
AUDIT SERVICES

Annual Report for Fiscal Year 2004


University of Texas Medical Branch at Galveston
Audit Services FY 2004 Annual Report

Table of Contents

I. Work Plan for Fiscal Year 2004

II. External Quality Assurance Review

III. List of Audits Completed

IV. Organizational Chart

V. Report on Other Internal Audit Activities

VI. Work Plan for Fiscal Year 2005


University of Texas Medical Branch at Galveston
Audit Services
Fiscal Year 2004 Work Plan - Priority Projects
Plan Completion Update as of August 31, 2004
Audit Areas | Priority Budgeted Hours | % of Total | Revised Budgeted Hours | Actual Hours 38,230 | Over/(Under) Rev. Bud. | Variance % | Completion 8/31/04 (Green - Yes; Red - No)
Key Financial and Operating
System-wide Audits
Sarbanes-Oxley & Internal Controls Assessmena1 1,000 600 292 (308) -51% Completed - Ongoing
Accounts Receivable and Allowance for Bad Debts1 225 225 247 22 10% Completed - Results reported by PWC
Financial Audits
Financial Data Accumulation & Financial Reporting Interfaces1 550 100 93 (7) -7% Completed - Results reported by PWC
Post Implementation Review Clinical Cash Collections Processad 467 775 980 205 26% Completed
Construction Project Management/Capital Projects 400 100 51 (49) -49% CO-SOURCE - Reporting
MSRDP Review1 300 0 0 0 Obtained coverage through projects with Note 1
Family Practice Residency Programs 200 200 208 8 4% Completed
Financial Consulting
PeopleSoft - Operational2 700 100 36 (64) -64% Management outsourced project - will participate as needed
Financial Statement - Fund Balance 0 400 412 12 3% Completed
Consulting/Collaboration 0 50 30 (20) -40% Completed
Financial Carryforward
PeopleSoft - Operationa2 100 100 282 182 182% Completed
Service Centers Review - Telecommunicationsb 0 200 387 187 94% Completed
ARP/ATP Grantsc 0 114 114 0 0% Completed
Subtotal 3,942 27% 2,964 3,132 168 6%

Institutional Compliance
System-wide Audits
Endowments 300 400 697 297 74% Completed
Compliance Program Audits
Research Office of Sponsored Programs 850 850 1,138 288 34% Completed
Workers' Compensation Insurance Resource Allocation Programd 200 0 2 2 NA Audit not required, as mgmt. originally thought
Compliance Consulting
Health Insurance Portability & Accountability Act (HIPAA) - Operational2 100 100 40 (60) -60% Ongoing
Reserve for Just-in-Time Auditing/Advisory Servicesb 200 0 0 0 NA Budget was reallocated to another project. See noteb
Compliance Carryforward
Patient Billing-Credit Balancesc 0 26 35 9 Completed
Subtotal 1,650 11% 1,376 1,912 536 39%

Information Technology
System-wide Audits & IT Audits
IT Vulnerability Assurance Audit and Action Plan Follow-up 50 50 21 (29) -58% Completed - See IT Follow-up Issues
TAC 202 Information Security Audit 50 50 22 (28) -56% Completed
Information Technology Audits
Decentralized IT Operations Audits 750 750 811 61 8% Completed
Server Reviews 700 700 819 119 17% Completed
Remote Access & Perimeter Defense (Firewall) 350 350 6 (344) -98% To be completed by DIR in 11/04
Follow-up Activities3 300 300 477 177 59% Ongoing
Integration of IT Auditors on General Audits 100 100 0 (100) -100% Ongoing/As-Needed
Software License Agreements 0 200 0 (200) -100% Completed - Incorporated in IT Operations & Server Reviews
Information Technology Consulting
Electronic Medical Record System (EMR) - Information Technology3 150 150 0 (150) -100% Mgmt. timing of proj delayed - will partic. as needed

HIPAA - Information Technology3 50 50 26 (24) -48% Ongoing/As-Needed
Information Services Infrastructure Projects - Phase III 50 50 0 (50) -100% Ongoing/As-Needed
Institutional Business Assurance/ACL Initiative3 50 50 6 (44) -88% Ongoing/As-Needed
Consulting/Collaboration 0 20 22 2 10%
Reserve for Just-in-Time Auditing/Advisory Services - TBA 150 150 0 (150) -100% Staff time not available
Information Technology Carryforward
PeopleSoft - Information Technology3 50 50 228 178 356% Completed
Information Services Infrastructure Projects - Phase II 10 10 25 15 150% Completed
Subtotal 2,810 19% 3,030 2,463 (567) -19%

