Gaining assurance on key areas of institutional risk in the absence of an internal audit function

As the complexity of higher education increases, so does the need for institution leadership to foster an effective and intentional approach to gaining assurance over the management of institutional risks. Not every institution, however, can invest in a robust in-house internal audit capability.

The challenge – A desire for strong assurance over institutional risks

Many trustees of colleges and universities lead for-profit and public companies, where a well-developed internal audit function provides ongoing assurance about major areas of risk. However, many colleges and universities have limited or no internal audit functions, and therefore do not maintain the infrastructure to provide similar assurances to trustees and senior leaders. Concerns without an immediate financial reporting impact in areas such as cybersecurity, sexual misconduct, and donor stewardship may not be sufficiently addressed, especially in the absence of a formalized enterprise risk management program.

To bridge the gap, institutions may seek external support for an internal audit-like capability. Depending on current infrastructure and resources, this could take the form of a co-sourced (supplemental resources) internal audit model, or a shared services model. In a co-sourced model, an institution typically has an internal audit director and/or a small staff, but may not have the resources to provide full coverage for an annual audit plan, or may not have the subject matter expertise to complete certain audits. On the other hand, an institution may have no internal audit function and may wish to tap into a shared services capability to achieve its risk assurance goals. 

The Solution – Evaluate your current situation

For institutions with an existing but limited internal audit function, supplementing existing resources and subject matter expertise with outside resources can be an effective solution. For institutions that choose not to invest in a robust, in-house internal audit capability, it can be effective to leverage a shared service capability to obtain internal audit-like assurance. In some instances, this capability can be provided on a project basis from an institution’s existing external financial statement audit firm.

It is important to consider in both co-sourced and shared service models the service partner’s degree of knowledge and expertise in higher education, including in areas of non-financial risk (e.g., operating and compliance risks), and the ability to gain perspectives from multiple institutions. Consider also the alignment of your service partner with your institution’s culture.

Evolving risk assurance roles

Risk assurance roles – where most effective – can be an ally as management ensures alignment of risk management with realization of strategy, and boards gain assurance over risks affecting institutional reputation. 

The risk assurance function can play a critical consultative role and lay out an effective complement of risk- and compliance-based auditing activities. This capability can also be a catalyst for improving controls over compliance, financial, and operational areas, and in many cases, in leading institutions to develop enterprise risk management approaches.

For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.