Each year Internal Audit conducts a series of interviews with senior leaders and administrators across campus. Based on the information discussed in the interviews, possible audits are identified and risk-ranked based on the following criteria:

  1. University Mission/Student or Patient Impact
  2. Financial Loss
  3. Legal or Regulatory Impact
  4. Complexity of the Unit or Process
  5. Level of Change
  6. Reputational Risk
  7. Control Environment - (How well is it managed?)
  8. Information Systems - (Is it an IT-driven or IT-dependent process?)

Each criterion is given a score from one (low risk) to five (high risk), and the sum of those scores determines the audit's risk ranking. Those audits with a high risk ranking are evaluated against Internal Audit staffing levels and competencies, and the annual audit plan is created. Each fall, the Audit and Compliance Committee of the Board of Regents reviews and approves our annual audit plan.