Details

To avoid duplication of work and reduce burden on University staff, we continue to place reliance on audit-related work performed by other service providers. We rely on the external audit work performed by Deloitte, LLP in the areas of investments, annual external financial reporting, and RUMINCO (the University’s captive insurance company). Deloitte, LLP also provides significant coverage of student financial aid as part of its Uniform Guidance Audit, which we take into consideration in our risk assessment.

We also rely on the audit work performed by external construction audit firms engaged by the University’s Capital Planning and Project Management (CPPM) unit for construction projects that are delivered using the Design/Build or the Construction Manager at Risk delivery methods. We are in agreement with the scope of this audit work and receive and review copies of their reports.

Our audit planning begins with a review of past audit coverage and results. Appendix A recaps the audits completed for the last three fiscal years and the resulting overall control assessments.  Appendix B details progress made against the FY 2023 audit plan and other audit work performed.  To date, we have completed 24 audits in FY 2023.  The risk management and control environments of 16% of the activities audited were rated as "Needs Improvement." The remaining 84% of audits were rated "Good" or "Adequate." These results continue to demonstrate an overall culture of compliance and risk management throughout the University.

In addition to the 24 audits completed:

• Audits in Progress: 4 - audits are currently in progress and plan to be completed in FY 2023. 
• Completed Next FY: 5 - audits are in progress and will be completed in FY 2024.
• SNAP Reviews: 3 - SNAP reviews were issued.
• Deferred Audits: 4 - Tier 2 audits from the FY 2023 audit plan were deferred to FY 2024 and 2 additional audits were added as communicated to the Committee in February.  The FY 2023 audit plan was built on the expectation of hiring all but one open position by the end of December 2022.  Although we successfully hired most open positions, one IT audit position was not filled until March 2023, and an additional financial auditor left the department this spring.  This limited our ability to replace some deferred audit work especially related to IT.
  • Audits Deferred to FY 2024: Parking &  Transportation Services, Central Cloud Platform; Minnesota Supercomputing Institute,; and Gramm-Leach-Bliley Act (GLBA)
  • Replacement Audit Work:  Institute on the Environment (IonE), and Aerospace Engineering & Mechanics
• Employee Surveys: 36 - employee surveys were sent out to 1085 participants as part of regular unit audit processes, with a 70% response rate.
• Investigations: 7 - investigations into financial or operational misconduct were conducted in accordance with the University Policy on Reporting and Addressing Concerns of Misconduct.  OIA partnered as appropriate with the University of Minnesota Police Department (UMPD), Office of the General Counsel, Office of Institutional Compliance, Research Intelligence & Compliance Team, and other units to complete these reviews.

The Office of Internal Audit’s Charter, approved by the Chair of the Audit and Compliance Committee in 2019 states, “To provide for the independence of the Office of Internal Audit, the Board of Regents delegates directly to the Chief Auditor the authorities necessary to perform the duties set forth in the mission and scope of work. Additionally, the Chief Auditor is delegated administrative and operational authorities by the President of the University. The Office of Internal Audit is to be free from undue influence in the selection of activities to be examined and the audit techniques and procedures to be used.”

There were no incidences during the year in which the independence or scope of internal audit work was restricted by the client.

Compliance Partners

The Office of Internal Audit coordinates its work with other internal units to maximize the quality of audit coverage provided, as well as to promote prompt attention when University-wide trends are identified. We have established strong working relationships with the University’s compliance partners, including: the Risk Intelligence and Compliance Team; the Human Research Protection Program; Health, Safety & Risk Management; University Information Security, the Health Information Privacy & Compliance Office; and the Office of the General Counsel. We work closely with each of these units during audits involving complex regulatory issues. 

The Office of Internal Audit interfaces regularly with the Institutional Compliance Officer and we serve on the Executive Compliance Oversight Committee.  Input from the Compliance Officer is also solicited during our annual audit planning.  In addition, throughout the year we report to and collaborate with the Compliance Officer on issues identified during our audits. We also share the results of employee surveys conducted during audits with the Compliance Officer. Along with the Office of Institutional Compliance, we serve on the triage team for managing UReport, the University’s anonymous hotline. We are also working with the Office of Institutional Compliance to ensure that duplication does not occur between their risk assessments and audits. Both offices are committed to sharing information and leveraging each other’s work as appropriate to optimize resource usage and reduce impact on units involved.

Policy & Process Owners

Audit results are shared with policy owners and central support units such as the Office of Information Technology, Sponsored Projects Administration, Controller’s Office, and the Office of Human Resources when policy non-compliance or the need for process enhancements are identified. In addition, best practices identified in local unit audits are shared with these central unit process owners for consideration of broader adoption. We also have regular meetings with leadership and other representatives from these offices to discuss audit results and trends, changes in regulations, policy interpretations, etc.