Core Business Processes


System-wide Audits
Physical Security Initiative 200 200 68 (132) -66% In progress
Performance Measures 100 100 0 (100) -100% Project deleted by UT system
Core Business Processes Audits
ClinWeb Charge Capture and Processing1 600 100 54 (46) -46% Will begin in 4th quarter and carry-over to FY05
Hospital/Clinical Operations Revenue Enhancement/Cycle 400 0 4 4 Hospital management outsourced to E&Y
501a Audits/Projects - Clinic Staffing Office 300 300 333 33 11% Completed
Core Business Consulting
Electronic Medical Record Design and Implementation Initiative2 250 80 1 (79) -99% Mgmt. timing of proj delayed - will partic. as needed
Reserve for Just-in-Time Auditing/Advisory Servicesc 300 0 0 0 NA Budget was reallocated to other projects. See notec.
Core Business Carryforward
Research Time & Effort Reportingc 0 38 38 0 Completed
Subtotal 2,150 15% 818 498 (320) -39%

Management Reviews
Management Reviews
Specific Areas - Neurology 600 400 717 317 79% Completed
Management Reviews Carryforward 0
School of Nursingc 0 38 38 0 Completed
Office of Student Affairsc 0 74 73 (1) Completed
Subtotal 600 4% 512 828 316 62%

Follow-up
Follow-up Activities 2 400 400 453 53 13% Ongoing
Subtotal 400 3% 400 453 53 13%

Projects
Consulting Projects
Internal Control & Accountability/Training Phase II 300 300 286 (14) -5% Completed/Ongoing
Institutional Business Assurance/ACL Initiative2 200 200 110 (90) -45% Ongoing
Projects Carryforward
Biocommunications Service Center Reviewc 10 75 65 650% Completed
Other Projects
Investigations4 700 200 21 (179) -90% Ongoing/As-Needed
Internal Quality Assurance Activities4 250 250 122 (128) -51% Ongoing
Peer Review Preparation4 200 200 240 40 20% Completed
Office/Audit Manual Revision4 150 150 458 308 205% Completed
Service Delivery Support Activities4 800 800 1,118 318 40% Ongoing
Institutional Risk Assessment and Work Plan Development4 250 250 422 172 69% Completed
Liaison with External Auditors4 100 100 92 (8) -8% Ongoing
Audit Services' Web Site Upgrade4 100 100 11 (89) -89% Not completed
Subtotal 3,050 21% 2,560 2,955 395 15%

Total Hours 14,602 100% 11,660 12,241

Notes
1 Satisfies UT System requirement for MSRDP audits
2 Additional hours for this audit/project are included for Information Technology (IT) audit personnel in the IT segment of the work plan
3 Additional hours for this audit/project are included for non-IT audit personnel in other segments of the
4 Includes time for general audit and IT audit personnel

a We reduced the original budget for this project based on our anticipated reduction in the scope of this project. The hours were reallocated to the Clinical Cash Collections Project to fund a portion of the hours we added to the budget of that project.

b This carryforward project was added to our priority audit listing to account for resources we expended on this endeavor fiscal year to date. The net effect of this addition on our priority budgeted hours was zero, since we reallocated hours that were already on our listing under the caption "Reserve for Just in Time Auditing/Advisory Services" to fund this new line item.

c These carryforward projects were added to our priority audit listing to account for resources we expended on these endeavors fiscal year to date. The net effect of these additions on our priority budgeted hours was zero, since we reallocated hours that were already on our listing under the caption "Reserve for Just in Time Auditing/Advisory Services" to fund these new line items.

d According to feedback received from the UT System Audit Office, this review is no longer required. We reallocated the 200 hours originally budgeted for this project to Clinical Cash Collections Project.

