Best Practices for Building a University Audit Plan
February 12, 2020
In an environment where the velocity and span of risks facing colleges and universities is outpacing the resources available to perform audits, it can often be daunting to think about how to build an audit plan that provides appropriate coverage. Internal audit’s role expands to include risk management, compliance, and/or privacy responsibilities, in addition to management requests, such as conducting proactive reviews or investigations. Given our expanded roles, this results in even less time to complete planned audits.
So, how does an internal audit department determine where to focus its efforts?
Having an increased volume of advisory requests, hotline calls, and invitations to committees or other meetings across campus can certainly make completing “routine” audit work more difficult for the internal audit department; however, having internal audit as a visible, engaged, and active participant in activities and decision-making across campus is a win-win strategy. A campus comfortable with their auditors’ involvement, as well as ongoing consideration of risks and controls, reinforces sound management practices and strong control environments.
It is easy to become overwhelmed or feel like the audit plan is inadequate when inundated with discussions of hot topics and new trends, from agile auditing and rolling audit plans, to data analytics and continuous monitoring.
If this situation arises, a few options include:
- Find an empty conference room and cry.
- Quit auditing and move somewhere tropical.
- Stop, breathe, and remember the core purpose of internal audit!
Assuming door #3 is the best option, start with the Institute of Internal Auditors’ (IIA) mission of internal audit: To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. In case that did not engender the esprit de corps, reading your institution’s internal audit charter should do the trick.
Joking aside, it is important to look back at the overall mission and goal of internal audit and think about how the services provided across campus can best meet the defined objective–providing risk-based assurance, advice, and insight to enhance and protect organizational value.
Although it may be a pressure, absolute coverage is not a requirement of internal audit. As medical professionals are guided by the Hippocratic Oath (i.e., do no harm), internal auditors could live by an ethos as well–do what is possible.
It is impossible for an internal audit department to provide absolute coverage of the risks and operations across all aspects of a college/university on an ongoing basis or within a single audit year. Arguably, not all aspects of a campus’s operations can be covered even in a multi-year plan, unless the plan spans over a decade.
As university auditors are aware, institutions of higher education, no matter the size, are some of the most complex, regulated, and unique businesses in the world. As an institution’s size and available resources grow, so does the complexity. Auditable areas expand exponentially when you factor in owned or affiliated health systems, geographically separate campuses, international operations, and other unique features (e.g., a system office or university partners).
So, what can internal audit do about it?
There are many approaches to audit planning, with no single “right” answer. The best audit approach results in an acceptable level of coverage provided across high-risk areas. As referenced in the IIA’s mission statement, it is key to focus on “risk-based” assurance. Establishing the audit plan, including the scope and nature of work performed in each audit, takes place during the annual audit planning process, where a formal risk assessment is performed.
However, identification and assessment of risk can, and should, be a continuous activity throughout internal audit’s operations. The results of ongoing internal or external audit activities, conversations with departments and operating units, reading student and local community newspapers, and even overhearing conversations around campus can all provide insight into challenges and risks happening across an institution.
Further, the higher education industry has several available resources to identify and understand new and emerging risks. Conferences, webinars, newsletters, and other trainings are available from a myriad of industry groups and external service providers. These resources allow higher education auditors to keep up-to-date with changing trends and risks within the industry, as well as provide opportunities to learn how other institutions are addressing the same issues.
By having a continuous view of risk, an internal audit function can adjust and adapt its current audit plan, as well as develop future audit plans, to focus resources on “hot topics.” According to the Higher Education Compliance Alliance,[1] there are 281 entries on the current compliance matrix in addition to the general business operating processes that fall under internal audit’s purview. Needless to say, there are plenty of areas to consider when developing an audit plan.
The decisions for how to determine what activities to include on the audit plan will come down to the methodology for developing a plan and how risk is viewed and evaluated. For example, is risk categorized as inherent risk or residual risk? Is there a cycle for ensuring audits are performed in certain key areas on a regular basis? How much time in the audit plan is reserved for advisory work, special requests, or investigations? How do you perform audit follow-up? What are the external auditors or second-line functions covering?
