
Performing Risk Assessment in Higher Education Institutions

Internal audits are an essential element of enterprise risk management at higher education institutions. And an effective internal audit process includes performing a comprehensive assessment of the risks the institution faces.

This article provides suggestions to help you identify areas of risk within your institution and develop a risk assessment process. Please note that this is intended to be an overview, not a complete guide to risk assessment. For more information, see the Internal Control-Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO).


Assemble the Pieces

A risk assessment is like a jigsaw puzzle: you need to have all the pieces “right-side up” and available in a way that allows you to recognize patterns. When performing a risk assessment, it’s vital to ensure you’ve identified all the risks and applied your institution’s internal and external audit resources effectively to minimize exposure.

Start by following these four steps:

1. Use your audited financial statements to identify the transaction classes that need to be assessed. Every line item in your financial statements is a transaction class, and it’s important to start with an understanding of the nature, volume, and account value of the underlying transactions in each one. Some examples of transaction classes and the underlying transactions include:

  • Student billings – Tuition revenue, room and board revenue, accounts receivable, and deferred revenue
  • Payroll and benefits – Payroll and benefits expense, accrued payroll, and accrued benefits
  • Non-payroll expenses – Cash disbursements and accounts payable
  • Donor support – Cash receipts and contributions with and without donor restrictions
  • Investment income – Dividends and interest, gains, losses (realized and unrealized), and investments (operating and non-operating for long-term purposes)
  • Capital projects – Purchases and maintenance of property, plant, and equipment and physical plant improvements, including repairs and maintenance
  • Endowment net assets – Including endowment portfolio/investment portfolio management, with proper accounting for endowments in alignment with the Uniform Prudent Management of Institutional Funds Act (UPMIFA) and accounting standards
  • Other revenues
  • Other expenses
  • Other assets
  • Other liabilities

2. Identify the departments or budget areas that need to be assessed. Consider the amount spent in each area. If the total is insignificant, you may want to exclude that department.

3. Consider which transaction classes are affected, based on the activity in that budget area. When identifying department-level risks, it’s important to understand the operating activities in each department and the financial transactions generated from those activities.

Start by listing the departments or budget areas involved in each transaction class. Next, consider which transaction classes the operating activities affect and the nature of the financial transactions that relate to those activities. For example, your cafeteria purchases food and sells it to students. The athletic department sells tickets to sporting events.

Different departments may have multiple operating activities that result in several types of financial transactions. The athletic department may also sell concessions and apparel, offer facility rentals, or have a booster club that generates income. As a result, you may need to assess more than one operating activity and the related financial transactions for each department.

4. Assign a risk rating to each area using the following categories, each of which carries its own testing frequency:

  1. C for Critical, which may be tested X (multiple) times a year
  2. H for High, which may be tested annually
  3. M for Medium, which may be tested every Y years (e.g., every two years)
  4. L for Low, which may be tested every Z years (e.g., every three years)


Develop a Risk Assessment Matrix

It’s helpful to use a risk assessment matrix to evaluate your institution’s risk factors. Your institution should determine the amounts and thresholds based on factors specific to your institution.

Consider the identified risks in terms of impact and likelihood.

Impact is the degree to which a risk can cause a loss or potential loss. The specific loss can be defined in several ways, including:

  • Financial or material impact – Based on asset size, revenue, or transaction volume, or on loss of property (including data)
  • Operational – Risks that result in inefficient processes, create resource constraints, or cause facilities to become unusable
  • Intangible/reputational – Negative media or public exposure
  • Legal/regulatory – Noncompliance with federal or state laws that may result in sanctions or fines
  • Human/stakeholder – Threats to safety, talent loss, or loss of confidence in management
  • Strategic – Risks that adversely impact the institution’s achievement of its goals and objectives

Likelihood is the probability that a risk will occur and disrupt or prevent the achievement of your institution’s mission and priorities. Specific areas of likelihood can include these factors:

  • Controls – Processes, policies, training, or oversight intended to reduce the likelihood or severity of losses related to a particular risk
  • Risk experience – Familiarity with the risk and the ability to detect, respond to, and recover from the adverse event
  • Complexity – How the risk will affect other activities, including transactional activities and processes
  • Rate of change – The ability of people, processes, and systems to manage risk given the frequency or volume of changes within an operational area. Frequent change increases both the likelihood that a vulnerability is introduced and the impact if it is.

In the first example below, the matrix is used to classify risk based on the likelihood of occurrence and the impact on the institution based on subjective judgment. If a risk has both high likelihood and impact, it is classified as a critical risk.

The second example shows the number of risks evaluated and their placement on the matrix, based on quantified factors of impact and the likelihood of occurrence.

Apply Risk Scores

Another way to assess risk is through risk scores.

At least once every two years, your internal auditor should ask various stakeholders and employees to complete a risk survey. This will help your internal auditor stay aware of major institutional changes and update the audit areas as needed.

Your institution can derive the risk scores for each audit area from this feedback by assigning numerical ratings for a pre-determined set of weighted risk factors. You can then rank these scores for an overall risk value, with audits of various areas scheduled accordingly.

This top-down process should include conversations, surveys, and requests for input and ranking of the top risks from these stakeholders:

  • Executive leadership
  • Audit committee
  • Instructional unit leaders
  • Department managers or process owners from each operating area within your institution


Develop a Long-range Audit Plan

You can use the final risk assessment score to develop a long-range audit plan covering a multi-year period, such as five years. To develop this plan:

  1. Evaluate the level of risk in each internal audit area to determine the audit frequency. The higher the risk score assigned to a given area, the greater the audit frequency should be. In addition to scheduled audits, the plan should also include time for special projects that may be requested by management or performed as a result of suspected fraud, waste, or abuse.
  2. Create an annual audit plan from the long-range plan.
  3. Have senior management and your audit committee or board review and provide input on the long-range plan.
  4. Adjust the annual audit plan to incorporate additions or changes suggested by senior management and the audit committee or board.

Keep in mind that sometimes the identified risks will be mitigated through an external audit or other source.

A key goal of the internal audit risk assessment process is to provide adequate resources to address management requests for projects involving consultative services, analyses, and efficiency reviews. The goal of an internal audit is to provide assurance of processes, not audits of people.

Examples of risks to ask about during this process include, but are not limited to, the following:


Quality of the Control Environment

  1. Turnover of key personnel within the department during the last year (management and non-management positions)
  2. Major programs being modified
  3. New programs
  4. Departmental procedural problems as noted by the department chair or director
  5. Revamped information systems
  6. Monthly reconciliations performed on all departmental revenues and expenditures


Business Exposure

  1. Number of programs or areas within the department (complexity)
  2. Total departmental budget
  3. Total department revenue/expenses
  4. Cash income of the department
  5. Other types of income
  6. Volume of transactions
  7. Number of full-time employees for all programs or areas


Economic Environment

  1. Significant new legislation or regulations
  2. New technology
  3. Natural disasters or criminal or terrorist actions
  4. Community needs and expectations
  5. Vendor and contractor performance and reliability


Data Security (actions by someone inside or outside the institution)

  1. Data breach or leak of protected information
  2. Unauthorized access to student records
  3. Unavailability of critical computer systems
  4. Inappropriate destruction or retention of data
  5. Failure to comply with the Payment Card Industry Data Security Standard (PCI DSS)


Public and Political Sensitivity

  1. Sensitivity of the department to bad media publicity
  2. The potential effect of politics on the ability to meet departmental goals


Legal and Regulatory Sensitivity

  1. Quantity of grants and contracts
  2. Compliance with federal or state laws that apply to the department
  3. Past noncompliance that resulted in sanctions or fines


Other Factors

Other factors to consider include current management or stakeholder concerns and time since the last audit. We also recommend that you consider the answers to these questions:

What could go wrong, or what could prevent my institution or department from achieving its goals?

  • How do I determine how important it is?
  • How much would it impact my area?
  • How often could it occur?

Event Identification

  • How will an employee or stakeholder know that something has gone wrong?
  • When does an employee or stakeholder know that something has gone wrong?
  • How does an employee or stakeholder communicate the event to the right people at the right time?

Risk Response

  • Does the employee or stakeholder know what needs to be done to address a potential problem?
  • How long should it take to correct?
  • Was the correction effective?

Helpful examples are available online, including these departmental and internal control self-assessment questionnaires from Western Kentucky University and this risk assessment questionnaire from East Carolina University.


Document and Follow a Consistent Risk Assessment Process

Risk assessment can be subjective, so it’s important to document and follow a consistent process to help create buy-in from your management and board and lead to effective risk assessments.

With the right planning and support, incorporating an effective risk assessment process in your internal audit function can help your institution safeguard your resources, uphold financial integrity, and identify and address risks.

Please contact us with any questions.


Authors: Daniel M. Campbell, Partner and Higher Education Services Director, and Junice Jones, Partner


Additional Resources:

Internal Audit in Higher Education Institutions

Reporting Internal Audit Results to Your Institution’s Board
