Return to: Audits : U of M Home
Gold University of Minnesota M. Skip to main content.University of Minnesota. Home page.
One Stop | Directories | Search U of M 
 

What's inside.

Audit Hotline

Contact Us

Job Openings

Audit Department Charter

Audit Committee

 

 
 Audit Process

Audit Plan

Audit Results

Control Assessments

Risk Profiles/Heat Maps

Most Common Findings & Recommendations

Staff Qualifications

Staff Materials

Links

 
 

Search the Office of Internal Audit website

 
 

Office of Internal Audit Home
 
  Home > Audit Plan> IS Audit Plan

2009- 2010 AUDIT PLAN
ALLOCATION OF AUDIT RESOURCES

The audit plan is based on a planned staffing complement of 14.6 FTE professionals, down from 16.6 in FY2009. This results in 2,600 fewer hours available for internal audit work.

Approximately 57% of the Office of Internal Audit’s resources are committed to the completion of planned audit projects.  The annual audit plan is designed to provide appropriate coverage utilizing a variety of audit methodologies: audits of individual units, functional and process audits, University-wide reviews, and information system projects.

In selecting specific units/functions for inclusion in the audit plan we placed priority on providing coverage of high-risk units/processes, and areas of interest to University administrative and Board leadership.  In the selection process we also aligned our audit plan with our overall risk assessment as well as with the major organizational components of the University.  

In addition to risk-based audits we have also included University-wide reviews of selected business processes, which are an effective and efficient means for extending audit coverage to a broad spectrum of units, including those of moderate/ low risk.

This year 10% of those resources will be needed to complete a higher than average amount of carry over work from our FY 2009 audit plan.  Eight audit projects are currently in process and need to be completed.   While the amount of carry over work exceeds what we normally expect, our approach to the FY 2009 internal audit plan (which delayed the commencement of audit work for 90 days to accommodate the transition to EFS) had the effect of “back-loading” our work effort.  We also have experienced delays in obtaining information and access to personnel within departments as staffing levels have been reduced.

The remainder of our FY 2010 audit resources are reserved as follows:

  • 10% has been reserved to accommodate requests from the President, the Board, or executive committee members.  This has been supported by the Audit Committee.  The actual hours reserved for these requests is slightly lower (by 200 hours) than that of previous years.
  • 6% has been reserved for investigations.  The number of hours remains unchanged from previous years.
  • 6% has been reserved for follow-up procedures performed on behalf of the Audit Committee.  Both the actual hours and resulting percentage are slightly higher (by 350 hours and 2%, respectively than that of previous years).
  • 21% has been set aside for internal administrative functions, including our continuous improvement efforts.   

FY 2010 PLANNED ALLOCATION OF AUDIT RESOURCES

6

FY 2009- 2010 AUDIT PLAN

Taking into consideration the risks identified externally as well as internally, and balancing all of the above with our available resources, the audit plan recommended for FY 2010 includes 22 audits which will provide audit coverage of:

  • Two high-risk cost pools
  • Four central high-risk units/processes within the Chief Financial Officer’s portfolio
  • One high-risk technology management process
  • One high risk information system replacement
  • One high-risk unit within the President’s Office
  • Seven moderate-risk functional units; three of which involve high-risk collegiate units
  • Four audits of coordinate campus activities including two campuses (one moderate-risk and one low-risk) and two audits on the UMD campus
  • One low-risk unit
  • A system-wide review of the University’s performance appraisal process 

The audits selected for inclusion in the FY 2010 audit plan also provide significant coverage of critical activities:

  • 28% of the plan is devoted to information technology risks.
  • Nineteen audits will include a technology component.
  • Seven audits will include evaluations of service quality and productivity.
  • Eight audits will include evaluations of central services.
  • Nine audits will include evaluations of research activities.
  • Six audits will include a component on gift activities in accordance with the Memorandum of Understanding between the University and the University foundations.

By the end of FY 2010, we will have provided audit coverage of 17 of the 21 high risk units.  The FY 2010 plan continues to provide well-balanced coverage across the University.  The following chart shows the distribution of audit coverage by University component for FY 2010.