The answer to each of these will impact what activities end up on your audit plan:
- Inherent versus residual risk: After considering if an institution has a strong control environment and culture of compliance, or if ongoing monitoring activities can be relied on—either self-developed or performed within the first and second line—the remaining (i.e., residual) risks are key areas to focus on for an audit plan. If an ongoing assessment of control effectiveness does not exist, results of past audits can be leveraged; however, the more time that elapses since the last audit was completed, the less reliance should be placed on those results. If the internal audit function was a participant or observer throughout the development and implementation of new processes, then an assessment could be made regarding where risks remain within the process, even if control effectiveness has not been tested yet. Having this involvement can also increase the level of comfort with letting management run the process longer before it is reviewed/audited.
- Cyclical audit plan: Certain operational areas carry significant inherent risk, particularly around how money flows in and out of the institution. While residual risk may be low in these areas, leading practices suggest that conducting audits of certain key areas (e.g., payroll, employee benefits, procurement, and vendor payments) on a routine basis helps to provide independent and objective assurance. However, it is not expected that institutions have a routine cycle for every auditable entity in its risk universe.
- Allocation of plan time: As the internal audit function on campus is embraced as a strategic asset, the volume of requests for advisory work can significantly increase. While this may be a Chief Audit Executive’s dream, it can put a strain on the function’s resources and ability to complete the audit plan. The amount of time set aside for advisory services is steadily increasing in audit shops across the country, with many now approaching up to 30% of planned hours allocated to non-assurance activities. With this increase, it is important to prioritize if such activities are adding value to the organization, or if presence in such activities is more "for show." As risks and related demands for audit resources increase, internal audit departments may be approaching a tipping point where they need to decline or defer management’s requests.
- Coverage through audit follow-up: The audit follow-up process can be an excellent way to provide coverage with limited investment of resources. Beyond assessing the actual steps taken by management in responding to prior audit findings, follow-up allows the internal audit function to maintain a presence in operating areas on campus that may not make it into the plan. Internal audit can continue to monitor the control environment in those areas, as well as identify and assess change through a few touchpoints and conversations. Evaluating the overall response to an audit finding—does management resolve issues timely with practical solutions, or are they constantly missing or changing dates and applying temporary fixes?—can provide great insight into potential risk in other operations within the same business area.
- Leveraging the work of others: It is no longer just external auditors leveraging the work of internal auditors to save the institution money. Internal auditors can, and should, consider the areas covered by the institution’s external auditors, as well as existing second line or other monitoring functions. If there is acceptable coverage and comfort that those functions are performing their roles as expected, there will be a reduction in the amount of time needed to independently audit these areas. Although it does not completely remove the need for independent and objective assurance, it can help to lower the risk rating of different areas, prolonging the amount of time between coverage from the internal audit function.
Overall, developing an annual audit plan is about balance built around risk-based decision making. As capabilities grow, consider how your department can leverage technology to enhance monitoring for lower-risk or routine activities—by investing in developing your own tools or piggybacking on items built within the institution. In addition, develop relationships with management and consider if your campus’s culture would support and benefit from completing a management self-assessment or other aspects of a broader risk management program. Finally, hold open conversations with the institution’s board and senior leaders about their risk concerns, and provide your view and opinion. While it is still not possible to cover all operations on campus in a single plan, these steps will help the internal audit function address notable risks, provide value-added services, and use available resources in an efficient manner.
About the Author
David Clark, CIA, CFE, CRMA
David Clark, CIA, CFE, CRMA is a Managing Director and leader of BDO’s higher education advisory practice with nearly two decades of experience supporting colleges and universities. He specializes in supporting institutions in all manner of areas related to strategy, governance, risk, and compliance. Prior to joining BDO, he served as a Director in the Risk, Internal Audit, and Cybersecurity consulting practice of another international accounting firm as well as a Senior Internal Audit Manager at one of the country’s leading financial institutions. He can be reached at dclark@bdo.com.