Internal Audit Annual Plan Year 2015
The annual internal audit plan is intended to demonstrate:
- the breadth and depth of audit activities addressing financial, operational, compliance, strategic, and reputational risks of the University;
- accountability for our resources; and
- the progress in our efforts to continually improve the University's Internal Audit program.
It is our intent to convey a current sense of the University's internal control environment and the extent to which institutional risk mitigation is being assessed by regular audit activities, addressed proactively through advisory services, or investigated as a result of issues raised.
The development of the annual audit plan is based on information gathered through broad consultation across the University and a formal assessment of existing and emerging risks. We also do a scan to identify areas of emphasis at relevant federal agencies and use a survey of other research universities regarding the assessment of risks within their institutions.
Internal Risk Assessment
As part of the planning process, we held risk discussions with the Chairs and Vice Chairs of the Board of Regents committees to identify risks of concern at the governance level for audit consideration. The risks most often identified in these discussions were:
- Enrollment management and related financial implications
- Public relations and communications and the distraction of negative media coverage
- All things Academic Health Center: the stature and funding of the Medical School, the relationship with Fairview Health Services and University of Minnesota Physicians and the Integrated Structure, the Ambulatory Care Center, the impact of the Afffordable Care Act, and the success of its new leadership.
We also held discussions with 84 institutional officials from 39 units to solicit input on the University’s institutional risks and any specific areas of concern. These discussions with University leadership did not identify any persistent areas of risk determined to be of concern. It is particularly noteworthy that there were no concerns raised about the potential success of the Enterprise System Upgrade Project. While many acknowledged that there were still many unanswered questions and potential implications, all expressed confidence that the Upgrade would be successful. Several of the academic leaders interviewed emphasized the importance of meeting their enrollment targets to the college’s financial stability. All stated that they are actively working to manage this risk. Finally, there is building curiosity, and optimism, about the Strategic Plan and how it will be advanced throughout the University.
External Risk Assessment/Scan of the National Landscape of Higher Education
Regulatory Agencies: In December 2013, the U.S. Office of Management and Budget issued comprehensive grant reform rules titled “Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards.” The new document consolidates the requirements that were previously addressed in eight separate OMB Circulars into a new "super circular." The super circular, which goes into effect December 2014, includes many changes to existing federal requirements as well as establishes new requirements. Developing plans for its implementation is currently a major focus of our largest federal funding agencies.
Research Universities: Our survey of universities identified three broad areas of concerns. First, is President Obama’s college rating system that is being developed by the Department of Education. Ratings are to be available before the 2015 academic year, but what will be considered in the ratings, and the information that they will be based on, is still ill-defined. Second, universities with Division 1 athletics are concerned about the potential for athlete unionization and/or the provision of stipends for athletes. Lastly, information security and data privacy continue to be “top of mind” for many university audit committees. Universities with academic health centers and/or hospitals are still closely monitoring the impact of the Affordable Care Act and the changing health care market.
Operational Risk Assessment
Finally, our annual planning process includes re-examining the audit universe to ensure that all university activities are considered when determining how audit resources will be allocated. We also consider new regulatory developments, new business processes, and institutional priorities and strategic initiatives.
The Office of Internal Audit continues to utilize a formalized risk assessment methodology in selecting processes/units/systems for inclusion in the annual audit plan. Relative risk assessment is necessary to provide a basis for the rational deployment of our limited resources across the institution. The risk factors that we considered in prioritizing institutional activities are:
- Impact on the University’s mission
- Impact on University finances
- Assessment of the activity’s control environment
- Level of compliance concerns
- Impact of information technology
- Complexity and/or diversity of the activity
- Changes in the organization or leadership
Our operational risk assessment resulted in a risk ranking of 177 individual auditable activities, of which 19 are considered to be high risk, 103 moderate risk, and 55 low risk. A rating of “high-risk” does not mean that the activity is perceived to have control problems, but rather reflects the criticality or centrality of the activity to the University’s mission.Back to top
Interestingly, our review of the external and internal risk landscape did not identify any specific risks that warrant focused attention as we allocate our audit resources. We will continue to closely monitor the Enterprise Upgrade Project as it moves towards its February 2015 implementation date. We have provided recent audit coverage of all of the significant University business processes, which allows us focus our attention on unit audits as central units remain deeply involved in the Upgrade rollout. The University administration is also very cognizant of the importance and magnitude of the new OMB Circular and has established a number of task groups to identify its impact on our operations. These impacts will not be “auditable” in FY2015, but internal audit staff are participating on the task groups, which will keep us informed of the changes that will be coming.
The audit plan is based on a planned staffing complement of 15.3 FTE professionals, which is our full complement. We currently have three open positions, but expect to have them all filled in the near future.
Approximately 55% of the Office of Internal Audit’s resources are committed to the completion of planned audit projects. This year 8% of those resources will be needed to complete carry-over work from our FY 2014 audit plan. Four audit projects are currently in process and will be completed in 2015.
The remainder of our FY 2015 audit resources is reserved as follows:
- 10% has been reserved to accommodate requests from the President, the Board, or members of the senior leadership team. This has been supported by the Audit Committee. The number of hours remains consistent from previous years.
- 6% has been reserved for investigations. The number of hours remains consistent from previous years.
- 4% has been reserved for follow-up procedures performed on behalf of the Audit Committee. The number of hours remains consistent from previous years.
- 25% has been set aside for internal administrative functions, including our continuous improvement efforts. This is a 3% increase from our prior budget to accommodate the training that will be required by all staff for the Enterprise Upgrade.