Audit and Compliance Committee - Agenda
THE UN IVERS ITY OF TENNESSEE BOA RD OF TRUST EES
AUDIT AND COMPLIANCE COMMITTEE
2:00 p.m. ET/1:00 p.m. CT 8th Floor Conference Room Monday Andy Holt Tower February 3, 2020 1331 Circle Park Knoxville, Tennessee 37996
AGENDA
Public Session
I. Call to Order
II. Roll Call
III. Consent Agenda ...... Tab 1
Action Item A. Approval of Minutes from Last Meeting ...... Tab 2
Information Items B. 2019 Audit Plan Update ...... Tab 3 C. 2019 Outstanding Audit Issues ...... Tab 4 D. Travel Exception Report ...... Tab 5
IV. Office of Emergency Management – Annual Report ...... Tab 6
V. 2020 Internal Audit Plan – Action Item ...... Tab 7
VI. 2020 Institutional Compliance Workplan – Action Item ...... Tab 8
VII. 2020 IT Security - External Assessment Update
VIII. Other Business Note: Under the Bylaws, items not appearing on the agenda may be considered only upon an affirmative vote representing a majority of the total voting membership of the Committee. Other business necessary to come before the Committee at this meeting should be brought to the Committee Chair’s attention before the meeting.
IX. Adjournment
1 Audit and Compliance Committee - Consent Agenda 1
THE UN IVERSITY OF TENNESSEE BOARD OF TRUSTEES
AGENDA ITEM SUMMARY
Meeting Date: February 3, 2020
Committee: Audit and Compliance
Item: Consent Agenda
Type: Action
Presenter: Amy Miles, Committee Chair
Certain action items have been placed on the Committee Consent Agenda. These items will not be presented or discussed in the Committee unless a Committee member requests removal of an item from the Consent Agenda. In accordance with the Bylaws, before calling for a motion to approve the Consent Agenda, the Committee Chair will ask if any member of the Committee requests that an item be removed from the Consent Agenda. The Bylaws provide that an item will not be removed from the Consent Agenda solely for the purpose of asking questions for clarification. Those questions should be presented to the Secretary before the meeting.
Committee Action
If there are no request to remove an item from the Consent Agenda, the Committee Chair will call for the prepared motion below, a second, and a voice vote. If the motion passes, the items requiring Board approval will go forward to the Consent Agenda of the full Board meeting.
Motion: I move that
1. Minutes of the September 25, 2019 meeting of the Committee be approved as presented in the meeting materials, provided that the Secretary be authorized to make any necessary edits to correct spelling errors, grammatical errors, format errors, or other technical errors subsequently identified.
2 Audit and Compliance Committee - Approval of Minutes from Last Meeting 2
THE UNIVERSITY OF TENNESSEE BOARD OF TRUSTEES
MINUTES OF THE AUDIT AND COMPLIANCE COMMITTEE
September 25, 2019 Knoxville, Tennessee
The Audit and Compliance Committee of The University of Tennessee Board of Trustees met at 2:00 p.m. EDT on September 25, 2019, in the Andy Holt Tower in Knoxville, Tennessee.
I. CALL TO ORDER
Ms. Amy Miles, Chair, called the meeting to order.
II. ROLL CALL
Mr. Brian J. Daniels, Chief Audit and Compliance Officer, called the roll, and the following Audit and Compliance Committee members were present:
Ms. Amy Miles Mr. Brad Box (by video) Mr. D. Crawford Gallimore (by telephone) Mr. Decosta Jenkins (by video) Mr. John Compton (by telephone)
Mr. Daniels announced the presence of a quorum. In compliance with the Open Meetings Act, Mr. Box, Mr. Gallimore, Mr. Jenkins, and Mr. Compton indicated no others were present at their locations. Those present in Knoxville included Mr. Randy Boyd, interim president; Mr. David Miller, chief financial officer; Dr. Herb Byrd, vice president of the Institute for Public Service (IPS); staff from the Office of Audit and Compliance (OAC), and other members of the UT administrative staff.
Page 1 of 6 Audit and Compliance Committee September 25, 2019
3 Audit and Compliance Committee - Approval of Minutes from Last Meeting 2
III. CONSENT AGENDA
Chair Miles asked whether any committee member would like to remove an information item from the Consent Agenda for discussion. Hearing no requests, she called for a motion that the minutes of the April 17, 2019, meeting be approved as presented in the meeting materials. Mr. Jenkins moved approval of the minutes, and Mr. Compton seconded. A roll call vote followed, and the motion carried unanimously.
IV. INFORMATION TECHNOLOGY UPDATE
Mr. Jim Purcell, manager of information technology audits, presented an update on the University’s information technology (IT) security posture. He described improvements resulting from a 2014 external security posture assessment performed by the firm BerryDunn, including an expansion of system-wide IT policies, campus/institute security plans, an IT Security Community of Practice for sharing information, and a requirement that data owners in departments and colleges develop plans to secure information they control. Chair Miles asked whether data owners had guidelines and standards for developing their plans, and Mr. Purcell responded each campus had its own guidelines based on standards developed by the National Institute for Standards and Technology (NIST).
In 2017, Mr. Purcell explained, the University adopted NIST’s Cybersecurity Framework (CSF) as a means of measuring IT security posture. He noted this framework offers a more realistic measure of information security because it acknowledges that breaches will occur and addresses an organization’s ability to detect, respond, and recover from these events in addition to identifying ways to protect information. Each UT campus and institute performed a self-assessment using this framework and determined that implementation of methods to detect breaches currently represented the largest risk for the University.
