Public sector entities are widely recognized for their obligation to uphold principles of transparency, fairness, and accountability in all operations. Amid these high standards, they frequently operate within constrained or diminishing budgetary frameworks while simultaneously experiencing an upward trend in service demand from constituents. The considerable scale and extensive geographic scope that are characteristic of many public organizations, coupled with complex regulatory environments and reliance on legacy systems, elevate operational risk and ongoing maintenance expenditures. These entities must navigate substantial compliance requirements, statutory laws, and administrative policies, which makes the risk of noncompliance a significant and persistent concern.
As public sector organizations strive to deliver essential services efficiently and effectively, they must also contend with evolving expectations regarding performance, technology adoption, and stakeholder engagement, all of which necessitate adaptive strategies and robust management practices to fulfill their mandates.
Public sector organizations in higher education, the not-for-profit sector, and state and local governments should address risks in five areas:
- Talent management and retention
- Government and donor funding and funding cuts
- Safety services
- State of good repair
- Outdated and obsolete technology
Following is a breakdown of each of these areas and recommendations for next steps for internal auditors to address risks.
Talent management and retention
Talent management and retention challenges in the public sector stem from constraints in attracting, developing, and retaining a workforce capable of delivering reliable, high-quality services, equipped with the skills needed to understand all aspects of its job responsibilities. Public entities frequently have older workforces, a high number of impending retirements, and insufficient pipelines of future leaders or specialized staff. These factors raise concerns for lack of knowledge transfer and succession planning.
A February 2025 U.S. Government Accountability Office report noted that U.S. federal employment policies are outdated relative to the changing labor market. Additionally, structural features such as civil service rules, collective bargaining agreements, rigid classifications, and multiyear budget cycles shape hiring, pay, and performance management. Unionization remains several times higher in the public sector than in the private sector, which influences mobility and compensation policies.
Top talent management and retention risks
- Structural and bureaucratic constraints: Constraints on organizational budget, political pressures, and service and union rules elongate hiring processes and limit pay flexibility.
- Aging workforce and knowledge drain: Absence of planning for personnel retirements contributes to a lack of regular knowledge transfer. Knowledge is instead transferred on an ad hoc basis rather than at set intervals, or not until employees announce that they are leaving.
- Unionized environment: Collective bargaining agreements (CBAs) can restrict changes to performance management and mobility without negotiation.
- Compliance burden: Required credentials or continuing education can halt services or trigger noncompliance.
Next steps for internal auditors
- Strategic workforce planning: Audit talent risk holistically. Verify that there is a board-approved workforce strategy that identifies demographics, cross-training initiatives, and critical roles and skills for areas such as cyber, data, and grants.
- Recruitment and onboarding: Test recruitment for compliance with civil service and CBAs, time-to-hire cycle times, credential checks, and onboarding.
- Compensation and benefits: Review compensation for pay equity controls, adherence to job classifications, market benchmarking, and reasonableness of overtime and allowances.
- Performance management: Sample performance appraisals and confirm that goals align with and inform training plans.
- Retention, turnover, and exit management: Analyze retention, turnover ratios by role or manager, high potential retention, exit interview themes, and knowledge transfer execution.
- Succession planning and leadership development: Assess critical roles, named successors, bench strength, readiness, and progress reporting to executives. Identify and recommend solutions to alleviate blockers to leadership.
Government and donor funding and funding cuts
Noncompliance risks in grants and donor management – and the potential for funding cuts – arise when an organization fails to adhere to the terms, conditions, or regulations tied to public awards and philanthropic support or becomes vulnerable to budgetary shortfalls. Reductions in government or donor funding can result in disallowed costs, repayment obligations, sanctions, reputational harm, and program disruptions. Funding cuts also increase the risk that appropriations, intergovernmental transfers, or grant revenues might decline or grow more slowly than expenses, which can lead to service reductions, workforce impacts, deferred maintenance, and heightened compliance pressures.
Pressure points include federal discretionary caps, the wind‑down of temporary pandemic‑era aid and hard deadlines for obligation and expenditure, post‑American Rescue Plan Act of 2021 fiscal adjustment at the municipal level, continuing resolutions that restrict new starts and delay grant cycles, slower state revenue growth that tightens budgets, and not-for-profit providers’ reliance on government reimbursements that exposes them to cash‑flow stress when payments lag.
Top government and donor funding and funding cut risks
- Repayment: Misuse of grant funds or unallowable expenditures can lead to disallowed costs, repayment obligations, or loss of future funding.
