Internal Audit Annual Plan Year 2016
The annual internal audit plan is intended to demonstrate:
- the breadth and depth of audit activities addressing financial, operational, compliance, strategic, and reputational risks of the University;
- accountability for our resources; and
- the progress in our efforts to continually improve the University's Internal Audit program.
It is our intent to convey a current sense of the University's internal control environment and the extent to which institutional risk mitigation is being assessed by regular audit activities, addressed proactively through advisory services, or investigated as a result of issues raised.
The development of the annual audit plan is based on information gathered through broad consultation across the University and a formal assessment of existing and emerging risks. We also do a scan to identify areas of emphasis at relevant federal agencies and use a survey of other research universities regarding the assessment of risks within their institutions.
External Risk Assessment/Scan of the National Landscape of Higher Education
Regulatory Agencies: The federal regulatory agencies that have significant involvement with University activities continue to be highly focused on the implementation of the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards issued in December 2014, both internally within the agencies themselves, as well as by their grantees.
Research Universities: Our survey of other research universities identified four consistently cited areas of risks being overseen by the governing boards: leadership succession planning and transition, IT security, reputational risks, and student/campus safety.
Internal Risk Assessment
As part of the planning process, we held individual discussions with each member of the Board of Regents to identify areas of risks/concerns at the governance level for audit consideration. The risks most often identified in these discussions were:
- Human subject research
- Board governance practices
- MN Health
- Succession planning for institutional leadership positions
- Public relations and communications
We also held discussions with 86 institutional officials from 40 units to solicit input on the University’s institutional risks and any specific areas of concern. Themes which emerged from these discussions included the risks associated with 1) developing a field-shaping workforce in light of the University’s demographics, including succession planning for key employee turnover, faculty recruitment and retention commitments, etc., 2) the impact of continued administrative cost re-allocations and reductions and rising cost pool charges on collegiate/unit finances, and 3) regulatory compliance concerns associated with Title IX and human subject research.
Operational Risk Assessment
Finally, our annual planning process includes re-examining the audit universe to ensure that all university activities are considered when determining how audit resources will be allocated. We also consider new regulatory developments, new business processes, and institutional priorities and strategic initiatives.
The Office of Internal Audit continues to utilize a formalized risk assessment methodology in selecting processes/units/systems for inclusion in the annual audit plan. Relative risk assessment is necessary to provide a basis for the rational deployment of our limited resources across the institution. The risk factors that we considered in prioritizing institutional activities are:
- Impact on the University’s mission
- Impact on University finances
- Assessment of the activity’s control environment
- Level of compliance concerns
- Impact of information technology
- Complexity and/or diversity of the activity
- Changes in the organization or leadership
Our operational risk assessment resulted in a risk ranking of 175 individual auditable activities, of which 19 are considered to be high risk, 103 moderate risk, and 53 low risk. A rating of “high-risk” does not mean that the activity is perceived to have control problems, but rather reflects the criticality or centrality of the activity to the University’s mission.
The primary focus of the FY 2016 audit plan is two-fold. First, we will carry out the requisite audit work to appropriately inform the Audit Committee’s monitoring of the Human Subject Research Implementation Plan. This work will be conducted both as targeted reviews and by testing human subject research activities within individual unit audits. Second, the audit plan includes audits of several significant business processes now that the Enterprise Upgrade is complete. This will allow us to evaluate the impact of the Upgrade on the efficiency and effectiveness of these processes and their related controls.
Additionally, the FY 2016 audit plan includes continued attention on activities within the Academic Health Center.
The audit plan is based on a planned staffing complement of 15.5 FTE professionals, which is our full complement.
Approximately 55% of the Office of Internal Audit’s resources are committed to the completion of planned audit projects. This year 4% of those resources will be needed to complete carry-over work from our FY 2015 audit plan. Seven audit projects are currently in process and will be completed in FY 2016.
The remainder of our FY 2016 audit resources is reserved as follows:
- 10% has been reserved to accommodate requests from the President, the Board, or members of the senior leadership team. This has been supported by the Audit Committee. The number of hours remains consistent from previous years.
- 6% has been reserved for investigations. The number of hours remains consistent from previous years.
- 4% has been reserved for follow-up procedures performed on behalf of the Audit Committee. The number of hours remains consistent from previous years.
- 25% has been set aside for internal administrative functions, including our continuous improvement efforts. This remains consistent with the previous year.