SAN DIEGO: AUDIT & MANAGEMENT ADVISORY SERVICES 0919

April 17, 2012

ROBERT N. WEINREB, M.D.
Chair
Department of Ophthalmology
0946

CATHERINE LEDFORD
Administrative Vice Chair
Department of Ophthalmology
0946

Subject: Department of Ophthalmology Audit Project 2012-49

The final audit report for Department of Ophthalmology Audit Report 2012-49 is attached. We would like to thank all members of the department for their cooperation and assistance during the audit.

Because we were able to reach agreement regarding corrective actions to be taken in response to the audit recommendations, a formal response to the report is not requested.

The findings included in this report will be added to our follow-up system. While management corrective actions have been included in the audit report, we may determine that additional audit procedures to validate the actions agreed to or implemented are warranted. We will contact you to schedule a review of the corrective actions, and will advise you when the findings are closed.

UC-wide policy requires that all draft audit reports, both printed and electronic, be destroyed after the final report is issued. Because draft reports can contain sensitive information, please either return these documents to AMAS personnel, or destroy them. AMAS also requests that draft reports not be photocopied or otherwise redistributed.

Stephanie Burke
Assistant Vice Chancellor
Audit & Management Advisory Services

Attachment

cc: D. Brenner, C. Chu, R. Espiritu, G. Matthews, T. Perez, S. Vacca

UNIVERSITY OF CALIFORNIA - (Letterhead for Interdepartmental use)

AUDIT & MANAGEMENT ADVISORY SERVICES

Department of Ophthalmology
April 2012

Performed By:
Aparna Handa, Auditor
Terri Buchanan, Manager

Approved By:
Stephanie Burke, Assistant Vice Chancellor

Project Number: 2012-49

Department of Ophthalmology
Audit & Management Advisory Services Project 2012-49

Table of Contents

I. Background
II. Audit Objective, Scope, and Procedures
III. Conclusion
IV. Observations and Management Corrective Actions
   A. Research Effort Certification
   B. Deficit Balance Management
   C. Expense Approval Hierarchies
   D. Timekeeping, Payroll and HR functions
   E. APM 025 Compliance
   F. Transaction Sampling
   G. Information Systems Security
   H. Cash Controls
   I. Express Card Documentation and Usage
   J. Equipment Inventory
Attachment A: Audit Results by Business Office Functional Process

I. Background

Audit & Management Advisory Services (AMAS) completed a review of Department of Ophthalmology business processes as part of the approved audit plan for Fiscal Year 2011-12. This report summarized the results of our review.

Ophthalmology is a department within the University of California, San Diego (UCSD) School of Medicine (SOM). At the time of this review, Ophthalmology had 11 faculty members, and nine PhD or MD research scientists that provide training to medical residents and fellows through certified training programs, conduct research, and provide specialized clinical services to UC San Diego Health System (UCSDHS), and Veteran’s Administration San Diego Health System patients.

Ophthalmology operations are conducted in the Shiley Eye Center. Founded in 1991, the Shiley Eye Center is an academic institution with comprehensive programs for the clinical care of patients with eye disorders, research on surgical techniques and the treatment of eye diseases, education in the field of Ophthalmology, and innovative outreach to the community. The Shiley complex consists of the main facility, the Anne F. and Abraham Ratner Children’s Eye Center, the Joan and Irwin Jacobs Retina Center, and the Hamilton Glaucoma Center. The Division of Community Ophthalmology operates the EyeMobile for Children, which provides eye testing services to children in San Diego County through the San Diego Head Start Program and San Diego County public schools.

The School of Medicine (SOM) Corporate Statement of Revenue and Expenses for Fiscal Year 2010-11 reported total Ophthalmology revenue of $22.3M. Of that amount, $11.2M (50%) was received from research contracts and grants, and $8.5M (38%) was net clinical revenue. Federal awards contributed $6.9M to the total research revenue, of which National Institutes of Health (NIH) awards totaled $2.4M (35%), and accounted for 21% of the total research revenue.
Ophthalmology Business Office staff provides support for critical department business processes including pre and post award support of contracts, grants, and clinical research; financial analysis and reporting; payroll/timekeeping; academic and staff personnel management, and information systems management. Faculty compensation transactions (Payroll Personnel System (PPS) and budget entries) are prepared by the SOM Central Faculty Compensation Unit (CFCU). However, the Business Office retains the responsibility for budgeting and analyzing faculty salaries.

