University of Minnesota
University of Minnesota
Office of Internal Audits
For reporting misconduct:     UReport »
West Bank Office Building

University of Minnesota

Office of Internal Audit

1300 S 2nd St, Suite 510
Minneapolis, MN 55454

612-625-1368 (phone)
612-625-1512 (fax)

Internal Audit Annual Plan

Purpose of the Annual Plan

The annual internal audit plan is intended to convey a current sense of the University's internal control environment and the extent to which institutional risk mitigation is being assessed by regular audit activities, addressed proactively through advisory services, or investigated as a result of reported concerns.

The plan also includes information that demonstrates our acountability for our resources and our ongoing efforts to continually improve the University's internal audit program.

Back to top

Development of the FY 2020 Annual Plan

The development of the annual audit plan is based on information gathered through broad consultation across the University and a formal assessment of existing and emerging risks.  We also do a scan to identify areas of emphasis at relevant federal agencies and survey other research universities regarding the assessment of risks within their institutions. Below is a chart that illustrates the approach that was taken in developing the audit plan:

External Risk Assessment/Scan of the National Landscape of Higher Education

Regulatory Agencies:  The majority of the audit work undertaken by the Inspector Generals of the National Institute of Health (NIH) and the National Science Foundation (NSF) have focused on sub-recipient monitoring, and specifically the due diligence performed on international sub-recipients. Agencies are also scrutinizing award close-outs and end-of-award spending very closely. Some enforcement actions have been taken against Universities on the calculation and application of indirect cost rates and the allocation of procurement rebates to sponsored accounts. The area currently receiving the most attention by federal agencies is their growing concern regarding undue foreign influence on university campuses.

Research Universities:  Risks identified in our survey of other research universities found common themes around risks associated with research conducted off shore, cybersecurity, and disruptive technologies especially on-line education/learning strategies. Several noted concerns regarding admission processes; some arising from a recent highly publicized admission fraud, while others focused on the impact of changing demographics on enrollment goals, etc. Surprisingly, none identified state funding as a current risk -- it appears that reduced funding has moved into a status as the "new normal." The risks associated with performance-based funding did appear for the first time.

Internal Risk Assessment Approach

We held discussions with 75 institutional officials from 40 units to solicit input on the University’s institutional risks and any specific areas of concern. Themes identified include President and other Senior Leader transitions, mental health, aging facilities, and the reorganization of the former Academic Health Center.

We also reviewed the Insitutional Risk Profile as well as Board of Regents meeting agendas for topics of interest at the governance level.

Operational Risk Assessment

Our annual planning process includes re-examining the University's "audit universe" to ensure that all University activities are considered when determining how audit resources can best be allocated.  We also consider new regulatory developments, new business processes, and institutional priorities and strategic initiatives. 

The Office of Internal Audit continues to utilize a formalized risk assessment methodology in selecting processes/units/systems for inclusion in the annual audit plan.  Relative risk assessment is necessary to provide a basis for the rational deployment of our limited resources across the institution. The risk factors that we considered in prioritizing institutional activities are:

  • Impact on the University’s mission
  • Impact on University finances
  • Assessment of the activity’s control environment
  • Level of compliance concerns
  • Impact of information technology
  • Complexity and/or diversity of the activity
  • Changes in the organization or leadership

Our operational risk assessment resulted in a risk ranking of 177 individual auditable activities, of which 24 are considered to be high-risk, 108 moderate-risk, and 45 low-risk.  A rating of “high-risk” does not mean that the activity is perceived to have control problems, but rather reflects the criticality or centrality of the activity to the University’s mission.

Back to top

Overall Risk Focus and Impact on the FY 2020 Audit Plan

Our proposed internal audit plan for FY 2020 focuses on activities that impact campus safety, campus climate and the student experience. Audit work is also planned to assess controls to mitigate the occurrence of undue foreign influence. Selected academic units and operational areas are also included in the plan to maintain reasonable cycles of audit coverage.

We are approaching the audit plan with an expectation that flexibility may be needed to accommodate the needs of President-Designate Gabel as she joins the University and becomes more knowledgeable about its risks and their mitigation.

Additionally, President-Designate Gabel has expressed a preference for transition audits to be performed when senior leaders turnover. We will plan and make resource allocations for these audits as transitions occur.

Back to top