The Cavalier Daily
Serving the University Community Since 1890

Audit Committee approves University’s two-year, risk-based internal audit plan

The Auditor of Public Accounts’ Higher Education director also briefed the Committee on how the Commonwealth will conduct an annual review into University finances, with audit fieldwork set to begin July 1

Board Rector Carlos Brown spoke to the Board April 16.

The Board of Visitors’ Audit, Compliance and Risk Committee convened Friday morning to formally approve the framework for an internal, two-year audit into the academic and medical divisions’ legal and regulatory compliance.

David Rasnic, director of higher education programs for the Virginia Auditor of Public Accounts, also briefed Committee members and University leaders on what to expect from the Commonwealth’s annual audit into the University’s financial statements. The Committee also received written reports that detailed a number of control errors within U.Va. Health as a result of audits completed since the Committee last convened in April.

The Audit, Compliance and Risk Committee is responsible for overseeing audits of University divisions to mitigate reputational, financial, operational and strategic risks. The Committee also reviews the University’s governance framework for assessing and addressing such risks.

As its first order of business, the Committee unanimously approved a two-year internal audit plan to identify risks of noncompliance with regulatory and legal requirements in the academic and health divisions through 2028. Chief Audit Executive Carolyn Saint delivered a brief presentation on the plan’s scope and goals before it received the Committee’s approval.

Saint explained that the University’s Office of Audit and Compliance developed the plan in four stages — assessing risk areas, researching other universities’ audit plans as a point of reference, conducting interviews with University stakeholders such as the Office of the President and U.Va. Health’s leadership team and bringing the plan to the Audit, Compliance and Risk Committee for final review. Finally, Saint added that the office balances its goals for the audit plan with the realities of limited University resources — such as staff capacity, budget and time.

To highlight the “shape of the plan,” Saint described a number of audits that will take place within either division as the review progresses. 

The audits within the academic division include an annual review of University President Scott Beardsley’s and former University President Jim Ryan’s travel and entertainment expenses. It further includes a review of the two multi-year construction projects at the Center for the Arts and research data center at Fontaine Research Park. The Office will also evaluate “Workday access controls” — such as the current provisioning of responsibilities, purpose and oversight of different roles — for employees, sponsored accounts and contracted workers at the University.

Among the audits which the office will conduct within the Health system, Saint noted three. The first will assess how the Medical Center is responding to the increased usage of clinical artificial intelligence, which she said poses unique and significant risks in the healthcare profession.

“Clinical AI is one of the fastest evolving risk areas in healthcare,” Saint said. “The regulatory environment [for it] is still being written. The risks are inherently significant — potential for data misuse, privacy exposure and transparency to patients.”

Other U.Va. Health audits will assess physical access controls — rules governing where patients, guests and other individuals are permitted within certain U.Va. Health spaces and when, according to Saint. Saint also said that another audit will examine how U.Va. Health mitigates risks associated with third parties, which the health system often relies on to develop software and provide services for everyday operations.

Saint further noted that the Office is increasingly utilizing AI as part of the research phase for its audits to help “scour the internet” for best practices and relevant frameworks.

The Committee was also briefed on an external audit into the University’s finances for FY26, which began July 1, 2025. This audit is carried out annually by the Virginia Auditor of Public Accounts. Rasnic — who is directing the FY26 audit — presented to the Committee on what to expect from the process.

Rasnic said that the Commonwealth will audit the University’s “basic financial statements” like its income statements and cash flows. There are three main goals of the audit, according to Rasnic. The first goal is to assess whether the University reports this information in a manner consistent with the Governmental Accounting Standards Board — an independent and private organization that regulates accounting standards for government entities — and to assess the likelihood that the statements contain errors.

The second goal is to review the University’s financial information that is sent to the Commonwealth via the HE-10 report — a report completed by higher education institutions in the Commonwealth for the Commonwealth’s Annual Comprehensive Financial Report. The third goal of the external audit is to ensure some supplementary information, such as the medical center’s financial statements, seems fair and accurate “in relation” to the University’s financial report as a whole.

