

Risk Management

Internal Audit – Identifies all auditable activities and relevant risk factors, and assesses their significance through an annual risk assessment.

Internal Audit utilizes the Committee of Sponsoring Organizations' (COSO) Internal Control – Integrated Framework risk model.

Risk is viewed in four major areas:

  • Operational (Processes and procedures)
  • Financial (Data rolling up to internal/external statements)
  • Regulatory (Federal, State, Local, Organizational Policy)
  • Reputation (Institutional)

Key Concepts

  • Internal control is a process. It is a means to an end, not an end in itself.
  • Internal control is affected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
  • Internal control is geared to the achievement of organizational objectives.

Risk Assessment

The internal audit plan is designed to meet the objective of providing the most efficient and effective deployment of internal audit resources in a manner that addresses:

  1. areas of highest relative risk,
  2. core business activities of the University, and
  3. broad coverage across the University and the College of Medicine.

Audit Scope – involves assessing the five interrelated components of Internal Control:

  1. The control environment,
  2. Risk assessments,
  3. Control activities,
  4. Monitoring activity,
  5. Information and communication.