similar to prior periods, the OACR had significant turnover and recruitment activities for the period and was again reminded that change
is constant and inevitable. We hope to continue serving the University and its affiliated organizations as promoters of positive change for
improved accountability.




CONTENTS

Introduction .............................. .............. 2
Operations .............................. ....... 2
Goals and Objectives
Staffing and Other Resources
Organization Cibi, t
Stit- t
Budget and Expenditure Analysis
Time Analysis
Time Allocation
Audits and Other Planned Reviews ................6
Trend Analysis
Client Surveys
Audit Report Summaries ....................................7
Management Advisory
Services .............................................11
Special Advisory Reviews
Newsletter
Post-Audit Assistance
Investigations ........................................ .... 12
Summary of Significant Issues
Follow-Up......................... ................ 13
Follow-Up Statistics
Other Activities ........................ ............... 14
Reports Issued ........................ ................. 15
Baughman Center Contacts and Resources ................................. 16

2 ........................ ............................................................................... Annual Report







UNIVERSITY OF FLORIDA


The 2006-2007 Office of Audit and Compliance Review (OACR) Annual
Message Report provides a summary of the OACR's activities for the year and
provides data for benchmarking the effectiveness of its operations.
from The OACR started the fiscal year by preparing for the external Quality
the Chief Assessment (QA) as recommended by the Institute of Internal Audi-
tors. The review team was composed of four audit directors from peer
Audit universities with extensive professional recognition and qualifications.
Executive The QA report provided the highest level of opinion on compliance with
the IIA Standards and commented on the positive perception of the
OACR as adding value to the University's internal controls. The very
Nur Erenguc, CPA, CFE positive QA report and the recommendations contained reinforced the
Chief Audit Executive vision and strategies adopted by the OACR.

The period included a good mix of proactive services to strengthen internal controls and an audit plan addressing high risk processes or
activities. To this end, the OACR
Developed and co-facilitated PRO 303 Internal Controls at UF training program. The session was very well received by over 400
attendees and is included as a required course in the fiscal training program initiated by the Office of Human Resources,
Updated the Internet based control self assessment tool, "CAT," and initiated and compiled the self assessment survey with over 200
participating units,
Initiated and piloted a facilitated Enterprise Risk Management program for campus and for select support organizations.
Another major initiative of the period was the implementation of a 24/7 anonymous hotline managed by a contracted provider. This was
an improvement of the control environment for the University and its affiliated organizations as recognized by the University's Sarbanes-
Oxley committee.
Similar to prior periods, the OACR had significant turnover and recruitment activities for the period and was again reminded that change
is constant and inevitable. We hope to continue serving the University and its affiliated organizations as promoters of positive change for
improved accountability.




CONTENTS

Introduction .............................. .............. 2
Operations .............................. ....... 2
Goals and Objectives
Staffing and Other Resources
Organization Cibi, t
Stit- t
Budget and Expenditure Analysis
Time Analysis
Time Allocation
Audits and Other Planned Reviews ................6
Trend Analysis
Client Surveys
Audit Report Summaries ....................................7
Management Advisory
Services .............................................11
Special Advisory Reviews
Newsletter
Post-Audit Assistance
Investigations ........................................ .... 12
Summary of Significant Issues
Follow-Up......................... ................ 13
Follow-Up Statistics
Other Activities ........................ ............... 14
Reports Issued ........................ ................. 15
Baughman Center Contacts and Resources ................................. 16

2 ........................ ............................................................................... Annual Report







OFFICE OF AUDIT & COMPLIANCE REVIEW


INTRODUCTION


The Office of Audit and Compliance Review (OACR) pro-
vides a central point for the coordination of activities that
promote accountability, integrity, and efficiency for the
University of Florida.

The University of Florida
completed the third year
of the myUFL implemen-
tation in 2006-2007. As
the system stabilized, the
Office of Audit and Com-
pliance Review provided
proactive assistance as
well as post implemen-
tation audits to promote
good business procedures
together with a reason-
able level of controls in
a decentralized environ-
ment. We were active in
internal control training
initiatives through Hu-
man Resources and Re- From left to right Lily Reinhart, Shahpar Maclnt
search Administration Newman, Jeff Capehart, Brecka Anderson, Joe
search Administration
and conducted a qual-
ity assessment review of
our office. In 2006-2007, we contracted with a provider of
anonymous complaint services for the University.



OPERATIONS


Goals and Objectives

A key operational objective for the period was completing
the audit work plan, including audits of the university's
direct support organizations. We also developed the 2007-
2010 work plan using a risk based approach. We initiated
and piloted an Enterprise Risk Management (ERM) ap-
proach for the University and its affiliated organizations
including the University Athletic Association and Univer-
sity of Florida Foundation. We conducted facilitated ses-
sions with key management to discuss the enterprise risk
management methodology.

The Institute of Internal Auditors recommends an external
quality assurance review of internal auditing offices every
five years. We assembled a team of audit professionals
from peer institutions in conducting our external quality
assurance review. The audit team spent one week inter-
viewing our staff and clients and examining our internal


procedures to determine if we are in compliance with the
International Standards for the Professional Practice of In-
ternal Auditing. We received the highest level of opinion
allowed and have adopted
many of the team's sugges-
tions for improvement.

We updated the web-
based Control Assessment
Tool (CAT) in 2006-2007
with the intention of pro-
viding unit managers with
easily accessible mecha-
nisms for evaluating their
Suit's internal controls in
Nine different areas. This
project will be ongoing by
A validating the results of
the CAT questionnaires in
2007-2008.

