Appendix H. Annual Risk Assessment and Audit Plan 2013/14

Transcription

1 Annual Risk Assessment and Audit Plan 2013/14 Internal Audit Department September 25, 2013

2 Table f Cntents Intrductin.. 3 Risk Assessment Prcess... 4 Page 2

3 Intrductin Each year, the Internal Audit Department f the University f Nrth Carlina at Chapel Hill develps an audit wrk plan based n a university-wide assessment f risk. This apprach is in keeping with the Institute f Internal Auditrs Internatinal Standards fr the Prfessinal Practice f Internal Auditing (IIA Standards) and the Internal Audit Act (NCGS ) which requires internal audit functins in NC State agencies and institutins t cmply with the IIA Standards. Als, basing audit wrk plans n risk helps ensure that audit resurces are allcated effectively and efficiently and in a way that best helps manage and the Bard f Trustees prvide gvernance and fulfill the University s missin. The primary bjectives f the risk assessment prcess are t: Ensure cmpliance with IIA Perfrmance Standard 2010 Planning which states: The chief audit executive must establish risk-based plan t determine the pririties f the internal audit activity, cnsistent with the rganizatin s gals and with Nrth Carlina s Internal Audit Act; Gather infrmatin abut the rganizatinal structure f the University, its peratins, and its finances and abut trends and recent cncerns in higher educatin; Identify expectatins and risk cncerns f University management and members f the Business and Infrastructure Cmmittee f the Bard f Trustees; Identify pprtunities fr sharing audit resurces and aviding duplicatin f wrk by crdinating audit effrts; Develp an audit wrk plan based n risks and pprtunities identified during the assessment prcess; and Present the wrk plan and results f the risk assessment t the Chancellr f the University f Nrth Carlina at Chapel Hill and the Business and Infrastructure Cmmittee f its Bard f Trustees fr review and apprval. While the initial wrk plan is develped based n a frmal risk assessment prcess, risks change thrughut the year. Therefre, we mnitr changes at the University and in higher educatin during the year and make revisins the wrk plan as needed. Page 3

4 Risk Assessment Prcess The risk assessment prcess begins with a review f the rganizatin structure f the University and the identifying by varius missins, functins, and financial activities f individual departments and ther units. Then, cre business practices and supprting infrmatin technlgy activities and resurces are identified as are key cmpliance issues and ht tpics in higher educatin. Discussins are held with senir management and the Chairpersn f the Business and Infrastructure f the Bard f Trustees t btain infrmatin abut their expectatins and cncerns. This infrmatin was cmbined and analyzed t develp an audit universe. Audit Universe Mdel Management Input Issues in Higher Educatin Financial Activity Crss-Department Activities Schls, Departments, Centers Cmpliance Requirements Cre Business Functins Infrmatin Technlgy Risk Cmpnents Strategic risks relate t missin and gals f the University Financial risks relate t stewardship and safeguarding f resurces Operatinal risks relate t prcesses used t achieve missin and gals Cmpliance risks related t laws, rules, regulatins, and ther requirements Reputatinal/service risk relate t public image and the impact f service failure Page 4

5 Step 1: Update and Create Audit Universe Identify cre business functins and infrmatin technlgy activities these functins, systems, and activities supprt mst peratins at the University; Review rganizatinal charts t identify individual perating units and the reprting relatinships f these units; Review infrmatin abut individual units t determine their nature and primary purpse; Identify unique activities in schl, departments, and centers and crss-departmental activities that are nt cre business functins but shuld be audited separately; Review revenue and expenditures fr each rganizatinal unit and unique activity; Determine if there have been significant changes in cmpliance requirements; Identify majr trends and cncerns in higher educatin; Create ppulatin f auditable units. NOTE: Sme units, such as schls, departments, and centers, will be cmbined int pls fr risk assessment purpses. Each year sme f these units will be selected fr audit based n recent events and management feedback. Als, sme IT activities, such as servers, peridic access reviews, disaster recvery and business cntinuity planning, etc., exist and are managed in many units. We initially assessed these activities as single units. Initial audits f these activities will assess university-wide gvernance f the activities and identify where these activities are managed. At that pint, risk assciated with these activities will be re-assessed at the functinal level. In additin, sme IT activities such as disaster recvery planning and system access reviews will be included in each nn-it audit. Step 2: Assess Risk Interview the Chairman f the Business and Infrastructure Cmmittee f the Bard f Trustees and key members f University management t identify their views f challenges and pprtunities fr the University and t get suggestin fr items t be included in the audit wrk plan; Cnsider risk factrs: Criticality f peratins; Page 5

6 Impact f a service delay r failure; Sensitivity f infrmatin managed; Extent f regulatin; Changes in management r the perating envirnment; Recent events and results f past audits (internal r external); Quality f internal cntrls Public r plitical sensitivity; and Financial characteristics; and likelihd and impact f risks facing an area. Assign relative risk t auditable units: high risk, medium risk; mderate/lw risk. Step 3: Develp Audit Wrk Plan Determine available audit hurs based n size f audit staff, available wrk hurs per staff member, and estimates f time fr administrative activities such as training, meetings, and leave. Allcate blcks f time fr unplanned audits, investigatins, advisry wrk, and mandatry r annual prjects. T select items fr the rest f the 2013/14 audit wrk schedule we cnsidered: Available audit hurs; Prjects frm the 2012/13 audit wrk plan that needed t be carried frward; Specific requests by management r members f the Business and Infrastructure Cmmittee; Results f UNC FIT reviews and hw well key perfrmance indicatrs are met; Date and results f recent audit (internal r external); Nature and timing f any recent r anticipated changes in an area (such as a system cnversin, new financial management, extensive prcess revisins, etc.); and Recent events at the University and at ther clleges and universities that have raised the visibility and sensitivity f certain activities. After pssible units fr the 2013/14 audit wrk schedule were selected, hurs were budgeted fr each prject based n nature f the area audited and the anticipated audit wrk in an area. Page 6

7 If necessary, pssible units were added r drpped in rder t have a wrk plan that fit available hurs Step 4: Finalize the Wrk Plan Submit the risk assessment t the Chancellr and Business and Infrastructure Cmmittee fr review and apprval. Submit the apprved plan t General and Administratin and the Cuncil f Internal Auditing Page 7