Mr. Purcell stated that OAC conducted audits of each campus and institute in 2019 to verify compliance with system-wide IT security policies. OAC found good compliance overall, but identified a need for campuses and institutes to assess the implementation of the security plans they have developed and to develop continuous monitoring for detecting security breaches. Mr. Purcell indicated that Page 2 of 6 Audit and Compliance Committee September 25, 2019
4 Audit and Compliance Committee - Approval of Minutes from Last Meeting 2
every campus and institute has a remediation plan for addressing all outstanding issues by the end of 2020. Chair Miles asked Mr. Purcell if the work effort needed for remediation was the reason for the 2020 implementation date and whether he felt comfortable with that timeline. Mr. Purcell responded that some campuses had challenges to overcome, but most were ahead of schedule. Mr. Les Matthews, UT System chief information officer, commented that he had a high comfort level with the timeline, given the tremendous amount of work done over the past two years on detection methods and the identification of new risks and mitigation plans to address those risks. Mr. Robert Ridenour, UT System chief information security officer, added that he works with campus and institute chief information officers at least monthly regarding future plans and ways to collaborate.
Mr. Purcell described OAC’s next steps—monitoring completion of outstanding issues from the 2019 audits, partnering with campus and institutes to assess the implementation of their security plans, and initiating either an internally or externally led system-wide security posture assessment in 2022 or 2023.
Chair Miles suggested accelerating the timeline for conducting another comprehensive assessment, given the significance of information security, the fact that the last such assessment occurred in 2014, and the projection that campuses and institutes will have completed their mitigation plans by the end of 2020. Mr. Gallimore and Mr. Boyd concurred with accelerating the timeline.
Mr. Daniels commented that he agreed with the immediacy of addressing this topic and observed that while the campuses and institutes have done good work, there is an opportunity to be strategic as well as tactical by taking a system-wide approach. He explained the intention to map internal audit’s work to the Cybersecurity Framework to align with the efforts of information security officers and to focus on assessing detection functions. He stated he would add the topic of accelerating an external assessment to the Committee’s January meeting agenda.
Mr. Jenkins asked whether there were any high risk issues that needed to be brought to the Committee’s attention, and Mr. Daniels responded he was not aware of any gap in controls, but that OAC would continue to monitor and is ready to conduct its annual risk assessment in preparation for developing the 2020 audit
Page 3 of 6 Audit and Compliance Committee September 25, 2019
5 Audit and Compliance Committee - Approval of Minutes from Last Meeting 2
plan, which would provide an opportunity to identify any high risk areas. Mr. Matthews commented that the system-wide information security office conducts a risk assessment and prioritizes its work plan to focus on high-risk areas.
Mr. Miller informed the Committee of the system-wide IT security training that is mandatory for all employees. Mr. Matthews explained the University purchased various training modules, and campuses and institutes identify the specific modules to deliver at their locations.
V. UPDATE ON CORRECTIVE ACTIONS IN RESPONSE TO THE 2017 SUNSET REVIEW OF THE TENNESSEE FOREIGN LANGUAGE INSTITUTE/ TENNESSEE LANGUAGE CENTER
Dr. Byrd explained that the General Assembly established the Tennessee Foreign Language Institute (TFLI) in 1986 to help recruit foreign businesses to the state. In 2018, the General Assembly passed legislation transferring responsibility for the TFLI from the Tennessee Board of Regents to UT’s Institute for Public Service, where it has been renamed the Tennessee Language Center (TLC).
Dr. Byrd described the actions taken to address the four findings noted in the 2017 sunset audit. TLC has improved controls over cash handling by segregating duties as required by UT fiscal policy. Also, whenever writing grant proposals, TLC is now differentiating the fiscal responsibilities of the TFLI Fund, a nonprofit fundraising entity with a separate governing board, from the programmatic responsibilities of the TLC, a former point of confusion. IPS fiscal staff are overseeing the contract process, ensuring compliance with UT fiscal policy. TLC is expanding its client base by collaborating with other IPS agencies to promote services to their constituents. Dr. Byrd also noted the TFLI governing board was dissolved, and IPS plans to appoint an advisory board for TLC.
Mr. Gallimore asked whether there was any connection between TLC and the English Language Institute in Knoxville, and Dr. Byrd replied that the two entities are not related.
Page 4 of 6 Audit and Compliance Committee September 25, 2019
6 Audit and Compliance Committee - Approval of Minutes from Last Meeting 2
VI. AFFILIATION AGREEMENT WITH UNIVERSITY CLINICAL HEALTH, INC.
Mr. Ryan Stinnett, deputy general counsel, addressed a question from the April Committee meeting about the University’s liability for the financial obligations of University Clinical Health (UCH), one of the UT Health Science Center’s faculty practice plans. The Office of the General Counsel (OCG) determined there was no language in the UCH agreement, as there is in other practice plan agreements, about this issue. Although OCG did not consider the omission to be a significant risk, the staff thought it appropriate to minimize financial and legal risks by drafting an amendment to the current agreement.
The amendment added the following provisions: 1) UCH is solely responsible for all debts and other financial liabilities of its practice, and its debts, liabilities, and obligations are not those of the state or the University, 2) the University is not waiving its or the state’s sovereign immunity, and 3) UCH and the University are not acting as agents of each other.
Mr. Stinnett indicated that Mr. Anthony Ferrara, UT Health Science Center vice chancellor for finance and operations, met with UCH officials who concurred with the amendment; the agreement was executed and became effective as of September 17, 2019.
Mr. Stinnett noted the language in the amendment is similar to that in an existing affiliation agreement between the University and Erlanger Health System. Chair Miles commented that the language in the Erlanger agreement and the UCH amendment, with any necessary adjustments, could be a template for future agreements. Mr. Stinnett agreed.