In 2006-2007 we contracted
Ilyn Velez, Craig Reed, Nur Erenguc, Suzanne with The Network, a pro-
a, Chol Chol, Brian Mikell, Hui Zhou
vider of anonymous, con-
fidential hotline services
for many other universi-
ties and corporations. The implementation of the compli-
ance hotline service and subsequent publicity campaign
was a major initiative. The opportunity for anonymous,
confidential disclosure of concerns at UF is essential in
capturing complainant concerns that otherwise may be
unreported.

To help UF staff learn about internal controls and how to
apply them to business processes, we partnered with the
Controller's Office and Human Resources in co-facilitat-
ing a training initiative, PRO0303 Internal Controls at UF.
The course is part of a series of courses that will lead to a
certification in fiscal management. Additionally, The Guid-
ing Principles of Financial Management and Internal Control
Principles was formally adopted by UF and its governing
bodies to provide stakeholders with a reasonable assur-
ance regarding the achievement of established goals and
objectives.

Staffing and Other Resources

During 2006-2007 OACR experienced staff turnover in
four positions. We promoted the Senior IT Auditor to IT
Audit Manager and successfully recruited a Staff IT Audi-
tor toward the end of the year. In addition, we hired one of
our graduate students in a Staff Auditor position. We end-


2006-2007 ........................................................................................................... 3


yre, Mar
Cannell







OFFICE OF AUDIT & COMPLIANCE REVIEW


INTRODUCTION


The Office of Audit and Compliance Review (OACR) pro-
vides a central point for the coordination of activities that
promote accountability, integrity, and efficiency for the
University of Florida.

The University of Florida
completed the third year
of the myUFL implemen-
tation in 2006-2007. As
the system stabilized, the
Office of Audit and Com-
pliance Review provided
proactive assistance as
well as post implemen-
tation audits to promote
good business procedures
together with a reason-
able level of controls in
a decentralized environ-
ment. We were active in
internal control training
initiatives through Hu-
man Resources and Re- From left to right Lily Reinhart, Shahpar Maclnt
search Administration Newman, Jeff Capehart, Brecka Anderson, Joe
search Administration
and conducted a qual-
ity assessment review of
our office. In 2006-2007, we contracted with a provider of
anonymous complaint services for the University.



OPERATIONS


Goals and Objectives

A key operational objective for the period was completing
the audit work plan, including audits of the university's
direct support organizations. We also developed the 2007-
2010 work plan using a risk based approach. We initiated
and piloted an Enterprise Risk Management (ERM) ap-
proach for the University and its affiliated organizations
including the University Athletic Association and Univer-
sity of Florida Foundation. We conducted facilitated ses-
sions with key management to discuss the enterprise risk
management methodology.

The Institute of Internal Auditors recommends an external
quality assurance review of internal auditing offices every
five years. We assembled a team of audit professionals
from peer institutions in conducting our external quality
assurance review. The audit team spent one week inter-
viewing our staff and clients and examining our internal


procedures to determine if we are in compliance with the
International Standards for the Professional Practice of In-
ternal Auditing. We received the highest level of opinion
allowed and have adopted
many of the team's sugges-
tions for improvement.

We updated the web-
based Control Assessment
Tool (CAT) in 2006-2007
with the intention of pro-
viding unit managers with
easily accessible mecha-
nisms for evaluating their
Suit's internal controls in
Nine different areas. This
project will be ongoing by
A validating the results of
the CAT questionnaires in
2007-2008.

In 2006-2007 we contracted
Ilyn Velez, Craig Reed, Nur Erenguc, Suzanne with The Network, a pro-
a, Chol Chol, Brian Mikell, Hui Zhou
vider of anonymous, con-
fidential hotline services
for many other universi-
ties and corporations. The implementation of the compli-
ance hotline service and subsequent publicity campaign
was a major initiative. The opportunity for anonymous,
confidential disclosure of concerns at UF is essential in
capturing complainant concerns that otherwise may be
unreported.

To help UF staff learn about internal controls and how to
apply them to business processes, we partnered with the
Controller's Office and Human Resources in co-facilitat-
ing a training initiative, PRO0303 Internal Controls at UF.
The course is part of a series of courses that will lead to a
certification in fiscal management. Additionally, The Guid-
ing Principles of Financial Management and Internal Control
Principles was formally adopted by UF and its governing
bodies to provide stakeholders with a reasonable assur-
ance regarding the achievement of established goals and
objectives.

Staffing and Other Resources

During 2006-2007 OACR experienced staff turnover in
four positions. We promoted the Senior IT Auditor to IT
Audit Manager and successfully recruited a Staff IT Audi-
tor toward the end of the year. In addition, we hired one of
our graduate students in a Staff Auditor position. We end-


2006-2007 ........................................................................................................... 3


yre, Mar
Cannell








UNIVERSITY OF FLORIDA


OACR ORGANIZATION CHART


TBA
Senior Audit Mgi


Joe Cannella
Audit Manag


Jeff Capehart
IT Audit Manager


Craig Reed
Audit Managei


TBA
SeniorAudior I


Grad Students
Staff Auditor


TBA
Staff Auditor


TBA
StWaITAudtor


Choi Choi
Staff Auditor


Breck Anderson
Staff Auditor


ed the year with four vacancies, although we expect to fill
two positions in the summer of 2007. When fully staffed
at fourteen, the OACR will favorably benchmark with its
peer organizations and meet the internal audit needs of the
university and its support organizations.