II. External Quality Assurance Review
III. List of Audits Completed
Report No. | Report Date | Name of Report | High-Level Audit Objective(s) | Observations/Findings and Recommendations | Current Status (with brief description if not yet implemented) | Fiscal Impact/Other Impact

Report No.: 2004-004
Report Date: 7/23/2004
Name of Report: Post Implementation Review – Clinical Cash Collections Process
High-Level Audit Objective(s): The objective of this audit was to perform a post implementation review of the clinical cash collections/management system that was implemented two years ago. The review extended to assessing asset security issues in the clinics (e.g., access to the cash drawers).
Observations/Findings and Recommendations: Opportunities exist to strengthen controls in the clinical cash collections process. Specifically, management should:
• Implement a monitoring mechanism that estimates the amount of cash that should be collected and compares that estimation with the amount actually collected.
• Ensure that established cash collections procedures are consistently applied by clinic personnel.
• Ensure adequate physical security measures are in place to safeguard cash collections.
• Record, report, and resolve in a timely manner all identified overages and shortages.
• Ensure cash collection duties are appropriately segregated.
• Review daily clinic cash collections on at least a periodic basis.
• Implement a process to ensure that all reportable shortages are communicated to campus police and the deposit team and that appropriate disciplinary action is taken as needed.
• Ensure management reports accurately reflect current activity.
• Ensure that all employees with cash collection/handling responsibilities complete required training.
Current Status: Target completion dates were identified through 12/04.
Fiscal Impact/Other Impact: Ensures collection, posting, and depositing of all cash collected in clinical areas. Reduces the risk for errors, irregularities, and fraud.


Report No.: 2004-007
Report Date: 1/15/2004
Name of Report: Family Practice Residency Programs
High-Level Audit Objective(s): The objective of this audit was to ensure that Texas Higher Education Coordinating Board funds were expended in accordance with program guidelines.
Observations/Findings and Recommendations: We concluded that program activities for the period were properly recorded, reported, and expended.
Current Status: No recommendations requiring action.
Fiscal Impact/Other Impact: Ensures accurate financial and compliance reporting to the State and other users of the information.

Report No.: 2004-009
Report Date: 9/1/2004
Name of Report: Financial Statement – Fund Balance
High-Level Audit Objective(s): The objective of this review was to provide Financial Management with information regarding fund balance reporting, including the transfer process, and provide management with opportunities for improvement.
Observations/Findings and Recommendations: We concluded that there are opportunities for improvement in the following areas:
• All equity transfers should be reviewed and approved by supervisory personnel.
• Management should implement a formal process for performing recurring, routine equity transfers.
• Deficit fund balances should be investigated and resolved.
• Journal vouchers should be reviewed and approved by supervisory personnel, and appropriate approvals at certain dollar thresholds should be established.
• Adequate documentation should be maintained to support all journal entries.
Current Status: Target completion dates were identified through 2/28/05.
Fiscal Impact/Other Impact: Ensures accurate financial reporting.


Report No.: 2004-101
Report Date: 9/2/2004
Name of Report: Endowment Compliance Program of the Office of University Advancement
High-Level Audit Objective(s): The objective of this review was to assess the effectiveness of the processes in place to monitor the use of endowment funds, establish endowment agreements, ensure compliance with the gift agreements, and facilitate agreement modifications when appropriate.
Observations/Findings and Recommendations: Management has not provided adequate oversight to ensure compliance with UT System, UTMB, and donor-specific guidelines. This is evidenced by the following:

The Office of University Advancement does not have adequate procedures or monitoring systems in place to ensure compliance with UT System and UTMB guidelines and gift agreements.

Training is not sufficient to ensure all pertinent employees are informed of proper endowment practices.

Controls are not in place to ensure that cash receipts are properly safeguarded, activities are adequately segregated, and accounts are correctly reconciled.

Controls over quarterly endowment reporting are not adequate to ensure accurate information is being reported to management.

Pending endowments are not properly tracked to ensure timely resolution.

Current Status: Target completion dates were identified through 2/28/05.
Fiscal Impact/Other Impact: Resolution of the noted issues will improve the endowment compliance oversight process, ensure accurate reporting of endowment activity, and reduce the risk for errors and fraud in the endowment processing area.


Report No.: 2004-102
Report Date: 7/27/2004
Name of Report: Research Office of Sponsored Programs
High-Level Audit Objective(s): The objective of this audit was to assess the controls over processes for ensuring compliance with applicable federal laws, regulations, and grant and contract provisions.
Observations/Findings and Recommendations: Management did not provide adequate oversight to ensure compliance with applicable federal laws, regulations and grant and contract provisions. Specifically, we noted the following:
• Adequate systems were not in place to ensure compliance,
• Controls were not sufficient to ensure that subrecipients, matching costs, and program income were monitored,
• Cash draws were not requested and posted timely, and
• Federal reports were not submitted timely.

