Risk Assessment Support

University management is responsible for Enterprise Risk Management (ERM). This includes:

  • establishing a risk tolerance,
  • identifying risks,
  • identifying controls that mitigate risks,
  • assessing the effectiveness of controls,
  • monitoring risk mitigation techniques, and
  • performing corrective actions on items that pose significant risks to university activities.

Each department must assess the risks associated with the achievement of its departmental objectives. Effective and reliable internal controls can mitigate risks. The Office of Internal Auditing provides assistance to management by:

  • Performing a higher-level independent risk assessment.
  • Utilizing the results of the independent risk assessment to schedule audit engagements. The scheduled engagements should be designed to assess internal controls for items that pose the greatest risk within university operations.

Additionally, the Office of Internal Auditing may assist management in developing and/or refining its risk assessment methodology.

Audit's Methodology

The OIA’s risk assessment methodology consistently applies qualitative and quantitative factors to a set of risk categories and university functions/processes. The result is a Risk Score that assists in determining whether an item is inherently high, moderate or low risk. This serves as the basis for developing the audit plan. The Risk Assessment components are as follows:

Risk Categories

 

Categorizing risks allows us to group similar risks and compare various risk areas (e.g. Finance & Administration vs. Student Affairs vs. Academic Affairs). The Risk Categories are as follows:
  
  • Academic Affairs
  • Auxiliaries & Other Business Arrangements
  • Development & External Relations
  • Facilities, Property, Construction & Maintenance
  • Finance, Accounting & Operational Support
  • Governance & Strategic Vision
  • Information Technology
  • Legal & Compliance
  • Personnel Management
  • Risk Management & Insurance, Environmental Health & Safety
  • Student Affairs

 
Risk Functions

 

Risk Functions represent university activities and can be grouped into at least one of the Risk Categories. All functions pose a risk. This is true in any business, as every business comes with its own unique set of risks. The purpose of the Risk Functions is to identify those items unique to the University of North Florida. Consider the following example:
 
Risk Category         Risk Function
Legal & Compliance    SACS Accreditation
Legal & Compliance    NCAA Compliance

 
Risk Factors

 

Risk Factors are six qualitative attributes that are applied to every risk function. Each factor receives a score (1 to 5) and a weighting (0 to 100%). The result is a risk score that defines the Risk Rating.

The risk factors are as follows:

  • Management’s Control Environment
  • Public and Political Sensitivity
  • Business Exposure
  • Compliance Requirements
  • Complexity of Operations
  • Organizational Change and Growth
