Annual Plan Overview

Fiscal Year 2026 Audit Plan

Purpose of the Annual Plan

The purpose of the internal audit annual plan is to opine on the University's current internal control environment and explain how institutional risks are managed through assessment by regular audits, proactive mitigation via advisory services, and investigation of reported concerns.

The plan also includes information that demonstrates the Office of Internal Audit’s (OIA’s) accountability for our resources and our ongoing efforts to continually improve the University’s internal audit program.

Development of the FY 2026 Annual Audit Plan

The development of the annual audit plan is based on information gathered through broad consultation across the University and a formal assessment of existing and emerging risks. We also do a scan to identify areas of emphasis at relevant federal agencies and survey other research universities regarding the assessment of risks within their institutions. Below is a chart that illustrates the approach that was taken in developing the audit plan:

A visual depiction of the steps in developing the 2026 Audit Plan. Information Gathering, Risk Analysis, Audit Plan Development, and Communication are listed as the main steps of developing the audit plan.

External Risk Assessment/Scan of the National Landscape of Higher Education

Regulatory Agencies: Key risks receiving attention from federal agencies continue to be: Cybersecurity and Data Protection; IT Modernization; Improper Payments and Financial Management; and Human Capital and Workforce Challenges.

Research Universities: Risks identified in our survey of other research universities found common themes including:

  • University Operations & Administration
    • Cybersecurity & Data Privacy (breaches, ransomware, data protection)
    • Financial Sustainability & Funding (enrollment, costs, public funding)
    • Talent Management & Human Resources (recruitment, retention, burnout)
    • Campus Safety & Security (crime, active threats, emergency preparedness)
    • Student Mental Health & Well-being (crisis support, service adequacy)
  • Regulatory and Compliance
    • Data Privacy & Security Compliance (FERPA, GDPR, HIPAA, state laws)
    • Title IX & Clery Act Compliance (sex-based discrimination, campus safety reporting)
    • Financial Aid & Grant Compliance (federal/state aid rules, grant management)
    • Accreditation (institutional and programmatic standards)
    • Ethics & Conflict of Interest (research, financial, and institutional integrity)
  • Research
    • Research Funding (grant success, budget reductions, instability)
    • Research Integrity & Misconduct (fabrication, falsification, ethics)
    • Data Management & Security (research data, loss, access, sharing mandates)
    • Personnel & Expertise (talent retention, skills gaps, staff turnover)
    • Compliance with Specific Research Regulations (human/animal subjects, export controls)

Internal Risk Assessment Approach

We held discussions with 129 institutional officials and Regents from 71 units to solicit input on the University’s institutional risks and any specific areas of concern. Areas of increased levels of risk/concern include: purchasing processes; PEAK roles and responsibilities; campus safety; changes to healthcare partnerships; leadership transitions; staffing changes and challenges; cybersecurity; aging buildings and infrastructure; system campus enrollment and financing; changes in government regulations; intercollegiate athletics finances and environment changes; budget and personnel reductions; and the rise of online learning and use of artificial intelligence.

We also reviewed the University Institutional Risk Profile, as updated and presented at the Audit and Compliance Committee in September 2024, as well as Board of Regents meeting agendas for topics of interest at the governance level.

Operational Risk Assessment

Our annual planning process includes re-examining the University’s “audit universe” to ensure that all University activities are considered when determining how audit resources can best be allocated. We also consider new regulatory developments, new business processes, and institutional priorities and strategic initiatives.

OIA continues to utilize a formalized risk assessment methodology in selecting processes and units for inclusion in the annual audit plan. Relative risk assessment is necessary to provide a basis for the optimal deployment of our limited resources across the institution. The risk factors considered in prioritizing institutional activities include:

  • Impact on the University’s mission
  • Impact on University finances
  • Assessment of the activity’s control environment
  • Level of compliance concerns
  • Impact of information technology
  • Complexity and/or diversity of the activity
  • Changes in the organization or leadership
  • Impact on the University’s operations
  • Brand and reputational risk

Our operational risk assessment resulted in a risk ranking of 175 individual auditable units, of which we consider 24 to be high-risk, 115 moderate-risk, and 36 low-risk. A rating of “high-risk” does not necessarily mean that the activity is perceived to have control problems, but rather reflects the inherent risk associated with the criticality and/or centrality of the unit to the University’s mission.

Overall Risk Focus and Impact on the FY 2026 Audit Plan

Our proposed internal audit plan for Fiscal Year 2026 includes coverage of key risks and areas of interest including: campus safety, enrollment and finances, information security and data management, athletics, system campuses, healthcare, and impacts of changes in administrative operations and staffing on units. Selected academic units and operational areas are also included in the plan to maintain reasonable cycles of audit coverage.

In selecting areas for audit coverage, we were mindful of the risks included in the Institutional Risk Profile as presented to the Audit & Compliance Committee in September 2024. In prior years, we have been attentive to the goals laid out in the MPact 2025 Strategic Plan. For Fiscal Year 2026, we will continue to incorporate future strategic plans’ objectives into our work and will highlight how units and processes align with the updated University strategic plan once finalized.