On July 1, 2012, Dr. Robert Weinreb was appointed Department Chair and Director of the Shiley Eye Center. Dr. Weinreb also serves as the Director of the Hamilton Glaucoma Center, which provides laboratory and clinical research facilities to enhance the discovery and translation of innovative research to prevent and cure glaucoma blindness.

II. Audit Objective, Scope, and Procedures

The objective of our review was to determine whether Ophthalmology business process controls provided reasonable assurance that financial results were accurately reported, operations were effectively managed, and activities complied with relevant policies, procedures and regulations. The project scope included a review of business practices in place during audit fieldwork, and the analysis of business transactions completed in Fiscal Year 2010-11, and during the period July through December 2011.
We completed the following audit procedures to achieve the project objective:

• Reviewed applicable University policies and procedures;
• Reviewed Ophthalmology business documents and information including the department website, the organizational structure, and financial reports;
• Interviewed Ophthalmology management including the Administrative Vice Chair (AVC), the Business Office Senior Analyst Supervisor, and the Human Resources (HR) Manager to obtain information about the organizational structure and special programs;
• Interviewed Ophthalmology staff including fund managers, the administrative assistant, and HR staff to discuss key business processes;
• Conferred with the Campus Disbursements Office on approval authorities, and Campus HR to discuss employee background checks;
• Evaluated the structure and administration of department information systems and the computing environment with the assistance of the Information Technology (IT) Director, and;
• Performed detailed testing of a sample of business transactions to verify that transactions were processed in compliance with regulatory requirements and University policy.

Because AMAS recently completed a review of Shiley Eye Center clinic cash controls (Project 2011-27B), the cash control review conducted during this project was limited to the Business Office. Other clinic processes including appointment scheduling, medical records management, and charge capture were also excluded from this review.

III. Conclusion

We concluded that improvements to certain business processes were needed to provide reasonable assurance that financial results were accurately reported, operations were effective and efficient, and activities complied with relevant policies, procedures and regulations.
Ophthalmology experienced significant organizational changes during Fiscal Year 2011, which included the appointment of a new Chair, and the loss of several key Business Office staff members who had provided fund management and HR support services. The former Business Office Supervisor, who also served as the Department Systems Administrator (DSA), resigned in April 2011 and a replacement was not hired until August 2011. The HR Manager also retired in June 2011. However, she was re-hired to provide limited part-time support until the position was filled, which occurred in January 2012.

The Business Office also employs two Fund Managers to assist researchers with the fiscal management of contracts and grants. The Fund Manager with the longest tenure in her position went on an extended leave at the end of October 2011. The second Fund Manager joined the Department in May 2011, but resigned in March 2012.

Due to the significant staff changes that occurred, Business Office staff re-prioritized daily responsibilities to ensure that core clinic and research operations were adequately supported, which focused initially on financial analysis, and research pre-award activities.

Attachment A provides the results of the business process review. Specific management actions planned or in process for those areas that were rated “satisfactory” or “improvement suggested” are noted in Attachment A. Those areas which were rated “improvement needed” are described in more detail in the remainder of this report.

IV. Observations and Management Corrective Actions

A. Research Effort Certification

Effort reports were not certified on a timely basis.

Federal regulations (OMB Circular A-21, Cost Principles for Educational Institutions) require that direct salary costs devoted to sponsored projects be substantiated.
All employee salaries charged directly to federal and federal flow through funds must be certified. The University requires that sponsored project effort be certified within 120 days after the end of the reporting period.

