
Risk Assessment and Planning

About

The Internal Auditor prepares a risk assessment and an annual audit plan each year. The overall objective is to prepare a plan using a risk-based approach to ensure that areas and activities specific to SDState with the greatest risks are identified for consideration to be audited, consistent with the Internal Audit Charter and SDState's Strategic Plan.


There are approximately 110 audit entities in SDState's “Audit Universe”. The Internal Auditor analyzes, evaluates, and identifies the inherent risk in each of the entities. Part of this process includes interviewing and/or surveying members of Senior Management during the risk assessment process to get their input on risks inherent in the organization. Other avenues include reviewing policies, procedures, regulatory requirements, and financial data of the organization. Risk in each audit entity is assessed based on four broad risk categories:

  • Operational Risks
    • These risks will be unique to each specific department/function depending on the operating objectives of the department/function.
  • Financial Risks
    • Risks which impact the accuracy and availability of financial information. This includes both information which is used for external financial reporting and information which is used for internal financial reporting to make management decisions. Financial risks may be unique depending on the specific objectives and functional responsibilities of each individual entity.
  • Compliance Risks
    • Risks which align to State and Federal requirements imposed through laws and regulations. Compliance risks exist due to specific requirements by compliance oversight bodies, State/Federal compliance requirements and state statutes. Compliance risks are unique to the specific requirements imposed on SDState by governing bodies.
  • Public Perception/Reputation Risks
    • Risks that are evident and would affect the public’s trust in the institution.

Additionally, once each audit entity is assigned a risk impact rating of critical, high, medium or low risk in each of the above categories, we determine the relative likelihood of those risks coming to fruition within the next 18 months (almost certain, likely, possible, unlikely). From there, an overall risk rating of critical, high, medium or low risk is assigned to each audit area. It’s important to note that a high-risk rating does not mean issues are identified. It simply means the audit area has a high inherent risk to the overall mission of the University.