Allocation of Audit Resources
This year's allocation of resources is based on our current staffing complement of 13.5 FTE auditors, and an assumption that we will hire our two open auditor positions by January 2025, for a total of 14.5 FTE auditors for FY 2025 (see FY 2025 Staffing below for more details).
At 14.5 FTEs, approximately 62% of the Office of Internal Audit’s resources will be committed to the completion of planned audit projects. This year 10% of our total available hours will be needed to complete carry-over work on the eight audits started in FY 2024 that will be reported in FY 2025.
The remainder of our FY 2025 audit resources is reserved as follows:
- 6% has been reserved for investigations. The number of hours remains consistent with previous years.
- 13% has been reserved to accommodate special requests and projects including senior leader transition audits, SNAP reviews and requests from the President, the Board, or members of the senior leadership team. The number of hours remains consistent with the previous year.
- 6% has been reserved for follow-up procedures on outstanding report issues performed on behalf of the Audit and Compliance Committee. The number of hours remains consistent with previous years.
- 13% of our resources have been allocated for internal administrative functions, such as staff oversight, hiring and onboarding; annual audit planning; data analytics; and other continuous improvement efforts. While last year we spent 19% on administration this was a decrease from 25% in FY 2023 and we expect this number to continue to decrease as we continue to stabilize post a higher period of turnover, which necessitated significant time investment in hiring and onboarding.
Reliance on Other Providers
To avoid duplication of work and reduce burden on University staff, we continue to place reliance on audit-related work performed by other service providers. We have relied on the external audit work performed by Deloitte, LLP in the areas of investments, annual external financial reporting, and RUMINCO (the University’s captive insurance company). Deloitte, LLP historically also provided significant coverage of student financial aid as part of its Uniform Guidance Audit, and NCAA Agreed Upon Procedures, which we take into consideration in our risk assessment. We plan to continue to rely on external audit work going forward, which will now be provided by CliftonLarsonAllen, LLP who in December 2023 was selected to provide these services to the University following a competitive review process. CliftonLarsonAllen, LLP is under contract to provide these external audit services through 2027 with optional annual extensions to 2030.
We also rely on the audit work performed by external construction audit firms engaged by the University’s Capital Planning and Project Management (CPPM) unit for construction projects that are delivered using the Design/Build or the Construction Manager at Risk delivery methods. We are in agreement with the scope of this audit work and receive and review copies of their reports.
Recap of FY 2024 Annual Audit Plan
Our audit planning begins with a review of past audit coverage and results. Appendix A recaps the audits completed for the last three fiscal years and the resulting overall control assessments. Appendix B details progress made against the FY 2024 audit plan and other audit work performed. To date, we have completed 23 audits in FY 2024, which is consistent with the 24 audits we issued in FY 2023. The risk management and control environments of 14% of the audit reports that received overall audit ratings were rated as "Needs Improvement." The remaining 86% of audits were rated "Good" or "Adequate." These results are also consistent with FY 2023 results, which continues to demonstrate an overall culture of compliance and risk management throughout the University.
In addition to the 23 audits completed:
- Audits in Progress: 2 audits are currently in progress, but we expect these to still be completed in FY 2024.
- Completed Next FY: 9 audits are in progress and will be completed in FY 2025.
- SNAP Reviews: 2 SNAP reviews were issued.
- Deferred Audits: 1 audit from the FY 2024 audit plan was deferred to FY 2025 and 1 audit was replaced.
- Audits Deferred to FY 2025: Student Affairs Care Team
- Replacement Audit Work: Data Management replaced Minnesota Supercomputing Institute
- Employee Surveys: 12 employee surveys were sent out to 484 participants as part of regular unit audit processes, with a 60% response rate. Additionally, approximately 7,300 process specific surveys were sent to principal investigators (PIs) as part of the Effort Management audit, which had a 32% response rate.
- Investigations: 11 investigations into financial or operational misconduct were conducted in accordance with the University Policy on Reporting and Addressing Concerns of Misconduct. OIA partnered as appropriate with the University of Minnesota Police Department (UMPD), Office of the General Counsel, Office of Institutional Compliance, Research Intelligence & Compliance Team, and other units as needed.
Independence
Coordination with Other Internal University Resources and Initiatives
Compliance Partners
The Office of Internal Audit coordinates its work with other internal units to maximize the quality of audit coverage provided, as well as to promote prompt attention when University-wide trends are identified. We have established strong working relationships with the University’s compliance partners, including: Risk Integrity and Compliance; the Human Research Protection Program; Health, Safety & Risk Management (including their Enterprise Risk Management function); University Information Security, the Health Information Privacy & Compliance Office; and the Office of the General Counsel. We work closely with each of these units during audits involving complex regulatory issues.
