Details

Allocation of Audit Resources

This year's allocation of resources is based on our current staffing complement of 13.5 FTE auditors, and an assumption that we will hire our two open auditor positions by January 2025, for a total of 14.5 FTE auditors for FY 2025 (see FY 2025 Staffing below for more details).   

At 14.5 FTEs, approximately 62% of the Office of Internal Audit’s resources will be committed to the completion of planned audit projects. This year 10% of our total available hours will be needed to complete carry-over work on the eight audits started in FY 2024 that will be reported in FY 2025.  

The remainder of our FY 2025 audit resources is reserved as follows:

  • 6% has been reserved for investigations. The number of hours remains consistent with previous years.
  • 13% has been reserved to accommodate special requests and projects including senior leader transition audits, SNAP reviews and requests from the President, the Board, or members of the senior leadership team.  The number of hours remains consistent with the previous year.
  • 6% has been reserved for follow-up procedures on outstanding report issues performed on behalf of the Audit and Compliance Committee. The number of hours remains consistent with previous years. 
  • 13% of our resources have been allocated for internal administrative functions, such as staff oversight, hiring and onboarding; annual audit planning; data analytics; and other continuous improvement efforts.  While last year we spent 19% on administration this was a decrease from 25% in FY 2023 and we expect this number to continue to decrease as we continue to stabilize post a higher period of turnover, which necessitated significant time investment in hiring and onboarding.   
2025 Audit Resources

 

Expand all

Reliance on Other Providers

To avoid duplication of work and reduce burden on University staff, we continue to place reliance on audit-related work performed by other service providers. We have relied on the external audit work performed by Deloitte, LLP in the areas of investments, annual external financial reporting, and RUMINCO (the University’s captive insurance company). Deloitte, LLP historically also provided significant coverage of student financial aid as part of its Uniform Guidance Audit, and NCAA Agreed Upon Procedures, which we take into consideration in our risk assessment.  We plan to continue to rely on external audit work going forward, which will now be provided by CliftonLarsonAllen, LLP who in December 2023 was selected to provide these services to the University following a competitive review process.  CliftonLarsonAllen, LLP is under contract to provide these external audit services through 2027 with optional annual extensions to 2030.  

We also rely on the audit work performed by external construction audit firms engaged by the University’s Capital Planning and Project Management (CPPM) unit for construction projects that are delivered using the Design/Build or the Construction Manager at Risk delivery methods. We are in agreement with the scope of this audit work and receive and review copies of their reports.

Recap of FY 2024 Annual Audit Plan

Our audit planning begins with a review of past audit coverage and results. Appendix A recaps the audits completed for the last three fiscal years and the resulting overall control assessments.  Appendix B details progress made against the FY 2024 audit plan and other audit work performed.  To date, we have completed 23 audits in FY 2024, which is consistent with the 24 audits we issued in FY 2023.  The risk management and control environments of 14% of the audit reports that received overall audit ratings were rated as "Needs Improvement." The remaining 86% of audits were rated "Good" or "Adequate." These results are also consistent with FY 2023 results, which continues to demonstrate an overall culture of compliance and risk management throughout the University.

In addition to the 23 audits completed:

  • Audits in Progress:  2 audits are currently in progress, but we expect these to still be completed in FY 2024. 
  • Completed Next FY:  9 audits are in progress and will be completed in FY 2025.
  • SNAP Reviews:  2 SNAP reviews were issued.
  • Deferred Audits:  1 audit from the FY 2024 audit plan was deferred to FY 2025 and 1 audit was replaced.
    • Audits Deferred to FY 2025: Student Affairs Care Team
    • Replacement Audit Work: Data Management replaced Minnesota Supercomputing Institute 
  • Employee Surveys:  12 employee surveys were sent out to 484 participants as part of regular unit audit processes, with a 60% response rate.  Additionally, approximately 7,300 process specific surveys were sent to principal investigators (PIs) as part of the Effort Management audit, which had a 32% response rate.
  • Investigations:  11  investigations into financial or operational misconduct were conducted in accordance with the University Policy on Reporting and Addressing Concerns of Misconduct.  OIA partnered as appropriate with the University of Minnesota Police Department (UMPD), Office of the General Counsel, Office of Institutional Compliance, Research Intelligence & Compliance Team, and other units as needed.  

