How We Work
UCSF Audit & Advisory Services (A&AS) develops an annual work plan of audit and advisory services projects based on risk assessments that (1) provide an informed perspective on each operational area's current risk environment and (2) allow risks to be prioritized in a way that scales to available resources.
Risk can be defined as any issue that impacts an institution’s ability to meet its objectives.
The A&AS Work Plan supports our objective of deploying our resources as effectively and efficiently as possible in a manner that addresses:
  1. Areas of highest relative risk
  2. Core business activities of the University
  3. Broad coverage across the spectrum of University operations

Our approach

We assess the audit risk using the following methodology:

  • Soliciting input from Senior Management, process owners and system-wide perspectives
  • Relying on existing risk-identification processes wherever they exist (e.g., Compliance, Risk Management, Privacy Office, functional areas)
  • Gathering and assessing input from both internal and external sources (e.g., regulatory area, industry)
  • Sharing information among UC Health, Campus and Laboratory audit departments to leverage input and ensure consistent consideration of risks of interest and industry sources

The identified risks are considered in terms of impact and likelihood.

Impact is the degree to which a risk poses an actual or potential loss. A loss can be financial (loss of property, including data, is often included in this category); human/stakeholder; operational; intangible/reputational; legal/regulatory (i.e., noncompliance); or strategic.

  • Financial: Material impact based on asset size, revenue or transaction volume or loss of property (including data)
  • Human/Stakeholder: Threats to life, safety or both; negative impact on one or more functional areas, resulting in diminished outcomes for various stakeholders (e.g., talent loss, confidence in management)
  • Operational: Risks that result in inefficient processes or create resource constraints or loss of use of facilities
  • Intangible/Reputational: Negative media exposure or damage to the UCSF brand
  • Legal/Regulatory: Noncompliance with federal or state laws and regulations that may result in sanctions or fines or both
  • Strategic: Risks that adversely impact UCSF achievement of organizational objectives

Likelihood is the probability that the risk will occur and negatively disrupt or prevent the achievement of UCSF's mission and priorities. The factors we consider in assessing likelihood include:

  • Controls: A process, policy, training or oversight function intended to reduce the likelihood or severity of losses related to a given risk
  • Risk Experience: Familiarity with the risk and the ability to detect, respond to and recover from an adverse risk event
  • Complexity: The risk effect on other activities, which may include transactional activities, processes or both
  • Rate of Change: The ability of people, processes and systems to manage risk exposure given the frequency or volume of changes within a given operational area (a high number of changes creates vulnerability and increases the risk impact)