FY 2010 AUDIT COVERAGE BY UNIVERSITY COMPONENTS

3

As compared to prior years, Finance is receiving a significantly greater percentage of audit resources. This is consistent with the strategy we have followed for the last several years when we provided audit coverage of all the University’s major business processes in the years preceding the implementation of EFS.  Last year we focused our attention on academic units to enable the central financial staff to focus on acclimating to EFS and fine-tuning their centralized business processes.  The centralized financial units are now at the end of their three-year audit cycles, thus warranting audit attention.  The audit resources allocated to the Academic Health Center have decreased from 25% in FY 2009 to 10% in 2010.  We also do not have any audits planned for Research Administration units, although audits of sponsored projects will still be conducted during collegiate audits and an audit of sponsored project financial reporting is included in the FY 2010 audit plan.  This audit, in addition to other advisory services we are involved in, will enable us to evaluate the processes put in place to comply with ARRA reporting requirements.  Very limited audit work will be conducted within University Services in this plan; all of its major units, however, have had recent audit coverage. 

ANALYSIS OF AUDIT COVERAGE 

By the end of the four-year period through FY 2010, we will have completed audits of:

  • 17 of the 21 high-risk units on a three-year cycle.  Three of these high-risk units has been reviewed more than once in these four years.
  • 53 of the 101 moderate-risk units, as well as 24 of the 66 low-risk units.  Of those, 33 units in the moderate risk category and 15 of the low risk units have also had some review through a University-wide audit.
  • University-wide reviews of effort reporting, sub-award contracting and purchasing processes.

We will be out of cycle on four high risk auditable units:

  • Payroll - which does receive ongoing coverage in departmental/collegiate audits
  • Treasury Accounting & Internal/External Sales
  • Accounting Services – which receives regular coverage by LarsonAllen in the annual financial statement audit
  • Medical School Administration – we are uncertain what this auditable unit will be comprised of and are waiting for greater delineation to occur as the AHC/Medical School reorganization rolls out.

Accounting Services and Treasury Accounting were previously audited as part of the Controller’s Office audit.  In breaking out the Controller’s Office’s activities into separate auditable units, all of the units are cycling at the same time.   With audits of central financial functions consuming 20% of our resources, it seemed prudent to delay these two audits until FY 2011.
            

The following charts illustrate our coverage of University activities based on risk levels, as well as the coverage we have provided through University-wide reviews.

AUDIT COVERAGE THROUGH RISK BASED AUDITS

2

Of the 188 auditable units, 28 units have not had audit coverage since prior to FY 2000.  Fourteen of the 28 units are in the moderate-risk category, while the remaining units are considered low-risk units. 

AUDIT COVERAGE THROUGH RISK BASED AND U-WIDE REVIEWS

1

Of the 28 units which have not had audit coverage since prior to FY 2000, five did receive some coverage as part of University-wide process reviews in the past three years. 

FY 2009-2010 RESULTS

To date for FY 2009, we issued 23 audit reports which were the result of planned reviews and requests from management
(See Appendix B).

In addition,

  • Two audits are in the final stages of completion and reports will be issued in the next two months.
  • Eight audits are currently in the planning or fieldwork stages and will be completed in FY 2010.
  • Nine audits were either deferred to FY 2010 or not completed. Explanations for these adjustments to the audit plan are included on Appendix B.

During the past fiscal year we completed and closed out four investigations from FY 2008 and also conducted 18 new investigations in response to allegations of financial or operational misconduct, eleven of which have been closed out.  Where appropriate, we have partnered with the University Police or the Office of the General Counsel to complete these reviews.  Three of the investigations have been referred to the University of Minnesota Police for possible prosecution.

In the FY 2009 Audit Plan, approximately 24% of our resources had been allocated for administrative functions.  However, the actual time spent was approximately 41%.  Of the 17% difference, 9% was devoted to updating audit programs and processes to accommodate the EFS system, investigating opportunities to further automate our audit tools, and continuous improvement opportunities.  Another 6% was devoted to our external peer review. 

COMPARSION OF AUDIT RESOURCES FOR FY 2009 AND FY 2010

Percent of Available Time

5

COORDINATION WITH EXTERNAL AUDITORS 

The Office of Internal Audit continues to coordinate its audit plan with LarsonAllen, LLP to ensure appropriate coverage is achieved through the internal and external audit plans and to leverage the collective efforts of both organizations. The Office of Internal Audit meets the professional standards required by LarsonAllen to place reliance on internal audit work.  

COORDINATION WITH OTHER INTERNAL RESOURCES

The Office of Internal Audit coordinates its work with other internal units to maximize the quality of audit coverage provided as well as to promote prompt attention when University-wide trends are identified.  We have established strong working relationships with the University’s Compliance Officer, the Office of Research Integrity, the Office of Oversight, Analysis and Reporting, the Office of Regulatory Affairs, the Institutional Review Board, and the Department of Environmental Health and Safety, each of which work closely with us during audits involving complex regulatory issues.