Staff Training

Continuing professional education through attendance
to relevant conferences and seminars is promoted. Table
1 reflects a listing of staff participation in formal training
programs in 2006-2007.


Table 1-Staff Training


Accountants Education Grout 4 1


Information Systems Audit and
I (-f- A.-iriafi-


raisley consulting zu 1
State Universities Audit Coundil 116
The Institute of Internal Auditors 89 4
University of Florida 40 10()


4 .......................................................................................................... Annual Report


it


001dwo


t







OFFICE OF AUDIT & COMPLIANCE REVIEW


Budget Expenditure Analysis


Operating Expenses


The OACR budget by category is illustrated in Table
2. The highest budgetary commitment is profes-
sional staff salaries representing 90% of total ex-
penditures. This year, we implemented the compli-
ance hotline and expended resources for aggressive
recruitment of new staff. In addition, we contracted
with a consultant to assist with the Enterprise Risk
Management approach to audit planning and we paid
expenses and fees for a week-long quality assurance
team review. Computer supplies were our largest
expenditure this year, due to the University's higher
threshold for capitalized equipment combined with
lower prices for computer equipment.


6%
h,


2% 6%


33%/


* Office Supplies
o Telephone/Postage
* Maintenance
* Printing


* Personnel Expenses
O Dues/Subscriptions
* Computer Supplies
O Travel/Other


Table 2-Analysis of Expenditures
205-00 2006I2007


Salaries
Other Personal Services (OPS)
Fixed Assets
Operating Expenses
Training
Renovations
AutoAudit Software Purchase
Consultants
Compliance Hotline Implementation
Personnel Recruitment


$1,058,853
21,154
8,879
22,310
15,602
20,308
18,075
4,385


$1,085,247
34,733
2,951
28,713
17,990


15,811
9,500
4,408


Ta $


Time Analysis


Table 3 provides a comparison between time avail-
able as planned and actual time available for projects.
Actual hours lost due to position vacancies exceeded
the planned amount, having an impact on project
progress and completion. The impact was mitigated


by the 910 hours of overtime along with the less than
planned usage of time for training and leave, result-
ing in available hours for the period being only 4.8%
less than planned.


Table 3-Planned/Actual Hours


Time Available 13.8 x 2,040 28,152 28,152


Less: Adjustment for Position Vacancies
Training/ Leave Use/ Operational Support
Total
Excess hours worked


(1,530)
(7,883)


(3,871)
(7,343)


(11,214)
910


2,341
(540)


(910)


2006-2007 ........................................................................................................... 5








UNIVERSITY OF FLORIDA


Time Allocation


Chart A compares the planned activity mix for total time
available with actual effort expended, while Chart B
provides a comparison between prior year and current al-
location of time available for projects. With the exception
of Management Advisory Services (MAS), actual time
by category did not vary significantly from the plan. In
comparison with the prior year, time spent on follow up,
investigations, and operational support remained constant.
The shift in time from audit projects to MAS is largely
due to an increase in requested services from campus, and
initiatives such as campus training, hotline implementa-
tion, and the control self assessment project.


Chart A Allocation of Total Time
Planned vs. Actual


Direct time percentages are established as a productivity
goal for each professional position and for the office as a
whole. Direct time excludes administration, service sup-
port, leave and training.

Chart C compares direct time achieved in the last two
fiscal years. Procedures that were implemented through-
out the year to more closely monitor staff direct time were
effective in increasing our direct time percentage to 71%,
just short of our targeted goal of 72%.





Chart B Allocation of Time Available
for Projects
Prior vs. Current Year


Training/Leave
Use/Op Supp

Follow Up


Investigations


MAS


Audits


29o0
m 3400


50o


6o
160


0% 10% 20% 30% 40% 50% 60%


0% 20% 40%


60% 80%


E Planned N Actual


* 2005-2006 0 2006-2007


Chart C Office Direct Time by Fiscal Years


100%
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%


Quarter


750., 75",, 750,


Quarter


.. ,1",.


2005-2006 2006-2007 Goal 72%


6 .......................................................................................................... Annual Report


531o


Quarter


Quarter


Total Year







OFFICE OF AUDIT & COMPLIANCE REVIEW


AUDITS AND OTHER
PLANNED REVIEWS


Trend Analysis


Table 4 reflects a three-year analysis of projects planned
and completed. The work plan indudes planned audits
and advisory reviews.

Over the last three years, 70 projects were planned and
59 were completed. Many of the planned projects not
completed are in progress and are included with the fol-
lowing year's work plan.

Internal audits and Management Advisory Services
(MAS) were planned based on evaluation of risk and
included input from university management. Completed
projects for the 2006-2007 fiscal year would have been
higher if not for the shift in available time spent from
audits to MAS (see Chart B). MAS engagements do not
always result in a project report that would be reported as
a completed project.


Trend Analysis of Projects
Planned/Completed


70

59


2006-2007
2005-2006
I 2004-2005


Planned Completed


2005-2006 30 26 16 3 19
2006-2007 31 23 12 7 19*


Client Surveys
(14 Responses)


Client Surveys

In an effort to ensure continued high quality of OACR
services, input from clients is requested at the concu-
sion of each engagement. Feedback is obtained via client
surveys on the overall performance of the engagement,
the quality and usefulness of the report, and the conduct
of the audit team. Results of our client surveys during
the year indicate that OACR services are well received.
Overall, 95% of survey responses from all categories indi-
cated ratings of either good or excellent.