- Legal and regulatory consequences: Noncompliance with guidance, state regulations, or donor conditions can result in legal actions, sanctions, or heightened scrutiny from regulators and auditors.
- Reputational damage: Donor confidence and public trust can erode if the organization demonstrates weak accountability or transparency.
- Impact on program outcomes: Mismanagement of grant funds or data inaccuracies can hinder achievement of intended program goals and reduce community impact.
- Increased audit and oversight: Persistent noncompliance or prior findings can trigger more frequent, detailed, and costly audits and increase administrative burden.
- Fraud, waste, and abuse: Risks such as intentional misuse, misreporting, or falsification of grant activity, including duplicate billing, inflated costs, or fictitious documentation, can go unnoticed.
- Subrecipient and partner risk: Weak monitoring of subrecipients or collaborative partners can result in noncompliance, with ultimate liability and accountability remaining with the prime recipient.
- Delivery chain risk: Providers reliant on government grants can experience cashflow stress from delayed reimbursements, leading to service disruptions.
Next steps for internal auditors
- Compliance audit: Review adherence to the federal uniform guidance, state program requirements, or donor agreement terms. Testing should focus on allowable costs and activities, eligibility, period of performance, and adequate support documentation.
- Grant management audit: Map the grant life cycle from proposal to close-out and test roles, approvals, budget controls, and drawdowns.
- Financial reporting audit: Reconcile accounting records to donor databases and reports. Test revenue recognition, restrictions, and performance metrics.
- Subrecipient monitoring audit: Review risk ratings, agreements, monitoring plans, and site and desk reviews and follow up on findings.
- Procurement and contract management audit: Examine procurement and contracting for competitiveness, applicable grant clauses, sole-source justification, and contract execution.
- Structural balance and scenario planning audit: Validate multiyear revenue and cost forecasts, inflation assumptions, and mapping of one-time funds to ongoing commitments. Run scenarios for continuing resolution or late appropriations and grant lapses.
- Program prioritization and service impact audit: Distinguish mandates from discretionary services, apply outcome and equity scoring, and verify decommissioning criteria and communications.
- Communications and governance audit: Review practices for budget amendments, stakeholder alerts, and transparent disclosures of service reductions.
Safety services
Safety services risk involves mismanaging resident eligibility, assignments, access, safety obligations, or reporting for on‑campus or affiliated housing, which can expose the organization to financial loss, contractual issues, and safety incidents. Risk concentrates in eligibility leakage and incomplete billing documentation; weak card‑access removal and guest tracking; housing agreements that lack periodic legal review or minor consent; data quality issues across housing, registrar, and billing systems; and inconsistent incident response and follow‑up. These risks are relevant for organizations that have students or organizations involved in member-services programming.
Top safety risks
- Fraud and eligibility controls: Ineligible individuals obtaining housing, inaccurate billing, bill waivers, or payment documentation.
- Access and physical security: ID card access management, improper visitor tracking, outsourced security that is not monitored, or personnel who are not trained adequately.
- Compliance with legal and policy requirements: Guardian consent for minors under 18 is missing, and other agreements are not reviewed.
- Safety and incident management: Ineffective response to housing-related safety incidents or poor coordination between departments.
Next steps for internal auditors
- Eligibility and occupancy audit: Verify eligibility and occupancy by confirming status before assignment, reconcile agreement and billing records, and test approvals for exceptions or waivers.
- Access controls and security audit: Evaluate access controls and security including provisioning, deprovisioning, and role design in housing systems; key card management; visitor tracking; and oversight and training of third-party security providers.
- Housing agreement compliance audit: Review agreement compliance through legal review, collection of parent or guardian consent for minors, documentation retention, and visitation policies.
- Incident response and safety protocol audit: Assess incident response and safety protocols, including procedures for lockouts, lost IDs, and visitor violations.
State of good repair
State of good repair (SGR) risk is the likelihood that essential assets, such as transportation networks; transit fleets; guideway, water, and wastewater systems; buildings and campuses; parks; and utilities, fall behind on maintenance, renewal, or replacement, which can lead to outages, safety hazards, noncompliance, and escalating life cycle costs.
Highway repair needs exceed budgeted amounts across all public roads in recent federal assessments, and national transit estimates place the SGR backlog with nearly half of recent growth attributed to inflation. Clean water needs and drinking water systems face comparable national requirements. Federal building portfolios have seen deferred maintenance and repair increase over the past years. Bridge condition data indicates that more require major work, and construction input prices remain markedly higher, which complicates backlog reduction.
