Top Risk Areas for Internal Audit: Public Sector

Mark Maraccini
3/11/2025
Internal audit teams across the wide range of public sector organizations, institutions, and agencies should focus on certain risk areas in 2025.

Note: This article is part of a series on risk areas that internal audit teams should consider for their risk assessment and audit planning for and throughout 2025. Other articles in the series cover risk trends in specific industries and more broadly:

Public sector entities, including higher education institutions, not-for-profit organizations, and government agencies, regularly face significant challenges related to their operations and sustainability. Public universities and governments navigate complex financial reporting due to varied funding sources, and not-for-profit organizations rely on meticulous financial management to maintain, for example, donor trust.

Internal auditors play a crucial role in addressing a range of risks through audits focused on financial management, compliance, cybersecurity, and workforce planning, and their efforts help strengthen organizational resilience. Following are areas of risk that internal audit teams can proactively address in 2025.

Financial reporting risks

Public sector organizations encounter unique challenges in their financial reporting processes. With varied sources of funding and stringent regulatory requirements, these organizations must implement robust internal controls and adhere to precise accounting standards to maintain transparency, compliance, and continued trust from stakeholders. The complexity of operations and the diverse nature of funding present significant risks that necessitate careful management and diligent oversight.

Higher education institutions

In institutions of higher education, financial reporting and compliance risks often are linked to the complexity of funding sources, which can include tuition, government grants, donations, and endowments. These institutions must navigate many regulations and reporting requirements, particularly when using federal and state financial aid programs. The risk of noncompliance with these requirements can lead to financial penalties and loss of funding. Additionally, the decentralized nature of many universities, with various departments and research units, can complicate internal controls and increase the risk of errors or fraud in financial reporting.

Not-for-profit organizations

Not-for-profit organizations face unique financial reporting and compliance risks due to their reliance on donations, grants, and fundraising activities. These organizations must adhere to specific accounting standards, such as those related to donor restrictions and fund accounting, to ensure transparency and accountability. The risk of misreporting or mismanaging funds can damage donor trust and jeopardize future funding. Not-for-profit organizations also face compliance challenges related to tax-exempt status and regulatory requirements.

Government entities

Financial reporting and compliance risks for government agencies primarily stem from the complexity and scale of their operations, which often involve multiple funding streams and regulatory requirements. These organizations must comply with public sector accounting standards and regulations, which can vary significantly between jurisdictions. The risk of noncompliance can lead to legal consequences and loss of public trust. Additionally, government organizations must manage budgetary constraints and confirm that financial reporting aligns with budgetary allocations.

Potential internal audit efforts for 2025:

Internal audit teams can address these unique risks to public sector entities by performing certain audits specific to the entity.

  • Budgetary control audit. This audit helps verify accuracy of financial reporting and adherence to relevant regulations and budgetary requirements, including monitoring and reporting on budget variances.
  • Unrelated business income tax (UBIT) audit. The UBIT audit, which is important for tax-exempt institutions of higher education and other not-for-profit organizations, evaluates activities to identify any unrelated business income that might be subject to taxation. It supports compliance with IRS laws and regulations by reviewing income-generating activities, assessing the activities' alignment with the organization's exempt purpose, and identifying potential tax liabilities.
  • Indirect cost allocation audit. Indirect cost or cost allocation audits help verify that costs are properly allocated to public sector funds and programs. These audits are even more critical when restricted funding sources are involved, because they determine whether the costs charged to a restricted program actually benefit that program.
  • Restricted funding audit. This audit confirms that restricted funding, including grants and donations, is properly spent in accordance with the rules, regulations, and requirements of the funding provider. This audit helps confirm that restricted funds are not used for improper purposes or inappropriately transferred to other operations.

Cybersecurity and data protection

In the public sector, cybersecurity and data protection are critical priorities that necessitate robust strategies to safeguard sensitive information. Public sector entities are particularly vulnerable due to the vast amounts of personal and sensitive data they manage. As cyberthreats grow increasingly sophisticated, these organizations must address the risks posed by potential data breaches to maintain trust, compliance, and operational continuity.

Higher education institutions

In institutions of higher education, cybersecurity and data protection risks are particularly pronounced because of the sensitive data these institutions manage, including student records, research data, and intellectual property. They often operate open networks to facilitate academic collaboration, which can make them more vulnerable to cyberattacks. A breach can expose personal information and result in a loss of trust among students and faculty. Additionally, theft of research data can undermine academic integrity and competitive advantages. The financial implications of a breach, including response costs and potential legal liabilities, can strain already limited budgets.

