Board of Governors, June 28, 2000 - APPENDIX III, Annex 1
During 1999/2000, as in the past years, most internal audit work was concentrated in the information systems area. The PeopleSoft Financials and Higher Education projects, information security and Year 2000 work were areas of prime involvement.
MAJOR ACCOMPLISHMENTS DURING 1999/2000
1) PeopleSoft Project
Major project milestones included:
Internal Audit's role in the PeopleSoft project focused on the evaluation of controls, security and audit trails to ensure data is processed accurately, completely and efficiently. The following principles are used when developing audit plans for each module.
Audit plans are divided into the areas of system testing, conversion and business processes for each of the modules within PeopleSoft. The objectives and audit approach for each area are outlined below.
A) System Testing
Objectives: To ensure a comprehensive test of the entire system covering both automated and manual procedures are completed. System testing includes integrated, parallel, volume and interface testing.
Approach: Understand the testing process employed by the implementation teams. Review test plans and results of key data testing.
Objectives: To ensure data is converted completely and accurately at conversion dates and that no errors are introduced as a result of the conversion. Data include existing data and data created for the system.
Approach: Understand the conversion procedures employed by the implementation teams. Perform specific testing or review testing to ensure that the transfer of information was complete and accurate, and that no cutoff errors occurred.
C) Business Processes
Objectives: Identify and evaluate the effectiveness of controls within the system (either automated or manual controls) that would prevent an error from occurring or detect an error should it occur.
Approach: Understand and document the flow of significant transactions through the system. Evaluate the controls that prevent an error from either occurring or being undetected. Participate in training to develop an understanding of business processes. Internal audit work is completed after the system has been implemented and is stabilized.
The following highlights PeopleSoft internal audit work completed during 1999/2000 and plans for 2000/2001.
a) A review of business processes used in the General Ledger, Purchasing and Accounts Payable, and Accounts Receivable/Billing modules was completed. No major control issues were identified.
b) 2000/2001 Plans - During this year, the Financial modules will be upgraded to a new version. The audit impact will be determined.
a) The final conversion of student record data was reviewed. A comparison of record counts from the mainframe to PeopleSoft was completed. In addition, a review of individual academic records for approximately 120 students, who were registered as either undergraduates or graduates in 1998-1999 was completed. The conversion was accurate and complete.
For Student Financials, the conversion from the mainframe to PeopleSoft was completed accurately and completely. However, subsequent to the conversion, there was speculation that the General Ledger accounts did not reconcile to the Student Receivables because of problems identified in the student financials bank clearing account and the student refund cheque account. Financial Services reconciled the bank clearing account and the refund cheques were reconciled by Internal Audit. After these reconciliations, it was expected that the Student Receivables should reconcile to the General Ledger balance. However, this was not the case. Further analysis proved all transactions created within the Student Financials module are recorded in the General Ledger. At this point, an analysis is being done to determine if the transactions were recorded to the correct account. It is expected the analysis will be completed by the end of June.
In addition, the Student Financials module was delivered with a student receivables report that was not functional. The complexities of the student data base has resulted in difficulties trying to create a student receivables report. A report should be available by the beginning of June. Therefore it is unknown at this point, if there is an actual problem with recording transactions in the General Ledger, or if the problem resides with the creation of an accurate report. A plan is in place in the Registrar's Office, to develop a report and reconcile the Student Accounts Receivable.
b) 2000/2001 Plans - Ongoing follow-up to the student receivables reconciliation process will be done through the year. Business process risks and controls will also be reviewed during the summer.
a) Conversion testing for biographic and gift processing records were completed. Both record types were converted completely and accurately.
a) 2000/2001 Plans - Access controls to the Student Administration module will be reviewed. Follow-up to access controls in the Financials and Human Resources modules will be completed during the summer.
In March 1999, the PeopleSoft Resource Group was formed as a collaborative effort among the administrative units to assist in maintaining and developing the PeopleSoft modules. During 1999/2000, the group became operational. Internal audit will work with the Group during 2000/2001 to incorporate an audit methodology into the system upgrade process.
2) The Year 2000 (Y2K)
During 1999, Internal Audit monitored activities in support of the University managing its Y2K risks. Overall, the University had a very smooth transition into the Year 2000, as a testament to the large amount of planning and preparation that was undertaken. The Division of Information Technology Services recorded the following two minor application issues:
· A work tracking system for Physical Plant had a problem that prevented a type of work order from being displayed for a short period of time. No data was lost or damaged.
· An e-mail to Web posting program did not operate and required an upgrade. This was rectified within a short period of time and did not interrupt business operations.
