Fiscal Year 2026 Audit Plan Details

This year’s allocation of resources is based on our current staffing complement of 15 FTE auditors for Fiscal Year 2026. This is based on being fully staffed with 16 auditors (in addition to the chief auditor) less expected FMLA and paternity/maternity-related leaves. As previously discussed during the June 2024 Audit Plan presentation, and the Fiscal Year 2025 May Audit and Compliance Committee meeting, OIA is updating several annual budgeting and actual metrics to improve transparency. More information regarding the rationale for updating the metrics and a detailed understanding of how the metrics are calculated are included in Appendix C: Metrics Categories and Budgeting Detail (New & Old Calculations).

Table 1: Percent of Audit Resources for FY 2025 (Budget to Actual) outlines where OIA is projected to end Fiscal Year 2025 using the prior docket calculation method, and this budget was presented to the Committee in June 2024. The increase in Administration hours is primarily due to 1) increased use of data analytics and 2) work OIA performed on our Quality Assurance Review. The time to complete this additional administration came from less than budgeted use of time for Investigations and Special Requests; the amount of time spent on Scheduled Audits was as budgeted.

Fiscal Year 2026’s budget is based on more complete and transparent metrics that accounts for all Overhead time (e.g., vacation, holidays, sick time), which was not included in the historic metrics as outlined in the Table 2: FY 2026 Budget and FY 2022-2025 Actuals. Leveraging the new metrics, approximately 53% of time will be spent on assurance work, with 38% committed to the completion of planned audit projects. This budgeted amount aligns with prior years. In addition, this includes 5% of our total hours, which will be needed to complete carry-over work on the 9 audits started in Fiscal Year 2025 that will be completed in Fiscal Year 2026.

The remainder of our Fiscal Year 2026 audit resources are reserved as follows:

• Approximately 4% has been reserved for investigations. The number of hours remains consistent with what was budgeted for in previous years.
• Approximately 7% has been reserved to accommodate special requests and projects including senior leader transition audits,
  SNAP reviews and requests from the President, the Board, or members of the senior leadership team. The number of hours allocated remains consistent with what was budgeted for in previous years.
• Approximately 4% has been reserved for follow-up procedures on outstanding report issues performed on behalf of the Audit and Compliance Committee. The number of hours remains relatively consistent with what was budgeted for and used in previous years.
• Approximately 22% is reserved for general overhead activities (e.g., vacation, holidays, and sick time), which are primarily mandated by University policy and OIA has limited ability to adjust. This is a slight increase from last year due to filling our open positions.
• Approximately 11% is reserved for internal operations (e.g., workpaper tool support, administrative activities, technology support, and ongoing updates to processes to address changes in response to recommendations from the External Quality Assurance Review and updates to Institute of Internal Auditors standards, as further described to the Committee in May 2025, including the establishment of an OIA strategic plan)
• Approximately 13% has been reserved for risk analysis efforts, innovation, process improvements, talent management, and training.

To avoid duplication of work and reduce the burden on University staff, we continue to place reliance on audit-related work performed by other service providers. We have relied on the external audit work performed by CliftonLarsonAllen in areas such as investments, annual external financial reporting, and RUMINCO (the University’s captive insurance company). CliftonLarsonAllen also provided significant coverage of student financial aid as part of its Uniform Guidance Audit, and NCAA Agreed Upon Procedures, which we take into consideration in our risk assessment. We plan to continue to rely on CliftonLarsonAllen’s external audit work going forward. CliftonLarsonAllen remains under contract to provide these external audit services through 2027 with optional annual extensions to 2030. 

We also rely on the audit work performed by external construction audit firms engaged by the University’s Capital Planning and Project Management (CPPM) unit for construction projects that are delivered using the Design/Build or the Construction Manager at Risk delivery methods. We are in agreement with the scope of this audit work and receive and review copies of their reports.

Our audit planning begins with a review of past audit coverage and results. Appendix A: Audit Assessments for FY 2023 – 2025 recaps the audits completed for the last three fiscal years and the resulting overall control assessments. Appendix B: Status of Fiscal Year 2025 Audit Work details progress made on the Fiscal Year 2025 audit plan and other audit work performed. By the end of Fiscal Year 2025, we will have issued 23 audit reports (19 audits & 4 full transition reviews), which is aligned with the 23 audits (13 audits & 10 full transition reviews) we issued in Fiscal Year 2024. In Fiscal Year 2025, we
completed 6 more audits than Fiscal Year 2024 in part by reducing the number of full transition reviews being conducted by implementing limited transition reviews for some senior leader transitions. As discussed with the Committee and the administration, this change reduced the overall Fiscal Year 2025 audit report count but allowed us to reallocate staffing resources to higher priority projects. 