Notably, the GASB made an adjustment to its standards in 2024 — which went into effect this year — that will impact reporting rules. GASB 103 makes adjustments to the narrative explanation these entities provide of their financial statements by requiring several new components, including explicit analysis of why financial patterns change from one year to the next. It also attempts to reduce standardized and repetitive text, consolidates reporting requirements for receiving various unusual items into a single category and revises a number of definitions, among other changes. The University will be required to abide by GASB 103 in preparing its FY26 report.

Rasnic summarized the timeline of the audit, which will include more extensive on-the-ground fieldwork such as meetings with key stakeholders and a review of the University’s records until November. After November, the Office of the auditor will dedicate more time to substantiating the financial statements submitted by the University.

Rasnic also explained that since the University is a public institution of the Commonwealth, its finance reports are scrutinized further as part of the broader collection of the Commonwealth’s financial statements. He further stated that since the University is up for reaccreditation by the Southern Association of Colleges and Schools Commission on Colleges this year, the office of the Virginia Auditor will review its financial aid practices as a requirement of that process.

Augie Maurelli, University vice president and chief financial officer, noted that the University has a deadline of Sept. 29 to report its finances to the Virginia Auditor of Public Accounts, at which point any changes or additions it must make will be considered an “audit adjustment,” explicitly issued for the purpose of correcting a previous error.

After both presentations, the Committee moved into a closed session, where members discussed the University’s response to last month’s security breach that led to Canvas shutdowns at more than 9,000 schools worldwide. The shutdowns occurred after the criminal hacking group ShinyHunters allegedly accessed Canvas users’ names, email addresses, ID numbers and private messages in an attempt to extort Instructure — Canvas’ parent company. 

In closed session, members revisited two matters from the Committee’s previous meeting in April. They discussed the implementation of an IT program at the University, and sought legal advice from the Office of the University Counsel on an undisclosed “confidential matter,” according to the meeting book.

During Friday’s meeting, Committee members were further presented with two written comprehensive status reports. The first was a report submitted by the Office of Audit and Compliance Status which detailed the audits completed and in progress since the Committee last met in April, as well as a summary of their key findings.

The audits identified “controls” within the University — processes, policies and safeguards intended to prevent errors, fraud and mismanagement — and assessed whether they were working as intended or in need of corrective action. The most urgent control deficiencies are priority one errors, which are of a high risk and provide “minimal or no assurance that institutional objectives will be achieved” without changes. Priority two errors hinder “the effectiveness … of unit level operations” and require “timely corrective action.”

All audits completed since April occurred within the U.Va. Health division. U.Va. Health’s vendor payment matching control validation — a process confirming that a payment has been correctly matched with corresponding financial records — identified three working controls and one P2 error. 

Auditors at U.Va. Health also reviewed mobile access and security controls, finding seven working controls, one deficient control and one process improvement. This error was counted separately as a “Partially Meets” error — an IT control that only partially meets relevant standards.

An audit which followed up on U.Va. Health’s “timekeeping and payroll” also revealed one P1- and two P2-level errors which the report did not elaborate on further. 

An audit conducted by the Office of University Counsel identified a P1-level error and a P2-level error, but specific information about this audit is protected under attorney-client privilege.

Unlike the Audit Committee’s meeting book from April, Friday’s meeting information contained no progress reports on the University’s action plans, which track the progress towards resolving control deficiencies. The Cavalier Daily previously reported that some action plans to address P2 errors were given as many as two extensions, leaving some issues unresolved for up to four years at a time.

The Committee also received a written status report on the University’s Health Compliance and Privacy Program, which did not contain significant new information since April’s meeting. It indicated that the University is currently in the process of revising its compliance risk assessment for FY26, which previously identified 40 high-priority “Tier One” risks of regulatory noncompliance.

The closed session lasted approximately one hour before the Committee returned to open session and formally adjourned. The Audit, Compliance and Risk Committee is expected to reconvene during the next series of regular Board meetings, which will take place from Sept. 16-19.
