
The University of Texas Health Science Center at Houston (UTHealth)

Internal Audit Annual Report for 2021

Purpose of the Internal Audit Annual Report: To provide information on the assurance
services, consulting services, and other activities of the internal audit function. In addition,
the internal audit annual report assists oversight agencies in their planning and coordination
efforts.

Table of Contents

I. Compliance with Texas Government Code, Section 2102.015: Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on the website

II. Internal Audit Plan for Fiscal Year 2021, Compliance with Benefits Proportionality Requirements & Compliance with the Texas Education Code, Section 51.9337(h)

III. Consulting Services and Nonaudit Services Completed

IV. External Quality Assurance Review (Peer Review)

V. Internal Audit Plan for Fiscal Year 2022

VI. External Audit Services Procured in Fiscal Year 2021

VII. Reporting Suspected Fraud and Abuse



I. Compliance with Texas Government Code, Section 2102.015: Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on the website

The Internal Audit Plan and Internal Audit Annual Report are contained within the Reports
to the State section of UTHealth’s web site as required by Texas Government Code,
Section 2102.015. An updated report is provided to the web developer who then posts
the information no later than one day prior to the due date for submission to the
appropriate reporting state agencies.

II. Internal Audit Plan for Fiscal Year 2021

FY 2021 Audit Plan

Audit Number | Audit / Project | Description | Status | Report Date

Financial Audits
21-101 | Financial Statements FY 2020 Assurance Work | Controls over transaction testing, analytical review, and other procedures assigned as part of the financial statements assurance audit. | Complete | Report issued by D&T at UT System level
21-102 | Financial Statements FY 2021 Assurance Work | Interim work for FY2021 financial statements audit. | Complete | Report issued by D&T at UT System level
21-103 | Assist State Auditor’s Office and other external auditors | Provide assistance to the State Auditor’s Office and other external audit functions. | Complete | No report issued

Operational Audits
21-108 | Title IX Compliance | Review for compliance with requirements of Senate Bill 212. | Complete | 07/07/2021
21-109 | Emergency Preparedness Plan | Required every three years, covers UTHealth, UTP, and HCPC | Complete | 08/30/2021
21-113 | Learning Management System – Annual Compliance Training | Review the Annual Compliance Training process to ensure efficient and effective training is provided. | Complete | 05/19/2021
21-116 | Benefits Proportionality | Review of appropriation years 2018 and 2019. Meets the benefits proportionality audit requirement prescribed in Rider 8, page III-48, the General Appropriations Act (86th Legislature). | Complete | 10/27/2020

Carryforward Audits
20-105 | Grants and Contracts | Review of processes to review accelerated spending and required disclosures, including protection of IP. | Complete | 07/08/2021
20-109 | SecureStor | Review controls around the application to ensure secure sharing of PHI and other sensitive information. | Complete | 10/07/2020
20-113 | Visiting Scientists | Review to assess processes for onboarding visiting scientists and protection of IP. | Complete | 05/25/2021
20-118 | Inventory Controls | Review controls of controlled drugs in clinic locations. | In Progress |
20-119 | Research Conflict of Interest | Review on COI and management plan process. | Complete | 11/11/2020
20-203 | Biomedical Device Maintenance | Review controls around biomedical device maintenance. | In Progress |
20-207 | Disaster Recovery | Review disaster recovery planning and testing. | Complete | 11/13/2020

Compliance Audits
21-107 | Texas Higher Education Coordinating Board Residency Program (THECB) | Provide an opinion on revenue and expenditures reporting on program funds. | Complete | 12/03/2020
21-110 | Medical School Practice Plan (MSRDP) | Review compliance with MSRDP process or bylaws. Will be performed based on assessed risk. | Cancelled |
21-111 | Dental School Practice Plan (DSRDP) | Review to assess efficiency and effectiveness of operations at the OralMax clinic. | In Progress |
21-117 | TEA Compliance (CLI) | Report on controls over the security of TEA data. | Not Performed, data set not received this FY |

