The Board of Visitors’ Audit, Compliance and Risk Committee discussed the mid-year audit report and the Audit and Management report in a meeting Thursday. The Committee also received a financial summary from Chief Financial Officer Augie Maurelli.
The Committee reported positive growth in the University’s net position, or the sum of its assets minus liabilities, with a current value of $12.5 billion in net position. Additionally, there was a growth in current assets to roughly $80 million, as well as a $53.9 million increase in current liabilities.
“That's a great situation to be in,” Maurelli said.
David Rasnic, director of higher education programs for the Virginia auditor of public accounts, presented the results of the Audit and Management report from the current fiscal year.
The Committee completed seven audits and two investigations. Organizations that were audited included U.Va. Health Third Party Risk Management, Threat and Vulnerability Management in the Academic Division and the McIntire School of Commerce. Each had at least one control, a term for risk-management procedures in place across the University, that did not meet the objectives or required the development of a management plan to address an identified issue.
Two of the seven audits saw controls that did not meet their designated objective, with the U.Va. Health Third Party Risk Management having two controls failing to meet objectives. Overall, the group met four of the 15 controls completely and nine of the controls were met partially.
Based on the audits, the Committee reported that the University's health management lacks a complete policy to manage third-party risks. Additionally, Health Information Technology has not conducted formal risk assessments for its existing vendors and Management does not have a central third-party inventory to collect key information and analyze it.
After analysis of the audit, Rasnic said that the audit team concluded that organizations need to have an understanding of the standards before an audit is completed. He gave some advice for what should be done.
“Just making sure you're researching the standards and what needs to be done in those situations instead of relying sometimes on us,” Rasnic said.
Threat and Vulnerability Management also failed to meet an objective with one of its controls. Based on the report the Committee concluded that the department must move to address these vulnerabilities, and ITS should consistently follow up on progress. In addition, the report recommended that future risk assessments should occur regularly.
“First is you know, just having a checklist of deliverables, right, you know, like having an analytical review looking for unusual or unexpected financial activity and balances,” Rasnic said.
Additionally, the Committee discussed progress on compliance goals for the 2023 fiscal year. SafeGrounds reporting has continued to enhance incident management capabilities and the University has obtained funding to hire a Director of Privacy Programs. The Committee also considered Medical Center Compliance Goals.
Of all ongoing audits for the current fiscal year involving 35 departments for the University, four of which have been completed, eight in progress and 18 to be started.
The Committee again discussed compliance goals for the 2023 fiscal year. SafeGrounds, an information management system that compiles incidents on Grounds into a database, has continued to be enhanced. Additionally, the Committee announced that funding and a job posting have been provided for a Director of Privacy Programs, who will be tasked with ensuring that the University creates and adheres to strong information privacy guidelines. The Committee also considered Medical Center Compliance Goals and identified the need to have a dedicated auditor to examine compliance with all regulatory requirements.
The Committee will meet again when the Board convenes in February.