Note: This article is part of a series on risk areas that internal audit teams should consider for their risk assessment and audit planning for and throughout 2025. Other articles in the series cover risk trends in specific industries and more broadly:
Public sector entities, including higher education institutions, not-for-profit organizations, and government agencies, regularly face significant challenges related to their operations and sustainability. Public universities and governments navigate complex financial reporting due to varied funding sources, and not-for-profit organizations rely on meticulous financial management to maintain, for example, donor trust.
Internal auditors play a crucial role in addressing a range of risks through audits focused on financial management, compliance, cybersecurity, and workforce planning, and their efforts help strengthen organizational resilience. Following are areas of risk that internal audit teams can proactively address in 2025.
Public sector organizations encounter unique challenges in their financial reporting processes. With varied sources of funding and stringent regulatory requirements, these organizations must implement robust internal controls and adhere to precise accounting standards to maintain transparency, compliance, and continued trust from stakeholders. The complexity of operations and the diverse nature of funding present significant risks that necessitate careful management and diligent oversight.
In institutions of higher education, financial reporting and compliance risks often are linked to the complexity of funding sources, which can include tuition, government grants, donations, and endowments. These institutions must navigate many regulations and reporting requirements, particularly when using federal and state financial aid programs. The risk of noncompliance with these requirements can lead to financial penalties and loss of funding. Additionally, the decentralized nature of many universities, with various departments and research units, can complicate internal controls and increase the risk of errors or fraud in financial reporting.
Not-for-profit organizations face unique financial reporting and compliance risks due to their reliance on donations, grants, and fundraising activities. These organizations must adhere to specific accounting standards, such as those related to donor restrictions and fund accounting, to ensure transparency and accountability. The risk of misreporting or mismanaging funds can damage donor trust and jeopardize future funding. Not-for-profit organizations also face compliance challenges related to tax-exempt status and regulatory requirements.
Financial reporting and compliance risks for government agencies primarily stem from the complexity and scale of their operations, which often involve multiple funding streams and regulatory requirements. These organizations must comply with public sector accounting standards and regulations, which can vary significantly between jurisdictions. The risk of noncompliance can lead to legal consequences and loss of public trust. Additionally, government organizations must manage budgetary constraints and confirm that financial reporting aligns with budgetary allocations.
Internal audit teams can address these unique risks to public sector entities by performing certain audits specific to the entity.
In the public sector, cybersecurity and data protection are critical priorities that necessitate robust strategies to safeguard sensitive information. Public sector entities are particularly vulnerable due to the vast amounts of personal and sensitive data they manage. As cyberthreats grow increasingly sophisticated, these organizations must address the risks posed by potential data breaches to maintain trust, compliance, and operational continuity.
In institutions of higher education, cybersecurity and data protection risks are particularly pronounced because of the sensitive data these institutions manage, including student records, research data, and intellectual property. Universities often run relatively open networks to facilitate academic collaboration, which can make them more vulnerable to cyberattacks. A breach can expose personal information and result in a loss of trust among students and faculty. Additionally, theft of research data can undermine academic integrity and competitive advantages. The financial implications of a breach, including response costs and potential legal liabilities, can strain already limited budgets.
Not-for-profit organizations face unique cybersecurity and data protection challenges due to their reliance on donor information and the sensitive nature of the data they manage, such as beneficiary details. These organizations often operate with limited resources, which can result in inadequate cybersecurity infrastructure. A data breach can severely damage donor trust and prompt a decline in funding and support. Furthermore, not-for-profit organizations can face legal and regulatory consequences if they fail to protect sensitive data in compliance with relevant laws. The operational disruption caused by cyberattacks can hinder program delivery and negatively affect the communities they serve.
Government organizations are particularly susceptible to cybersecurity and data protection risks due to the critical nature of the services they provide and the sensitive information they manage. A breach can disrupt essential services, from social programs to emergency response, affecting public safety and welfare. The exposure of citizens’ personal data can erode public trust and lead to significant political ramifications. Additionally, government organizations can face legal penalties and increased scrutiny if they fail to comply with data protection regulations. Cyberattacks involving foreign actors can strain international relations and have broader geopolitical implications.
Internal auditors can encourage leadership and senior management to prioritize robust cybersecurity measures and awareness training to mitigate risk, protect data, and maintain stakeholder trust. Other areas to raise to governance and executive levels include implementing comprehensive cybersecurity strategies and collaborating with other entities to enhance defenses.
Following are examples of how internal audit functions can make a more immediate impact.