Enterprise Risk Management and PEAK Initiatives

Enterprise Risk Management (ERM) and Positioned for Excellence, Alignment and Knowledge (PEAK) are two major initiatives with current and future impacts to the audit function in the years ahead.  The Chief Auditor is a member of the ERM Task Force and the PEAK Steering Committee to ensure we stay abreast of these initiatives.  In FY 2024 we expect ERM will work with University leadership and the Board of Regents to establish new institutional risk profile.  We will ensure our audit work remains in alignment with the highest risks identified through this process.  In addition, we expect ERM to play a larger and more consistent role in the Audit and Compliance Committee, which is responsible for overseeing it. As PEAK implementation continues and streamlines administrative activities, it will likely continue to affect various process audits, risk levels and audit scoping in some unit audits.  It may also impact the timelines of issue remediation as units elect to resolve issues identified in audits as part of broader PEAK efforts.   In FY 2023 OIA implemented a regular report as part of our Internal Audit Activity update detailing issues management identified would be addressed as part of changes associated with PEAK.  We will continue to update and maintain this document in FY 2024. As PEAK is implemented, we will also consider adjusting our audit work to ensure ongoing optimization of audit coverage, we will keep the Committee informed of any significant trends as they emerge.

The Office of Internal Audit is committed to providing educational opportunities to our staff in order to continually enhance our audit knowledge and abilities. Ever-changing government regulations, new technologies, and new developments in auditing principles and methods dramatically affect not only what we audit, but how we audit. We strive to stay abreast of new developments and improve our audit proficiency to enhance the overall quality of our audits. To accomplish this, we pursue a variety of methods to continue our staff's professional education.  Our memberships with the Institute of Internal Auditors (IIA), the Association of College and University Auditors (ACUA), the Association of Certified Fraud Examiners (ACFE), the American Institute of Certified Public Accountants (AICPA), and ISACA provide staff members the opportunity to attend seminars and conferences that specifically address current issues and techniques in internal auditing. The interaction of our staff members with their peers through these professional organizations helps to keep us up‑to‑date on the latest auditing trends and issues affecting higher education.

All but three of our internal audit staff are professionally credentialed or hold advanced degrees,. the remaining three have been with OIA less than a year and one is in the process of obtaining credentials.  The number and combinations of certifications held by staff demonstrates a high-level of competency in the skills needed to provide quality audit work in the University’s complex environment.

In the first 10 months of FY 2023, the Office of Internal Audit provided approximately 1,000 hours of formal and informal training.  These hours do not include the time associated with competing coursework partially funded by the University's Regents Scholarship Program.  For FY 2024, 1,150 hours have been budgeted for staff training.  This ongoing training also provides the continuing professional development required to maintain the staff's professional credentials.

The Office of Internal Audit conducts its work in accordance with the Institute of Internal Auditors’ Standards for the Professional Practice of Internal Auditing. All audit staff is also required to comply with the Institute’s Code of Conduct for Internal Auditors.

We have established an internal quality assurance program within the Office of Internal Audit. This program is structured around the robust supervision of audit staff and their work products and are supplemented with peer quality assessments. In addition, internal practices and tools are routinely evaluated for their effectiveness and efficiency and changes are made when potential improvements are identified. Our quality assurance measures throughout the year confirmed our practices met the requirements of our professional Standards.

Our professional standards require that our audit practice undergo an external quality assurance review every five years. Our most current external review was conducted in January 2020 and determined that 1) our work was in full compliance with the Standards, and 2) University management and the Board of Regents can appropriately rely on the assurance provided by the work performed by OIA. The review team commended the department for maintaining a very strong internal audit function that provides valued assurance services to a dynamic, diverse and complex institution. Our next external quality assurance review will be completed in FY 2025.

When fully staffed we have 16 auditors (9 financial/operational auditors, 2 IT auditors, 1 senior data analyst, 1 associate audit director, and 3 audit directors) in addition to the Chief Auditor.  OIA has experienced an unusually high level of turnover in the last 18 months consistent with broader employment rends.  We have worked to onboard five new auditors since April of 2022 including a new IT audit director.  We are actively recurring for two open financial/operational auditors with the assistance of the Office of Human Resources' Talent Acquisition team.  Our Audit Plan is built with the expectation that we will have hired at least one of these positions by January 2024. 

The Office of Internal Audit reallocations from FY 2022 and FY 2023 were restored for FY 2023 to partially address a longstanding structural deficit, but our allocation will be reduced again in FY 2024 by a small amount.  This reduction is consistent with those asked of all University units.  However, we have no alternative revenue sources available and 94% of our expenses are salaries.  In consultation with management and Board leadership, we plan to use carryforward balances accrued through previous years' salary savings associated with turnover to fund expected operational deficits in FY 2024.  We plan to discuss with the administration options for long-term funding solutions for FY 2025.

We are receiving preliminary funding for a 3.75% merit pool compensation increase and an additional .25% for market adjustments with the administration's expected pay plans.

We appreciate the thoughtful budgeting process and the continued financial and operational support we receive from the administration.