Information Technology Audits
21-118 | Epic Security Certification | Verify IT Security’s control certification to Epic. Annual requirement. | Complete | 11/04/2020
21-201 | Legacy E.H.R. Data Archive | Review security controls around the HEF Solutions cloud-based archive, which stores all legacy E.H.R. health records. | Complete | 06/08/2021
21-202 | Medical Devices Network Segmentation | Review capabilities and security controls around the segmentation of medical devices from the central UTHealth network. | Cancelled |
21-203 | Patch Management | Review controls around the timely patching of workstations, servers, and other IT infrastructure equipment. Meets biannual audit requirement for compliance with TAC 202. Data analytics may also be used. | Complete | 08/11/2021
21-204 | ServiceNow | Post-implementation review of the ServiceNow application, which will house Help Desk workflow and serve as the IT asset management system. Data analytics may also be utilized. | Cancelled |
21-205 | Medical Devices Workflow Agreements | Review of medical devices for compliance with Security Policy Workflow Agreements. | In Progress |
21-206 | Box Cloud Content Sharing | Review of configuration and security controls around Box, a cloud content management and file sharing service to be used for collaboration with outside users. | Cancelled |
21-207 | Epic Security | Review of security controls around the Epic application. | In Progress |
21-208 | Coupa Integrated Procure to Pay (P2P) | Review controls around the Coupa system. | In Progress |

Follow-up Audits
21-104 | Follow-Up | Hours designated to perform periodic follow-up to validate the status of implementing outstanding recommendations. | Complete | 08/21/2021

Audit 21-110 Medical Service Research and Development Plan (300 budgeted
hours) is an audit of compliance with bylaws and processes. In reviewing the FY
2021 audit plan, the 21-308 Revenue Cycle Consulting engagement satisfies the
related risks and requirements for the medical plan. Therefore, the MSRDP audit
was cancelled without replacement.

Audit 21-202 Medical Devices Network Segmentation was not completed due to
an ongoing review of the best way to protect the network for these devices. As a
result, a different implementation strategy may be selected. Therefore, this audit
was cancelled without replacement.

Audit 21-204 ServiceNow was included in the FY 2021 audit plan; however, a full
implementation of the system was not scheduled until the end of the fiscal year.
Thus, this audit will be included on the FY 2022 audit plan.

The focus of the 21-206 Box Cloud Content Sharing audit (300 budgeted hours)
was to review the Box Cloud Content Sharing service. However, a decision was
made to use the file hosting service Microsoft OneDrive instead. As a result, this
audit was cancelled without replacement.

Compliance with the Benefits Proportionality Audit Requirements for Higher Education Institutions

Rider 8, page III-46, the General Appropriations Act (86th Legislature, Conference
Committee Report), requires each institution of higher education, excluding Public
Community/Junior Colleges, to conduct an internal audit of benefits proportional by
fund and submit a copy of the internal audit to the Legislative Budget Board,
Comptroller of Public Accounts, and the State Auditor's Office no later than August 31,
2022. The audit must examine fiscal years 2019 through 2021 and must be conducted
using a methodology approved by the State Auditor’s Office.

Compliance with the Texas Education Code, Section 51.9337(h)

Senate Bill 20 (84th Legislative Session) made several modifications and additions to
Texas Government Code (TGC) and Texas Education Code (TEC) related to
purchasing and contracting. Effective September 1, 2015, TEC Section 51.9337
requires that, “The chief auditor of an institution of higher education shall annually
assess whether the institution has adopted the rules and policies required by this
section and shall submit a report of findings to the state auditor.” UTHealth’s Auditing
and Advisory Services conducted this required assessment for fiscal year 2021, and
found the following:

Based on review of current institutional policy and the UT System Board of Regents’
Rules and Regulations, UTHealth has generally adopted all of the rules and policies
required by TEC Section 51.9337. Review and revision of institutional and System
policy is an ongoing process. These rules and policies will continue to be assessed
annually to ensure continued compliance with TEC Section 51.9337.