Independence

The Office of Internal Audit’s Charter, approved by the Audit and Compliance Committee and the Board of Regents in October 2023 states, "To provide for the independence of the Office of Internal Audit, the Board of Regents delegates directly to the Chief Auditor the authorities necessary to perform the duties set forth in the mission and scope of work.  The Chief Auditor will have full and free access to the Board of Regents leadership and the Audit & Compliance Committee," and "The Office of Internal Audit is to be free from undue influence in the selection of activities to be examined, the audit techniques and procedures to be used, and the reporting of its results.”

There were no incidences during the year in which the independence or scope of internal audit work was restricted by the administration.

Coordination with Other Internal University Resources and Initiatives

Compliance Partners

The Office of Internal Audit coordinates its work with other internal units to maximize the quality of audit coverage provided, as well as to promote prompt attention when University-wide trends are identified. We have established strong working relationships with the University’s compliance partners, including: Risk Integrity and Compliance; the Human Research Protection Program; Health, Safety & Risk Management (including their Enterprise Risk Management function); University Information Security, the Health Information Privacy & Compliance Office; and the Office of the General Counsel. We work closely with each of these units during audits involving complex regulatory issues. 

The Office of Internal Audit interfaces regularly with the Office of Institutional Compliance and we serve on the Executive Compliance Oversight Committee.  Input from the Compliance Officer is also solicited during our annual audit planning.  In addition, throughout the year we report to and collaborate with the Chief Compliance Officer on issues identified during our audits. We also share the results of employee surveys conducted during audits with the Chief Compliance Officer. Along with the Office of Institutional Compliance, we serve on the triage team for managing UReport, the University’s anonymous hotline. We are also working with the Office of Institutional Compliance to ensure that duplication does not occur between their risk assessments and audits. Both offices are committed to sharing information and leveraging each other’s work as appropriate to optimize resource usage and reduce impact on units involved. Finally, we continue to meet regularly with the interim Chief Compliance Officer and will continue to provide support to the Office of Institutional Compliance as they review their processes and prepare to hire a permanent Chief Compliance Officer.

Policy & Process Owners

Audit results are shared with policy owners and central support units such as the Office of Information Technology, Sponsored Projects Administration, the Controller’s Office, and the Office of Human Resources when policy noncompliance or the need for process enhancements are identified. In addition, best practices identified in local unit audits are shared with these central unit process owners for consideration of broader adoption. We also have regular meetings with leadership and other representatives from these offices to discuss audit results and trends, changes in regulations, policy interpretations, etc.

Enterprise Risk Management and PEAK Initiatives

Enterprise Risk Management (ERM) and Positioned for Excellence, Alignment and Knowledge (PEAK) are two major initiatives with current and future impacts to the audit function in the years ahead.  

In FY 2024 we helped coordinate with the ERM function the Audit & Compliance Committee's review of an updated Institutional Risk Profile, in alignment with Board policy assigning the Committee oversight of ERM.  As noted above, we continue to work to ensure our audit plan remains in alignment with the highest risks identified through this process.  In addition, ERM provided updates on their initial risk analyses to the Committee in May 2024.  We expect ERM will work with University leadership and the Audit and Compliance Committee to periodically update the Institutional Risk Profile and we will ensure our audit work remains in alignment.  In addition, we expect ERM to provide additional updates to the Committee on their structure and risk analyses as their processes mature.  

The Chief Auditor is a member of the PEAK Steering Committee, which helps us ensure we stay abreast of the status of the initiative.  As PEAK implementation continues and streamlines administrative activities, it will continue to affect various process audits, risk levels and audit scoping in some unit audits.  It will also continue to impact the timelines of issue remediation as units elect to resolve issues identified in audits as part of broader PEAK efforts.  In FY 2023 OIA implemented a regular report as part of our Internal Audit Activity update detailing issues management identified would be addressed as part of changes associated with PEAK.  We continue to update and maintain this document and regularly present it to the Committee as part of regular Internal Audit Updates.  As PEAK is more fully implemented, we will also consider adjusting our audit work to ensure ongoing optimization of audit coverage; we will keep the Committee informed of any significant trends as they emerge.