Audit
Performance



Audit Report



Audit Team


159 .
0% 20% 40% 60% 8
Excellent U Good 0 Fair


2006-2007 ........................................................................................................... 7


2.7,
70".


54 5-1







UNIVERSITY OF FLORIDA


AUDIT REPORT SUMMARIES

The summary of reports issued profiles major engage-
ments completed during this fiscal year. The subjects of
the reports illustrate commitment to proactive and mean-
ingful coverage of high risks through audits of contracts
and grants accounting, bank reconciliations, the univer-
sity budgeting process and disbursements from both
University and Foundation funds. Audits of other critical
functions of the University such as purchasing cards and
temporary employment were also conducted during the
period. The IT audits included laptop security at the
Health Science Center, financial aid processing, and an
audit of Computing & Network Services. We continued
to provide audit services to the Direct Support Organ-
zations at the UF Foundation and University Athletic
Association by performing audits and working with their
audit committees.

Petty Cash and Change Funds

Petty cash and change funds are established as a means
to have cash available for day-to-day minor expenses,
for making change and for paying research study par-
ticipants. Fund initiation and dosing are authorized by
University Treasury Management based on need and
are authorized by unit management. A fund custodian
is responsible for overseeing proper use of the fund and
initiates fund replenishment through the disbursement
processing system As of June 30, 2006 there were 117
petty cash and change funds totaling $72,875.

Opportunities for improving controls included training
fund custodians, increased monitoring of funds through


surprise cash counts and evaluating fund replenishment
procedures. Management agreed to address all audit
comments in the areas identified.

Foundation Disbursements Monitoring Plan
Implementation

Effective July 1, 2004, University of Florida Foundation
(UFF) fund expenditures were processed through the
University of Florida's accounting system, myUFL. The
objective of this audit was to evaluate the internal controls
in place to monitor Foundation disbursements and ensure
compliance with university and UFF policies and restric-
tions.

Controls were generally adequate to ensure compliance
with Foundation policies and restrictions for the $18.6
million UFF funds disbursed through the university in
2005-2006. UFF and University Disbursement Services
agreed to develop procedures for following up on miss-
ing support and ensure timely approval of vouchers.
Foundation management agreed to communicate to fund
administrators regarding appropriate payment authoriza-
tion and ensure that authorization is documented prior to
disbursing funds.

University of Florida Golf Course

The primary objectives of this audit were to assess wheth-
er controls provided reasonable assurance that sales and
collection activities, purchasing and inventory manage-
ment, information technology support and compliance
with UAA rules and policies were effective at the Univer-
sity of Florida Golf Course.

The University of Florida Golf Course is an auxiliary of
the University Athletic Association. Its primary mission
is to support the men's and women's golf teams. The
Golf Course is also available to UF staff, faculty, alumni,
students and their guests for a fee. The Golf Course oper-
ates a Pro Shop and a Snack Bar as part of the Golf Course.
Total operating revenues for Golf Course fees, Pro Shop
and Snack Bar were $1.2 million in 2006.

Significant opportunities for improvement existed in the
areas of sales and collections, physical inventory, and
adherence to UAA policies. Management agreed to ad-
dress audit concerns by communicating and monitoring
compliance with UAA policies and procedures at the Golf
Course.


8 ........................................................................................................ Annual Report










Bank Reconciliation

Treasury Management, a department of the Controller's
Office, has the responsibility of reconciling the general
ledger to the subsidiary ledger prior to reconciling the
general ledger to eight Wachovia bank accounts. As of
June 30, 2006, bank balances totaled $124,613,630. The
objective of the audit was to evaluate the effectiveness of
the bank reconciliation process.

We found that the reconciliation process needed im-
provement, meaning that the process had well-designed
controls but they were not always effective and/or other
controls were needed. University management agreed
to hire and train more staff, establish a 30-day timeliness
standard, implement a review checklist for the monthly
reconciliation process, review role security and formalize
the timely resolution and review of the reconciling items
transmittal to supervisors.

Health Science Center Laptop/Portable
Device Security

The primary objective of this audit was to evaluate Infor-
mation Technology (IT) controls relative to restricted data
stored on laptop computers and other portable devices
to ensure compliance with Health Science Center (HSC)
policies and procedures.

The Security Program for the Information and Computing
Environment (SPICE) standards were developed by the
HSC Security Office and Information Security Council to
provide guidance for unit Information Security Manag-
ers (ISM) and Information Security Administrators (ISA).
The SPICE program was designed to protect information
that is owned, managed and used by the HSC in all its
forms, through training, systems analysis and technical
consultation and support.

The security controls in place for administrative access to
production servers, and controls and procedures in place
for managing operating system patches on production
servers were generally effective. However, the controls
over laptop security needed improvement. Management
agreed to address improvements in controls over laptops
as proposed by the audit team.

Admissions Scholarships and Minority
Ambassadors

The Minority Ambassadors Program is an outreach lead-
ership program designed to assist in the recruitment of
minority students or students from low performing high
schools by providing them information about the univer-


OFFICE OF AUDIT & COMPLIANCE REVIEW


sity, tours of the university, conducting high school events
and community service projects. Eligibility for some mi-
nority based scholarships is contingent on participation in
the Minority Ambassadors Program. Awards totaled $3.7
million in 2005-2006.

The objective of the audit was to assess the adequacy and
effectiveness of controls relating to administration, ap-
peals, scholarship eligibility and record maintenance. We
found that controls over the program needed improve-
ment. Management agreed to implement the suggestions
for improvement recommended by the audit team.