The Office of Internal Audit interfaces regularly with the Institutional Compliance Officer and we serve on the Executive Compliance Oversight Committee and the Research Compliance Committee.  Input from the Compliance Officer is solicited during our annual audit planning.  In addition, throughout the year we report to and collaborate with the Compliance Officer on issues identified during our audits.  We also share the results of employee surveys with the Compliance Officer.  During fiscal year 2009, a total of 905 surveys were sent out as part of our audit process, with a 57% response rate.  Along with the Institutional Compliance Office, we serve as a triage office for managing U Report, the University’s confidential reporting line. 


Audit results are also shared with central support units such as Office of Information Technology, Sponsored Project Administration, Payroll, Purchasing, Training Services, and Human Resources, when policy non-compliance or when the need for process enhancements are identified.  Best practices identified in local unit audits are also shared with these central unit process owners for consideration of broader adoption.  This year we have worked extensively with the Office of Information Technology and collegiate IT Directors to identify actions and tools that can be immediately leveraged to resolve or prevent common control issues identified in internal audits. The CIO and the collegiate IT Directors chartered separate working groups to work on 1) disaster recovery preparation, 2) security, 3) code change management, and 4) IT risk assessment.  The groups have produced specific deliverables that collegiate and functional units have found to be very useful in quickly and successfully resolving outstanding audit findings.

STAFF DEVELOPMENT AND QUALIFICATIONS

The Office of Internal Audit is committed to providing educational opportunities to our staff in order to enhance our audit knowledge and abilities and to achieve our professional best. Ever-changing government regulations, new technologies, and new developments in auditing principles and methods dramatically affect not only what we audit, but also how we audit. We constantly strive to stay abreast of new developments and improve our audit proficiency in order to enhance the overall quality of our audits. To accomplish this, we pursued a variety of methods to continue our staff's professional education.

Our departmental memberships with the Institute of Internal Auditors (IIA), the Association of College and University Auditors (ACUA), the Association of Certified Fraud Examiners (ACFE), the American Institute of Certified Public Accountants (AICPA), and the Information Systems Audit and Control Association (ISACA) provided staff members the opportunity to attend seminars and conferences that specifically address current issues and techniques in internal auditing. The interaction of our staff members with their peers through these professional organizations helps to keep us up‑to‑date on the latest auditing trends and issues affecting higher education.

Of the current fifteen professional staff: 

  • twelve have professional certifications of Certified Internal Auditors, Certified Public Accountants, Certified Information Systems Auditors, and Certified Fraud Examiners;
  • five have Master of Business Administration degrees;
  • one has a Master of Arts- Economics degree;
  • one is pursuing a Master of Public Policy degree; and
  • two are pursuing professional certifications.

In FY 2009, the Office of Internal Audit provided 1,844 hours of training (an average of 123 hours for each employee).  These hours do not include the time associated with completing evening coursework funded by the University’s Regents Scholarship Program.  A significant amount of time was devoted to training on the EFS system.

Our information systems auditors developed and provided a curriculum for information systems auditing to the remainder of the audit staff to increase our overall skills in this important and fairly technical area.  The staff of Hennepin County’s audit function participated in this training at our invitation.

We continue to hold monthly Brown Bag lunch meetings at which University leaders are invited to speak with the audit staff.

For FY 2010, 810 hours have been budgeted for staff training, an average of 55 hours per employee. 

A member of the audit staff is participating in a review of the audit function at the City of Minneapolis being conducted at the request of the City Administrator and the Board of Estimation and Taxation.
STAFFING

During FY 2009 two of our managers retired under the Retirement Incentive Option.  Each of these individuals had over 35 years of experience in the Office of Internal Audit.  We replaced one of the positions through internal promotion.  Another Senior Auditor left the University mid-year and has not been replaced.  Keeping these two positions open enabled us to accommodate the reduction in our budget for this fiscal year. 

We continue to receive appropriate financial and organizational support from the administration. 

QUALITY ASSURANCE REVIEW

As required by the International Standards for the Professional Practice of Internal Audit we underwent an independent external quality assurance review in March 2009.  The review determined that 1) the practices of the Office of Internal Audit fully comply in all respects to the Standards, and 2) University Management and the Board of Regents can appropriately rely on the assurance provided by the work performed by the Office of Internal Audit.

 
APPENDIX   A

4

 

APPENDIX B 


7

 

Jump to: [Audit Plan]
 
©2006 Regents of the University of Minnesota. All rights reserved. Trouble seeing the text? | Contact U of M | Privacy
The University of Minnesota is an equal opportunity educator and employer.  Last modified on September 1, 2009
5