The Audit Connection Collaborating for Enterprise Excellence
Fall, 2015 Issue No. 10
Inside this issue:
What Is Up with the GRU Department Self-Assessments? New or Not? 1
Entity Level Controls: What Are They & Why Are They Important? 3
What’s It All About, Auditors? 5
Understanding Financial Statements 6
Meet the Intern 8

Internal Audit Staff
Clay Sprouse, CAO
Kathleen Boyd, Assoc. Director
Crystal Corey, Audit Manager
Will Barnes, Senior Auditor
Sheryl Brown, I.T. Auditor
Rufus Copeland, Auditor
Sarah Wilder, Auditor
Lisa Kedigh, Admin. Asst. III
Shannon Runger, Intern

The Office of Internal Audit's purpose is to support the mission and vision of the Georgia Regents Enterprise by: providing independent and objective management evaluations; identifying actual and potential problems; providing corrective guidance; developing management recommendations; and providing consultative services in accordance with professional internal auditing standards and compliance review guidelines.
We are here to help you!

What Is Up with the GRU Department Self-Assessments?
Clay Sprouse, Chief Audit Officer

Topics
This is a relaunch of a prior program that was considered valuable and successful.
There are numerous benefits of the department self-assessments.
What’s new about the assessments?
What can you expect when you get the survey and how do you complete it?
How do you get more information if you need it?

Re-Launch
As many of you know, the department self-assessments are not new. We were doing these assessments on the Health Sciences Campus before consolidation. These were hardcopy books of checklists, best practices and ready references for department managers. The department self-assessments were stopped during a turbulent time of change when we created more integration with the medical center and then consolidated ASU and GHSU. Now that we are emerging from that time as Georgia Regents University and Georgia Regents Health System, the time is right to relaunch this valuable program.
Benefits
The benefits of the surveys always were, and still are, that business managers and administrators have this quick reference for managing a department and ensuring compliance with numerous rules, procedures, regulations and policies. The checklists can be used to give you and your management assurance that we are doing things right. The tool also provides additional options for training and management evaluation and oversight.
On the back end, Internal Audit is able to gather information about the success of the compliance and risk management processes across campus. This information will be used to help responsible areas such as Human Resources, Compliance, Health and Safety, Procurement, and others to understand how well their programs are working.
706-721-2661 gru.edu/admin/oia
Ask the Auditor! We invite you to send your questions to internal_audit@gru.edu, and we may feature them in future issues. 1120 15th Street, Augusta, GA 30912 | Phone: 706-721-2661 | Fax: 706-721-9094
The impact is that we are able to provide more assurance that risks are managed appropriately and that controls are in place and working. With your cooperation, we can now take this assurance deeper and further into the organization than we would ever do by conducting these surveys using Internal Audit department resources alone.
What’s New?

Electronic Distribution
First, the entire suite of tools (the surveys or checklists, the ready reference to policies, procedures and best practice, and the contact information for the various subject matter experts) is electronically stored and available on our website. Surveys will be delivered, completed and administered electronically. You will receive the surveys by email. You can complete the survey yourself, or you can forward it to someone else to complete. On our internal audit website (links to the resources are embedded in the surveys and emails), you will find much of the same information that everyone enjoyed from the original handbooks: the checklists, links to resources, a synopsis of the related guidance and best practices for success.

A Graded Approach
The department self-assessment surveys are now going to be completed on a graded approach. Originally, all departments completed all the surveys. We have changed this to an approach that distributes the completion of surveys based on the size and complexity of the departments and the importance and impact of the related survey. We have over 30 different surveys divided into high-, medium- and low-risk topics. Over a rolling three-year cycle, we expect that various departments will complete all surveys. Some larger departments will need to do more of the surveys and at a higher frequency; others, such as smaller departments, will see only a few surveys a year, and those will be the most important areas to evaluate.

