REPORT OF THE INTERNAL AUDIT FUNCTION FOR THE YEAR ENDED APRIL 30,1999 ANDWORK PLAN FOR THE YEAR 1999-2000

Board of Governors, June 24, 1999 - APPENDIX III, Annex 1

REPORT OF THE INTERNAL AUDIT FUNCTION
FOR THE YEAR ENDED APRIL 30,1999 AND
WORK PLAN FOR THE YEAR 1999-2000

INTRODUCTION

During 1998/99, most internal audit work was concentrated in the information systems area. The PeopleSoft project, information security and Year 2000 work were areas of prime involvement. Overall, the year can be characterized as one of learning and change.

MAJOR ACCOMPLISHMENTS DURING 1998/99

1) PeopleSoft Project

As expected, the PeopleSoft project continued to consume many resources across the University community, including those of Internal Audit during 1998/99. Major project milestones included:

Continual improvements to the operation and production processes of the Human Resources module.
The Financial General Ledger module went live in May 1998.
The other Financial modules (Purchasing and Accounts Payable, Billing and Accounts Receivable) went live in August 1998.
Graduate Studies and Admissions modules of the Student Administration System went live in November 1998.
The Advancement module will go live in May 1999.

Internal Audit's role in the PeopleSoft project focused on the evaluation of controls, security and audit trails to ensure data is processed accurately, completely and efficiently. The following principles are used when developing audit plans for each module.

Risk-based audit approach that identifies and assesses risks, and reviews controls to address the risk.
Review of processes used by the teams, followed by transaction testing for confirmation.
Focus on the effectiveness of a combination of controls, instead of compliance testing individual control procedures.

Audit plans are divided into the areas of system testing, conversion and business processes for each of the modules within PeopleSoft. The objectives and audit approach for each area are outlined below.

A) System Testing

Objectives: To ensure a comprehensive test of the entire system covering both automated and manual procedures are completed. System testing includes integrated, parallel, volume and interface testing.

Approach: Understand the testing process employed by the implementation teams. Review test plans and results of key data testing.

B) Conversion

Objectives: To ensure data is converted completely and accurately at conversion dates and that no errors are introduced as a result of the conversion. Data include existing data and data created for the system.

Approach: Understand the conversion procedures employed by the implementation teams. Perform specific testing or review testing to ensure that the transfer of information was complete and accurate, and that no cutoff errors occurred.

C) Business Processes

Objectives: Identify and evaluate the effectiveness of controls within the system (either automated or manual controls) that would prevent an error from occurring or detect an error should it occur.

Approach: Understand and document the flow of significant transactions through the system. Evaluate the controls that prevent an error from either occurring or being undetected. Participate in training to develop an understanding of business processes. Internal audit work is completed after the system has been implemented and is stabilized.

The following highlights PeopleSoft internal audit work completed during 1998/99 and plans for 1999/2000.

Human Resources Information System

a) A review of Human Resource business processes as they relate to the PeopleSoft project implementation was completed. Automated and manual controls are working well to ensure payroll transactions are processed accurately. An evaluation to streamline the pay process for work/study students will be completed by the Fall 1999.

b) 1999/2000 Plans - develop audit plans for the upgrade to version 7.5.
Financials

a) System testing and conversion reviews were completed for the General Ledger, Purchasing and Accounts Payable, and Accounts Receivable/Billing modules. For all modules, (i) the testing was adequate and (ii) conversions were complete and accurate.

b) 1999/2000 Plans - Business process risks and controls will be reviewed for the Financial modules.
Student Administration

a) The conversion of graduate student data was reviewed. Twenty-six students who have taken approximately 740 courses from September 1988 to December 1998 have been reviewed in detail. No errors in conversion were found. An evaluation to determine the extent of testing needs to be completed.

b) 1999/2000 Plans - Conversion testing for undergraduate students will be completed. Business process risks and controls will be reviewed.
Advancement System

a) System testing processes followed by the implementation team were reviewed and found to be adequate. Conversion processes were also reviewed and the testing will be completed in the early summer.

b) 1999/2000 Plans - The project will be evaluated during the year for audit involvement.
Information Security

a) As reported at the January 1999 Audit Committee meeting, a general infor mation security controls audit was completed. Follow-up to the audit will occur during 1999/2000.

b) Access controls to the Human Resource module were reviewed and found to be adequate. During 1999/2000, access controls to the Financials and Student Administration modules will be reviewed.

PeopleSoft Resource Group

In March 1999, the PeopleSoft Resource Group was formed as a collaborative effort among the administrative units to assist in maintaining and developing the PeopleSoft modules. Internal audit will work with the Group during 1999/2000 to incorporate an audit methodology into the system upgrade process.