Recommendation: Audit Services recommended that management provide adequate oversight over key processes to ensure:
• Current systems are improved to ensure compliance with grant and contract provisions,
• Controls are developed and implemented to provide for appropriate monitoring of grant activity,
• Controls are developed and implemented to ensure that cash draws are made and allocated timely, and
• Federal reports are submitted timely.
Current Status: Target completion dates were identified through 6/1/05.
Fiscal Impact/Other Impact: Ensure compliance with federal regulations.


Report No.: 2004-201
Report Date: 7/15/2004
Name of Report: Surgery Decentralized Information Technology Operations
High-Level Audit Objective(s): The objective of this audit is to determine if the following is being performed in compliance with UTMB Information Resource Policies and Practice Standards for the selected areas that will be reviewed:
• Existing system security parameters are configured appropriately.
• System is configured to prevent unauthorized access to critical application, data and system resources.
• Adequate controls are in place over the configuration of user profiles.
• System level security is configured to protect critical data files and to protect production programs.
• Security events are logged and monitored.
• Backup and Recovery Procedures exist and address the risk of the area supported.
• Physical and Logical Access to the computer resources is appropriate.
• Environmental Conditions surrounding the servers are controlled.
• Staffing, Training, and Separations of Responsibilities are appropriate.
• Change Management operations represent a proper control environment.
Observations/Findings and Recommendations: Due to the nature of the information that is contained in this Information Technology Audit report, we have elected to provide the details of the report to appropriate parties when requested.
Current Status: In Progress
Fiscal Impact/Other Impact: Minimizes the risk of business interruptions.


Report No.: 2004-203
Report Date: 7/15/2003
Name of Report: Educational Affairs Decentralized Information Technology Operations
High-Level Audit Objective(s): The objective of this audit is to determine if the following is being performed in compliance with UTMB Information Resource Policies and Practice Standards for the selected areas that will be reviewed:
• Existing system security parameters are configured appropriately.
• System is configured to prevent unauthorized access to critical application, data and system resources.
• Adequate controls are in place over the configuration of user profiles.
• System level security is configured to protect critical data files and to protect production programs.
• Security events are logged and monitored.
• Backup and Recovery Procedures exist and address the risk of the area supported.
• Physical and Logical Access to the computer resources is appropriate.
• Environmental Conditions surrounding the servers are controlled.
• Staffing, Training, and Separations of Responsibilities are appropriate.
• Change Management operations represent a proper control environment.
Observations/Findings and Recommendations: Due to the nature of the information that is contained in this Information Technology Audit report, we have elected to provide the details of the report to appropriate parties when requested.
Current Status: In Progress
Fiscal Impact/Other Impact: Minimizes the risk of business interruptions.


Report No.: 2004-220
Name of Report: Server Reviews
High-Level Audit Objective(s): The objective of this audit is to determine if the following is performed in compliance with UTMB Information Resource Policies and Practice Standards for the selected servers that will be reviewed:
• Existing system security parameters are configured appropriately.
• System is configured to prevent unauthorized access to critical application, data and system resources.
• Adequate controls are in place over the configuration of user profiles.
• System level security is configured to protect critical data files and to protect production programs.
• Security events are logged and monitored.
Observations/Findings and Recommendations: Due to the nature of the information that is contained in this Information Technology Audit report, we have elected to provide the details of the report to appropriate parties when requested.
Current Status: Completed.
Fiscal Impact/Other Impact: Minimizes the risk of business interruptions.

Report No.: 2004-301
Name of Report: Physical Security Initiative
High-Level Audit Objective(s): The objective of this review is to monitor institutional activities related to the UT System Campus Safety and Security Workgroup and perform inspection activities on practices and procedures implemented as a result of previous DHHS OIG reviews and federal and state security directives (e.g. USA Patriot Act of 2001).
Observations/Findings and Recommendations: Due to the nature of the information that is contained in this audit report, we have elected to provide details of the report to appropriate parties when requested. (§ 418.177 Texas Government Code – 2004)
Current Status: In progress.
Fiscal Impact/Other Impact: Ensures institutional resources, especially those related to research, are adequately protected from unauthorized access, use, or disclosure.