In addition to distributing the surveys differently, we do expect to execute the surveys differently as well. Originally, all surveys were reviewed and evaluated by Internal Audit after they were received. Now, only a sample will be evaluated and followed up. Furthermore, we may be asked by you or management to validate your original self-assessment or perform the survey independently.
The Survey Is Simple
You have the option of entering more information other than yes or no, but it’s only there if you need it. I do expect you to use your due diligence in garnering the information you need to complete the survey and answer the various questions accurately and honestly. Once you complete the survey, all you do is submit the survey, and we’ll be notified that it’s completed. And the results will be collected in Internal Audit.
Once you finish the survey, you will know how your department is doing. With multiple submissions, Internal Audit will analyze, build and share information about campus wide results.
Special Recognition!
While there are going to be required surveys that we’ll send you, you can take the checklist from our website or complete an online survey at any time for any area or domain. For business managers or administrators that complete most or all of the surveys before the three-year rolling period ends, I promise a special recognition for you. So feel free to take all of the surveys on your own accelerated schedule. I’m excited about being able to get to know and work with each of you more, to provide an opportunity to network and collaborate with you and the various subject matter experts, and to provide meaningful information to you and management about what programs are successful and which ones need great attention.
The Bottom Line
With greater compliance and risk management, we can reduce uncertainty and improve operations. This will help us all in meeting our own, and the institution's, goals and objectives. If you have any questions, please feel free to contact me at csprouse@gru.edu or use our special department self-assessment email account, INTERNAL_AUDIT_DSA@gru.edu. I do want your feedback. Please let me know what you think! Thank you for your time and interest in the program, and again, let me say how important this is to all of us at Georgia Regents and how excited we are that we are getting this program back in place. I look forward to hearing from you and working with you in the future!
Entity Level Controls: What Are They & Why Are They Important?
Kathleen Boyd, Associate Audit Director

Recently Internal Audit announced an audit of Entity Level Controls (ELCs) for Georgia Regents University and Health System. In this article we will discuss what we mean when we talk about ELCs, why they are important, and the significance of this audit at this particular time.
ELCs DEFINED
ELCs are the over-arching systems, policies and practices that help ensure management directives pertaining to the entire organization are carried out. They help in setting the tone and establishing the expectations for our institution and all those who are involved in advancing its mission and vision. A healthy system of controls helps to mitigate risk in an environment that is highly regulated, increasingly complex and challenged by budget constraints. The basis of such a system is an infrastructure that guides employees in making ethical and sound business decisions.
CORE VALUES ARE A KEY ENTITY-LEVEL CONTROL
Do You Know the Core Values of Georgia Regents?
Collegiality
Compassion
Excellence
Integrity
Inclusivity
Leadership

Common entity-level controls that you might expect to see in a high-functioning organization include:
Core values that are reflected in the mission and inform the policies, procedures and practices that drive day-to-day operations
An ethics policy that reinforces the core values
A conflict of interest policy that provides a means for disclosing and mitigating potential conflicts that could compromise an individual’s objectivity, judgment and fiduciary responsibilities at all levels of the organization
A hotline where serious concerns that have not been addressed elsewhere can be reported relating to potential ethical violations, including fraud, waste and abuse (anonymously if preferred) with a nonretaliation policy to those who bring forward such concerns
Transparency in financial reporting to management, audit committees and interested parties
In recent years, the importance of entity-level controls has been recognized by accounting boards, certified public accountants, internal auditors, financial consultants and academic leaders, including the National Association of College and University Business Officers.

“The international clamor for increased accountability and transparency has prompted stakeholders around the globe to press companies to better manage risks through stronger internal controls. Key elements of a strong internal control structure include a top-down risk assessment, effective and efficient communications and monitoring, robust control activities, and a well-established control environment. Entity-level controls strengthen internal controls overall by helping companies to meet their regulatory, business and operations priorities.”
Ernst and Young, 2007
The objective of this audit is to assess the overall control environment of Georgia Regents by examining key components that collectively set the ethical tone for all stakeholders, including governing boards and those who work, study, conduct research and/or attend to patients. We believe that an assessment of these controls is vital to the success of the new university and health system. The culture and tone of GRU/GRHealth is surfacing from the tides of change that brought the health system into existence, rejoined the operations of the medical center and university, and consolidated two unique learning institutions.

Clay Sprouse, chief audit officer, explained why this audit is being conducted now: “This audit was added to the FY16 Audit Plan to bring awareness of the existing control structure to the new administration. We look forward to bringing the results of this audit to you in the coming months.”

What’s It All About, Auditors? (Risk Assessment and Audit Planning)
Sheryl Brown, IT Auditor

How do those internal auditors determine what to audit?
Internal Audit develops a flexible plan of focus areas for a rolling 18-month period, based on current or impending risks to the organization. These audit plans are presented to leaders in the medical center, medical associates, and the university. The audit committees approve the plans for the not-for-profit areas of the organization, and the vice chancellor of the University System of Georgia approves the plans for the health system and the university. Many of the focus areas are identified through periodic Enterprise Risk Assessment interviews with all levels of management across the enterprise. Risk areas considered include:
Reputation/perception of the enterprise, or how the general public views Georgia Regents
Operational, such as our effectiveness in achieving organizational goals and objectives and the efficiency of operations
Compliance with internal policies and procedures and external law/regulations
Financial, comprising accuracy of reporting, financial sustainability and viability of Georgia Regents, and safeguarding of financial assets
The plan also sets aside time to address unanticipated management requests for internal assurance or consulting services.
Internal Audit also conducts audits or advisory engagements by management request. Managers or senior leaders in any of the entities who have a concern or would just like an objective opinion about the internal controls in their area of responsibility can make a request to the chief audit officer, who will consider how audit can best respond. The entire audit staff also hears management concerns and documents the pertinent information in a repository of potential audits, which will be taken into consideration in developing future audit plans.

