Continuous Risk Assessment & Audit Planning Process

Continuous Risk Assessment


Internal Audit Division (IAD) continuously performs risk assessments (RA) of University units, processes and services to identify areas of high risk. The RA process is at the core of our audit and consulting engagements and is used as an objective tool in the development of our Audit Plans. Our assessment focuses on exposures relating to the University’s governance, operations, and information systems regarding the:

  • reliability and integrity of financial and operational information
  • effectiveness and efficiency of operations
  • safeguarding of assets
  • compliance with University and UNC System policy
  • compliance with legal, regulatory, and contractual obligations
  • detection and prevention of fraud

The Continuous Risk Assessment Process is illustrated here

Objective Risk Factor Criteria

Financial generally covers budget risk, cash management risk, loss of revenue, cost to recover from failures or other incidents.

Misuse generally covers misappropriation/misuse of state funds (e.g., fraud, bid rigging, payments to fictitious vendors or employees, use of fraudulent journal entries to conceal the diversion of funds, or embezzlement). Misuse risk is increased in the absence of appropriate controls.

Security – loss of confidentiality, integrity or availability of University Assets (logical or physical); e.g., sensitive critical data, systems, or assets.

Compliance – generally includes non-compliance with University policies, state or federal requirements, or contractual agreements (e.g., Human Resources policies, state spending guidelines, federal requirements for sponsored research).

Reputational – potential to affect the reputation of the University with stakeholders (e.g., Board of Trustees, UNC System, state legislature, federal granting agencies, students, faculty, alumni, business partners, and state citizens).

Operational – affects the delivery of core functions of the unit/department/college/university. Factors to consider include the amount of change in the structure of the unit, the quality of management in the unit, and the quality of the internal control environment. Information comes from prior audits and continuous risk assessments/networking.

Subjective Criteria
Throughout the year, IA meets both formally and informally with University administrative and academic executive management, deans, business officers, department heads, faculty, and staff. All information relating to risk, potential or existing, along with special requests for audits and identified areas of concern, is documented on a “real-time” basis in our RA electronic and physical files.

Audit Planning Process

All objective and subjective information and data gathered through our continuous RA process are analyzed when received and again every six months. This ongoing analysis process allows IA to determine areas that may need immediate attention, areas that are potential near-term or future audits, and areas that we will continue to watch and monitor through our process.

Our Audit Plan reflects the results of our continuous assessment and analysis process as of the end of the first quarter of each calendar year. Each year’s Plan is presented for approval at the regularly scheduled April meeting of the NC State Board of Trustees and is implemented at the start of the new fiscal year on July 1.

Please click here for a copy of the current NC State Internal Audit Plan.