VII. INSTITUTIONAL COMPLIANCE
Mr. Bill Moles, director of institutional compliance, described progress toward implementing recommendations from an external review of the University’s institutional compliance function conducted by consulting firm Baker Tilly in 2018. To engage senior leaders in discussions of compliance risks, OAC held meetings with executives at UT Chattanooga, UT Martin, and the Institute for Public Service. Executive owners for compliance areas have been assigned at UT Knoxville, UT Chattanooga, and the UT System Administration. An effort to monitor procurement card purchases using data analytics was undertaken to evolve compliance and risk monitoring and analytics. A system-wide compliance roundtable scheduled for November will assist with sharing leading practices
Page 5 of 6 Audit and Compliance Committee September 25, 2019
7 Audit and Compliance Committee - Approval of Minutes from Last Meeting 2
across the University. To leverage the compliance-oriented perspectives of the Office of the General Counsel, a member of that office now sits on the UT System Administration Institutional Compliance Committee. Chair Miles observed Baker Tilly concluded the University had an effective bottom-up approach to compliance, but provided recommendations to ensure the top-down approach was equally sound.
Mr. Moles described other key accomplishments during 2019, including work on risk mitigation at UT Martin, the UT Institute of Agriculture, and IPS. He presented the key risk areas identified by those entities.
Mr. Miller asked whether the risk areas listed were potential risks as opposed to known problems, and Mr. Moles responded that campus and institute compliance officers identified these areas as having control weaknesses and, in some cases, violations.
Chair Miles commented the Committee should discuss at a future meeting how to link strategic planning, compliance, and risk, particularly to ensure the University is identifying the risks to achieving its strategic plan goals.
VIII. OTHER BUSINESS
The Chair called for any other business to come before the Audit and Compliance Committee. There was none.
IX. ADJOURNMENT
There being no further business to come before the Audit and Compliance Committee, the meeting was adjourned.
Respectfully Submitted,
______Brian J. Daniels Chief Audit and Compliance Officer
Page 6 of 6 Audit and Compliance Committee September 25, 2019
8 Audit and Compliance Committee - 2019 Audit Plan Update
THE UNIVERSITY OF TENNESSEE 3 BOARD OF T'RUSTEES
AGENDA ITEM SUMMARY
Meeting Date: February 3, 2020
Committee: Audit and Compliance
Item: 2019 Audit Plan Update
Type: Written Report
Presenter: Brian J. Daniels, Chief Audit and Compliance Officer
Background As required by the International Standards for the Professional Practice of Internal Auditing, a risk-based audit plan is developed each year and approved by the Audit and Compliance Committee. The Committee approved the 2019 plan in January.
Following is the plan’s status as of December 31, 2019. Additions, cancellations, and deferrals (scheduled, but not started; deferred to 2020) are in the left-hand column.
UT System and System Administration Engagements
Self-Assessment of Controls Complete E-commerce Pre-Approvals Complete Security Plan Assessments Complete Audit Follow-Up Complete Complete College Tennessee Act (2019) Complete President's Office Complete Conflict of Interests In Progress General and Application Controls—ANDI In Progress General and Application Controls—K@TE Complete Effort Reporting (College of Veterinary Medicine) In Progress Deferred Effort Reporting (College of Nursing) Scheduled Complete College Tennessee Act (2018) Complete Procurement Card Fraud Review Complete Payroll Data Analytics Complete Discounts for Dependents Complete Renewal and Replacement Funds Complete Added* Clery Act Compliance In Progress
*OAC broadened the scope of two planned campus-based audits (HSC and UTC) in order to assess Clery Act compliance throughout the entire UT System.
9 Audit and Compliance Committee - 2019 Audit Plan Update
THE UNIVERSITY OF TENNESSEE 3 BOARD OF T'RUSTEES
UT Knoxville Engagements
Chancellor’s Office Complete Emergency Management In Progress Athletics Debit Cards for Student Travel Complete Export Controls In Progress Key Business Controls Assessment In Progress UTSI—IT Security Complete Student Life—IT Security In Progress Added Department of Supply Chain Management In Progress Deferred Athletics NCAA Compliance—Eligibility (2019) Scheduled Theatre—IT Security In Progress Cancelled* WUOT Radio Center (External Audit Assist) Cancelled Registrar—Banner Interface Security Audit Complete Vine School Health Center—HIPAA Security Complete Bursar’s Office Reconciliation Process Complete Research Compliance Complete Renewal and Replacement Funds Complete Added McClung Museum Procurement Card Purchases Complete
*External auditors did not require assistance this year.
UT Health Science Center Engagements
Cash Controls Complete University Health Services Revenue In Progress College of Dentistry Inventory Complete Cancelled* Key Business Controls Assessments Scheduled Collaborative Research Network Awards Complete Added College of Pharmacy Continuing Education Contracts Complete Deferred Office of Sponsored Programs Scheduled Consolidated** Clery Act Compliance Cancelled Programs for Minors Complete Renewal and Replacement Funds Complete College of Pharmacy Grant Accounting Complete
*OAC cancelled this audit because of resource constraints and reassignment of auditor time to higher priority projects. HSC team members were assigned to complete projects at UT Martin due to an auditor vacancy there and to the system-wide Clery Act Compliance audit.
**Campus Clery activities included in a system-wide audit of Clery Act Compliance (see UT System and System Administration).