III. Consulting Services and Nonaudit Services Completed

Report No. | Report Date | Name of Project | High-Level Consulting Engagement / Non-audit Service Objective(s) | Observations / Results and Recommendations

21-301A | 01/05/2021 | Employee Health Consulting | Review of UT Health Services (UTHS) general operations. | Results communicated to the department.
21-301B | 08/09/2021 | Marketing Consulting | Review of controls around payments made to Richards/Carlberg. | Results communicated to the department.
21-304A | 02/26/2021 | Audit Log Monitoring Consulting | Review of audit log monitoring by system owners for applications/databases with PHI. | Results communicated to the department.
21-304B | 01/21/2021 | Lockbox Password Security Consulting | Review of security controls over lockbox accounts. | Results communicated to the department.
21-304C | 10/19/2020 | System Access Reviews Consulting | Review of system owner access reviews for applications containing PHI. | Results communicated to the department.
21-304D | N/A | Network Access Listing Consulting | Comparison of network access listing with Active Directory. | In Progress
21-304E | 03/25/2021 | Microsoft 365 External Sharing Consulting | Review the security of the external sharing functionality of Microsoft 365. | Results communicated to the department.
21-305 | N/A | Epic Controls Consulting | Review of controls within the Epic system. | Results communicated to the department.

21-306 | N/A | Epic Security Consulting | Review of security within the Epic system. | Results communicated to the department.
21-308 | 04/08/2021 | Revenue Cycle Consulting | Review of Revenue Cycle processes. | Results communicated to the department.


IV. External Quality Assurance Review (Peer Review)


V. Internal Audit Plan for Fiscal Year 2022

FY 2022 Audit Plan

Audit / Project | Budgeted Hours | Description

Assurance Engagements
EMR Data Extracts | 500 | Review controls around data extracts from EMRs.
Epic DR/BCP | 400 | Review controls around disaster recovery/business continuity planning for the Epic cloud. Meets biannual audit requirement for compliance with TAC 202.
ServiceNow | 500 | Post-implementation review of the ServiceNow application, which will house Help Desk workflow and serve as the IT asset management system.
SailPoint | 500 | Review controls around SailPoint (provisioning tool for Epic/other applications).
Novopath | 400 | Review controls around NovoPath (Laboratory Information System), which will interface with Epic.
COVID-19 Vaccine Hub | 500 | Integrated review of controls around UTHealth vaccine registry.
MSRDP | 300 | Review compliance with MSRDP processes or bylaws. Will be performed based on assessed risk.
DSRDP | 300 | Review Biopsy Services.
Telecommuting | 400 | Review telecommuting practices throughout UTHealth.
Payroll Services | 500 | Assess processes for identifying and submitting benefits payments.
Clinical Research Billing | 300 | Assess the research billing process within Epic for efficiency and effectiveness.
Review and Validation | 200 | Audit based on risk in accordance with UTS 142.1. Will focus on telecommuting and performance of the required reconciliations.
Carryforward IT Audits | 350 | Carryforward of 2021 IT Audits
Carryforward Financial/Operational Audits | 350 | Carryforward of 2021 General Audits
Assurance Engagements Subtotal | 5,500 |

Required Engagements
Financial Statements FY 2021 | 100 | Controls over transaction testing, analytical review, and other procedures assigned as part of the financial assurance audit.
Financial Statements FY 2022 | 80 | Interim work for FY 2022 financial statements.
Assist State Auditor’s Office and other external auditors | 150 | Provide assistance to the State Auditor’s Office and other external audit functions.
THECB | 50 | Provide an opinion on revenue and expenditures reporting of program funds
TEA Compliance (CLI) | 100 | Report on controls over the security of TEA data.
Benefits Proportionality | 150 | Review of appropriation years 2019 through 2021. Meets the benefits proportionality audit requirement prescribed in Rider 8, page III-48, of the General Appropriations Act (86th Legislature).
Epic Security Certification | 200 | Verify IT Security’s control certification to Epic. Annual requirement.
Required Engagements Subtotal | 830 |


