Comprehensive reviews utilize the Committee of Sponsoring Organizations (COSO) and Control Objectives for Information and Related Technologies (CoBIT) frameworks to provide reasonable assurance to UK’s Board of Trustees and senior management regarding the following:
- Compliance with applicable laws and regulations
- Integrity of financial reporting
- Safeguarding of assets
- Operational efficiency and effectiveness
For each comprehensive review, the full scope is not determined until UKIA completes the planning phase, during which the risks most likely to impede the attainment of UK’s objectives are identified. Appropriate and sufficient work allows us to assess business practices, evaluate the internal control environment, and trend data to provide value-added insights and recommendations to both the client and relevant stakeholders (process owners).
UKIA’s investigations team examines events that may have led to a monetary or physical loss to the university to validate the event, accurately calculate the resulting loss and determine the root cause – the conditions which allowed the event to occur and/or go undetected for a period of time. We ensure that appropriate units within the University’s Multidepartment Action Group (MAG), which comprises UKIA, Human Resources, Office of Legal Counsel, Information Technology Services (ITS), and UK Police Department, have knowledge of our investigations so they can take suitable action. These investigations typically stem from information provided through the following sources: tips (comply line, direct calls to UKIA), auditor observations and UK Police reports.
Information Technology Reviews
Information Technology (IT) reviews utilize the CoBIT framework to evaluate the quality of the controls and safeguards over the information technology resources at the university. The objectives of IT reviews are to ensure the following:
- The effectiveness and efficiency of university IT resources
- The integrity of all UK data and data systems
- Adherence to UK policies and procedures
- Proper controls are in place to protect computer applications and the computing environment
IT reviews are conducted both as a standalone evaluation and as a component of Comprehensive, Compliance or Investigation reviews.
Follow-up reviews are typically conducted approximately six to 12 months after the initial audit is completed, in accordance with the Work Prioritization Plan. However, their actual commencement may vary based on target completion dates of the client’s remediation strategy, as the purpose of these reviews is to validate that the observations noted in the initial review have been resolved.
Data analytics is used to compare and analyze large and complex data sets to determine exceptions or detect anomalies based on select criteria.
Repetitive Auditing Programs
Our repetitive auditing programs examine areas at high risk for non-compliance, such as ProCards, web application security, non-exempt overtime compensation, asset verification and FERPA. The purpose of these reviews is to assess clients’ practices for compliance with federal regulations and university procedures, though they also support the detection of fraudulent activity at the individual employee level.