University Check Processing and
Disbursements

The objectives of this audit were to evaluate the internal
controls monitoring disbursements and to ensure compli-
ance with university policies and procedures. Disburse-
ments for 2005-2006 totaled over $615 million.

Our audit concluded that the controls over check process-
ing and disbursements needed improvement. The action
plans included communicating to campus the necessity of
adhering to University Directives and Procedures regard-
ing disbursement procedures, the removal of incompat-
ible roles, a plan to minimize mass approval of vouchers,
and the adoption of procedures to monitor the use of
vendor discounts.

Financial Aid Interfaces and Processing

Student Financial Aid, a division of Student Affairs, is
responsible for determining the eligibility of financial aid
recipients and the type and amount of aid they receive.
University Financial Services, part of Finance and Ac-


2006-2007 ........................................................................................................... 9







UNIVERSITY OF FLORIDA


counting, disburses the funds. The two systems interface
when financial aid summary data is passed from the
financial aid system to the myUFL general ledger when
financial aid checks are disbursed. Our audit objectives
were to ensure that interfaces between the two systems
transferred data accurately and securely, processing of
student financial aid payments were complete and accu-
rate and access to online financial aid data was appropri-
ately controlled.

We found that controls over financial aid interfaces and
processing were generally adequate.

Indirect Cost Recoveries

The objective of this audit was to determine whether
surplus indirect cost recoveries were used as directed
in Section 1004.22(5), Florida Statutes, which allows the
university to retain indirect cost recoveries from contract
and grant awards to operate the Division of Sponsored
Research, with any surplus to be used to support research
in any area of the university. The university collected
over $66 million in 2006-2007 as reimbursement for indi-
rect costs.

We concluded that indirect cost recoveries were distrib-
uted in accordance with the Statute to support the Divi-
sion of Sponsored Research and to support other research
or training programs. However, procedures were not in
place to confirm that the expenditures were consistent
with the intent of the Statute. Action plans proposed
by the audit team and agreed upon by DSR include not
allowing transfers from fund 211 without DSR approval,
clarification of research expenditure definitions and a
requirement that units receiving allocations submit a
year-end summary of expenditures to determine the need
for future allocations.

Contracts and Grants Accounting

The contracts and grants receivable module of the myUFL
system, implemented in July 2004, was not functioning
properly and was turned off in October 2005. An ac-
counts receivable database subsidiary system (AR Track-
ing Database) was implemented to temporarily record
and track accounts receivables. The three contract and
grant offices, Finance and Accounting, Institute of Food
and Agricultural Sciences and the College of Engineering,
utilize the database to maintain accounts receivable re-
cords, billing, schedules, and to track financial reporting
requirements. The objective of this audit was to assess the
adequacy and effectiveness of key controls over invoicing
or billing, reporting to sponsors, and monitoring compli-
ance with sponsor restrictions.


We concluded that post award contracts and grants ac-
counting needed improvement. The action plans pro-
posed by the audit team and agreed upon by manage-
ment include improving the timeliness of billing sponsors,
the timeliness of external reporting and the timeliness of
award dose-out procedures.

Purchasing Card Program

The Purchasing Card program provides an efficient way
for university units to purchase goods and services with-
out the traditional controls of a purchase order. As of
December 30, 2006, there were approximately 4,800 active
cardholders with purchases totaling over $76 million dur-
ing 2006.

Our audit focused on monitoring controls established by
the PCard office, processing and approval of PCard trans-
actions at the unit level and on the appropriateness of ap-


proval authority established through role security assign-
ment. We found that controls were generally adequate
over the administration of the PCard. Opportunities for
improvement agreed to by PCard administration included
developing criteria for obtaining supporting documenta-
tion from unresponsive cardholders, communicating with
units who deviate from established procedures, empha-
sizing the role of an appropriate approved over PCard
transactions and reviewing the established transaction/
spending limit data.

Temporary Employment

University employees occupying temporary positions are
classified as Other Personal Services (OPS). The primary
objective of this audit was to evaluate key controls for
the proper utilization of the OPS classification with an
emphasis on the OPS Non-Exempt Regular (OPSN) clas-
sification.

The OPS classification provides a mechanism for hiring
employees on a temporary basis without being subject to
hiring and recruitment guidelines required for regular
employees. OPS employees are not eligible for vacation,


10 ........................................................................................................ Annual Report







OFFICE OF AUDIT & COMPLIANCE REVIEW


insurance or other employment benefits. OPS salaries to-
taled $202 million for the fiscal year ended June 30, 2006,
representing 16% of salaries for all employment classifica-
tions.

We found that controls were adequate over the adminis-
tration of faculty, clinical post doc and housing staff OPS
classifications. We noted that administration of the OPSN
classification needed improvement. The audit team and
human resources management agreed that HR would
modify directives and procedures to better define the
OPSN classification and clarify the documented informa-
tion required for hires based on level of employment.
Human Resource Services will perform an analysis of the
OPSN classification to better define the appropriate length
of employment for the classification and Human Resource
Services will reinforce the importance of timely recording
of terminations.

University Budgeting of State
Appropriations

The focus of the University Budgeting audit was the
execution of the state appropriations budget by the Office
of the Provost and UF's sixteen colleges for the 2005-2006
fiscal year. The University of Florida receives funding
from various sources, including state appropriations. The
University President has designated the Provost as the
chief budget officer for the University of Florida which
authorizes the Provost to budget allocations from state ap-
propriations to budgetary units. Department allocations
are entered by each unit's budget officer into the online
Budget Preparation System in myUFL. State appropria-
tions for the 2005-2006 fiscal year totaled approximately
$749 million, 44% of the university's net revenues of ap-
proximately $1.7 billion.

