Annual Risk Assessment and Audit Plan Development
The Annual Audit Plan is a report of scheduled audits by process or location that is developed each year based on results from the audit universe risk assessment. The audit universe is a list of auditable processes, functions and units within the University of Alaska system. The risk assessment results and the Annual Audit Plan are presented to senior management for comment and input prior to review and approval by the Board of Regents Audit Committee in June for the upcoming fiscal year.
The scope for each scheduled audit remains tentative until planning begins for individual audits. During the planning phase, an engagement-level risk assessment is performed to help define the audit scope and objectives. See the Audit Process for more information.
Annual Risk Assessment of the Audit Universe
The risk assessment takes into consideration the following internal and external factors.
Internal: Institutional Factors
a. Risks and concerns communicated by management in response to the annual stakeholder survey.
b. Risk assessment results from the Statewide Office of Risk Services Annual Risk Register. The stakeholder survey includes questions that allow the risks reported in the Risk Register to be updated, since information may have changed since the date of the Risk Register.
c. Internal concerns communicated by management and staff throughout the year.
Internal: Audit Department Factors
d. Risks that were discovered while conducting audits but not included in the review because they were outside the audit scope.
e. Audits that were planned for the current year but will not be completed due to time or staffing.
f. Functions and processes for which the university benefits from routine review, such as cash receipts and procurement card usage.
g. The last date the unit, function or process was audited.
h. Auditor knowledge of risks based on maintaining relationships with professional organizations and peers and attending audit topic seminars.
i. Current trends that have an expected impact on higher education organizations (e.g., opportunities for cost reduction/saving, areas of concern with recent Office of Inspector General audits at other higher education institutions, information from NACUBO, ACUA, AICPA, IIA, ISACA, ACFE and other professional organizations).
External Factors
j. Concerns communicated by annual financial auditors, federal agency auditors, and legislative auditors during the course of external audit activities.
k. Functions and processes that are required to be audited per the Institute of Internal Auditors International Professional Practices Framework standards, for example:
Standard 2110.A2 - The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.
The risk assessment results are used to indicate which audits Audit and Consulting Services can schedule for the upcoming year and which audits are not expected to receive adequate audit attention. This is included in the presentation to senior management and the board for their awareness and to give them the opportunity to suggest revisions to the plan.