Annual Risk Assessment and Audit Plan Development


The Annual Audit Plan is a report of scheduled audits by process or location that is developed each year based on results from the audit universe risk assessment. The audit universe is a list of auditable processes and functions within the University of èƵ system. The risk assessment results are used to indicate and communicate which audits should be scheduled for the upcoming year and which audits are not expected to receive adequate audit attention. This information is included in the presentation to senior management for their awareness and to give them the opportunity to suggest revisions to the plan prior to review and approval by the Board of Regents Audit and Finance Committee.

The Annual Audit Plan approval usually occurs in May for the upcoming fiscal year.

The scope for each scheduled audit remains tentative until planning begins for individual audits. During the planning phase, an engagement-level risk assessment is performed to help define the audit scope and objectives. As part of this, we hold planning meetings with stakeholders and subject matter experts to gain an understanding of the risks and concerns from their perspective. See the Audit Process Walk-Through for more information.

Annual Risk Assessment of the Audit Universe

The risk assessment takes into consideration the following internal and external factors.

Internal: Institutional Factors

a. Risks and concerns communicated by management in response to the annual stakeholder survey and meetings.

b. Internal concerns communicated by management and staff throughout the year.

Internal: Audit Department Factors

c. Risks that were discovered while conducting audits but not included in the review due to the audit scope.

d. Audits that were planned for the current year but will not be completed due to time or staffing.

e. Functions and processes for which the èƵ benefits from routine review, such as banking, cash receipts and procurement card usage.

f. The last date the unit, function or process was audited.

g. Auditor knowledge of risks based on maintaining relationships with professional organizations and peers and training on various audit topics and risks.

h. Current trends that have an expected impact on higher education organizations (e.g., opportunities for cost reduction/saving, risk mitigation, areas of concern with recent Office of Inspector General audits at other higher education institutions, information from NACUBO, ACUA, AICPA, IIA, ISACA, ACFE and other professional organizations).

External Factors:

i. Concerns communicated by annual financial auditors, federal agency auditors, and legislative auditors during the course of external audit activities.

j. Functions and processes that are required to be audited per the Institute of Internal Auditors International Professional Practices Framework standards, for example:

Standard 2110.A2 - The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.