AMAS reviewed the January 9, 2012 ECERT[1] Effort Reporting Certified Aging Report, which included effort reporting data for Fiscal Year 2010-11. The report revealed that 60 of 197 (31%) required effort reports were not certified within 120 days. Our evaluation of the Effort Reporting Overdue Aging Report for the quarter ended June 30, 2011 identified that approximately 23% of the effort reports had not been certified and are overdue. Additional detailed information[2] is presented in the table below:

| Quarter | Total Certifications Required | Certifications Not Completed | Number of Days Overdue |
|---|---|---|---|
| FY11 Jul-Sept | 68 | 3 (4%) | 344 |
| FY11 Oct-Dec | 69 | 16 (23%) | 252 |
| FY11 Jan-Mar | 64 | 13 (20%) | 162 |
| FY11 Apr-Jun | 57 | 25 (44%) | 71 |

[1] The UC Electronic Certification of Effort and Reporting Tool (ECERT) replaced the manual Personnel Activity Reporting (PAR) effort reporting system.

[2] Information included in the table was extracted from the UCSD ECERT system.

Timely effort certification is important to provide a documented assertion of the effort dedicated to each research award. Improper or incomplete effort reports can result in disallowances in the event of an external agency review, and could potentially jeopardize future federal research funding.

Management Corrective Action:

Ophthalmology management will periodically monitor the status of effort certifications in the ECERT system, and work with PIs and/or research staff with outstanding reports to ensure that they are completed timely.

B. Deficit Balance Management

Selected Ophthalmology funds were in deficit.

The UCSD Overdraft Policy requires departments to routinely monitor accounts in overdraft and remediate deficit balances. On January 9, 2012 AMAS ran a financial query in IFIS to identify Ophthalmology fund/indexes with deficit balances of over $10K that had been in overdraft for more than three months. This query identified the following fund/indexes with a cumulative deficit of $476,016 for which no additional revenue was pending to reduce or eliminate the deficit.

| Fund Type | Deficit Balance as of January 9, 2012 | Number of Months in Deficit |
|---|---|---|
| Private Contracts and Grants OPH5089, 85089A | ($101,527) | 12 |
| SOM Clinical Trials OPHKZ02, 79600A | ($81,405) | 10 |
| Service Agreements OPHDSZ7, 60153A | ($58,432) | 7 |
| STIP OPH8823, 69991A | ($50,970) | 5 |
| Service Agreements OPHBB02, 60153A | ($50,058) | 7 |
| Private Contracts and Grants OPH5702, 85702A | ($42,553) | 10 |
| Service Agreements OPHBB04, 60153A | ($40,658) | 5 |
| Service Agreements OPHZY01, 60153A | ($35,703) | 6 |
| Private Contracts and Grants OPH3163, 83163A | ($14,711) | 7 |
| Total | ($476,017) | |

Planned routine overdraft monitoring would assist management with resolving deficits timely, and minimizing negative STIP[3] that will be charged to the deficit balances.

[3] The Treasurer's Office at the UC Office of the President (UCOP) invests available university cash in short-term securities called the Short Term Investment Pool (STIP). “Negative” STIP is charged to accounts with a deficit balance.

Management Corrective Action:

Business Office staff will take the necessary steps to resolve current deficit balances, and will proactively monitor and timely resolve deficit balances in the future.

C. Expense Approval Hierarchies

Expense approval hierarchies were not established to ensure compliance with University policy.

AMAS obtained and reviewed the expense approval hierarchies list to determine whether approval authority had been assigned in accordance with University policy. The following observations were made based on our review:

For some transactions/documents, assigned approvers reported to the preparer or the person initiating the transaction. For example:

• Certain Chair expenses were approved by the AVC or Fund Managers.
• AVC expenses were approved by the Business Office Supervisor who reported directly to her. Similarly, Business Office Supervisor expenses were approved by the Fund Managers who reported to her.
• Approvers had not been established for some transactions initiated by the Business Office Supervisor and the Fund Manager on extended leave. We also noted that an alternate approver was not established for certain expenses approved by the Fund Manager who was on extended leave.
• The Business Office Supervisor and Fund Managers were designated responsibility for approving events defined as exceptional entertainment, not hosted by the Chair. However, the required delegation of authority forms had not been completed.

The establishment of appropriate approval hierarchies helps to ensure segregation of responsibilities within the procurement process, and increases the probability that purchase transactions comply with University policy. A qualified staff member should be assigned to approve expenses in the absence of the primary approver to ensure that transactions are processed timely.

Management Corrective Actions:

Ophthalmology management will:

1. Ensure that department approval hierarchies are modified to correct the identified exceptions.
2. Submit required delegation of authority forms for exceptional entertainment expenses for events not hosted by the Chair.