The risk management and control environments of 22% of the Fiscal Year 2025 audit reports received an overall audit rating of “Needs Improvement,” our lowest rating. These results are slightly higher than the Fiscal Year 2024 results of 14% rated “Needs Improvement.” Some of this increase is likely tied to growing control and compliance requirements coupled with long-term decreases in administration funding and turnover, and some is attributable to Fiscal Year 2025 including more audits identified by OIA in audit planning as potentially higher risk. However, overall, 78% of audits were rated as “Good” or “Adequate,” which still demonstrates an overall culture of compliance and risk management.

Additional information regarding work performed by OIA this year:

• Audits In Progress: 1 of the 23 audit reports are in progress and are expected to still be issued this
  fiscal year.
• Audits Completed Next Fiscal Year: 11 audits are in progress but will be completed in Fiscal Year
  2026.
• Transition Reviews: OIA conducts targeted transition reviews when senior leaders leave their roles.
  • Based upon the nature of the role and risk, some of these are audits with full reports, and some are limited reviews narrowly scoped to financial or other arrangements implemented by the outgoing leader. In Fiscal Year 2025 we completed 4 transition reviews with a full report and 3 limited transition reviews. One full transition review, the department of public safety’s chief of police, is currently underway and expected to be issued in Fiscal Year 2026.
• Investigations: 8 investigations into financial or operational misconduct were conducted in
  accordance with the University Policy on Reporting and Addressing Concerns of Misconduct. OIA
  partnered as appropriate with the University of Minnesota Police Department (UMPD), Office of the
  General Counsel, Office of Institutional Compliance, Research Integrity & Compliance, and other
  units.
• Special Projects: OIA performed annual Gift Testing, 1 SNAP review, and 1 limited unit operations review.
• Deferred Audits: There were no deferred audits from Fiscal Year 2025 to Fiscal Year 2026.
• Employee Surveys: 13 employee surveys were sent out to 2,226 participants as part of regular unit audit processes, with a 67% response rate.

OIA’s Charter, approved by the Audit and Compliance Committee and the Board of Regents in October 2023 states, “To provide for the independence of the Office of Internal Audit, the Board of Regents delegates directly to the Chief Auditor the authorities necessary to perform the duties set forth in the mission and scope of work. The Chief Auditor will have full and free access to the Board of Regents leadership and Audit & Compliance Committee,” and “The Office of Internal Audit is to be free from undue influence in the selection of activities to be examined, the audit techniques and procedures to be used, and the reporting of its results.”

There were no incidents during the year in which the independence or scope of internal audit work was restricted by the administration.

Compliance & Enterprise Risk Partners
OIA coordinates its work with other internal units to maximize the breadth and quality of audit coverage provided, as well as to promote prompt attention when University-wide trends are identified. We have established strong working relationships with the University’s compliance partners, including: Risk Integrity and Compliance; the Human Research Protection Program; Health, Safety, & Risk Management; University Information Security; the Health Information Privacy & Compliance Office; and the Office of the General Counsel. We work closely with each of these units during audits involving complex regulatory issues. 

OIA continues to interface regularly with the Office of Institutional Compliance and the Office of General Counsel, and expanded this in Fiscal Year 2025 to include regular meetings with the Enterprise Risk Management (ERM) function, which we will maintain going forward. Input from the General Counsel, Chief Compliance Officer and ERM is also solicited during our annual audit planning. In addition, throughout the year we report to and collaborate with these groups on issues identified during our audits. We also share the results of employee surveys conducted during audits with the Chief Compliance Officer. Along with the Office of Institutional Compliance, the Office of the General Counsel, and the Office of Human Resources we serve on the triage team for managing UReport allegations, the University’s anonymous hotline. We are also working with the Office of Institutional Compliance and ERM to ensure that duplication does not occur between their compliance and risk assessments and our audits. Our offices are committed to sharing information and leveraging each other’s work as appropriate to optimize resource usage and reduce impact on units involved.

Policy & Process Owners

Audit results are shared with policy owners and central support units such as the Office of Information Technology, Sponsored Projects Administration, the Controller’s Office, and the Office of Human Resources when policy noncompliance or the need for process enhancements are identified. In addition, best practices identified in local unit audits are shared with these central unit process owners for consideration of broader adoption. We also have regular meetings with leadership and other representatives from these offices to discuss audit results and trends, changes in regulations, policy interpretations, etc.

OIA is committed to providing educational opportunities to our staff in order to continually enhance our audit knowledge and abilities. Ever-changing government regulations, new technologies, and new developments in auditing principles and methods dramatically affect not only what we audit, but how we audit. We strive to stay abreast of new developments and improve our audit proficiency to enhance the overall quality of our audits. To accomplish this, we pursue a variety of methods to continue our staff’s professional education. Our memberships with the Institute of Internal Auditors, the Association of College and University Auditors (ACUA), the Association of Certified Fraud Examiners (ACFE), the American Institute of Certified Public Accountants (AICPA), and the Information Systems Audit and Control Association (ISACA) provide staff members the opportunity to attend seminars and conferences that specifically address cu rent issues and techniques in internal auditing. The interaction of our staff members with their peers through these professional organizations helps to keep us up-to-date on the latest auditing trends and issues affecting higher education.