The Office of Internal Audit interfaces regularly with the Office of Institutional Compliance and we serve on the Executive Compliance Oversight Committee. Input from the Compliance Officer is also solicited during our annual audit planning. In addition, throughout the year we report to and collaborate with the Chief Compliance Officer on issues identified during our audits. We also share the results of employee surveys conducted during audits with the Chief Compliance Officer. Along with the Office of Institutional Compliance, we serve on the triage team for managing UReport, the University’s anonymous hotline. We are also working with the Office of Institutional Compliance to ensure that duplication does not occur between their risk assessments and audits. Both offices are committed to sharing information and leveraging each other’s work as appropriate to optimize resource usage and reduce impact on units involved. Finally, we continue to meet regularly with the interim Chief Compliance Officer and will continue to provide support to the Office of Institutional Compliance as they review their processes and prepare to hire a permanent Chief Compliance Officer.
Policy & Process Owners
Audit results are shared with policy owners and central support units such as the Office of Information Technology, Sponsored Projects Administration, the Controller’s Office, and the Office of Human Resources when policy noncompliance or the need for process enhancements are identified. In addition, best practices identified in local unit audits are shared with these central unit process owners for consideration of broader adoption. We also have regular meetings with leadership and other representatives from these offices to discuss audit results and trends, changes in regulations, policy interpretations, etc.
Enterprise Risk Management and PEAK Initiatives
Enterprise Risk Management (ERM) and Positioned for Excellence, Alignment and Knowledge (PEAK) are two major initiatives with current and future impacts to the audit function in the years ahead.
In FY 2024 we helped coordinate with the ERM function the Audit & Compliance Committee's review of an updated Institutional Risk Profile, in alignment with Board policy assigning the Committee oversight of ERM. As noted above, we continue to work to ensure our audit plan remains in alignment with the highest risks identified through this process. In addition, ERM provided updates on their initial risk analyses to the Committee in May 2024. We expect ERM will work with University leadership and the Audit and Compliance Committee to periodically update the Institutional Risk Profile and we will ensure our audit work remains in alignment. In addition, we expect ERM to provide additional updates to the Committee on their structure and risk analyses as their processes mature.
The Chief Auditor is a member of the PEAK Steering Committee, which helps us ensure we stay abreast of the status of the initiative. As PEAK implementation continues and streamlines administrative activities, it will continue to affect various process audits, risk levels and audit scoping in some unit audits. It will also continue to impact the timelines of issue remediation as units elect to resolve issues identified in audits as part of broader PEAK efforts. In FY 2023 OIA implemented a regular report as part of our Internal Audit Activity update detailing issues management identified would be addressed as part of changes associated with PEAK. We continue to update and maintain this document and regularly present it to the Committee as part of regular Internal Audit Updates. As PEAK is more fully implemented, we will also consider adjusting our audit work to ensure ongoing optimization of audit coverage; we will keep the Committee informed of any significant trends as they emerge.
Staff Development Qualifications and Professional Involvement
The Office of Internal Audit is committed to providing educational opportunities to our staff in order to continually enhance our audit knowledge and abilities. Ever-changing government regulations, new technologies, and new developments in auditing principles and methods dramatically affect not only what we audit, but how we audit. We strive to stay abreast of new developments and improve our audit proficiency to enhance the overall quality of our audits. To accomplish this, we pursue a variety of methods to continue our staff's professional education. Our memberships with the Institute of Internal Auditors (IIA), the Association of College and University Auditors (ACUA), the Association of Certified Fraud Examiners (ACFE), the American Institute of Certified Public Accountants (AICPA), and the Information Systems Audit and Control Association (ISACA) provide staff members the opportunity to attend seminars and conferences that specifically address current issues and techniques in internal auditing. The interaction of our staff members with their peers through these professional organizations helps to keep us up‑to‑date on the latest auditing trends and issues affecting higher education.
In the first 9 months of FY 2024, the Office of Internal Audit provided approximately 1,100 hours of formal and informal training. For FY 2025, 1,160 hours have been budgeted for staff training. This ongoing training also provides the continuing professional development required to maintain the staff's professional credentials.
All but three of our internal audit staff are professionally credentialed or hold advanced degrees,. The remaining three have either been with OIA less than a year or are in the process of obtaining credentials. The number and combinations of certifications held by staff demonstrates a high-level of competency in the skills needed to provide quality audit work in the University’s complex environment.
Professional Standards
Internal Quality Assurance Program
External Quality Assurance Review
Office of Internal Audit FY 2025 Staffing
When fully staffed we have 16 auditors (9 financial/operational auditors, 2 IT auditors, 1 senior data analyst, 1 associate audit director, and 3 audit directors) in addition to the Chief Auditor. OIA experienced an unusually high level of turnover in FY 2022 and 2023, but this has somewhat stabilized in FY 2024 with the loss of only two auditors. While the market for auditors remains challenging, we are currently recruiting both the open IT auditor and financial auditor positions with the assistance of the Office of Human Resources' Talent Acquisition team. Our Audit Plan is built with the expectation that we will have hired both these positions by January 2025.