Internal Audit’s primary means of serving our customers is the annual audit plan. Each fiscal year the Director of Internal Audit prepares an audit plan for approval by the Finance & Audit Committee of the Board of Trustees. The sources used to prepare the annual plan include, but are not limited to the following:

  1. University and departmental risk assessments
  2. Requests from the Finance & Audit Committee and management
  3. Prior audits and / or historical trends regarding governance, risk, and compliance management issues and goals
  4. Information from external sources, e.g., the University’s external auditor for its financial statements
  5. Federal and local oversight or regulatory trends
  6. University business cycles, e.g., student accounts, IT systems, and grant management
  7. New or significant University initiatives
  8. Feedback or information from Faculty, Staff, or other persons highlighting compliance concerns
  9. Known or suspected high risk financial, legal, compliance, or reputational issues


The sources described above create an audit universe. The number and significance of events captured in the audit universe could be numerous. Events are prioritized and matched against audit resources. In addition, a certain amount of audit resources are reserved for special projects or emerging issues, e.g., investigations. However, in any one fiscal year and over a three year planning cycle, audits attempt to address the University’s significant risk exposures. University risk exposure areas may include: asset protection, liability management, legal/regulatory compliance, data integrity and security, process improvement, financial reporting, and business continuity.


See the Chronology of an Audit for a description of how an audit is implemented and audit reports issued.

 External Resources

Best practices for risk management and strengthening internal controls

The Institute of Internal Auditors