The Board of Visitors’ Audit, Compliance and Risk Committee reviewed the University’s internal risk management systems Thursday, flagging a series of audit and compliance concerns. Written reports submitted by the Office of Audit and Compliance to the committee outlined high-risk findings in student services, information technology, parking operations and payroll administration at U.Va. Health.
The meeting opened with a discussion of the Agency Risk Management and Internal Control Standards — a state-required system the University uses to monitor financial risk and internal controls, meaning the processes designed to prevent errors and mismanagement.
Augie Maurelli, vice president for finance and chief financial officer, gave a presentation on ARMICS to the Committee and said the system is intended to ensure accountability across the University’s financial operations.
“The objective of ARMICS is to make sure that everyone in this room, as well as everyone in the Commonwealth, has reasonable assurance on the integrity of all our financial processes, our financial activities and ultimately that [we] will be appropriate stewards of our resources,” Maurelli said.
According to the presentation, the system is a way to track risks, test safeguards and ensure compliance with state regulations across the University. As part of that system, the Board oversees risk management, while University President Scott Beardsley is responsible for certifying that the University meets reporting requirements.
The University’s internal audit work is conducted by the Office of Audit and Compliance, which is responsible for reviewing operations across the University and identifying risks, control failures and areas for improvement. Those findings are then presented to the Board’s Audit, Compliance and Risk Committee, which provides oversight but does not conduct the audits itself.
Maurelli also said the University is increasingly using automation and artificial intelligence to monitor spending and strengthen financial oversight.
“Monitoring is a large part of what we do from a fiscal stewardship perspective,” Maurelli said. “Being in a modern platform, we have the luxury of not only integrating a lot of what we do and automating it, but leadership is constantly asking what type of AI opportunities there are.”
He added that the University has begun incorporating AI tools into areas such as expense reporting, employee credit card use and separation-of-duties monitoring to strengthen internal controls.
Maurelli also contextualized the ARMICS system within the scale of the University’s operations, citing a $6.4 billion fiscal year 2026 operating budget, over 33,000 employees and oversight of three state entities — the Academic Division, the Medical Center and the College at Wise.
Beyond that overview, the most detailed material available to the committee came from the written audit reports, which summarized work completed by the Office of Audit and Compliance between November 2025 and March 2026. The committee did not directly discuss the findings of these reports in open session. Members asked that questions regarding matters in the reports be raised during closed session.
Board Member Owen D. Griffin Jr., who chairs the committee, highlighted the importance of the written audit reports, noting that they identify ongoing issues that could pose future risks for the University.
“With respect to the written reports that were submitted, I would encourage everybody to read those,” Griffin said. “It identifies a number of areas of the status report on the internal controls, and [we have] some issues and today's internal control observations could represent tomorrow's headlines or issues that we have to grapple with, so it's important for us to stay on top of those [issues].”
In audit terms, a “control” refers to a process, policy or safeguard — such as approvals, oversight or system-based monitoring — designed to prevent errors, fraud or mismanagement.
The reports show a mix of functioning controls — meaning processes working as intended — and significant deficiencies, or areas where processes are not working as intended or do not meet required standards, with audit findings categorized by severity.
According to the written report, a Priority 1 finding reflects a control or process failure serious enough to provide “minimal or no assurance that institutional objectives will be achieved,” while a Priority 2 finding indicates a deficiency that hinders operations and requires timely correction. In information technology audits, “does not meet” indicates a control is either missing or ineffective, while “partially meets” indicates only some standards are satisfied.
The report also shows that audit findings are tracked through management action plans, which include deadlines for resolution and updates on their status.
Across fiscal year 2026 audits to date, the Office of Audit and Compliance reported three Priority 1 findings, 14 “Does Not Meet” IT findings and 30 Priority 2 findings. Another 97 areas were categorized as working controls.
One of the findings involved military-affiliated students. The audit identified both a Priority 1 and Priority 2 issue in the University’s processing of military education benefits. According to the report, Darden enrollment changes for Fall 2025 were not uploaded to the Student Information System in a timely or complete manner, preventing compliance with the Department of Veterans Affairs’ 30-day reporting requirement.
