Internal Audit

Article Dean Dorton

May is Internal Audit Awareness Month, a timely reminder of the important role internal audit and risk assessment play in helping institutions navigate growing complexity and uncertainty.

Higher education is operating with a tighter margin for error than it has in years financially, operationally, and reputationally. Enrollment swings, rising compliance expectations, and cyber risk are hitting at once. When risk assessment and internal audit are positioned well, they give leadership early visibility into what could disrupt the mission, and practical steps to reduce surprises.

The Expanding Risk Landscape

In higher education, the risk environment is uniquely complex, spanning academics, operations, finances, and reputation. In our work with colleges and universities, the pressure points most campuses are managing typically include:

  • Cybersecurity & data privacy: Sensitive student, research, and financial data; evolving threats
  • Regulatory compliance: Title IV, Clery, FERPA, grant requirements
  • Financial sustainability: Enrollment volatility, tuition dependence, declining state support, endowment pressure
  • Research integrity & funding oversight: Federal scrutiny; controls that stand up to review
  • Operational complexity: Decentralization, inconsistent processes, control gaps

When the top risks aren’t clearly prioritized, campuses end up reacting after the fact. A structured risk assessment helps leaders focus early and stay ahead of issues before they become findings, headlines, or budget surprises.

Why the Margin for Error Is Shrinking (Public and Private)

Many institutions feel this, public and private alike. Whether the driver is enrollment volatility, pricing and discounting, endowment performance, or new compliance demands, the margin for surprises is shrinking.

For public institutions, uncertainty in state support can tighten that margin even further. When baseline funding is unpredictable, control breakdowns, delayed reporting, or weak oversight can turn into real budget surprises faster, and with fewer options to absorb them.

The Role of Risk Assessment

A good risk assessment gives leadership a clear, practical view of what could most disrupt the mission and how the institution is responding.

When it’s done well, the risk assessment:

  • Surfaces the highest-impact risks (and separates what’s urgent from what’s just noise)
  • Connects risk to strategy, so priorities reflect where the institution is going, not just where it’s been
  • Calls out gaps in controls, ownership, and governance before they become findings
  • Sets the direction for the audit plan and the work that will move the needle

In our experience, the best risk assessments include a broad mix of voices (academic leadership, finance, IT, compliance, and research administration). That’s how leadership gets a view of risk that matches how the campus actually runs, not just how the organizational chart says it runs.

Internal Audit as a Strategic Partner

Internal audit still gets pegged as a backward-looking function, where someone shows up after the fact and writes a report. That’s not how the strongest teams operate. Modern internal audit helps leadership get ahead of risk, strengthen operations, and build confidence in how things work day to day.

For example, instead of reviewing a process after a breakdown, leading teams are assessing new system implementations, research programs, or third-party relationships early, before risks materialize.

That can look like a quick pre-go-live review of an ERP or student information system change, a readiness check for a new research center, or due diligence around a key vendor before contracts are signed.

In practice, that shows up in a few ways:

  • Independent assurance: pressure-testing whether controls are designed well and operating as intended
  • Advisory support: helping process owners make improvements and think through emerging risks
  • Risk alignment: making sure the audit plan tracks to today’s priorities, not last year’s cycle
  • Governance support: equipping boards and audit committees with the visibility they need for effective oversight

When it’s positioned well, internal audit has a seat at the leadership table, engaged early to shape decisions, while still maintaining the independence and objectivity leaders rely on.

Common Gaps We See

Across higher ed, a few recurring issues tend to get in the way of a strong risk and audit function:

  • Risk assessments that happen too infrequently (or become a one-and-done exercise)
  • Audit plans driven by historical cycles instead of current risk priorities
  • Compliance, risk management, and internal audit operating in silos
  • Teams that are lean relative to the risk profile, especially in technical areas like IT security and research compliance
  • Inconsistent documentation of processes and controls across departments

Closing these gaps doesn’t always require a major investment. Most of the time it starts with clearer ownership, better alignment, and more discipline around prioritization. For smaller audit teams, it can also mean rethinking the delivery model, such as co-sourcing or targeted specialists, so the highest-risk areas get real coverage.

Practical Steps to Strengthen Your Approach

If you want to strengthen your internal audit and risk assessment approach, these are practical moves that tend to pay off. If you do only a few things, start with the “Do now” list, then move to “Do next” as you build momentum.

Do now (next 30 to 60 days)

  1. Confirm the current risk assessment is less than 12 months old; if not, refresh it.
  2. Gather executive and board/audit committee input on what should rise to the top.
  3. Map planned audits to top risks and identify gaps or low-value carryovers.
  4. Identify 2–3 high-risk areas where analytics could add immediate value.
  5. Assess where your team lacks depth (especially cybersecurity, grants management, and research compliance).
  6. Clarify risk ownership and expectations for process owners (what “good controls” looks like).
  7. Identify technical areas where coverage is needed but capacity is limited.

Do next (this year)

  1. Set a cadence (at least annually) and trigger updates when the institution changes (new systems, new programs, major leadership shifts).
  2. Build a repeatable leadership input process (interviews, surveys, workshops) to refresh priorities.
  3. Reallocate limited resources to where coverage will matter most (highest impact, weakest controls, greatest change).
  4. Build repeatable analytics to surface trends, anomalies, and control breakdowns faster than interviews alone.
  5. Line up SMEs (internal or external) for targeted reviews, planning support, or technical testing.
  6. Embed risk thinking into how departments operate (check-ins, metrics, onboarding), not a separate annual exercise.
  7. Use co-sourcing to expand coverage in specialized areas without building permanent fixed costs.

