Board of Governors, June 24, 1999 - APPENDIX III, Annex 1



During 1998/99, most internal audit work was concentrated in the information systems area. The PeopleSoft project, information security and Year 2000 work were areas of prime involvement. Overall, the year can be characterized as one of learning and change.


1) PeopleSoft Project

As expected, the PeopleSoft project continued to consume many resources across the University community, including those of Internal Audit during 1998/99. Major project milestones included:

Internal Audit's role in the PeopleSoft project focused on the evaluation of controls, security and audit trails to ensure data is processed accurately, completely and efficiently. The following principles are used when developing audit plans for each module.

Audit plans are divided into the areas of system testing, conversion and business processes for each of the modules within PeopleSoft. The objectives and audit approach for each area are outlined below.

A) System Testing

Objectives: To ensure a comprehensive test of the entire system covering both automated and manual procedures are completed. System testing includes integrated, parallel, volume and interface testing.

Approach: Understand the testing process employed by the implementation teams. Review test plans and results of key data testing.

B) Conversion

Objectives: To ensure data is converted completely and accurately at conversion dates and that no errors are introduced as a result of the conversion. Data include existing data and data created for the system.

Approach: Understand the conversion procedures employed by the implementation teams. Perform specific testing or review testing to ensure that the transfer of information was complete and accurate, and that no cutoff errors occurred.

C) Business Processes

Objectives: Identify and evaluate the effectiveness of controls within the system (either automated or manual controls) that would prevent an error from occurring or detect an error should it occur.

Approach: Understand and document the flow of significant transactions through the system. Evaluate the controls that prevent an error from either occurring or being undetected. Participate in training to develop an understanding of business processes. Internal audit work is completed after the system has been implemented and is stabilized.

The following highlights PeopleSoft internal audit work completed during 1998/99 and plans for 1999/2000.

2) The Year 2000 (Y2K)

Activities relating to the Year 2000 centred on system compliance and conversion, contingency planning and legal issues. Risks associated with Y2K include:

Addressing the Y2K issues within an organization that is as diverse and large as the University is a challenge. There is no 100% Y2K failure-safe solution. However to reduce risk, each organization has a responsibility to reduce the risk of failure. At the University, several initiatives have been undertaken during 1998/99 to reduce the risks. These include:

a) Technology Risks

In addition, the Assistant Director of ITS and the Chair of the Y2K Contingency Planning Committee will meet with Deans and Budget Unit Heads individually to discuss compliance issues and contingency planning. Units will also be asked to state their degree of compliance by July 30, 1999.

b) Business Interruptions

c) Legal Issues

Through these activities, it appears the University is managing Y2K risks. However, these activities must continue for the remainder of 1999 and need to be monitored. Internal Audit will continue to monitor the progress during this period.

3) Campus Computer Security Subcommittee (CCSS)

Internal Audit is a member of CCSS, which is a subcommittee of the Senate Committee on Information Technology Services (SCITS). The committee was formed to provide advice to SCITS on computer and network security issues, to develop and recommend computer security-related policies, and to educate the campus community on computer security issues and policies.

During 1998/99, CCSS discussed information security issues facing the University. A report outlining specific recommendations to improve the information security infrastructure will be discussed at SCITS in June.

4) Legislation Affecting the University

In 1992, a list of legislation affecting the University=s operations was completed and reviewed to identify areas where Board member/officer liability was high. A project to update this list was initiated in 1997/98. The project should be completed during the summer 1999, as a summer student has been hired to complete the review.

5) Special and Mandatory Audits

Work in this area was limited to two investigations of travel policy compliance. One investigation concluded with an employee returning approximately $1,300 to the University. The other review did not find any compliance issues.

6) External Audit Assistance

Internal Audit provides assistance to Ernst & Young on the audit of enrolment and year-end inventory counts. Work completed by Internal Audit on year-end files prior to 1996, is now done by Ernst & Young at a cost of $15,000. Additional corporate audit fees paid in 1998/99 included $16,000 for the Human Resource system conversion and $1,025 for tax advice.

7) Professional Development

Professional development included training in PeopleSoft Query reporting and PeopleSoft Security.

WORK PLAN for 1999/2000

The 1999/2000 work plan is proposed (an allocation of time is presented in Schedule 1) based on the following assumptions:

a) No change in internal audit resources.

b) PeopleSoft continues to be a high risk project for the University.

c) Audit Committee and Senior Administration interests in risks facing the university.

