1. University of Bristol
HIGHER EDUCATION INSTITUTIONS (HEI's)
KEY RISKS & CHALLENGES
Presented by,
Mir Mouzam Ali, CPA, CIA, MBA
4. EXTERNAL RISKS
1. Cyber Security & Privacy - HEIs hold a substantial amount of personally identifiable information (PII), payment information, sensitive R&D data etc.
Source: Cyber Security Breaches Survey July 2022 (Gov.uk)
Audit: Access management & Data protection
1. Examine the oversight processes and controls
2. Access to data: "business purpose" according to roles
3. Event logging and log history
4. Access termination (Workday/SAP/Cloud system)
5. ITGC - COBIT (Control Objectives for Information and Related Technology) framework
6. Examine the personal smart devices policy
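The access-termination, logging and role-scope tests in the audit list above can be run as a reconciliation rather than a sample-based walkthrough. The following is an added example, not the presenter's material: it reconciles a constructed HR leaver export (the shape a Workday extract might take is assumed) against a constructed IdP/cloud account export and a few constructed authentication log lines, and flags accounts still enabled after termination plus an assumed two-day deprovisioning grace period, successful logins after termination, and roles that have no approved business purpose for the account holder's job function. The column names, the role matrix and the grace period are illustrative assumptions.

```python
"""Access-termination and role-scope reconciliation for an ITGC access audit.

Added example (not from the original slides). Inputs are constructed sample
data; the field names, the role matrix and GRACE_DAYS are assumptions.
"""
from datetime import date, datetime, timedelta
from typing import Dict, List, Tuple

GRACE_DAYS = 2  # assumed maximum time between HR termination and deprovisioning

# Constructed HR leaver export: user id -> termination date (ISO 8601)
LEAVERS = {
    "u1001": "2022-06-30",
    "u1002": "2022-07-15",
    "u1003": "2022-07-20",
}

# Constructed IdP / cloud account export
ACCOUNTS = [
    {"user": "u1001", "enabled": True,  "job": "finance_clerk",
     "roles": ["ap_invoice_entry", "ap_payment_release"]},
    {"user": "u1002", "enabled": False, "job": "lecturer",
     "roles": ["vle_teacher"]},
    {"user": "u1003", "enabled": True,  "job": "lecturer",
     "roles": ["vle_teacher"]},
    {"user": "u2001", "enabled": True,  "job": "researcher",
     "roles": ["hpc_user", "student_records_read"]},
]

# Constructed role matrix: job function -> roles with an approved business purpose
ROLE_MATRIX = {
    "finance_clerk": {"ap_invoice_entry"},
    "lecturer": {"vle_teacher"},
    "researcher": {"hpc_user"},
}

# Constructed authentication log: "<timestamp> <user> <outcome>" per line
AUTH_LOG = """\
2022-06-29T08:10:00 u1001 success
2022-07-04T22:41:17 u1001 success
2022-07-16T09:00:00 u1002 failure
2022-07-21T07:55:03 u1003 success
"""


def stale_accounts(leavers: Dict[str, str], accounts: List[dict],
                   as_of: date, grace_days: int = GRACE_DAYS) -> List[str]:
    """Leavers whose account is still enabled after termination date + grace."""
    flagged = []
    for acct in accounts:
        term = leavers.get(acct["user"])
        if term is None or not acct["enabled"]:
            continue  # not a leaver, or already deprovisioned
        deadline = date.fromisoformat(term) + timedelta(days=grace_days)
        if as_of > deadline:
            flagged.append(acct["user"])
    return sorted(flagged)


def post_termination_logins(leavers: Dict[str, str],
                            log_text: str) -> List[Tuple[str, str]]:
    """(user, timestamp) for successful logins dated after the user's termination."""
    hits = []
    for line in log_text.splitlines():
        ts, user, outcome = line.split()
        term = leavers.get(user)
        if term is None or outcome != "success":
            continue  # only successful use of a terminated account is evidence
        if datetime.fromisoformat(ts).date() > date.fromisoformat(term):
            hits.append((user, ts))
    return hits


def role_scope_violations(accounts: List[dict],
                          matrix: Dict[str, set]) -> Dict[str, List[str]]:
    """Enabled accounts holding roles outside their job function's approved set."""
    out: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        allowed = matrix.get(acct["job"], set())
        extra = sorted(r for r in acct["roles"] if r not in allowed)
        if extra:
            out[acct["user"]] = extra
    return out


def run_audit(as_of: date) -> dict:
    """Collect the three findings into one report for the working papers."""
    return {
        "stale_accounts": stale_accounts(LEAVERS, ACCOUNTS, as_of),
        "post_termination_logins": post_termination_logins(LEAVERS, AUTH_LOG),
        "role_scope_violations": role_scope_violations(ACCOUNTS, ROLE_MATRIX),
    }


if __name__ == "__main__":
    for finding, rows in run_audit(date(2022, 7, 25)).items():
        print(f"{finding}: {rows}")
```

Run with the as-of date of the audit fieldwork. Note that the grace period decides whether a leaver is a finding: with an as-of date of 2022-07-21, u1003 (terminated 2022-07-20) is still inside the two-day window and is not flagged, while u1001 is. The role check also surfaces the finance clerk holding both invoice entry and payment release, which is the segregation-of-duties point raised later in the deck.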
5. EXTERNAL RISKS
2. Third-party vendors - These vendors support some of the critical operations & delivery of service (e.g., goods procurement, service providers).
Audit:
1. Review the authorisation & approval processes
2. Appropriate segregation of duties (Authorisation/Reconciliation/Custody)
3. Management review of Service Level Agreements (SLAs)
4. Service auditor report including Service Organisation Control (SOC) reports (e.g. ADP payroll services) - Assurance & Reliance
[Diagram: Suppliers / Service provider -> Reduce risk of fraud; Data integrity & controls environment]
6. INTERNAL RISKS
1. Relevant - Learning and educational outcomes to meet students' needs & expectations and the wider needs of society.
Audit:
Gain understanding of management's strategy
Inspect steps taken by management
Examine how actively management is pursuing improvements
Analyse and obtain evidence of periodic review by management
7. INTERNAL RISKS
2. Compliance - Applicable regulations such as:
OfS (The Office for Students)
Organisational policies
Data protection regulations etc.
Audit:
Review financial, operational & governance processes
Review effectiveness of risk management controls
Non-compliance reported at the appropriate level
Up to date with new regulations
8. INTERNAL RISKS
3. Review Pandemic Policy Changes:
Review changes to standing policies that were made during the pandemic to ensure those changes don't themselves pose a risk. E.g., due diligence regarding employment verification may also have been neglected.
9. INTERNAL RISKS
4. Recalibrate Risk Assessments:
Risks that might not have raised major concerns pre-pandemic may now warrant more attention. Adjust risk levels accordingly: what would have been rated low or medium may now be rated high.