D. Timekeeping, Payroll and HR functions

Timekeeping and payroll documentation and review processes needed improvement.
University timekeeping and payroll policy requires business units to ensure that internal controls are implemented, properly documented and periodically monitored. During our audit, we noted the following areas of non-compliance with University internal control standards:

Timekeeping – Separation of Duties

University internal control guidance included in UC Business and Finance Bulletin IA-101: Internal Control Standards: Departmental Payrolls highly recommends separation of duties for key processes. We noted that the Ophthalmology staff Timekeeper entered her own time without secondary review. In addition, in the absence of a dedicated HR Manager, a review of the Timekeeper Audit report was not being performed.

Implementation of a monthly review of a sample of timekeeping entries, including time reported by the Timekeeper, to be completed by a second person would help to verify the appropriateness and accuracy of time recorded.

Management Corrective Action:

The HR Manager hired in January 2012 plans to strengthen timekeeping controls, and will compare a sample of entries on the Timekeeping Entry Verification Report (including time reported by the Timekeeper) to the timesheets on a monthly basis to ensure that time is entered accurately in the system.

Faculty and Fellows Time Reporting

UCSD PPM 395-4.1, Timekeeping: Attendance Records requires that sufficient documentation be maintained to support the authorization of employee payroll and benefits expenses. The Payroll Time Record (PTR) is used to report work hours for non-exempt employees, and exception time off including vacation, sick leave, and other leave requests for exempt personnel.

HR advised AMAS that PTRs were not submitted monthly to the Business Office by most faculty members, and PTRs were not being collected for fellows.
However, vacation and sick leave usage information was obtained from Training Program Managers when leave information was needed for fellows, and faculty member leave usage was obtained from other sources.

Implementation of a monthly PTR request and follow-up process will ensure that Ophthalmology maintains required time reporting support documents.

Management Corrective Action:

Ophthalmology management will design and implement a consistent method of reporting vacation and sick leave hours for faculty members and fellows to comply with UC time reporting policy requirements. As part of that process, the HR Manager will follow up to obtain exception time reports that are not submitted timely.

Monthly Review of Distribution of Payroll Expense (DOPE) Reports

UC Business and Finance Bulletin IA-101: Internal Control Standards: Departmental Payrolls requires that payroll expenditures be reconciled monthly and that the review be documented by signing and dating the Distribution of Payroll Expense (DOPE) report or a reconciliation log (or similar record) maintained for that purpose.

AMAS was advised by the Ophthalmology Business Office Supervisor that a monthly DOPE review was performed for sponsored projects, but was not being documented as required by policy. DOPE reviews were not being performed for Business Office and clinical staff salaries that were paid from other fund sources.

Inconsistent practices for performing and documenting key internal controls for the areas noted above increase the likelihood that errors or irregularities could go undetected.

Management Corrective Actions:

1. Ophthalmology Fund Managers will document monthly DOPE report reviews by initialing and dating a list of accounts within the scope of their responsibility to provide evidence that a DOPE review was performed.
2. The Ophthalmology AVC or her designee will review the DOPE reports for staff paid from non-research sources on a monthly basis and document that review as described above to provide assurance that payroll charges are accurate and correctly allocated.

Staff Performance Evaluations

The UC Personnel Policies for staff members require that “the performance of each employee be appraised annually in writing by the employee’s immediate Supervisor, or more frequently, in accordance with local procedures.” AMAS’ review of the performance evaluation tracking sheet for Fiscal Year 2010-11 revealed that 44% of employee performance appraisals had not been completed as of January 2012.

The performance appraisal process provides the employee a guide for improving performance and for professional development and is an important tool to assist with the effective management of staff resources.

Management Corrective Action:

The HR Manager will develop a staff performance evaluation management process to ensure that evaluations are completed timely and in compliance with policy.

E. APM 025 Compliance

Ophthalmology was not in full compliance with Academic Personnel Manual (APM) 025.