In the first 10 months of Fiscal Year 2025, OIA provided approximately 1,550 hours of formal and informal training. For Fiscal Year 2026, 1,250 hours have been budgeted for staff training. This ongoing training provides the continuing professional development required to maintain the staff’s professional credentials.

All but three of our internal audit staff are professionally credentialed and/or hold advanced degrees. The remaining three are working towards obtaining their certifications or have been recently promoted and are considering which certifications they would like to achieve. The number and combinations of certifications held by staff demonstrates a high-level of competency in the skills needed to provide quality audit work in the University’s complex environment.

OIA conducts its work in accordance with the Institute of Internal Auditors’ Standards for the Professional Practice of Internal Auditing (IIA Standards). All audit staff are also required to comply with the Institute’s Code of Ethics for Internal Auditors. 

The IIA updated these standards with the changes effective January of 2025. As described to the Committee in May 2025, we reviewed these changes in Fiscal Year 2025 and are in the process of incorporating updates to our internal processes and key documents after the completion of our external Quality Assurance Review performed this past year (as detailed below).

IIA Topical Standards
The IIA is introducing Topical Requirements, a mandatory component of its global professional standards, designed to ensure consistent and high-quality internal audits of specific, critical risk areas. These requirements provide a baseline for assessing governance, risk management, and control processes for designated
topics. These standards are still in draft and expected to be rolled out in calendar year 2026. OIA is contin ing to adapt its methodologies and ensure staff are prepared to apply these focused standards.

We have an established internal quality assurance program within the OIA. This program is structured around the robust supervision of audit staff and their work products and is supplemented with peer quality assessments. In addition, internal practices and tools are routinely evaluated for their effectiveness and efficiency and changes are made when potential improvements are identified. Our quality assurance measures throughout the year confirmed our practices met the requirements of our professional IIA Standards.

IIA Standards require our audit practice to undergo an external quality assurance review every five years. OIA underwent an external Quality Assessment Review (QAR) in Fiscal Year 2025, with the validation conducted by an external team of audit and risk executives from peer institutions. The primary objective was to verify OIA's conformity with IIA Standards and Code of Ethics for Internal Auditors. The external assessment team agreed with OIA's self-assessment, concluding that the internal audit function "Generally Conforms" with the IIA Standards and Code of Ethics for Internal Auditors. This is the highest rating achievable and signifies that OIA’s charter, policies, procedures, and practices are judged to be in accordance with IIA Standards.

As described in presentations to the Committee in December 2024 and May 2025, the QAR identified several strengths of OIA, including its role as a valued partner, its independence and objectivity, highly respected leadership, and skilled audit team. The report also highlighted OIA's robust audit plan development process and strong commitment to continuous improvement. Opportunities for further enhancement were noted in areas such as modifications to OIA’s charter, developing a strategic plan, communications and outreach, reporting of audit results, performance management, and the use of technology. OIA’s work on addressing these improvements was detailed in a presentation to the Committee in May 2025, but two areas to highlight are planned Amendments to the Audit Charter and Strategic Planning:

Amendments to the Audit Charter
OIA’s proposed Audit Charter updates are being presented to the Audit & Compliance Committee in June for Committee and Board Approval. Changes to the charter were made primarily to align with the new IIA Standards issued in January 2025.

Office of Internal Audit Strategic Planning
In Fiscal Year 2026, OIA will develop a department strategic plan incorporating the University’s strategic plan, information gathered from broad consultations across the University, an assessment of existing opportunities to improve operational activities, a review of areas emphasized by the QAR, and surveys of other research universities. The development and implementation of this strategy, and associated project plan, will continue to evolve as the University’s strategic plan progresses.

Our fully staffed office currently includes the chief auditor and 16 other positions: 9 financial/operational auditors, 2 IT auditors, 1 senior data analyst, 1 associate audit director, and 3 audit directors. While budgeted for a full complement of 16 positions in Fiscal Year 2026, OIA anticipates operating with the equivalent of 15 full-time staff hours due to staff turnover and onboarding and extended medical and parental leaves.

OIA reallocations from Fiscal Year 2022 and Fiscal Year 2023 were restored for Fiscal Year 2023 to partially address a longstanding structural deficit, but our allocation was reduced by small amounts in Fiscal Year 2024 and Fiscal Year 2025, and is proposed to be reduced again in Fiscal Year 2026. These reductions are consistent with those asked of all University units. However, we have no alternative revenue sources available and 95% of our expenses are salaries. In consultation with management and Board leadership, we plan to use carryforward balances accrued through previous years’ salary savings associated with turnover to fund expected operational deficits in Fiscal Year 2026. We plan to continue discussions with the administration on options for long-term funding solutions for a balanced budget.

We are receiving preliminary funding for a 3% compensation increase and a 1% increase for market adjustments, which is consistent with the administration’s expected pay plans. We appreciate the thoughtful budgeting process and the continued financial and operational support we receive from the administration.

Additional details related to OIA’s budget and resources were reviewed by Committee leadership in alignment with IIA Standards.