University of Minnesota
Office of Internal Audits
West Bank Office Building

Office of Internal Audit
Suite 510 WBOB
Minneapolis, MN

612-625-1368 (phone)
612-625-1512 (fax)

Internal Audit Annual Plan Year 2017

Purpose of the Annual Plan

The annual internal audit plan is intended to demonstrate:

  • the breadth and depth of audit activities addressing financial, operational, compliance, strategic, and reputational risks of the University;
  • accountability for our resources; and
  • the progress in our efforts to continually improve the University's Internal Audit program. 

It is our intent to convey a current sense of the University's internal control environment and the extent to which institutional risk mitigation is being assessed by regular audit activities, addressed proactively through advisory services, or investigated as a result of issues raised.

Development of the Annual Plan

The development of the annual audit plan is based on information gathered through broad consultation across the University and a formal assessment of existing and emerging risks.  We also do a scan to identify areas of emphasis at relevant federal agencies and use a survey of other research universities regarding the assessment of risks within their institutions. 

External Risk Assessment/Scan of the National Landscape of Higher Education

Regulatory Agencies:  The federal regulatory agencies that have significant involvement with University activities continue to be highly focused on the implementation of the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards issued in December 2014, both internally within the agencies themselves, as well as by their grantees.  Additional refinements to the Guidance are under consideration by the Office of Management and Budget.  Audits of college and university grantees will be focused on subcontracting practices and oversight, compliance with select agent requirements and transfers, export controls, human research participant protections, and general cost compliance.

Research Universities:  Our survey of other research universities found the following items consistently identified as risks warranting governing board attention:  funding, student/campus safety, regulatory compliance, IT governance, cybersecurity, leadership and workforce succession planning, and institutional reputation.

Internal Risk Assessment

As part of the planning process, we held individual discussions with each member of the Board of Regents to identify areas of risk or concern at the governance level for audit consideration.  The risks most often identified in these discussions were Board governance practices, key leadership transitions, and the impact of tuition principles/decisions on affordability and access.  M Health was also raised as potentially presenting risks for the University, as well as opportunities.

We also held discussions with 92 institutional officials from 38 units to solicit input on the University’s institutional risks and any specific areas of concern. Themes which emerged from these discussions included the risks associated with: 1) the local effort needed to adjust to changes resulting from the Enterprise Upgrade for Human Resources and the job family study, 2) the continued direction to cut administrative costs now impacting core academic activities, 3) the potential impact of unionization, and 4) adapting to changes arising from the Human Participant Protection Plan implementation. 

Operational Risk Assessment

Finally, our annual planning process includes re-examining the audit universe to ensure that all university activities are considered when determining how audit resources will be allocated.  We also consider new regulatory developments, new business processes, and institutional priorities and strategic initiatives. 

The Office of Internal Audit continues to utilize a formalized risk assessment methodology in selecting processes/units/systems for inclusion in the annual audit plan.  Relative risk assessment is necessary to provide a basis for the rational deployment of our limited resources across the institution. The risk factors that we considered in prioritizing institutional activities are:

  • Impact on the University’s mission
  • Impact on University finances
  • Assessment of the activity’s control environment
  • Level of compliance concerns
  • Impact of information technology
  • Complexity and/or diversity of the activity
  • Changes in the organization or leadership

Our operational risk assessment resulted in a risk ranking of 180 individual auditable activities, of which 22 are considered to be high risk, 107 moderate risk, and 51 low risk.  A rating of “high-risk” does not mean that the activity is perceived to have control problems, but rather reflects the criticality or centrality of the activity to the University’s mission.

Overall Risk Assessment

In FY 2016 we devoted significant audit attention to centralized business processes to assess the impact of the Enterprise Upgrade on the University’s control environment.  The proposed FY 2017 audit plan provides greater coverage of academic units in response to decanal requests as well as to ensure that the control environments in these units remain stable in light of administrative cost reductions.  The audit plan also continues to provide coverage in Athletics and units impacted by the Human Participant Protection implementation plan.

In selecting specific activities for inclusion in the audit plan, we recognize there are areas of high risk across the University that we have intentionally excluded because 1) the issues are well known and are being addressed by the administration, 2) the activity lacks the necessary maturity for meaningful auditing, or 3) the issues are receiving extensive external review.  Such risks include those associated with M Health, Psychiatry, fetal tissue procurement, and the Healthcare Center of (IT) Excellence.  We will continue to monitor these areas outside of the audit process for indications that audit coverage would be helpful.

Allocation of Audit Resources

The audit plan is based on a planned staffing complement of 16.75 FTE professionals, which is our full complement.

Approximately 54% of the Office of Internal Audit’s resources are committed to the completion of planned audit projects.  This year 6% of those resources will be needed to complete carry-over work from our FY 2016 audit plan.  Five audit projects are currently in process and will be completed in FY 2017.

The remainder of our FY 2017 audit resources is reserved as follows:

  • 11% has been reserved to accommodate requests from the President, the Board, or members of the senior leadership team.  This has been supported by the Audit and Compliance Committee.  The number of hours remains consistent from previous years.
  • 5% has been reserved for investigations.  The number of hours remains consistent from previous years.
  • 4% has been reserved for follow-up procedures performed on behalf of the Audit and Compliance Committee.  The number of hours remains consistent from previous years.
  • 26% has been set aside for internal administrative functions, including our continuous improvement efforts.  This remains fairly consistent with the previous year. 
