Board of Governors, June 28, 2000 - APPENDIX III, Annex 1

REPORT OF THE INTERNAL AUDIT FUNCTION FOR THE YEAR ENDED APRIL 30, 2000

AND WORK PLAN FOR THE YEAR 2000-2001

INTRODUCTION

During 1999/2000, as in the past years, most internal audit work was concentrated in the information systems area. The PeopleSoft Financials and Higher Education projects, information security and Year 2000 work were areas of prime involvement.

MAJOR ACCOMPLISHMENTS DURING 1999/2000

1) PeopleSoft Project

Major project milestones included:

Internal Audit's role in the PeopleSoft project focused on the evaluation of controls, security and audit trails to ensure data is processed accurately, completely and efficiently. The following principles are used when developing audit plans for each module.

Audit plans are divided into the areas of system testing, conversion and business processes for each of the modules within PeopleSoft. The objectives and audit approach for each area are outlined below.

A) System Testing

Objectives: To ensure a comprehensive test of the entire system covering both automated and manual procedures are completed. System testing includes integrated, parallel, volume and interface testing.

Approach: Understand the testing process employed by the implementation teams. Review test plans and results of key data testing.

B) Conversion

Objectives: To ensure data is converted completely and accurately at conversion dates and that no errors are introduced as a result of the conversion. Data include existing data and data created for the system.

Approach: Understand the conversion procedures employed by the implementation teams. Perform specific testing or review testing to ensure that the transfer of information was complete and accurate, and that no cutoff errors occurred.

C) Business Processes

Objectives: Identify and evaluate the effectiveness of controls within the system (either automated or manual controls) that would prevent an error from occurring or detect an error should it occur.

Approach: Understand and document the flow of significant transactions through the system. Evaluate the controls that prevent an error from either occurring or being undetected. Participate in training to develop an understanding of business processes. Internal audit work is completed after the system has been implemented and is stabilized.

The following highlights PeopleSoft internal audit work completed during 1999/2000 and plans for 2000/2001.

2) The Year 2000 (Y2K)

During 1999, Internal Audit monitored activities in support of the University managing its Y2K risks. Overall, the University had a very smooth transition into the Year 2000, as a testament to the large amount of planning and preparation that was undertaken. The Division of Information Technology Services recorded the following two minor application issues:

A work tracking system for Physical Plant had a problem that prevented a type of work order from being displayed for a short period of time. No data was lost or damaged.

An e-mail to Web posting program did not operate and required an upgrade. This was rectified within a short period of time and did not interrupt business operations.

3) Subcommittee on Information Security (SUIS)

Internal Audit is a member of SUIS, which is a subcommittee of the Senate Committee on Information Technology Services (SCITS). SUIS was previously known as the Campus Computer Security Subcommittee (CCSS). In June 1999, CCSS presented recommendations to improve the University's information security infrastructure to SCITS for approval. All recommendations were approved and included:

Expanding CCSS to extend its representation and expertise. The committee's mandate would change to be more action-oriented and consultative, taking on the mandate to design, develop, monitor, educate and report on security issues on behalf of the University. The committee would change to a standing committee from an ad hoc committee, and the name would change to Subcommittee on Information Security.

Develop an overall information security strategy for the University, beginning with an overall security self-assessment and the development of a proposed security policy framework.

Reviewing the existing Code of Behaviour for the Use of Computing Resources and Corporate Data on a regular basis.

Developing and implementing standards and guidelines for the use and security of computing resources and corporate data.

Implementing security monitoring and reporting processes.

Developing security awareness and education programs.

During the 1999/2000, Internal Audit chaired this committee. Currently, the security self-assessment is being completed and the results are expected to be presented to SCITS in the fall.

4) Legislation Affecting the University

In 1992, a list of legislation affecting the University=s operations was completed and reviewed to identify areas where Board member/officer liability was high. A project to update this list was initiated in 1997/98. The project is currently in the final stages of completion.