Advisory and Consulting Engagements
Institutional Committees | 250 | Participation by A&AS in various internal committees.
Training/Assistance Provided by A&AS | 100 | Train/educate clients on risk and internal audit concepts, including IDEA.
Consulting Projects Reserve | 300 | Performance of consulting projects requested by management.
IT Consulting | 1,200 |
  * Epic Security Report Monitoring (200): review of Epic security reports for risk monitoring.
  * Medical Device Workflow Agreements (semi-annual) (200): verify compensating controls stipulated in Workflow Agreements are in place for medical devices.
  * Microsoft 365 (200): yearly review of configuration/functionality changes
  * UTH-Share (200): yearly review of configuration/functionality changes
  * Telemedicine Application Usage (200): verify only approved telemedicine applications are being used.
  * System Administrators/Privileged Users (175): Review of termination process.
  * Network Access Listing (25): Comparison of network access listing with active directory. Data analytics is utilized.
Financial Consulting | 400 |
  * Money Network Cards (replacement for Buycards) (50): review of processes for purchasing under this method as well as determine whether PHI is/is not retained
  * Cash Controls (100): review of cash controls for the SOD for proper segregation of duties and compliance with the Cash Handling Manual
  * Lockbox – Development (100): review of lockbox processing activities for the Office of Development, which were brought in-house to determine proper segregation of duties
  * FAS Team (150): review of researching billing activities
Revenue Cycle Consulting | 200 | Assist revenue cycle management with data analytics and process enhancements.
Campus Diversity Consulting | 300 | Review and develop an inventory of diversity, equity and inclusion processes and programs within UTHealth.
Advisory and Consulting Engagements Subtotal | 2,750 |

Reserve
Management Requests/Emerging Risks | 600 | Allow for flexibility to add audits as additional risks are identified or to address rapidly changing areas.
Reserve Subtotal | 600 |

Investigations
Investigations | 300 | Perform work related to potential thefts or in assisting other risk mitigating functions
Triage | 100 | Perform work related to triage/compliance complaint cases
Investigations Subtotal | 400 |

Follow-up
Follow-up | 600 | Hours designated to perform periodic follow-up to validate the status of implementing outstanding recommendations.
Follow-up Subtotal | 600 |

Development - Operations
UT System/External Requests | 100 | Time devoted to various external reporting requirements, information requests and other types of assistance provided to external agencies and reviewing for compliance with TEC 51.9337 Purchasing Authority Required Standards.
Internal Process Improvement | 250 | Periodic review and updating of audit processes by management and staff.
Internal Audit Committee | 500 | Preparation of documents and reports presented at the quarterly meetings and related post meeting documentation.
FY 2023 Audit Plan | 400 | Development of annual audit plan using risk assessment techniques as required by Government Code 2102.
Internal Audit Annual Report | 50 | Preparation and posting of the Internal Audit Plan, Internal Audit Annual Report, and other information as required by TGC 2101.015.
Staff Meetings | 700 | Recurring departmental staff meetings.
Data Analytics Development | 200 | Review of UTHealth generated reports and A&AS reports as part of the ongoing risk assessment process.
TeamMate/IDEA Development & Maintenance | 150 | Maintenance and development of TeamMate database and IDEA.
Quality Assessment Review | 150 | Departmental process evaluation in preparation for next year’s external quality assessment. Yellow Book standards require a QAR every three years.
Development - Operations Subtotal | 2,500 |

Development – Initiatives and Education
Professional Activities | 168 | Writing, publication, external presentations, and participation in professional organizations.
UT System Initiatives | 150 | Participation in UT System initiatives including committees, workgroups, etc.
Continuing Professional Education | 450 | Professional trainings and CPE courses to keep certifications active.
Development – Initiatives and Education Subtotal | 768 |

Total Budgeted Hours | 13,948 |


High Risks Not Included in FY 2022 Audit Plan | Explanation / Mitigation | Internal Audit Action

PHI or other sensitive information may be disclosed/sent using email or social media | Monitored by Office of Legal Affairs | Monitor Developments
Institution may not make decisions quickly during events such as COVID or return to work | Monitor Developments | Risk will be re-evaluated and will continue to monitor developments.
Physicians do not sign off on dictation | Monitored by Revenue Cycle Management and Billing Compliance | Monitor Developments
Surgery or transplant procedure may not be billed due to lack of documentation in the patient record | Monitored by Revenue Cycle Management and Billing Compliance | Monitor Developments
Physicians may leave due to below market compensation | Monitor Developments | Risk will be re-evaluated and will continue to monitor developments.
Physician's collections decrease once they onboard with UT | Monitored by Revenue Cycle Management and UT Physicians | Monitor Developments
Physicians may not complete their training in time for EPIC go-live and won't know how to enter physician notes, which negatively impacts billing | Covered by FY21 Epic Controls/Security Controls consulting engagement | Report submitted
Not able to bill for charges due to incomplete medical records in patient chart | Monitored by Revenue Cycle Management and UT Physicians | Monitor Developments
Anticipating/Predicting swings in patient volume and related revenue can be difficult | Monitored by Revenue Cycle Management and UT Physicians | Monitor Developments
Suppressed volumes in NICU due to decline in birthrates as a result of COVID | Monitored by Revenue Cycle Management and UT Physicians | Monitor Developments
Difficulty in faculty coverage due to division of a portion of Pediatric Children's Heart Institute | Monitored by UT Physicians | Monitor Developments
Change in leadership in Neurology will create a need for transition | Monitor developments, consider as a replacement or emerging risk audit | Monitor Developments
Elective procedures may halt or be delayed should another shut down occur due to COVID | Monitored by UT Physicians and hospital partners | Monitor Developments
Patients volumes are decreasing due to unemployment caused by COVID | Monitored by Revenue Cycle Management and UT Physicians | Monitor Developments