Top state of good repair risks
- Upgrades and inflation: Elevated and volatile construction input prices reduce buying power, and cost growth can outrun budget escalators and construction in process (CIP). Also, code-driven upgrades add scope and cost.
- Backlogs: Backlogs span transportation, transit, water and wastewater, federal and campus buildings, and parks. Backlog growth can outpace annual capital and major maintenance funding.
- Maintenance: Insufficient preventive maintenance (PM) and reactive work practices increase failures, downtime, and total cost of ownership. Fragmented data obscures true condition and PM compliance.
Next steps for internal auditors
- Asset inventory and condition assessment: Internal auditors should begin by verifying a complete, accurate asset register linked to financial and CIP systems, then test condition assessment methods, sample inspections, and trace changes.
- PM and work management: Evaluate PM design and execution including PM schedules, compliance rates, backlog mix, and work order quality management practices.
- Deferred maintenance and backlog reporting: Review deferred maintenance and backlog reporting for defensible cost estimates, inflation and contingency assumptions, and risk-based prioritization.
- Capital planning, prioritization, and affordability: Assess capital planning for multiyear CIP governance, portfolio scoring that favors renewal of critical assets, funding alignment (including grants and matches), and sensitivity to inflation and market capacity.
- Project delivery, cost, and schedule controls: Test project delivery controls, including baseline schedules, schedule risk analysis, change order and claims management, contractor performance metrics, and closeout and decommissioning practices.
Outdated and obsolete technology
Many public sector organizations run mission‑critical legacy systems that are costly to maintain, difficult to secure, and hard to integrate. Across agencies, planned IT spending still skews toward operations and maintenance over modernization, and replacements have a history of delays or overruns when governance is weak.
Top outdated and obsolete technology risks
- Oversight, governance, planning, and ownership: Many agencies lack complete, documented modernization plans with milestones, scope, and clear disposition of old systems, which can increase the odds of overruns and delays.
- Customization (technical debt and vendor lock-in): Highly customized systems, such as enterprise resource planning platforms, raise upgrade cost and complexity, delay adoption of security patches and new capabilities, and entrench vendor dependence.
- Budget constraints and funding limitations: IT budgets skew toward keeping the lights on. Specialized mechanisms exist, but watchdogs find savings to date are limited and disciplined cost estimations are needed.
- Time commitment: Major replacements or upgrades frequently run long, exceed budgets, or fail to deliver, especially when plans are incomplete or governance is weak.
- Integration with other systems: Legacy estates impede application programming interface-based integration and data sharing. Governments stress open standards and interoperability to avoid creating new silos. Emerging public sector guidance and research highlight the significant need to integrate legacy systems with modern technologies.
- Obsolescence: Unsupported software and hardware elevate cyber risk. Controls frameworks require replacing unsupported components or rigorously justifying and isolating their continued use.
Next steps for internal auditors
- Legacy technology inventory and risk assessment audit: Start with a comprehensive legacy technology inventory (for example, validate completeness, accuracy, ownership, and life cycle dates) and assess alignment to policy.
- Modernization planning and governance audit: Evaluate modernization planning and governance, including approved road maps with milestones, scope, legacy‑system disposition, portfolio oversight, and risk and dependency tracking.
- Customization and technical debt review: Review customization and technical debt, including the extent of bespoke code versus vendor-supported features, upgrade history and blockers, documentation quality, and automated regression-testing coverage.
- Funding and business case audit: Test funding and business cases for full life cycle cost models (such as dual run and decommissioning), return on investment assumptions, use of modernization funding mechanisms, budget compliance, and benefits tracking.
- End-of-life and unsupported components audit: Assess end-of-life risk and identify unsupported software and hardware, patch posture, isolation and segmentation, or other compensating controls.
Looking ahead
As public sector organizations enter 2026, internal audit teams must remain proactive in addressing evolving risks that affect transparency, service delivery, and financial stability. Challenges such as workforce retention, funding volatility, safety obligations, infrastructure upkeep, and outdated technology demand an agile and data-driven audit approach.
By prioritizing risk-based methodologies and fostering collaboration across departments, internal auditors can help strengthen governance, support compliance, and enhance organizational resilience. In doing so, they play a critical role in supporting public trust and enabling agencies to deliver efficient, high-quality services amid growing fiscal and operational pressures.