Report No.: 2004-307
Report Date: 6/28/2004
Name of Report: UTMB HealthCare Systems Clinical Staffing Office
High-Level Audit Objective(s): The objective of this audit was to provide a general assessment of administrative and operational controls over the Clinical Staffing Office.
Observations/Findings and Recommendations: Opportunities exist to strengthen controls and improve the efficiency and effectiveness of the Clinical Staffing Office (CSO). Specifically, management should:
• Ensure that specific policies and procedures for the CSO are developed, approved, and disseminated to all employees.
• Continue its efforts to recruit additional nurses.
• Continue its efforts to revise the external staffing agency contract template.
• Work with UTMB nursing management to resolve current time capture and approval issues.
• Ensure adequate segregation of duties exist between Payroll and Human Resources.
• Increase the frequency of monitoring processes to validate the accuracy of external agency billing.
Current Status: In progress.
Fiscal Impact/Other Impact: Improve the efficiency and effectiveness of the Healthcare System’s Clinical Staffing Office operations. Reduces the risk for errors, irregularities, and fraud.


Report No.: 2004-401
Report Date: 8/27/2004
Name of Report: Department of Neurology Change of Management
High-Level Audit Objective(s): The objective of these audits was to provide a general assessment of the entity's financial, administrative, and compliance control environments. A major outcome of these reviews will be the documentation and identification of significant related risk areas for responsible management's continued consideration and mitigation efforts.
Observations/Findings and Recommendations: Opportunities exist to strengthen controls over the operations in the Department of Neurology. Specifically, management should:
• Improve controls over cash receipts including ensuring compliance with UTMB’s Cash Handling and Reporting Policy.
• Document departmental account reviews.
• Ensure appropriate separation of duties in PeopleSoft.
• Ensure appropriate separation of duties for gift check receipts.
• Ensure that all financial and progress reports for research projects are filed timely.
• Develop a recruitment and retention plan.
Current Status: In progress. Separation of duties for gift check receipts: This action has been completed
Fiscal Impact/Other Impact: Reduces the risk for errors, irregularities, and fraud.

University of Texas Medical Branch Institutional Organization Chart

OFFICE OF THE PRESIDENT
President
Executive Vice President

Vice President Business & Administration
Dean, School of Nursing
Chief Financial Officer
Dean, Graduate School of Bio. Sciences
COO & Director of Patient Care Services
Dean, School of Allied Health Sciences
Affirmative Action
Dean, School of Medicine
Audit Services
Vice President for Research
Legal Affairs
Vice President for University Advancement
Inst. Compliance
Vice President for Community Outreach
Cost Reimbursements
Correctional Care
V. Report on Other Internal Auditing Activities
Report No. | Report Date | Name of Report | High-Level Audit Objective(s) | Observations/Findings and Recommendations | Current Status (with brief description if not yet implemented) | Fiscal Impact/Other Impact

Report No.: 2004-602
Name of Report: Internal Controls & Accountability/Training Phase II
High-Level Audit Objective(s): We will continue our efforts in conjunction with Financial Services and Business Affairs – to identify areas for special review and/or internal control accountability training. Targeted areas will be those that might not otherwise meet specific criteria for audit consideration.
Observations/Findings and Recommendations:
• Facilitated the completion of baseline Internal Controls self-assessments by senior and executive management. Provided a summary of results to entity leaders and Financial Services for further action.
• Developed an executive level training session on internal controls. Provided classroom training to senior and executive management.
• Reviewed and commented on the draft Management Responsibilities Handbook.
Current Status: Completed
Fiscal Impact/Other Impact: Reinforces management’s responsibility and accountability for ensuring effective internal control systems are in place and functioning throughout the institution.

Report No.: 2004-603-A
Name of Report: Institutional Business Assurance/ACL Initiative
High-Level Audit Objective(s): UTMB has contracted with ACL to provide continuous monitoring scripts that will assist management in monitoring activity within the PeopleSoft application. In addition to these standard reports, management has expressed the need to run ad-hoc reports, and Audit Services has assisted them in running ACL to retrieve specific data from our financial reporting system. We expect this to continue in FY 2004 until the processing departments are well-trained in the use of ACL.
Observations/Findings and Recommendations: These efforts are ongoing and there have been no observations or recommendations requiring action.
Current Status: Completed
Fiscal Impact/Other Impact: Ensure monitoring of account activity – insure compliance with state and federal regulations.