Our audit concluded that the controls over the budget
process needed improvement. Opportunities for im-
provement included the Office of the Provost adopting


formal procedures to provide guidance regarding appro-
priate budget monitoring frequency and documentation,
guidance regarding the need to document approval for
the initial budget, amendments and transfers and provid-
ing guidance to university units regarding the importance
of maintaining reserves.

CNS Data Center Security

We completed an audit of the Computing and Network-
ing Services (CNS) Data Center security environment,
focusing on controls relating to physical security, risk
management and incident response, change management,
disaster recovery and continuity of operations plans.

CNS is a unit of the Office of Information Technology and
houses and runs hardware and systems software to sup-
port major University of Florida administrative systems
such as the myUFL systems for financial and human
resource management and the Integrated Student Infor-
mation System. CNS also supports many campus-wide
systems, such as the campus Internet connection and
networking infrastructure services.

While the security environment of the CNS data center
was generally adequate, opportunities for improvement
were identified relative to monitoring physical access to
the data center, reducing the risk of system downtime,
and the disaster recovery plan.

UFF Asset Management

The University of Florida Foundation's asset management
controls were audited as of December 31, 2006. The audit
covered permanent collections, furniture and equipment,
vehicles, livestock and real estate. These assets totaled
approximately $45 million as of our audit date.

Controls were generally adequate and control strengths
were noted in all areas. Opportunities for improvement
were identified with respect to the Foundation's perma-
nent collections.


2006-2007 ........................................................................................................... 11







UNIVERSITY OF FLORIDA


MANAGEMENT ADVISORY
SERVICES


OACR is committed to providing proactive, preventive
advice on internal controls, operations and compliance.
Requests for management advisory services (MAS) usu-
ally come from various management levels throughout
the University. The information provided through these
services assists management in decision making and in
improving operations. Results of these types of services
are often communicated through management letters.
OACR actively provides advisory reviews, consulting
assistance, training and training tools, and post-audit as-
sistance, all categorized as MAS. The chart illustrates the
types of MAS performed and the percentage of time spent.

During fiscal year 2006-2007, 4,138 hours were spent on
MAS, which represented 20% of available hours. Follow-
ing are summaries of MAS projects and service/ support:

College of Liberal Arts & Sciences General
Revenue Budget Deficit

In response to concerns over the budget deficit experi-
enced by the College of Liberal Arts and Sciences (CLAS),
we performed a limited scope advisory review of the
CLAS state appropriations budget deficit as of June 30,
2006. We reported a cumulative state appropriation bud-
get deficit as of June 30, 2006 of $4.7 million and identified
contributing internal control weaknesses. The CLAS de-
veloped a five-year plan to address the budget deficit and
initiated changes in their budget administration process.
Subsequently, the five-year plan has been replaced with a
faculty approved plan focusing on attrition and targeted,
modest reinvestment that should render CLAS debt free
by the 2008-2009 fiscal year. Additional training and moni-
toring procedures were also initiated.

First Generation Matching Grant
Program Funds

The First Generation Matching Grant Program was created
to provide need-based student financial aid for under-
graduate students whose parents have not earned a bac-
calaureate degree. Funds appropriated by the legislature
are available to match, on a dollar-for-dollar basis, private
gifts designated for the First Generation Program. We
certified that $1.3 million in private gifts were accurate,
consistent with donor intent and eligible for state match-
ing under the Program.


MAS Effort Distribution


General University Service and Support
0 University Governance and Publications
DSO Service
O Consultations and Advisory Reviews
E Other



J. Wayne Reitz Union Business Office

We performed a review of the J. Wayne Reitz Union
business office. The J. Wayne Reitz Union, a department
of the Office of Student Affairs, provides services for
students, faculty, staff, alumni and guests. The facility
includes a bookstore, an art and entertainment center, a
cinema, restaurants, computer labs, a hotel, and student
legal services. The Reitz Union, an auxiliary enterprise,
generates income from fees. The Reitz Union business of-
fice provides guidance and support for other Reitz Union
departments in the areas of fiscal responsibility, finan-
cial reporting and compliance with university rules and
regulations. Our recommendations included developing
a mission statement, changes in organizational structure,
and improved control procedures.

Control Self Assessment

OACR developed a self-assessment survey of compli-
ance with university procedures and appropriate internal
controls. The survey consisted of 100 questions that ad-
dressed business functions and included links to sup-
porting policies and suggested practices to provide unit
administrators with an educational resource on controls
as well as a tool to evaluate the controls within their own
environments. We sent the Control Assessment Tool
(CAT) to selected university departments and received re-
sponses from over 200 units, amounting to 84% response
rate. As part of the 2007-2008 audit plan, our staff will
validate the CAT survey responses. The CAT is available
on our web site as a permanent reference and training
tool for units at http://oacr.ufl.edu/Control_Self_Assess-
ment.htm.


12 ....................................................................................................... Annual Report










Internal Control Training

The Office of Audit and Compliance Review developed an
internal control training program in 2006-2007. PRO303
Internal Controls at UF is a course designed to help UF
fiscal staff learn about internal controls and how to apply
them to business processes. Internal Controls at UF is of-
fered through UF's Human Resource Training and Devel-
opment Office and is part of a series of courses leading to
a certification in fiscal management. Co-presented with
the Controller's Office, seven sessions were held reach-
ing over 400 participants. The feedback on the training
program has been extremely positive and will continue
during the 2007-2008 fiscal year.


University of Florida

SPRO SERIES
SThe skills yoU aeid to kno*. ,o /ii iAn griW


General Consultation Services

During the fiscal year, OACR provided MAS consulting
services in response to requests from many University-
related entities including the Vice President for Business
Affairs, University of Florida Foundation, Warrington
College of Business, College of Medicine and various
auxiliaries.

Newsletter

Quarterly newsletters were distributed campus-wide with
regular features that include highlights from projects and
campus-wide issues. Copies are available at http://oacr.
ufl.edu.

Post-Audit Assistance

We routinely provide support and guidance on the imple-
mentation of planned actions.

INVESTIGATIONS

The OACR receives complaints and allegations of fis-
cal improprieties from a variety of internal and external
sources, including hotline calls, direct correspondence,
and referrals from other university offices and state
agencies. The investigative reviews conducted by OACR
have dual objectives of responding to facts of allegations


OFFICE OF AUDIT & COMPLIANCE REVIEW


and addressing relevant fiscal and administrative control
weaknesses. Where appropriate, recommendations for
improvements of internal controls are communicated to
management and are monitored for implementation. In
total, 1,135 hours, or 5% of available hours were commit-
ted to investigative efforts.

Significant issues from these reviews are summarized
below.

Resource Misuse

* Concerns were presented to the OACR regarding the
possibility of resource misuse after a University employee
was suspected of using a University purchasing card to
inappropriately purchase gift cards for personal benefit.
Of gift card purchases totaling $33,608, it was determined
that $30,250 was fraudulent and not approved by the Col-
lege. The University Police department and the Alachua
County Sheriff's Office were actively involved in this
investigation. Recommendations that included amending
purchasing card procedures and gift card oversight were
immediately implemented by the College.

* Concerns were presented to the OACR regarding
possible theft of cash deposits by a University employee.
The review confirmed that five deposits with funds total-
ing $1,119 were misdirected and the University Police
Department filed a sworn complaint against the employee
for theft. Recommendations were made to improve the
departmental cash handling controls over cash deposits.

Conflict of Interest

* An allegation stated that a University employee
obtained design and engineering services for personal
use from contractors that perform services in the unit in
which the employee works. While no discounts or pre-
ferred payment arrangements were identified, a lack of
sensitivity and compliance with a code of ethics resulted
in the department conducting ethics training, distributing
a code of ethics and documenting acknowledgement by
staff that the code had been read and would be complied
with.

* An allegation stated that a University employee had
a spouse, hired as an OPS employee in the same depart-
ment, whose salary was being inappropriately paid from
a restricted funding source. An OACR review confirmed
portions of the salary were in fact paid from the specific
fund. However, the employment was already terminated
before the initiation of the review.


2006-2007 ........................................................................................................... 13







UNIVERSITY OF FLORIDA


FOLLOW-UP


Audit reports include auditor's comments and planned ac-
tions developed and agreed to by the audit team and man-
agement and the estimated time for their implementation.
Reports issued by external auditors, including the Office
of Auditor General, contain recommendations for which
university management also provides a corrective imple-
mentation plan.

Standard 2500, Standardsfor the Professional Practice of Inter-
nal Auditing, promulgated by the Institute of Internal Audi-
tors, requires that the internal auditor determine that man-
agement has taken appropriate action regarding reported
audit comments.

Quarterly follow-up activities were conducted throughout
the year and their results were communicated to Univer-
sity management and the Board of Trustees Audit Commit-


Tnhle .-Fnllnw Un Act-ivitia


Academic Affairs
Business Affairs
Health Affairs
Sponsored Research
Student Affairs
UAA
UFF


tee. For the report period, the OACR staff expended 1,194
hours or 6% of available hours for follow-up activities.

Table 5 summarizes the results of our follow-up activities
for the year ended June 30, 2007.

As reflected by the summarized information, management
generally reacted in an effective manner to implement au-
dit recommendations and planned actions, however these
actions were not always completed timely.

The caption "in process" includes action plans that were
not fully implemented during our follow-up review pro-
cess for the year ended June 30, 2007. The caption "not
to be implemented" generally reflects changing conditions
that render the plan obsolete.


33 21 12 0 64% 79%
45 38 7 0 84% 79%
4 2 2 0 50% 100%
4 4 0 0 100% N/A
4 4 0 0 100% 80%
9 9 0 0 100% 100%
9 8 1 0 89% 83%


Ta I 820%


Planned Action
Implementation Percentage


100o 890o


1 Academic Affairs
2 Business Affairs
3 Health Affairs
4 Sponsored Research
5 Student Affairs
6 University Athletic Association
7 University of Florida Foundation


S H 503 100o 100
1 2 3 4 5 6 7


14 ....................................................................................................... Annual Report










OTHER ACTIVITIES

Professional Activities

OACR staff participated in various national initiatives,
training and organizations including:

* Member Association for College and University
Auditors (ACUA)

* Member Institute of Internal Auditors

* Member Association of Healthcare Internal Audi-
tors (AHIA)

* Member American Institute of Certified Public Ac-
countants (AICPA)

* Member Florida Institute of Certified Public Ac-
countants (FICPA)

* Member Association of Certified Fraud Examiners
(ACFE)

* Member IIA North Central Florida Chapter

* Treasurer IIA North Central Florida Chapter

* Program Committee IIA North Central Florida
Chapter

* Board Member IIA North Central Florida Chapter

* Web Master IIA North Central Florida Chapter

* Chair State University Auditors Consortium
(SUAC)