10 Audit and Compliance Committee - 2019 Audit Plan Update
THE UNIVERSITY OF TENNESSEE 3 BOARD OF T'RUSTEES
UT Chattanooga Engagements
Programs for Minors Complete Athletics NCAA Compliance: Recruitment (2018) Complete Deferred Athletics NCAA Compliance Eligibility (2019) Scheduled WUTC Radio Station (External Audit Assist) (2019) In Progress Consolidated* Clery Act Compliance Cancelled Office of Financial Aid In Progress Key Business Controls Assessment In Progress Deferred University Housing Scheduled IT Security Policy Audit Complete WUTC Radio Station-External Assist (2018) Complete Renewal and Replacement Funds Complete
*Campus Clery activities included in a system-wide audit of Clery Act Compliance (see UT System and System Administration).
UT Martin Engagements
Summer Camps Cash Receipts Complete Deferred Athletics NCAA Compliance: Eligibility (2019) Scheduled OVC Special Assistance Funds Complete IT Security Policy Complete Renewal and Replacement Funds Complete Cancelled* Chancellor’s Office Cancelled
*OAC cancelled this audit because of a staff vacancy. The audit was scheduled as part of the statutorily mandated annual audit of chancellors; this cancellation did not adversely affect compliance with the statute.
UT Institute of Agriculture Engagements
Extension County Offices (2019) In Progress Lone Oaks Farm In Progress Entomology and Plant Pathology--IT Security In Progress Extension County Offices (2018) Complete Added Extension Laptop Order In Progress Renewal and Replacement Funds Complete
UT Institute of Public Service
Tennessee Language Center In Progress Renewal and Replacement Funds Complete
11 Audit and Compliance Committee - 2019 Outstanding Audit Issues
THE UNIVERSITY OF TENNESSEE
BOARD OF T'RUSTEES 4
AGENDA ITEM SUMMARY
Meeting Date: February 3, 2020
Committee: Audit and Compliance
Item: 2019 Outstanding Audit Issues
Type: Written Report
Presenter: Brian J. Daniels, Chief Audit and Compliance Officer
Background
During an audit, management develops action plans for implementing recommendations or otherwise reducing the risk(s) associated with each issue auditors identify. The action plan includes an estimated date for implementation. Auditors follow up with management soon after the estimated implementation date to determine the status.
Following are outstanding audit issues as of December 31, 2019. The designation “outstanding” indicates management has not fully implemented the action plan or auditors have not verified the implementation.
T he Chief Audit and Compliance Officer is responsible for notifying the Audit and Compliance Committee and the University’s executive leadership of any undue risk caused by the lack of timely implementation. No undue risk was identified during this reporting period.
12 Audit and Compliance Committee - 2019 Outstanding Audit Issues
THE UNIVERSITY OF TENNESSEE OUTSTANDING AUDIT ISSUES As of December 31, 2019 4
Audit Issue* Report Estimated Revised Status Date Implementation Implementation Date Date System Phishing Security Controls Workstation Administrative Access 11/30/2017 7/2/2018 6/30/2020 1 UTK IT Security Policy Compliance Security Controls Assessment 10/29/2018 12/31/2019 3/2/2020 1 UTIA IT Security Policy Compliance Application Security Plans 11/15/2018 12/30/2019 3/2/2020 1 System IT Security Policy Compliance Application System Security Plans 12/10/2018 6/28/2019 3/2/2020 1 UTK Research Compliance Data Analytics Tracking and Reporting Noncompliance 6/6/2019 8/1/2019 1/31/2020 1 UTK Banner Interface Security Audit Interface Strategy and Design 7/25/2019 2/28/2020 N/A 2 System General & Application Controls (K@TE) System Administrator Authentication 11/18/2019 6/1/2020 N/A 2 UTM Camp Administration Processes Cash Receipts for Unidentified Campers 11/21/2019 8/31/2020 N/A 2
*This report contains issues auditors considered high risk.
Status 1 For projects with estimated implementation dates before or on December 31, 2019, auditors have discussed with management all actions taken thus far, determined that satisfactory progress toward implementing agreed-upon action plans has been made, and identified a revised implementation date and/or a time for auditors to follow up for verification that the issue has been satisfactorily addressed.
2 Auditors will follow up with management soon after the estimated implementation date to confirm status.
13 Audit and Compliance Committee - 2019 Outstanding Audit Issues
Summary of Outstanding Audit Issues 4 The table below shows high-risk audit issue activity from August 31, 2019 (as reported in the September 25 Audit and Compliance Committee meeting) through December 31, 2019:
Time Period Number of Issues Outstanding Audit Issues as of August 31, 2019 19 Issues Added as of December 31, 2019 2 Issues Implemented from August 31 through December 31 13 Remaining Outstanding Audit Issues as of December 31, 2019 8
14 Audit and Compliance Committee - Travel Exception Report
THE UNIVERSITYOF TENNESSEE OFFICE OF THE CHIEFFINANCIAL OFFICER
David L Miller Chief FinancialOfficer 5
MEMOR ANDU M
TO: Audit and Compliance Committee Mr. John Compton, Chair of the Board of Trustees Ms. Amy Miles, Chair, Audit and Compliance Committee Mr. Bill Rhodes, Chair, Finance and Administration Committee
FROM: Mr. David Miller
DATE: January 14, 2020
SUBJECT: Travel Exception Report
The Board of Trustee's policy on travel requires the university to report to the Audit and Compliance Committee any travel exceptions approved on behalf of the President, employees in the President's Office, senior-level administrators, or the Sr. Vice President and Chief Financial Officer. For the quarters, ended September 30, 2019 and December 31, 2019, there were four exceptions approved in accordancew ith the Board''s policy.
On four occasions, Mr. Anthony Haynes, Vice President for Government Relations and Advocacy, traveled to Knoxville for business during UT Knoxville football games and was unable to obtain the university's lodging rate for the weekend. In all instances, he stayed at a Hampton Inn and the rate was reasonable for the four separate stays.