2) The Year 2000 (Y2K)

Activities relating to the Year 2000 centred on system compliance and conversion, contingency planning and legal issues. Risks associated with Y2K include:

Technology Risks - Systems fail or process data incorrectly due to problems arising directly from Year 2000.
Business Interruption - Negative outcomes of Y2K risks may interrupt normal business operations. The source of the risk can be internal (equipment failure) or external relating to external dependencies on suppliers, utilities and telecommunications.
Health and Safety - Interruption of business operations may cause problems in operating equipment and environmental systems, resulting in hazardous working conditions.
Legal Risks - If Y2K exposures are not managed, an organization may be subject to litigation from vendors, customers and employees.

Addressing the Y2K issues within an organization that is as diverse and large as the University is a challenge. There is no 100% Y2K failure-safe solution. However to reduce risk, each organization has a responsibility to reduce the risk of failure. At the University, several initiatives have been undertaken during 1998/99 to reduce the risks. These include:

a) Technology Risks

Conversion of major administrative systems to PeopleSoft remains on schedule.
Formation of a group, comprised of members from ITS and Internal Audit to address compliance of ITS systems and provide assistance, if required, to other departments.
Selection of a new telecommunication system, to be implemented by the Fall 1999.
Development of a 'Y2K Readiness Guide' for UWO employees.
Communications that consistently state "all faculty and staff take personal and individual responsibility for helping to ensure that the technology you use is Y2K ready".
Formation of a Research Subcommittee to reach the research community.

In addition, the Assistant Director of ITS and the Chair of the Y2K Contingency Planning Committee will meet with Deans and Budget Unit Heads individually to discuss compliance issues and contingency planning. Units will also be asked to state their degree of compliance by July 30, 1999.

b) Business Interruptions

Formation of a Y2K Contingency Planning Committee that includes members from across campus, including Internal Audit.
Participation of department Y2K representatives in seminars and workshops held on contingency planning.
Requests for contingency plans from all faculties and departments. Most plans have been received.
Formally recognizing the first priority in contingency planning is safety and security.
During the remainder of 1999, a corporate contingency plan will be developed and tested.

c) Legal Issues

Pensa & Associates completed a legal assessment of Y2K issues at the University.
A final report has not been released to the Y2K Contingency Planning Committee.

Through these activities, it appears the University is managing Y2K risks. However, these activities must continue for the remainder of 1999 and need to be monitored. Internal Audit will continue to monitor the progress during this period.

3) Campus Computer Security Subcommittee (CCSS)

Internal Audit is a member of CCSS, which is a subcommittee of the Senate Committee on Information Technology Services (SCITS). The committee was formed to provide advice to SCITS on computer and network security issues, to develop and recommend computer security-related policies, and to educate the campus community on computer security issues and policies.

During 1998/99, CCSS discussed information security issues facing the University. A report outlining specific recommendations to improve the information security infrastructure will be discussed at SCITS in June.

4) Legislation Affecting the University

In 1992, a list of legislation affecting the University=s operations was completed and reviewed to identify areas where Board member/officer liability was high. A project to update this list was initiated in 1997/98. The project should be completed during the summer 1999, as a summer student has been hired to complete the review.

5) Special and Mandatory Audits

Work in this area was limited to two investigations of travel policy compliance. One investigation concluded with an employee returning approximately $1,300 to the University. The other review did not find any compliance issues.

6) External Audit Assistance

Internal Audit provides assistance to Ernst & Young on the audit of enrolment and year-end inventory counts. Work completed by Internal Audit on year-end files prior to 1996, is now done by Ernst & Young at a cost of $15,000. Additional corporate audit fees paid in 1998/99 included $16,000 for the Human Resource system conversion and $1,025 for tax advice.

7) Professional Development

Professional development included training in PeopleSoft Query reporting and PeopleSoft Security.

WORK PLAN for 1999/2000

The 1999/2000 work plan is proposed (an allocation of time is presented in Schedule 1) based on the following assumptions:

a) No change in internal audit resources.

b) PeopleSoft continues to be a high risk project for the University.

c) Audit Committee and Senior Administration interests in risks facing the university.

1) Systems Audits

a) PeopleSoft - As indicated earlier in the report, work on PeopleSoft projects will continue, but not at the same level as in 1998/99. This is because most of the major implementations have been completed.

b) Year 2000 - As indicated, Internal Audit will continue monitoring progress for the remainder of 1999.

c) Campus Community Security Subcommittee - Work will continue.

2) Special and Mandatory Audits

It is anticipated that projects will be taken on if time permits.

3) Audit Committee

Audit Committee members have expressed an interest in identifying risk areas to the University. In 1992, after identifying areas where Board member/officer liability was high, an indemnification clause covering Governors and Officers was enacted. It is proposed to review this clause to determine if the coverage is adequate or if there are any exclusions. This will be done at the completion of the Legislative review.

4) External Audit Assistance

Additional time will be required to assess the audit of enrolment process for 1999/2000.