Not-for-profit organizations

Not-for-profit organizations face unique cybersecurity and data protection challenges due to their reliance on donor information and the sensitive nature of the data they manage, such as beneficiary details. These organizations often operate with limited resources, which can result in inadequate cybersecurity infrastructure. A data breach can severely damage donor trust and prompt a decline in funding and support. Furthermore, not-for-profit organizations can face legal and regulatory consequences if they fail to protect sensitive data in compliance with relevant laws. The operational disruption caused by cyberattacks can hinder program delivery and negatively affect the communities they serve.

Government entities

Government organizations are particularly susceptible to cybersecurity and data protection risks due to the critical nature of the services they provide and the sensitive information they manage. A breach can disrupt essential services, from social programs to emergency response, affecting public safety and welfare. The exposure of citizens’ personal data can erode public trust and lead to significant political ramifications. Additionally, government organizations can face legal penalties and increased scrutiny if they fail to comply with data protection regulations. Cyberattacks involving foreign actors can strain international relations and have broader geopolitical implications.

Potential internal audit efforts for 2025:

Internal auditors can encourage leadership and senior management to prioritize robust cybersecurity measures and awareness training to mitigate risk, protect data, and maintain stakeholder trust. Other areas to raise to governance and executive levels include implementing comprehensive cybersecurity strategies and collaborating with other entities to enhance defenses.

Following are examples of how internal audit functions can make a more immediate impact.

  • Cybersecurity risk assessment. This assessment evaluates the organization’s current cybersecurity posture, identifies vulnerabilities, and evaluates the effectiveness of existing security measures. It also helps organizations understand the potential impact of various cyberthreats.
  • Penetration assessment. A penetration assessment involves internal or external penetration testing to evaluate the organization’s controls to protect against cyberattacks.
  • Data privacy compliance audit. This audit can help confirm that the organization complies with relevant data protection laws and regulations, such as the European Union’s General Data Protection Regulation or the California Consumer Privacy Act, depending on the jurisdiction. It involves reviewing data-handling practices, consent management, and data subject rights.
  • Third-party risk management audit. Since public sector organizations often work with external vendors, this audit assesses the cybersecurity risks associated with third-party relationships. It involves reviewing vendor contracts, security assessments, and data-sharing agreements.
  • Security awareness and training audit. This audit evaluates the effectiveness of the organization’s cybersecurity training programs for employees. It helps assess the frequency, content, and impact of training sessions on employee behavior.

Recruiting and retaining qualified staff

In many ways, the operational success of public sector organizations hinges on the ability to recruit and retain qualified staff. The challenges of attracting and maintaining a skilled workforce are profound. These sectors face unique obstacles due to the specialized nature of roles, competitive job markets, and financial constraints. Effectively addressing these risks is essential to maintaining continuity, achieving organizational goals, and delivering on public and community-oriented missions.

Higher education institutions

Employee recruiting and retention risks are particularly significant due to the specialized nature of academic and administrative roles. The departure of key faculty members can result in a loss of institutional knowledge and disrupt academic programs, research initiatives, and student mentorship. Additionally, the competitive job market for academic professionals can make it challenging to attract and retain top talent, especially when compensation packages might not be as competitive as those offered by private sector institutions. High turnover rates can lead to increased recruitment and training costs and strain financial resources. Furthermore, frequent changes in faculty and staff can affect student satisfaction and the institution’s reputation.

Not-for-profit organizations

Not-for-profit organizations deal with unique recruiting and retention challenges because of their reliance on mission-driven work and often limited financial resources. The departure of key employees can lead to a significant loss of organizational knowledge and disrupt program delivery, both of which affect the communities they serve. Not-for-profit organizations might struggle to offer competitive salaries and benefits, making it difficult to attract and retain qualified candidates in a competitive job market. High turnover also can lead to increased recruitment costs and decreased employee morale because remaining staff can become overburdened. All these challenges affect the organization’s ability to achieve its mission and maintain donor trust.

Government entities

Governments encounter recruiting and retention risks because of the complexity and scale of their operations and the need for specialized skills in areas such as public policy, administration, and technology. The loss of key personnel can disrupt service delivery and hinder the organization’s ability to meet public needs. Additionally, government entities can encounter difficulty when trying to attract talent because of perceptions of bureaucratic work environments and potentially less competitive compensation compared to the private sector. High turnover rates can lead to increased recruitment and training expenses, further constraining budgets, and frequent staff changes can affect employee morale and the organization’s ability to implement strategic initiatives.

Potential internal audit efforts for 2025:

In terms of attracting and retaining talent, the internal audit function might make certain recommendations to leadership, including:

  • Creating and maintaining a supportive work environment and positive organizational culture
  • Offering professional development opportunities for career growth
  • Strengthening workforce management
  • Offering incentives and competitive benefits
  • Investing in workforce development and succession planning

In addition, internal auditors should consider conducting the following audits to help organizations address a variety of risks.