In many ways, the operational success of public sector organizations hinges on the ability to recruit and retain qualified staff. The challenges of attracting and maintaining a skilled workforce are profound. Public sector organizations face unique obstacles due to the specialized nature of roles, competitive job markets, and financial constraints. Effectively addressing these risks is essential to maintaining continuity, achieving organizational goals, and delivering on public and community-oriented missions.
In institutions of higher education, employee recruiting and retention risks are particularly significant due to the specialized nature of academic and administrative roles. The departure of key faculty members can result in a loss of institutional knowledge and disrupt academic programs, research initiatives, and student mentorship. Additionally, the competitive job market for academic professionals can make it challenging to attract and retain top talent, especially when compensation packages might not be as competitive as those offered by private sector institutions. High turnover rates can lead to increased recruitment and training costs and strain financial resources. Furthermore, frequent changes in faculty and staff can affect student satisfaction and the institution’s reputation.
Not-for-profit organizations deal with unique recruiting and retention challenges because of their reliance on mission-driven work and often limited financial resources. The departure of key employees can lead to a significant loss of organizational knowledge and disrupt program delivery, both of which affect the communities they serve. Not-for-profit organizations might struggle to offer competitive salaries and benefits, making it difficult to attract and retain qualified candidates in a competitive job market. High turnover also can lead to increased recruitment costs and decreased employee morale because remaining staff can become overburdened. All these challenges affect the organization’s ability to achieve its mission and maintain donor trust.
Governments encounter recruiting and retention risks because of the complexity and scale of their operations and the need for specialized skills in areas such as public policy, administration, and technology. The loss of key personnel can disrupt service delivery and hinder the organization’s ability to meet public needs. Additionally, government entities can encounter difficulty when trying to attract talent because of perceptions of bureaucratic work environments and potentially less competitive compensation compared to the private sector. High turnover rates can lead to increased recruitment and training expenses that further constrain budgets, and frequent staff changes can affect employee morale and the organization’s ability to implement strategic initiatives.
In terms of attracting and retaining talent, the internal audit function might make certain recommendations to leadership, including:
In addition, internal auditors should consider conducting the following audits to help organizations address a variety of risks.
In the public sector, regulatory compliance with federal and state grants is a fundamental concern for higher education institutions, not-for-profit organizations, and government entities. Adherence to the stringent requirements tied to these funding sources is critical for financial stability and for maintaining institutional credibility and trust. The consequences of noncompliance can significantly affect budgets, operations, and reputation. Vigilant oversight and strategic management can help safeguard against these risks.
In institutions of higher education, the risk of noncompliance with federal and state program grants is particularly significant due to the diverse range of funding sources they rely on, including research grants, financial aid, and educational programs. Noncompliance can lead to severe financial penalties and the requirement to repay funds, which can strain already tight budgets and affect the institution’s ability to fund other initiatives. Legal and regulatory consequences can lead to increased scrutiny from regulators and potential sanctions. The reputational damage from noncompliance can erode trust among students, faculty, and funding agencies, and it can affect future grant opportunities. Additionally, having to resolve noncompliance issues means that resources could be pulled away from academic and research activities, program implementation might be delayed, and educational outcomes could be negatively affected.
Not-for-profit organizations face unique noncompliance risks with federal and state program grants due to their reliance on external funding to support their mission-driven activities. Noncompliance can result in financial penalties and the loss of future funding, and it can severely impact organizations’ ability to deliver services and support their beneficiaries. Legal actions and increased regulatory scrutiny can further strain resources and divert attention from core activities. The reputational damage from noncompliance can undermine donor trust and future fundraising efforts. Additionally, noncompliance can hinder the achievement of program objectives, which can affect the quality and effectiveness of services provided to the community.
Governmental organizations encounter significant noncompliance risks with federal and state program grants due to the complexity and scale of their operations. Noncompliance can lead to financial penalties, repayment of funds, and the loss of future funding, all of which constrain organizations’ ability to deliver essential public services. Legal and regulatory consequences can result in increased oversight, potential sanctions, and reduced autonomy in managing programs. The reputational damage from noncompliance can erode public trust and confidence in the government’s ability to manage funds responsibly. Additionally, addressing noncompliance issues can divert resources from critical services, delay program implementation, and affect service delivery.
To address the risk of noncompliance with federal and state program or grant requirements in a public sector organization, internal auditors should communicate the need for their organizations to implement comprehensive compliance frameworks, including clear policies, effective internal controls, ongoing monitoring, and regular training for staff involved in grant management.
In addition to the audits recommended in the financial reporting risk section of this article, other key audit considerations for federal and state funding include the following: