PURPOSE OF THE ANNUAL PLAN
The annual internal audit plan is intended to demonstrate:
- the breadth and depth of audit activities addressing financial, operational and compliance risks of the University;
- accountability for our resources; and
- the progress in our efforts to continually improve the University's Internal Audit program.
It is our intent to convey a current sense of the University's internal control environment and the extent to which controls are being assessed by regular audit activities, addressed proactively through advisory services, or investigated as a result of issues raised.
DEVELOPMENT OF THE ANNUAL PLAN
The development of the annual audit plan is based on information gathered through broad consultation across the University and a formal assessment of existing and emerging risks.
External Risk Assessment
To aid in our planning efforts, we surveyed other Big 10 institutions regarding the assessment of risks within their institutions. While numerous risks were identified, many of which do impact the University of Minnesota and will be considered as audit work is carried out, none of the risks was of sufficient magnitude to influence our overall planning effort.
Internal Risk Assessment
As part of the planning process, discussions were held with 72 institutional officials from 43 units to solicit input on our institutional risks and any specific areas of concern. We also used these meetings as an opportunity to obtain feedback on the quality of audit services we provide. There was near unanimity on the risks of greatest concern over the next year:
- Senior leadership transitions.
- Effect of recent and anticipated future budget cuts, the hiring pause and overall staff reductions, and the current budget model on the University’s strategic initiatives and its day-to-day operations and activities.
We again solicited the opinions of the committee chairs of the Board of Regents as to their views from a governance perspective of the University’s institutional risks. These risks mirrored those of the institutional offices: 1) leadership transitions, especially those of the President and the Senior Vice President of the Academic Health Center, and 2) the financial future of the University, including the impact of declining state support, the need for long-range financial planning, and the downstream cost impacts of the operations and programming associated with new buildings.
Operational Risk Assessment
Finally, our annual planning process includes re-examining the audit universe to identify new as well as discontinued activities and programs due to other changes in the existing organization. In addition to the changes within the operating units, we also consider changes in the overall environment within which the University exists. These environmental changes include such circumstances as new regulatory developments, new business processes, and new institutional priorities and strategic initiatives.
The Office of Internal Audit continues to utilize a formalized risk assessment methodology in selecting units/processes/activities for inclusion in the annual audit plan. Relative risk assessment is necessary to provide a basis for the rational deployment of our limited resources across the institution. The risk factors considered remain unchanged from 2010 and include:
- Known or perceived control concerns
- Impact of unit on UM mission
- Impact of information technology
- Regulatory compliance issues
- Organizational change/turnover in key personnel
- Complexity/diversity of operations
- Audit history
Based on the outcome of this assessment, the 187 individual auditable units are categorized as high, moderate, or low risk. A rating as a “high-risk unit” does not mean that the unit is perceived to have control problems, but rather reflects the criticality or centrality of the unit to the University’s mission.
We have a commitment to the Board of Regents Audit Committee to provide audit coverage of high-risk activities on at least a three-year cycle, and we align our audit plans with the Audit Committee’s Institutional Risk Profile (see Appendix A). Because of the way we have structured our auditable units, several large schools within the University (Medical School, College of Science and Engineering, College of Food, Agricultural and Natural Resource Sciences, College of Liberal Arts) have been broken down into a number of smaller auditable units. These schools, if considered in their entirety, would be placed in the “high risk” category; however, the component units are now considered to be moderate or low risk. Our intent and plan is to audit units within each of these colleges each year to ensure ongoing coverage, but we will not be able to audit them in their entirety during a three-year period.
OVERALL RISK ASSESSMENT
Taking into account the information we obtained in our risk assessment process, it is very clear that leadership transitions and the University’s financial future are “top of mind” across the University. We have included audits in the 2011 audit plan which specifically address both of these risk areas and will take these risk factors into consideration when completing other audit work.