In a recent Baker Tilly and ACUA webinar titled “Adventures in Small Shop Auditing,” Baker Tilly advisors discussed auditing tools, techniques, and case studies tailored to small audit shops, covering topics including enterprise risk management (ERM), information technology (IT), and sponsored research. Below we address participant questions to provide additional insight regarding the presentation topics.
Internal audit should work with external audit to understand what areas they view as high risk; however, internal audit should not rely exclusively on the external audits to complete the same level of review. Internal audit should perform a risk assessment or, if available, leverage a risk assessment completed by ORSP. Additionally, if your organization has an Office of Institutional Compliance, consider reviewing their risk and compliance assessments of sponsored research administration. Once you understand key risk areas, focus your internal audits on the top-priority, high-risk areas noted, working cooperatively with management.
To understand whether an administrative salary was included in the university’s direct rate, internal audit should work with Grants Accounting, or whoever is responsible for calculating the indirect rate, to determine which administrative costs were included in the indirect rate cost pool. If the administrative salary was included in the indirect rate cost pool, it should not be directly charged to a sponsored award.
Technology is intertwined throughout the institution, whether in the classroom, school, or operations. Since IT touches practically everything, managing the risks to institutional data and keeping that data secure are imperative to maintaining the institution’s reputation. Data breaches are more likely in this industry than in most other industries because of the decentralized, open-sharing nature of higher education.
Below we identify a couple of ways that you can include IT within operational audits: