Leveraging ERM to Increase Internal Audit Relevancy

February 12, 2020

A New Paradigm

Internal audit, compliance, and enterprise risk management (ERM) play an increasingly important role in how higher education institutions manage risk. Evaluating the intersection of these functions can identify opportunities to enhance their value to an organization. Rather than focusing on their differences, many institutions have begun to focus on the similarities between these important functions and are leveraging them to create a new paradigm for providing effective risk management across the enterprise.

In early 2019, Baker Tilly performed a study that explored how seven major research universities are:
  1. Progressing with ERM
  2. Leveraging ERM to sharpen the focus of their internal audit functions

The study included a survey of how the ERM process started at each university and identified leading ERM practices.

Baker Tilly shared the results of the study and facilitated a panel discussion with representatives from three of the participating research universities at ACUA’s AuditCon 2019 in Baltimore. The representatives included:
  • Sharon Kurek, Virginia Polytechnic Institute and State University (Virginia Tech)
  • Joanna Rojas, Duke University
  • Patti Snopkowski, Oregon State University (OSU)

Over 125 ACUA members attended the session and provided positive feedback. Key takeaways from the study spanned four categories:
  • Initiation and Planning
  • Risk Analysis
  • Risk Response
  • Sustaining ERM

Initiation and Planning

Internal champions, such as the President or Chief Financial Officer—rather than the governing board—typically initiate the ERM process. After the ERM process is initiated, the internal audit function can serve as initial facilitator for the ERM process. At several of the universities, the Chief Audit Executive role expanded, adding Chief Risk Officer (CRO) responsibilities and responsibility for the ERM process. The remaining universities in the study have a CRO that operates independently of internal audit.

Expanding the existing dialogue about strategy and operational performance to include more explicit discussion of risk, and using ERM as a tool and catalyst for action, are successful ways of getting started with an ERM program. During the AuditCon panel discussion, Patti Snopkowski described the origins of ERM at OSU and how the university manages the ERM process. In 2014, a change to Oregon’s higher education laws eliminated the statewide higher education system board and established governing boards at the university level. This change also created an internal audit function at each university. For OSU, internal audit’s charge includes identifying enterprise risks for senior leadership and the board. OSU’s enterprise risk identification is part of the annual audit planning process. In 2018, to recognize its facilitation and coordination of enterprise risk and compliance, OSU’s Office of Audit Services was retitled the Office of Audit, Risk, and Compliance.

Risk Analysis

The study noted promising enterprise risk assessment practices, including:
  • Simplifying and streamlining the risk universe
  • Considering the “velocity” of risks
  • Using “priorities at risk” to focus the risk management process
  • Developing risk snapshots to provide more context to risk area descriptions
  • Eliminating the stand-alone internal audit risk assessment and leveraging the ERM risk assessment to develop the internal audit plan
  • Moving away from focusing on the quantification of the risks to a more qualitative process

Leveraging the ERM risk assessment to develop the audit plan is emerging as a leading practice, demonstrating how the internal audit function is providing positive assurance on risk mitigation strategies.

During the AuditCon panel discussion, Sharon Kurek of Virginia Tech discussed how the university uses these tools to assure adequate mitigation of risks. At Virginia Tech, the purpose of the ERM program is to strengthen the university’s ability to achieve its mission and strategic objectives by effectively managing key risks and seizing relevant opportunities. In this context, risk encompasses both negative events (i.e., downside risk) and opportunities (i.e., upside risk). Accordingly, risk identification focuses on systemic, existential, and institutional risks, which simplifies and streamlines the risk universe with an emphasis on strategic risks.

Risks are prioritized and assessed on likelihood of occurrence, significance of impact, and velocity (i.e., speed of onset), giving a three-dimensional view via a risk heat map. Each risk is then assigned to a risk owner, who develops a risk snapshot capturing the risk statement, sub-risks, current key processes, and mitigating action plans to ensure ongoing management of the risk. The resulting enterprise risk landscape is used in developing the annual audit plan, and audits are visually mapped to enterprise risks, giving governance and leadership visibility into assurance coverage.

Risk Response

Risk monitoring: Baker Tilly explored how the universities use risk monitoring to ensure proper oversight of the subject matter experts who manage high-risk areas. Risk monitoring involves practices such as:
  • Using data analytics to monitor progress of a risk area (e.g., faculty retention)
  • Utilizing tabletop exercises in key areas of risk to stress-test mitigation strategies
  • Documenting specific risk mitigation efforts and assessing their sufficiency
  • Obtaining assurance via internal audit activities about the operating effectiveness of key risk mitigation strategies

Risk mitigation: One of the most important takeaways is the increased emphasis on risk mitigation activities, including:
  • Identifying the risk mitigation strategies that are already in place and discussing potential improvements
  • Deploying a “Mitigation and Monitoring” template to document risk mitigation
  • Using performance metrics to assess progress on risk mitigation

During the AuditCon panel discussion, Joanna Rojas shared the risk mitigation process used at Duke University. The risk management process has evolved from asking “What is the risk?” to “What is the risk strategy?” This shifts the conversation to active risk management, evaluating risk across silos with the goal of prioritizing resources and mitigation plans.

Often, the ERM process identifies risks that seem non-auditable. By looking at the risk drivers and focusing on the governance and process controls of the area, an audit can still be designed. For example, consider university facilities, where the risk drivers include aging infrastructure across campus (e.g., buildings, structures, and building equipment). Audits can be designed to evaluate the facilities’ risk mitigation processes, including preventive maintenance programs, the systems used to inventory and track building equipment, and any facility renewal programs.

Human resources is another example, specifically workforce recruitment, retention, and development. Risk drivers for this area include resiliency and burnout, a national talent shortage, the looming retirement wave, and recruiting effectiveness. An audit can be designed to evaluate recruiting processes and whether they have been implemented consistently across the institution. In addition, the accuracy and transparency of reported metrics on cycle time, communication, and turnover can be assessed.

Sustaining ERM

While audit committees retain oversight of the ERM process, Baker Tilly did observe universities engaging other committees by:
  • Assigning oversight of high-risk areas to other trustee committees
  • Requiring other committees to report back annually to the audit committee on their risk oversight activities

Conclusion

As internal auditors, we have an opportunity to contribute to broader enterprise risk management efforts. Embracing these opportunities can increase the relevance and value of our services. Internal auditors at leading institutions of higher education are positioning their institutions for continued success in a number of interesting and innovative ways, including engaging in discussions around ERM, using the ERM risk assessment to drive annual audit planning, simplifying the risk assessment process, and providing positive assurance that the risk mitigation strategies are effective.

About the Authors

Frank Bossle

Frank Bossle is a director in Baker Tilly Virchow Krause’s higher education, internal audit and consulting practice. Frank specializes in higher education, healthcare, risk management, compliance, and internal audit and has more than 40 years of accounting and advisory experience. He was previously the Chief Audit Executive of Johns Hopkins University and Johns Hopkins Health System. He has been a frequent contributor to ACUA and other professional organizations.


John Kiss

John Kiss is a director in Baker Tilly Virchow Krause’s higher education, risk, internal audit and cybersecurity practice, and has more than 14 years of experience in risk management and internal audit. He has a diverse industry background across higher education, healthcare, commercial and government entities. His experience includes providing forensic accounting services, auditing business processes and controls, conducting enterprise-wide risk assessments, and performing strategic reviews.