Report No.: 2004-002
Name of Report: Accounts Receivable and Allowance for Bad Debts
High-Level Audit Objective(s): The objective of this audit was to review the methodology used for valuing the (net) accounts receivable and to determine the reasonableness of the allowance for doubtful accounts balance as of August 31, 2003.
Observations/Findings and Recommendations: We performed work on Accounts Receivable and Allowance for Bad Debt balances in conjunction with an Agreed Upon Procedures engagement performed by PricewaterhouseCoopers (PC). Procedures performed and observations made were communicated to Financial Management in a report prepared by PC.
Current Status: Completed
Fiscal Impact/Other Impact: Ensure accurate financial reporting.

Report No.: 2004-003
Name of Report: Financial Data Accumulation & Financial Reporting Interfaces
High-Level Audit Objective(s): The objective of this project was to review and assess transaction flow and reconciliation processes between major subsidiary systems and the general ledger at 8/31/03 for the purposes of giving management assurances as to accuracy and gathering information which will assist in Sarbanes-Oxley-related control activities.
Observations/Findings and Recommendations: We performed work in this area, specifically on Accrued Liability balances, in conjunction with an Agreed Upon Procedures engagement performed by PricewaterhouseCoopers (PC). Procedures performed and observations made were communicated to Financial Management in a report prepared by PC.
Current Status: Completed
Fiscal Impact/Other Impact: Ensure accurate financial reporting.

Report No.: 2004-211
Name of Report: IT Vulnerability Assurance Audit & Action Plan Follow-Up
High-Level Audit Objective(s): The objective of the audit was to provide UT System with status updates on how UTMB is making progress on the action plans from the FY 2003 Inventory and Vulnerability Assessments. Audit Services will track and report status updates to the UT System Audit Office (UTSAO) on a quarterly basis or an alternative schedule as deemed by the UTSAO.
Observations/Findings and Recommendations: Due to the nature of the information that is contained in this Information Technology Audit report, we have elected to provide the details of the report to appropriate parties when requested.
Current Status: In Progress
Fiscal Impact/Other Impact: Minimizes the risk of business interruptions.


Name of Report: TAC 202 Information Security Audit
High-Level Audit Objective(s): Since UTMB Information Services has hired a firm to perform a review to comply with Texas Administrative Code (TAC) 202, Audit Services will perform a Follow-up on the action plans that address the issue in the review. If the review does not provide coverage that would have been done in a TAC 202 audit, Audit Services will then conduct an audit to determine whether UTMB complies with TAC 202.
Observations/Findings and Recommendations: Due to the nature of the information that is contained in this Information Technology Audit report, we have elected to provide the details of the report to appropriate parties when requested.
Current Status: In Progress
Fiscal Impact/Other Impact: Minimizes the risk of business interruptions.

Appendix A

Fiscal Year 2005 Work Plan


The University of Texas Medical Branch at Galveston
Office of Audit Services

A
Budgeted

Priority
Audit/Project Hours % of Total Description

Key Financial and Operating Information


System-wide Audits
External Financial Statement Audit4 1500 1500 9 The objective of this project is to assist with the external financial statement audit
of the University of Texas System for FY 2005. This project includes hours for
training of staff on the external auditor's working papers, cutoff procedures on
8/31/04 financial statement balances, testing of capitalized assets, and performing
interim work for the external auditors in accordance with contract requirements set
forth by UT System.

Financial Audits
Financial Statement Project - Wire Transfers and ACH Transactions 450 450 9 Audit Services will perform additional financial statement work in the area of Cash.
The exact scope of the project will depend on the scope of the external audit and
the areas of risk that may not be addressed during that audit. The primary focus will
be on controls over wire transfers.
Financial Statement Project - Transfers and Adjusting / Closing Entries 430 430 9 The objective of this review is to determine whether all journal entries, including
but not limited to adjusting entries, closing entries, and transfers, are adequately
supported, necessary and reasonable, and properly approved.

ARP/ATP Grants 250 250 9 The objective of this audit is to verify that State of Texas ARP/ATP grant funds
were expended in accordance with program guidelines.
MSRDP Financial Review 430 430 9 The objective of this review is to perform financial analysis of selected MSRDP
revenues and expenditures in accordance with BPM 31.
Family Practice Residency Programs 100 100 9 The objective of this audit is to ensure that Texas Higher Education Coordinating
Board funds were expended in accordance with program guidelines.
Facilitated Self Assessments of Management-Controlled Moderate Risk Areas 470 During the risk assessment, areas of moderate risk were identified in which
management controls should be in place to mitigate those risks to an appropriate
level. Rather than full-scope audits, facilitated self-assessments will be utilized to
reach this large and important area of financial operations.