The audit also found that the University’s Military Education Benefits Request form did not meet data collection requirements mandated by the Commonwealth and did not have required consent language allowing student information to be released to the Department of Veterans Affairs.
Several audits also identified issues related to information technology and data security. A review of the University’s network security found that only two of seven evaluated controls fully met their objectives, while others only partially met control objectives or required improvement. A separate audit of IT systems within the College of Arts and Sciences found nine controls that did not meet required control objectives and two that only partially met them, though detailed findings were not publicly disclosed due to security concerns.
Operational issues extended beyond IT. An audit of Parking Services identified six observations related to financial oversight, vendor management and infrastructure planning. Among the concerns listed were the University’s inability to verify whether reserve funds — money set aside for future facility maintenance and expenses — were sufficient over a multi-year period, and outdated or missing service agreements.
At U.Va. Health, auditors identified additional issues in both technology and payroll systems. An audit of Epic Clinical Data Security — data security software delivered through HIPAA-compliant infrastructure — found one control that did not meet required standards, though details were withheld due to the sensitivity of the systems involved.
An audit of timekeeping and payroll practices identified one Priority 1 and two Priority 2 findings. According to the report, some employees remained on temporary “acting pay” beyond the one-year limit allowed under Medical Center policy, and Human Resources lacked documentation justifying the extended pay. The audit also found that employees used unauthorized methods to clock in remotely and that some staff used mobile timekeeping applications outside established policy.
In addition to identifying new issues, the reports highlighted a pattern of delayed corrective actions for previously identified problems. Audit findings are typically assigned deadlines for correction, but several remain unresolved years after their original deadlines.
One such issue, first identified in a 2019 audit related to research financial oversight, involves the University’s failure to implement a policy for managing leftover funds from fixed-fee research contracts, as well as a lack of consistent monitoring of those balances. Two corrective actions tied to that issue remained unresolved as of January. The report states that the Office of the Vice President for Research acknowledged the extended delay and accepted the risks associated with leaving the issue unresolved.
Another delayed item stems from a 2023 audit of Workday financial controls. The University has yet to implement a system for tracking incomplete or aging account certifications, with the projected completion date now pushed to January 2027 after multiple extensions.
Student housing and safety-related issues also remain unresolved. According to the report, two action items from a 2025 audit of residence life safety have not yet been implemented. These include developing procedures for retaining and deleting security camera footage and conducting safety assessments for all residence halls. While planning work has been completed, the report states that implementation has not yet begun.
A separate Academic Division Privacy Office status report from the Office of Audit and Compliance noted the February 6 resignation of Meredith Mays Espino, former director of privacy programs, and detailed plans to initiate a search for a replacement later in 2026. The report also described efforts to evaluate the University’s privacy practices against peer institutions and develop a multi-year strategy for strengthening data and risk management.
The Records and Information Management report submitted by the Office of Audit and Compliance highlighted operational updates, including the implementation of a new system used for legal discovery and public records requests. It also noted the unexpected January 9 death of University Records Officer Caroline Walters, who had led the program for 17 years, and plans to initiate a search for a successor.
Additionally, a U.Va. Health compliance and privacy program status report was submitted to the Committee and outlined the regulatory and operational risks facing the Medical Center, which operates under a complex set of federal and state healthcare regulations.
According to the report, U.Va. Health identified approximately 140 regulatory risks across the system and designated 40 as “Tier One” risks to prioritize. These high-priority risks are monitored by the Medical Center’s Corporate Compliance Steering Committee as part of an ongoing, year-over-year risk assessment process.
The U.Va. Health report also identified several of the Health System’s top enterprise risks, including potential decreases in Medicare and Medicaid funding, threats to the federal 340B drug pricing program, disruptions to care continuity, cybersecurity and ransomware threats, negative media coverage, risks to research funding and patient access to care.
The Committee concluded its open session and entered into closed session. According to the meeting agenda, the closed session included discussion of cybersecurity risks, sensitive information technology systems and a confidential legal matter.
The Audit, Compliance and Risk Committee is expected to reconvene in June alongside the regular meeting of the full Board.