If you have any questions, please let me know. c: Mr. Randy Boyd Mr. Brian Daniels Mr. Anthony Haynes Mr. Mark Paganelli
·• Oirde Drive , • •
15 Audit and Compliance Committee - Office of Emergency Management - Annual Report
6
OFFICE OF EMERGENCY MANAGEMENT ANNUAL REPORT 2018 – 2019 FISCAL YEAR
16 Audit and Compliance Committee - Office of Emergency Management - Annual Report
Table of Contents 6
Executive Summary 3
UT System Report 4
UT Knoxville Report 5
UT Chattanooga Report 7
UT Martin Report 9
UT Health Science Center 10 Report
Emergency Management 11 Contacts
2018-2019 University of Tennessee Emergency Management Annual Report 2
17 Audit and Compliance Committee - Office of Emergency Management - Annual Report
6
OFFICE OF EMERGENCY MANAGEMENT ANNUAL REPORT 2018 – 2019 FISCAL YEAR
18 The image part with relationship ID rId8 was not found in the file.
Audit and Compliance Committee - Office of Emergency Management - Annual Report
THE UNIVERSITYOF
TENNESSEE 6 EXECUTIVE SUMMARY
The University of Tennessee Office of Emergency Management is responsible for providing university officials with guidelines to assist campuses/institutes/units in the development and maintenance of plans and procedures that meet emergency prevention/mitigation, preparedness, response and recovery requirements within the National Incident Management System and the Tennessee Emergency Management Plan.
These plans and procedures help ensure that all campuses/institutes/units are able to respond appropriately in the case of emergencies or disasters which could occur within or around the university community in order to minimize negative effects on persons and property and facilitate recovery from these incidents. Most immediate emergency response actions that involve protection from harm to persons and property are executed at the local and regional level.
Therefore, the UT System emergency management program provides general guidelines that assist campuses/institutes/units in responding to emergencies and establishes procedures to monitor the emergency preparedness activities of campuses/institutes/units. The System guidelines specify requirements that campuses/institutes/units must meet to adhere to state and federal requirements.
This report will provide an overview of the various campus level events, exercises, successes and challenges for the 2018-2019 fiscal year. It will also provide a look ahead to the 2019- 2020 fiscal year by listing the goals of each campus and institute and well as priorities for the System office.
Special thanks to all of our campus emergency managers and campus police officers for the around the clock efforts in planning and ensuring that our campuses remain safe environments for UT students, faculty, staff and the general public on an annual basis.
2018-2019 University of Tennessee Emergency Management Annual Report 3
19 Audit and Compliance Committee - Office of Emergency Management - Annual Report
SYSTEM ACHIEVEMENTS
• Sponsored and organized a higher education emergency management retreat for all universities in the state of Tennessee. • Hosted two system-wide emergency management retreats. One in the fall of 2018 at UT 6 Knoxville and one in the spring of 2019 in Franklin. • Represented the UT System on the higher education committee within the Emergency Management Association of Tennessee. The committee fosters communication and best practices from institutes of higher education throughout the state. • Continued an emergency management peer review system for all campuses based on the standards set by the Emergency Management Accreditation Program (EMAP). • Purchased a system-wide contract for weather monitoring through DTN weather solutions. • Tennessee Emergency Management Agency Director Patrick Sheehan visited all four UT campuses to tour and see the emergency facilities first-hand to assist in providing a more detailed plan for the university’s involved should a statewide disaster occur. • The System received a $10 million appropriation from the state to improve security features at all of its campuses. • Mike Gregory, director of emergency management, was named to the Advisory Committee of the National Center for Spectator Sports Safety and Security and to the board of the Emergency Management Association of Tennessee.
EVENTS IN 2018-2019 Actual Disaster, Emergencies and Disruption
• No significant events at the system level this fiscal year
TRAINING
• Completed annual requirements for the Tennessee Emergency Services Coordinator
GOALS FOR FY 2019-2020
• Hold a system- wide discussion-based exercise to test communications between campuses • Establish a system-wide task force to foster the relationship between campuses and learn what resources could be used internally in the event of a crisis on a UT campus • Host two annual meetings of system-wide emergency managers, one of which will include emergency managers from the TBR schools. • Conduct an active shooter exercise involving System administrative staff. • Place fail safe phones in all 95 ag extension offices throughout the state. • Determine the best emergency alert product to better communicate with all 250 UT System employees. • Ensure all UT System employees are provided with basic emergency management training. 2018-2019 University of Tennessee Emergency Management Annual Report 4
20 Audit and Compliance Committee - Office of Emergency Management - Annual Report
T KNOXVILLE CAMPUS ACHIEVEMENTS Includes Knoxville, Institute of Agriculture & Space Institute
• Emergency Management director serving as p resident of the state Emergency Management Association (EMAT). 6 • Created a research protection brochure to assist principal investigators. • Nearing completion of classroom locking mitigation project. • Recertified as a Storm Ready campus by the National Weather Service. • Added a Recovery Annex to the campus Emergency Operations Plan. • Facilitated the creation of a community Family Assistance Center Plan. • Added IPAWS wireless alerting to the notification capabilities. • Added new Campus Safety App LiveSafe. • Added multiple “Stop the Bleed” cabinets to high capacity venues. • UTK Public Safety Department added a public information officer position. • UTSI acquired a marked patrol car to utilize for emergencies. • UTSI upgraded hand-held radio system. The new radios allow for better communication across campus in the event of an emergency and gives designated personnel direct communication to emergency services. • A comprehensive surveillance camera system was installed at UTSI and became operational this fiscal year. This gives authorized users the ability to monitor conditions around campus in real time or to review past incidents.