Financial Consulting
Cost Savings Report 200 200 9 As required by UT System, we will be reviewing the Cost Savings Report,
prepared by the institution, to evaluate the reasonableness of the information
presented therein.
Reserve for Just-in-Time Auditing/Advisory Services - TBA 300 This reserve will be used to respond to management requests for audit/advisory
assessments in emerging high-risk areas.

Key Financial and Operating Information Subtotal 4130 22% 3360 23%

Institutional Compliance
Compliance Program Audits
Human Subjects Protection 425 425 9 The objective of this audit will be to provide validation of the 2004 Action Plan for
Implementation in the area of Human Subjects Protection.

Biodefense Regulations and Security 450 450 9 The objective of this audit will be to provide validation of the 2004 Action Plan for
Implementation in the area of Biodefense Regulations and Security.

DRAFT - 10/28/2004 1

Student Financial Aid 500 The objective of this audit is to assess the controls in place to ensure compliance
with federal guidelines related to Student Financial Aid Programs.

Compliance Consulting
Reserve for Just-in-Time Auditing/Advisory Services - TBA 200 200 9 This reserve will be used to respond to management requests for audit/advisory
assessments in emerging high-risk areas.

Institutional Compliance Subtotal 1575 9% 1075 7%

Information Technology
Information Technology Audits
Application Reviews 1050 1050 9 The objective of the audit is to provide technical assistance to the operational
auditors during the review of applications.

Decentralized IT Operations and Server Reviews 400 400 9 The objective of this audit is to determine if the following is performed in
compliance with UTMB Information Resource Policies and Practice Standards for
the selected servers that will be reviewed:
• Existing system security parameters are configured appropriately.
• System is configured to prevent unauthorized access to critical application, data
and system resources.
• Adequate controls are in place over the configuration of user profiles.
• System level security is configured to protect critical data files and to protect
production programs.
• Security events are logged and monitored.

HIPAA 100 50 9 Audit Services will participate in various aspects of HIPAA readiness preparation.
This may include design and implementation reviews of specific elements of the
HIPAA requirements.

Kronos (electronic timekeeping system) 200 200 9 The objective of this audit is to ensure the reliability and integrity of information and
safeguarding of assets through a review of the following: usage policies, access
controls, backup and recovery procedures, audit trails, system parameters,
monitoring and system administration practices.

Third Party Services 300 The objective of this audit is to ensure that roles and responsibilities of third parties
are clearly defined, adhered to, and continue to meet business requirements.

Pathology Laboratory Information Systems 300 300 9 The objective of this audit is to ensure the reliability and integrity of information and
safeguarding of assets through a review of the following: usage policies, access
controls, backup and recovery procedures, audit trails, system parameters,
monitoring and system administration practices.

Matrix Management 400 400 9 The objective of this audit is to assess the design and effectiveness of the
institutional processes in place to manage the security program.

System Design Assessment / Reassessment for Major Conversion Projects 300 150 9 The purpose of this project is to provide consulting services during major system
conversions.

Follow-up Activities3 200 200 9 The objective of these reviews is to perform follow-up activities on the significant
audit issues reported in previous audit engagements.

Information Technology Consulting

IT Standing Committees 250 250 9 The objective of these meetings is to participate, gain knowledge, and provide
advisory services on UT System and institutional committees.

Facilitated Self Assessments of Management-Controlled Moderate Risk Areas 200 During the risk assessment, areas of moderate risk were identified in which
management controls should be in place to mitigate those risks to an appropriate
level. Rather than full-scope audits, facilitated self-assessments will be utilized to
reach this large and important area of IT operations.

Reserve for Just-in-Time Auditing/Advisory Services - TBD 335 This reserve will be used to respond to management requests for audit/advisory
assessments in emerging high-risk areas.

Information Technology Subtotal 4035 22% 3000 20%

Core Business Processes


Core Business Processes Audits
Human Resources 800 800 9 We will conduct a risk assessment of the Human Resources / Human Capital
Management process to determine appropriate objectives for detailed audit testing.
This will include an assessment across functional areas, including both the
departments of Human Resources and Payroll Services.

Correctional Managed Care 500 500 9 We will conduct a risk assessment of the Correctional Managed Care areas to
determine the appropriate objectives for detailed audit review.

