What’s on Your Audit Plan?
May 24, 2023
Every Spring, university audit shops must determine what to include on their audit plan for the next fiscal year. The Chief Audit Executive performs a risk assessment, seeks input from senior leadership, reviews strategic plans and industry trends, and analyzes resources to form an effective plan. While every college and university has unique individual risks and goals, common audit themes emerge and change from year to year.
Most Beneficial Audits of FY23
The ACUA Journal polled the membership and asked which engagements were the most impactful from Fiscal Year 2023. Out of the 58 surveys submitted, 33% of the responses said cybersecurity was most critical. Higher education institutions maintain a wide range of sensitive data, including academic records, student financial details and health care information, along with sensitive research and financial information. Colleges and universities continue to be victims of phishing and ransomware attacks. It is not surprising that cybersecurity audits top the list. Information Technology (IT) general controls and user access were other important IT audits.
Audits of human resources was the second highest, at 16% of responses. This is likely due to employment changes due to the pandemic, with some campuses auditing work from home practices. Payroll audits were beneficial at three universities.
Research security was third highest, at 9% of responses. This topic goes hand in hand with general cybersecurity, as research and study subject data is highly sensitive and desirable. Other topics included foreign influence and research administration, operations, and post-award reviews. Grant funding reviews were noted, including HEERF and CARES pandemic funding grants.
Athletics, admissions, and minors on campus were also noted as the most beneficial audits. See the complete list below:
Hot Audit Topics for FY24
The ACUA Journal asked for the “hot” audit topics on the FY24 audit plan, and the responses were surprisingly diverse. Of the 62 topics offered, no single topic received more than six votes. This speaks to the wide risk universe present at colleges and universities. The hottest topics were contracted services with third parties and a repeat of cybersecurity, each with 10%. Research compliance, a perennial favorite, was third on the list with four votes.
Admissions is receiving more attention this year, with planned audits of course fees, enrollment, scholarships, student aid, and student fees. Name, image and likeness (NIL) appeared on the athletics topics. Diversity, equity and inclusion (DEI) and environmental, social and governance (ESG) are increasing in importance this year. Three universities are in various stages of auditing Workday software implementation.
Campus safety, including minors on campus and lab safety, are hot topics this year. There is also an interest in auditing student life, with planned audits of study abroad and student mental health. Familiar financial audits like purchasing cards, segregation of duties, and competitive bids round out the list. The complete list of hot audit topics for FY24 are below:
Common Audit Plan Favorites
In addition to the hot and emerging topics, there is value in considering recurring internal audit projects with sizable risk. Here are some of the most common college and university audit topics by category:
- Admissions – admissions review
- Athletics – NCAA compliance
- Capital Projects – construction and contracts
- Financial Management – travel and entertainment review, purchasing card review, payroll
- Human Resources – hiring, retention, terminations and DEI
- Information Technology – system implementation, IT general controls, access, disaster recovery, data privacy and cybersecurity
- Operations – college general controls, centers and institutes
- Research – sponsored award administrative review, foreign influence, conflict of interest, effort reporting
- Student Life – housing, Greek life
Whether your work plan includes emerging trends, classic engagements, or a combination of both, it should be tailored to your college or university’s risks and strategic plans to ensure internal audit resources address your specific business processes and risk drivers. Even the best audit plan needs to be agile and budget for contingencies.
About the Author
Kara Hefner
Kara Hefner, CPA, CIA, CFE is the editor of the College and University Auditor Journal and an audit supervisor at the University of North Carolina, Chapel. Kara has 22 years of internal audit experience, is a frequent speaker...
Read Full Author Bio