EVENTS IN 2018-2019 Actual Disaster, Emergencies and Disruptions
• Heavy rain event on Feb. 23, 2019, caused some flooding damage and a sinkhole. • A minor hazard materials release in a laboratory on Aug. 12, 2018, resulted in a minor disruption to building activities but no injuries. • A water main break on Lake Loudon Boulevard created minor traffic disruptions. • An anonymous suspicious package was found on UTSI campus addressed to Bernie Sanders Campaign 2020 with no return address. UTSI officials coordinated with US Air Force security and FBI to determine contents. Air Force K-9’s sniffed for explosives, but detected none. The FBI sent an X-ray team to examine contents and open box. Contents were benign. The responsible person was identified as having no connection to UTSI, but does suffer from possible mental problems. She has been added to FBI watchlist. • UTSI had a false fire alarm in the Main Academic Building due to construction work. All personnel self-evacuated and the building was clear in a matter of minutes. This disrupted the building’s operations for approximately 30 minutes until alarm was reset and all-clear given.
2018-2019 University of Tennessee Emergency Management Annual Report 5
21 Audit and Compliance Committee - Office of Emergency Management - Annual Report
T TRAINING
• Trained 7,558 campus personnel in a variety of emergency preparedness-related deliveries. • Hosted a Joint Hazard Analysis Team exercise and joint UT / Knoxville Utilities Board 6 natural gas leak exercise. • Planned and conducted a policy group discussion exercise, no notice activation exercise and a table top exercise for the library staff. • Conducted G- 367 Emergency Management Planning for Campus Executive Policy Group. • Pursued professional development for the Office of Emergency Management by participating in Southeastern Conference Chiefs and Emergency Managers conference, International Association of Emergency Managers conference and University and College Caucus, Emergency Management Association of Tennessee conference, NCS4 conference, Tennessee higher education emergency manager meetings. Attended multiple webinars and completed numerous online courses. • UTSI conducted Emergency Operations Team meeting and table-top exercise on Dec. 7, 2018. Scenario was a nearby earthquake causing building collapse and power loss during sub-freezing temperatures. • UTSI trained approximately 70 students, faculty and staff in Emergency Management for All in FY 2019.
GOALS FOR FY 2019-2020
• Complete the effort to have a Building Emergency Action Plan for all facilities. • Increase awareness of personal safety app available for campus community. • Identify a structured approach for personnel augmentation for recovery from a major disaster. • Create a plan for manager/faculty level training for campus preparedness. • UTSI plans to update and post new exit plans for occupied buildings.
2018-2019 University of Tennessee Emergency Management Annual Report 6
22 Audit and Compliance Committee - Office of Emergency Management - Annual Report
CHATTANOOGA CAMPUS ACHIEVEMENTS 6 • Improved the communications plan with an easy-to-follow decision tree that incorporates Clery Act requirements. • Updated emergency plans and documents with the goal to achieve accreditation by the Emergency Management Accreditation Program (see Goals for FY 2019-2020). • Participated with EMAP teams for on-site review of two states’ emergency management programs. • Installed improved exit sign/egress lighting units with student green fee funds. • Held a Safe Walk across campus and a Safety Forum with the Student Government Association. • Conducted site walkthroughs and creation of response plans for the two childcare facilities, the Veterans Services office and the Aquatic Recreation Center. • Continuing with proactive testing for mold every quarter in campus housing complexes. The results give us the opportunity to address concerns before they cause complaints.
EVENTS IN 2018-2019 Actual Disaster, Emergencies and Disruptions
• Nov. 4, 2018: President Trump and Vice President Pence held a campaign rally at McKenzie Arena. The event required extensive interagency planning with campus, local and federal agencies over several days. Attendees arrived in the early morning hours for the evening start time. Though protestors were vocal outside the arena, UTC’s coordinated staffing, information gathering/sharing and response prevented significant incidents. • Jan. 29, 2019: Forecasted snow and icy conditions forced a one-day closure of campus offices and cancellation of classes. • Late February – Early March 2019: Significant rainfall inundated the Tennessee River watershed. Eighteen buildings/locations on campus were impacted, mostly by overwhelmed roof drainage and damaged ceiling tile. Scrappy Moore Field (football practice facility) suffered significant damage to the playing surface, storage building, and practice equipment. The field reopened on Aug. 5 in time for the start of summer practice. • April 10, 2019: A campus visitor tampered with the sprinkler system in the EMCS Building, creating a cascading waterfall on a stairwell from the fifth floor. Repairs into the hallways and classrooms will continue into the Fall 2019 term. • June 19, 2019: In the newly renovated Holt Hall, an electrical breaker tripped, thus cutting power to an 80-below freezer. The biological specimen contents thawed, creating a biohazard situation. Research losses could approach $100,000.
2018-2019 University of Tennessee Emergency Management Annual Report 7
23 Audit and Compliance Committee - Office of Emergency Management - Annual Report
TRAINING 6 • Conducted a full-scale active shooter exercise during Spring Break. Multiple campus and community partners participated. UTC Theatre Department faculty applied moulage on student participants. Campus and city police took part, and were supported by the fire department and emergency medical services personnel. Area hospitals and the State of Tennessee Department of Health’s Emergency Preparedness staff assisted in pre-planning discussions. • UTCPD held a tabletop exercise to follow-up on the full-scale exercise above. • Attended a National Weather Service workshop on weather assessment and warning criteria. • Deployed Stop the Bleed kits and provided training for campus police. • For the Emergency Management Association of Tennessee, UTC Emergency Services staff gave presentations at the annual conference, worked on the conference planning committee, and chaired the higher education section of EMAT. • Held monthly training topics that are were open to the campus through an initiative called SafeMocs. Pushing out improved social media content about SafeMocs. • Strongest year ever investing in professional development. Attended conferences from TN State Fire Inspector, Campus Fire Safety Conference, Disaster Recovery Institute, EMAP, International Association of Emergency Management, and the UT/TN higher education emergency managers meeting.
