Annual Plan Overview

Fiscal Year 2024 Internal Audit Annual Plan

Purpose of the Annual Plan

The annual audit plan is intended to convey a current sense of the University's internal control environment and the extent to which institutional risk mitigation is being assessed by regular audit activities, addressed proactively through advisory services, or investigated as a result of reported concerns.

The plan also includes information that demonstrates the Office of Internal Audit's (OIA's) accountability for our resources and our ongoing efforts to continually improve the University's internal audit program.

Development of the FY 2024 Annual Audit Plan

The development of the annual audit plan is based on information gathered through broad consultation across the University and a formal assessment of existing and emerging risks.  We also do a scan to identify areas of emphasis at relevant federal agencies and survey other research universities regarding the assessment of risks within their institutions. Below is a chart that illustrates the approach that was taken in developing the audit plan:

Approach taken to develop the Audit Plan for FY 2023

External Risk Assessment/Scan of the National Landscape of Higher Education

Regulatory Agencies: The areas receiving the most attention from federal agencies continue to be: research data security, management, reporting and sharing; and foreign influence and recruiting.

Research Universities: Our survey of other research universities found common themes around risks associated with: cybersecurity; recent and expected expansion of federal research data security requirements; campus safety and crisis preparedness; financial impacts associated with inflation and declining state support; enrollments; safety of minors; and leadership and other staffing changes and challenges. Several also noted concerns regarding: diversity, equity, inclusion & belonging (DEIB); student mental health challenges; and the continually changing NCAA landscape, including Name, Image, and Likeness (NIL) guidance.

Internal Risk Assessment Approach

We held discussions with 120 institutional officials and Regents from 57 units to solicit input on the University’s institutional risks and any specific areas of concern. Themes identified include: changes to healthcare partnerships; leadership transitions; staffing changes and challenges; campus safety; cybersecurity; DEIB; enrollment and finances; PEAK implementation; federal data sharing and management; aging infrastructure; and impacts of changes in NCAA and NIL guidance and requirements.

We also reviewed the Institutional Risk Profile (established in 2018) as well as Board of Regents meeting agendas for topics of interest at the governance level.

Operational Risk Assessment

Our annual audit planning process includes re-examining the University’s “audit universe” to ensure that all University activities are considered when determining how audit resources can best be allocated. We also consider new regulatory developments, new business processes, and institutional priorities and strategic initiatives.

The Office of Internal Audit continues to utilize a formalized risk assessment methodology in selecting processes/units for inclusion in the annual audit plan. Relative risk assessment is necessary to provide a basis for the rational deployment of our limited resources across the institution. The risk factors considered in prioritizing institutional activities include:

  • Impact on the University’s mission
  • Impact on University finances
  • Assessment of the activity’s control environment
  • Level of compliance concerns
  • Impact of information technology
  • Complexity and/or diversity of the activity
  • Changes in the organization or leadership

Our operational risk assessment resulted in a risk ranking of 175 individual auditable units, of which 24 are considered to be high-risk, 110 moderate-risk, and 41 low-risk. A rating of “high-risk” does not mean that the activity is perceived to have control problems, but rather reflects the inherent risk associated with the criticality and/or centrality of the unit to the University's mission.

Overall Risk Focus and Impact on the FY 2024 Audit Plan

Our proposed internal audit plan for FY 2024 includes coverage of key risks and areas of interest including: enrollment and finances, information security and data management, athletics, campus safety, and impacts of inflation and staffing issues on units' operations. Selected academic units and operational areas are also included in the plan to maintain reasonable cycles of audit coverage. In addition, other audit work will be performed to address risks associated with senior leader transitions, healthcare partnerships, PEAK implementation, or other areas as the needs arise.

In selecting areas for audit coverage, we were mindful of the risks included in the 2018 Institutional Risk Profile as well as the goals laid out in the MPact 2025 strategic plan. As applicable, we will continue to blend MPact 2025 goals into our work and highlight in our reporting how units and processes align with MPact 2025. We also recognize the importance of Diversity, Equity, Inclusion, and Belonging (DEIB) for creating a positive environment at the University and our community.  We have worked to blend DEIB reviews into our audit work, including incorporating it into regular unit audit programs and surveys.