December 6, 2018


MEMORANDUM


TO: The Audit, Compliance, and Risk Committee:


Babur B. Lateef, M.D., Chair

Robert M. Blue

Mark T. Bowles

L. D. Britt, M.D.

James B. Murray Jr.

C. Evans Poston Jr.

Frank M. Conner III, Ex Officio

Adelaide Wilcox King, Faculty Consulting Member


and


The Remaining Members of the Board:


Whittington W. Clement

Elizabeth M. Cranwell

Thomas A. DePasquale

Barbara J. Fried

John A. Griffin

Robert D. Hardie

Maurice A. Jones

Tammy S. Murphy

James V. Reyes

Jeffrey C. Walker

Margaret F. Riley, Faculty Member

Brendan T. Nigro, Student Member


FROM: Susan G. Harris


SUBJECT: Minutes of the Meeting of the Audit, Compliance, and Risk Committee on December 6, 2018


The Audit, Compliance, and Risk Committee of the Board of Visitors of the University of Virginia met, in Open Session, at 4:00 p.m., on Thursday, December 6, 2018, in the Board Room of the Rotunda. Dr. Babur Lateef, Chair, presided.


Present: Frank M. Conner III, Robert M. Blue, Mark T. Bowles, L.D. Britt, M.D., James B. Murray Jr., C. Evans Poston Jr., and Adelaide Wilcox King


Whittington W. Clement and Thomas A. DePasquale also were present.


Present as well were James E. Ryan, Jennifer Wagner Davis, Sally N. Barber, Melody S. Bianchetto, Timothy J. Heaphy, Donna P. Henry, W. Thomas Leback, David W. Martel, Kelley D. Stuck, and Pamela Sutton-Wallace.


James S. Matteo, Carolyn D. Saint, Eric M. Sandridge, and Donald E. Sundgren were the presenters.


Dr. Lateef opened the meeting. After reviewing the agenda, he gave the floor to Ms. Bianchetto.


Auditor of Public Accounts Audit and Management Report for FY 2017-2018


Ms. Bianchetto introduced Mr. Eric M. Sandridge, Director of Higher Education Programs for the Virginia Auditor of Public Accounts. Mr. Sandridge said his office has issued unmodified opinions on the University’s consolidated financial statements and on the Medical Center’s financial statements.


The office also reviewed internal controls and compliance. It did not identify any instances or issues it considered to be material weaknesses in internal control, but made several recommendations. At the Academic Division, these included findings related to information security, revenue recognition for a non-reimbursement based grant, and compliance with various federal student aid provisions. The office performed a full federal compliance audit for the management of student financial aid. At the Medical Center, there were recommendations related to information security and bank reconciliation policies and procedures. Some of the recommendations were also listed as compliance items.


Mr. Sandridge said his office did not find any indication of fraudulent transactions or illegal acts and concurred with management’s application of accounting principles. There were no disagreements with management regarding audit, accounting, or disclosure matters. There were a few adjustments to the financial statements, but these did not affect the bottom line.


Recommendations for the Academic Division included one from a prior report dealing with security awareness training; progress has been made, but it is taking time to implement. Other recommendations focused on improving oversight of information technology service providers and improving database security. There were three recommendations regarding financial aid.


Medical Center recommendations included the IT risk management process and documentation. This is a carryover from last year; progress has been made, but the work continues. Another prior year recommendation was made related to third party service providers; once again progress has been made, but the work continues. There was a recommendation related to improving security for the wireless local area network. Given the new patient accounting and billing system, the auditor recommended the Medical Center take a second look at its process for reconciling transaction activity.


Construction Management: Financial Controls and Project Monitoring


Ms. Saint said the University is finalizing the details of its construction audit program and has completed an audit of the Hospital Expansion project with the help of an outside auditor. She asked Mr. Sundgren, Associate Vice President and Chief Facilities Officer, to review the audit.


Mr. Sundgren began with a review of the project’s scope and construction contracting methods. The University decided to use a construction manager (CM) and to select subcontractors for the major design packages by a design assist selection process. The project consists of a 440,000-square-foot addition and 95,000 square feet of renovation. The addition will be completed in 2020; renovations will be completed in 2021. The budget is $392 million.


The audit report rated the audit findings on the basis of three priorities. Priority 1 ratings were control and/or process deficiencies which provide minimal or no assurance of institutional objectives being achieved. Priority 2 ratings were control and/or process deficiencies which could impede attainment of institutional objectives. Priority 3 ratings were process improvements which could achieve additional control and/or process efficiencies. The report did not list any Priority 1 findings, but identified four Priority 2 observations and twelve Priority 3 recommendations.


Ms. Saint said the auditor will validate Facilities Management’s responses to the audit.


Enterprise Risk Management Program (ERM) Report on FY 2019 Goals


Mr. Matteo reviewed the four goals for FY 2019. The first goal is the extension of the ERM program to the College at Wise. A key risk list will be ready for presentation at the February committee meeting. The second goal is the development of a key-risk interaction map. Its focus is to understand and map how key risks interact with one another. The third goal is the moving of ERM data and processes to the governance, risk, and compliance (GRC) system being implemented by the Audit Department. The fourth goal is the streamlining of the annual ERM cycle and governance structure.


Office of Audit and Compliance: Summary of Current Activities


The Chair directed the committee’s attention to the written report in the committee materials and said questions should be directed to Ms. Saint or Mr. Gary Nimax.


Closed Session


At 5:00 p.m., the committee went into closed session upon the following motion made by Mr. Poston, duly seconded and approved:


Mr. Chair, I move the Audit, Compliance, and Risk Committee into closed meeting to discuss matters related to certain personnel matters involving the performance of identifiable employees or faculty of the University, and to discuss the evaluation of performance of University departments or schools where such evaluation will necessarily involve discussion of the performance of specific individuals, including Audit Reports of individually identified departments and/or school, as authorized by Section 2.2-3711 A(1) of the Code of Virginia. Such closed session discussion will also include controls related to IT security of specific systems as provided for in Section 2.2-3711 A(19) of the Code of Virginia, and business related information pertaining to Medical Center operations as provided for in Section 2.2-3711 A(22) of the Code of Virginia.


At 5:12 p.m., the committee concluded closed session and approved the following motion, made by Mr. Poston and duly seconded, by unanimous roll call vote.


Voting in the affirmative:


Babur B. Lateef, M.D.

Frank M. Conner III

Robert M. Blue

Mark T. Bowles

L. D. Britt, M.D.

James B. Murray Jr.

C. Evans Poston Jr.


Motion:


I move that we vote on and record our certification that, to the best of each Board member’s knowledge, only public business matters lawfully exempted from open meeting requirements and which were identified in the motion authorizing the closed session, were heard, discussed or considered in closed session.


Action Item: Auditor of Public Accounts’ Findings for FY 2017 – 2018


On motion, the committee approved the following resolution and recommended it for full Board approval:


AUDITOR OF PUBLIC ACCOUNTS’ FINDINGS FOR FY 2017-2018


RESOLVED, the Auditor of Public Accounts’ Findings for FY 2017-2018 are approved as recommended by the Audit, Compliance, and Risk Committee.


The chair adjourned the meeting at 5:13 p.m.


SGH:wtl

These minutes have been posted to the University of Virginia’s Board of Visitors website: http://bov.virginia.edu/committees/181