The Board of Visitors’ Audit, Compliance and Risk Committee met in both open and closed sessions Friday. In open session, the Committee met to approve the University’s internal audit plans for the fiscal years 2026 and 2027 and hear remarks regarding the progress of the fiscal year 2025 auditing process and the use of artificial intelligence at the University. The board then transitioned into closed session.
The Committee oversees the University's internal and external auditors, reviews financial and operational risk mitigation strategies and assesses University compliance with state and national reporting requirements across the University's academic and medical divisions.
Chief Audit Executive Carolyn Saint — responsible for assessing the University’s financial reports and compliance strategies — began Friday’s open session by presenting the FY 2026 and 2027 internal audit plans.
Saint was accompanied by the Senior Auditor for U.Va. Health Ian Day to present the health system’s audit plans, as well as Philip Stavropoulos, director of academic division audits, to present audit plans regarding academic departments. Rishab Shetty, a business consulting manager at Ernst & Young LLP, also presented proposals for IT audits within both medical and academic divisions for FY 2026 and 2027.
According to Shetty, the audit team hopes to focus their evaluation on the University’s use of artificial intelligence tools within the academic division. Additionally, the team plans to ensure that these tools do not pose any risks to University security and privacy.
“With the increase in the use of data, artificial intelligence is not just a buzzword anymore,” Shetty said. “It's very important to assess what are the security protocols around it, from the perspective of data security … especially in a higher education environment.”
The audit team also presented a series of Enterprise Risk Management risk categories — types of financial or operational risks that may affect the University’s departments — and then elaborated on the strategies that the audit team plans to implement to investigate these risks. According to Saint, the audit plan works to balance relevant risks with the available resources and personnel of the evaluation team.
“The plan is aligned to enterprise risks and our available resources. Our many stakeholders have had input and reviewed the plan over the course of its development,” Saint said.
Stavropoulos highlighted the ERM risk categories related to the University’s academic divisions and departments in the FY 2026 audit proposal presentation. Risk categories included compliance, IT security & governance, fiscal sustainability, operations and safety.
According to Stavropoulos, highlights within the proposal include compliance audits related to military-affiliated students as well as audits related to payroll certification processes for research positions. Regarding military-affiliated students, the audit team hopes to evaluate the processes for delivery of required benefits and services for these students. Additionally, the team hopes to assess the Payroll Allocation Confirmation system’s compliance with the federal government.
Day began the audit proposal presentation by highlighting eight ERM risk categories related to U.Va. Health systems to be assessed and evaluated in FY 2026. ERM risks include financial sustainability, security and safety across the health systems.
According to the Committee’s presentation, the audit topic related to the quality & patient safety ERM risk area relates to the “Be Safe” initiative. The initiative was undertaken by U.Va. Health to streamline the reporting process by allowing front-line employees to relay safety and quality issues in the workplace to upper-management. A deferred action-item from the FY 2025 audit proposal, the FY 2026 team hopes to analyze the initiative’s reporting processes and efficiency.
Within the health system section, Shetty’s team hopes to evaluate the security and data management of the system’s online electronic medical records system and assess the Ivy and Rio research environments’ compliance with Cybersecurity Maturity Model Certification standards. Regarding academic divisions, Shetty’s team hopes to evaluate the University’s Data Center management practices and assess network security and IT practices.
Though presenters did not articulate FY 2027 audit plans, their contents can be found in the Committee’s presentation. Following the audit proposals, Committee Chair Rachel Sheridan inquired if the audit team has the ability to investigate the ERM risks that they proposed, and Saint noted that the team hopes to experiment with the use of AI technology to potentially increase such internal controls. Sheridan was then granted a motion from the Board to approve the resolution of the FY 2026-2027 audit plan.
The Committee then moved into a review of the progress made on the FY 2025 audit reporting process. FY 2025 lasts July 1, 2024 through June 30, 2025. The FY 2025 audit reporting process began May 2025 and is expected to conclude December 2025. Augie Maurelli, the University’s vice president for finance and chief financial officer, accompanied David Rasnic, Virginia Auditor of Public Accounts’ project manager and director of higher education audits.
According to Rasnic, his team works to evaluate and ensure the University’s financial statements are in accordance with accepted practice, confirm that there are no materially misrepresented facts on the financial statements, assess consistency across all areas of the financial statements and that the University is mitigating significant risks
Rasnic’s team hopes to issue their report and opinion of the FY 2025 audit by December’s Board meeting. Rasnic noted that because the University is a part of the Commonwealth of Virginia, the University’s statements must also be included in the Commonwealth’s Single Audit Report — an annual financial report for the Commonwealth — in which results are due to the Commonwealth Dec. 15.
Following the conclusion of the remarks regarding the FY 2025 audit report, the Committee proceeded to a closed session. According to Vice Chair Porter Wilkinson, the closed session sought to discuss information about the operations of the Medical Center, the investment of public funds in an enterprise resource planning financial system and the receival of a legal briefing on University compliance matters.
The Committee will reconvene at the next Board meeting in September.
Read More
Board of Visitors hears presentations on viewpoint diversity and research funding
By Cecilia Mould | 4 hours agoThe Board also elected Rachel Sheridan as the next Rector and Porter Wilkinson as next Vice Rector.
Davis, Wetmore clash over 2025-26 budget in Finance Committee meeting
By Vyshnavi Tatta | 5 hours ago“I guess I'm wildly disappointed,” Davis said. “I think we have gone above and beyond to try to be incredibly transparent, to be incredibly fiscally responsive.
Committee on U.Va. Wise hears from faculty representative, discusses growth
By Grace Little | YesterdayWise offers the Year in Wise program in which in-state students on the U.Va. College of Arts and Sciences waitlist may enroll in Wise for one year and then transfer to University Grounds in Charlottesville to complete their degree.