There is no process to detect missed charges for surgeons working on-call at outlying hospitals | Monitored by Revenue Cycle Management and hospital partners | Monitor Developments
Physicians may struggle and take longer to enter notes into the EPIC system or will need to be done after the fact, which will negatively impact revenue | Monitored by Implementation Team | Monitor Developments
Loss of patients if we do not develop an adequate process to refer patients to specialists | Monitored by Revenue Cycle Management and UT Physicians | Monitor Developments
Increase of mental health issues among staff and students as we rely more on technology and social media | Monitored by UT Police-Houston | Monitor Developments
Title IX hearing and faculty tribunal determine different findings and recommended corrective actions | Covered by 21-113 Title IX | Report submitted
Student disciplinary hearings do not follow due process | Monitored by the Office of Academic Affairs | Monitor Developments
Title IX requirements are becoming too complex and restrictive to manage | Covered by 21-113 Title IX | Report submitted
UTHealth is unable to attract and retain a diverse faculty | Monitored by Human Resources and the Office of Academic Affairs | Monitor Developments
During emergency situations, responses to longer term situations have not been developed | Covered by 21-109 Emergency Preparedness Plan | Report submitted
Schools will have difficulty recruiting qualified teaching faculty | Monitored by Human Resources and the Office of Academic Affairs | Monitor Developments
As UTHealth enters into collaborative agreements with foreign institutions, an adequate assessment is not performed to assess the value to the institution | Monitored by the Office of Academic and Research Affairs | Monitor Developments
Intellectual property is at risk from increased use of virtual meetings and cloud storage systems | Monitored by the Office of Academic and Research Affairs, Academic Technology | Monitor Developments
UTHealth is not equipped to manage student mental health issues | Monitored by the Office of Student Health and Counseling Services | Monitor Developments
Departments do not manage grant expenditures, requiring frequent cost transfers to be in compliance with grant terms | Covered by 20-105 Grants and Contracts | Report submitted

Departments having their own billing compliance analyst will result in some departments not being in compliance with billing regulations | Monitored by Revenue Cycle Management | Monitor Developments
Research administration cannot maintain adequate staffing to keep up with added funding | Monitored by the Office of Sponsored Projects Administration | Monitor Developments
Time and effort reviews are not performed timely leading to added cost transfers | Covered by 20-105 Grants and Contracts | Report submitted
Weather events strain institutional power sources placing the data centers at risk | Monitored by Facilities, Planning and Engineering | Monitor Developments
Improper classification when coding patient's level of care | Monitored by Billing Compliance | Monitor Developments
University shutdown may adversely affect student’s ability to complete certain courses or delay graduation | Monitored by Academic Affairs and each school | Monitor Developments
Individuals may be taking intellectual property | Monitored by Academic Technology | Monitor Developments
There may be short term negative impact to revenue post Epic implementation | Monitored by Revenue Cycle Management | Monitor Developments
FMLA rules not followed by department managers | Monitor Developments | Risk will be re-evaluated and will continue to monitor developments
Schools may not be following HOOP 186 Student Conduct adequately | Covered by 21-113 Title IX | Report submitted
Individuals may not have listed all of their COI and therefore, a management plan may not exist | Covered by 20-119 Research Conflict of Interest | Report submitted
Paper records containing PHI, PII or other sensitive information may not be handled properly, especially with an increase in telecommuting | Monitored by the Office of Legal Affairs | Monitor Developments
Relationship with hospital partners may change the way we are reimbursed, making it difficult to maintain adequate margins | Monitored by Finance and Business Services | Monitor Developments
Foreign nationals are hired and may take intellectual property | Monitored by Research Administration and Office of Technology Management | Monitor Developments


