UKIA's Office of Accountability evaluates high-risk processes that require 100 percent compliance with university policies and associated regulations. Through continuous monitoring programs, the Office of Accountability will assess these areas and provide regular reports to minimize associated risk.
Comprehensive reviews utilize the Committee of Sponsoring Organizations (COSO) and Control Objectives for Information and Related Technologies (CoBIT) frameworks to provide reasonable assurance to UK’s Board of Trustees and senior management regarding the following:
For each comprehensive review, the full scope is not determined until after UKIA completes the planning phase during which time the risks most likely to impede the attainment of UK’s objectives are identified. Appropriate and sufficient work allows us to assess business practices, evaluate the internal control environment and trend data to provide value-added insights and recommendations to both the client and relevant stakeholders (process owners).
UKIA’s investigations team examines events that may have led to a monetary or physical loss to the university to validate the event, accurately calculate the resulting loss and determine the root cause — the conditions which allowed the event to occur and/or go undetected for a period of time. We ensure that appropriate units within Human Resources, the Office of Legal Counsel, Information Technology Services and the UK Police Department have knowledge of our investigations so that they can take suitable action.
These investigations typically stem from information provided through the following sources: tips (UK’s anonymous reporting sources, direct calls to UKIA) and auditor observations.
Information Technology (IT) reviews utilize the CoBIT framework to evaluate the quality of the controls and safeguards over the information technology resources at the university. The objectives of IT reviews are to ensure the following:
IT reviews are conducted both as a standalone evaluation and as a component of Comprehensive, Compliance or Investigation reviews.
Follow-up reviews are typically conducted approximately six to 12 months after the initial audit is completed, in accordance with the Work Prioritization Plan. However, their actual commencement may vary based on target completion dates of the client’s remediation strategy, as the purpose of these reviews is to validate that the observations noted in the initial review have been resolved.
Data analytics is used to compare and analyze large and complex data sets to determine exceptions or detect anomalies based on select criteria.
Our repetitive auditing programs examine areas at high risk for non-compliance, such as ProCards, web application security, non-exempt overtime compensation, asset verification and FERPA. The purpose of these reviews is to assess clients’ practices for compliance with federal regulations and university procedures, though they also support the detection of fraudulent activity at the individual employee level.
UKIA performs assessments, or overall evaluations of a unit’s processes and associated technology, to document practices from a risk standpoint. Typically broader in scope than an audit due to the focus on identifying key process risks, UKIA’s assessments are performed as needed due to changes in management, industry trends or other events. They are typically short in duration but can be quite complex, depending on the area being evaluated. The risk areas identified are then used to inform our annual Work Prioritization Plan, according to risk impact and likelihood.
UKIA’s “big picture” analysis pinpoints units’ strengths and weaknesses and provides unit management with valuable insights and key benchmarks related to their functional responsibility(s) and/or high-risk administrative processes. The unit’s established plans and protocols are evaluated according to their stated goals and obligations. Managers can then use this guidance to be more proactive in implementing initiatives that increase operational efficiency and effectiveness. Consultations are performed at the unit’s request and the nature and scope are agreed upon in advance by the unit.
These web-based trainings (WBTs) facilitate awareness, review policy, and coach attendees on the application of internal controls and departmental procedures that conform to university standards. More information about these programs can be found on UK's Human Resources Training page.
Lessons Learned are WBTs which share insights gleaned from audit activity and current events both here and across the nation. More information can be found on the Lessons Learned page or by contacting UKIA directly.