Managing Patient Information 500 500 9 We will conduct a risk assessment of the critical system applications involved in
collecting and managing patient information to determine the appropriate
objectives for detailed audit review. This may include controls to ensure patient
information is current and complete, secured to ensure privacy, and available
when needed.
Construction Project Management / Capital Projects 375 375 9 This project will be outsourced to a firm with experience in Construction Auditing.
The objective of this review is to perform an operational review of project
management procedures and documentation for non-OFPC managed construction
projects. This may include selection processes, contracting, change orders, and
monitoring of budgets and schedules.
Certified Not-For-Profit Health Corporation (CNPHC) Audits/Projects TBA 500 250 9 Audit Services has agreed to perform internal auditing services for UTMB
HealthCare Systems, Inc., a nonprofit healthcare organization certified under
Section 5.01(a) of the Texas Medical Practice Act. Our risk assessment for the
CNPHC is continually updated with management and the CNPHC Audit
Committee to consider changes in the business lines.

Charge Automation 600 400 9 The objective of this audit is to evaluate the effectiveness and efficiency of the
ClinWeb application and its supporting processes for capturing and processing
outpatient professional and technical fee charges. Scope considerations include,
but are not limited to, the completeness, accuracy, and timeliness of the current
processes.

Core Business Consulting


System Design Assessment / Reassessment for Major Conversion Projects 500 500 9 The purpose of this project is to provide consulting services during major system
conversions.

Business Continuity Planning 375 375 9 This project will be outsourced to a firm with experience in Business Continuity
Planning. Previous work in this area provided input to and assessment of
business continuity plans for critical areas. This project will focus on the
effectiveness achieved in maintaining those plans and assessing the extent to
which plans have been developed across all institutional entities.

Reserve for Just-in-Time Auditing/Advisory Services - TBA 400 This reserve will be used to respond to management requests for audit/advisory
assessments in emerging high-risk areas.

Core Business Processes Subtotal 4550 25% 3700 25%

Change of Management
Change of Management Review - Department of Neurosciences and Cell Biology 350 350 9 The objective of this audit is to provide a general assessment of the entity's
financial, administrative, and compliance controls. A major outcome of these
reviews will be the documentation and identification of significant related risk areas
for management's continued consideration and mitigation efforts.

Change of Management Review - TBD 350 350 9 The objective of this audit is to provide a general assessment of the entity's
financial, administrative, and compliance controls. A major outcome of these
reviews will be the documentation and identification of significant related risk areas
for management's continued consideration and mitigation efforts.

Change of Management Subtotal 700 4% 700 5%

Follow-up
Follow-up Activities2 750 750 9 The objective of these reviews is to perform follow-up activities on the significant
audit issues reported in previous audit engagements. This will include, specifically,
a review of the follow-up activities relating to recent audits of "Research Time &
Effort Reporting" and "Basic and Clinical Research Management & Contracts and
Grants."

Follow-up Subtotal 750 4% 750 5%

Projects
Consulting Projects
Internal Control & Accountability/Training Phase II 250 200 9 We will continue our efforts, in conjunction with Financial Services and Business
Affairs, to identify areas for special review and/or internal control accountability
training. Targeted areas will be those that might not otherwise meet specific
criteria for audit consideration.
Enterprise-wide Risk Management (ERM) 250 150 9 This project will provide facilitation assistance to management in the formative
stages of considering and possibly implementing a system of enterprise-wide risk
management (ERM).

UTMB Compact 200 The objective of this review is to validate the achievement of UTMB's Compact
with the Chancellor to determine the progress made toward stated goals.

Governor's Executive Order on Fraud Prevention and Detection 200 100 9 This project will provide facilitation assistance to management in the formative
stages of implementing the 2004 Governor's Executive Order on Fraud Prevention
and Detection.

Consulting Projects Subtotal 900 450

Other Projects
Investigations4 500 350 9
Internal Quality Assurance Activities4 250 250 9
Service Delivery Support Activities4 400 400 9
Institutional Risk Assessment and Work Plan Development4 300 300 9
Liaison with External Auditors4 100 100 9
Audit Services' Web Site Upgrade4 100 100 9

On-the-job Training 126 126 9

Other Projects Subtotal 1776

Projects Total 2676 15% 2076 14%

Total Hours 18416 100% 14661 Total Hours for Priority Projects
80%

Notes

2 Additional hours for this audit/project are included for IT audit personnel in the Information Technology (IT) segment of the work plan
3 Additional hours for this audit/project are included for non-IT audit personnel in other segments of the work plan
4 Includes time for general audit and IT audit personnel
