
Audit Focus

Any audit can be any combination of these focus areas. Our audits are risk-based. During the planning stages of an audit, the unit to be audited is contacted for background information. This information is used to develop a risk assessment. Risks, their likelihood, and their potential impact are considered to identify the most significant risks and define the scope of the audit. The risk assessment and audit scope are used to develop an audit program, which is the blueprint for conducting the audit. While conducting the audit, new information or newly identified risks may prompt changes to the audit program.

Operational

In-depth review of a department or process, often including fiscal responsibility, to assess whether the controls in place promote achievement of operational goals and objectives.

Examples:
  • Gift administration
  • Inventory management
  • Construction
  • Grade changes

Fiscal Responsibility

Evaluation of the internal control environment surrounding management, stewardship, and reporting of assets, revenues, and expenses.

Examples:
  • Purchasing
  • P-Cards
  • Payroll
  • Charge capture/billing

Compliance

Review of programs charged with oversight for Federal, State, local, and University compliance.

Examples:
  • Safety
  • Privacy (FERPA, HIPAA)
  • NCAA
  • Effort reporting
  • Conflict of interest/commitment

Information Technology

Assessment of the security and efficiency of technology, data, and IT processes.

Examples:
  • User access
  • Data security
  • Documentation
  • Processes
  • Physical security

Audits can be directed toward departments, centers, and units on all three campuses and the health system. In addition, we review University-wide processes and systems to verify that they function as expected. These areas of focus can also be applied to data reviews, which can assist with data security or verify data integrity.

Types of Risk

Reputational Risk

The damage or loss to the University caused by adverse publicity or employee dissatisfaction.

Change

The impact caused by responsiveness to changes and external events. It encompasses internal changes, including process reengineering, structural reorganizations, changes to key personnel, and University-wide changes.

Compliance

Potential losses associated with not conforming to requirements such as laws or regulations. Some examples of highly regulated activities on campus include healthcare, research involving humans or animals, lab operations, and athletics.

Safeguarding of Assets

The potential for inappropriate use and/or loss of an entity’s assets and other resources through theft, waste, or neglect.

General Controls

The negative impact of ineffective operations or poorly constructed processes on management's ability to accomplish specific goals or objectives. Examples of general controls include policies and procedures, separation of duties, effectiveness of personnel, and communication of general operational expectations.

IT

Effects of the IT governance environment, complexity of systems, custody of data, presence of sensitive data, movement and storage of data, development and acquisition of IT resources, logical and physical access to IT resources, policies and procedures, and personnel.

Financial Risk

Weak stewardship of University resources leading to loss of funds or mismanagement of transactions.

Complexity of Operations

The negative effect caused by the number of interconnected systems, sensitivity of the area, reliance on external providers, and people involved in highly detailed processes.