University Service

During 2006-2007, OACR members participated in vari-
ous university-wide initiatives and assignments includ-
ing:

* Member University Information Technology Advi-
sory Committee Information Security Management
(ITAC-ISM)

* Member UF Bridges Information Technology Advi-
sory User Committee

* Member University Information Technology Advi-
sory Committee- Network Infrastructure (ITAC-NI)


OFFICE OF AUDIT & COMPLIANCE REVIEW


* Audit Coordination (External)

* Member Auxiliary Review Committee

* Member University of Florida Communications
Network (UFCN)

* Presenter Division of Sponsored Research Re-
search Administration Training Series

* Facilitated Enterprise Resource Management Ses-
sions

* Direct Support Organization Audit Committee Coor-
dination (UAA, UFF & Gator Boosters)


The Bat House

2006-2007 ........................................................................................................... 15


U--- r







UNIVERSITY OF FLORIDA


Table 6-Reports Issued 2006-07


CLAS General Revenue
Budget Deficit
Pelly Cash and Change Funds
UFF Disbursements Monitoring
Plan Implementation
University of Florida Golf
Course
Bank Reconciliation
HSC Laptop/Portable Device
Security
Admissions Scholarships and
Minority Ambassadors
Check Processing and
Disbursements
First Generation Matching
Grant Program Funds
Reitz Union Business Office
Financial Aid Interfaces and
Processing
Indirect Cost Recoveries
Contracts and Grants
Accounting*
Purchasing Card Program"

Temporary Employment*

Control Self Assessment"
University Budgeting of State
Appropriations*
UFF Asset Management*

CNS Data Center*


As of June 30, 2006

As of June 30, 2006

As of June 30, 2006

12/1/06 8/31/06

As of June 30, 2006

As of June 30, 2006
As of August 31,
2006
As of June 30, 2006
As of December 15,
2006
As of November 15.
2006
As of November 15,
2006
As of December 31.
2006
As of December 31,
2006
As of December 31,
2006
As of December 31,
2006
As of May 2007

As of June 30, 2006
As of December 31,
2006
As of June 22, 2007


9/21/06

10/25/06

11/17/06

11/21/06

11/27/06

12/4/06

12/15/06

1/5/07

2/1/07

2/19/07

3/5/07

5/22/07

7/5/07

7/11/07

7/12/07

7/18/07

8/22/07

9/7/07

9/14/07


71.200701

UF-06-464-16

UF-06-452-04

UF-07-480-01

UF-06-466-18

UF-07-508-29

UF-07-507-28

UF-06-460-12

71.200704

71.200701

UF-06-473-25

UF-07-500-21

UF-06-463-15

UF-07-501-22

UF-06-468-20

72.200702

UF-07-496-17

UF-07-489-10

UF-07-495-16


MAS

Inlernal Audit

Internal Audit

Internal Audit

Internal Audit

Inlernal Audit

Internal Audit

Inlernal Audit

MAS

MAS

Internal Audit

Internal Audit

Internal Audit

Internal Audit

Internal Audit

MAS

Internal Audit

Internal Audit

Internal Audit


* Substantially completed as of June 30, 2007.


16 ....................................................................................................... Annual Report










CONTACTS AND RESOURCES

The Office of Audit and Complaince Review works col-
laboratively and cooperatively with many other offices.
Below is a partial listing of the contacts and resources used
frequently.

State Auditor General
http://www.state.fl.us/audgen/
Gainesville Office: (352) 334-1740
Campus Office: (352) 392-5255

FL Department of Financial Services
Consumer Helpline: 1-800-342-2762
Get Lean Hotline: 1-800-GET-LEAN
www.fldfs.com

University Controller's Office
http://fa.ufl.edu/uco/
(352) 392-1321

Board of Governors
http://www.fldcu.org/

Board of Trustees
http://www.trustees.ufl.edu/

Health Science Center Compliance
http://www.med.ufl.edu/complian/
(352) 265-8359

Division of Sponsored Research
http://rgp.ufl.edu/research/
(352) 392-1582

Institutional Review Board
http://irb.ufl.edu/

University Contracts & Grants
http://fa.ufl.edu/cg/
(352) 392-1235

IFAS Sponsored Programs
http://grants.ifas.ufl.edu
(352) 392-2356

Engineering Contract & Grants
http://www.eng.ufl.edu/home/cng/
(352) 392-6626

University Athletic Association
http://www.uaa.ufl.edu/
(352) 375-4683


OFFICE OF AUDIT & COMPLIANCE REVIEW


Equal Opportunity Programs Office
http://www.hr.ufl.edu/eeo/default.htm
(352) 392-1075

University Ombudsman
http://www.ombudsman.ufl.edu/
(352) 392-1308

General Counsel and Vice President
http://www.generalcounsel.ufl.edu/
(352) 392-1358

University Police Department
http://www.police.ufl.edu/
(352) 392-1111

Shands Auditing
(352) 265-7969

Senior Vice President for Administration/Human
Resources
http://www.hr.ufl.edu/
(352) 392-1075

Vice President for Business Affairs
http://www.admin.ufl.edu/
(352) 392-1336


HIPAA (Privacy Office)
http://privacy.health.ufl.edu/
(352) 263-5094



pTa


University Auditorium


2006-2007 ........................................................................................................... 17




University of Florida Home Page
© 2004 - 2010 University of Florida George A. Smathers Libraries.
All rights reserved.

Acceptable Use, Copyright, and Disclaimer Statement
Last updated October 10, 2010 - - mvs