|Continuous Risk Assessment|
Internal Audit Division (IAD) continuously performs risk assessments (RA) of University units, processes and services to identify areas of high risk. The RA process is at the core of our audit and consulting engagements and is used as an objective tool in the development of our Audit Plans. Our assessment focuses on exposures relating to the University’s governance, operations, and information systems regarding the:
- reliability and integrity of financial and operational information
- effectiveness and efficiency of operations
- safeguarding of assets
- compliance with University and UNC System policy
- compliance with legal, regulatory, and contractual obligations
- detection and prevention of fraud
The Continuous Risk Assessment Process is illustrated here
Objective Risk Factor Criteria
Financial – generally covers budget risk, cash management risk, loss of revenue, cost to recover from failures or other incidents.
Misuse – generally covers misappropriation/misuse of state funds (e.g., fraud, bid rigging, payments to fictitious vendors or employees, use of fraudulent journal entries to conceal the diversion of funds, or embezzlement). Misuse risk is increased in the absence of appropriate controls.
Security – loss of confidentiality, integrity or availability of University Assets (logical or physical); e.g., sensitive critical data, systems, or assets.
Compliance – generally includes non-compliance to University policies, state or federal requirements, or contractual agreements (e.g., Human Resources policies, state spending guidelines, federal requirements for sponsored research).
Reputational – potential to affect the reputation of the University with stakeholders (e.g., Board of Trustees, UNC System, state legislature, federal granting agencies, students, faculty, alumni, business partners, and state citizens).
Operational – affects the delivery of core functions of the unit/department/college/university. Factors to consider include the amount of change in the structure of the unit, the quality of management in the unit, and the quality of the internal control environment. Information comes from prior audits and continuous risk assessments/networking.
Throughout the year, IA meets both formally and informally with University administrative and academic executive management, deans, business officers, department heads, faculty, and staff. All information relating to risk, potential or existing, along with special requests for audits, and identified areas of concern is documented on a “real-time” basis in our RA electronic and physical files.
|Audit Planning Process|
All objective and subjective information and data gathered through our continuous RA process is analyzed when received and again every six months. This on-going analysis process allows IA to determine areas that may need immediate attention, areas that are potential near-term or future audits, and areas that we will continue to watch and monitor through our process.
Our Audit Plan reflects the results of our continuous assessment and analysis process as of the end of the first quarter of each calendar year. Each year’s Plan is presented for approval at the regularly scheduled April meeting of the NC State Board of Trustees and is implemented at the start of the new fiscal year on July 1.
Please click here for a copy of the current NC State Internal Audit Plan.