Internal Audit Annual Plan 2013-2014
The annual internal audit plan is intended to demonstrate:
- the breadth and depth of audit activities addressing financial, operational, compliance, and strategic risks of the University;
- accountability for our resources; and
- the progress in our efforts to continually improve the University's Internal Audit program.
It is our intent to convey a current sense of the University's internal control environment and the extent to which institutional risk mitigation is being assessed by regular audit activities, addressed proactively through advisory services, or investigated as a result of issues raised.Back to top
- The development of the annual audit plan is based on information gathered through broad consultation across the University and a formal assessment of existing and emerging risks. We also do a scan to identify areas of emphasis at relevant federal agencies and use a survey of other research universities regarding the assessment of risks within their institutions.
Internal Risk Assessment
As part of the planning process, we held risk discussions with the Chairs and Vice Chairs of the Board of Regents committees, along with the Chair of the Board to identify risks of concern at the governance level for audit consideration. The risks most often identified in these discussions were:
- Protection of the University’s reputation
- The “integrated structure” with Fairview and University of Minnesota Physicians and the success of our academic health programs
- Human resources management practices and their impact on the University’s culture
- The need to responsibly manage administrative costs
- Increasing external reporting demands and the associated administrative costs
We also held discussions with 70 institutional officials from 36 units to solicit input on the University’s institutional risks and any specific areas of concern. We also used these meetings as an opportunity to obtain feedback on the quality of audit services we provide. Common themes expressed in these discussions this year were:
- The Enterprise Systems Upgrade Project; most specifically the impact on units when personnel are provided to work on the project
- The integrity of our Human Resources data
- The need for better mechanisms to produce accurate and reliable reporting of unit and institutional data
There were very few concerns expressed related to unit/collegiate finances; or the impact of the federal funding levels or the sequestration.
External Risk Assessment/Scan of the National Landscape of Higher Education
Regulatory Agencies: Based on federal agency audit plans, the regulatory focus for 2013-2014 is on the “usual suspects” of federal funding compliance: cost allowance, cost sharing, adherence to salary caps, etc. While not expected to be finalized for at least another year, the primary regulatory spotlight is on the OMB’s proposal to consolidate several of its regulations (e.g., A-133, A-21, etc.) into one document. There are a number of changes being proposed in the consolidation, some of which may have a significant impact (both positive and negative) on the University.
Research Universities: Reputational risk was again the most often cited highest risk for public research universities. Unlike last year when this risk was described in terms of ethical lapses, this year it was in the context of the public’s perception of value. Not surprisingly, reining in administrative costs, responding to the pressure to stem rising tuition costs, and declining state and federal support were also commonly cited. Cyber security and data privacy continue to remain as risks of concern, as does technology - both as a strategic enabler and a major cost driver. For universities with academic health centers and/or hospitals, the impact of the Affordable Care Act and the changing health care market is receiving heightened attention. Campus safety was also frequently mentioned.
Operational Risk Assessment
Finally, our annual planning process includes re-examining the audit universe to ensure that all university activities are considered when determining how audit resources will be allocated. We also consider new regulatory developments, new business processes, and institutional priorities and strategic initiatives.
The Office of Internal Audit continues to utilize a formalized risk assessment methodology in selecting processes/units/systems for inclusion in the annual audit plan. Relative risk assessment is necessary to provide a basis for the rational deployment of our limited resources across the institution. The risk factors that we considered in prioritizing institutional activities are:
- Impact on the University’s mission
- Impact on University finances
- Assessment of the activity’s control environment
- Level of compliance concerns
- Impact of information technology
- Complexity and/or diversity of the activity
- Changes in the organization or leadership
Our operational risk assessment resulted in a risk ranking of 163 individual auditable activities of which 23 are considered to be high risk, 95 moderate risk, and 45 low risk. A rating of “high-risk” does not mean that the activity is perceived to have control problems, but rather reflects the criticality or centrality of the activity to the University’s mission.Back to top
Taking into account the information we obtained in our risk assessment process, the University’s focus on upgrading its major administrative systems, recent audit coverage of significant institutional processes, the continued acclimation of new institutional leadership, and the amount of change that is occurring within the University, we believe that a “back to the basics” audit plan is most appropriate for FY 2014. The 2014 plan provides an approximately equal percentage of process and unit-based audits. In the past two years we have provided audit coverage over the majority of the University’s significant processes; the 2014 audit plan provides coverage of the major ones remaining. Audits of fundamental information technology functions are also included to reaffirm that continued reliance can be placed on the controls that they are intended to provide. As we have done over the past two years, audit coverage is planned for selected human resources processes. The plan reserves time to provide audit coverage related to the University/Fairview/University of Minnesota Physicians Integrated Structure. The timing and construct of what audit coverage should be provided is as yet undetermined. Time has also been allocated to provide coverage for the Enterprise Systems Upgrade Project (ESUP). We have developed an audit approach which places reliance on the quality assurance reviews conducted by the project’s external implementation partner and are coordinating our work to avoid duplication. Audit coverage will be provided for significant aspects of the project which are not covered by the quality assurance efforts.
Finally, we believe the audit plan will again need to be flexible to be responsive to emerging needs that require audit attention.
The audit plan is based on a planned staffing complement of 15.4 FTE professionals. Because of recent turnover, the current plan, as proposed, exceeds our resource availability. Over the last year we have hired three entry-level auditors. Considering the training and supervision needed to develop these individuals into fully productive auditors, we have decided to defer hiring to fill this most recently vacated position until our recent hires are more self-sufficient. This deferral may result in our inability to complete all of the audits included in the plan. Audits of higher risk areas will receive priority and the Audit Committee will be kept apprised of our progress towards the full completion of the plan and the impact of our hiring deferral.
Approximately 58% of the Office of Internal Audit’s resources are committed to the completion of planned audit projects. This year 3% of those resources will be needed to complete carry-over work from our FY 2013 audit plan. Twelve audit projects are currently in process and will be completed in 2014.
The remainder of our FY 2014 audit resources is reserved as follows:
- 10% has been reserved to accommodate requests from the President, the Board, or executive committee members. This has been supported by the Audit Committee. The number of hours remains consistent from previous years.
- 6% has been reserved for investigations. The number of hours remains consistent from previous years.
- 4% has been reserved for follow-up procedures performed on behalf of the Audit Committee. The number of hours required for follow up has decreased from previous years.
- 22% has been set aside for internal administrative functions, including our continuous improvement efforts.