Board of Governors, June 24, 1999 - APPENDIX III, Annex 1
During 1998/99, most internal audit work was concentrated in the information systems area. The PeopleSoft project, information security and Year 2000 work were areas of prime involvement. Overall, the year can be characterized as one of learning and change.
MAJOR ACCOMPLISHMENTS DURING 1998/99
1) PeopleSoft Project
As expected, the PeopleSoft project continued to consume many resources across the University community, including those of Internal Audit during 1998/99. Major project milestones included:
Internal Audit's role in the PeopleSoft project focused on the evaluation of controls, security and audit trails to ensure data is processed accurately, completely and efficiently. The following principles are used when developing audit plans for each module.
Audit plans are divided into the areas of system testing, conversion and business processes for each of the modules within PeopleSoft. The objectives and audit approach for each area are outlined below.
A) System Testing
Objectives: To ensure a comprehensive test of the entire system covering both automated and manual procedures are completed. System testing includes integrated, parallel, volume and interface testing.
Approach: Understand the testing process employed by the implementation teams. Review test plans and results of key data testing.
Objectives: To ensure data is converted completely and accurately at conversion dates and that no errors are introduced as a result of the conversion. Data include existing data and data created for the system.
Approach: Understand the conversion procedures employed by the implementation teams. Perform specific testing or review testing to ensure that the transfer of information was complete and accurate, and that no cutoff errors occurred.
C) Business Processes
Objectives: Identify and evaluate the effectiveness of controls within the system (either automated or manual controls) that would prevent an error from occurring or detect an error should it occur.
Approach: Understand and document the flow of significant transactions through the system. Evaluate the controls that prevent an error from either occurring or being undetected. Participate in training to develop an understanding of business processes. Internal audit work is completed after the system has been implemented and is stabilized.
The following highlights PeopleSoft internal audit work completed during 1998/99 and plans for 1999/2000.
a) A review of Human Resource business processes as they relate to the PeopleSoft project implementation was completed. Automated and manual controls are working well to ensure payroll transactions are processed accurately. An evaluation to streamline the pay process for work/study students will be completed by the Fall 1999.
b) 1999/2000 Plans - develop audit plans for the upgrade to version 7.5.
a) System testing and conversion reviews were completed for the General Ledger, Purchasing and Accounts Payable, and Accounts Receivable/Billing modules. For all modules, (i) the testing was adequate and (ii) conversions were complete and accurate.
b) 1999/2000 Plans - Business process risks and controls will be reviewed for the Financial modules.
a) The conversion of graduate student data was reviewed. Twenty-six students who have taken approximately 740 courses from September 1988 to December 1998 have been reviewed in detail. No errors in conversion were found. An evaluation to determine the extent of testing needs to be completed.
b) 1999/2000 Plans - Conversion testing for undergraduate students will be completed. Business process risks and controls will be reviewed.
a) System testing processes followed by the implementation team were reviewed and found to be adequate. Conversion processes were also reviewed and the testing will be completed in the early summer.
b) 1999/2000 Plans - The project will be evaluated during the year for audit involvement.
a) As reported at the January 1999 Audit Committee meeting, a general infor mation security controls audit was completed. Follow-up to the audit will occur during 1999/2000.
b) Access controls to the Human Resource module were reviewed and found to be adequate. During 1999/2000, access controls to the Financials and Student Administration modules will be reviewed.
In March 1999, the PeopleSoft Resource Group was formed as a collaborative effort among the administrative units to assist in maintaining and developing the PeopleSoft modules. Internal audit will work with the Group during 1999/2000 to incorporate an audit methodology into the system upgrade process.
2) The Year 2000 (Y2K)
Activities relating to the Year 2000 centred on system compliance and conversion, contingency planning and legal issues. Risks associated with Y2K include:
Addressing the Y2K issues within an organization that is as diverse and large as the University is a challenge. There is no 100% Y2K failure-safe solution. However to reduce risk, each organization has a responsibility to reduce the risk of failure. At the University, several initiatives have been undertaken during 1998/99 to reduce the risks. These include:
a) Technology Risks
In addition, the Assistant Director of ITS and the Chair of the Y2K Contingency Planning Committee will meet with Deans and Budget Unit Heads individually to discuss compliance issues and contingency planning. Units will also be asked to state their degree of compliance by July 30, 1999.
b) Business Interruptions
c) Legal Issues
Through these activities, it appears the University is managing Y2K risks. However, these activities must continue for the remainder of 1999 and need to be monitored. Internal Audit will continue to monitor the progress during this period.
3) Campus Computer Security Subcommittee (CCSS)
Internal Audit is a member of CCSS, which is a subcommittee of the Senate Committee on Information Technology Services (SCITS). The committee was formed to provide advice to SCITS on computer and network security issues, to develop and recommend computer security-related policies, and to educate the campus community on computer security issues and policies.
During 1998/99, CCSS discussed information security issues facing the University. A report outlining specific recommendations to improve the information security infrastructure will be discussed at SCITS in June.
4) Legislation Affecting the University
In 1992, a list of legislation affecting the University=s operations was completed and reviewed to identify areas where Board member/officer liability was high. A project to update this list was initiated in 1997/98. The project should be completed during the summer 1999, as a summer student has been hired to complete the review.
5) Special and Mandatory Audits
Work in this area was limited to two investigations of travel policy compliance. One investigation concluded with an employee returning approximately $1,300 to the University. The other review did not find any compliance issues.
6) External Audit Assistance
Internal Audit provides assistance to Ernst & Young on the audit of enrolment and year-end inventory counts. Work completed by Internal Audit on year-end files prior to 1996, is now done by Ernst & Young at a cost of $15,000. Additional corporate audit fees paid in 1998/99 included $16,000 for the Human Resource system conversion and $1,025 for tax advice.
7) Professional Development
Professional development included training in PeopleSoft Query reporting and PeopleSoft Security.
WORK PLAN for 1999/2000
The 1999/2000 work plan is proposed (an allocation of time is presented in Schedule 1) based on the following assumptions:
a) No change in internal audit resources.
b) PeopleSoft continues to be a high risk project for the University.
c) Audit Committee and Senior Administration interests in risks facing the university.
1) Systems Audits
a) PeopleSoft - As indicated earlier in the report, work on PeopleSoft projects will continue, but not at the same level as in 1998/99. This is because most of the major implementations have been completed.
b) Year 2000 - As indicated, Internal Audit will continue monitoring progress for the remainder of 1999.
c) Campus Community Security Subcommittee - Work will continue.
2) Special and Mandatory Audits
It is anticipated that projects will be taken on if time permits.
3) Audit Committee
Audit Committee members have expressed an interest in identifying risk areas to the University. In 1992, after identifying areas where Board member/officer liability was high, an indemnification clause covering Governors and Officers was enacted. It is proposed to review this clause to determine if the coverage is adequate or if there are any exclusions. This will be done at the completion of the Legislative review.
4) External Audit Assistance
Additional time will be required to assess the audit of enrolment process for 1999/2000.
5) Risk Identification and Management (R.I.M.) Group
The U.W.O. Internal Audit objective is to assist management in the discharge of its responsibilities by providing objective analysis, appraisals, recommendations and comments concerning the activities reviewed. To attain this objective the Internal Audit Department:
The internal audit function is not responsible for determining and reporting on issues related to the level of efficiency of University operations. If during a review a situation is determined to be resulting in the inefficient expenditure of resources, that situation will be reported.
Prior to May 1996, internal audit work consisted of policy compliance reviews, basic control reviews, process reviews, system development reviews and special projects/investigations. The work plan was developed considering the following factors:
After May 1996, Internal Audit work focused primarily on the PeopleSoft implementation for two reasons: a) the magnitude of the project combined with the impact on the University made it a high risk project, and b) the department size of one person made it difficult to address other risk areas.
However, the future internal audit strategy requires review due to several factors:
1. Audit Committee discomfort with all resources being used in the PeopleSoft project, meaning no review of the risk assessment model has been done. Therefore Audit Committee members do not know what high risk areas are not being covered.
2. The PeopleSoft project will change during 1999 - 2000. All modules will be implemented by August 1999 and the systems will move to a production status. Likely less Internal Audit resources will be required in the systems area.
3. Changes in the internal audit profession that emphasize a proactive approach.
A vision of the future internal audit function includes the following elements:
If internal audit focuses on the future and risks, the audit is more likely to address the full range of issues that concern management. Instead of identifying and testing controls, internal audit will identify risks and test the ways management mitigates those risks. Communicating and educating people about risks and controls, creates an awareness of issues that may not have been overtly addressed in the past. The result is stronger systems and controls. In addition, a cooperative approach creates communication channels that result in improvements for both units and audit processes.
The creation of the R.I.M. Group will improve the risk management process at the University. By implementing a framework to assess risk, existing and future risk projects can be identified. Those projects can then be reviewed to determine how risks are mitigated. While internal audit brings knowledge of existing risks and controls to the group, the advantage is that those risks will not be considered in isolation.
What Needs to be Done
Over the next six months, Internal Audit would like to:
It is proposed that a progress report be made at the next Audit Committee meeting with respect to the R.I.M. Group and Internal Audit strategy.
Please accept this as the report on 1998/99 audit activity and proposed work plan for 1999/2000.
May 1, 1999
Board of Governors APPENDIX III
THE UNIVERSITY OF WESTERN ONTARIO
INTERNAL AUDIT WORK PLAN
% OF TIME
% OF TIME
% OF TIME
|Special & Mandatory Audits||
|External Audit Assistance||