Clinic processes that are new, or are largely different from standard processes are not performed well | Monitor new processes and practice acquisitions and consider as a replacement audit or cover as an emerging risk | Monitor Developments
Integration of the Neurosciences department does not go smoothly | Monitor and consider for a Change in Management audit | Monitor Developments
Foreign influence could affect our ability to protect intellectual property | Monitored by Research Administration and Office of Technology Management | Monitor Developments
No second backup (fuel onsite) generator for the data center | Cost prohibitive to acquire backup generator. DCOS engaging TECO for chilled water backup/plans to lease generator in anticipation of weather event | Monitor Developments
A non-UTH laptop/device connects to the network and spreads malware | Ongoing review of the best way to protect the network for these devices, and a different implementation strategy may be selected | Monitor Developments
Insufficient response/remediation to a breach | Tabletop exercise conducted with UT System | Monitor Developments
Phishing/malicious attacks are successful, resulting in breaches to sensitive data. [also includes publicly-available access reports] | Ongoing phishing simulation exercise conducted by IT Security/wide rollout of 2FA | Monitor Developments
Splunk alerts not configured for high-risk applications | DCOS working to configure ~1,500 servers for Splunk monitoring. A&AS will monitor progress | Monitor Developments
Internet of Things (IoT) is not tightly controlled | Ongoing review of the best way to protect the network for these devices, and a different implementation strategy may be selected | Monitor Developments
Patches/upgrades not applied timely to data center servers/applications/desktops | Covered by FY21 Patch Management | Report submitted
Medical devices are not adequately cleaned and maintained | Covered by FY20 Biomedical Device Maintenance | Report submitted
System owners do not take their responsibilities seriously or are unaware of their responsibilities | Covered by FY21 System Access Reviews/FY21 Audit Log Monitoring | Report submitted
Data is not successfully migrated from legacy systems to Epic | Covered by FY21 Epic Controls Consulting, FY21 Legacy E.H.R Data Archive | Report submitted


Our risk assessment methodology included interviews and questionnaires to update
the annual risk assessment. The identified risks were organized into institution-wide
areas such as financial management, human resources management, and
purchasing/warehousing. We developed detailed risk assessments of high-risk areas
of research, information technology, and patient care. For each identified risk,
probability and impact were determined using three to seven factors such as
regulatory environment and frequency of identification in responses for the
financial/operational risks and scope of process and age of system for the IT risks.

VI. External Audit Services Procured in Fiscal Year 2021

Service | Provider

Opinion on financial statements of UT Physicians (a component unit of The University of Texas System) | Blazek & Vetterling LLP Certified Public Accountants
Opinion on financial statements of Harris County Psychiatric Center (HCPC) (an operating unit of The University of Texas Health Science Center at Houston) | BKD Certified Public Accountants
Financial Statements FY 2020 Assurance Work | Deloitte and Touche LLP (Deloitte) Certified Public Accountants
Financial Statements FY 2021 Assurance Work | Deloitte and Touche LLP (Deloitte) Certified Public Accountants
Statewide Single Audit, Follow-up to the Schedule of Expenditures of Federal Awards | State Auditor’s Office
Statewide Single Audit, Follow-up to the Research and Development Cluster | State Auditor’s Office
Financial Review for Southern Association of Colleges and Schools Commission on Colleges (SACSCOC) | Deloitte and Touche LLP (Deloitte) Certified Public Accountants
Cancer Prevention and Research Institute of Texas (CPRIT) Program | Deloitte and Touche LLP (Deloitte) Certified Public Accountants
Benefit Replacement Pay Eligibility | Texas Comptroller

VII. Reporting Suspected Fraud and Abuse

UTHealth’s home page contains a link to information on how to report suspected fraud,
waste, and abuse. The information has a link to the State Auditor’s fraud reporting
website and its hotline number, as well as information on the various ways to report
suspected fraud internally. Institutional policies and procedures address the
requirement to report fraud and the Standards of Conduct Guide, applicable to all
employees, addresses the reporting of fraud. The intranet sites of the departments of
Institutional Compliance and Auditing & Advisory Services contain information and
links for reporting suspected fraud.