APM 025: Conflict of Commitment and Outside Activities of Faculty Members, outlines the processes for reporting and evaluating faculty compensated and uncompensated outside professional and non-professional activities to determine whether reported activities create a conflict of commitment. APM 025 requires that all faculty members file a Report on the Category of I and II Compensated and Outside Professional Activities and additional Teaching Activities annually. The disclosure form is due by November 1 of the following fiscal year.

The AVC assumed responsibility for requesting and collecting APM 025 forms while the HR Manager position was vacant.
The AVC provided AMAS with an APM 025 tracking sheet for Fiscal Year 2010-11 that showed a disclosure submission rate of 61% as of December 2011.

Timely collection and review of APM 025 disclosures assists management with identifying any potential faculty conflict of commitment that would potentially interfere with the successful performance of their University obligations.

Management Corrective Actions:

1. The AVC has assigned the responsibility for obtaining completed APM 025 disclosures to the HR Manager.
2. The HR Manager will work with faculty members to obtain the additional APM 025 disclosures needed to achieve full compliance for Fiscal Year 2010-11, and will implement a disclosure request process to help ensure compliance with the November 1 due date in the future.

F. Transaction Sampling

Financial transactions selected by the campus Transaction Sampling system were not timely reviewed and reconciled in all cases.

The campus Transaction Sampling process randomly selects a sample of department financial transactions from the campus Integrated Financial Information System (IFIS) to be evaluated during the ledger reconciliation and account validation process. The review process facilitates the identification and correction of processing errors. To qualify for participation in this process, department fund managers are required to complete training and the department’s fiscal officer is required to periodically monitor and review the transaction queue.

The following observations were made based on our review of the Transaction Sampling Report for Fiscal Year 2010-11, and July through December 2012:

• Only 324 (22%) of all transactions selected for Fiscal Year 2010-11 were reviewed.
• As of January 9, 2012, only 23 (8%) of the transactions selected for July through September 2011 were reviewed.
• As of February 1, 2012, no transactions have been reviewed for the period October through December 2011.

The Transaction Sampling system provides reasonable assurance that transaction errors are timely identified and corrected, while using staff resources effectively. However, if transactions are not reviewed timely, there is increased risk of undetected non-compliance with federal cost allocation requirements.

Management Corrective Action:

The Business Office Supervisor indicated that she is aware of the low review rate, and will implement procedures to improve the timeliness of the process when fund management processes are re-structured to most effectively leverage existing staff resources.

G. Information Systems Security

We identified one information security violation related to password sharing. In addition, UCSD Minimum Network Connection Standards (Minimum Standards) could be improved via the implementation of periodic scans for sensitive data.

System Access Issues

The former Department System Administrator (DSA), who also served as the Business Office Supervisor, retired in April 2011. However, although back-up DSA support had been obtained from the School of Medicine, the Supervisor’s system access was not terminated until October 2011. Any delay in system access termination to UC systems may result in unauthorized system access to University information assets.

AMAS was also advised that one Fund Manager used another employee’s access credentials to obtain reports from PCIS/Infopac[4] to complete new work responsibilities assigned during the staff transition that occurred in October and November 2011.
The delay in obtaining PCIS/Infopac system access for the Fund Manager was caused by the long process involved with obtaining system access, which requires that a Fund Manager (1) attend the available training session in Hillcrest, and (2) obtain each PI's approval to gain access to the Infopac reports associated with his or her research project. Regardless, employees should not share passwords under any circumstance, as they will be held accountable if University data is inappropriately modified or obtained by another employee who uses their assigned username and password.

Management Corrective Actions:

1. Ophthalmology management has assigned and trained four staff to perform primary and secondary DSA functions to prevent security violations in the future.
2. Ophthalmology management will remind all personnel that sharing of system access credentials is a violation of UCSD information security policy.

Scanning for Sensitive Data

UCSD Minimum Standards for workstations and servers that process and manage sensitive information require departments to scan their systems to identify unencrypted sensitive data at least monthly (PPM 135, Computing Services, Section 5.2.5, Scan for Sensitive Data). Minimum Standards further state that sensitive data should be removed from the system when possible. If it cannot be removed, sensitive data must be encrypted.

During our review, we noted that the Information Systems Manager had not implemented a process to periodically address unencrypted sensitive data, which increases the potential of security threats to department information resources.
[4] Infopac is a Medical Center system used to run reports on patient data.

Management Corrective Action:

Ophthalmology management will request that the IS Manager research available scanning software options, and develop a process to perform periodic scans on servers and workstations to identify and secure unencrypted sensitive data.

H. Cash Controls

Certain cash management controls were not implemented as required by UC BUS 49.

Business Office staff received cash payments for service agreements and clinical research projects. We determined that background checks had not been completed for all staff members who received and deposited cash payments as required by UC Business and Financial Bulletin (BUS) 49, Policy for Cash and Cash Equivalents Received: Section IV.1, which states in part: “the campus must perform background checks prior to employing cashiers, cash handlers and individuals in other critical positions.”

The University now requires that a background check be obtained for new staff with cash handling responsibilities included in their job description. However, because this requirement became a standard practice within the past several years, staff hired before that may be performing cash handling functions without meeting the background check requirement.

We also found that checks received by certain Business Office staff were not endorsed upon receipt as required by BUS-49. Because checks received in Ophthalmology must be processed and transferred to the Main Cashier for deposit, checks should be restrictively endorsed when first received to minimize the risk of conversion if lost during transfer.

Management Corrective Actions:

1. In accordance with staff personnel policies, Ophthalmology management will work with existing staff with cash handling responsibilities to have a background check completed.
2. Ophthalmology management will remind all Business Office staff to endorse checks upon receipt.

I. Express Card Documentation and Usage

Supporting documents for Express Card were not available in some cases, and one restricted purchase was identified.

The University’s Express Card program is designed to simplify the purchasing process for goods and services. However, charges must be validated to ensure that expenses are appropriate. AMAS’ review of a sample of 14 Express Card purchases identified three transactions that did not have receipts/invoices to support the charge. Lack of supporting documentation prevents assessment of the validity of the expense.

The Express Card program places some restrictions on the use of Express Cards. One transaction in the review sample was for a gift card purchase, which is identified as a restricted purchase. The transaction had been previously audited by the Express Card Team and the Business Office was advised of the violation.

Management Corrective Actions:

1. The Business Office has advised the Express Card holder about the gift card purchase restriction to avoid future violations.
2. Ophthalmology management will require that Express Card receipts be retained and validated to provide support for purchase transactions, and will design document retention standards. Retention methods could include document scanning solutions.

J. Equipment Inventory

An equipment inventory count had not been conducted in over five years.

UC Business and Finance Bulletin (BUS) 29: Management and Control of University Equipment requires that the custodial department complete a physical inventory of all University inventorial equipment, government inventorial equipment, other government property, and other inventorial items at least every two years.
The policy further states that the individual who performs the inventory may not also be assigned the responsibility for authorizing the purchase of property, maintaining the property records, or maintaining direct custody of the property. The Campus Asset Management System (CAMS) equipment inventory report for February 9, 2012 indicated that a physical inventory of Ophthalmology equipment valued at approximately $4.4M had not been completed in over five years. An equipment inventory is needed to ensure that location codes are correct and to remove replaced or unaccounted for equipment from inventory records.

Management Corrective Action:

Ophthalmology management will complete an equipment inventory in Fiscal Year 2011-12, and every two years thereafter as required by University policy.

ATTACHMENT A

Department of Ophthalmology
Audit Results by Business Office Functional Process
Audit & Management Advisory Services Project #2012-49

Business Office Process: Payroll Expenditure Transfers; Non-Payroll Expenditure Transfers; Contract & Grant Activity (Post Award Admin.)

AMAS Audit Review Procedure
Analytical Review of Financial Data: √ √ √
Internal Control Questionnaire/Separation of Duties Matrix:
Process Walk-through (Ltd Document Review):
Transaction Testing (Sample Basis):
√ Verified selected adjusted payroll charges in the operating ledgers and reviewed them for reasonableness.
√ Examined selected operating ledgers and financial reports.
√ Reviewed five awards totaling $17.4M, and evaluated selected invoices and expenses for the period July 2010 to February 2012.

Payroll Expenditure Transfers
Risk & Controls Balance Reasonable (Yes or No) / SAS 112 Key Control: Yes, Yes, Ledger Transaction Verification
Audit Conclusion¹: Satisfactory
Comments: Expense transfer explanations appeared reasonable. No exceptions were identified.

Non-Payroll Expenditure Transfers
Risk & Controls Balance Reasonable (Yes or No) / SAS 112 Key Control: Yes, Yes, Fiscal Operations Review
Audit Conclusion¹: Satisfactory
Comments: Expense transfers appeared reasonable. No exceptions were identified.

Contract & Grant Activity (Post Award Admin.)
Risk & Controls Balance Reasonable (Yes or No) / SAS 112 Key Control: Yes, Yes, Internal Controls
Audit Conclusion¹: Satisfactory
Comments: Grant expenses appeared reasonable. No exceptions were identified.

¹ Audit conclusions used in this report included the following four levels from highest to lowest; Satisfactory, Satisfactory/Improvement Suggested, Satisfactory/Improvement Needed and Improvement Needed.

Business Office Process: Travel; Entertainment

AMAS Audit Review Procedure
Analytical Review of Financial Data: √ √
Internal Control Questionnaire/Separation of Duties Matrix: √ √
Process Walk-through (Ltd Document Review):
Transaction Testing (Sample Basis):
Reviewed a judgmental sample of 10 transactions from July 2010 – January 2012; traced to vouchers (TEVs) and supporting documents.
Reviewed a judgmental sample of 10 transactions from July 2010 – January 2012, reviewed approvals and traced to supporting documents.

Travel
Risk & Controls Balance Reasonable (Yes or No) / SAS 112 Key Control: Yes, Yes, Ledger Transaction Verification
Audit Conclusion¹: Satisfactory
Comments: All transactions appeared appropriately allocated to the fund. No exceptions were identified.

Entertainment
Risk & Controls Balance Reasonable (Yes or No) / SAS 112 Key Control: Yes, Yes, Ledger Transaction Verification
Audit Conclusion¹: Satisfactory/Improvement Needed
Comments: Although expenses appeared appropriate, an itemized receipt was not retained for one event. Expenses for a second event were incurred by the Business Office Manager on behalf of the Chair, but not submitted through the Chair expense approval process. The Business Office was advised of the oversight, and will avoid similar errors in the future.
Business Office Process: Effort Reporting (PARs)

AMAS Audit Review Procedure
Analytical Review of Financial Data: √
Internal Control Questionnaire/Separation of Duties Matrix: √
Process Walk-through (Ltd Document Review):
Transaction Testing (Sample Basis): Reviewed ECERT reports and the certification summaries for the Fiscal Year 2010/11, and the period July through December 2011.

Effort Reporting (PARs)
Risk & Controls Balance Reasonable (Yes or No) / SAS 112 Key Control: Yes, No, Effort Reporting
Audit Conclusion¹: Improvement Needed
Comments: The effort for one key person was reduced by more than 25% on one grant (OPH5778) for the grant year February 2011 through January 2012 (Budget = 5%, Actual = 3.5%). However, the Fund Manager was aware of the issue and requested a payroll correction in September 2011, which was not processed until January 2012. The adjustment will help to ensure that effort is consistent with the budget prospectively.
In addition, effort report certifications were not completed timely. As of January 2012, approximately 23% of effort reports had not been certified for Fiscal Year 2010/11. (Audit Report Finding A)

Business Office Process: Operating Ledger Review & Financial Reporting; Non-Payroll Expenditures

AMAS Audit Review Procedure
Analytical Review of Financial Data: √
Internal Control Questionnaire/Separation of Duties Matrix:
Process Walk-through (Ltd Document Review): Examined sample of operating ledgers and financial reports and analyzed overdraft balances as of January 2012. √ √
Transaction Testing (Sample Basis): Reviewed a judgmental sample of 12 transactions and traced them to available supporting documents. √

Operating Ledger Review & Financial Reporting
Risk & Controls Balance Reasonable (Yes or No) / SAS 112 Key Control: Yes, No, Fiscal Operations Review
Audit Conclusion¹: Improvement Needed
Comments: Several deficit balances were identified. (Audit Report Finding B)

Non-Payroll Expenditures
Risk & Controls Balance Reasonable (Yes or No) / SAS 112 Key Control: Yes, Yes, Ledger Transaction Verification
Audit Conclusion¹: Satisfactory/Improvement Needed
Comments: All transactions appeared to be appropriately allocated to the fund. However, certain expense approval hierarchies were incomplete or inappropriate. (Audit Report Finding C)

Business Office Process: Timekeeping and Payroll

AMAS Audit Review Procedure: √ √ √ Reviewed timesheets, absence slips, and Timekeeper Audit Reports.