  • Workforce planning and succession audit. This audit evaluates strategies for workforce planning and succession management. It assesses the identification of critical roles, talent pipelines, and succession plans to make sure the organization has continuity in key positions.
  • Recruitment process audit. This audit examines the effectiveness and efficiency of the recruitment process. It reviews job descriptions, candidate sourcing strategies, selection criteria, and onboarding processes to identify areas for improvement.
  • Employee retention audit. This audit assesses the factors influencing employee retention, such as job satisfaction, career development opportunities, compensation, and work-life balance. It analyzes turnover data and conducts employee surveys or interviews.
  • Compensation and benefits audit. This audit reviews compensation and benefits packages to confirm they are competitive and aligned with industry standards. It includes benchmarking against similar organizations and assessing the impact on recruitment and retention.
  • Diversity and inclusion audit. This audit assesses efforts to promote diversity and inclusion in the workplace. It reviews policies, practices, and initiatives aimed at creating an inclusive environment that attracts and retains diverse talent.

Compliance with federal and state grants

In the public sector, regulatory compliance with federal and state grants is a fundamental concern for higher education institutions, not-for-profit organizations, and government entities. Adherence to the stringent requirements tied to these funding sources is critical for financial stability and for maintaining institutional credibility and trust. The consequences of noncompliance can significantly affect budgets, operations, and reputation. Vigilant oversight and strategic management can help safeguard against these risks.

Higher education institutions

In institutions of higher education, the risk of noncompliance with federal and state program grants is particularly significant due to the diverse range of funding sources they rely on, including research grants, financial aid, and educational programs. Noncompliance can lead to severe financial penalties and the requirement to repay funds, which can strain already tight budgets and affect the institution’s ability to fund other initiatives. Legal and regulatory consequences can lead to increased scrutiny from regulators and potential sanctions. The reputational damage from noncompliance can erode trust among students, faculty, and funding agencies, and it can affect future grant opportunities. Additionally, having to resolve noncompliance issues means that resources could be pulled away from academic and research activities, program implementation might be delayed, and educational outcomes could be negatively affected.

Not-for-profit organizations

Not-for-profit organizations face unique noncompliance risks with federal and state program grants due to their reliance on external funding to support their mission-driven activities. Noncompliance can result in financial penalties and the loss of future funding, and it can severely impact organizations’ ability to deliver services and support their beneficiaries. Legal actions and increased regulatory scrutiny can further strain resources and divert attention from core activities. The reputational damage from noncompliance can undermine donor trust and future fundraising efforts. Additionally, noncompliance can hinder the achievement of program objectives, which can affect the quality and effectiveness of services provided to the community.

Government entities

Governmental organizations encounter significant noncompliance risks with federal and state program grants due to the complexity and scale of their operations. Noncompliance can lead to financial penalties, repayment of funds, and the loss of future funding, all of which constrain organizations’ ability to deliver essential public services. Legal and regulatory consequences can result in increased oversight, potential sanctions, and reduced autonomy in managing programs. The reputational damage from noncompliance can erode public trust and confidence in the government’s ability to manage funds responsibly. Additionally, addressing noncompliance issues can divert resources from critical services, delay program implementation, and affect service delivery.

Potential internal audit efforts for 2025:

To address the risk of noncompliance with federal and state program or grant requirements in a public sector organization, internal auditors should communicate the need for their organizations to implement comprehensive compliance frameworks, including clear policies, effective internal controls, ongoing monitoring, and regular training for staff involved in grant management.

In addition to the audits recommended in the financial reporting risk section of this article, other key audit considerations for federal and state funding include the following:

  • Program compliance audit. This audit helps confirm that the organization adheres to the specific requirements of federal and state programs or grants. It reviews policies, procedures, and documentation to verify compliance with applicable laws, regulations, and grant conditions. Often, this audit focuses on programs that are not included in the entity’s single audit but are still critical to the organization.
  • Grant management audit. This audit evaluates the effectiveness of the organization’s grant management processes. It assesses the procedures for grant application, fund allocation, monitoring, reporting, and closeout to verify compliance and efficient use of funds.
  • Subrecipient monitoring audit. If the organization passes funds to subrecipients, this audit evaluates the processes for monitoring subrecipient compliance with program and grant requirements. It reviews subrecipient agreements, performance reports, and audit findings.
  • Procurement and contract management audit. This audit reviews the organization’s procurement and contract management practices to confirm compliance with federal and state requirements. It assesses vendor selection, contract terms, and adherence to procurement policies.

Navigate critical risk areas for the public sector

Work with internal auditors who understand the unique challenges of your industry. Contact us to learn more about how our public sector expertise can help your organization manage risks.
Mark Maraccini
Partner, Consulting