 

Staff Development Qualifications and Professional Involvement

The Office of Internal Audit is committed to providing educational opportunities to our staff in order to continually enhance our audit knowledge and abilities. Ever-changing government regulations, new technologies, and new developments in auditing principles and methods dramatically affect not only what we audit, but how we audit. We strive to stay abreast of new developments and improve our audit proficiency to enhance the overall quality of our audits. To accomplish this, we pursue a variety of methods to continue our staff's professional education.  Our memberships with the Institute of Internal Auditors (IIA), the Association of College and University Auditors (ACUA), the Association of Certified Fraud Examiners (ACFE), the American Institute of Certified Public Accountants (AICPA), and the Information Systems Audit and Control Association (ISACA) provide staff members the opportunity to attend seminars and conferences that specifically address current issues and techniques in internal auditing. The interaction of our staff members with their peers through these professional organizations helps to keep us up‑to‑date on the latest auditing trends and issues affecting higher education.

In the first 9 months of FY 2024, the Office of Internal Audit provided approximately 1,100 hours of formal and informal training. For FY 2025, 1,160 hours have been budgeted for staff training.  This ongoing training also provides the continuing professional development required to maintain the staff's professional credentials.

All but three of our internal audit staff are professionally credentialed or hold advanced degrees,.  The remaining three have either been with OIA less than a year or are in the process of obtaining credentials.  The number and combinations of certifications held by staff demonstrates a high-level of competency in the skills needed to provide quality audit work in the University’s complex environment.

2025 Staff Certifications

 

Professional Standards

The Office of Internal Audit conducts its work in accordance with the Institute of Internal Auditors’ Standards for the Professional Practice of Internal Auditing. All audit staff are also required to comply with the Institute’s Code of Conduct for Internal Auditors.

The Institute of Internal Audit is in the process of updating these Standards with the changes scheduled to go into effect in January 2025.  We plan to review these changes in FY 2025 and make any necessary updates to our internal processes and key documents after the completion of our External Quality Assurance Review.  We will keep the Committee apprised of any pertinent changes to our processes and/or updates that may be required to the Office of Internal Audit's Charter.

Internal Quality Assurance Program

We have established an internal quality assurance program within the Office of Internal Audit. This program is structured around the robust supervision of audit staff and their work products and are supplemented with peer quality assessments. In addition, internal practices and tools are routinely evaluated for their effectiveness and efficiency and changes are made when potential improvements are identified. Our quality assurance measures throughout the year confirmed our practices met the requirements of our professional Standards.

External Quality Assurance Review

Our professional standards require that our audit practice undergo an external quality assurance review every five years. Our most current external review was conducted in January 2020 and determined that 1) our work was in full compliance with the Standards, and 2) University management and the Board of Regents can appropriately rely on the assurance provided by the work performed by OIA. The review team commended the department for maintaining a very strong internal audit function that provides valued assurance services to a dynamic, diverse and complex institution. Our next external quality assurance review will be completed in FY 2025, with the external review team tentatively scheduled to be on campus in October 2024.

Office of Internal Audit FY 2025 Staffing

When fully staffed we have 16 auditors (9 financial/operational auditors, 2 IT auditors, 1 senior data analyst, 1 associate audit director, and 3 audit directors) in addition to the Chief Auditor.  OIA experienced an unusually high level of turnover in FY 2022 and 2023, but this has somewhat stabilized in FY 2024 with the loss of only two auditors.  While the market for auditors remains challenging, we are currently recruiting both the open IT auditor and financial auditor positions with the assistance of the Office of Human Resources' Talent Acquisition team.  Our Audit Plan is built with the expectation that we will have hired both these positions by January 2025.  

Office of Internal Audit Budget Status

The Office of Internal Audit reallocations from FY 2022 and FY 2023 were restored for FY 2023 to partially address a longstanding structural deficit, but our allocation will be reduced again in FY 2024  and FY 2025.  These reductions are consistent with those asked of all University units.  However, we have no alternative revenue sources available and 95% of our expenses are salaries.  In consultation with management and Board leadership, we plan to use carryforward balances accrued through previous years' salary savings associated with turnover to fund expected operational deficits in FY 2025.  We plan to continue discussions with the administration on options for long-term funding solutions for a balanced budget.

We are receiving preliminary funding for a 3.00 % merit pool compensation increase, which is consistent with the administration's expected pay plans.  

We appreciate the thoughtful budgeting process, and the continued financial and operational support we receive from the administration.