1) Systems Audits

a) PeopleSoft - As indicated earlier in the report, work on PeopleSoft projects will continue, but not at the same level as in 1998/99. This is because most of the major implementations have been completed.

b) Year 2000 - As indicated, Internal Audit will continue monitoring progress for the remainder of 1999.

c) Campus Community Security Subcommittee - Work will continue.

2) Special and Mandatory Audits

It is anticipated that projects will be taken on if time permits.

3) Audit Committee

Audit Committee members have expressed an interest in identifying risk areas to the University. In 1992, after identifying areas where Board member/officer liability was high, an indemnification clause covering Governors and Officers was enacted. It is proposed to review this clause to determine if the coverage is adequate or if there are any exclusions. This will be done at the completion of the Legislative review.

4) External Audit Assistance

Additional time will be required to assess the audit of enrolment process for 1999/2000.

5) Risk Identification and Management (R.I.M.) Group

The U.W.O. Internal Audit objective is to assist management in the discharge of its responsibilities by providing objective analysis, appraisals, recommendations and comments concerning the activities reviewed. To attain this objective the Internal Audit Department:

The internal audit function is not responsible for determining and reporting on issues related to the level of efficiency of University operations. If during a review a situation is determined to be resulting in the inefficient expenditure of resources, that situation will be reported.

Audit Strategy

Prior to May 1996, internal audit work consisted of policy compliance reviews, basic control reviews, process reviews, system development reviews and special projects/investigations. The work plan was developed considering the following factors:

After May 1996, Internal Audit work focused primarily on the PeopleSoft implementation for two reasons: a) the magnitude of the project combined with the impact on the University made it a high risk project, and b) the department size of one person made it difficult to address other risk areas.

However, the future internal audit strategy requires review due to several factors:

1. Audit Committee discomfort with all resources being used in the PeopleSoft project, meaning no review of the risk assessment model has been done. Therefore Audit Committee members do not know what high risk areas are not being covered.

2. The PeopleSoft project will change during 1999 - 2000. All modules will be implemented by August 1999 and the systems will move to a production status. Likely less Internal Audit resources will be required in the systems area.

3. Changes in the internal audit profession that emphasize a proactive approach.

A vision of the future internal audit function includes the following elements:

If internal audit focuses on the future and risks, the audit is more likely to address the full range of issues that concern management. Instead of identifying and testing controls, internal audit will identify risks and test the ways management mitigates those risks. Communicating and educating people about risks and controls, creates an awareness of issues that may not have been overtly addressed in the past. The result is stronger systems and controls. In addition, a cooperative approach creates communication channels that result in improvements for both units and audit processes.

The creation of the R.I.M. Group will improve the risk management process at the University. By implementing a framework to assess risk, existing and future risk projects can be identified. Those projects can then be reviewed to determine how risks are mitigated. While internal audit brings knowledge of existing risks and controls to the group, the advantage is that those risks will not be considered in isolation.

What Needs to be Done

Over the next six months, Internal Audit would like to:

  1. Coordinate the R.I.M. Group. Identify known risk areas to the University. Develop a framework to assess risk.

  2. Select a pilot project to test the framework.

  3. Develop an Internal Audit strategy. The strategy must work in conjunction with the R.I.M. Group. The strategy must be realistic and take into consideration available internal audit resources. In essence the question - Does what we can do equal what we need to do? An audit strategy not based on organizational needs will be difficult to implement. What needs to be done will include work driven by high risk (unit or process reviews), information systems changes, information security and special work. What can be done is limited by the Internal Audit resources. The strategy must address:

    • Technology - Identify areas where technology can be used to increase audit coverage.

  4. Develop an audit plan. With an audit strategy in place, an audit plan can be developed.

It is proposed that a progress report be made at the next Audit Committee meeting with respect to the R.I.M. Group and Internal Audit strategy.

Please accept this as the report on 1998/99 audit activity and proposed work plan for 1999/2000.

Sharon Farnell
Internal Audit

May 1, 1999

Board of Governors APPENDIX III

Annex 1

Schedule 1



1999/2000 PROPOSED


1998/99 ACTUAL


1998/99 PROPOSED


Systems Audits


76 67
Special & Mandatory Audits


3 8
Audit Committee


6 8
External Audit Assistance


6 9
Professional Development


4 5


5 5
R.I.M. Group






100 100