GOALS FOR FY 2019-2020
• Aid in the creation and testing of COOP through the use of tabletop exercise for multiple departments across campus. • Update the radio system with modern technology to improve functionality and cost-efficiency for university departments • Conduct a full-scale exercise (tornado) with the Hamilton County Emergency Management Agency. • Complete all steps and documents necessary to apply for EMAP accreditation.
2018-2019 University of Tennessee Emergency Management Annual Report 8
24 Audit and Compliance Committee - Office of Emergency Management - Annual Report
MARTIN CAMPUS ACHIEVEMENTS 6 • Holly Rowan was named new campus emergency manager/safety officer, replacing Doug Sliger who had served the campus for over 30 years. • UTM had the pleasure of Tennessee Emergency Management Association Director Patrick Sheehan visiting the campus on May 21, 2019.
EVENTS IN 2018-2019 Actual Disaster, Emergencies and Disruptions
• UTM has had no significant weather events, disasters, or emergencies in 2018-2019.
TRAINING
• Holly Rowan completed her Incident Command System training. • Attendance at Local Emergency Planning Committee (LEPC) meetings for Weakley County as well as the West Tennessee Emergency Management Association for Homeland Security District 9.
GOALS FOR FY 2019-2020
• UTM will participate in the 2019 Great Central U.S. Shake Out Earthquake Drill in October 2019. • Hold a disaster drill that will include members of the community such as West Tennessee Healthcare Volunteer Hospital. • Including TEMA for table top drills for a more in-depth review of the functionality of our Emergency Response Plan. • Visit educational outreach centers in Jackson, Parsons, Selmer, and Ripley to meet concerning their Emergency Response plans. These visits will be twice annually. • Test the broadcast speaker that sits atop the Humanities Building which has the capability to communicate to the campus community during an emergency. • Conduct a test of the Rave system for both text delivery and email delivery.
2018-2019 University of Tennessee Emergency Management Annual Report 9
25 Audit and Compliance Committee - Office of Emergency Management - Annual Report
UTHSC CAMPUS ACHIEVEMENTS
• Reduced nuisance fire alarm totals from 150 in 2016 to 30 total in 2018. Success due to 6 mitigation of typical alarm causes: steam, dust, etc…. • Completed campus safety guide and emergency preparedness quick guide for campus. In process of acquiring print services to distribute through campus. • Acquired a listserv account to inform areas of campus of hazardous weather information provided by the National Weather Service and Interactive National Weather Service. This voluntary signup added 343 members to the distribution list. • Investigating adding additional notification services (tornado, etc) to campus fire systems voice evacuation.
EVENTS IN 2018-2019 Actual Disaster, Emergencies and Disruptions
• No significant emergencies to report.
GOALS FOR FY 2019-2020
• Conduct severe weather and tornado drills campus wide. • Liaise with National Weather Service to conduct Skywarn training on campus • Complete building emergency action plans for all campus buildings • Complete National Weather Service Storm Ready Certification for campus • Continue working on hazard mitigation planning for campus • Gain approval on in process UTHSC Incident Management Handbook. This handbook is designed for use within a National Incident Management System/Incident Command System, that explains positional job requirements and structures within defined emergency situations. • Complete UTHSC revamp of emergency signage to include shelter areas, and other vital information. • Continue to introduce facility to the campus emergency management policies. • Complete re-write of the overall campus emergency management plan. • Work with human resources to implement modules to the onboarding/new employee process to provide employees basic emergency management information.
2018-2019 University of Tennessee Emergency Management Annual Report 10
26 Audit and Compliance Committee - Office of Emergency Management - Annual Report
EMERGENCY MANAGEMENT CONTACTS 6
T
UT System – Mike Gregory – 865-974-5028 – [email protected]
UT Knoxville – Brian Gard – 865-974-3061 – [email protected]
UT Knoxville – Brad Walker – 865-974-3061 – [email protected]
UT Chattanooga – Robie Robinson – 423-425-5741 – [email protected]
UT Chattanooga – Bob Jackson – 423-425-5949 – [email protected]
UT Chattanooga – Tim Pridemore – 423-425-5209 – [email protected]
UT Martin – Holly Rowan – 731-881-7583 – [email protected]
UT Health Science Center – Scott Campbell – 901-448-1334 – [email protected]
UT Space Institute – Chris Armstrong – 931-393-7208 – [email protected]
UT Space Institute – Leo Bonner – 393-7298 – [email protected]
TEMA ESC Contacts
Mike Gregory
Brian Gard
2018-2019 University of Tennessee Emergency Management Annual Report 11
27 Audit and Compliance Committee - 2020 Internal Audit Plan - Action Item
Office of Audit and Compliance Annual Internal Audit Plan For the Year ending December 31, 2020 7
UNIVERSITY OF TENNESSEE SYSTEM
28 Audit and Compliance Committee - 2020 Internal Audit Plan - Action Item
SYSTEM Overview 7 The annual plan includes five categories of work: Category Description Risk-Based & Planned engagements based on our risk 1 Compliance assessment Audits required by statute, administrative policy, 2 Annual or agreements with management 3 Special Projects Special projects and FWA investigations 4 Prior Year Audits in progress on January 1, 2019 5 Advisory Service Value-added work and consulting
