Nonprofit Resources

Internal Audit in Higher Education Institutions

Executive Summary: The Role of Internal Audit in Higher Education Institutions

Internal audits strengthen risk management in higher education by evaluating controls, monitoring evolving risks, and supporting governing boards in meeting fiduciary responsibilities. These audits deliver risk-based insights into operations and compliance throughout the fiscal year, informing governance oversight, planning, and improvement efforts.

Higher education institutions are complex organizations with an array of activities that eclipse those of many other business enterprises. As an institution’s size and resources grow, so does its overall complexity. This makes enterprise risk management (ERM) a complicated but necessary task.

ERM, also known as governance, risk, and compliance, is a key fiduciary responsibility for an institution’s governing body and a prominent topic across the higher education sector. Internal audits are a crucial component of ERM, offering substantial benefits without requiring a significant investment of resources.

What Are the Objectives and Scope of an Internal Audit in Higher Education?

The core objectives of an internal audit in higher education are to systematically evaluate and improve risk management and internal controls over key transaction classes and provide governing boards with additional insight needed for their risk identification and assessment responsibilities.

Most colleges and universities are required to undergo external financial statement audits* by an independent auditor due to spending levels and Title IV reporting requirements. External auditors focus on the major areas of revenue and expense in their risk assessment and test these areas extensively during the financial statement audit, including:

• Student billings and student accounts receivable
• Payroll
• Non-payroll cash disbursements and accounts payable

Risk identification and assessment are key governing board duties. While external audits fulfill some of these fiduciary responsibilities, they do not accomplish all of them. Internal audits performed throughout the year and guided by risk assessment offer another valuable way to monitor ERM. This is usually done by an internal audit function.

An effective internal audit function provides insight into the institution’s ongoing risk assessment process and internal control framework over transaction classes. Importantly, an internal audit doesn’t need to be time-consuming, costly, or “audit-worthy” to be effective and provide significant value to the institution and board.

What is the Role of an Internal Auditor at a College or University?

The internal auditor serves as an independent, collaborative monitor of risk and internal controls, reporting directly to the finance committee or board.

An internal audit is typically performed by an employee or volunteer who is not involved in the process being audited. The internal auditor’s responsibilities include:

• Providing monitoring throughout the fiscal year
• Understanding the design and implementation of internal controls
• Helping management and the board understand risks associated with transaction classes
• Reporting directly to the finance committee or board

The internal auditor should maintain a collaborative working relationship with those in the areas being monitored while offering independent risk assessment and identifying areas for improvement. The goal is to strengthen the institution, not to play “gotcha.” 

How Does the Board Oversee the Internal Audit Function?

The board’s role is to enhance and support the internal audit function, which serves as the board’s “eyes and ears” regarding the institution’s financial and compliance responsibilities. The board should also ensure that the institution adjusts its internal controls and practices as necessary.

This is often accomplished through a board sub-committee, such as a finance committee, that oversees the internal audit function and reports back to the full board.

This sub-committee should:

• Work with management to develop the annual internal audit plan
• Review the plan with management before acceptance by the sub-committee
• Request reviews or special investigations that are not in the plan, if needed
• Ensure consultation with external auditors if the internal audit findings warrant their involvement

How Do Higher Education Institutions Develop and Update an Internal Audit Plan?

Internal audit plans are developed by combining an assessment of department-level risks across the institution with a projection of available audit resources to determine the most effective schedule of internal audit activities for the year.

To create an effective internal audit plan, higher education institutions should:

• Outline internal audit objectives
• Determine areas and amounts of department-level risks across the institution
• Forecast the hours and resources required
• Incorporate the Internal Control-Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
• Specify expectations and frequency for reporting results to the board or finance committee

To determine the areas and amount of department-level risk, institutions can use the following risk factors to assign a risk indicator (e.g., low, moderate, or high) to each identified risk area. The risk factors fall into three broad categories:

• Environment risks, such as:
  • Legal and regulatory
  • Financial reporting
  • Financial and social climate
• Process risks, which include five subcategories:
  • Operations
  • Financial
  • Employee and management empowerment
  • Information processing and technology
  • Integrity
• Information for decision-making risks, which include three subcategories:
  • Process/operational
  • Business reporting
  • Environment/strategic

Because risks evolve continuously, institutions benefit from viewing risk assessment as an ongoing process. This helps the internal audit function adjust audit plans in response to changing risk factors and develop future plans that address relevant issues.

Why Is Internal Control Assessment Critical in Higher Education?

Assessing the effectiveness of internal controls enables institutions to operate efficiently while identifying and addressing issues before they become significant risks.

Internal controls function like brakes on a vehicle—allowing institutions to operate quickly and effectively while ensuring they can slow down or stop to address potential issues when they arise. And just as vehicle brakes require periodic maintenance by an experienced mechanic, internal auditors should periodically review and adjust the institution’s controls to ensure they operate as intended.

How Often Should Internal Audit Areas Be Tested?

Departmental internal audit testing should align with the assessed risk level, with higher-risk areas receiving more frequent review.

Risk Area	Frequency of Testing
Low	Discretionary
Moderate	Higher frequency
High	Highest frequency (no more than X years)
Areas with known issues	Immediate

What Are the Benefits of Internal Audits for Higher Education Institutions?

Through objective review and evaluation, the internal audit function can make recommendations to streamline workflows, improve efficiency, and address internal control gaps. Internal auditors can also benchmark departmental operations against best-in-class organizations inside and outside the higher education sector.

For example, an internal audit may reveal decentralized gift processing and receipting practices that bypass important internal controls. An internal audit can identify such control deficiencies while allowing the board to assess the effectiveness of the controls in these areas. Studying best-in-class organizations can also help institutions identify and adopt relevant best practices.

What Additional Steps Should an Internal Audit Involve?

Following up on prior internal and external audit findings allows institutions to provide future coverage without significant additional resources. It also enables institutions’ internal audit functions to monitor and maintain a presence in areas that may not make it into the current audit plan and evaluate current-year changes that have been implemented.

Ongoing conversations and check-ins help internal audit functions assess a department’s response to internal audit findings and whether management resolves issues promptly with practical, long-term solutions, or repeats mistakes or applies temporary fixes. This can also reveal additional risk factors that may warrant future review.

Key Takeaways for Financial Leaders

A well-designed and supported internal audit function enables higher education institutions to proactively identify and address risks, safeguard resources, and uphold financial integrity.

These audits can provide critical insights and strategic recommendations that help institutions enhance operational effectiveness, prevent issues, and improve overall governance while remaining accountable and transparent to students, employees, faculty, donors, and other regulators.

Please contact us with any questions.

Special thanks to Columbia International University and Charleston Southern University for their contributions to this article.

 

Authors: Daniel M. Campbell and Junice Jones

 

Additional Internal Audit Resources:

Example Higher Education Annual Internal Audit Plan

Example Internal Audit Procedures and Results Summary

Performing Risk Assessment in Higher Education Institutions

Reporting Internal Audit Results to Your Institution’s Board

Sign up for e-news and alerts