3) Subcommittee on Information Security (SUIS)
Internal Audit is a member of SUIS, which is a subcommittee of the Senate Committee on Information Technology Services (SCITS). SUIS was previously known as the Campus Computer Security Subcommittee (CCSS). In June 1999, CCSS presented recommendations to improve the University's information security infrastructure to SCITS for approval. All recommendations were approved and included:
· Expanding CCSS to extend its representation and expertise. The committee's mandate would change to be more action-oriented and consultative, taking on the mandate to design, develop, monitor, educate and report on security issues on behalf of the University. The committee would change to a standing committee from an ad hoc committee, and the name would change to Subcommittee on Information Security.
· Develop an overall information security strategy for the University, beginning with an overall security self-assessment and the development of a proposed security policy framework.
· Reviewing the existing Code of Behaviour for the Use of Computing Resources and Corporate Data on a regular basis.
· Developing and implementing standards and guidelines for the use and security of computing resources and corporate data.
· Implementing security monitoring and reporting processes.
· Developing security awareness and education programs.
During the 1999/2000, Internal Audit chaired this committee. Currently, the security self-assessment is being completed and the results are expected to be presented to SCITS in the fall.
4) Legislation Affecting the University
In 1992, a list of legislation affecting the University=s operations was completed and reviewed to identify areas where Board member/officer liability was high. A project to update this list was initiated in 1997/98. The project is currently in the final stages of completion.
5) Special and Mandatory Audits
Work in this area was limited to assisting the Registrar's Office with a financial review and investigating an employee's compensation relating to project work. The employee has subsequently left the University.
6) External Audit Assistance
Internal Audit provides assistance to Ernst & Young on the year-end inventory counts at the Book Store, audit of enrolment, ATOP enrolment, and system conversions. Additional corporate audit fees paid in 1999/2000 included $26,500 for the Finance system conversion and $9,800 for tax advice. A budget of $35,000 has been set aside for special audit fees for 2000/2001, of which $22,000 is allocated for the Student Administration conversion.
7) Risk Identification and Management Group (RIM) Group
In the 1998-1999 Annual Report, an outline of changes to the Internal Audit function and the creation of the RIM Group was presented. In summary, both functions focus on risk. The RIM Group would implement a framework to identify and assess the risk of existing and future projects; Internal Audit would develop a strategy that works in conjunction with RIM to identify risks and test how management has mitigated those risks. A plan to develop both functions included:
· Development of a framework to assess risk.
· Selection of a pilot project to test the framework.
· Develop an Internal Audit strategy.
· Develop an audit plan based on the framework and strategy.
During 1999/2000, work relating to the RIM Group and Internal Audit strategy did not progress as was anticipated. This was due primarily to more work being required in the systems area, than was planned. A framework to assess risk was developed and a potential pilot project has been identified. However, no work was done on the Internal Audit strategy. Plans for 2000/2001 will be outlined below.
8) Professional Development
Professional development included an Operational Risk Management conference and the achievement of receiving the professional designation of Certified Information Systems Auditor. In addition, the internal auditor received the Silver Medal from the Toronto Chapter.
WORK PLAN for 2000/2001
The 2000/2001 work plan is proposed (an allocation of time is presented in Schedule 1) based on the following assumptions:
a) No change in internal audit resources.
b) Audit Committee and Senior Administration interests in risks facing the university.
1) Systems Audits
a) PeopleSoft - As indicated earlier in the report, work on PeopleSoft projects will continue, primarily in the Higher Education modules.
b) Subcommittee on Information Security - Work will continue.
2) Special and Mandatory Audits
It is anticipated that projects will be taken on if time permits.
3) External Audit Assistance
Additional time will be required to complete the audit of enrolment for fiscal 2000 due to changes in the system. More time is also required to co-ordinate the government-required audits of OSAP and ATOP.
4) Internal Audit Reviews
The Senior Director, Human Resources has requested a payroll audit with the objectives:
· Understand and evaluate business processes and related business controls.
· Validate process performance measures and business controls.
· Identify any problem areas and propose solutions.
· Make recommendations to improve business process performance.
5) Risk Identification and Management (R.I.M.) Group
As indicated earlier in the report, work did not progress as far as anticipated in 1999/2000. Therefore, during 2000/2001, it is proposed that this work continue. This includes the completion and testing of the risk assessment framework, and the development of an Internal Audit strategy and plan. Given the projects that must be completed in support of the fiscal year end and the Payroll audit, it would be reasonable to expect a more detailed plan by January 2001.
Please accept this as the report on 1999/2000 audit activity and proposed work plan for 2000/2001.
Board of Governors, APPENDIX III, Annex 1
THE UNIVERSITY OF WESTERN ONTARIO
INTERNAL AUDIT WORK PLAN
% OF TIME
% OF TIME
% OF TIME
|Internal Audit Reviews and R.I.M. Group||
|External Audit Assistance||
|Special & Mandatory Audits||