The University of Virginia’s Board of Visitors recently reviewed its risk management practices and highlighted several key issues. The Office of Audit and Compliance presented findings that raised concerns in areas like student services, information technology, parking operations, and payroll processes at U.Va. Health.
During the meeting, Vice President for Finance Augie Maurelli explained the Agency Risk Management and Internal Control Standards (ARMICS). This system helps the University keep track of financial risks and internal controls to ensure everything runs smoothly. Maurelli emphasized its importance for maintaining trust and accountability in financial dealings.
According to Maurelli, the University is now embracing automation and artificial intelligence (AI) to improve financial oversight. These tools are being used to streamline processes like expense reporting and staff timekeeping. As Maurelli said, “Monitoring is a large part of what we do from a fiscal stewardship perspective,” making it clear that effective oversight is a top priority.
The University is working with a massive budget of $6.4 billion and employs over 33,000 staff members across various divisions. Despite this scale, several issues were reported, including three high-risk findings that could have serious consequences. For example, problems in processing military education benefits could lead to compliance issues with government regulations.
The reports from the Office of Audit and Compliance also revealed a concerning lack of effective controls in various IT systems. Out of seven evaluated security controls, only two met their objectives fully. The University is aware of these cybersecurity risks, which are compounded by the increasing complexity of data protection laws.
The audit process serves not just to catch errors but to find areas for improvement. However, unresolved issues from previous audits continue to linger. For instance, a 2019 audit found problems with managing leftover research funds that have yet to be addressed. Even recent audits have uncovered delays in fixing critical control systems and student safety measures.
The Medical Center also faces regulatory risks. A report indicated that about 140 regulatory risks were identified, with 40 of these classified as high-priority. With shifts in Medicare funding and cybersecurity threats on the horizon, the importance of active risk management is clear.
In summary, while U.Va. is making strides in risk management, several challenges remain. The University is taking steps to better use technology for monitoring and control, but it needs to tackle unresolved issues promptly to ensure a secure and efficient operation.
For more insights on risk management systems and challenges in higher education, you can check reports from organizations like the National Association of College and University Business Officers (NACUBO).

