PURPOSE
OF THE ANNUAL PLAN
The annual internal audit plan is intended to demonstrate:
- the breadth and depth of audit activities addressing financial, operational and compliance risks of the University;
- accountability for our resources; and
- the progress in our efforts to continually improve the University's Internal Audit program.
It is our intent to convey a current sense of the University's internal control environment and the extent to which controls are being assessed by regular audit activities, addressed proactively through advisory services, or investigated as a result of issues raised.
DEVELOPMENT OF THE ANNUAL PLAN
The development of the annual audit plan is based on information gathered through broad consultation across the University and a formal assessment of existing and emerging risks.
External Risk Assessment
To aid in our planning efforts we participate in annual risk assessment surveys with Big 10 institutions and large research universities (See Appendix B). Of the current identified risks, we assessed the following to be most relevant to our institution:
- Information technology and data security
- Declining sponsored funding
- Sponsored account management, particularly the federal regulatory areas of concern regarding effort certification and cost transfers.
- Ethics, corporate/non-profit /Sarbanes-Oxley
- Conflicts of interest (both personal and institutional), and conflict of commitment
- Health Insurance Portability and Accountability Act (HIPAA), and more specifically the security of personal health information
- Athletics
- Expansion of international activities and export controls
Internal Risk Assessment
As part of the planning process, discussions were held with 54 institutional officials to solicit input on areas of concern and obtain feedback on the appropriateness of the proposed audit plan. We also used these meetings as an opportunity to obtain feedback on the quality of audit services we provide. In addition to those noted above, risks specific to the University of Minnesota at this time were noted as:
- Implementation of the Enterprise Financial System (EFS). Over the next 12-18 months there will be significant changes in financial process workflows, redefinition of employee job responsibilities, introduction of new organizational models, and a significant investment of time in employee training, in addition to the operational impacts associated with becoming acclimated to working with the new system.
- Competition for resources resulting from the EFS project as it moves towards final implementation.
- Acclimation to the financial management implications of the new budget model which includes an increasing number of colleges with structural deficits.
- Changes in key leadership positions.
- An increasing interest in expanding international activities.
Overall Risk Assessment
Our annual planning process also includes reconsideration of the audit universe as new activities and programs are identified, together with changes in the existing organization. In addition to the changes within the operating units, we also consider changes in the overall environment within which the University exists. These environmental changes include such circumstances as new regulatory developments, new business processes, and new institutional priorities and strategic initiatives.
The Office of Internal Audit continues to utilize a formalized risk assessment methodology in selecting units for inclusion in the annual audit plan. Relative risk assessment is necessary to provide a basis for the rational deployment of our limited resources across the institution. The risk factors considered in our assessment include:
- Impact of unit/process on other University activities
|
- Organizational change/turnover in key personnel
|
- Significant system development or process change
|
- Known or perceived control concerns
|
- Regulatory compliance issues
|
|
Based on the outcome of this assessment, the 145 individual auditable units are categorized as high, above average, or moderate/low risk. A rating as a “high-risk unit” does not mean that the unit is perceived to have control problems, but rather reflects the criticality or centrality of the unit to the University’s mission.
We have a commitment to the Board of Regents Audit Committee to provide audit coverage of high-risk activities on at least a three-year cycle, and we align our audit plans with the Audit Committee’s Institutional Risk Profile.
Taking into consideration all of the information gathered during our planning process we identified the Enterprise Financial System, Information Technology, and the new merged colleges as the risks most warranting audit coverage in the upcoming year.
|