
UNF Internal Audit - Risk Assessment Support

University management is responsible for Enterprise Risk Management (ERM). This includes:

  • establishing a risk tolerance,
  • identifying risks,
  • identifying controls that mitigate risks,
  • assessing the effectiveness of controls,
  • monitoring risk mitigation techniques, and
  • performing corrective actions on items that pose significant risks to university activities.

Each department must assess the risks associated with the achievement of its departmental objectives.  Effective and reliable internal controls can mitigate risks.  The Office of Internal Auditing provides assistance to management by:

  • Performing a higher-level independent risk assessment
  • Utilizing the results of the independent risk assessment to schedule audit engagements.  The scheduled engagements should be designed to assess internal controls for items that pose the greatest risk within university operations.

 

Additionally, the Office of Internal Auditing may assist management in developing and/or refining its risk assessment methodology.

The OIA’s risk assessment methodology is one that consistently applies qualitative and quantitative factors to a set of risk categories and university functions/processes.  The result is a Risk Score that assists in determining if an item is inherently high, moderate or low risk.  This serves as the basis for developing the audit plan.  Risk Assessment components are as follows:

Risk Categories

Categorizing risks allows us to group similar risks and compare various risk areas (e.g., Finance & Administration vs. Student Affairs vs. Academic Affairs).  The Risk Categories are as follows:
  • Finance, Accounting & Operational Support
  • Legal & Compliance
  • Information Technology
  • Academic Affairs
  • Student Affairs
  • Facilities, Property, Construction & Maintenance
  • Development & External Relations
  • Auxiliaries & Other Business Arrangements
  • Risk Management & Insurance, Environmental Health & Safety
  • Governance & Strategic Vision
  • Personnel Management

Risk Functions

Risk functions represent university activities and can be grouped into at least one of the Risk Categories.  All functions pose a risk. This is true in any business as all business comes with its own unique set of risks.  The purpose of the Risk Functions is to identify those items unique to the University of North Florida. 

Consider the following sample/example:

| Risk Category      | Risk Function      |
|--------------------|--------------------|
| Legal & Compliance | SACS Accreditation |
|                    | NCAA Compliance    |

Risk Factors

Risk Factors are six qualitative attributes that are applied to every risk function.  Each factor receives a score (1 to 5) and a weighting (0 to 100%).  The result is a risk score that defines the Risk Rating.

The risk factors are as follows:

  • Management’s Control Environment
  • Public and Political Sensitivity
  • Business Exposure
  • Compliance Requirements
  • Complexity of Operations
  • Organizational Change and Growth

*See next tab for sample reports resulting from proper execution of the methodology

The following is an example/sample of the risk reports to further demonstrate how risks are reported and audits selected. These reports do not contain actual data!!

[Figure: Detailed Risk Inventory Report Sample]

[Figure: Risk Rating Summary]

[Figure: Risk Distribution by Category]

[Figure: Auditable Units by Risk Category]