What will it cost my budget to get Internal Audit’s services for a specific need?
Internal Audit does not charge departments for its services.

Okay, so what if I am pleased, or unsatisfied, with Internal Audit’s work?
After each engagement is completed, the customer is asked to evaluate the work of the auditor.

Understanding Financial Statements
Internal Audit Hosts “Lunch & Learn” for ACERM Committee Members
Kathleen Boyd, Associate Audit Director

On August 20, 2015, audit committee members gathered with Georgia Regents professionals from Internal Audit, Compliance, Legal Affairs and Finance for a “Lunch and Learn” on Understanding Financial Statements. The response has been positive.

At Georgia Regents, there are multiple Audit, Compliance and Enterprise Risk Management (ACERM) committees that have governance, audit and risk management oversight responsibilities for their respective entities. Given the size and complexity of the organizational structure at Georgia Regents, it follows that numerous audit committees are in place to help ensure that oversight functions are adequate. The three primary ACERM committees are listed in the chart below:

Georgia Regents ACERM Committees
Entity | Audit Chair
Georgia Regents Medical Center (GRMC) | Cobbs Nixon
Georgia Regents Medical Associates (GRMA) | Adam Berman, M.D.
Georgia Regents Health System (GRHS) | Lewis Horne, Acting Chair

Note: Georgia Regents University is governed by the University System of Georgia, which has its own board of directors and audit committee.
Serving on an audit committee is no small task. As stewards of the public trust, committee members must remain objective, inquisitive and have the capacity to recognize warning signs that might indicate a change in the overall health of the organization. In order to carry out their fiduciary responsibilities, committee members are expected to have substantive financial literacy. They must be able to read and interpret financial reports, understand the meaning behind the numbers, identify trends and spot red flags that might signal a shift in underlying conditions. Internal Audit recognizes the importance of helping its audit committee members in carrying out this responsibility.

In organizing the Lunch and Learn, Clay Sprouse recognized that some ACERM members might appreciate some assistance in navigating the financial statements of Georgia Regents. Enter Greg Damron, vice president and chief financial officer for Georgia Regents Medical Center, to the rescue. Using the medical center’s audited financial statements from FY14, Damron walked the audience through some accounting basics and then explained further about the meaning behind an audit opinion, the importance of a good credit rating, the impact of cash flow on operations and the significance of maintaining healthy reserves.
Cobbs Nixon, Audit Chair, Georgia Regents Medical Center

Cobbs Nixon, chair of the Georgia Regents Medical Center Audit Committee, was among the attendees at the Lunch and Learn. Based on the positive feedback received from this initial Lunch and Learn, we expect to introduce more of these sessions throughout FY16. Check the OIA website for announcements about future trainings: gru.edu/admin/oia/

Meet the Intern

“I think the greatest thing about this internship is the inclusion of the intern in the various audits that are being handled by the office. I feel like I will get a well-rounded understanding of internal audit through this experience.” – Shannon Runger
Shannon Runger became interested in the internship after attending a student luncheon at the Office of Internal Audit. There she learned that auditing encompassed more than the stereotypical idea of searching for fraud. She became increasingly interested while attending a course taught by Prof. Steve Loflin, who has a background in audit and frequently incorporates audit policies and procedures into his accounting lectures. Through the internship, Runger hopes to gain a better understanding of the role and benefit of internal audit for the university and health system. She was delighted to have the opportunity in May to job shadow Anthony Wagner, the executive vice president of administration and finance for Georgia Regents University, and had a chance to see how the various systems work together to achieve a common goal. The experience opened her eyes to the many employment opportunities offered by GRU. Runger is originally from Iowa, but an enlistment with the Air Force and a position at Fort Gordon brought her to Augusta in 2005. After an eight-year military career, she decided to pursue a degree in accounting and enrolled at Augusta State University. She saw the university through the consolidation into GRU and has been impressed with the degree of professionalism and aid to students that the Hull College of Business provides. She intends to continue her studies through a master’s degree program and hopes to obtain multiple professional certifications.