Nonprofit Resources
Internal Audit in Higher Education Institutions
Higher education institutions are complex organizations with an array of activities that eclipse those of many other business enterprises. As an institution’s size and resources grow, so does its overall complexity. This makes enterprise risk management (ERM) a complicated but necessary task for institutions.
ERM (also known as governance, risk, and compliance) is an important fiduciary responsibility of your institution’s governing body, and it has been a hot topic in the higher education industry. One key component of ERM is an internal audit, which can provide significant benefits without a significant investment of resources.
Objectives and Scope of an Internal Audit
Almost all colleges and universities are required to have external financial statement audits by an independent auditor due to their spending level and the reporting requirements for institutions that receive Title IV funds. External auditors focus on the major areas of revenues and expenses in their risk assessment and test these areas extensively during the financial statement audit. These areas include:
- Student billings and student accounts receivable
- Payroll
- Non-payroll cash disbursements and accounts payable
Risk identification and assessment are key governing board duties. While an external audit fulfills some of these fiduciary responsibilities, it does not accomplish all of them. Another valuable way to monitor ERM is through an internal audit performed throughout the fiscal year and focused on areas determined by risk assessment. This is usually done by an internal audit function.
An effective internal audit function will provide insight into your institution’s ongoing risk assessment process and the internal control framework over transaction classes. An internal audit does not need to be time-consuming or expensive. It also does not need to be “audit-worthy” to be effective and provide significant value to your institution and board.
The Role of an Internal Auditor
An internal audit is typically performed by an employee or volunteer who is not involved in the process being audited. The internal auditor’s role is to:
- Provide monitoring throughout the fiscal year
- Understand the design and implementation of controls
- Help the institution’s board and management understand the risks of transaction classes
- Report directly to the finance committee or board
This individual should be collaborative and have a working relationship with the areas he or she will monitor. In addition to working with the board to provide an independent risk assessment, an internal auditor should offer insight and identify areas for improvement. The goal of the internal auditor is to help improve the institution, not play “gotcha.”
Board Oversight
The board’s role is to enhance and support the internal audit function, which serves as the board’s “eyes and ears” on the institution’s ability to meet its financial and compliance responsibilities.
The board should also ensure that the institution adjusts its internal controls and practices as necessary. This is often done through a board sub-committee, such as a finance committee, that oversees the internal audit function and reports back to the entire board.
This sub-committee should:
- Work with management to develop the annual internal audit plan
- Review the annual internal audit plan with management before acceptance by the sub-committee
- Make requests for reviews or special investigations that are not part of the approved annual internal audit plan
- Ensure external auditors are consulted if the internal audit findings warrant their involvement
Developing and Updating Your Internal Audit Plan
To create an internal audit plan for your institution, combine an assessment of department-level risks across the institution with a projection of available audit resources to determine the most effective schedule of internal audit activities for the year.
Your internal audit plan should:
- Outline the objectives for the internal audit
- Determine the areas and amount of department-level risk
- Forecast the number of hours needed to accomplish the objectives
- Incorporate and apply the Internal Control-Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- Specify that results will be reported to the board and/or finance committee and the date or frequency of those reports
To determine the areas and amount of department-level risk, use the following risk factors to assign a risk indicator (e.g., low, moderate, or high) to each identified risk area. The risk factors fall into three broad categories:
- Environment risks, such as legal and regulatory, financial reporting, and financial and social climate
- Process risks, which include five subcategories:
- Operations
- Financial
- Employee and management empowerment
- Information processing/technology
- Integrity
- Information for decision-making risks, which include three subcategories based on the type of information:
- Process/operational
- Business reporting
- Environment/strategic
Risks are always evolving. Having a continuous view of risk assessment will enable your internal audit function to modify its existing audit plan to adjust to changing risk factors and develop future audit plans that address relevant issues.
Internal Control Assessment
It is also important for your internal audit to assess the effectiveness of your institution’s internal controls. Internal controls are like “brakes” for an institution. The brakes on a vehicle enable it to stop when necessary, even when traveling at high speeds. Without them, drivers would need to creep along slowly to avoid accidents. Likewise, effective internal controls can allow your institution to operate quickly and effectively while ensuring you stop and address potential issues when necessary.
And just as the brakes on a vehicle should be checked and maintained by an experienced mechanic, an internal auditor should periodically review and “tune-up” your institution’s controls to make sure they are operating as intended.
Frequency of Testing
The frequency of departmental internal audit testing should be based on the related risk assessment as follows:
Risk Area | Frequency of Testing |
---|---|
Low | Discretionary |
Moderate | Higher frequency |
High | Highest frequency (no more than X years) |
Areas with known issues | Immediate |
The Benefits of Internal Audits
An effective internal audit function can make a department’s current processes more efficient and effective by objectively reviewing, evaluating, and making recommendations that can streamline workflows, create efficiencies, and strengthen internal controls. Internal auditors also can compare the department’s operations to best-in-class organizations inside and outside the higher education industry.
As an example, the board at a large institution may be surprised to learn, through an internal audit, that personnel such as athletic coaches sometimes receive large gifts for the institution from donors who have a personal relationship with that employee. Whether the gifts are mailed or delivered in person, they are received through a system that is outside the institution’s normal processing and receipting. This bypasses important internal controls such as restrictively endorsing the checks as soon as they are received or opening the mail with two employees present.
An internal audit can identify control deficiencies like these while allowing the board to assess the effectiveness of the controls in these areas. The institution in our example can then take the next step, such as implementing control procedures used in large, decentralized organizations that take in cash at various decentralized locations (such as a retailer). Adopting a similar control environment will ensure that any gifts received outside of the normal process are received by more than one individual and are restrictively endorsed to the institution immediately. Studying best-in-class organizations could also help the institution adopt relevant best practices.
Next Steps
It’s crucial to follow up on prior internal and external audit findings. This is another way to provide future coverage without investing significant resources. It also allows your internal audit function to monitor and uphold a presence in areas that may not make it into the current audit plan and evaluate current-year changes that have been implemented.
The internal audit can assess a department’s response to the internal audit findings through brief conversations and check-ins with the department’s management. Does management resolve issues promptly and with practical long-term solutions, or are they repeatedly making the same mistakes and applying temporary fixes? Evaluating this can also provide insight into other potential risks that may exist within the department.
With the right planning and support, ongoing internal audits can help your institution safeguard your resources, uphold financial integrity, and identify and address risks. These audits can provide critical insights and strategic recommendations that help your institution enhance operational effectiveness, prevent issues, and improve overall governance while remaining accountable and transparent to your stakeholders, including your students, employees, faculty, and donors.
Please contact us with any questions.
Special thanks to Columbia International University and Charleston Southern University for their contributions to this article.
Authors: Daniel M. Campbell, Partner and Higher Education Services Director and Junice Jones, Partner
Additional Internal Audit Resources:
Example Higher Education Annual Internal Audit Plan
Example Internal Audit Procedures and Results Summary