Risk Assessment

The Office of Internal Audit (Office) uses a comprehensive risk assessment model to develop audit work plans. This model allows all areas of the University to be evaluated using uniform criteria and input from key members of management. The approach is less score-driven and involves more interaction with management and ongoing monitoring of changes at the University and in higher education. This approach allows the audit plan to be adjusted during the year as risks change.

Major factors to be considered in assessing risk include:

  • input from management;
  • the nature of a unit and any related trends or events in higher education;
  • lack of prior audits or unresolved findings from prior audits;
  • financial impact of a unit;
  • potential for reputational risk or significant impacts from a service failure (complex operations, mission-critical operations, use of sensitive information, consequences of errors or omissions); and
  • recent changes in a unit.

Key Performance Indicators (KPI) provided to UNC General Administration should also be considered in assessing the risk associated with the activities subject to KPI reporting.

The Office assesses risk and develops an audit work plan each year. In some years, management input will come primarily from interaction with these individuals and Board of Trustee members during the year. At least every three years, the assessment process will include formal interviews with members of the Board and a broad group of management.

Risk is also assessed as part of the planning and preliminary survey processes of each project. These processes are used to identify major activities, financial trends, departmental management concerns, etc. The results of the reviews, analyses, and discussions in the planning phase are used to select specific objectives for each audit project.

Audit Plan

The annual work plan includes blocks of time for routine audits, special projects (those requested by management or involving allegations of misuse), and administrative functions such as staff training and development.

Units will be scheduled for audit based on the results of the risk assessment, recommendations from management, trends and recent events in higher education, and staff resources available.

We will audit core business activities (e.g., Payroll, Travel) as university-wide functions. This process includes an assessment of processes and controls in central departments that oversee a core activity and assessments of related controls and processes in a sample of user departments. This approach allows us to assess the management of an activity from “birth to death,” to more easily identify missing or duplicated controls, and to provide a comprehensive opinion on these activities.

We will also audit unique activities in schools and departments.