Fiscal Year 2025 Internal Audit Annual Plan
Purpose of the Annual Plan
The annual internal audit plan is intended to convey a current sense of the University's internal control environment and the extent to which institutional risk mitigation is being assessed by regular audit activities, addressed proactively through advisory services, or investigated as a result of reported concerns.
The plan also includes information that demonstrates the Office of Internal Audit's (OIA's) accountability for our resources and our ongoing efforts to continually improve the University's internal audit program.
Development of the FY 2025 Annual Audit Plan
The development of the annual audit plan is based on information gathered through broad consultation across the University and a formal assessment of existing and emerging risks. We also scan relevant federal agencies to identify their areas of emphasis and survey other research universities regarding the assessment of risks within their institutions. Below is a chart that illustrates the approach that was taken in developing the audit plan:
External Risk Assessment/Scan of the National Landscape of Higher Education
Regulatory Agencies: The areas receiving the most attention from federal agencies continue to be research data security, financial reporting misstatements, research compliance, and foreign influence and recruiting.
Research Universities: Our survey of other research universities identified common risk themes, including:
- University Operations & Administration: Cybersecurity & Data Security; Public Safety; Mental Health & Wellbeing; Declining Enrollment & Financial Strains; Technological Innovation & Artificial Intelligence; Workforce Challenges
- Regulatory & Compliance: Research Compliance; Student and Employee Protection; Data Protection & Privacy; Changing Legal & Regulatory Environment; Athletics' Changing Financial & Regulatory Landscape
- Research: Foreign Influence & Security; Management of Grants & Awards; Research Data Security
Internal Risk Assessment Approach
We held discussions with 125 institutional officials and Regents from 57 units to solicit input on the University’s institutional risks and any specific areas of concern. Themes identified include: purchasing processes; PEAK; campus safety; changes to healthcare partnerships; leadership transitions; staffing changes and challenges; cybersecurity; aging infrastructure; system campus enrollment and financing; changes in government regulations; changes in intercollegiate athletics finances and regulations; and the rise of online learning.
We also reviewed the Institutional Risk Profile, as first presented to the Audit and Compliance Committee in September 2023 and in its updated form presented in May 2024, as well as Board of Regents meeting agendas for topics of interest at the governance level.
Operational Risk Assessment
Our annual audit planning process includes re-examining the University’s “audit universe” to ensure that all University activities are considered when determining how audit resources can best be allocated. We also consider new regulatory developments, new business processes, and institutional priorities and strategic initiatives.
The Office of Internal Audit continues to utilize a formalized risk assessment methodology in selecting processes/units for inclusion in the annual audit plan. Relative risk assessment is necessary to provide a basis for the rational deployment of our limited resources across the institution. The risk factors considered in prioritizing institutional activities include:
- Impact on the University’s mission
- Impact on University finances
- Assessment of the activity’s control environment
- Level of compliance concerns
- Impact of information technology
- Complexity and/or diversity of the activity
- Changes in the organization or leadership
- Impact on the University's operations
- Brand and reputational risk
Our operational risk assessment resulted in a risk ranking of 174 individual auditable units, of which 24 we consider to be high-risk, 110 moderate-risk, and 40 low-risk. A rating of “high-risk” does not mean that the activity is perceived to have control problems, but rather reflects the inherent risk associated with the criticality and/or centrality of the unit to the University's mission.
Key themes identified: healthcare partnerships; enrollment & finances; staffing (leadership turnover, hiring and workforce challenges); information security & data management; campus safety; administrative operations and changes.
Overall Risk Focus and Impact on the FY 2025 Audit Plan
Our proposed internal audit plan for FY 2025 includes coverage of key risks and areas of interest including: enrollment and finances, information security and data management, athletics, system campuses, and impacts of changes in administrative operations and staffing on units. Selected academic units and operational areas are also included in the plan to maintain reasonable cycles of audit coverage. In addition, other audit work will be performed to address risks associated with senior leader transitions, healthcare partnerships, or other areas as the needs arise.
In selecting areas for audit coverage, we were mindful of the risks included in the Institutional Risk Profile as presented to the Audit & Compliance Committee in May 2024 as well as the goals laid out in the MPact 2025 strategic plan. As applicable, we continue to blend MPact 2025's goals, and future strategic plans' objectives, into our work and highlight how units and processes align with University strategic plans in our audit reporting.