U.Va. audits show unresolved risks

- U.Va.'s Office of Audit and Compliance reported high‑risk findings across student services, IT, parking and payroll at U.Va. Health.
- Some of those findings have reportedly remained unresolved for years, indicating long‑running remediation gaps.
- The persistence of aging findings highlights the importance of tracking remediation age and root‑cause closure (cavalierdaily.com).

University of Virginia auditors told the Board of Visitors on April 16 that high-risk problems were still open in student services, information technology, parking and U.Va. Health payroll. (cavalierdaily.com)

The Board’s Audit, Compliance and Risk Committee reviewed those findings during a public meeting at the Rotunda, using written reports from the Office of Audit and Compliance. The committee’s charter says it oversees internal audit, compliance and enterprise risk management for both the academic and medical center divisions. (bov.virginia.edu)

The committee’s April 16 open-session book lists written status reports from four areas: the University Audit Department, institutional academic compliance, information management, and the compliance and privacy program. The same agenda also set aside a closed session for discussion of sensitive U.Va. Health information technology matters. (bov.virginia.edu)

At the same meeting, finance chief Augie Maurelli said the University’s control system is built around Virginia’s Agency Risk Management and Internal Control Standards, or ARMICS. The state-required framework is meant to give “reasonable assurance” that fiscal processes are accurate, legal and protected against misuse. (cavalierdaily.com)

That framework puts the Board in an oversight role and requires management to certify controls. The April 16 presentation says U.Va. has a fiscal year 2026 operating budget of $6.4 billion, including $3.9 billion at the Medical Center, with 33,808 total employees across the University and health system. (bov.virginia.edu)

The immediate issue was not whether U.Va. has an audit structure on paper. It was that some findings described to the committee had stayed open for years, according to The Cavalier Daily’s account of the reports reviewed on April 16. (cavalierdaily.com)

That timing matters at a university where the audit committee is supposed to review risk governance and mitigation strategies at least once a year. A finding that remains open across multiple reporting cycles can signal that a unit fixed symptoms without closing the root control problem. (bov.virginia.edu)

U.Va. has spent the last two years talking publicly about internal controls in other areas too, including financial reporting. In December 2025, the same committee said the University had received a clean fiscal year 2025 audit opinion and ended a multi-year material weakness in financial reporting. (cavalierdaily.com)

The April 16 presentation also showed how much the University now leans on automated monitoring: 4.5 million Workday actions completed annually, more than 38,000 security roles certified each year, and user-activity monitoring through Kainos. Those tools can flag unusual activity, but they do not close audit findings by themselves. (bov.virginia.edu)

The next public test is whether future committee books show those same items moving off the open list. For now, the April 16 meeting left U.Va. with a clear record that some of its highest-risk problems were still awaiting a full fix. (bov.virginia.edu)
