Index

Audit Home Page

U of M Home Page

---

DEVELOPMENT OF THE ANNUAL WORK PLAN

The annual audit plan for 2000-2001 incorporates the principles of the Integrated Framework of Internal Control, as it:

• focuses on high risk activities, maintaining a three year audit cycle for these units,
• includes coverage of activities and strategic initiatives which have a significant impact on the University’s overall mission,
• provides proactive coverage of emerging areas of risk/opportunities,
• provides a comprehensive program of audit coverage of information systems risks at both the departmental and central level,
• provides a comprehensive program of audit coverage of regulatory compliance risks, and
• provides appropriate audit attention to projects and areas which have significant financial impact/risk.

In addition the plan allows for audit cycles not exceeding eight years for all University units and also reserves a portion of available audit resources to address management concerns and special requests.

The development of the annual audit plan is based on information gathered through broad consultation across the University, and a formal assessment of existing and emerging risks. As part of the planning process, discussions were held with 42 institutional officials to solicit input on areas of concern and obtain feedback on the appropriateness of the proposed audit plan. We also used these meetings as an opportunity to discuss the quality of audit services provided by the department.

Risk Assessment

The Department of Audits utilizes a formalized risk assessment methodology in selecting units for inclusion in the annual audit plan. This assessment measures a unit’s overall risk relative to other University units. The risk factors considered in the Department’s assessment include:

• Level of sponsored and non-sponsored revenues and expenditures
• Impact of unit/process on other University activities
• Significant system development or process change
• Regulatory compliance issues
• Pending or potential litigation issues
• Organizational change/turnover
• Known or perceived control concerns
• Audit history

Based on the outcome of this assessment, individual units are categorized into one of four risk levels: high, above average, moderate, or low risk. A rating as a "high risk unit" does not necessarily mean that the unit is perceived to have control problems, but rather is a reflection of the criticality or impact of the unit to the University’s mission.

The audit population was revised and updated this year to reflect changes in our audit approach as well as reorganizations within the University. This has resulted in:

• a decrease in the total number of auditable units, and
• an increase in high risk units.

Audit Cycles

The Department of Audits strives to provide audit coverage of units on regular cycles based on its risk assessments:

• High risk units are planned to receive audit coverage every three years
• Above average risk units are planned to receive audit coverage every four years
• Moderate risk units are planned to receive audit coverage every six years
• Low risk units are planned to receive audit coverage every eight years.

While the cycles for moderate and low risk units have been extended from five and six years to six and eight years, respectively, we believe the planned cycles are still reasonable. We also continue to look for ways to provide audit coverage for these lower risk units through University-wide reviews.

Emerging Areas of Risk

In addition to completing the unit based risk assessment, the Department of Audits also considers changes or contemporary issues facing the University for potential impact on the institution’s risk profile. The FY2001 Audit Plan allocates 14% of departmental resources for responding to emerging issues such as new systems development, construction, and grants management oversight.

We are also monitoring developments in areas such as E-Commerce to identify if audit coverage is warranted.

2000-2001 AUDIT PLAN

Cycled Audit Coverage: The audit plan will provide audit coverage of 31 University units:

• 7 high risk units
• 14 above average risk units
• 8 moderate risk units
• 2 low risk units

Our program of cycled audits also ensures continued coverage of high risk operating areas such as Athletics, the administrative restructured functions of the Medical School, and areas of special interest to the Administration.

Information Systems Audits: To continue the program of audit coverage of information systems risks, the 2000-2001 plan contains audits of:

• The Enterprise project, including evaluation of key system enhancements planned for the year, data integrity testing, and work flow changes,
• The Library replacement project,
• The replacement of the telecommunication PBX,
• Disaster recovery planning, and
• Strategic Planning.

The Department of Audits continues to coordinate its audit plan with Deloitte and Touche, LLP to ensure appropriate coverage is achieved through the internal and external audit plans, and to leverage the collective efforts of both organizations. The Department of Audits meets the professional standards required by Deloitte and Touche to place reliance on internal audit work. This, along with the composition of our audit plan, enables the external auditors to utilize a significant amount of internal audit work in completing the annual financial statement and A-133 audits.

RESOURCE ALLOCATION

The Department of Audits allocates approximately 70% of its resources to the completion of the annual work plan. Because of their significance, coverage of contemporary and emerging risks comprises 14% of these resources. The remaining resources are allocated to: investigations (10%), special projects and internal control advisory services (8%), follow up on outstanding audit recommendations on behalf of the Audit Committee (2%), and internal administrative activities (11%).

In March 2000, the policy "Dealing with Allegations of Financial and Operational Misconduct" became effective. The Department of Audits has significant responsibilities under this policy for responding to and investigating reported allegations, including maintenance of a reporting "hot line". Since the release of the policy, the number of allegations received has notably increased. We are, as yet, unsure if this increase will be sustained or is a temporary aberration caused by the new policy. Consequently, resources allocated for investigations remain at 10%.

The graph below illustrates the allocation of resources for the 2000-2001 annual plan as compared to the planned and actual use of resources in 1999-2000. The University’s Administration continues to provide the financial support needed to carry out a responsible level of audit coverage.

APPLICATION OF AUDIT RESOURCES

AUDIT COVERAGE BASED ON RISK PROJECTS

The chart above details our coverage of University activities based on risk levels. While the chart indicates that by the end of the four year period through fiscal year 2001 we will have completed audits of 18 high risk units, it should be noted that 5 of the 18 units will have received coverage more than once in four years. Included in the 18 are also 2 units which will be provided audit coverage in fiscal year 2001 as part of the review of the new systems development related to the implementation of PeopleSoft.

STAFF QUALIFICATIONS

The Department of Audits is committed to maintaining a diverse staff who collectively hold professional certifications, have advanced degrees and/or specialized fields of auditing. Of the current eighteen professional staff:

• Twelve have professional certifications;
• Three have Master of Business Administration degrees;
• Four are pursuing certifications/additional certifications; and
• One is pursuing a Master of Business Administration degree.

During this year one of the senior staff acquired a Certification for Fraud Examiners. This adds considerable value in our investigative audits.

SERVICE QUALITY

We continue to look for opportunities to communicate results of audit activities more effectively. For example, in response to interest expressed by the Audit Committee, we have begun providing charts illustrating the progress made by units in taking corrective action on audit recommendations.