Annual Risk Assessment

As part of our audit planning, Internal Audit performs a risk assessment analysis of all units to identify the potential areas of high risk throughout the University. We have a separate risk assessment for operational and information technology audits. Both focus on the overall business risk of the units. The factors used to assess operational risk are:

• Criticality of Unit – This factor measures the importance of the unit to the proper functioning of the University. This includes the inability of a unit to provide its service within a required time frame and/or at the expected level.

• Internal Control – This factor measures the quality of the internal control environment based on results of prior audit work, general observations, and/or other interactions. This evaluates whether controls are in place and working effectively.

• Public and/or Political Sensitivity – This measures the sensitivity of the unit to public exposure of critical internal issues. This considers the potential effect on the University overall as the result of negative information.

• Legal and Governance – This evaluates the exposure of the unit to potential litigation and/or governance by outside entities. This includes any potential or current litigation and the compliance with the required laws, policies, etc. of external agencies.

• Change in Management and/or Organizational Structure – This evaluates the extent of change and the stability in the structure of the unit. This includes changes in management, key employees, and new or discontinued areas of responsibility.

• Financial Impact – This considers the annual budget for the unit from all funding sources. This evaluates the impact of inappropriate activity and the liquidity of assets of the unit.