THE UNIVERSITY OF TENNESSEE SYSTEM
29 Audit and Compliance Committee - 2020 Internal Audit Plan - Action Item
SYSTEM 2019 Allocation of Effort Effort 7
19% Risk-Based & Compliance
D Annual 5%
■ Special Projects 56% 11% D Prior Year
9% ■ Advisory Services
THE UNIVERSITY OF TENNESSEE SYSTEM
30 Audit and Compliance Committee - 2020 Internal Audit Plan - Action Item
SYSTEM Effort by Entity 7 Entity Hours University of Tennessee System 7,935 UTK+UTIA 3,615 UTHSC 3,015 UTC 1,810 UTM 1,630 IPS 570 Grand Total 18,575
THE UNIVERSITY OF TENNESSEE SYSTEM
31 Audit and Compliance Committee - 2020 Internal Audit Plan - Action Item
SYSTEM Risk-Based Audits 7 Risk-Based Audit -■Entity Risk-Based Audit Entity Clery Act Compliance System Export Controls -UTHSC Background Checks -■System Intellectual Property UTHSC Conflicts of Interest System HIPAA Security Rule -UTHSC Windows Server Security -■System Export Controls UTIA IT Security - Parking Services System Sponsored Projects Accounting -UTIA IT Security - Controller Office Security Plan System IT Security - TN Language Center UTIPS MSSQL Security Configuration – BI -■System Student Tuition and Fee Refunds -UTK International Travel System Programs for Minors UTK Vendor Insurance -■UTC IT Security - College of Arts & Sciences -UTK Cash Controls -■UTHSC Effort Reporting - College of Nursing UTK Office of Sponsored Programs UTHSC Cash Controls -UTM Management Services Agreements -■UTHSC Office of Sponsored Programs UTM 24 Total Projects-
THE UNIVERSITY OF TENNESSEE SYSTEM
32 Audit and Compliance Committee - 2020 Internal Audit Plan - Action Item
SYSTEM Policy Compliance Audits 7 Audit Entity 2020 2021 (selected each year) UTC Administrative Division x UTC Academic Division x UTK Administrative Division x UTK Academic Division -- x UTM Administrative Division --x UTM Academic Division x UTHSC Administrative Division x UTHSC Academic Division -- x IPS or Other Institute -- x UTSA Division x
THE UNIVERSITY OF TENNESSEE SYSTEM
33 Audit and Compliance Committee - 2020 Internal Audit Plan - Action Item
SYSTEM Annual Audits 7
Annual Audit Entity 2020 Complete College Tennessee Act -System President's Office System Athletics NCAA Compliance - Eligibility -UTK Extension Regional and County Offices UTIA Athletics NCAA Compliance - Eligibility -UTM OVC Special Assistance Funds UTM UTM Chancellor -UTM Athletics NCAA Compliance - Eligibility UTC UTC Chancellor -UTC 9 Total Projects
THE UNIVERSITY OF TENNESSEE SYSTEM
34 Audit and Compliance Committee - 2020 Internal Audit Plan - Action Item
SYSTEM Advisory Service Projects 7
Advisory Service Projects Entity
Self-Assessment of Controls System Joint UTK-ORNL Faculty UTK Psychological Clinic – IT Security Assessment UTK College of Dentistry Capital Funds -UTHSC College of Graduate Health Sciences Faculty Succession UTHSC I-9 Compliance -UTHSC International Programs Travel UTM UTC College of Arts & Sciences -UTC WUTC Radio Station UTC Housing -UTC
THE UNIVERSITY OF TENNESSEE SYSTEM
35 Audit and Compliance Committee - 2020 Institutional Compliance Workplan - Action Item ■ UNIVERSITY OF TENNESSEE ■
Office of Institutional Compliance 8
Work Plan for the Year Ending December 31, 2020
Bill Moles, CCEP, CIA Director of Institutional Compliance
36 Audit and Compliance Committee - 2020 Institutional Compliance Workplan - Action Item ■ UNIVERSITY OF TENNESSEE ■ 2020 Areas of Focus Strategic Compliance Oversight
• Streamline the risk assessment process to enable 8 strategic identification and prioritization of top compliance risks.
o Expand the responsibilities of the UT System Administration Institutional Compliance Committee. o Include UT System Administrative Council involvement in prioritizing and validating top compliance risks.
37 Audit and Compliance Committee - 2020 Institutional Compliance Workplan - Action Item ■ UNIVERSITY OF TENNESSEE ■ 2020 Areas of Focus
Collaboration 8
• Expand opportunities for sharing leading practices across the System. o New regulations and policy changes o Identified risks o Best practices o Compliance leader roundtable
38 Audit and Compliance Committee - 2020 Institutional Compliance Workplan - Action Item ■ UNIVERSITY OF TENNESSEE ■ 2020 Areas of Focus Monitoring
8 • Improve the feedback loop for monitoring effectiveness of the compliance program. o Executive and mid-level management o Compliance officers o Compliance committee members • Fully implement and refine an automated procurement card monitoring process for future monitoring and audits.
39 Audit and Compliance Committee - 2020 Institutional Compliance Workplan - Action Item ■ UNIVERSITY OF TENNESSEE ■ 2020 Areas of Focus
Compliance Risk Assessments and Action Plans 8
• Perform compliance risk assessments at UT Knoxville and UT Chattanooga. • Track implementation of risk mitigation plans at other campuses and institutes.
40 Audit and Compliance Committee - 2020 Institutional Compliance Workplan - Action Item ■ UNIVERSITY OF TENNESSEE ■ 2020 Areas of Focus
Promote an Ethical Culture 8 • Promote the UT Compliance Hotline, the Code of Conduct, and other compliance and ethics information. • Promote the Code of Conduct training module to campuses/institutes and encourage them to require the training. (UTC, UTHSC, UTIA)
41