Timekeeping and Payroll
Risk & Controls Balance Reasonable (Yes or No) / SAS 112 Key Control: Yes, No, Payroll Expense Verification
Audit Conclusion¹: Improvement Needed
Comments: Supporting payroll and timekeeping documents were maintained. However, we noted the following issues:
- The timekeeper entered her own time.
- The timekeeper audit report was not being reviewed by a second individual.
- The timesheet submission rate for faculty and fellows needed improvement.
- Distribution of Payroll Expense (DOPE) report reviews were not being documented.
- Staff performance evaluations were not completed timely.
(Audit Report Finding D)

Business Office Process: APM 025 Disclosures

AMAS Audit Review Procedure: √ √ Interviewed management, and reviewed the APM 025 disclosure log for Fiscal Year 2011.

APM 025 Disclosures
Risk & Controls Balance Reasonable (Yes or No) / SAS 112 Key Control: No, No
Audit Conclusion¹: Improvement Needed
Comments: Ophthalmology faculty members were not in full compliance with APM 025. (Audit Report Finding E)

Business Office Process: Non-payroll Expenditure Transactions – Transaction Sampling; Information Systems

AMAS Audit Review Procedure
Analytical Review of Financial Data: √
Internal Control Questionnaire/Separation of Duties Matrix: √ √
Process Walk-through (Ltd Document Review): √ √
Transaction Testing (Sample Basis):
Analyzed Transaction Sampling management reports for the period April through September 2011.
Reviewed the responses to the IT internal control questionnaire and interviewed the IT Director.

Non-payroll Expenditure Transactions – Transaction Sampling
Risk & Controls Balance Reasonable (Yes or No) / SAS 112 Key Control: Yes, No, Ledger Transaction Verification
Audit Conclusion¹: Improvement Needed
Comments: Transactions selected by the campus Transaction Sampling system were not timely reviewed and reconciled in all cases. (Audit Report Finding F)

Information Systems
Risk & Controls Balance Reasonable (Yes or No) / SAS 112 Key Control: Yes, No, Individual Security Access
Audit Conclusion¹: Improvement Needed
Comments: A group username and password was used to access imaging equipment that stored patient data. The age of the equipment prevents individual access credentials from being implemented. Management believes that this issue will be resolved when the Epic Kaleidoscope module is implemented.
One instance of inappropriate system access was identified, and system scans were not completed periodically to identify Personal Identifiable Information (PII) stored on department servers and workstations. (Audit Report Finding G)

Business Office Process: Cash Handling

AMAS Audit Review Procedure: √ Interviewed management.

Cash Handling
Risk & Controls Balance Reasonable (Yes or No) / SAS 112 Key Control: Yes, Yes, Internal Controls
Audit Conclusion¹: Improvement Needed
Comments: Background checks need to be performed for all Business Office staff with cash handling responsibilities. (Audit Report Finding H)

Business Office Process: Express Cards; Equipment Inventory Management

AMAS Audit Review Procedure: √ √ √ √
Selected a judgmental sample of 14 transactions and traced them to supporting documents.
Reviewed the Campus Asset Management System (CAMS) equipment inventory report on February 9, 2012.

Express Cards
Risk & Controls Balance Reasonable (Yes or No) / SAS 112 Key Control: Yes, No, Ledger Transaction Verification
Audit Conclusion¹: Improvement Needed
Comments: Supporting documents for Express Card were not available in some cases, and one restricted purchase was identified. (Audit Report Finding I)

Equipment Inventory Management
Risk & Controls Balance Reasonable (Yes or No) / SAS 112 Key Control: Yes, No, Physical Inventory
Audit Conclusion¹: Improvement Needed
Comments: An equipment inventory had not been performed in over five years. (Audit Report Finding J)