Make Internal Audit Accessible Across Campuses

For decentralized institutions, internal audit is most effective when it’s visible, approachable, and easy to engage. A few moves that can help:

  • Predictable touch points: Virtual office hours and periodic on-site days
  • Campus liaisons: One point of contact per campus/area to coordinate and escalate
  • Simple intake: One clear pathway (advisory request, concern, training) and response times
  • Short learning sessions: 30-minute, role-based webinars on common pain points
  • Plain-language tools: One-page checklists and “what good looks like” examples
  • Feedback loop: Quick post-engagement input to improve timing, communication, and deliverables

If you’re not sure where to start, pilot two or three of these steps at one campus this quarter, then scale what works across the system.

The Bottom Line

Higher education can’t eliminate risk, but it can be managed far more intentionally. A thoughtful risk assessment paired with a well-positioned internal audit function gives leaders visibility, strengthens controls, and supports confident decision-making.

When resources are tight and expectations keep rising, that kind of clarity isn’t a nice to have. It’s what keeps surprises from becoming crises.

If you’re reassessing your approach, consider benchmarking your current audit plan against today’s risk profile, then selecting one “Do now” action to tackle in the next 30 to 60 days. Contact the Dean Dorton team to discuss how we can help support your internal audit and risk assessment efforts.

Article Dean Dorton

The challenges posed by the coronavirus (COVID-19) continue to grow and evolve with each passing day. Organizations require timely information and a sophisticated approach to manage the pandemic’s impacts on employee health and productivity, fiscal implications, supply chain disruptions, cybersecurity vulnerabilities, the health of local and global markets, and more.

We are seeing internal audit efforts being pushed off or delayed by many organizations. Many internal audit departments are struggling with the decision to either continue with scheduled internal audits, or change their plans and audit areas that may be easier to manage remotely. Some are even considering if they should cancel the audit all together and not bother the organization at all. We believe that internal audit has an important role to play in supporting organizational efforts and will help management navigate the many challenges they are facing. 

As most companies transition to having a remote workforce, there are many controls that might change in the process. Internal audit needs to review these controls to ensure they are working efficiently and effectively.

Controls to be reviewed and/or tested include:

  • Cash disbursements: Are there two levels of approval for all disbursements? Is there proper supporting documentation for all disbursements? Do you still have proper segregation of duties?
  • Cash receipts: Are cash receipts still being deposited timely? Is someone monitoring customer situations and payments to ensure bad debts do not increase greatly? Do you still have proper segregation of duties?
  • Monthly reconciliations: Are all monthly reconciliations still being completed timely and properly?
  • Vendors: Who and how is the organization updating mission critical vendors and understanding how COVID-19 has impacted them? If they go away or are substantially impacted how does that impact your organization?

Internal auditors also need to determine where fraud risk has increased and perform testing in those areas. The current situation might increase the risk of fraud because there may be more opportunities to commit fraud due to controls not being adequate and employees feeling increased financial pressure due to significant other losing their job. Additionally, cybersecurity threats and frauds have increased due to more people working remotely and relying more heavily on electronic communications instead of face-to-face or phone conversations.

Internal auditors should also provide assistance and value to management in other areas:

  • Review loan applications for accuracy
  • Relative to compliance with stimulus loans, the internal audit team should assess any new controls needed to track the administration of loan proceeds to ensure compliance and possible forgiveness under the payroll protection loan program. The internal audit team should also have visibility and input on the development of any new controls to help with compliance.
  • Review of cash forecasts and budgets

Lastly internal audit departments need to ensure they have the proper processes, procedures and protocols in place to perform “remote audits.” Internal audit departments should communicate thoroughly with the Audit Committee to see how COVID-19 is being addressed by the organization  in order to accurately update risk assessments and document changes.

We know many of these things are hard to do remotely, especially if you are facing dramatic staffing changes. Dean Dorton’s internal audit team can provide short-term assistance as well as long-term planning guidance as you prepare for things to get back up and running. It is vital that you have a plan before acting, in order to stay compliant but also make it easier on yourself for analyzing and reporting in the long run. Please do not hesitate to reach out with any questions.

For more information on how the Coronavirus is impacting businesses across multiple industries, visit our COVID-19 resource page:

COVID-19 Resources

Article Dean Dorton

The Institute of Internal Auditors (IIA) recently released a report which examines outsourcing of internal audit activity.

Over 50% of North American companies participating in the survey use third parties to support their internal audit functions. The demands of internal audit have increased the prevalence of using third parties. Key aspects of using third parties include:

  • Supplementing staff to address staff shortage or help meet tight deadlines
  • Adding specialized skills including certified fraud examiners, IT specialists and data extraction experts
  • Handling special projects
  • Covering remote locations

IIA clearly states that best practices promote having at least one internal employee handle the oversight of the internal audit function and serve as the liaison with the third party service provider.

At Dean Dorton, we have seen the benefits of working with both private and public companies in a co-sourcing arrangement. Our expertise in a broad range of industries, coupled with our internal audit tools, allows a company to maximize the benefits of an internal audit function. We concur with the IIA’s recommendations to:

  • Think of the stakeholders and how third parties add value to meet stakeholder interests
  • Formalize the arrangement with the third party to establish expectations
  • Establish protocol for remediation and follow up steps
  • Allow third parties to share best practices including risk assessments

For more information, please contact:
Bill Kohm: bkohm@deandortonstg.wpenginepowered.com, 859.425.7625
Jim Tencza: jtencza@deandortonstg.wpenginepowered.com, 502.566.1071

View Bill Kohm’s Bio
View Jim Tencza’s Bio