5) Special and Mandatory Audits

Work in this area was limited to assisting the Registrar's Office with a financial review and investigating an employee's compensation relating to project work. The employee has subsequently left the University.

6) External Audit Assistance

Internal Audit provides assistance to Ernst & Young on the year-end inventory counts at the Book Store, audit of enrolment, ATOP enrolment, and system conversions. Additional corporate audit fees paid in 1999/2000 included $26,500 for the Finance system conversion and $9,800 for tax advice. A budget of $35,000 has been set aside for special audit fees for 2000/2001, of which $22,000 is allocated for the Student Administration conversion.

7) Risk Identification and Management Group (RIM) Group

In the 1998-1999 Annual Report, an outline of changes to the Internal Audit function and the creation of the RIM Group was presented. In summary, both functions focus on risk. The RIM Group would implement a framework to identify and assess the risk of existing and future projects; Internal Audit would develop a strategy that works in conjunction with RIM to identify risks and test how management has mitigated those risks. A plan to develop both functions included:

Development of a framework to assess risk.

Selection of a pilot project to test the framework.

Develop an Internal Audit strategy.

Develop an audit plan based on the framework and strategy.

During 1999/2000, work relating to the RIM Group and Internal Audit strategy did not progress as was anticipated. This was due primarily to more work being required in the systems area, than was planned. A framework to assess risk was developed and a potential pilot project has been identified. However, no work was done on the Internal Audit strategy. Plans for 2000/2001 will be outlined below.

8) Professional Development

Professional development included an Operational Risk Management conference and the achievement of receiving the professional designation of Certified Information Systems Auditor. In addition, the internal auditor received the Silver Medal from the Toronto Chapter.

WORK PLAN for 2000/2001

The 2000/2001 work plan is proposed (an allocation of time is presented in Schedule 1) based on the following assumptions:

a) No change in internal audit resources.

b) Audit Committee and Senior Administration interests in risks facing the university.

1) Systems Audits

a) PeopleSoft - As indicated earlier in the report, work on PeopleSoft projects will continue, primarily in the Higher Education modules.

b) Subcommittee on Information Security - Work will continue.

2) Special and Mandatory Audits

It is anticipated that projects will be taken on if time permits.

3) External Audit Assistance

Additional time will be required to complete the audit of enrolment for fiscal 2000 due to changes in the system. More time is also required to co-ordinate the government-required audits of OSAP and ATOP.

4) Internal Audit Reviews

The Senior Director, Human Resources has requested a payroll audit with the objectives:

Understand and evaluate business processes and related business controls.

Validate process performance measures and business controls.

Identify any problem areas and propose solutions.

Make recommendations to improve business process performance.

5) Risk Identification and Management (R.I.M.) Group

As indicated earlier in the report, work did not progress as far as anticipated in 1999/2000. Therefore, during 2000/2001, it is proposed that this work continue. This includes the completion and testing of the risk assessment framework, and the development of an Internal Audit strategy and plan. Given the projects that must be completed in support of the fiscal year end and the Payroll audit, it would be reasonable to expect a more detailed plan by January 2001.

Please accept this as the report on 1999/2000 audit activity and proposed work plan for 2000/2001.

Sharon Farnell
Internal Audit

May 2000


Board of Governors, APPENDIX III, Annex 1

Schedule 1

THE UNIVERSITY OF WESTERN ONTARIO

INTERNAL AUDIT WORK PLAN



2000/2001 PROPOSED

% OF TIME

1999/2000 ACTUAL

% OF TIME

1999/2000 PROPOSED

% OF TIME

Internal Audit Reviews and R.I.M. Group

35

9 25
Systems Audits

30

59 43
External Audit Assistance

15

12 9
Special & Mandatory Audits

5

3 5
Audit Committee

5

7 8
Professional Development

5

4 5
Administration

5

6

5

Total

100

100 100