Internal Audit Annual Plan Year 2017
The annual internal audit plan is intended to demonstrate:
- the breadth and depth of audit activities addressing financial, operational, compliance, strategic, and reputational risks of the University;
- accountability for our resources; and
- the progress in our efforts to continually improve the University's Internal Audit program.
It is our intent to convey a current sense of the University's internal control environment and the extent to which institutional risk mitigation is being assessed by regular audit activities, addressed proactively through advisory services, or investigated as a result of issues raised.
The development of the annual audit plan is based on information gathered through broad consultation across the University and a formal assessment of existing and emerging risks. We also do a scan to identify areas of emphasis at relevant federal agencies and use a survey of other research universities regarding the assessment of risks within their institutions.
External Risk Assessment/Scan of the National Landscape of Higher Education
Regulatory Agencies: The federal regulatory agencies that have significant involvement with University activities continue to be highly focused on the implementation of the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards issued in December 2014, both internally within the agencies themselves, as well as by their grantees. Additional refinements to the Guidance are under consideration by the Office of Management and Budget. Audits of college and university grantees will be focused on subcontracting practices and oversight, compliance with select agent requirements and transfers, export controls, human research participant protections, and general cost compliance.
Research Universities: Our survey of other research universities found the following items consistently identified as risks warranting governing board attention: funding, student/campus safety, regulatory compliance, IT governance, cybersecurity, leadership and workforce succession planning, and institutional reputation.
Internal Risk Assessment
As part of the planning process, we held individual discussions with each member of the Board of Regents to identify areas of risk or concern at the governance level for audit consideration. The risks most often identified in these discussions were Board governance practices, key leadership transitions, and the impact of tuition principles/decisions on affordability and access. M Health was also raised as potentially presenting risks, as well as opportunities, for the University.
We also held discussions with 92 institutional officials from 38 units to solicit input on the University’s institutional risks and any specific areas of concern. Themes which emerged from these discussions included the risks associated with: 1) the local effort needed to adjust to changes resulting from the Enterprise Upgrade for Human Resources and the job family study, 2) the continued direction to cut administrative costs now impacting core academic activities, 3) the potential impact of unionization, and 4) adapting to changes arising from the Human Participant Protection Plan implementation.
Operational Risk Assessment
Finally, our annual planning process includes re-examining the audit universe to ensure that all university activities are considered when determining how audit resources will be allocated. We also consider new regulatory developments, new business processes, and institutional priorities and strategic initiatives.
The Office of Internal Audit continues to utilize a formalized risk assessment methodology in selecting processes/units/systems for inclusion in the annual audit plan. Relative risk assessment is necessary to provide a basis for the rational deployment of our limited resources across the institution. The risk factors that we considered in prioritizing institutional activities are:
- Impact on the University’s mission
- Impact on University finances
- Assessment of the activity’s control environment
- Level of compliance concerns
- Impact of information technology
- Complexity and/or diversity of the activity
- Changes in the organization or leadership
In FY 2016 we devoted significant audit attention to centralized business processes to assess the impact of the Enterprise Upgrade on the University’s control environment. The proposed FY 2017 audit plan provides greater coverage of academic units in response to decanal requests as well as to ensure that the control environments in these units remain stable in light of administrative cost reductions. The audit plan also continues to provide coverage in Athletics and units impacted by the Human Participant Protection implementation plan.
In selecting specific activities for inclusion in the audit plan, we recognize there are areas of high risk across the University that we have intentionally excluded because 1) the issues are well known and are being addressed by the administration, 2) the activity lacks the necessary maturity for meaningful auditing, or 3) the issues are receiving extensive external review. Such risks include those associated with M Health, Psychiatry, fetal tissue procurement, and the Healthcare Center of (IT) Excellence. We will continue to monitor these areas outside of the audit process for indications that audit coverage would be helpful.
The audit plan is based on a planned staffing complement of 16.75 FTE professionals, which is our full complement.
Approximately 54% of the Office of Internal Audit’s resources are committed to the completion of planned audit projects. This year 6% of those resources will be needed to complete carry-over work from our FY 2016 audit plan. Five audit projects are currently in process and will be completed in FY 2017.
The remainder of our FY 2017 audit resources is reserved as follows:
- 11% has been reserved to accommodate requests from the President, the Board, or members of the senior leadership team. This has been supported by the Audit and Compliance Committee. The number of hours remains consistent from previous years.
- 5% has been reserved for investigations. The number of hours remains consistent from previous years.
- 4% has been reserved for follow-up procedures performed on behalf of the Audit and Compliance Committee. The number of hours remains consistent from previous years.
- 26% has been set aside for internal administrative functions, including our continuous improvement efforts. This remains fairly consistent with the previous year.