5) Risk Identification and Management (R.I.M.) Group

The U.W.O. Internal Audit objective is to assist management in the discharge of its responsibilities by providing objective analysis, appraisals, recommendations and comments concerning the activities reviewed. To attain this objective the Internal Audit Department:

determines whether the overall systems of internal control and the controls in each activity under audit are adequate, effective and functional.
ensures that the institutional policies and procedures, provincial and federal laws and good business practices are being followed.
ascertains the extent to which university assets are accounted for and safeguarded from losses.
determines the reliability and adequacy of the accounting and reporting systems and procedures.

The internal audit function is not responsible for determining and reporting on issues related to the level of efficiency of University operations. If during a review a situation is determined to be resulting in the inefficient expenditure of resources, that situation will be reported.

Audit Strategy

Prior to May 1996, internal audit work consisted of policy compliance reviews, basic control reviews, process reviews, system development reviews and special projects/investigations. The work plan was developed considering the following factors:

statutory requirements
concerns of management and the Audit Committee
significantly altered or new systems/programs
external audit requirements
issues arising from risk assessment. A risk assessment model ranked faculties and departments as a high, medium or low risk depending on the level of materiality, sensitivity, control concerns and management concerns within the unit.

After May 1996, Internal Audit work focused primarily on the PeopleSoft implementation for two reasons: a) the magnitude of the project combined with the impact on the University made it a high risk project, and b) the department size of one person made it difficult to address other risk areas.

However, the future internal audit strategy requires review due to several factors:

1. Audit Committee discomfort with all resources being used in the PeopleSoft project, meaning no review of the risk assessment model has been done. Therefore Audit Committee members do not know what high risk areas are not being covered.

2. The PeopleSoft project will change during 1999 - 2000. All modules will be implemented by August 1999 and the systems will move to a production status. Likely less Internal Audit resources will be required in the systems area.

3. Changes in the internal audit profession that emphasize a proactive approach.

A vision of the future internal audit function includes the following elements:

A focus on the future, emphasizing risks rather than compliance testing.
Education and communication of risk and controls.
Co-operative audits that emphasize participation and evaluation rather than inspection.
Use of self-assessment processes wherever possible.
Integration of technology into the audit process.
Periodic evaluations of audit processes to ensure alignment with the organization's direction.

If internal audit focuses on the future and risks, the audit is more likely to address the full range of issues that concern management. Instead of identifying and testing controls, internal audit will identify risks and test the ways management mitigates those risks. Communicating and educating people about risks and controls, creates an awareness of issues that may not have been overtly addressed in the past. The result is stronger systems and controls. In addition, a cooperative approach creates communication channels that result in improvements for both units and audit processes.

The creation of the R.I.M. Group will improve the risk management process at the University. By implementing a framework to assess risk, existing and future risk projects can be identified. Those projects can then be reviewed to determine how risks are mitigated. While internal audit brings knowledge of existing risks and controls to the group, the advantage is that those risks will not be considered in isolation.

What Needs to be Done

Over the next six months, Internal Audit would like to:

Coordinate the R.I.M. Group. Identify known risk areas to the University. Develop a framework to assess risk.

Select a pilot project to test the framework.

Develop an Internal Audit strategy. The strategy must work in conjunction with the R.I.M. Group. The strategy must be realistic and take into consideration available internal audit resources. In essence the question - Does what we can do equal what we need to do? An audit strategy not based on organizational needs will be difficult to implement. What needs to be done will include work driven by high risk (unit or process reviews), information systems changes, information security and special work. What can be done is limited by the Internal Audit resources. The strategy must address:
- Technology - Identify areas where technology can be used to increase audit coverage.
- Changes in internal auditing processes - an example is control self-assessment. How can this be applied at the University?
- Risk assessment model - Develop a process to monitor risks and controls.
- Education and communication - Develop plans in these areas.
Develop an audit plan. With an audit strategy in place, an audit plan can be developed.

It is proposed that a progress report be made at the next Audit Committee meeting with respect to the R.I.M. Group and Internal Audit strategy.

Please accept this as the report on 1998/99 audit activity and proposed work plan for 1999/2000.

Sharon Farnell
Internal Audit

May 1, 1999

Board of Governors APPENDIX III

Annex 1

Schedule 1

THE UNIVERSITY OF WESTERN ONTARIO

INTERNAL AUDIT WORK PLAN

	1999/2000 PROPOSED % OF TIME	1998/99 ACTUAL % OF TIME	1998/99 PROPOSED % OF TIME
Systems Audits	43	76	67
Special & Mandatory Audits	5	3	8
Audit Committee	8	6	8
External Audit Assistance	9	6	9
Professional Development	5	4	5
Administration	5	5	5
R.I.M. Group	25	0	0
Total	100	100	100

REPORT OF THE INTERNAL AUDIT FUNCTION FOR THE YEAR ENDED APRIL 30,1999 AND WORK PLAN FOR THE YEAR 1999-2000

REPORT OF THE INTERNAL AUDIT FUNCTION
FOR THE YEAR ENDED APRIL 30,1999 AND
WORK PLAN FOR THE YEAR 1999-2000